Kudos on a nice comparison writeup RR!

Thanks for the update RoleReversal,

Iit would be curious to run both tools on the same config and compare the results. I tend to think of the CIS as sort of a "standard" or "best practices" for benchmarks... from their website:


As far as your other question goes, you have to fill provide name, email and accept TOUA before download. Although email address or personal info is NOT verified (by confirmation email or otherwise). You get access to download right away.

Quick disclaimer, I have not used the tool, I'm basing my observations on information that was on the website:

My concern was that I could not find any information on what the tool bases the audit results on? I always had great results using CIS RAT. Their benchmark guide is detailed and fairy well written. A person auditing an IOS/PIX device has access to details of the recommendation made by the tool, not just pass or fail.

pseud0, if you are concerned about this particular tool's impact on the audit device (as we all are with any audit tool) best option is to save config file and run audit on a file instead of pulling it directly from the device.

I had pretty good results with DumpSec (formerly DumpACL), and its FREE


http://www.somarsoft.com/

Version 6 may not be vulnerable. Remember, this issue came out in 2005.

http://www.securiteam.com/windowsntfocus/5XP0H1FG0S.html

Here is the quick and dirty that might work for you:

I'm interested in opinions on commercial scanner applications, not managed services.

There has been a lot of talk about Web Application Scanners and their effectiveness. There are a lot of industry articles (Rolling Reviews, etc) blog posts and independent reviews (Larry Suto's paper) and the rebuttals from HP/IBM. I was wondering what the personal opinions of this forum's members are. Does anyone have a preferred WAS?

Cheers!

Cool. Thanks for the info.

My personal favorite, especially if you're using BackTrack to learn:

http://forums.remote-exploit.org

Chuck-full of tutorials, insightful threads and fun!

Forums @ http://www.learnsecurityonline.com are also good

Cheers!

If the device supports SNMP you can use it to pull relevant information from the device. (make sure to change the default community string or better yet if the device supports it use SNMPv3)

IMHO Only basic Linux knowledge is required for OS101. Especially if you're planning on using BT distro (as it is recommended by OS team). And if get lost and can't remember/not sure of some linux commands or options, you can use my favorite: Google! 

Woot! Just got my OSCP cert! If anyone is on the fence about getting this, I have three words for you:

FANTASTIC! FANTASTIC! and ...wait what's the word I'm looking for, oh yea
FANTASTIC!

Kudos to Offensive Security team on making the experience fresh, enjoyable and challenging!

Just signed up for class. Can't wait to start! Thanx for a wonderful course writeup blackazarro.