I was wondering what everyone thinks is the best available network vulnerability scanner?  My company is currently running ISS but we are looking to move to something else possibly more cost efficient.  We do support a fairly large network so the tool has to be able to handle large scale scanning.  Any ideas are welcome!

Thanks in advance for the advice!

On a side note, I just noticed an article on Dark Reading about Qualys providing a free scan to anyone. It scans for the top 20 SANs vulnerabilities. 
http://www.darkreading.com/document.asp?doc_id=140088&WT.svl=wire_2

geekyone, are you looking to run automated scans of multiple subnets or just scan each new host before allowing it onto the production network.

I regularly use Nessus and ISS for both automated scans and on demand scanning. I've only used Qualys on pentests and I like it a lot. I has a very, very big db of scans and they are very effective at scanning large subnets quickly. The scan data is stored on Qualys servers though. If you talk with them you will find that this is not as much of an issue as it sounds. The data is encrypted and you're really the only one with access to it. It is also very cost effective as you only pay for each engagement based on number of IPs.

I would not really class a tool like Core Impact in with traditional vulnerability scanners though. It is more in the realm of an automated exploitation tool that actively compromises the host. It would fit in the same category as  Immunity's Canvas and Metasploit. Core does have a consultant license too.

It all depends on budget too. Seeing as you are already paying for ISS you might want to have the various vendors pilot/demo their tool on specific hosts/subnets in your environment. Pick the best one based on results.

dean

If you don't use GFIlangaurd for a vulnerability scanning, which is its purpose, what do you use it for?

GFI's Languard  can be used for patch deployment and not vulnerability scanning alone. you can check for patches, download and push them to the hosts via the interface.

To throw in my two cents:
I just finished rolling out Qualys for one of the big 3 auto manufacturers, and I have been fairly impressed so far.  The major advantage for a lot of people is the control interface.  It is all web based, you can slice and dice the results as needed, setup a wide variety of scans that are as passive or invasive as you think you'd need, all of the updateing and maintenance is handled by Qualys, and is has a very nifty built in reporting module that can kick off surprisingly polished executive reports.  It brings a lot of value to global operations, but I'm not sure you're going to get the same bang for your buck for smaller networks.  The major bonus of consolidated control and reporting is not going to be as much of a factor if you have dozens of security folks rather than thousands. Depending on your agreement with IBM, I just don't know if you are going to get much in the way of dollar savings by switching to the Q.  Nessus is obviously the best dollar value choice if you go with the free version, but that is only the case if you can handle not having updated signatures.  Even then, if you have a small enough shop you can get the paid version for about $1200.  That is only for a single user, though, and you still don't have the full enterprise command and control interface. 

There are not a lot of specific recommendations people are going to be able to give you without having more info on your environment, but I'd recommend not posting much more info than you already have.  I'm probably preaching to the choir, but I'd avoid posting too much data into an open forum.  PM some of the more senior members of the group if you want more detailed advice.