Know What's on Your Network

June 24, 2011
Mercy Hospital in Miami is a 483-bed acute care facility established in 1950. The hospital is a member of Catholic Health East (CHE), a

Mercy Hospital in Miami is a 483-bed acute care facility established in 1950. The hospital is a member of Catholic Health East (CHE), a multi-institutional health system of 43,000 employees comprising health ministries located within 11 eastern states from Maine to Florida. Ranked by number of visits, CHE is the largest healthcare system that operates home-care agencies. Mercy hospital has a 30-person IT department servicing 683 physicians and 2,000 employees. The department's network of 80 servers supports healthcare-related applications for the hospital's 1,500 devices on the computer network.

The Challenge

Because of the nature of healthcare, we manage a multitude of devices from MRI scanners to portable heart monitors to lab instruments. Each device has its own complexities and operating system, and most have vendor-supplied PC workstations or servers that are off-limits to local IT staff. Patching any of these devices requires patch or update certification by the medical instrument vendor before any changes can be made. And because the devices are a mix of assorted Linux, Unix, Sun Solaris and Windows devices, they potentially put our healthcare organization at risk.

We thus knew that we needed a way to not only audit the network and discover what devices existed on the network, but to also decide how and where device fixes were necessary. In some instances, this meant isolating devices from the rest of the network until the identified vulnerabilities could be addressed by the vendor.

Our research for a solution led us to eEye Digital Security, which develops endpoint security and vulnerability management software. They recommended we test their Retina Network Security Scanner, which conducts vulnerability assessments, identifies known network security vulnerabilities, and assists in prioritizing threats for remediation.

Internal Testing

We conducted internal testing in three areas: accuracy, speed and evasion. For accuracy, the Retina Network Security Scanner fingerprinted every Windows-based operating system in the network. For non-Windows operating systems that run on the network, Retina offered a list of options. For example, when Retina searched for a printer, the software would tell us that a particular printer could be running on a Linux OS. Retina then listed four or five different versions of Linux. We also wanted to know if Retina would identify all devices properly. It did. We also tested Retina by having it look for well-known vulnerabilities such as Blaster(2003), Sasser(2004), the Windows Meta File (WMF)(11/05) exploit and new zero-day attacks such as the one that leveraged a previously unknown vulnerability in Microsoft Internet Explorer. Retina found machines that were vulnerable to the Sasser worm and the VML exploit. We then tested Retina on patched machines, and the software let us know which machines were no longer vulnerable. We also tested HP Unix, Sun Solaris, VMware ESX server, Cisco switches, Cisco routers, and CheckPoint firewalls. Retina found vulnerabilities in each one.

For speed testing, we ran Retina on an ongoing basis to audit each of our 1500 nodes on our network. Retina launched scans and finished common port-scan audits in less than 30 seconds per machine.

We also tested for anti-evasion tactics to see if Retina could evade our intrusion detection and intrusion prevention systems (IPS). This feature is important to us because we need to know what people can do maliciously and how we can prevent it. We set Retina at its highest speed, ran it through an IPS, and it picked up Retina scanning the network. Then we set Retina at its lowest speed, randomized the settings, and used some of the advanced evasion tactics built into the tool. Retina walked through the IPS with no detection.


One major benefit we have received by using Retina is the amount of labor we save. I can't begin to quantify how many man-hours it would take to walk the entire length of the hospital to locate each device, determine its operating system, and ascertain if these devices are patched or if their registries are set correctly. Doing this manually also does not guarantee we can achieve 100-percent consistency with our results. In fact, there really is no way to accurately tell what's running on our network without the help of a third-generation scanning tool like Retina.

Since finishing our testing and deploying Retina, it has kept us in line with our network. It's an effective tool for defining not only what's on the network but also what is vulnerable, and discerning holes in the network.

Retina also lets us know where patches need to be applied, where people have left default configurations, where someone has started a service that we don't know about, and when someone brings up a Web server incorrectly or without our knowledge. It also gives us more in-depth information compared to most vulnerability scanners. Since Retina can look at the Windows operating system in detail, it can tell us if registry keys can be changed. It also tells us if certain files exist where they shouldn't, or if we can enumerate our users in Active Directory because of a misconfiguration. Retina also has a vulnerability catalog that associates vulnerabilities with their CAN, the CVE numbers, and with the bug track ID numbers. It did a credible job associating most everything that they offer, and keeping current with it.


Retina is configurable. The device has helped us build what we believe to be a best-practices standard that can be used throughout the entire Catholic Health East system. For larger organizations, eEye offers a management framework called REM Security Management Console. REM supports a distributed scanning environment of hundreds of scanners across hundreds of remote facilities. REM can manage all Retina scanners and reports from one centralized location.

One of the most interesting reports that the REM product can generate is Deltas. Delta reports measure the difference achieved between two scanning operations. We apply changes and fixes based upon the results of our first scan. The Delta report will show what's been fixed between the two scans. These reports are highly satisfying because they provide evidence of progress, which translates to better network integrity. REM can also generate executive reports with pie charts and graphs.

Fernando Martinez is CIO of Mercy Hospital, Miami, Fla.