The goal of running a vulnerability scanner is to identify devices on your network that are open to known vulnerabilities. Different scanners accomplish this goal through different means. Some work better than others.
Some may look for signs such as registry entries in Microsoft Windows operating systems to identify that a specific patch or update has been implemented. Others, in particular Nessus, actually attempt to exploit the vulnerability on each target device rather than relying on registry information.
Kevin Novak did a review of commercial vulnerability scanners for Network Computing Magazine in June of 2003. While one of the products, Tenable Lightning, was reviewed as a front-end for Nessus, Nessus itself was not tested directly against the commercial products. Click here for the complete details and results of the review: VA Scanners Pinpoint Your Weak Spots.
One issue with vulnerability scanners is their impact on the devices they are scanning. On the one hand you want the scan to be able to be performed in the background without affecting the device. On the other hand, you want to be sure that the scan is thorough. Often, in the interest of being thorough and depending on how the scanner gathers its information or verifies that the device is vulnerable, the scan can be intrusive and cause adverse affects and even system crashes on the device being scanned.
There are a number of highly rated commercial vulnerability scanning packages including Foundstone Professional, eEye Retina and SAINT. These products also carry a fairly hefty price tag. It is easy to justify the expense given the added network security and peace of mind, but many companies simply don't have the sort of budget needed for these products.
While not a true vulnerability scanner, companies that rely primarily on Microsoft Windows products can use the freely available Microsoft Baseline Security Analyzer (MBSA). MBSA will scan your system and identify if there are any patches missing for products such as the Windows operating systems, Internet Information Server (IIS), SQL Server, Exchange Server, Internet Explorer, Windows Media Player and Microsoft Office products. It has had some issues in the past and there are occasionally errors with the results of MBSA- but the tool is free and is generally helpful for ensuring that these products and applications are patched against known vulnerabilities. MBSA will also identify and alert you to missing or weak passwords and other common security issues.
Nessus is an open-source product and is also freely available. While there is a Windows graphical front-end available, the core Nessus product requires Linux / Unix to run. The up side to that is that Linux can be obtained for free and many versions of Linux have relatively low system requirements so it would not be too difficult to take an old PC and set it up as a Linux server. For administrators used to operating in the Microsoft world there will be a learning curve to get used to Linux conventions and get the Nessus product installed.
After performing an initial vulnerability scan you will need to implement a process for addressing the identified vulnerabilities. In most cases there will be patches or updates available to cure the problem. Sometimes though there may be operational or business reasons why you can't apply the patch in your environment or the vendor of your product may not yet have released an update or patch. In those cases you will need to consider alternative means to mitigate the threat. You can refer to details from sources such as Secunia or Bugtraq or US-CERT to identify any ports to block or services to shut down that might help protect you from the identified vulnerability.
Above and beyond performing regular updates of antivirus software and applying the necessary patches for any new critical vulnerabilities, it is wise to implement a schedule for periodic vulnerability scans to make sure nothing has been missed. Quarterly or semi-annual vulnerability scanning can go a long way to helping you make sure you catch any weaknesses in your network before the bad guys do.