After Hours

General discussion


Tech Notes

By ShannonSnowden ·
Tags: Off Topic
blog root

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Comments

Collapse -

Right Tool For the Job - Nessus

by ShannonSnowden In reply to Tech Notes

<a href="img">"><img src="" style="border-style: none"></a>

<h2>The Need</h2>

<p>Vulnerability assessments are one of the key tools that
information security professionals use to learn about their network environment. With the increasing quantity of threat agents
and government regulations that carry harsh penalties, businesses have to know
where their security vulnerabilities exist and now to mitigate them. </p>

<p>I had an opportunity a little over a year ago to help
analyze tools for a vulnerability assessment proof of concept project at a
multi-national Fortune 500 company. The idea of the project was to learn the
business value that vulnerability assessments might provide and to discover the
actual vulnerabilities. </p>

<h2>The Job</h2>

<p>We were sure some level of vulnerability assessments were
necessary, but recognized that there were no internal mitigation processes to
support the findings of the assessments. This proved to be a good intuition.
About nine months after we were successfully scanning and building processes, I
read an article about a company who had spent about $90,000 on a commercial
vulnerability scanning solution only to see it fail miserably because they had
not developed support processes.</p>

<p> For the proof of concept phase, the scanner couldn?t be on a
short evaluation period timeframe because as much as the technical results of
the scans were important, building internal mitigation support processes were
equally important. </p>

<h2>The Tool</h2>

<p>Even though we had access to commercial tools, we chose the
open source Nessus ( vulnerability scanner. Nessus is the de facto
standard of vulnerability scanners. In fact, many commercial products use the
Nessus engine in their products and nearly every major security hardware vendor
supports Nessus scan results. </p>

<p>Nessus currently comes in two versions. The open source Nessus
2.2.x version and the recently released Nessus 3 closed source but free
version. Tenable Security (<a href=""></a&gt
supports the Nessus project and maintains the development of both versions.</p>

<p> <br />Nessus features include:</p>

configurable scan options like scanning as few a one host to multiple
subnets. </li></ul><ul><li>DNS
resolution or MAC address tracking for DHCP-enabled targets</li></ul><ul><li>Scan
throttling to avoid network bandwidth saturation</li></ul><ul><li>Fully
featured, highly configurable nmap port scanner </li></ul><ul><li>Plug-ins
- each plug-in is a test, for example every Microsoft security patch is a
separate plug in. Currently there are over 10,000 for the free version of
Nessus 3</li></ul><ul><li>NASL
scripting that allows custom plug-in creation</li></ul><ul><li>GUI or
command line clients </li></ul><ul><li>Reports
in .html and txt formats</li></ul><ul><li>Exports
directly to MySQL databases for analysis</li></ul>

<h2>Working with Nessus</h2>

<p>Nessus uses client-server architecture and is deployable on
many different operating system types. Tenable Security offers a version of the
Nessus scanner for Windows called NeWT, however; it is not as feature-rich as
the Linux version of Nessus. </p>

<p>We really wanted to test the full features of Nessus so we
decided to go with a SuSE Enterprise Linux 9 virtual machine on VMWare ESX for
the server and our Windows XP machines running the Nessuswx GUI client. </p>

<p>The members of the testing team were not Linux gurus and
fortunately, the installation of Nessus over a year ago on was not that
difficult, but challenged our Linux skills. Today installing Nessus on openSUSE
10 Linux is no harder than installing an application on Windows. You only need
a minimum installation of openSUSE 10, and then install the Nessus .rpm from <a href=""></a>. The
installation sets up Nessus as a running service on the openSUSE machine. </p>

<p>We began scanning local subnets and generated the built-in
.html reports that Nessus creates. We found unknown vulnerabilities on the
network nearly from the first scans completed. As I gained confidence in
Nessus, and learned how to throttle the bandwidth usage, we expanded our
scanning out to the company facilities near our location, then eventually to
the locations throughout the United


<p>You can scan with administrator credentials on the target
machine, or as an unknown user to get different views of vulnerabilities with
Nessus. Nessus scans ports and checks vulnerabilities in discovered services as
the unknown user or with administrator credentials, conducts full host-based
scans checking registry settings, services and file permission vulnerabilities.

<p>Since Nessus has the ability to export the scan findings
into MySQL, I installed MySQL and use custom queries to sort through the
generous quantity of vulnerability data that Nessus creates. We conduct scans on the company?s subnets
located all over the world from the Louisville location and generate insightful vulnerability reports using Nessus and MySQL.

</p><p>See these screenshots (<a href="../../2300-1009-6048886.html" title=""></a&gt
of Nessus and Nessuswx in the Nessus gallery. </p><h2><strong>Right tool for the job?</strong></h2>

<p>With Nessus in production for a little over a year now, we
are able to provide the company the vulnerability assessment information from
any facility in the world that we knew it needed. </p>

<p>Because Nessus is free, runs on free operating systems and
requires little hardware resources, it has allowed the internal support
processes to develop along with the skill sets to support vulnerability
analysis.</p><h2><b>Write your own review</b></h2><p>If you've found the perfect tool for the job, we want to hear about it. <a href="">Send us an e-mail</a> describing the product and the job you're using it for. If we feature the product in The Right Tool for the Job? blog, you'll earn a little cash and be featured across the TechRepublic Web site and in our newsletters. </p>

Collapse -

Right Tool For the Job - Nessus

by rapell In reply to Right Tool For the Job - ...

    Nice. really nice. How would you compare/reconcile this magic with Metasploit framework or snort?

Collapse -

Right Tool For the Job - Nessus

by ShannonSnowden In reply to Right Tool For the Job - ...

I'm not too familiar with Metasploit, but I think it is more focused on
actually exploiting the vulnerability than just detecting it. Nessus is
focused on discovering that the vulnerability exists and reporting it
so it can be mitigated. <br />
<br />
Consider that typical Nessus scans are active, which means that you
launch the scan and it performs a snapshot discovery of
vulnerabilities. This gives you a good comparison to what Snort does.

Snort is a tool looking for nefarious patterns or intrusion attempts on
the live network based on rules that you create. These two tools
compliment each other because a host could have a vulnerability that
hasn't been exploited, but Nessus detects it and you mitigate the
vulnerability before it impacts your network.

Collapse -

Right Tool For the Job - Nessus

by delimiter2 In reply to Right Tool For the Job - ...

This is a nice article. I'm just now starting a automated vulnerability assessment project for my employer. I'm wondering which version of nessus you are using (you mention 2.2.x and 3 but don't say which) and why? Also it would be nice to know about delta-tracking, which is the ability to see what changes week-to-week or month-to-month. Does mysql help towards that functionality?<br /><br />One program I looked at was inprotect, but it seems to have become outdated and doesn't support nessus 3.0. Alas I have instead chosen to use nscan from

Collapse -

Right Tool For the Job - Nessus

by ShannonSnowden In reply to Right Tool For the Job - ...

<br />Thanks for your comments Mark. <br />
<br />
We actually used both versions. We are now currently running version 3.
<br />
<br />
There are several differences between versions 2 and 3, primarily version 2 is open source and 3 is not. Version 3 is
still free to use, but Tenable closed the source. This <a href="">link </a>explains the performance differences between the versions very
well. <br />
<br />
Both versions have a delta scan option for you to track just the
changes between scans, this certainly can be elaborated upon with MySQL
queries. <br />
<br />
nscan looks interesting. I struggled with how to get the scan options
set up and scheduled, but eventually found that using the NessusWX
client to set up the scan parameters, export it to the Nessus server
and launch the scan from the server's secure shell was the most

Related Discussions

Related Forums