Q&A: Open Source Network Vulnerability Scanners

Vulnerability management is no longer about maintaining perfectly patched machines.

With today’s well-connected networks, maintaining perfectly patched machines is practically impossible. Thank the small window between vulnerability disclosure and the appearance of a related exploit.

As a recent Yankee Group report notes, price is also a problem. “There are far too many assets in an enterprise network to manage individually, and at an average cost of $235 to patch a desktop (based on a 2003 Yankee Group enterprise security spending survey), patching all vulnerabilities as rapidly as possible becomes cost prohibitive.”

Instead of patching every vulnerability, organizations typically target the most potentially damaging ones. First, however, they have to know which vulnerabilities exist on their networks. For that, companies use network vulnerability scanners.

To discuss these scanners, Security Strategies spoke with Renaud Deraison, who created and maintains Nessus (http://www.nessus.org/), the most widely used open source vulnerability scanner. Deraison is also the chief research officer at Tenable Network Security Inc. in Columbia, Md.

Who uses Nessus? Since it’s free, does that tend to attract smaller organizations with less to spend on security?

Actually, a lot of big companies are using Nessus; it’s not considered as a last resort or cheap option at all. From the Nessus point of view, 75,000 organizations are using it, which makes Nessus the number two, if not the number one scanner on the market.

How does Nessus compare with proprietary network vulnerability scanners?

Basically, Nessus is a scanning engine, not a complete vulnerability assessment and management solution. Generally, I’d be the worst person to ask how it compares to other scanners out there. However, the fact is that the biggest problems with security scanners [are] side effects …

Why do scanners have side effects?

Scanners were developed at a time when security teams were brand new in companies, and … the scanner would need to port-scan a host, or every server, and send probes to see if it’s vulnerable to something or not. The thing is, a lot of devices don’t like being scanned, such as embedded devices. Sometimes a printer, say, will print 20 pages as a result.

Or sometimes the results can be devastating. Say it’s the database in charge of the payroll. If it’s crashing on a Friday night at the end of the month … basically those [security] guys will lose their jobs. This isn’t just Nessus—this is every network vulnerability scanning tool, because you have a tool interacting with software, and you can’t predict every response or guarantee the software won’t crash something.

So side effects are a problem for all scanners?

Yes. No company out there has the resources to set up a lab which can reproduce all the network devices and configuration you’ll find across the world. But thanks to the community built behind Nessus and the free exchange between users and developers, we basically have the best lab in the world. I get feedback from users, sometimes just a few minutes after I publish a new plug-in. In that regard, we compare very well to commercial scanners … and this is why so many companies choose to use Nessus, no matter how big they are.

What’s the advantage of quickly releasing or revising plug-ins?

When the scanner tells you your remote Apache server has to be patched, sometimes a scanner can be wrong, and basically with every commercial offering, people are stuck into believing the scanner blindly. With Nessus, they can actually check to see how the scan was done. So they waste less time …

And the more they use Nessus, [oftentimes] the more [instances] they want to deploy, and basically that’s where Tenable gets in the picture, because we sell a product called Lightning which manages a great number of Nessus scanners.

What advantages do commercial scanners give companies?

They bring the fact that they’re a big company, and won’t go away soon. But with Tenable, we take a lot of customers away from ISS, because people are not happy with their solution, because basically they have not changed their scanning engine much over the last three years. So people are upset with it.

How difficult is Nessus to set up and deploy? Do you need an extremely experienced administrator?

Nessus really is a scanning engine. It does some reports … but what we’re interested in on the Nessus side is the technical detection of vulnerabilities, and that’s it. If people want more than that, then they’re more than encouraged to look at commercial offerings around that. It’s not as complicated as some of the tools out there; we made it very easy to set up and very easy to deploy, so if you wanted to set up a scan of 500 or 1,000 computers for tomorrow, a Unix admin could do that. Now if you’re talking about scanning 50,000 hosts, you need multiple hosts, and multiple scanners to make them work together, and if you don’t use any other commercial tool … it’s going to be [difficult].

[Even simpler, however, is] a version of Nessus called Newt, which is free or commercial, depending upon how you use it … and this is extremely easy to set up.

Beyond side effects, what other challenges do administrators running scans face?

Credentials can be a problem. You can log in to a remote host—provided you have credentials—but even so, sometimes you cannot have access to every host. Not every administrator will give you the password to every host. So what happens is people do a scan once a quarter. Very few people do a weekly scan. So we wrote NeVO, basically Nessus for the network, and maybe we will only see 80 percent of the vulnerabilities, but at least we’ll see them. [Lightning can also manage NeVO.]

How exactly does NeVO differ from Nessus?

NeVO is really a sniffer. It doesn’t look at attacks like an IDS does, but it looks at banners. So when you connect to Apache … we see the [Apache] banner, and we can see whether that version of Apache is vulnerable or not, as well as your browser.

NeVO also avoids scanner side effects—it’s a passive scanner. So it basically sniffs the network 24x7 and determines the presence of vulnerabilities based on the traffic it observes. When you sniff the vulnerabilities, you get all the data for free, so there’s no latency, you don’t ask for permission, [and] you don’t ask for forgiveness. Really, we have horror stories, sometimes with Nessus, sometimes with other scanners, because some vendors out there put such fragile TCP/IP stacks on the market that they’re bound to crash anyway.

Has the shrinking time between disclosure of vulnerabilities, and a related exploit, driven increased use of scanners?

Yes. Basically, one year or two years ago, when there was a new Microsoft advisory, I would not get any e-mail about them. I would write the plug-in [quickly], but there was no pressure. Now when the vulnerability is published—at something like 2 PM eastern time—at 2:30 PM I start receiving e-mails for the plug-in: “Where are the plug-ins? It’s been 20 minutes already!”

How frequently should companies scan? Is quarterly too infrequent?

The fact is, vulnerabilities appear every day. Some of them are critical, like every second Tuesday of the month with Microsoft patches, and some are useless—[say,] a flaw in a content management system no one uses.

Doing a monthly scan would be much, much better than doing a quarterly scan. Monthly should be good enough. But then you really need something like NeVO watching in between scans … If someone plugs in his personal laptop on the network, you probably want to know about that … Basically it just takes one laptop to spread a worm in your network.
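
The banner-based passive detection described for NeVO above can be sketched as follows. This is an added example, not part of the interview and not Tenable's code; the sample responses, the addresses and the version threshold in `MIN_PATCHED` are constructed for illustration.

```python
import re

# Constructed policy: lowest version treated as patched, per product.
# Placeholder thresholds for illustration, not real advisory data.
MIN_PATCHED = {"apache": (2, 0, 52)}

# Product token followed by "/" and a dotted version, e.g. "Apache/2.0.48".
BANNER_RE = re.compile(r"([A-Za-z][A-Za-z\-]*)/(\d+(?:\.\d+)*)")

# Constructed HTTP response headers, as a sniffer would see them on the wire.
SAMPLE = [
    ("192.0.2.5", "HTTP/1.1 200 OK\r\nServer: Apache/2.0.48 (Unix)\r\n\r\n"),
    ("192.0.2.6", "HTTP/1.1 200 OK\r\nServer: Apache/2.0.54\r\n\r\n"),
    ("192.0.2.7", "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n"),   # version hidden
    ("192.0.2.8", "HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"),  # no banner
]

def parse_banner(banner):
    """Return (product, version tuple); version is None when none is exposed."""
    m = BANNER_RE.search(banner)
    if m:
        return m.group(1).lower(), tuple(int(p) for p in m.group(2).split("."))
    token = banner.strip().split(" ")[0].lower()
    return (token or None), None

def server_header(raw):
    """Extract the Server header value from a raw response, or '' if absent."""
    for line in raw.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return ""

def assess(observations):
    """Map host -> (status, banner); status is vulnerable, ok or unknown."""
    findings = {}
    for host, raw in observations:
        banner = server_header(raw)
        product, version = parse_banner(banner)
        floor = MIN_PATCHED.get(product)
        if version is None or floor is None:
            status = "unknown"      # passive data cannot decide; needs an active check
        elif version < floor:
            status = "vulnerable"
        else:
            status = "ok"
        findings[host] = (status, banner)
    return findings

if __name__ == "__main__":
    for host, (status, banner) in assess(SAMPLE).items():
        print(f"{host:12} {status:10} {banner!r}")
```

A banner is only a claim: vendors backport fixes without changing the version string and administrators can hide or alter it, so a "vulnerable" result is a lead to verify and an "unknown" result is where passive coverage runs out.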

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies columnist, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.