No-frills security scanning

Nessus and Internet Scanner prove less costly but less capable

IT managers were already busy finding and fixing security holes in their networks when the Blaster worm sparked a new sense of urgency. The good news is, there is no shortage of tools to help with the task. In “Uncovering Network Holes” we looked at two pricey and polished vulnerability assessment products from Qualys and Foundstone. Here we examine two less costly and less capable alternatives from Internet Security Systems (ISS) and the Nessus Project.

Qualys and Foundstone did very well in our tests. Both of these appliance-based solutions combine fast and accurate scanning with a rich set of reporting options and helpful features such as scan scheduling, network mapping, and trouble ticketing systems for tracking your progress in addressing the network vulnerabilities they identify.

We were not so impressed by Internet Scanner 7.0 or Nessus 2.0.6, both of which lack the strong reporting capabilities of Qualys and Foundstone, as well as the ability to map networks, track remediation efforts, and automate scans and updates to the vulnerabilities database. Internet Scanner and Nessus also proved more difficult to set up and manage.

On the other hand, the scanning engines of Internet Scanner and Nessus were accurate, with verifiable reporting and links to Mitre’s CVE (Common Vulnerabilities and Exposures) list. Their reports, while bare-bones, were easily accessible, requiring only that the end user have a Web browser. For shops willing to do without frills, and whose reporting needs are minimal, Internet Scanner and Nessus can do the job. Because Nessus is free, and performed better in our tests, we recommend it over ISS’s Internet Scanner.

The Price Leader

Nessus consists of both server and client components, with the server doing the scanning and assessment. Although the server is only available for Unix and Linux, you can choose from several clients, including those for Windows, several flavors of Unix and Linux, a Java client, and even one in development for the Sharp Zaurus PDA. Tenable Network Security is developing a commercial version of Nessus for Windows servers, scheduled for release in the fourth quarter of 2003. It will add functionality missing in the open source version of Nessus, such as a Web interface and remediation management, but it won’t be free. 

We also tested Nessus under Knoppix-STD (Security Tools Distribution), a product that we can’t rain enough praise on. Knoppix is a one-disk bootable version of Linux, incorporating Nessus as part of the Knoppix toolkit. We found this by far the easiest and most convenient way to run Nessus.

Although Nessus has third-party support for Web access capabilities, the default installation required us to use Windows or Linux clients, neither of which has the ability to schedule a scan. We had to enter our network’s IP addresses manually or via a file import capability in order to scan; in either case, Nessus required us to enter either a range of addresses or a single address at a time. On the plus side, Nessus’s client-server approach allows IT staff to control scans from multiple clients.

While we weren’t presented with any helpful network information or recently discovered vulnerabilities when we logged in to Nessus, as we were with Qualys and Foundstone, we did have a functional interface to initiate our scans. Up-to-date vulnerability information and scripts can be gathered simply by typing the command nessus-update-plugins.

Nessus’s reporting options match up with Internet Scanner, but fall far short of Qualys and Foundstone. Nessus does present both a basic and a technically oriented report, and it includes some limited color graphs and pie charts via HTML. It also lets you compare reports from two scans taken at different times, creating a data trend of sorts. But because Nessus lacks a database, it cannot provide the historical trending reports necessary to track the progress of remediation efforts or indicate whether your network is becoming more or less secure over time. Here again, third-party help is available; Inprotect allows customization of Nessus to add a database for storing historical data and scheduling scans.
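The two-scan comparison described above can be scripted outside Nessus. The following is an added example, not code from the article or from the Nessus Project; it assumes Nessus’s pipe-delimited NBE export format (results|subnet|host|port|plugin_id|severity|text), and the two sample exports, hosts and plugin IDs are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample NBE exports (not real scan output): the same subnet scanned a week apart.
SCAN_WEEK1 = """\
timestamps|||192.168.1.10|host_start|Mon Sep  8 09:00:01 2003|
results|192.168.1|192.168.1.10|ssh (22/tcp)|10001|NOTE|An SSH server is running on this port
results|192.168.1|192.168.1.10|www (80/tcp)|10002|REPORT|Outdated web server with a remote root hole
results|192.168.1|192.168.1.10|ftp (21/tcp)|10003|INFO|Anonymous FTP login is allowed
results|192.168.1|192.168.1.20|netbios-ssn (139/tcp)|10004|REPORT|Unpatched RPC service
timestamps|||192.168.1.10|host_end|Mon Sep  8 09:04:15 2003|
"""
SCAN_WEEK2 = """\
results|192.168.1|192.168.1.10|ssh (22/tcp)|10001|NOTE|An SSH server is running on this port
results|192.168.1|192.168.1.10|ftp (21/tcp)|10003|INFO|Anonymous FTP login is allowed
results|192.168.1|192.168.1.20|netbios-ssn (139/tcp)|10004|REPORT|Unpatched RPC service
results|192.168.1|192.168.1.20|www (80/tcp)|10005|REPORT|New web server with a known hole
"""

def parse_nbe(text):
    """Map (host, port, plugin_id) -> severity for every 'results' record; other record
    types (timestamps etc.) are skipped. Severity is NOTE, INFO (warning) or REPORT (hole)."""
    findings = {}
    for line in text.splitlines():
        fields = line.split("|", 6)          # the free-text field may itself contain '|'
        if len(fields) == 7 and fields[0] == "results":
            _, _subnet, host, port, plugin, severity, _text = fields
            findings[(host, port, plugin)] = severity
    return findings

def trend(old_text, new_text, min_severity="INFO"):
    """Per-host remediation trend between two scans: how many findings were fixed, newly
    introduced, or are still open, counting only findings at or above min_severity."""
    rank = {"NOTE": 1, "INFO": 2, "REPORT": 3}
    floor = rank[min_severity]
    old = {k for k, s in parse_nbe(old_text).items() if rank[s] >= floor}
    new = {k for k, s in parse_nbe(new_text).items() if rank[s] >= floor}
    per_host = defaultdict(lambda: {"fixed": 0, "new": 0, "open": 0})
    for key in old - new:
        per_host[key[0]]["fixed"] += 1      # present last week, gone now
    for key in new - old:
        per_host[key[0]]["new"] += 1        # appeared since the last scan
    for key in old & new:
        per_host[key[0]]["open"] += 1       # still unremediated
    return dict(per_host)

if __name__ == "__main__":
    for host, counts in sorted(trend(SCAN_WEEK1, SCAN_WEEK2).items()):
        print(host, counts)
```

Feeding each week’s export into a small table keyed by host and date gives the historical trend the review notes Nessus 2.0.6 cannot produce on its own.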

When scanning, we found Nessus to be fairly snappy, depending on the hardware platform. Nessus helpfully notes whether a server stopped responding during a scan, and we found its ability to recognize possible false positives useful. We also liked Nessus’s passive, non-destructive scanning mode, which identifies vulnerabilities without launching exploits that may crash a host or service. The option of using the Nessus attack-scripting language to build our own security tests pleased us, too.

To its credit, Nessus also supports a PKI of sorts, using a certificate for authentication. We could also create accounts and access rules for different users. However, because management of the Nessus server is based on command-line parameters, it can be a bit clunky.

In short, Nessus isn’t the most feature-rich or prettiest vulnerability assessment product on the market, but we can’t complain about what we get for the price. Although we did have some problems with scanned hosts freezing or locking up during Nessus scans, the machines returned to normal once the scan was completed. Overall, we would like to see stronger reporting, including trending analysis, and a Web interface would be a plus. But if your needs are simple, Nessus does the job of identifying vulnerabilities and recommending fixes, and the Knoppix/Nessus combination goes a long way toward making the scanner easy to use.

A Mixed Bag

Internet Scanner requires MSDE (Microsoft SQL Server 2000 Desktop Edition), which must be downloaded and installed separately; we had some problems loading MSDE on our test machines. We then installed the Internet Scanner package, and encountered several annoyances, such as having to agree to the license agreement twice and clicking four dialogs to specify a directory for the install. These problems were trivial but indicative of the frustrations we experienced with the ISS product. Not so trivial was the instability of the Internet Scanner application, which crashed repeatedly during testing.

Internet Scanner’s management interface is straightforward and divided into three panes. The first pane is the Hosts Tree, which provides detailed information on machines, vulnerabilities, services, and accounts. The next pane is the Properties View, which lists discovered hosts and the specifics of each host, including OS identification and MAC address. The third pane is the Status View, which reports progress during a scan.

We discovered we could schedule a scan several ways, but not from within the Windows application itself, and we didn’t particularly like the methods at our disposal. We were limited to either the Windows Task Scheduler or the Internet Scanner’s Engine Manager via command line. We were not impressed.

We did, however, like Internet Scanner’s ability to import IP addresses. In fact, its IP import functionality was better than any product we’ve tested so far. And we could easily select from a variety of vulnerability assessment policies to run, and even edit a policy while a scan was in process.

Internet Scanner breaks reports into three categories: Executive, Line Management, and Technician. We found the reports, based on Crystal Reports, to be simplistic for a commercial product, and the report-generated graph layout was somewhat confusing.

We could export reports in several formats, including PDF (in multiple languages), HTML, and RTF. We could also export a list of hosts based on OS and/or service to a text file.

Like Nessus, Internet Scanner includes a scripting language, FlexChecks, for creating custom security tests. FlexChecks scripts can be written in either C or Perl. Internet Scanner displays the MAC address of a scanned host, so we could more easily track a host down in a DHCP environment. During scans, Internet Scanner can detect which OS is running on a host and limit its vulnerability checks to the specific OS. On the down side, when we hid an IP address via stealth, Internet Scanner couldn’t initiate a scan.

Translating accurate vulnerability assessments into a foolproof report, one that even Dilbert’s boss can understand, should be the ultimate goal of a vulnerability scanner. Neither Nessus nor Internet Scanner achieved this level of perfection but both performed accurate scans and provided the essential information. Although neither of these products is in the same class as those from Qualys and Foundstone, either one can tell you what you need to know about your network and how to fix it. If the choice comes down to Nessus or Internet Scanner, Nessus is the clear winner in our book.

InfoWorld Scorecard

Category         Weight    ISS Internet Scanner 7.0    Nessus 2.0.6
Performance      15.0%     5.0                         7.0
Reporting        25.0%     5.0                         5.0
Value            10.0%     5.0                         10.0
Management       20.0%     6.0                         5.0
Scalability      10.0%     7.0                         7.0
Setup            10.0%     5.0                         6.0
Security         10.0%     7.0                         8.0
Overall Score    100%      5.6                         6.4