Penetration Testing mailing list archives

RE: Vulnerability scanners


From: Derrick Johnson <derrick_b_johnson () yahoo com>
Date: Fri, 28 Mar 2003 08:46:26 -0800 (PST)

We used Nessus quite extensively. I've actually been
in the business long enough where I've used ISS,
CyberCop, Nessus, Foundscan, and now Qualys.  When I
did IS Consulting, we'd run both ISS and CyberCop, or
either one along with Nessus, because there was a
chance one would find something the other didn't or
one would be able to go into more detail about what
was found and how to fix it.

Qualys definitely has Foundscan beat in terms of
reporting.  However, Foundscan definitely has Qualys
beat in terms of speed.  With Foundscan, you can't
download the report.  You have to copy and paste it
into Word in order to alert the system owner to a
vulnerability - if you don't want to provide them
access to the scanner.  One thing I like about Qualys
is that you can view individual system reports as the
scan is progressing; you don't have to wait until the
entire scan is done to view one system's problems.
Once a system has completed, you click on its IP and
you have a report of that one system.  Comes in handy
for single system reports.

Qualys and Foundscan definitely have Nessus beat in
terms of minimized false positives.  So many times
Nessus would report on a vulnerability only for the
system owner to report that the recommended patch had
already been applied, or that files Nessus was finding
were nowhere to be found on the system.  You can fix
this in Nessus by altering the signature code, whereas
you have to tell Foundstone and Qualys that a
particular finding is a false positive.  What they do
with that info, I have no idea.

Hope this helps

--Derrick


--- Michael Welch <mdwelch () sendsecure com> wrote:
About 4 months ago I performed a comparison of
Qualys, Foundscan, and Vigilante.  They all have their
good and bad points.  The nice thing about Qualys was
that all you had to do is plug the appliance into your
network and you were ready to go.  My concern was that
although your scan data was transferred via https, it
was stored on another company's network.  Being a
security professional, I have a hard time allowing my
internal network scanning results to sit on another's
network.

-----Original Message-----
From: Paris Stone [mailto:paris () ciscoinstructor net]
Sent: Thursday, March 27, 2003 5:25 PM
To: Alex Russell; Jeff Williams @ Aspect; Dan Lynch;
pen-test () securityfocus com
Subject: Re: Vulnerability scanners


The Qualys box is an appliance that is configured
once.  It connects out your firewall using SSL (TCP
443) to hit Qualys's web/scanner server.  It then
retrieves the information (database of exploits,
etc...) and runs them against your internal network.
It then uploads the info to their database servers
using SSL.  Then all of your information is available
via the web with nice reporting, pretty graphics,
etc...  It breaks it down into reports for techies and
reports for non-techies (CxO's) daily, weekly, monthly.
The economies thing is simply that you have a yearly
subscription based upon number of hosts scanned.  A
fixed cost, 24x7x365 tool that doesn't have HR or
benefit issues and doesn't get kids sick and have to
take days off.  It IS easy to set up and administration
is easy for those who can RTFM.

Alex Russell (alex () netWindows org) wrote:

On Thursday 27 March 2003 12:58 pm, Jeff Williams @
Aspect wrote:
Let's assume that you're talking about 256 IPs
(based on Qualys' published pricing), and you want to
scan weekly.  That's at least a day a week of effort
for someone (probably more to generate a very nice
report and summaries).  A full-time sysadmin
(including salary, benefits, office, etc...) probably
costs well north of $100K.  You'd have to include some
equipment costs in there.  So I doubt you could do it
much cheaper. I think vulnerability scanning is a
reasonable thing to outsource for companies that are
not in the security or networking field already.

This sounds like a false economy to me.

First: how does the Qualys box remove the need for
a sysadmin? It's just one more appliance to manage,
and something your existing admin should be able to do
anyway. And if you already didn't have an admin, you'd
need one now that you're thinking in terms of
security. No extra cost here (aside from incremental
admin time).

Secondly: if you've got a trained monkey doing your
report generation, then
you're right about the costs. If, however, you have
a developer automate
most of that, then you can add more nodes to be
scanned at much lower
incremental cost (change a config file).
Additionally, using public
signature sets may have downsides, but using Open
Source tools is good both
for your own internal flexibility and for the world
at large (checks aren't
quite right? set that developer to work writing and
contributing back
better ones!).

All in all, your initial costs to do it in house
with smart people and Open
Source tools might be higher, but your incremental
costs do not grow at
nearly the same rate. OTOH, if you don't have any
admins or developers,
then Qualys might look like a very nice option.

HTH

--
Alex Russell
alex () netWindows org
alex () SecurePipe com

--

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Paris Stone
CISSP, CCNP, CNE/CNI, MCSE/MCT,
Master CIW Administrator, CIW Security Analyst, NSA
A+, Network+, iNet+
http://www.ciscoinstructor.net/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"The rich man is not the one with the most, but the
one who needs the least"
