Penetration Testing mailing list archives
RE: Vulnerability scanners
From: Derrick Johnson <derrick_b_johnson () yahoo com>
Date: Fri, 28 Mar 2003 08:46:26 -0800 (PST)
We used Nessus quite extensively. I've actually been in the business long enough where I've used ISS, CyberCop, Nessus, Foundscan, and now Qualys. When I did IS Consulting, we'd run both ISS and CyberCop, or either one along with Nessus, because there was a chance one would find something the other didn't or one would be able to go into more detail about what was found and how to fix it.

Qualys definitely has Foundscan beat in terms of reporting. However Foundscan definitely has Qualys beat in terms of speed. With Foundscan, you can't download the report. You have to copy and paste it into Word in order to alert a system owner to a vulnerability - if you don't want to provide them access to the scanner. One thing I like about Qualys is that you can view individual system reports as the scan is progressing; you don't have to wait until the entire scan is done to view one system's problems. Once a system has completed, you click on its IP and you have a report of that one system. Comes in handy for single system reports.

Qualys and Foundscan definitely have Nessus beat in terms of minimized false positives. So many times Nessus would report on a vulnerability only for the system owner to report that the recommended patch had already been applied, or that files Nessus was finding were nowhere to be found on the system. You can fix this in Nessus by altering the signature code, whereas you have to tell Foundstone and Qualys that a particular finding is a false positive. What they do with that info, I have no idea.

Hope this helps

--Derrick

--- Michael Welch <mdwelch () sendsecure com> wrote:

About 4 months ago I performed a comparison of Qualys, Foundscan, and Vigilante. They all have their good and bad points. The nice thing about Qualys was that all you had to do is plug the appliance into your network and you were ready to go. My concern was that although your scan data was transferred via https it was stored on another company's network. Being a security professional I have a hard time allowing my internal network scanning results sitting on another's network.

-----Original Message-----
From: Paris Stone [mailto:paris () ciscoinstructor net]
Sent: Thursday, March 27, 2003 5:25 PM
To: Alex Russell; Jeff Williams @ Aspect; Dan Lynch; pen-test () securityfocus com
Subject: Re: Vulnerability scanners

The Qualys box is an appliance that is configured once. It connects out through your firewall using SSL (TCP 443) to hit Qualys's web/scanner server. It then retrieves the information (database of exploits, etc...) and runs them against your internal network. It then uploads the info to their database servers using SSL. Then all of your information is available via the web with nice reporting, pretty graphics, etc... It breaks it down into reports for techies and reports for non-techies (CxO's) daily, weekly, monthly.

The economies thing is simply that you have a yearly subscription based upon number of hosts scanned. A fixed cost, 24x7x365 tool that doesn't have HR or benefit issues and doesn't get kids sick and have to take days off. It IS easy to set up and administration is easy for those who can RTFM.

Alex Russell (alex () netWindows org) wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thursday 27 March 2003 12:58 pm, Jeff Williams @Aspect wrote:

Let's assume that you're talking about 256 IPs (based on Qualys' published pricing), and you want to scan weekly. That's at least a day a week of effort for someone (probably more to generate a very nice report and summaries). The cost of a full-time sysadmin (including salary, benefits, office, etc...) probably costs well north of $100K. You'd have to include some equipment costs in there. So I doubt you could do it much cheaper. I think vulnerability scanning is a reasonable thing to outsource for companies that are not in the security or networking field already.

This sounds like a false economy to me.

First: how does the Qualys box remove the need for a sysadmin? It's just one more appliance to manage, and something your existing admin should be able to do anyway. And if you already didn't have an admin, you'd need one now that you're thinking in terms of security. No extra cost here (aside from incremental admin time).

Secondly: if you've got a trained monkey doing your report generation, then you're right about the costs. If, however, you have a developer automate most of that, then you can add more nodes to be scanned at much lower incremental cost (change a config file). Additionally, using public signature sets may have downsides, but using Open Source tools is good both for your own internal flexibility and for the world at large (checks aren't quite right? set that developer to work writing and contributing back better ones!).

All in all, your initial costs to do it in house with smart people and Open Source tools might be higher, but your incremental costs do not grow at nearly the same rate. OTOH, if you don't have any admins or developers, then Qualys might look like a very nice option.

HTH

- --
Alex Russell
alex () netWindows org
alex () SecurePipe com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE+g3J/oV0dQ6uSmkYRAvN6AJ44Qwzu3sSypJkLDRbl1W1ZjrrnswCZASf0m88qoVsnBJR2vt7vXZaYyKc=
=kMak
-----END PGP SIGNATURE-----

top spam and e-mail risk at the gateway. SurfControl E-mail Filter puts the brakes on spam & viruses and gives you the reports to prove it. See exactly how much junk never even makes it in the door. Free 30-day trial: http://www.surfcontrol.com/go/zsfptl1

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Paris Stone CISSP, CCNP, CNE/CNI, MCSE/MCT, Master CIW Administrator, CIW Security Analyst, NSA A+, Network+, iNet+
http://www.ciscoinstructor.net/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"The rich man is not the one with the most, but the one who needs the least"
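Derrick's point about scanner false positives (a check fires even though the recommended patch is already on the box) is usually handled on the defender's side by reconciling findings against what the system owners report as applied, and by producing the per-host view he likes in Qualys. The script below is an added illustration, not code from this thread or from any of the products discussed; the finding fields, patch names and hosts are constructed sample data, not real scanner output.

```python
"""Reconcile vulnerability-scanner findings against known patch state.

Added example (not from the mailing-list thread). Each finding records the
host, the check that fired and the patch the scanner recommends; the inventory
records which patches each host's owner reports as installed. A finding whose
recommended patch is already installed is flagged as a probable false positive
for review rather than silently dropped, so the scanner signature (or the
owner's claim) can be corrected.
"""
from collections import defaultdict

# Constructed sample findings; the field names are assumptions, not a real scanner's format.
FINDINGS = [
    {"host": "10.0.0.5", "check": "example-check-1", "patch": "PATCH-A", "severity": "high"},
    {"host": "10.0.0.5", "check": "example-check-2", "patch": "PATCH-B", "severity": "medium"},
    {"host": "10.0.0.9", "check": "example-check-1", "patch": "PATCH-A", "severity": "high"},
    {"host": "10.0.0.9", "check": "example-check-3", "patch": None, "severity": "low"},
]

# Constructed inventory: patches the system owners report as applied per host.
APPLIED_PATCHES = {
    "10.0.0.5": {"PATCH-A"},
    "10.0.0.9": set(),
}


def classify(finding, applied):
    """Return 'probable-fp' when the recommended patch is already applied,
    'needs-review' when the scanner names no patch to check against,
    and 'confirmed' otherwise."""
    patch = finding.get("patch")
    if patch is None:
        return "needs-review"
    if patch in applied.get(finding["host"], set()):
        return "probable-fp"
    return "confirmed"


def reconcile(findings, applied):
    """Group findings per host, each annotated with its classification."""
    report = defaultdict(list)
    for f in findings:
        report[f["host"]].append({**f, "status": classify(f, applied)})
    return dict(report)


def host_report(report, host):
    """Single-system view: one host's findings, without waiting on the rest."""
    lines = [f"Host {host}"]
    for f in sorted(report.get(host, []), key=lambda x: x["check"]):
        lines.append(f"  {f['check']:<16} {f['severity']:<7} {f['status']}")
    return "\n".join(lines)


def summary(report):
    """Count findings by classification across all hosts."""
    counts = defaultdict(int)
    for items in report.values():
        for f in items:
            counts[f["status"]] += 1
    return dict(counts)


if __name__ == "__main__":
    rep = reconcile(FINDINGS, APPLIED_PATCHES)
    for h in sorted(rep):
        print(host_report(rep, h))
    print(summary(rep))
```

The probable false positives stay in the report with their own status rather than being filtered out: the owner's "already patched" claim is itself unverified until someone checks the file version or package state on the host, and keeping the record is what lets you go back and fix the check.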