Educause Security Discussion mailing list archives

Re: Evaluating Rapid7's Nexpose


From: "Ferris, Joe" <jferris () ADMIN FSU EDU>
Date: Thu, 12 Apr 2007 11:53:34 -0400

We have been using NeXpose for over a year and a half after a long
evaluation period.  Our experiences with Rapid7 have been positive; we
can always reach a live person and they are more than willing to work
with us on any issue or suggestion.  We have been working with their
company to improve NeXpose and many of our suggestions have been
included in their recent upgrade/release.  We have a fairly large
deployment of their solution and it continues to grow each week.

From what we have seen, we do not normally have any issues with false
positives on the Windows side or with most versions of *nix.  We have
seen false positives with some Debian distributions and also Solaris
systems.  The patch versions seem to report back information that is a
little different than what NeXpose is expecting to see.  We are
currently working with them to correct these false positives.  Also, we
are using the NeXpose internal ticketing system for administrators to
report false positives back to us and that seems to be working pretty
well.

The older Derby database was not as scalable for us (smaller deployments
may be fine) and did show some performance problems in the past.  The
latest release supports PostgreSQL and should not have the same issues
for our deployment.

We have had access to an older version of the API documentation and
there seems to be a lot that can be done with it; I'll have to call them
today and see if I can get an updated version.  We have done a lot with
tweaking the scan engine (settings and configuration for how you are
scanning, ports, vulnerability checks, network discovery, etc.) but
have not had to write many custom scripts.  We are planning on working
with Rapid7 to include some custom rules in the future though.

If you have any other questions please let me know and I'll do what I
can to help.

Regards,

Joe Ferris
Network Security Engineer
Florida State University
850-645-8051 (Work)
850-694-4064 (Mobile)
jferris () admin fsu edu 


-----Original Message-----
From: Michael Bayne [mailto:baynema () JMU EDU] 
Sent: Wednesday, April 11, 2007 11:28 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Evaluating Rapid7's Nexpose

We're currently evaluating Rapid7's Nexpose vulnerability scanner.  They
claim to have a large install base in education, so I thought I'd see if
any of you were using it and what your experience with it has been.

I'm particularly interested in your estimates of false positives/false 
negatives, how you handle false positives in reporting, scalability, 
experiences with Rapid7's technical support, how well its database and 
web services scans work.

The marketing guy was pushing the fact that all the vulnerability checks
are stored in text files and custom vulnerability checks can be written.
The scripting language for the checks seems to be proprietary,
however, which makes writing custom checks a tad bit hard without
documentation.  Has anyone tried to write custom checks?  Have you had
custom checks written for you by Rapid7?  Have you been able to get
documentation about scripting from Rapid7?

Any other thoughts you might want to share would be appreciated.

Thanks.

-- 

Mike Bayne
Security Engineer
baynema () jmu edu
1.540.568.1684
