Educause Security Discussion mailing list archives
Re: Vulnerability Scanner Recommendations
From: John Ladwig <John.Ladwig () SO MNSCU EDU>
Date: Fri, 16 Nov 2012 23:38:06 +0000
We're a whopping big system (fifty-mumble campuses, a couple of data centers, statewide network), so we have scaling issues (dozens of responsible network/server admins, hundreds of networks, tens of thousands of devices, and over half a hundred scanning devices) that you may or may not have to deal with in your environment.

We use nCircle IP360 for regular internal and monthly "external"ish (outside our common address ranges) vulnerability scans. Their delegation and permissions model scales quite well to our needs for scan scheduling, asset grouping, and reporting. We also use Qualysguard for PCI DSS-mandated quarterly ASV scanning and reporting. It also seems to have the properties to scale well, though we have a lot fewer users and networks enrolled in the product.

nCircle is a well put together solution. Their scanning devices are pretty simple flash-based 1-rack-unit devices, which call home to an on-our-premises mothership for updates and marching orders, as well as delivering scan data. The scanners have multiple ethernets, and each can be configured as 802.1Q trunks, which we find pretty handy for a lot of our environments, e.g. negating the need for explicit permit ACLs on internal control points and so on.

nCircle has a proprietary vulnerability-scoring model that doesn't map especially well to compliance mandates such as "remediate quickly all vulnerabilities with a CVSS base score above 4.0". However, if the scoring model (and it's recently become a little more tunable than it was in the past) suits you, it does allow for some pretty impressive slice-and-dice patch-prioritization and reporting methodologies; scores can range from 0 up through several hundred thousand, if that suits your goals and organizational structure and incentives/penalties. It's not a cheap product, though.

Qualysguard, for us, seems a bit better fit for compliance regimes like PCI DSS, exposing the CVSS base scores in a more usable way. They also rate vulns on a 1-5 scale, which for a lot of orgs is more than enough to differentiate between sets of machines and different levels of prioritization. The process of moving a quarterly scan report to their PCI DSS compliance portal and thence to a compliance reporting point for an acquiring bank seems a bit fiddly for most of our campus users. For the small number of externally-visible in-scope IPs we have, the Qualysguard pricing is reasonable.

Both of the above products give very nice reporting and vulnerability/host/host-OS/network history graphing, which can be pretty handy.

In addition, we have a number of seats in Veracode for our enterprise web-app developers. They (and our AppSec coordinator/cheerleader) seem to like it for both static analysis and dynamic over-the-wire webapp vuln scanning. We've recently gotten another pen-testish webapp scanner, but I can't recall the product name at the moment, and we haven't done more than begun to kick the tires as yet.

Nessus and suchlike are fine tools for pen-test and very small environments, but trying to manage a historical view of a host or set of hosts by collating standalone report documents is something that I've only seen done very manually and painfully. I can only imagine that Tenable must have put together some sort of overall console/management system to handle this sort of thing, but I've never had a chance to interact with it.

So, like so many times, "a recommendation depends on what resources you have, and what your goals are."

-jml

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Greg Schmalhofer
Sent: Thursday, November 15, 2012 10:22 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Vulnerability Scanner Recommendations

Educause security group,

Can anyone recommend a particular vulnerability scanner software, product, appliance, or service that you are using at your campus? This is a need at our campus and I am trying to review the different options available for a small campus. Thanks for any help, insight, or feedback you can provide.

Thanks,
Greg Schmalhofer
Millersville University
Information Security Coordinator
Millersville, PA
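The reply above makes two points that a small shop without a management console has to solve by hand: keeping a per-host history across standalone scan reports, and turning scanner scores into a remediation queue against a mandate like "CVSS base score above 4.0". The script below is an added example written for this archive page, not code from the post or from any of the products named in it. It assumes scan exports have already been parsed into (date, host, finding id, CVSS base) records; the records, the finding IDs (FINDING-A and so on) and the RFC 5737 documentation addresses are constructed sample data, not real plugin or QID values.

```python
"""Collate several standalone scan exports into a per-host vulnerability history.

Added example, not from the mailing-list post. The scan records below are
constructed (placeholder finding IDs, RFC 5737 documentation addresses); a
real export from Nessus, Qualys or IP360 would be parsed into the same shape.
"""
from collections import defaultdict
from dataclasses import dataclass

# The "remediate quickly all vulnerabilities with a CVSS base score above 4.0"
# mandate quoted in the post, used as the default prioritisation cut-off.
CVSS_REMEDIATE_THRESHOLD = 4.0


@dataclass(frozen=True)
class Finding:
    scan_date: str      # ISO date of the scan run (sorts lexicographically)
    host: str
    finding_id: str     # constructed placeholder, not a real plugin ID / QID
    cvss_base: float


# Three dated scan exports covering the same two hosts (constructed sample data).
# FINDING-A disappears after the October scan; FINDING-D appears in October.
SCAN_EXPORTS = [
    Finding("2012-09-01", "192.0.2.10", "FINDING-A", 7.5),
    Finding("2012-09-01", "192.0.2.10", "FINDING-B", 2.1),
    Finding("2012-09-01", "192.0.2.20", "FINDING-C", 5.0),
    Finding("2012-10-01", "192.0.2.10", "FINDING-A", 7.5),
    Finding("2012-10-01", "192.0.2.10", "FINDING-B", 2.1),
    Finding("2012-10-01", "192.0.2.20", "FINDING-C", 5.0),
    Finding("2012-10-01", "192.0.2.20", "FINDING-D", 9.3),
    Finding("2012-11-01", "192.0.2.10", "FINDING-B", 2.1),
    Finding("2012-11-01", "192.0.2.20", "FINDING-D", 9.3),
]


def host_history(findings):
    """Return {host: {scan_date: set(finding_id)}} with scan dates in order."""
    history = defaultdict(lambda: defaultdict(set))
    for f in findings:
        history[f.host][f.scan_date].add(f.finding_id)
    return {host: dict(sorted(dates.items())) for host, dates in history.items()}


def finding_lifecycle(findings, host):
    """First-seen / last-seen scan date per finding on one host.

    A finding whose last_seen predates the host's newest scan is treated as
    closed (no longer reported); otherwise it is still open.
    """
    dates = sorted({f.scan_date for f in findings if f.host == host})
    if not dates:
        return {}
    newest = dates[-1]
    life = {}
    for f in findings:
        if f.host != host:
            continue
        first, last = life.get(f.finding_id, (f.scan_date, f.scan_date))
        life[f.finding_id] = (min(first, f.scan_date), max(last, f.scan_date))
    return {fid: {"first_seen": first, "last_seen": last, "open": last == newest}
            for fid, (first, last) in life.items()}


def open_above_threshold(findings, threshold=CVSS_REMEDIATE_THRESHOLD):
    """Findings present in each host's newest scan with CVSS base > threshold,
    highest score first: the remediation queue a compliance mandate asks for."""
    latest = {}
    for f in findings:
        latest[f.host] = max(latest.get(f.host, f.scan_date), f.scan_date)
    queue = [f for f in findings
             if f.scan_date == latest[f.host] and f.cvss_base > threshold]
    return sorted(queue, key=lambda f: (-f.cvss_base, f.host, f.finding_id))


if __name__ == "__main__":
    for host, dates in host_history(SCAN_EXPORTS).items():
        print(host, {d: sorted(ids) for d, ids in dates.items()})
    print(finding_lifecycle(SCAN_EXPORTS, "192.0.2.10"))
    for f in open_above_threshold(SCAN_EXPORTS):
        print(f"{f.cvss_base:4.1f} {f.host} {f.finding_id}")
```

Keying history on (host, scan date) rather than on the report file is what makes "has this finding been open for three scans?" a one-line question instead of a manual comparison of PDFs; the threshold function deliberately looks only at each host's newest scan so that a finding that has already dropped off does not linger in the queue.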
Current thread:
- Vulnerability Scanner Recommendations Greg Schmalhofer (Nov 15)
- Re: Vulnerability Scanner Recommendations Sigmon, Aaron (Nov 15)
- Re: Vulnerability Scanner Recommendations Roger A Safian (Nov 15)
- Re: Vulnerability Scanner Recommendations mccalluq (Nov 15)
- Re: Vulnerability Scanner Recommendations Roger A Safian (Nov 15)
- Re: Vulnerability Scanner Recommendations Walter Petruska (Nov 15)
- Re: Vulnerability Scanner Recommendations Kevin Wilcox (Nov 15)
- Re: Vulnerability Scanner Recommendations Shamblin, Quinn (Nov 15)
- Re: Vulnerability Scanner Recommendations George Farah (Nov 15)
- Re: Vulnerability Scanner Recommendations Barron Hulver (Nov 16)
- Re: Vulnerability Scanner Recommendations Kevin Halgren (Nov 16)
- Re: Vulnerability Scanner Recommendations John Ladwig (Nov 16)
- <Possible follow-ups>
- Vulnerability Scanner Recommendations Carlos Lobato (Nov 15)
- Re: Vulnerability Scanner Recommendations Sigmon, Aaron (Nov 15)