PaulDotCom mailing list archives

Nessus vs McAfee Vulnerability Management


From: lonervamp at gmail.com (Michael Dickey)
Date: Thu, 11 Mar 2010 08:56:35 -0600

Sometimes when playing poker, you get dealt good hands and sometimes bad
hands. Sometimes you're better off just folding and pressing your luck on
what you get next. I've been using McAfee Foundstone (the old name for
Vulnerability Manager when McAfee marketing got stupid and started naming
things based on their general use rather than any branding) for over a year
now, and I can wholeheartedly say I would rather fold my cards and take my
chances being dealt any other vuln manager out there.

To back up a bit, Foundstone is a vulnerability scanner, not a manager. It
does credentialed scans and does do quite a range of target devices. In
fact, if you look at the FASL audit files they have, they're curiously
similar to Nessus...I'll stop there... At any rate, I've never been too
critical of what they will find or not find. My environment is not varied
enough to really push its boundaries. Foundstone landed in my lap because we
do use other McAfee products and they gave us the device for free about 2
years ago.

There is a "ticket" system in the tool so, yes, they can call it a manager,
but it sucks that so many tools want to give you their own internal
afterthoughts of a ticket system. For those of us in SMBs, we can't manage
more than 2 ticket systems. So for me, Foundstone has no remediation
capabilities other than parsing the reports out yourself. Likewise, if you
"accept" a vulnerability during one audit period, you'll have to accept it
again next period, but at least the reports *do* let you know what is new
from the last audit.

You can make and schedule your own scans, but what I'd suggest is just
having 4 scans. Everything. Critical/PCI-type systems. A test system to use
as a baseline. And a scan you can edit (i.e. change the target as needed)
for ad-hoc scans.

The reporting sucks, plain and simple. You basically scan your targets and
Foundstone spits out the results and gives you a score. You can't "pass" on
this score if you use Windows boxes (take a moment and let that sink in),
because you'll be dinged on unpatched issues, whether they're realistic or
not. So there is no automated reporting to hand to mgmt to say, "We pass."
Well, unless you just don't check for those specific vulns, but that sort of
defeats the integrity of the scanning.

I'm not aware that you can put in custom configuration standards and check
your server builds, but I guess you could massage those details out of the
reports on your own. The reports do include lots of informational things like,
"port 80 is open."

The appliance is a rebadged Dell server running Windows. Don't expect
anything cute there.

You'll need to feed the scanner any new devices you have and manually remove
dead devices. This may be universal for all scanners, but McAfee has no real
magic to fix that manual task.

There is a "discovery" scan mode, but I've never seen it actually populate
the device; it just gives you a scan and you then have to populate your new
devices into the scan(s) you want them in. Yes, one scan at a time if you
have multiple.

Some people may make a case about plugging it into ePO (McAfee's centralized
master for all their products) so it can make better IPS decisions. That
sounds great, but managing ePO is a job in itself, and the more you plug
into it, the more that is true. And you'll hate yourself for being stuck
with it.

Nice things? They do keep it updated regularly, and they do have nice
knowledgebase/forums online for questions.

In the end, if I had a choice to be dealt a new vuln scanner/manager, I
would take that up. There is really nothing compelling to me to make me live
with McAfee other than inheriting it. Maybe the others have the same
limitations, but that's the risk I'd accept.

For yourself, I'd try hard to get a side-by-side comparison between McAfee
and Nessus. Live with both for a week and see how the reports make you feel,
how you can work with them, and so on. How does it go with Reading Rainbow?
...don't take my word for it! :)

On Wed, Mar 10, 2010 at 1:57 PM, subzer0girl <subzer0girl at gmail.com> wrote:

I need a little help convincing the purchasing people that I need Nessus.
They are suggesting McAfee Vulnerability Management is a viable
alternative. I want to stick with Nessus since that is what I have
experience with. I've googled for a comparison of the two products but
haven't found anything of value. Does anyone have experience with how the
two products compare?

Any help would be appreciated

Sandy
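Two of the complaints above, that an accepted vulnerability has to be re-accepted every audit period and that there is no automated "we pass" report, are the kind of thing people end up solving by post-processing the scanner's export themselves. The script below is an added example, not code from the original post and not from McAfee or Tenable: it keeps an accepted-risk register outside the scanner, diffs two exports to show new, fixed and still-open findings, flags acceptances that have expired, and gives a pass/fail verdict against a severity line you choose. The CSV layout (host,port,plugin_id,severity,name), the plugin IDs and the sample rows are all constructed for the example; a real Foundstone or Nessus export would need its own column mapping.

```python
"""Carry accepted risks across scan periods and diff two scan exports.

Added example, not code from the original post, from McAfee or from Tenable.
It assumes a generic CSV export (columns host,port,plugin_id,severity,name);
the column layout, the accepted-risk register and the sample rows are all
constructed for this example.
"""
import csv
import io
from datetime import date

# Constructed sample exports: last period's scan and this period's scan.
PREVIOUS_CSV = """host,port,plugin_id,severity,name
10.0.0.5,445,100234,critical,SMB service remote code execution
10.0.0.5,80,100001,info,Port 80 is open
10.0.0.7,3389,100310,medium,RDP without Network Level Authentication
"""
CURRENT_CSV = """host,port,plugin_id,severity,name
10.0.0.5,80,100001,info,Port 80 is open
10.0.0.7,3389,100310,medium,RDP without Network Level Authentication
10.0.0.9,443,100422,high,Weak TLS cipher suites offered
"""

# Accepted-risk register kept outside the scanner so an acceptance survives
# from one audit period to the next. Key: (host, port, plugin_id); value:
# the date the acceptance expires and must be reviewed again. Constructed.
ACCEPTED = {("10.0.0.7", 3389, "100310"): date(2010, 12, 31)}

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def parse_findings(csv_text):
    """Return {(host, port, plugin_id): {"severity": ..., "name": ...}}."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["host"].strip(), int(row["port"]), row["plugin_id"].strip())
        findings[key] = {"severity": row["severity"].strip().lower(),
                         "name": row["name"].strip()}
    return findings


def diff_scans(previous, current, accepted, today, fail_at="high"):
    """Compare two parsed scans against the accepted-risk register.

    Returns new/fixed/still-open findings, accepted entries whose acceptance
    has expired while the finding is still present, the findings that count
    against the pass line (severity >= fail_at and not currently accepted),
    and a pass/fail verdict usable in a one-line management summary.
    """
    threshold = SEVERITY_RANK[fail_at]
    active = {k for k, expiry in accepted.items() if expiry >= today}
    expired = sorted(k for k, expiry in accepted.items()
                     if expiry < today and k in current)
    actionable = sorted(
        k for k, f in current.items()
        if k not in active and SEVERITY_RANK[f["severity"]] >= threshold)
    return {
        "new": sorted(set(current) - set(previous)),
        "fixed": sorted(set(previous) - set(current)),
        "still_open": sorted(set(previous) & set(current)),
        "expired_acceptances": expired,
        "actionable": actionable,
        "passed": not actionable,
    }


def report(today_iso, fail_at="high"):
    """Run the diff over the embedded sample exports for a given audit date."""
    prev = parse_findings(PREVIOUS_CSV)
    cur = parse_findings(CURRENT_CSV)
    return diff_scans(prev, cur, ACCEPTED, date.fromisoformat(today_iso), fail_at)


def summary_line(result, fail_at):
    """One line you could actually hand to management."""
    verdict = "PASS" if result["passed"] else "FAIL"
    return (f"{verdict}: {len(result['actionable'])} unaccepted finding(s) at "
            f"{fail_at} or above; {len(result['new'])} new, "
            f"{len(result['fixed'])} fixed, {len(result['still_open'])} still open")


if __name__ == "__main__":
    res = report("2010-03-11", "high")
    print(summary_line(res, "high"))
    for key in res["new"]:
        print("NEW   ", key)
    for key in res["fixed"]:
        print("FIXED ", key)
    for key in res["expired_acceptances"]:
        print("REVIEW", key, "acceptance expired, re-approve or fix")
```

The pass line is deliberately a parameter: the post's point that a Windows estate can never "pass" on the raw score goes away once you decide which severities count and keep the acceptances with an expiry date, so that the exceptions are reviewed rather than silently un-checked in the scan policy.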