Re: Small/Medium Business Scanner

[Paul Asadoorian <paul () pauldotcom com>]

Everyone has done a great job of "evangelizing" Nessus, so stop that or
I will be out of a job ;)

I will preface this by saying that if you use a product you are happy
with I will not pass judgment or try to convince you to use something
else.  If it works for you, that's awesome!

Of course I am biased towards Nessus, but just a few things to throw in
the mix when looking at features:

- Local Patch Checking will look at operating system and application
vulnerabilities on many different platforms, Windows, UNIX (HP,
Solaris), Linux (Too many distros to list), Mac OS X, and VMware ESX.
You need to log into the OS to do this, and we support SSH (several
different methods), and SMVB on Windows.  Several protections exist to
thwart any attempts to steal credentials.

- A single scanner costs $1200 per year, and you can scan as many
different IP addresses as you like, no limits.

- I've got Nessus installed on all kinds of different systems, mostly
old and slow machines because that's what I have laying around, or in a
VM on a laptop. It performs really well, and you can scan A LOT of
hosts, especially if you tune the policy. It comes down to this
question: "Does it matter how long it takes to scan your network?".  So,
if you have 150 hosts, and it takes a day to scan all of them, is that
acceptable?  Also, how long it takes to scan is dependent on too many
factors to list here :)

- John mentioned common misnomer "Nessus does not do DB, network device
or application level checks." - As John already knows, We support
configuration auditing for all major databases, Cisco IOS, and many
applications such as Apache, PHP, IIS, and more!  Configuration auditing
allows you to define what settings should exist in your systems and
configuration, then check for it using simple regex.

There is actually a post that will publish tomorrow morning on the
Tenable Blog (http://blog.tenable.com) that covers some of the myths
surrounding Nessus.

Let me know if you have any questions!

Cheers,
Paul

On 1/19/11 1:08 PM, Kevin Shaw wrote:
> I second Nessus. I get all the client software vulnerabilities and since
> I'm not allowed to exploit them during most of my tests, I share names
> and snippets and links to the respective exploits to show their "let's
> patch service vulnerabilities first" mindset should be slightly
> adjusted. Getting a list of all software running on a system is nice too
> - and it works on Windows and Linux with the respective credentials. I
> shopped around for my company and this turned out the most affordable
> for how small they are.
>
> On Jan 19, 2011 9:50 AM, "John Strand" <strandjs () gmail com
> <mailto:strandjs () gmail com>> wrote:
> > You know I am biased.
> >
> > However, I have had nothing but good results from Nessus.
> >
> > Also, the reporting in the newest version is miles better then it was.
> >
> > For the cost, you cannot beat it.
> >
> > There has been a few people I have talked to recently that say that Nessus
> > does not do DB, network device or application level checks. Some say, it
> > only does OS checks. I do not quite know where this rumor started, but it
> > is untrue. It does excellent checks on these devices.
> >
> > I am sure Paul or Ron know the specifics.
> >
> > *Summon Gula or Asadorian!*
> >
> > Finally, check out the credentialed scans. Rather than just checking for
> > external vulnerabilities, you can also check client side software as well.
> >
> > HTH,
> >
> > John
> >
> >
> >
> > On Tue, Jan 18, 2011 at 10:59 AM, Butturini, Russell <
> > Russell.Butturini () healthways com
> <mailto:Russell.Butturini () healthways com>> wrote:
> > > I'd just double check and make sure you understand the licensing options
> > > for Nexpose. There are some very affordable ones that don't' require
> buying
> > > big hardware and are optimized to run on notebook PCs.
> > >
> > > -----Original Message-----
> > > From: pauldotcom-bounces () mail pauldotcom com
> <mailto:pauldotcom-bounces () mail pauldotcom com> [mailto:
> > > pauldotcom-bounces () mail pauldotcom com
> <mailto:pauldotcom-bounces () mail pauldotcom com>] On Behalf Of Zate Berg
> > > Sent: Tuesday, January 18, 2011 10:29 AM
> > > To: PaulDotCom Security Weekly Mailing List
> > > Subject: Re: [Pauldotcom] Small/Medium Business Scanner
> > >
> > > I'd vote for Nessus in your situation too. Possibly combine it with
> > > something like Seccubus (V2 is due out soon).
> > >
> > > Zate
> > >
> > >
> > >
> > > On Tue, Jan 18, 2011 at 10:00 AM, Dark Harper <darkharper2 () gmail com
> <mailto:darkharper2 () gmail com>>
> > > wrote:
> > > > Hi all,
> > > >
> > > > This ones probably been around and around a dozen times but I'm after
> > > > some advice/recommendations on a vulnerability scanner for a small to
> > > > medium sized business.
> > > >
> > > > My short list is now down to two - Nessus or NeXpose.
> > > >
> > > > Our environment is spread across three sites, around 50 nodes in each.
> > > > The sites are not permanently linked. One of those sites is PCI DSS
> > > compliant.
> > > > I've been using OpenVAS but am not a fan. Access to remote scanners
> > > > is via SSH tunnels/small links.
> > > >
> > > > Cost is definitely a consideration as budget is tight this year. I'm
> > > > leaning towards Nessus as it is miles cheaper than NeXpose and
> > > > requires much lower spec hardware from what I can tell. Recent
> > > > Metasploit plugin is also a plus. Can anyone say why I would put up the
> > > extra cash for NeXpose?
> > > > -Dark
> > > >
> > > >
> > > >
> > > > _______________________________________________
> > > > Pauldotcom mailing list
> > > > Pauldotcom () mail pauldotcom com <mailto:Pauldotcom () mail pauldotcom com>
> > > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > > Main Web Site: http://pauldotcom.com
> > > _______________________________________________
> > > Pauldotcom mailing list
> > > Pauldotcom () mail pauldotcom com <mailto:Pauldotcom () mail pauldotcom com>
> > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > Main Web Site: http://pauldotcom.com
> ******************************************************************************
> > > This email contains confidential and proprietary information and is
> not to
> > > be used or disclosed to anyone other than the named recipient of this
> email,
> > > and is to be used only for the intended purpose of this communication.
> ******************************************************************************
> > > _______________________________________________
> > > Pauldotcom mailing list
> > > Pauldotcom () mail pauldotcom com <mailto:Pauldotcom () mail pauldotcom com>
> > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > Main Web Site: http://pauldotcom.com
> >
> >
> >
> > --
> > John Strand
> > Office: (605) 550-0742
> > Cell: (303) 710-1171
>
>
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom () mail pauldotcom com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com

-- 
Paul Asadoorian
PaulDotCom Enterprises
Web: http://pauldotcom.com
Phone: 401.829.9552
Fax: 1.877.846.2187
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com