This tutorial will help value-added resellers (VARs) and security consultants with the basics of Nessus -- a robust, free vulnerability scanning tool that fits your budget and matches commercial product feature sets. Use this expert step-by-step guidance to learn everythingfrom installation and configuration techniques, to running a scan, to managing reports and interpreting results.
Nessus Tutorial Introduction
It's time that you give Nessus a look! This free tool offers a surprisingly robust feature set and is widely supported among the information security community. It doesn't take long between the discovery of a new vulnerability and the posting of an updated script for Nessus to detect it. In fact, Nessus takes advantage of the Common Vulnerabilities and Exposures architecture that facilitates easy cross-linking between compliant security tools.
Learn more about how the Nessus tool works a little differently than other scanners.
Getting started with Nessus
Nessus is a member of the family of security tools known as vulnerability scanners. As the name implies, these products scan the network for potential security risks and provide detailed reporting that enables you to remediate gaps in your security posture. These scans run using a client/server architecture, so let's discuss both pieces of that architecture.
The scan engine is available for Linux/Unix systems only (sorry Microsoft fans!). Installation is actually quite simple.
Get the basics on how to install and configure Nessus.
How to run a system scan
Now that you've got it up and running, we'll examine how to use this powerful open source vulnerability scanner to monitor systems for security issues.
We'll assume that you're using the Unix Nessus GUI, but the commands are quite similar for those using NessusWX (for Windows).
Make sure you have the basic information you need to conduct vulnerability scans with Nessus.
Vulnerability scanning in the enterprise
Developing an enterprise scanning program is, by necessity, a highly customized task. You can't simply take a stock plan off the shelf and implement it in your organization. You need to consider the unique technical, regulatory, political and cultural requirements facing your enterprise before launching this inherently intrusive activity. For example, the scanning program used by a research university would necessarily be quite different from that used by an ultra-secret government agency. Both plans would differ significantly from the scanning plan used by an e-commerce retailer.
Get a handle on the few broad principles that apply in any large enterprise.
Managing Nessus reports
If you're like most security practitioners, you're probably now facing a mountain of data, have no time to read through it and are wondering whether using Nessus is really practical for your complex environment. Rest assured there are methods to save you from this madness! In this tip, we'll explore three techniques that may help you get the most out of Nessus and manage the data produced by this valuable tool. We'll look at manipulating output files, parsing data with Perl scripts and creating a Nessus database.
Ensure that you're well on your way toward developing a Nessus reporting infrastructure for your customer's organization.
Simplifying security scans with a spreadsheet model
Unless you have a 10-node test network, running a full network scan is a sure-fire recipe for crashing systems and dragging performance. I have seen a Nessus scan cause an entire QA subnet to grind to a halt due to open connections that exhausted server memory. You can avoid this scenario by dividing networks into small, manageable IP spaces and maintaining data in a spreadsheet. This approach allows for more intelligent scanning, even when using common off-the-shelf or open source tools that lack heavy enterprise management features.
Learn more about how to build a spreadsheet to divide your customer's network into manageable IP spaces.
Using Nessus with the SANS Top 20 to identify critical vulnerabilities
Eliminating exposures that give unauthorized system or root access to vulnerable hosts is an arduous task. Fortunately, the annual SANS Top 20 classifies most of these dangerous holes for both Windows and Unix, and prescribes best practices for patching and remediation. Universal support of the list by high-level incident response teams from the U.K. and Canada and members of the Information Systems Security Association has also led to the development of numerous open source and commercial detection tools. Many of these tools, including Nessus, are recommended on the SANS Top 20 for finding vulnerabilities.
Read more about creating an effective strategy for strengthening network security with SANS Top 20.
About the author
Mike Chapple, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles including the CISSP Prep Guide and Information Security Illuminated.
This was first published in April 2007