Nessus: Vulnerability scanning in the enterprise

In the previous two installments of our series on using Nessus in the enterprise, we explored downloading and installing the Nessus vulnerability scanner and conducting system scans. Now that you have these basic procedures under your belt, we'll examine some general advice for building an enterprise scanning program with Nessus.

Developing an enterprise scanning program is, by necessity, a highly customized task. You can't simply take a stock plan off the shelf and implement it in your organization. You need to consider the unique technical, regulatory, political and cultural requirements facing your enterprise before launching this inherently intrusive activity. For example, the scanning program used by a research university would necessarily be quite different from that used by an ultra-secret gover...

BROWSE BY TAG Network Security Tactics,   Application and Platform Security,   Open Source Security Tools and Applications,   Enterprise Vulnerability Management,   Vulnerability Risk Assessment,   Network Intrusion Detection and Analysis,   Monitoring Network Traffic and Network Forensics,   Enterprise Network Security,   VIEW ALL TAGS

RELATED CONTENT Network Security Tactics Scapy tutorial: How to use Scapy to test Snort rules How to use hping to craft packets Securing naming and directory services for application defense-in-depth Five endpoint DLP deployment data security tips How to properly implement firewall egress filtering What to do with network penetration test results How to use TrueCrypt for disk encryption Protecting enterprise networks from new mobile application downloads Maintaining security after a cloud computing implementation Preparing the network for a cloud computing implementation Open Source Security Tools and Applications Screencasts: On-screen demonstrations of security tools PuTTY configuration tips: How to connect to remote network systems Screencast: Find rogue wireless access points with Vistumbler H.D. Moore on future of Metasploit attack platform H.D. Moore speaks about Metasploit Project deal, Release 3.3 Screencast: How to launch an OpenVAS scan Could Metasploit popularity erode? Metasploit Project acquired by vulnerability management firm Rapid7 SSH key compromise shuts down Apache website Screencast: Smoothwall offers firewall defense in lean times Vulnerability Risk Assessment Microsoft to address eight security vulnerabilities in Windows, Office Customer gets say during responsible vulnerability disclosure panel Relying on basic network intrusion detection systems isn't enough Disaster recovery plans and DLP solutions top 2010 priorities Information security book excerpts and reviews What patch management metrics does Project Quant use? Screencast: How to launch an OpenVAS scan Trusteer CEO criticizes Adobe, touts better patch deployments Patch management study shows IT taking significant risks Vulnerability mitigation study shows need for faster patching Vulnerability Risk Assessment Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Blowfish  (SearchSecurity.com) Kermit  (SearchSecurity.com) Open Source Hardening Project  (SearchSecurity.com) SnortSnarf  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

nment agency. Both plans would differ significantly from the scanning plan used by an e-commerce retailer. Let's look at a few broad principles that apply in any large enterprise.

• Don't keep scanning secret. Over the course of my career, I've seen many organizations implement vulnerability scanning programs for the first time. With very few exceptions, the security officials responsible for the program decide that the best way to launch this effort is to treat these scans as a tightly-held secret. Invariably, this backfires. The primary reason is political – you don't want system administrators to feel that you're policing their configuration management. On the contrary, the goal of your scanning program should be to increase administrator awareness and assist them in the secure configuration of their systems. A scan that produces very few results is a successful scan!

• Coordinate your scans widely. This advice goes hand-in-hand with the previous tip. In addition to notifying system administrators, make sure that everyone who's even tangentially affected by your scans knows what you're doing. Remember that the scanning process can have unforeseen effects on your infrastructure. You certainly don't want your company to become aware of your new scanning procedures because they brought the network to its knees! Notify system administrators, network engineers, application administrators, management and support personnel of the scans in advance – they will serve as an early-warning system if problems arise. This is especially true the first several times you scan systems.

• Balance the risks and benefits of scanning. Some scans may produce unpredictable results. If you're running scans for vulnerabilities that might produce a denial of service when exploited, the scan itself might induce that denial of service. As a remedy, you may wish to enable the "All but dangerous" option in Nessus for the majority of your routine scans and then perform periodic full scans on a highly coordinated basis. (Don't, however, decide that you'll never run the dangerous scans because you're not the only one with a copy of Nessus – the bad guys also have it!)

• Provide a self-service option. If possible, allow administrators to initiate scans on their own. With Nessus, you can simply create accounts for them using the nessus-adduser command. You can also create rules that limit the systems that individual users may scan. For example, if an administrator is only responsible for the 192.168.53.x subnet and the individual server 192.168.22.13, you might use the following rules to limit the access for that user:
  accept 192.168.53.0/24 accept 192.168.22.13 default deny

  Nessus 3 uses a directory-based user structure. Rules (such as those in the example above) are placed in a file named rules in the C:\Program Files\Tenable\Nessus\users\username\auth directory.
  

  Allowing users to initiate their own scans lets them go above and beyond your enterprise scanning program. For example, administrators might want to self-initiate scans at various points during the system build process or after making configuration changes on a system.

Hopefully, these tips gave you some good general advice on incorporating Nessus into your enterprise security architecture. In the final installment of this series, we'll take a look at building reports using Nessus output.

ABOUT THE AUTHOR:

Mike Chapple, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles including the CISSP Prep Guide and Information Security Illuminated.