Problem solve Get help with specific problems with your technologies, process and projects.

Nessus vulnerability assessment with the SANS Top 20

Using the SANS Top 20 in conjunction with Nessus can help you eliminate exposures that give unauthorized privileged access to vulnerable hosts.

Eliminating exposures that give unauthorized system or root access to vulnerable hosts is an arduous task. Fortunately, the annual SANS Top 20 classifies most of these dangerous holes for both Windows and Unix, and prescribes best practices for patching and remediation. Universal support of the list by high-level incident response teams from the UK and Canada and members of the Information Systems Security Association has also led to the development of numerous open source and commercial detection tools. Many of these tools, including Nessus, are recommended on the SANS Top 20 for finding vulnerabilities.

The SANS Top 20 arranges vulnerabilities into 10 classes for each platform with categories of vulnerabilities within them. For instance, Windows classes target issues with Web servers, remote access services, file sharing applications and LSAS exposures. Unix classes cover Web servers, mail transport service, simple network management protocol, databases and kernel vulnerabilities. The list specifies which vulnerability detection tools are best used for particular Windows and Unix vulnerability classes. Nessus, for example, is recommended for the Web server vulnerability class. In fact it's promoted for four Windows and five Unix classes, so using Nessus is a huge benefit since it crosses over the greatest number of classes.

As an open source tool, Nessus has been widely used since 1998 for doing vulnerability assessments. It can scan a network and find specific vulnerabilities, such as PHP, IIS and Apache buffer overflows as listed for the Windows Web server class. Nessus currently detects vulnerabilities via a range of more than 6,000 plug-ins, where each looks for a single vulnerability.

Nessus conducts its vulnerability assessment in a four or five step process (depending on whether denial-of-service tests are conducted). First it determines whether the scanned host is alive. It then conducts a port scan to determine what services are available. It scans each service to identify the software version running, then uses this information to determine what specific vulnerabilities to test -- that is, which plug-ins to call. It conducts the vulnerability test using the required plug-in set. Then if DoS testing is selected Nessus will conduct this sequence last, as it may take the host offline.

After scanning, Nessus provides a prioritized report of the SANS Top 20 vulnerabilities that were discovered. However, like many pure-play vulnerability scanning tools, Nessus doesn't offer remediation capabilities. It merely provides links to the Common Vulnerability and Exposure list entries for the potential problems it finds. You'll need to refer to the SANS Top 20 list for links to the various vendor sites for patch remediation.

Nessus is a medium-difficulty tool to use since it requires a Linux workstation and knowledge of the Linux command line to install, configure, update the plug-in list and start the Nessus server daemon. Nessus client(s) can either be Linux- or Windows-based. You can have many clients attached to one server, and for testing a global network this may be preferable. (Note: Understanding the complexities of Nessus takes time. A new book by Syngress Publishing, Nessus Network Auditing is a valuable reference that comprehensively explains the tool's range of use).

Other tools promoted by the SANS Top 20 include L0phtCrack's LC5 password-auditing tool, open source Snort, eEye Digital Security Retina scanner (a direct competitor to Nessus), which uses a streamlined detection algorithm that's well known for detecting potential vulnerabilities. Foundstone Enterprise and Qualys Guard vulnerability scanners are also recommended and offer similar functionality. In my humble opinion, the Nessus tool gives me 95% of the value for free -- providing that you're willing to wait the required seven days to get the plug-in updates. Tenable Network Security now charges for its "Direct Feed" of the latest and greatest plug-ins, however as an open source tool, user created plug-ins or plug-ins created under a GPL remain free to all.

Some tools work well in tandem. For example, a Snort system can monitor for attacks on vulnerabilities discovered on the specific hosts scanned by Nessus. The administrator reads the Nessus report and then sets up Snort to look for those specific vulnerabilities, though it's a highly manual process. While a powerful tool, Snort is resource intensive, requiring manpower for viewing logs and assessing possible attack sequences.

The SANS Top 20 list completes each vulnerability class description by offering best practices to use in remediation. Software updates (patches) are typically recommended, and security pros are advised to go back to the software vendor to retrieve the latest updates. The list also gives general best practice information, such as setting a proper password length and how often it should be changed.

The purpose of the SANS Top 20 report is to list the most serious vulnerability classes for Windows and Unix and then offer general guidelines on detection and remediation. If you have the right skill set in-house, the SANS Top 20 paired with recommended open source detection tools and suggested remediation offers an effective strategy for strengthening network security.


  Introduction: What is Nessus?
  How to install and configure Nessus
  How to run a system scan
  Using Nessus Attack Scripting Language (NASL)
  Vulnerability scanning in the enterprise
  How to simplify security scans
  How to use Nessus with the SANS Top 20


Mike Chapple, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles including the CISSP Prep Guide andInformation Security Illuminated.


This was last published in January 2006

Dig Deeper on Risk assessments, metrics and frameworks