
Feature: Security

Nessus assesses system vulnerabilities

By Daniel Rubio on February 09, 2005 (8:00:00 AM)


Keeping a server or workstation updated with the latest security patches can be a daunting task. Compounding the problem is the number of distinct operating systems and hardware in an organization. Nessus, an open source vulnerability scanner, can help with this complex task.

Nessus is available for both Windows and Unix systems, so you can run vulnerability tests on and from distinct platforms. The application has both a client and a server component, which allows you to execute security assessments flexibly.

Nessus's server-side component provides a central repository in which all vulnerability tests -- implemented as plug-ins -- are registered and accessed across the network by Nessus client components. The work of Nessus clients comes down to fetching information from this database and performing the actual tests, either on the host where the client is installed or on other networked devices, and then generating detailed reports on the security holes encountered and possible corrections for them.

Enhancing this client/server architecture, the Nessus server component lets you define extensive rule sets that grant granular access to certain plug-ins or inspections from Nessus clients. For example, if you have several system administrators on your network, you can grant specific inspection privileges to each user. Nessus clients offer extensive report-generating features, which give you detailed assessments of the severity of the flaws encountered.

If you will be deploying Nessus on Unix platforms, your download will include both the client and server components. If you will be using Nessus on Windows, you need to download two packages: NeWT for servers and NessusWX for clients.

The first order of the day for using Nessus is installing its server component. During this process you will be prompted to download the initial Nessus plug-in database, which currently includes around 6,000 different flaws covering both local and remote vulnerabilities for applications and operating systems.

Nessus plug-ins are distributed in three feeds that address the requirements for various organizations depending on their needs and budgets. The GPL feed comprises plug-ins written by the Nessus user community and is freely available without registration. A registered feed is also publicly available, and gives you access to commercially written plug-ins on a deferred basis from when they were written; however, as its name implies, it does require that you submit registration information in order to receive an access code. Finally, the direct feed offers the latest vulnerability checks created by Tenable, the commercial backers of Nessus, on a paid subscription basis.

Obviously, a static plug-in database quickly loses its value, since it cannot check for vulnerabilities disclosed after it was downloaded. To update the Nessus database, execute the nessus-update-plugins command, which fetches the feed corresponding to your installation (registered, commercial, or GPLed). If you did not register before installing Nessus, or opted not to download the initial plug-in database, you can use the nessus-fetch command, which can download the database or register Nessus so you gain access to the registered feed.

The next step you should take is defining which users have access to the Nessus database, via the nessus-adduser command, which prompts for a username, password, and access rules. The rule sets are specific access restrictions -- Nessus documentation contains details on creating them. Finally, you should activate Nessus in daemon mode with the nessus -D command to allow access from remote clients.

Using a Nessus client requires you to establish a session with a Nessus server. Once you've done that, you can launch an inspection on the local host or some remote system in a few simple steps. You first need to select among groups of plug-ins for granular inspections, such as Windows, Red Hat, Debian, or SMTP, among others. This avoids running thousands of security checks for flaws that cannot apply to the target. The other step is defining the target host, which you can do on an individual or grouped basis.

Once your preferences are set, and upon running the scan, Nessus will create a report with an assessment of the flaws it encounters. The report will contain a host/port list with specific vulnerabilities, classified in one of three levels -- note, warning, or hole -- each with a verbose description of the application, possible consequences of running it, and corrective measures. For later reference, Nessus clients can also archive all your reports for auditing purposes or correlating information with future inspections.
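To show what the note/warning/hole report described above looks like when processed, here is an added example (not from the article or the Nessus project) that summarizes a Nessus report saved in the pipe-separated NBE export format. The NBE layout (results|subnet|host|port|plugin id|severity|description), the plug-in ids, and the sample lines are assumptions constructed for the example.

```python
from collections import defaultdict

# Constructed sample NBE export (assumed Nessus 2.x-style layout): one record per
# line, pipe-separated. Plug-in ids and descriptions here are made up.
SAMPLE_NBE = """\
timestamps|||scan_start|Wed Feb  9 08:00:00 2005|
results|192.168.1|192.168.1.10|ssh (22/tcp)|10001|Security Note|SSH banner reveals server version
results|192.168.1|192.168.1.10|smtp (25/tcp)|10002|Security Warning|Mail server accepts relaying
results|192.168.1|192.168.1.20|general/tcp|10003|Security Hole|Remotely exploitable daemon; upgrade
results|192.168.1|192.168.1.20|http (80/tcp)|10004|Security Note|Web server banner
"""

# The three report levels named in the article, ranked so a worst case can be computed.
SEVERITY_RANK = {"Security Note": 1, "Security Warning": 2, "Security Hole": 3}

def parse_nbe(text):
    """Return (host, port, plugin_id, severity, description) tuples for result records."""
    findings = []
    for raw in text.splitlines():
        fields = raw.split("|")
        # Only 'results' records carry findings; 'timestamps' and short lines are skipped.
        if fields[0] != "results" or len(fields) < 7:
            continue
        _, _subnet, host, port, plugin_id, severity = fields[:6]
        if severity not in SEVERITY_RANK:
            continue  # unknown label: do not miscount it as a finding
        # Descriptions may themselves contain '|', so rejoin the tail of the record.
        findings.append((host, port, plugin_id, severity, "|".join(fields[6:])))
    return findings

def summarize(findings):
    """Per-host counts by severity plus the worst level observed on that host."""
    summary = defaultdict(lambda: {**dict.fromkeys(SEVERITY_RANK, 0), "worst": None})
    for host, _port, _pid, sev, _desc in findings:
        entry = summary[host]
        entry[sev] += 1
        if entry["worst"] is None or SEVERITY_RANK[sev] > SEVERITY_RANK[entry["worst"]]:
            entry["worst"] = sev
    return dict(summary)

def hosts_with_holes(findings):
    """Hosts needing immediate attention: at least one 'Security Hole' finding."""
    return sorted({h for h, _, _, sev, _ in findings if sev == "Security Hole"})

if __name__ == "__main__":
    for host, entry in summarize(parse_nbe(SAMPLE_NBE)).items():
        print(host, entry)
```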

Nessus offers the functionality necessary to detect those hard-to-find application and OS-specific flaws. When combined with other open source tools like Snort for intrusion detection and Nmap for port inspection, Nessus can help you harden your IT infrastructure against attacks on known vulnerabilities.

Daniel Rubio is the principal consultant at Osmosis Latina, a firm specializing in enterprise software development, training, and consulting based in Mexico.



Comments on Nessus assesses system vulnerabilities


Don't forget configuration testing

Posted by: Anonymous Coward on February 10, 2005 09:53 AM
Vulnerability scanning such as performed by Nessus is a symptomatic approach to verifying the security of a computing environment. In my view, this is a useful but limited complement to configuration testing available through the CIS benchmarks or Bastille.

The reason is that computing environments are deeply layered. Vulnerability scanners can only reach the exposed layers of the environment, so they necessarily operate on incomplete information. If you harden your systems only to what external scanning reveals, you'll end up with a "hard on the outside, soft on the inside" penetration profile.

Security should provide defense in depth and containment, so that if outer layers are compromised, all is not lost. That requires knowing your systems well, which is why the benchmarking tools can be so useful from a security perspective.

(By the way, in case it's not clear why there is a Nessus server separate from the client, it's in order to allow the server to be placed wherever on the network the scanning is to be conducted.)

