I will reflect upon the differences observed between three vulnerability scanners and management tools: Nessus, Nexpose, and OpenVAS. Areas to be reviewed include ease of use, accuracy of findings, depth of information in the tool and reports, actionability of the information provided, and any other criteria believed to be relevant. This report will also compare the results, remediation advice, and reliability observed across the three programs. The test used for this report will be performed on a virtual network constructed entirely inside a virtual machine on a 2009 Mac Pro using Parallels 10. The free versions of the Nessus and Nexpose vulnerability scanners will run against the Metasploitable 2 virtual machine inside Parallels; OpenVAS, which is a free open source vulnerability scanner, will be referenced from a YouTube video. Each test will be performed under identical network conditions.
All three vulnerability scanners offer templates for a variety of scans. Nessus offers more advanced scan templates as part of a paid software upgrade. I found the Nessus and OpenVAS interfaces to be slightly more intuitive than Nexpose’s. On the initial scan, Nexpose returned more results than Nessus: 336 to 142. A full audit scan performed with Nexpose returned 88 critical vulnerabilities. Nessus returned 4 critical vulnerabilities under the advanced scan and 7 critical vulnerabilities under the basic scan. To eliminate as many false positives as practical, it’s crucial for security administrators to accurately target specific vulnerabilities as part of their remediation. The depth of information available in Nexpose’s tools is vastly greater than in those of Nessus. Nexpose can create user and asset groups, which helps in managing larger-scale projects by enabling a security administrator to assign specific segments of a network to specific groups for analysis. Nexpose would be better suited to the larger networks of larger companies and organizations. Both Nessus and Nexpose allow scheduling and email functions. The free version of Nexpose didn’t include any malware kits that could be used for exploits.
Both Nexpose and Nessus include an abundance of reference materials with each vulnerability scan. The reference materials made available by all three offerings are very useful in devising remedial procedures because they provide information about a particular vulnerability. They include links to the following websites: Open Sourced Vulnerability Database (OSVDB), NIST National Vulnerability Database, CERT Vulnerability Notes Database, and Symantec’s Connect Security Focus website, all of which are replete with very useful information.
Each time I ran scans with Nessus and Nexpose, they both returned a slightly different number of vulnerabilities. Although the scans were performed inside the virtual machines, the Norton Anti-Virus of the host operating system would display pop-up windows stating that a vulnerability had been blocked from the Metasploitable virtual machine. This brings to mind that anti-virus programs may adversely affect the results returned by these scans and should, in most cases, be disabled by default. Since every network is different, a critical component of ensuring that scans return the fewest possible false positives is tuning the scanning profiles to suit the requirements of the system being probed for weaknesses. Exploit information is easy to act on in Nexpose because of the built-in Metasploit modules and malware kits provided by the paid edition of the scanner.
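The run-to-run variation described above can be measured rather than judged from the totals alone. The following is an added example, not part of the original report or of any scanner's own tooling: it collapses duplicate findings and diffs two scan exports. The CSV column layout, host address, placeholder CVE IDs and finding titles are all constructed assumptions.

```python
import csv
import io
from collections import Counter

# Constructed sample exports (not real scan output). Assumed normalized
# columns: host, port, cve, title, severity. CVE IDs are placeholders.
RUN_1 = """host,port,cve,title,severity
192.0.2.10,21,CVE-0000-0001,FTP service issue,critical
192.0.2.10,21,cve-0000-0001,FTP service issue (second check),critical
192.0.2.10,22,CVE-0000-0002,Weak SSH host key,critical
192.0.2.10,80,,HTTP TRACE enabled,medium
"""
RUN_2 = """host,port,cve,title,severity
192.0.2.10,21,CVE-0000-0001,FTP service issue,critical
192.0.2.10,80,,HTTP TRACE enabled,medium
192.0.2.10,5432,,Default database credentials,high
"""


def load_findings(csv_text):
    """Return {(host, port, identifier): severity}.

    Rows that describe the same issue on the same service collapse to one
    key, so two checks firing for one CVE are counted once. Findings with
    no CVE fall back to a normalized title as the identifier.
    """
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        ident = row["cve"].strip().upper()
        if not ident:
            ident = "title:" + row["title"].strip().lower()
        key = (row["host"].strip(), int(row["port"]), ident)
        findings[key] = row["severity"].strip().lower()
    return findings


def compare_runs(first, second):
    """Split findings into those seen in both runs and in only one run."""
    a, b = set(first), set(second)
    return {"stable": sorted(a & b),
            "only_first": sorted(a - b),
            "only_second": sorted(b - a)}


def severity_counts(findings):
    """Count unique findings per severity after de-duplication."""
    return Counter(findings.values())


if __name__ == "__main__":
    result = compare_runs(load_findings(RUN_1), load_findings(RUN_2))
    for bucket, keys in result.items():
        print(bucket, len(keys), keys)
```

Findings that land in `only_first` or `only_second` are the ones to re-test or tune the scan profile for before treating them as confirmed.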
Both Nessus and Nexpose are equally helpful in providing remediation advice, referred to as “solutions”. Nexpose reports provide more eye candy, including charts and graphs, which make it simpler to visualize the overall security posture of an organization at a glance. Vulnerability reports are just as important as the vulnerability scan itself. Nexpose has the largest selection of report types that can be produced. One or more types of reports can be used in conjunction with each other.
Vulnerability scanning is a crucial component of network security and should be implemented by any organization wishing to improve its security posture. It’s critical in today’s networking environment that organizations take a harder stance on securing their networks. Vulnerability scanners can offer a detailed analysis of potential vulnerabilities that may exist within networks if used properly. All three vulnerability scanners provide the same basic information, but the presentation, available scan options, quality of results, and reporting mechanisms are vastly different. Costs being equal, I would choose the Nexpose vulnerability scanner over the other two. Although all three of the scanners have their weaknesses, Nexpose’s strong points overshadow its weaknesses more effectively, and the added advanced vulnerability management tools are beneficial when working in a team environment, making work on large-scale networks more manageable.