Nessus: Assessing system vulnerabilities
Keeping a server or workstation current with the latest security patches and verifying that it contains no vulnerable configurations can be a daunting task. Multiply this by the number of distinct operating systems and hardware platforms in an organization, and it becomes clear that doing it on a wide scale is no easy project. In the following article we will explore Nessus, an Open Source vulnerability scanner well suited to this complex task.
Nessus is available for both Windows and Unix systems, so no matter how heterogeneous your environment is, you will be able to run vulnerability tests on and from distinct platforms. Like many network-driven applications, Nessus has both a client and a server component, which lets you execute security assessments in a very flexible manner.
Its server-side component provides a central repository in which all vulnerability tests, also known as plugins, are registered and accessed across the network by Nessus client components. The work of Nessus clients comes down to fetching information from this database and performing the actual tests, either on the host on which the client is installed or on other networked devices, and later generating detailed reports on the security holes encountered and possible corrections for them.
Building on this client/server architecture, the Nessus server-side component lets you define extensive rule sets that grant granular access to certain plugins or inspections from Nessus clients; for example, if you have several system administrators on your network, you can grant specific inspection privileges per user. Nessus clients, in turn, offer extensive report-generating features that give you detailed assessments of the severity of the flaws encountered.
Now that we have described the major features of Nessus, let's get into basic usage scenarios. If you will be deploying Nessus on Unix platforms, the download includes both the client and server components bundled together; if you will be using Nessus on Windows platforms, you need to download specific packages: NeWT for servers and NessusWX for clients.
The first order of the day is installing the server component. During this process you will be prompted to download the initial Nessus plugin database, which currently hovers around 6,000 different checks covering both local and remote vulnerabilities in applications and operating systems. Nessus plugins are currently distributed in three feeds, which address the requirements of various organizations depending on their needs and budgets.
The GPL feed includes plugins written by the Nessus user community and is freely available without registration. Another variant, dubbed the registered feed, is also publicly available and gives you access to commercially written plugins on a deferred basis from when they were written; however, as its name implies, it requires that you submit registration information in order to receive an access code. Finally, the direct feed offers the latest vulnerability checks created by Tenable, the commercial backers of Nessus, on a paid subscription basis.
Obviously a static plugin database will quickly lose its vulnerability-checking value. To update the Nessus database you execute the nessus-update-plugins command, which fetches the feed corresponding to your installation (registered, commercial or GPL'ed). If you did not register before installing Nessus, or opted not to download the initial plugin database, you can use the nessus-fetch command, which can download the database or register Nessus to gain access to the registered feed.
The next step is defining the users who will have access to the Nessus database. This is done with the nessus-adduser command, which prompts for a username, a password and access rules. These credentials will be used by Nessus clients; the first two are straightforward, while the rule sets are specific access restrictions, and the Nessus documentation contains details on creating them. Finally, start Nessus in daemon mode with the nessus -D command to allow access from remote clients.
Using a Nessus client requires you to establish a session with a Nessus server; once this is done, launching an inspection of the host harboring the client or of some remote system takes a few simple steps. First, select among groups of plugins for granular inspections, such as Windows, RedHat, Debian or SMTP, among others; this avoids running thousands of security checks for possibly non-applicable flaws. Second, define the target hosts, either individually or as a group.
Once your preferences are set and the scan has run, Nessus will create a report assessing the flaws encountered. The report contains a host/port list with specific vulnerabilities, each classified at one of three levels (note, warning or hole) and accompanied by a verbose description of the affected application, the possible consequences of running it in such a manner, and corrective measures. For later reference, Nessus clients can also archive all your reports for auditing purposes or for correlating information in future inspections.
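To make the report stage concrete, here is an added example (not part of the original article and not Nessus's own code) that parses the pipe-delimited NBE results file the Nessus 2.x command-line client can write in batch mode and orders hosts by the worst severity found, so the note/warning/hole levels above can be triaged without opening the GUI. The NBE layout, the batch invocation mentioned in the comments and the sample records are assumptions and constructed data, not taken from the article.

```python
from collections import Counter, defaultdict

# Severity strings used in NBE records, ranked so hosts can be ordered by worst finding.
SEVERITY_RANK = {"Security Hole": 3, "Security Warning": 2,
                 "Security Note": 1, "Log Message": 0}

# Constructed sample of an NBE file (assumed written by e.g. `nessus -q -T nbe ...`);
# plugin ids and descriptions are placeholders, not real Nessus plugins.
SAMPLE_NBE = """\
timestamps|||scan_start|Mon Jan  3 10:00:00 2005|
results|10.0.0|10.0.0.5|www (80/tcp)|99901|Security Hole|Placeholder: remotely exploitable flaw
results|10.0.0|10.0.0.5|smtp (25/tcp)|99902|Security Warning|Placeholder: risky configuration
results|10.0.0|10.0.0.7|ssh (22/tcp)|99903|Security Note|Placeholder: version banner disclosed
results|10.0.0|10.0.0.7|ssh (22/tcp)|99904|Log Message|Placeholder: port is open
this line is not a valid record
"""

def parse_nbe(text):
    """Return the 'results' records of an NBE file as dicts; other records are skipped."""
    findings = []
    for line in text.splitlines():
        fields = line.split("|", 6)          # description is the last field and may be long
        if len(fields) < 7 or fields[0] != "results":
            continue                          # timestamps records, blanks, malformed lines
        _, _subnet, host, port, plugin_id, severity, description = fields
        if severity not in SEVERITY_RANK:
            continue                          # unknown severity string: do not guess
        findings.append({"host": host, "port": port, "plugin_id": plugin_id,
                         "severity": severity, "description": description})
    return findings

def summarise(findings):
    """Map each host to a Counter of severities, e.g. {'Security Hole': 1, ...}."""
    per_host = defaultdict(Counter)
    for f in findings:
        per_host[f["host"]][f["severity"]] += 1
    return dict(per_host)

def hosts_by_risk(findings):
    """Hosts ordered worst-first: by the highest severity seen, then how often it occurs."""
    worst = {}
    for f in findings:
        rank = SEVERITY_RANK[f["severity"]]
        top, n = worst.get(f["host"], (-1, 0))
        worst[f["host"]] = (rank, 1) if rank > top else (top, n + (rank == top))
    return sorted(worst, key=worst.get, reverse=True)

if __name__ == "__main__":
    found = parse_nbe(SAMPLE_NBE)
    for host in hosts_by_risk(found):
        print(host, dict(summarise(found)[host]))
```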
As we have outlined, Nessus offers the functionality necessary to detect those hard-to-find application- and OS-specific flaws. Combined with other Open Source tools like Snort for intrusion detection and Nmap for port inspection, it will help you bulletproof your IT infrastructure in a timely fashion against attacks that exploit known vulnerabilities.