Rollout: Tenable's Nessus 3.0

Fee-based capabilities enhance the Nessus vulnerability scanner. The endpoint-compliance functionality isn't always pretty, but it gets the job done well, and cheaply.

September 15, 2006


The Upshot

With recent modifications to Nessus 3.0, Tenable has added complete endpoint compliance auditing to its existing vulnerability scanning product, reducing the number of solutions you must buy.

Few vulnerability-scanning products support both vulnerability scanning and minimum-standards endpoint-compliance checks. Most administrators must use and maintain two separate products.

Nessus' endpoint-compliance functionality isn't always pretty, but it gets the job done well, and cheaply. Some tweaking is required for Windows hosts if they're not in a Windows domain. This product might not meet all needs without your adding on the much more expensive Security Center.

Nessus 3.0

www.nessus.org
www.tenablesecurity.com

Tenable generated a lot of attention with its move to a closed-source but still-free 3.0 version of Nessus. That move also paved the way for a new type of remote check in Nessus: endpoint compliance, which ensures machines are configured in accordance with an organization's local policies and best practices. This addition puts Nessus in the company of very few others--and introduces a fee-based version of Nessus.

The major commercial products in this field--eEye's Retina, Internet Security Systems' Internet Scanner and StillSecure's VAM--scan for vulnerabilities, but few offer customized compliance checks of files, ACLs and registry settings, if they offer compliance checks at all. Rapid 7's NeXpose is one of the few competitors that has all these features.

Like those scanners, Nessus has had just two types of vulnerability checks. One required credentials to log in and check a system locally; the other used remote querying, fingerprinting or exploit tests to try to identify vulnerabilities. There are advantages to both methods. The credential-based system often produces faster and more accurate results, but sometimes you don't have the right credentials, so it's important to be able to do without.

Tenable's endpoint compliance checks are similar to credentialed vulnerability scanning in that they also require credentials, but the goal isn't to find vulnerabilities. Vulnerabilities tend to be cut-and-dried; you're vulnerable or you're not. Compliance is trickier. Every environment has slightly different requirements, which increasingly are dictated by laws like HIPAA and GLB. While one organization may require passwords be eight characters long, another may require 16 characters. Neither is right or wrong; they're just different. Endpoint compliance checks validate the settings (such as registry keys, file permissions and particular security settings) for each host against a site's unique policy.

Although a few of these types of checks existed before Nessus 3.0, they were all written in NASL (Nessus Attack Scripting Language), and an admin had to have at least some programming ability to create additional checks. This new feature has a simple configuration framework and plenty of sample templates for customizing policies for both Unix and Windows. Although plenty of other vulnerability scanning products can claim built-in compliance checks with canned scans, Rapid 7's NeXpose enterprise vulnerability solution and Nessus are rare in encouraging their customers to create compliance checks.


[Figure: Nessus Comparison Chart]

Reasonable Fee

While the Nessus scan engine, most vulnerability checks, and front-end interfaces are still free with version 3.0, using the new compliance checks requires a $1,200-per-year Direct Feed license for each scanner. Since Nessus Direct Feeds are licensed by scanner and not by the number of machines they will scan, managers of relatively large networks can purchase a vulnerability scanner and an endpoint-compliance product for much less than most per-host products would cost. The Direct Feed includes immediate access to all plug-ins developed by Tenable (the free plug-in feeds are delayed by seven days), support from Tenable, and the compliance modules.

Once you install your Nessus server and register it with the Direct Feed (one simple command line), it downloads the latest plug-ins and signatures automatically. However, you'll need an audit file before you do any compliance checks. Audit files are the meat and potatoes of a compliance check: they define exactly what you require in your environment. They're easy to understand even without documentation, and Nessus' 70-page PDF does a good job demonstrating the different types of checks that can be created.

One of the more interesting tools created for this feature is the Windows Nessus Policy Creator--a simple program (a Run button, a Save button, and a window for the result) that creates a policy based on the host on which it runs. The template that's generated will likely need some tweaking (for example, to allow stricter settings if that's allowed by policy), but it offers a good starting point for creating a comprehensive policy for Windows machines. If your environment has standard configurations that meet your security requirements, generating audit files that can be used to baseline other hosts on your network is a one-click process.

Easy To Write, Hard To Enable

Writing an audit check can be simple; it took us no time at all to write one to detect a particular antivirus version. However, getting that audit file to work took us quite a bit more time. One of the bugs was ours--though the syntax looks vaguely similar to XML, it's not. One opening tag, for example, isn't closed by a tag of the same name, but by a differently named one. Additionally, some of the Windows compliance checks can be run without access to the registry, but for the ones that do need it, some configuration tweaking might be involved. This problem wasn't necessarily Nessus'; rather, it was the fact that Nessus uses remote registry calls and most nondomain Windows XP Pro desktops don't allow such calls by default. Enabling the remote registry key check requires an undocumented process that can be onerous on nondomain machines, and though the changes could be scripted by a skilled system admin or programmer, the same skilled individual could probably write the compliance checks himself at that point. Using domain admin credentials with the appropriate group policy object would be much simpler.
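To make the audit-file idea concrete, here is a small evaluator, added for this article and not Tenable's code, that parses a constructed Nessus-style fragment (the `type`, `reg_key`, `reg_item` and `value_data` keywords are assumptions modelled on the review's description, not Tenable's documented syntax) and compares it against a constructed snapshot of what a credentialed scan would read from a host. It shows why compliance results depend on site policy: the same host passes an eight-character password minimum and would fail a 16-character one, and a registry value is judged only against what the audit file demands.

```python
import re

# Added example, not Tenable's code: keyword names are modelled on the review's
# description of audit files and are assumptions. Constructed fragment; note the
# <custom_item> block closes with </item>, the kind of non-XML quirk the review hit.
AUDIT = r'''
<custom_item>
type: REGISTRY_SETTING
description: "Autorun disabled for all drive types"
reg_key: "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
reg_item: "NoDriveTypeAutoRun"
value_data: 255
</item>
<custom_item>
type: PASSWORD_POLICY
description: "Minimum password length"
value_data: 8
</item>
'''

# Constructed snapshot of what a credentialed scan reads from one host:
# the XP default autorun mask (0x91) and a 12-character password minimum.
HOST = {
    "registry": {
        (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer",
         "NoDriveTypeAutoRun"): 145,
    },
    "password_min_length": 12,
}

def parse_audit(text):
    """Return one dict per <custom_item> ... </item> block."""
    items = []
    for body in re.findall(r"<custom_item>(.*?)</item>", text, re.S):
        item = {}
        for line in body.strip().splitlines():
            key, _, val = line.partition(":")  # split on the first colon only
            item[key.strip()] = val.strip().strip('"')
        items.append(item)
    return items

def evaluate(items, host):
    """Compare each check to the host; map description -> pass/fail."""
    results = {}
    for it in items:
        want = int(it["value_data"])
        if it["type"] == "REGISTRY_SETTING":
            actual = host["registry"].get((it["reg_key"], it["reg_item"]))
            results[it["description"]] = actual == want
        elif it["type"] == "PASSWORD_POLICY":  # threshold is site policy (8 here, 16 elsewhere)
            results[it["description"]] = host["password_min_length"] >= want
    return results
```

Running `evaluate(parse_audit(AUDIT), HOST)` flags the autorun key (145 instead of the required 255) and passes the password check; raising `value_data` to 16 in the second item flips that result without any change on the host.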

In testing Nessus inside a network of VMware images, we noticed one quirk, which you should consider if you're running a large virtualization setup. Nessus explicitly detects VMware on start-up, and warns that performance can be poor in that environment. Tenable commented that this would be a problem only when doing large-scale scanning or performance testing. Scanning a few hosts to exercise the new compliance checks won't be a problem, according to the vendor.

Although Nessus still lacks the polish of some of the more expensive vulnerability scanning products, especially in its asset-tracking and reporting features, you can't beat its price. In comparison, Retina costs $1,995 for 128 IPs; Internet Scanner, $999 for 10 IPs; NeXpose, $12,000 for 64 IPs; and VAM, $55,000 for 250 IPs. Adding on compliance checks only increases the value, especially for those in the market for compliance auditing tools as well. If you need asset tracking, better reporting, or to manage multiple sensors for different scan perspectives, Tenable's Security Center is available, and starts at $15,750 for 500 IPs. Security Center includes an unlimited number of Direct Feed licenses--though with only 500 IPs, more than a few scanners would be overkill. Still, even Nessus can get the job done on its own.

Jordan Wiens is a network security engineer at the University Of Florida. Write to him at [email protected].
