NESSUS-3

The Nessus vulnerability scanner was created by the Nessus Development Team, led by Renaud Deraison. Nessus is one of the best tools available for automating security testing and discovering known security problems. It is designed to help you identify and fix known problems before an attacker takes advantage of them. Nessus is a powerful tool with many capabilities. In this article, we will cover the basics of Nessus and of Nessus-3 setup and configuration.

WHAT’S NEW IN NESSUS-3

Nessus 3 is the latest version of Nessus. Tenable Network Security, Inc. offers Nessus 3 as a free product for UNIX, Windows, and OS X operating systems. The following is a list of the changes between Nessus 2 and Nessus 3:

  • NASL3 is 16 times faster than NASL2 and a full 256 times as fast as NASL1.
  • The IDS-evasion feature has been removed.
  • Nessus 3 has more protocol APIs.
  • In Nessus 3, each host is tested in its own process, and the scripts run against that host share that process space.
  • A NASL script can use at most 80 MB of memory.
  • The NASL3 VM is more secure: a poorly written NASL script cannot cause buffer overflows, stack overflows or memory corruption, because the language itself prevents these problems from occurring.
  • There are two kinds of NASL functions:
    • “Harmless” functions, which cannot interact with the local system.
    • Functions which can interact with the local system. These are supported in Nessus 3, but the script must be signed by Tenable. In this way, tainted scripts cannot interact with the local system, and the risk of a script being copied or tampered with as it moves from system to system is reduced.

SCANNING MODE AND NESSUS OS FINGERPRINTING

The ability to detect the operating system of a remote target is always critical, because a vulnerability scanner must be able to adapt to different types of environments. One of the first steps Nessus takes is to attempt to identify the remote operating system. This step is highly important, as the other Nessus modules often rely on this information to make intelligent decisions, such as whether or not to scan the target host.

DEPLOYING A NESSUS INFRASTRUCTURE

Before deploying a Nessus infrastructure, the user should understand the target network. For instance:

  • Where are the network bottlenecks?
  • Where are the firewalls?
  • Where are the RFC 1918 networks?
  • What routing protocols are used?
  • What network protocols are typically used?

Speed

Nessus 3 is all about speed. With Nessus 3, the network is the limiting factor. If more speed is required, the user should run multiple Nessus engines in parallel. Besides speed, such a configuration brings other benefits. For example, when scanning a local broadcast domain, the user’s Nessus scanner should be able to pick up on things which typically would not be routed to the next-hop router. By having a scanner on each broadcast domain, the user can detect and make use of broadcast traffic, RFC 1918 addressing and much more. Having separate scanners also ensures that the Nessus scanning traffic does not traverse WAN links. Nessus 3 runs on UNIX, Windows, and OS X operating systems; hence, an organization can deploy the Windows version of Nessus on its Backup Domain Controllers.

Location

It is very important to plan where a scan should begin. Do you want to simulate the “hacker’s” view and scan from outside the network? Do you want to scan from inside the network? Do you want to scan from a business partner’s network into your network? There are hundreds of permutations. The first question will be: “which vector of attack do I wish to test for?” Ideally, you want to test all the different permutations.

Time

How often should you scan? If active scanning is the only scanning being done, then the user should scan as often as possible. Most organizations use change control procedures, so try to scan after each change control window. Remember, if you scan every 30 days, a change made to the network 2 days after a scan will go undetected for 28 days. While outside the scope of this paper, Tenable offers a 24×7 passive vulnerability scanner which detects these changes in real time. With respect to time, Tenable releases dozens of plugins per month. Be sure to have your Nessus scanner set up to automatically retrieve the latest direct feed from Tenable prior to a scan.

The Verdict

Nessus is an excellent tool that will greatly aid your ability to test for and discover security problems. The power that Nessus gives you should be used wisely, as some of its most dangerous plug-ins can render production systems unavailable. We hope this article has given you a brief introduction to Nessus and to how it tests for and discovers security problems.