Cheap Scanning Comes at a Price

A global deployment of the free Nessus port-scanning software saves the budget but lacks the reports that management demands.

Vulnerability assessments are a crucial aspect of our overall information security program. We use Nessus, a port scanner that's available free on the Internet, to conduct assessments of our infrastructure. To ensure that we have full coverage, we've installed what we call "scan engines" at various locations throughout our organization in the U.S., Europe and Asia.

Each scan engine consists of a PC with our hardened installation of Linux and Nessus loaded on it, and each is responsible for scanning ports across its respective geographical area. My team and I just beefed up the scan-engine PCs with additional memory. We've also written scripts, which we configured within Nessus by selecting various plug-ins, to continuously scan our infrastructure for certain types of vulnerabilities.

Since we're scanning huge amounts of address space, a full scan using all available plug-ins would take many days, use a lot of resources and create lots of data to review. Instead, we try to strike a balance by selecting only those sets of plug-ins that represent the most serious risks.

The downside is that by not running all available plug-ins, we risk missing a potential vulnerability. For now, however, the ability to very quickly scan our entire environment is more important. We still do periodic scans with a more comprehensive list of plug-ins, but not on a daily basis.

One plug-in we enable is for the remote procedure call Distributed Component Object Model vulnerability, which is responsible for allowing worms such as MS Blaster to propagate through the network. By scanning in an expedited manner, we can quickly identify vulnerable workstations and servers.

We try our best to keep servers and workstations patched, but every now and then a resource gets installed in a location that isn't under our control, such as the engineering labs, and malicious code sneaks into our production environment.

In my company, the engineering labs aren't controlled. Servers and workstations are built up and torn down regularly, without much thought given to secure installation practices. We're working on a plan to segregate the labs from the rest of the corporate network, but until we get executive buy-in and funding for this project, we will continue to have this risk.

Virtual private networks and dial-up connections are other points of entry for malicious code. As much as we'd like to think that employees are following policy and not using their home PCs to access our corporate network, it's clear that they're doing exactly that. Since home PCs aren't patched and configured to our standards, malicious code often propagates through our VPN and into our production network from these unsecured resources.

Nessus Shortcomings

As useful as Nessus is, it has a few shortcomings compared with commercial scanning products. The first is centralized management. It would be nice to be able to manage all of our scanning engines from one location, but with Nessus, we must log into each scan engine separately.

Another problem is the inability to provide role-based access to the scanning infrastructure so that nonsecurity personnel can use the application to scan certain networks for specific vulnerabilities.

Finally, there is the whole issue around reporting. No matter how robust, easily manageable, intuitive and inexpensive the tool is, if we can't produce meaningful reports, it's hard to get management support. We've done some manipulation of the raw data produced by Nessus, but we can't afford to dedicate a person full time to creating reports.

Most commercial tools have addressed these shortcomings, but you pay a steep price. Unfortunately, our security budget has been cut drastically, and we have to be very picky with how we spend money.

We'll probably look at some commercial tools that can supplement Nessus with strong reporting features but continue to manage the scanning engines individually. Who knows? Perhaps someone will release an open-source centralized management tool for Nessus.

Another option for reporting just might lie with security event management (SEM) software. These programs, also called security information management tools, are fairly new and look promising.

By using SEM software, we can funnel or redirect all of our event logs to a centralized server, including logs from all of our firewalls, routers, intrusion-detection systems, Tripwire change monitoring, authentication servers, Unix systems logs and Windows NT security event logs.

The SEM server then aggregates and correlates the data to provide a meaningful look at events within the environment. It can also archive the data, send out alerts and report on events, trends and usage.

SEM is a powerful technology that can provide information not only on security events but also on other business process issues. That should help us meet Sarbanes-Oxley Act compliance requirements.

I'm reviewing products from several SEM vendors now. One that has the most potential for my organization is ArcSight from Sunnyvale, Calif.-based ArcSight Inc. We've had limited exposure to this tool, but it seems like the answer to many of our security needs, since it can accept results from our Nessus scan engines. If ArcSign's reporting is strong enough, it would alleviate the need for us to replace Nessus with something more expensive.

What Do You Think?

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at, or join the discussion in our forum: QuickLink a1590.

To find a complete archive of our Security Manager's Journals, go online to

Copyright © 2004 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon