Vulnerability scanners are computer programs designed to assess computers, computer systems, networks and computer applications for weaknesses. There are many vulnerability scanners, distinguished by the targets they focus on. Though the functionality of vulnerability scanners varies, they all share the same purpose: identifying the vulnerabilities present in one or many targets. Examples of vulnerability scanners on the market today are OpenVAS, Core Impact, GFI LanGuard, QualysGuard, MBSA, Retina, Secunia PSI, Nipper, Saint, NeXpose and Nessus. This paper focuses on the Nessus and NeXpose vulnerability scanners.
Nessus Vulnerability Scanner
Nessus is a popular product for vulnerability and configuration assessment produced by the company Tenable Network Security. Among its features are "high-speed discovery, configuration auditing, asset profiling, sensitive data discovery, patch management integration, and vulnerability analysis" of a security posture. This is achieved by improving the qualities of the security posture itself: its usability, effectiveness, efficiency, and communication with all parts of an organization. According to Nilsson (2006, p. 39), Nessus is one of the most capable vulnerability scanners, especially when used with UNIX systems. Initially, Nessus was free and open source. However, in 2005 the company closed the source code, and in 2008 it removed the "Free Feed" version. Currently, access costs $1,200 per year, which is still cheaper than its competitors. There is also a free "Home Feed" version, which has limited capabilities and is only available for home network use. Nessus is updated constantly and now consists of more than 46,000 plugins. The key features of Nessus include remote and local security checks, a client/server architecture with a web-based interface, and an embedded scripting language that lets a client write its own plugins or understand the existing ones (Nilsson, 2006, p. 40). After the source was closed, some users established OpenVAS as an open source equivalent to Nessus. The latest released Nessus is version 5.
NeXpose Vulnerability Scanner
NeXpose is a vulnerability scanner produced by the company Rapid7. NeXpose aims to support the whole vulnerability management lifecycle: discovering, detecting, verifying, classifying risk, analyzing impact, reporting, and mitigation (Stephenson, 2007, p. 49). NeXpose also integrates with another Rapid7 product, Metasploit, which is used for vulnerability exploitation. Users buy NeXpose as standalone software, an appliance, or a virtual machine; it can also be bought as a managed service or a private cloud deployment. Users interact with NeXpose through a web browser. There is a free version of NeXpose, referred to as the free "Community Edition", which can scan up to 32 IPs. In addition, there is a version known as "Express", which costs $3,000 per year per user. Another version, "Express Pro", goes for $7,000 per year per user. Finally, there is the Enterprise version, whose cost starts at $25,000 per user per year. The latest version of NeXpose is 5.1.
The Criteria of Comparing Nessus and NeXpose Vulnerability Scanners
According to Garza and Roth (2003, p. 24), the main criterion for evaluating security scanners like Nessus and NeXpose is the number of vulnerabilities each can detect. The authors caution buyers against relying on the numbers that the products' manufacturers give. Anyone who needs an informed opinion should get this information from neutral parties or from actual users of the products. The number of false detections is also crucial. Although there is nothing wrong with being over-prepared, many false detections waste a lot of the time of security specialists and system administrators, because every false detection has to be verified and filtered out.
Convenience is another criterion for judging scanners (Garza and Roth, 2003, p. 26; Stephenson, 2008, p. 40). This may refer to how easily the product can be installed, the price, functionality, Front-End, audit policies, audit function, and reporting, among other factors. This criterion normally depends on the needs of the user. For instance, one user may choose a scanner because it is easy to use, while another may choose a scanner because it is easy to install.
Comparison between Nessus and NeXpose Vulnerability Scanners
A worldwide network of developers currently maintains 24,000 vulnerability checks for Nessus (Nilsson, 2006, p. 42). These checks cover different classes of vulnerability, for instance backdoors, CGI abuses, Cisco, Denial of Service, finger abuses, FTP, and gaining a shell remotely, among others. When running tests, there is an option to turn individual checks on or off. This option is useful if some checks do not apply, or if the checks would interrupt processes running on the system under scan. In addition, there is the option of enabling a single specific vulnerability test.
On the other hand, NeXpose specializes in both depth and breadth of vulnerability scanning (Franklin Jr., 2003, p. 27). NeXpose can scan for vulnerabilities in a computer's hardware, operating system (OS), and network layer, covering Cisco, Windows, Linux, Unix, AS/400, and BSD. In addition, NeXpose can scan for service and application layer vulnerabilities in Lotus Notes, Oracle, Exchange, IIS, Adobe Acrobat, and many others. According to the Information Assurance Tools Report (2011, p. 44), NeXpose can perform over 20,000 different vulnerability checks against over 1,500 devices.
With Nessus, after the user creates a policy and executes the scan, he/she is offered one technical report. This report from Tenable Network Security gives a cursory overview of the detected vulnerabilities, together with the occasional Common Vulnerability Scoring System (CVSS) score given to a vulnerability. After this, the user has no option but to build his/her own report and feed it into an external vulnerability management system (Stephenson, 2007, p. 50). The user will then have to add all the issues and start addressing individual vulnerabilities.
In addition, beyond the file formats Nessus supports internally, actual reports may only be generated in Hypertext Markup Language (HTML), LaTeX and Extensible Markup Language (XML). Nilsson (2006, p. 42) notes that there used to be an option to print reports in PDF, but it no longer exists in version 4.
Besides, if one wants to re-audit a system, he/she needs to repeat the whole process of entering the Internet Protocol address or net block in order to rescan and reassign the policy (Nilsson, 2006, p. 41). This is unnecessarily time consuming and may annoy users who do not like wasting time.
On the other hand, with NeXpose, once the user enters the net block information or the Internet Protocol address into the user interface, this information is stored immediately. The user can then set up an automated schedule to carry out a re-audit (Information Assurance Tools Report, 2011, p. 6). For instance, a user subject to the Payment Card Industry Data Security Standard (PCI-DSS) may schedule recurring re-audits of this task. In other words, with NeXpose a user has the privilege of creating an asset object.
After the NeXpose audit is complete, the NeXpose console lists all vulnerabilities that have been discovered (Franklin Jr., 2003, p. 28). NeXpose also provides the user with an overall Common Vulnerability Scoring System score for the whole asset. In addition, it provides a risk score for each system within the asset group. Unlike its competitor Nessus, the user is given two reporting options: one technical and the other executive (Stephenson, 2008, p. 51). The technical report consists of a complete list of the discovered issues, including how these issues were discovered, and gives step-by-step instructions on how the issues can be resolved. The executive report consists of a high level overview of the scan, with graphs, charts, and basic statistical analyses of risk levels.
Even more so, it is possible to customize NeXpose reports based on the user's criteria (Franklin Jr., 2003, p. 27). The user may customize a report to show only the vulnerabilities he/she wishes to see: NeXpose has options to show "All Vulnerabilities", "Critical and Severe Vulnerabilities", or only the "Critical Vulnerabilities". Unlike in Nessus, the NeXpose user may have the report in various formats, including PDF.
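The paper notes that a Nessus user receives a single technical report with occasional CVSS scores and must assemble any executive overview or severity-filtered view (all, critical and severe, or critical only) by hand. The following added example (not from the paper, Tenable or Rapid7) does that post-processing in Python over a constructed sample export; it assumes the Nessus v2 XML export layout of ReportHost and ReportItem elements with a severity attribute and a cvss_base_score child, and the host addresses and plugin names are made up.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the shape of a Nessus v2 export (not real scan data).
SAMPLE_NESSUS = """<NessusClientData_v2><Report name="demo">
<ReportHost name="192.0.2.10">
 <ReportItem port="445" protocol="tcp" severity="4" pluginID="1" pluginName="Sample critical">
  <cvss_base_score>10.0</cvss_base_score></ReportItem>
 <ReportItem port="80" protocol="tcp" severity="2" pluginID="2" pluginName="Sample medium">
  <cvss_base_score>5.0</cvss_base_score></ReportItem>
</ReportHost>
<ReportHost name="192.0.2.11">
 <ReportItem port="22" protocol="tcp" severity="3" pluginID="3" pluginName="Sample high">
  <cvss_base_score>7.5</cvss_base_score></ReportItem>
 <ReportItem port="0" protocol="tcp" severity="0" pluginID="4" pluginName="Sample info"/>
</ReportHost>
</Report></NessusClientData_v2>"""

SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

def parse_findings(xml_text):
    """Flatten every ReportItem into a dict with host, name, severity and cvss."""
    findings = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.iter("ReportItem"):
            score = item.findtext("cvss_base_score")  # absent on informational items
            findings.append({"host": host.get("name"),
                             "name": item.get("pluginName"),
                             "severity": int(item.get("severity", "0")),
                             "cvss": float(score) if score else None})
    return findings

def executive_summary(findings):
    """The 'executive' view the paper describes: counts per severity plus worst CVSS per host."""
    by_severity = Counter(SEVERITY_NAMES[f["severity"]] for f in findings)
    worst = {}
    for f in findings:
        if f["cvss"] is not None:
            worst[f["host"]] = max(worst.get(f["host"], 0.0), f["cvss"])
    return {"by_severity": dict(by_severity), "worst_cvss_per_host": worst}

def filter_view(findings, view):
    """Mimic the NeXpose report views: all / critical_severe (High and up) / critical only."""
    floor = {"all": 0, "critical_severe": 3, "critical": 4}[view]
    return [f for f in findings if f["severity"] >= floor]
```

Feeding `parse_findings(SAMPLE_NESSUS)` into `executive_summary` and `filter_view` yields the two views a Nessus user would otherwise have to produce manually.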
Apart from the comprehensive reporting that NeXpose offers, the product also lets the user track issues directly in the NeXpose console (Stephenson, 2007, p. 49). Once a given issue is resolved, the user may click on the image labeled "exclude", and he/she will be asked to give a reason for excluding the vulnerability. This integrated vulnerability management simplifies the analyst's work, because all the information he/she may need is contained within a single system. With NeXpose, the whole process of discovery, verification and resolution takes place on a single web page. Besides, NeXpose has an integrated PostgreSQL database (Information Assurance Tools Report, 2011, p. 7), from which the analyst can retrieve custom reports whenever necessary.
Moving on to audit policies, it should be noted that Nessus has no pre-configured audit policies (Nilsson, 2006, p. 42). Even though there is user documentation, once the user configures the first policy and it fails, for instance, the user has no option but to obtain another product. This is because most of the options described in the User Guide are either unsupported or not recommended by Tenable Network Security (Information Assurance Tools Report, 2011, p. 9).
In contrast, NeXpose comes with a number of pre-configured policies that allow not only testing against regulations (like PCI, SARBOX, Web Application Audit) but also a full-blown exhaustive test (Stephenson, 2007, p. 49). As a result, an auditor's work is simplified, as no time is wasted trying to configure a working audit policy. Much time is saved by skipping the cycle of developing a working audit policy, running it, and reconfiguring it that happens with Nessus.
Looking at the Front-End of NeXpose, the product has a Hypertext Preprocessor (PHP) Front-End. This Front-End loads faster and does not take a large amount of memory. On the other hand, Nessus has a flashy Front-End user interface, which may attract users who like visually attractive things. However, this Front-End uses more space than the PHP one (Garza and Roth, 2003, p. 26).
Another crucial point to note is that a Nessus download is restricted to auditing only Windows vulnerabilities. If the user wants to perform audits other than Windows vulnerabilities, he/she is required to pay $1,200 a year to access the professional feed (Nilsson, 2006, p. 41).
NeXpose, on the other hand, offers full functionality for all purposes. The only restriction is on the "Community" version, where the user may not have more than 32 Internet Protocol addresses in the user interface at any given time, and regulatory audits are disabled (Stephenson, 2008, p. 51).
Another important feature of NeXpose is that it allows direct integration with Metasploit, an open source computer security project (Information Assurance Tools Report, 2011, p. 9). As a result, the actual testing portion of an audit is easy, as the user can move to the console and go ahead to test the reported vulnerabilities. This would be difficult elsewhere, as it would involve hunting for the source in order to verify a reported issue.
Let us look at the ease of installing the two products. It is worth noting that both NeXpose and Nessus are easy to install. Nessus does not require any dependencies and installs in approximately five minutes. NeXpose requires one dependency that takes about two minutes to install; thereafter, the NeXpose installation takes approximately five minutes (Stephenson, 2008, p. 50).
Summary of the Comparison between Nessus and NeXpose Vulnerability Scanners
| Evaluation criteria | Nessus | NeXpose |
|---|---|---|
| Number of vulnerability checks | 24,000 | 20,000 |
| Reporting | One technical report given. | Two reports given (technical report and executive report). |
| | Common Vulnerability Scoring System score given. | Common Vulnerability Scoring System score given. |
| | Lacks automated repeat of audit. | Has automated re-audit option. |
| | Customization of reports requires the user's manual effort. Time is wasted coming up with reports. Errors made by the user may cause serious oversights in the final report. | Reports can be automatically customized. This saves time. Accuracy is guaranteed. |
| | Tracking and resolving issues requires manual effort. | Issues can be directly tracked and resolved using the NeXpose console. |
| | Reports can be produced in other formats but not PDF. | Reports can be produced in other formats including PDF. |
| Audit policies | Comes with no pre-configured audit policies. Time is spent configuring the product before use. | Comes with a number of configured policies. This saves time that would otherwise be wasted configuring the product before use. |
| Front-End user interface | Flashy Front-End user interface. Uses more space than the Hypertext Preprocessor (PHP) Front-End user interface. Takes a relatively long time to load. | Hypertext Preprocessor (PHP) Front-End user interface. Does not use a lot of space. Does not take a lot of time to load. |
| General accessibility | Download is restricted to auditing only Windows vulnerabilities. Other purposes require the professional feed. | Offers full functionality for all purposes. The only restriction is on the Community version. |
| Integration with Metasploit | Does not allow direct integration with Metasploit. | Allows direct integration with Metasploit. |
| Ease of installation | Approximately five minutes. | Approximately five minutes. |
| Dependencies during installation | No dependencies required. | One dependency required. Takes two minutes to locate and install the dependency. |
After looking at the two products, I recommend NeXpose to anyone in need of a vulnerability scanner. It offers many advantages over Nessus: using NeXpose saves time and simplifies the analyst's work. Though Nessus has some positives (like not having dependencies), it is truly no match for NeXpose. Rapid7 should study NeXpose in order to realize why Nessus is lagging behind, and should then seek to improve Nessus based on the services offered by NeXpose. Choosing between the two products, however, depends on a user's personal preferences. For instance, a user who requires different kinds of reports may opt for NeXpose, while a user who likes sophistication may stick with Nessus. We should also note that there are many other vulnerability scanners on the market, for instance OpenVAS, Core Impact, GFI LanGuard, QualysGuard, MBSA, Retina, Secunia PSI, Nipper and Saint. One needs to analyze the pros and cons of all the scanners in order to identify the one that will best serve him/her.