Nexpose and Nessus Vulnerability Management Tools

The evaluation criteria

Nessus

NeXpose

Functionality

Nessus Audit is intended only for Windows operating systems as it comes for free. But more functionality is possible with the professional feed, which goes for a considerable yearly cost (Information Assurance Technology Analysis Center 2011, p. 94).

NeXpose functionality is full, but has a restriction of not more than 32 IPs in the User Interface at one time, when using the “Community” version. The regulatory audits for the “community” versions are also disabled.  Another important functionality of NeXpose is that it integrates directly with Metasploit, which simplifies the audit process actual testing portion by simply hoping down to the console and test for the indicated vulnerabilities instead of hunting the source in order to verify a reported issue (Information Assurance Technology Analysis Center 2011, p.95).

Installation and Setup

The Nessus installation process is easy as it does not require any dependencies and it is installed rapidly.  The setup requires one to have a Unix or Windows operating system, and as a recommendation, prior installation of several external programs. The Lynx (included in many Linux versions) automatic install is the simplest installation method (Anderson 2010, par. 3).  The Nessus fact that installation is more simple than that of NeXpose could have contributed in giving its application an upper hand over Nexpose.

The installation of NeXpose is also easy although it requires dependency, which is, however, easy to locate, after which it is installed rapidly. The installation process of vulnerabilities scanners is important as many people are not willing to go for the complicated scanners which might challenge them in installing. Therefore, the easiness of NeXpose installation has favored its popularity over some other vulnerabilities scanners.

Audit Policies

Nessus comes without any pre-configured audit policies, and it has some user documentation. In many cases, the first policy configuration fails, which usually signifies that most of the options described in the User Guide are not supported, or it may include recommendations by Tenable.

In Nessus, one creates his policy and then executes the scan, after which he is offered a technical report. The report gives cursory overviews of the vulnerabilities detected along with the CVSS score assignment that is normally granted after detecting the vulnerability. That marks the end of the Nessus function, after which one generates the report and commences on the process of addressing individual vulnerabilities (Chen 2011, par.4).  The report is generated externally by the vulnerability management system, and is in HTML or the Nessus specific file formats.  In case one wants to re-audit the system with Nessus, one has to repeat the processing and entering the IP or netblock and re-scan and assign the policy. Therefore, re-auditing with Nessus is time-consuming and can be annoying. This can work against its being more favoured than the NeXpose vulnerabilities scanner.

On the other hand, NeXpose comes with a number of pre-configured audit policies to test for the regulatory regulations such as SARBOX, PCI, web application audit, full blown penetration test, “full” and “exhaustive” audits, and HIPAA Audit Functioning and Reporting.

NeXpose, on the other hand, offers an automated option for scheduling process, which means that one only needs to enter the netblock or IP information once into the User Interface as the information is stored. At the same time, NeXpose offers its users a chance to create an asset object. Upon completion of the audit, the NeXpose console lists all the discovered vulnerabilities and provides the entire asset’s overall CVSS score together with the Risk score per system within the asset group (Wang 2010, par. 3).

Moreover, NeXpose has two reporting options, which are either Technical or Executive. The technical reports give a complete list of all issues discovered, the way they were discovered and a step to step way of resolving them. The Executive report gives the high level overview, together with graphs, risk levels and charts (Chen 2011, par.5).

With NeXpose one can also track the issue directly via the NeXpose console, and after the issue is resolved, one should click the “exclude” function and specify why he/she is excluding the vulnerability. Therefore, the management of vulnerability is easier in NeXpose and all information required is within the single system as the whole lifecycle of discovery, verification, and resolution is in a single webpage (Information Assurance Technology Analysis Center 2011, p 98).

Availability

Nessus is a freeware, but commercial organizations using it must purchase a ProfessionalFeed subscription so as to use Nessus in scanning their networks, and also to obtain updates and support. The ProfessionalFeed subscribers also obtain a hardened, Web-based VMware virtual appliance for hosting Nessus. Pre-installed Nessus is also available on one of two rack-mountable hardware appliances.  Nessus HomeFeed is available for home users, with ability to scan up to 16 IP addresses within a non-business network.

There are four versions of NeXpose, including 1) NeXpose Enterprise, designed for the organizations with large, intricate networks of above 1,024 IP addresses; it is intended for installation on dedicated servers hosting no other security software; 2) NeXpose Express, intended for small-to-medium sized businesses, which are classified as Class C networks, consisting of 256 IP addresses and below. It is also designed for laptops; 3) NeXpose Consultant aimed for independent security consultants and auditors as it is designed to work on laptop; it also has configuration features for tuning the tool for one-time integrated tests; 4) NeXpose Community, which is a free single-user edition designed for home business use on networks of up to 32 IP addresses or single user on network.

Type

Nessus is a Multilevel Scanner.

NeXpose is an Automated Pen Testing Suite.

Targets

Nessus targets TCP/UDP/IP networks, operating systems, Windows file content types, Web servers, SQL data bases, CGI scripts, and Cisco IOS devices.

NeXpose targets networks, operating systems, web applications, and databases.

Operating Systems Compatibility

Nessus is compatible with Linux (Debian 5, Red Hat ES 4/5/6, SuSE 9.3/10.0/11, Windows XP (pre SP2)/Server 2003/Server 2008/2008 R2/Vista/7; Fedora Core 12/13/14, Mac OS X 10.4/10.5/10.6; Ubuntu 8.04/9.10/10.04/10.10;  SPARC Solaris 10 FreeBSD 8; and VMware if  the simulated machine does not use Network Address Translation (NAT)( Information Assurance Technology Analysis Center 2011, p 92).

NeXpose is compatible with Windows Server 2003 SP2/R2, Enterprise Linux5, VMware ESXi 4, Red hat and Ubuntu 8.04 Long Term Support (SANS, 2010, par. 3).

License

Nessus is a freeware, although operation and support/updates are subscribed for.

Nexpose is a commercial tool but its Community edition is a freeware. As it can be standalone software or a plug-in, its licensing is not a static concept.

Standards

The standards for Nessus are OVAL, CVSS, SCAP, and CVE

The standards for NeXCpose are SCAP, OVAL, CVE, CVSS

Supplier

Nessus is supplied by Tenable Network Security.

NeXpose is supplied by Rapid7, which also supplies other penetrating software, which is also compatible with NeXpose.

Capabilities

According to Welberg (n.d, n.p) Nessus can find environmental vulnerabilities due to the fact that they also employ information through Intrusion Detection System as they create vulnerabilities reports.

Nessus does not have the capability of creating its own vulnerabilities numerical score.

NeXpose does not find environmental vulnerabilities.

According toWelberg (n.d, n.p) NeXpose has its inbuilt capability of building its own numerical scores for vulnerability.