In the past, we have used ISS and LANguard for risk assessments and for
fulfilling vulnerability scan requests from administrators on campus.

Our old procedure was fairly simple.  An administrator would email a
request to scan his/her system(s).  We would then run ISS manually in the
evening and email the results back to the administrator.  However, in
the past year or so, there has been an increase in the number of scan
requests we received, and a decrease in the amount of time we have
available to run and babysit scans.

To help us in our vuln. scanning services and our own scans, we decided
to implement an automated scanning system where administrators could
request the scans and get their results with as little human
intervention as possible.  In the beginning of the project when we were
looking at technologies, we considered using ISS with some software from
another university which provided a mod_perl interface to this.
However, due to the complexity of the software and lack of
documentation, we decided to go another route.

After looking at and comparing scanners, we found that Nessus would better
suit our project.  Nessus's client/server architecture made it very easy
for us to create a "cluster" of scanners, and then we set about writing a
web interface to offer several features:
        1) schedule single or recurring scans
        2) be notified of results
        3) offer the results in several formats
        4) differential scans, or report "diffing"
        5) generate a wide variety of metrics based on scan results
So far, we've implemented 1, 2, and 3 (the reports that are generated
right now are just the stock Nessus report formats).  The project,
called the Vulnerability Scanning Cluster (VSC), is in the process of
being open sourced and we continue to do development, when time and
resources permit us to.  We hope to get features 4 and 5 implemented in
the next release along with our own custom reports.

In the process of working on the VSC and using it, we've found that
Nessus results are generally more thorough and easy to read. I remember
running ISS and Nessus scans and getting very different reports.  The
ISS report was thin and not terribly useful, and the Nessus report
showed a lot of things that ISS didn't find.  
Additionally, I haven't checked ISS lately, but it seems that the
Nessus plugins are added more frequently and in greater numbers.  I
know that after some of the bigger incidents this year (SQL Slammer,
RPC-DCOM) Nessus had plugins available right away.

We still use LANguard for quick single-host scans and for completeness
on risk assessments, but the VSC with Nessus is our workhorse.  In fact
we are dropping support for ISS in favor of the VSC.  Administrators on
campus can still purchase ISS for themselves, but we're hoping that more
will begin to use our Nessus-based service.

My personal list of reasons why Nessus wins out over ISS is:
 - It's easier to use
 - It has more and frequently updated plugins
 - Scans are very thorough and easily customizable
 - Client/Server architecture is perfect for our automated system.

Hope this helps, 
-matt

--
Matthew Wirges
Security and Policy Analyst
ITaP Security and Privacy :: Purdue University
[EMAIL PROTECTED] :: (765)496-2307  
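The report "diffing" listed above as feature 4 can be done on the scanner's own export without any custom report format. The script below is an added example, not VSC code, and it assumes the pipe-delimited NBE export layout (results|subnet|host|port|plugin id|severity|description) with INFO/NOTE/REPORT severities; the two sample scans, their plugin IDs and descriptions are constructed.

```python
# Diff two Nessus NBE exports keyed on (host, port, plugin id). Added example,
# not part of the VSC. Assumes the NBE layout:
#   results|subnet|host|port|plugin_id|severity|description
from collections import namedtuple

Finding = namedtuple("Finding", "host port plugin_id severity description")

def parse_nbe(text):
    """Return {(host, port, plugin_id): Finding} for the 'results' records."""
    findings = {}
    for line in text.splitlines():
        if not line.startswith("results|"):
            continue                      # skip 'timestamps|' and other records
        fields = line.split("|", 6)
        if len(fields) < 7:
            continue                      # tolerate a truncated line
        _, _subnet, host, port, plugin_id, severity, description = fields
        findings[(host, port, plugin_id)] = Finding(
            host, port, plugin_id, severity, description.replace("\\n", " ").strip())
    return findings

def diff_reports(old_text, new_text):
    """Return (new findings, fixed findings, unchanged keys) between two exports."""
    old, new = parse_nbe(old_text), parse_nbe(new_text)
    appeared = sorted(k for k in new if k not in old)
    resolved = sorted(k for k in old if k not in new)
    unchanged = sorted(k for k in new if k in old)
    return [new[k] for k in appeared], [old[k] for k in resolved], unchanged

# Constructed sample exports: two scans of one host, one week apart.
OLD_SCAN = """timestamps|||scan_start|Tue Dec 23 18:00:01 2003|
results|192.168.1|192.168.1.10|http (80/tcp)|90001|NOTE|Web server banner (constructed)
results|192.168.1|192.168.1.10|ms-sql (1434/udp)|90002|REPORT|SQL resolver overflow (constructed)
results|192.168.1|192.168.1.10|ssh (22/tcp)|90003|NOTE|SSH banner (constructed)
timestamps|||scan_end|Tue Dec 23 18:10:44 2003|
"""
NEW_SCAN = """results|192.168.1|192.168.1.10|http (80/tcp)|90001|NOTE|Web server banner (constructed)
results|192.168.1|192.168.1.10|ssh (22/tcp)|90003|NOTE|SSH banner (constructed)
results|192.168.1|192.168.1.10|epmap (135/tcp)|90004|REPORT|RPC DCOM overflow (constructed)
"""

if __name__ == "__main__":
    added, fixed, same = diff_reports(OLD_SCAN, NEW_SCAN)
    for f in added:
        print("NEW  ", f.host, f.port, f.plugin_id, f.severity, f.description)
    for f in fixed:
        print("FIXED", f.host, f.port, f.plugin_id, f.severity, f.description)
    print(len(same), "unchanged finding(s)")
```

Keying on host, port and plugin ID rather than on the description text keeps the diff stable when a plugin's wording changes between plugin updates.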

> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of David Kyle Sayre
> Sent: Tuesday, December 23, 2003 4:34 PM
> To: [EMAIL PROTECTED]
> Subject: ISS vs. Nessus
> 
> Hello all,
> 
> We have been using ISS Internet Scanner and Nessus (among other tools),
> and we would like to start combining, and where appropriate, moving
> tests from Internet Scanner to Nessus. We have a large Internet Scanner
> policy, and instead of going through it by hand, I was wondering if
> anyone had a good correlation of Internet Scanner and Nessus reports? I
> tried using the CVEs, but that only gets us so far; we still have over
> 300 tests to try and correlate, and the CVEs do not map to X-Force
> numbers (and Internet Scanner tests) very well.
> 
> Also, I was looking for a good vulnerability scanner comparison to show
> to manager types. Most of our managers are for the move to Nessus, but
> some are still reluctant, and I would like to put as many nails in ISS's
> coffin as possible.
> 
> Thanks,
> David Sayre
> Los Alamos National Labs
> 
_______________________________________________
Nessus mailing list
[EMAIL PROTECTED]
http://mail.nessus.org/mailman/listinfo/nessus