Network Security Scanners: Comparing NMAP and Nessus

Network Security Scanners: Comparing NMAP and Nessus
Page content


At a basic level, Nessus is a vulnerability scanner whereas NMAP is used for mapping a network’s hosts and the hosts’ open ports. Both tools are used for examining network security, but several distinct differences exist. It wouldn’t be fair to do an apples to apples comparison of Nessus vs NMAP since these two programs are quite different in what they try to accomplish. This article will go through each of these applications and what role they best fit in your network security toolbox.


Nessus is first and foremost a vulnerability scanner. Although it scans ports just like NMAP, Nessus takes the open ports into account and notifies you if these ports have potential security vulnerabilities attached to them.

Nessus is typically installed on a server and runs as a web-based application. Nessus uses plugins to determine if a vulnerability is present on a specified machine. As of this writing, over 34,000 plugins are available looking for vulnerabilities in anything from Operating Systems (Unix, Linux, Windows) to specific application categories such as Databases or Web Servers.

Administrators log into the Nessus interface and set up policies, scans and view reports. Policies are set to determine what specific vulnerabilities are scanned for. One policy may be set up to look only at database vulnerabilities and will be targeted to run against your database server(s). Another policy may only look for Windows vulnerabilities while it runs against your entire network. Policies in Nessus set what will be scanned along with how it’ll be scanned (Figure 1).

Once a policy is set up, you can schedule scans. Scans in Nessus allow you to specify which machines you want scanned against which policy along with when you want the scan to run.

Once a scan is completed you can view a comprehensive report detailing any potential vulnerabilities on the machines you scanned. The nice thing about Nessus is that it’ll make intelligent recommendations based on security best practices. WMI service enabled? That’s okay – Nessus includes “informational” alerts and has a detailed write up for each vulnerability discovered letting you know the severity of the vulnerability along with mitigation tips (Figure 2).

The cost of Nessus depends on who’s using it. If you are using it for home (non-commercial) use, Nessus has a “Home Feed” subscription that is free. Commercial subscriptions – referred to as “Professional Feeds” give you a year’s worth of plugin and software updates along with email based support. Professional Feeds are priced at $1200 per year. Nessus can be downloaded here.

Figure 2 - Nessus - Detailed Report


NMAP is primarily a host detection and port discovery tool. Instead of using Nessus to look for specific vulnerabilities against a known quantity of hosts, NMAP discovers active IP hosts using a combination of probes. Once a network scan is done, you can have NMAP look at specific hosts for open ports. NMAP can also attempt to gather additional information about the open ports such as finding out the version of a database running on one of your servers, but it’s bread and butter is really the host detection and port scanning.

One huge benefit of NMAPs open source roots is that it includes a scripting engine that allows users to create complex NMAP scripts. Scripts are broken into several categories including “Auth” (attempts to brute force attack authentication), discovery, intrusive and malware (which looks for malware infected machines). NMAP’s list of scripts can be found on the NMAP site here. NMAP is free – licensed under GNU GPL and can be downloaded here.

Figure 3 - NMAP