Tenable Nessus Review - A Network Vulnerability Scanner

Page content

Overview and Features

Tenable Nessus is an active network security vulnerability scanner. Nessus was developed in 1998 as a free security scanner by Renaud Deraison. After quickly becoming one of the most widely used network security vulnerability scanners, Tenable Network Security changed Nessus 3.0 to a proprietary license and required users to purchase “Feeds” to use Nessus and receive updates.

Below are some of the main features of Nessus:

  • Configuration auditing
  • Asset profiling
  • Vulnerability scanning and analysis
  • Web based interface
  • Scan for and report on over 34,000 vulnerabilities

For more detailed information on how to run Nessus Scans, check out my article on “Tenable Nessus – How to Use Nessus”.

Installation and Usage

Installing Nessus is really quite simple. Nessus runs as a web based application with a single system service under Windows. Administrators can manage user accounts and plug-in updates from the Nessus Server Manager on the machine Nessus is installed.

The Nessus “Client” is really just a flash based user interface accessed via web browser.

Once a user is logged in, they can navigate the easy to use interface to create policies, run scans and view reports.

Policies are the meat and potatoes of Nessus. The Policy specifies what and how to scan. After specifying a name for a policy, you decide which credentials the policy should use to connect to your target machines. You also use the policy to set up groupings of vulnerability tests to run. For example, you may have a policy that only targets Web server vulnerabilities and one policy that targets databases. Policies are easy to setup, but offer several options for customizing performance.

After creating a policy, users can initiate a scan. Setting up a scan is as easy as giving the scan a name, assigning targets to the scan and assigning a policy. Scans will be carried out immediately. It’s unfortunate that Nessus doesn’t let you save scan criteria for later use. The user interface appears to allow for multiple scans to run concurrently, but I wasn’t able to find any way to re-use scan criteria. Not a major issue, but for those who want to do frequent scans, Tenable expects you to dish out for their higher end product.

Once a scan is complete, you can view detailed information on vulnerabilities found. I especially liked the reporting interface in that it allows you to easily see a top level view of all machines scanned with the number of high, medium and low vulnerabilities. You can then double click on a host to drill into specific details on the vulnerabilities found along with practical advice on how to eliminate or mitigate the vulnerability.

Nessus Server Manager

Nessus Scan Policy

Nessus Plugins

Nessus Scan Results

Nessus Detailed Report

Pricing and Overall Score (4 out of 5)

Nessus is free for home users, but is licensed on a yearly subscription for commercial businesses. The business license – referred to as the Nessus Professional Feed – runs $1,200 each year and is required for using Nessus and receiving plug-in updates.

Overall, Nessus is a good product with some minor quibbles. The lack of ability to schedule or even save scan configurations somewhat limits the usefulness of the product. For larger organizations who will want to run regular scans, Nessus will be a chore. For smaller organizations who want to perform occasional one-off scans, Nessus works well. Another minor quibble is the way users are set up within the system. As mentioned earlier, user administration is performed through a separate user interface – one that is not locked down in any way. It seems odd that anyone with access to the server can go in and add themselves to the allowed user list in Nessus. The scanner itself is top notch – with the ability to scan for 34,000+ vulnerabilities and Nessus’ host of performance configuration options, Nessus’ benefits greatly outweigh the drawbacks.

Last Minute Update

I was notified shortly after posting this article that Nessus now includes the ability to save scan templates. Since the recent update was not a major point release, I won’t be re-reviewing the latest version, but if the ability to save scans was holding you back from trying Nessus before, you’ve got more reason to check out Nessus now.