Don't forget configuration testing
Posted by: Anonymous Coward
on February 10, 2005 09:53 AM
Vulnerability scanning such as performed by Nessus is a symptomatic approach to verifying the security of a computing environment. In my view, this is a useful but limited complement to configuration testing available through the <a href="http://www.cisecurity.org/" title="cisecurity.org">CIS benchmarks</a> or <a href="http://www.bastille-linux.org/" title="bastille-linux.org">Bastille</a>.
The reason is that computing environments are deeply layered. Vulnerability scanners can only reach the exposed layers of the environment, so they necessarily operate on incomplete information. If you harden your systems only to what external scanning reveals, you'll end up with a "hard on the outside, soft on the inside" penetration profile.
Security should provide defense in depth and containment, so that if outer layers are compromised, all is not lost. That requires knowing your systems well, which is why the benchmarking tools can be so useful from a security perspective.
(By the way, in case it's not clear why there is a Nessus server separate from the client, it's in order to allow the server to be placed wherever on the network the scanning is to be conducted.)
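The post's point is that a configuration check runs on the host and sees layers an external scanner never reaches. As an added illustration (not code from the post, the CIS benchmarks or Bastille), here is a small host-based audit of a constructed sshd_config: a port scan of this host would report only "22/tcp open, ssh", while the audit reports the weak settings behind it. The directives checked, the expected values and the sample file are assumptions made for the example, not a reproduction of any published benchmark.

```python
"""Minimal host-based configuration check in the spirit of a CIS benchmark.

Added example, not code from the original post, the CIS benchmarks or
Bastille. The directives, expected values and sample config are
assumptions for illustration only.
"""

import re

# Constructed sample sshd_config. An external scan sees only an open
# port 22; these settings are the "soft inside" the post talks about.
SAMPLE_SSHD_CONFIG = """\
# constructed sample, not a real host's file
Port 22
Protocol 2
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
X11Forwarding no
"""

# (directive, acceptable values, value sshd assumes when the directive is absent)
# Assumed for the example; not copied from any benchmark document.
EXPECTED = [
    ("protocol", {"2"}, "2"),
    ("permitrootlogin", {"no"}, "yes"),
    ("passwordauthentication", {"no"}, "yes"),
    ("x11forwarding", {"no"}, "no"),
]
MAX_AUTH_TRIES_LIMIT = 4  # assumed threshold for the example


def parse_sshd_config(text):
    """Return {directive_lower: value}, keeping the first effective occurrence.

    sshd honours the first match for a directive, so a later duplicate does
    not override it; comment and blank lines are skipped, and keywords are
    compared case-insensitively.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\S+)\s+(.+)$", line)
        if not m:
            continue
        key = m.group(1).lower()
        if key not in settings:
            settings[key] = m.group(2).strip()
    return settings


def audit(text):
    """Return a sorted list of (directive, observed, expected) findings."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, ok_values, default in EXPECTED:
        observed = cfg.get(key, default)
        if observed.lower() not in ok_values:
            findings.append((key, observed, "/".join(sorted(ok_values))))
    # Numeric directive: absent or unparsable values are reported too.
    tries = cfg.get("maxauthtries", "6")
    try:
        tries_n = int(tries)
    except ValueError:
        tries_n = None
    if tries_n is None or tries_n > MAX_AUTH_TRIES_LIMIT:
        findings.append(("maxauthtries", tries, f"<= {MAX_AUTH_TRIES_LIMIT}"))
    return sorted(findings)


if __name__ == "__main__":
    for key, observed, expected in audit(SAMPLE_SSHD_CONFIG):
        print(f"FAIL {key}: observed {observed!r}, expected {expected}")
```

Run against the sample, the audit flags PermitRootLogin, PasswordAuthentication and MaxAuthTries, none of which is visible to a scanner that only sees the open port; the first-match rule in the parser matters because a hardened line placed after a permissive one is silently ignored by sshd.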