February 9, 2005

Nessus assesses system vulnerabilities

Author: Preston St. Pierre

Keeping a server or workstation updated with the latest security patches can be a daunting task. Compounding the problem is the number of distinct operating systems and hardware platforms in an organization. Nessus, an open source vulnerability scanner, can help by finding the hosts that are missing patches or exposing vulnerable services before an attacker does.

Nessus is available for both Windows and Unix systems, so you can run vulnerability tests on and from distinct platforms. The application has both a client and a server component, which allows you to execute security assessments flexibly.

Nessus's server-side component, the nessusd daemon, holds the complete set of vulnerability tests -- implemented as plug-ins -- and is the part that actually runs them against target hosts. Nessus clients connect to the daemon over the network, select which plug-ins to run and which hosts to test (the host the client is installed on or any other reachable device), receive the results, and generate detailed reports on the security holes found and possible corrections for them. Because the daemon does the probing, it should sit where it has network reach to the targets; the client can be anywhere that can reach the daemon.

Building on this client/server architecture, the Nessus server lets you define a rule set for each login, which restricts the target addresses that user is allowed to scan from a Nessus client. For example, if you have several system administrators on your network, you can confine each one to scanning only the subnets they are responsible for. Nessus clients offer extensive report-generating features, which give you detailed assessments of the severity of the flaws encountered.

If you will be deploying Nessus on Unix platforms, your download will include both the client and server components. If you will be using Nessus on Windows, there are two separate packages: NeWT, a standalone Windows scanner that bundles the scanning engine and its interface, and NessusWX, a Windows client that connects to a nessusd server running on a Unix host.

The first order of the day for using Nessus is installing its server component. During this process you will be prompted to download the initial Nessus plug-in database, which currently includes around 6,000 different flaws covering both local and remote vulnerabilities for applications and operating systems.

Nessus plug-ins are distributed in three feeds that address the requirements of various organizations depending on their needs and budgets. The GPL feed comprises plug-ins written by the Nessus user community and is freely available without registration. A registered feed is also publicly available and gives you access to commercially written plug-ins some time after they are released to paying subscribers; as its name implies, it requires that you submit registration information in order to receive an activation code. Finally, the direct feed offers the latest vulnerability checks created by Tenable, the commercial backer of Nessus, on a paid subscription basis.

Obviously, a static plug-in database quickly goes stale, since it can only check for flaws that were known when it was downloaded. To update the Nessus database, execute the nessus-update-plugins command, which fetches the feed matching your installation (registered, commercial, or GPL); running it from cron before each scheduled scan keeps the checks current. If you did not register before installing Nessus, or opted not to download the initial plug-in database, you can use the nessus-fetch command, which can download the database or register Nessus so you gain access to the registered feed.

The next step is defining which users may log in to the daemon, via the nessus-adduser command, which prompts for a username, a password, and a set of access rules. The rules are accept and deny entries for address ranges, followed by a default verdict, and they limit which hosts that user can scan -- the Nessus documentation contains the details. Before the first start you also need to generate the server's SSL certificate with nessus-mkcert, since clients talk to the daemon over SSL. Finally, start the server in daemon mode with the nessusd -D command (it listens on TCP port 1241 by default) to allow access from remote clients.
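The server-side steps above, collected into one script, as an added example that is not part of the original article. The login name, the subnets and the activation code are placeholders; nessus-mkcert and the nessus-fetch --register and nessusd -D options are those of the Nessus 2.x command-line tools, so check --help on your build before relying on them. The script also refuses a rule set that does not end in "default deny", the mistake that turns a scanner login into a licence to probe anything.

```shell
#!/bin/sh
# One-time nessusd setup: certificate, feed registration, plug-in update,
# per-user target rules, daemon start. Added example, not from the article.
set -e

NESSUS_USER=${NESSUS_USER:-auditor}                 # placeholder login
REG_CODE=${REG_CODE:-XXXX-XXXX-XXXX-XXXX}           # placeholder activation code
RULES_FILE=${RULES_FILE:-/tmp/nessus-rules.txt}

# nessus-adduser rules restrict a login to target ranges, not to plug-ins.
# Emit "accept <cidr>" for each argument and close the set with a default
# verdict so anything not listed is refused.
nessus_rules() {
    for net in "$@"; do
        printf 'accept %s\n' "$net"
    done
    printf 'default deny\n'
}

# A rule set is only safe if its last word is a deny: anything else lets the
# user scan hosts the rules never mention.
rules_are_closed() {
    printf '%s\n' "$1" | grep -q '^default deny$'
}

setup_server() {
    nessus-mkcert                      # SSL certificate the daemon presents to clients
    nessus-fetch --register "$REG_CODE"  # enable the registered feed
    nessus-update-plugins              # pull the current plug-in database

    rules=$(nessus_rules 192.168.10.0/24 10.0.5.0/24)   # placeholder subnets
    rules_are_closed "$rules"          # abort under set -e if the set is open
    printf '%s\n' "$rules" > "$RULES_FILE"
    echo "Run nessus-adduser for login '$NESSUS_USER' and paste the rules from $RULES_FILE"

    nessusd -D                         # daemonize; listens on TCP 1241 by default
}

# Only perform the installation when explicitly asked: sh setup.sh install
if [ "${1:-}" = "install" ]; then
    setup_server
fi
```

The rule set written by nessus_rules is what you paste at the nessus-adduser rules prompt (terminated with Ctrl-D). Keep one login per administrator rather than a shared account, so that the daemon's rules and logs tie each scan to a person.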

Using a Nessus client requires you to establish a session with a Nessus server. Once you've done that, you can launch an inspection of the local host or some remote system in a few simple steps. You first select among groups of plug-ins for targeted inspections, such as Windows, Red Hat, Debian, or SMTP, among others. This avoids running thousands of security checks for flaws that cannot apply to the target. Be aware that some plug-ins, such as those in the denial-of-service category, can crash the service they test; leave the client's safe checks option enabled unless you have agreed with the system's owner that a crash is acceptable. The other step is defining the target hosts, which you can do individually or as a group.

Once your preferences are set and the scan runs, Nessus creates a report assessing the flaws it encounters. The report contains a host/port list with specific vulnerabilities, each classified at one of three levels -- note, warning, or hole -- with a verbose description of the application, the possible consequences of leaving it exposed, and corrective measures. Treat holes as leads to verify rather than confirmed compromises: a version-based check can flag a service that has already been patched by the vendor. For later reference, Nessus clients can also archive all your reports for auditing purposes or for correlating results with future inspections, which is the simplest way to confirm that a flaw reported last month has actually been fixed.
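A scan driven from the command line and a first pass over the resulting report, as an added example that is not part of the original article. It runs the Nessus 2.x command-line client in batch mode and then counts findings per host by severity from the NBE report format that client can write. The sample report lines are constructed, with placeholder plug-in IDs and descriptions; the NBE severity tokens REPORT, INFO and NOTE (hole, warning and note respectively) are as this editor recalls them from Nessus 2.x output, so confirm them against a report from your own server before trusting the counts.

```shell
#!/bin/sh
# Batch-mode scan plus a per-host severity summary of the NBE report.
# Added example, not from the article or the Nessus project.
set -e

NESSUSD_HOST=${NESSUSD_HOST:-localhost}
NESSUSD_PORT=${NESSUSD_PORT:-1241}      # nessusd's default listening port

# nessus -q <host> <port> <user> <password> <targets-file> <results-file>
#   -q  batch mode, no GUI        -T nbe  write the machine-readable format
#   -c  .nessusrc holding the plug-in selection saved from the client
#   -x  skip the server certificate check (only for a first test on localhost)
# Caveat: the password is visible to other local users in the process list,
# so run this only on a host you control, or use certificate authentication.
run_scan() {
    targets=$1; rcfile=$2; user=$3; pass=$4; out=$5
    nessus -q -x -T nbe -c "$rcfile" \
        "$NESSUSD_HOST" "$NESSUSD_PORT" "$user" "$pass" "$targets" "$out"
}

# Constructed sample report. NBE is pipe-separated:
#   results|<subnet>|<host>|<port>|<plugin id>|<severity>|<description>
# Plug-in IDs 90001/90002 and the descriptions are placeholders.
SAMPLE_NBE='timestamps|||scan_start|Wed Feb  9 10:00:00 2005|
results|192.168.10|192.168.10.5|ssh (22/tcp)
results|192.168.10|192.168.10.5|ssh (22/tcp)|90001|NOTE|constructed: an ssh server is running on this port
results|192.168.10|192.168.10.5|smtp (25/tcp)|90001|NOTE|constructed: an SMTP server is running on this port
results|192.168.10|192.168.10.5|smtp (25/tcp)|90002|INFO|constructed: the SMTP server accepts a risky configuration
results|192.168.10|192.168.10.5|http (80/tcp)|90002|REPORT|constructed: the web server version has a known remote flaw
results|192.168.10|192.168.10.7|general/tcp|90001|NOTE|constructed: the remote host is up
timestamps|||scan_end|Wed Feb  9 10:12:00 2005|'

# Per-host counts of holes, warnings and notes, read from an NBE report on stdin.
# Lines with fewer than seven fields are open-port listings without a severity.
nbe_summary() {
    awk -F'|' '
        $1 == "results" && NF >= 7 {
            h = $3
            if ($6 == "REPORT") hole[h]++
            else if ($6 == "INFO") warn[h]++
            else if ($6 == "NOTE") note[h]++
            seen[h] = 1
        }
        END {
            for (h in seen)
                printf "%s holes=%d warnings=%d notes=%d\n", h, hole[h]+0, warn[h]+0, note[h]+0
        }' | sort
}

# Just the holes (host, port, plug-in id): the list to verify by hand first.
nbe_holes() {
    awk -F'|' '$1 == "results" && NF >= 7 && $6 == "REPORT" { print $3, $4, $5 }' | sort
}

# Usage: sh scan.sh scan targets.txt scan.nessusrc auditor 'secret' out.nbe
#        sh scan.sh            (no arguments: summarize the sample report)
case "${1:-demo}" in
    scan) run_scan "$2" "$3" "$4" "$5" "$6" && nbe_summary < "$6" ;;
    demo) printf '%s\n' "$SAMPLE_NBE" | nbe_summary ;;
esac
```

Keeping the NBE files and diffing successive summaries is a cheap way to do the correlation the client's report archive offers: a host whose hole count drops to zero after a patch window has been fixed, and one whose count rises has either gained a service or been covered by a new plug-in from the feed.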

Nessus offers the functionality necessary to detect those hard-to-find application and OS-specific flaws. Combined with other open source tools such as Snort for intrusion detection and Nmap for port inspection (which Nessus itself can use as its port scanner), it lets you find and close exposed services and missing patches before they are exploited, provided the plug-in feed is kept current and scans are repeated on a schedule.

Daniel Rubio is the principal consultant at Osmosis Latina, a firm specializing in enterprise software development, training, and consulting based in Mexico.