A Look at Nessus
by Chris Hurley - 6/20/00
I recently had the opportunity to extensively test the Nessus system scanner. I found the product, which can be obtained free from
www.nessus.org, to be an extremely valuable tool. If there is a negative, it is the initial
configuration, which can be a non-trivial exercise if the GTK kit, also available at the Nessus website and necessary to utilize
the optional graphical interface, has not already been installed on your system.
Nessus requires that a server daemon be installed on a UNIX (Solaris, Linux, AIX, etc.) platform. This daemon is then configured and
started by the root user. After the daemon has been initialized, each user must be added manually by root. This was the place where
I was first impressed by Nessus. Each individual user account can be set up with parameters that the super user deems appropriate.
By this I mean that the IP where the daemon is instructed to accept a connection from can be specified as well as what, if any,
additional restrictions are placed on the user. An initial password is chosen at this time.
Remote access is one of the really impressive features of Nessus. The user side software can be run in a Unix environment or on a
Win 9x or NT platform. The first connection to the Nessus server initiates a key sequence after the user has provided the initial
password. An encrypted key is generated and subsequent connections are verified via this key.
Once a connection has been established to the Nessus server, the fun really begins. The user enters a range of IP addresses to scan
for vulnerabilities. The default scanner used is Nmap. The user-friendly GUI allows the user to determine which checks/attacks he
wishes to perform. These range from relatively harmless pings to DoS attacks. For those not familiar with some of these attacks,
Nessus has a built-in option to disable the "dangerous" attacks. Nice for a SysAdmin who doesn't want to accidentally crash his own
system while trying to identify and correct vulnerabilities. The user also has the ability to exclude any resources that he doesn't
want to test. This can come in very handy, especially when trying out the DoS attacks.
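As an added illustration (not Nessus code and not from the review), here is how the two safety controls just described, an exclusion list for resources you don't want touched and a switch that leaves out the "dangerous" checks, can be modelled when planning a scan. The check catalogue and its names are constructed for the example, not real Nessus plugin ids.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Check:
    name: str
    dangerous: bool   # True for tests (e.g. DoS) that may crash the target


# Constructed sample catalogue; these names are illustrative, not real plugin ids.
CATALOGUE = (
    Check("icmp_ping", dangerous=False),
    Check("service_banner", dangerous=False),
    Check("smtp_open_relay", dangerous=False),
    Check("syn_flood_dos", dangerous=True),
    Check("malformed_packet_dos", dangerous=True),
)


def plan_scan(target_range, exclusions, catalogue=CATALOGUE, safe_checks=True):
    """Expand target_range, drop excluded hosts/nets, and pick the checks to run.

    safe_checks=True mirrors the "disable dangerous attacks" option: every check
    flagged dangerous is left out, so the scan cannot knock over your own boxes.
    exclusions may be single addresses ("192.0.2.1") or networks ("192.0.2.4/31").
    """
    network = ipaddress.ip_network(target_range, strict=False)
    excluded = [ipaddress.ip_network(e, strict=False) for e in exclusions]
    targets = [
        str(addr) for addr in network.hosts()
        if not any(addr in net for net in excluded)
    ]
    checks = [c.name for c in catalogue if not (safe_checks and c.dangerous)]
    return targets, checks


if __name__ == "__main__":
    # Constructed lab range: keep the gateway (.1) and a pair of production
    # hosts (.4/31) out of the run, and leave the DoS tests switched off.
    targets, checks = plan_scan("192.0.2.0/29", ["192.0.2.1", "192.0.2.4/31"])
    print("targets:", targets)
    print("checks:", checks)
```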
After the scan has been performed, a full listing of all vulnerabilities and their seriousness is displayed for the user. One very
nice feature to note here is that the CVE number is also cited for reference. There are several options for saving this data
including a nifty HTML format that includes pie charts and graphs that you can show to your customer.
At this point, Nessus takes on one of two roles. These vulnerabilities can be analyzed to determine a point of attack to gain
unauthorized access. Conversely, System Administrators or security personnel can use this data to shore up the system in question.
Nessus provides "fixes" with each vulnerability. By this I mean that if a patch is available to fix the hole, Nessus will tell you
where to get it. Also, if some Registry editing or its equivalent should be undertaken, Nessus provides instructions on how to
close the hole this way.
On the whole, I would rate Nessus as a fantastic tool. Whether you are searching for information, or trying to reduce your system's
vulnerability, Nessus can be configured to get the job done. Although setup is not as easy as the Nessus website would have you
believe, it is not very difficult for the experienced Unix user. I would recommend downloading Nessus from www.nessus.org and taking
it on a test drive of your own. Let us know what you think and if you have come across any useful configurations or modifications