Educause security group,

 

Can anyone recommend a particular vulnerability scanner software, product, appliance, or service that you are using at your campus? This is a need at our campus and I am trying to review the different options available for a small campus. Thanks for any help, insight, or feedback you can provide.

 

Thanks,

Greg Schmalhofer

 

Millersville University

Information Security Coordinator

Millersville, PA

Comments

Greg,

 

I would recommend GFI LANGuard it is easy to use.

 

Carlos

 

Carlos S. Lobato, CISA, CIA

IT Compliance Officer

 

New Mexico State University

Information and Communication Technologies

MSC 3AT PO Box 30001

Las Cruces, NM  88003-8001

 

Phone: 575-646-5902

Fax: 575-646-5278

 

Email: clobato@nmsu.edu

 

 

 

Message from bsigmo15@uncc.edu

QualysGuard


Thanks,

 

Aaron Sigmon | Sr. Information Security Engineer

UNC Charlotte | Information and Technology Services

9201 University City Blvd. | Charlotte, NC 28223

bsigmo15@uncc.edu | http://www.uncc.edu



From: Greg Schmalhofer <Greg.Schmalhofer@MILLERSVILLE.EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY@LISTSERV.EDUCAUSE.EDU>
Date: Thursday, November 15, 2012 11:21 AM
To: "SECURITY@LISTSERV.EDUCAUSE.EDU" <SECURITY@LISTSERV.EDUCAUSE.EDU>
Subject: [SECURITY] Vulnerability Scanner Recommendations


Qualysguard Enterprise


If you're looking for something to raise general awareness or you need something low-cost to justify one of the more expensive solutions, OpenVAS is a fork of Nessus 2.2. Nessus has a significantly larger vulnerability base and significant speed/threading improvements, but for a smaller campus, limited budgets or as a proof-of-necessity, OpenVAS is a solid product. I vaguely remember it taking about twenty or thirty minutes to stand up an Ubuntu Server VM with OpenVAS ready to go. Yes, I use it regularly for scanning inside my department.

Nessus is the gold standard in this space. It's a solid product and yes, we're customers.

Nexpose from Rapid7 is solid but pricey. The generic reports are nearly identical to what you get from Nessus and OpenVAS, but their remediation and custom reports are great, plus you get a product that can intimately interact with Metasploit (now a Rapid7 product as well). Call them, schedule a demo, it's very cool. We're not customers but I still appreciate what I've seen of it via friends in the VA/PT space and other institutions.

AlienVault ships with OpenVAS (you can replace it with Nessus) and provides Snort and OSSEC, as well as some decent log aggregation/search (I prefer ELSA for logs but I digress...). They have an upgrade route from their free product (OSSIM) to their proprietary product and offer a 28-day evaluation of their "Unified Security Management" appliance. I had some issues with OSSIM in a virtual environment but that was a couple of years ago and they've made huge strides.

I'm hoping to get one of the USMs on campus in the near future. Good luck!

kmw
We've been building up an nCircle service. People seem to like it. Its reporting and remediation features are nice.


Good day Greg

 

My recommendation: start with establishing a process for what the VA needs to accomplish based on your environment, and move towards choosing a scanner that will help in light of your resources, how thorough you need to be, and what type of assessments you will be doing, for example network scans, web application and operating system scans, PCI-related scans, etc.

 

We here use Nessus and WebInspect. Both are fantastic and easy to use.

 

Hope that helps

 

George Farah, GIAC/GSEC Gold, CRISC, CISA
University Information Systems Security Manager

Queen's University,

+1

 

Tenable internal, Qualys external.

Thanks,

Quentin L. McCallum, CISSP
Information Security Analyst
Lansing Community College
517-267-5014
I'm also interested in this as I'm trying to move toward quarterly vulnerability scans instead of the on-demand scans we do now. Currently I have my external security consultant handle our vulnerability scans, so I rely on him for guidance for a specific scanner, and right now we are using Nessus. I have a service for our PCI compliance SAQs and they handle the external scans for me for just the few IPs in scope for PCI.

Barron

Barron Hulver
Director of Networking, Operations, and Systems
Center for Information Technology
Oberlin College
148 West College Street
Oberlin, OH 44074
http://www2.oberlin.edu/staff/bhulver/
Personally I love our Nessus system, but I don't have experience with other commercial products. 
http://www.tenable.com/products/nessus/nessus-product-overview

OpenVAS is free and open-source and it's OK, though it's not as easy to use and requires more customization to be useful.  Nessus gives better results in my opinion.  It's interesting to scan the same system with each and see the difference in results.
http://www.openvas.org/

In any case, these are just tools. You still have to be able to assess and validate the results these systems give you. They help find a number of issues, but there are always some false positives or differences in judgement regarding how significant an issue is. For example, I consider a Denial-of-Service vulnerability on most systems to be a medium-risk issue; we'll fix it at the next good opportunity or scheduled update cycle. Potential information exposure, on the other hand, is high-risk and requires a more urgent response. Network security scanners may prioritize such vulnerabilities differently from what I would. It doesn't mean they're wrong, it's just a difference in judgement based on our environment.

Kevin


We’re a whopping big system (fifty-mumble campuses, a couple of data centers, statewide network), so we have scaling issues (dozens of responsible network/server admins, hundreds of networks, tens of thousands of devices, and over half a hundred scanning devices) that you may or may not have to deal with in your environment.

 

We use nCircle IP360 for regular internal and monthly “external”ish (outside our common address ranges) vulnerability scans.  Their delegation and permissions model scales quite well to our needs for scan scheduling, asset grouping, and reporting.

 

We also use Qualysguard for PCI DSS-mandated quarterly ASV scanning and reporting.  It also seems to have the properties to scale well, though we have a lot fewer users and networks enrolled in the product.

 

nCircle is a well put together solution. Their scanning devices are pretty simple flash-based 1 rack unit devices, which call home to an on-our-premises mothership for updates and marching orders, as well as delivering scan data. The scanners have multiple ethernets, and each can be configured as 802.1q trunks, which we find pretty handy for a lot of our environments, e.g. negating the need for explicit permit ACLs on internal control points and so on.

 

nCircle has a proprietary vulnerability-scoring model that doesn’t map especially well to compliance mandates such as “remediate quickly all vulnerabilities with a CVSS base score above 4.0”  However, if the scoring model (and it’s recently become a little more tunable than it was in the past) suits you, it does allow for some pretty impressive slice-and-dice patch-prioritization and reporting methodologies; scores can range from 0 up through several hundred thousand, if that suits your goals and organizational structure and incentives/penalties. It’s not a cheap product, though.

 

Qualysguard, for us, seems a bit better fit for compliance regimes like PCI DSS, exposing the CVSS base scores in a more usable way.  They also rate vulns on a 1-5 scale, which for a lot of orgs is more than enough to differentiate between sets of machines and different levels of prioritization.  The process of moving a quarterly scan report to their PCI DSS compliance portal and thence to a compliance reporting point for an acquiring bank seems a bit fiddly for most of our campus users.  For the small number of externally-visible in-scope IPs we have, the Qualysguard pricing is reasonable.

 

Both of the above products give very nice reporting and vulnerability/host/host-os/network history graphing, which can be pretty handy.

 

 

In addition, we have a number of seats in Veracode for our enterprise web-app developers.  They (and our AppSec coordinator/cheerleader) seem to like it for both static analysis and dynamic over-the-wire webapp vuln scanning.  We’ve recently gotten another pen-testish webapp scanner, but I can’t recall the product name at the moment, and we haven’t done more than begun to kick the tires as yet.

 

Nessus and suchlike are fine tools for pen-test and very small environments, but trying to manage a historical view of a host or set of hosts by collating standalone report documents is something that I’ve only seen done very manually and painfully.  I can only imagine that Tenable must have put together some sort of overall console/management system to handle this sort of thing, but I’ve never had a chance to interact with it.

 

So, like so many times, “a recommendation depends on what resources you have, and what your goals are.”

 

    -jml
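Two points in the thread, Kevin's (scan the same host with two tools, then validate and re-judge the results yourself, e.g. DoS as medium and information exposure as high) and jml's (scanner scores have to be mapped onto a compliance rule such as "remediate quickly all vulnerabilities with a CVSS base score above 4.0"), come down to the same small piece of glue code: normalise each scanner's findings to one record, diff the two reports so single-scanner findings get validated first, and apply local judgement and the compliance floor in a fixed order. The following is an added example, not code from this thread or from Tenable, OpenVAS, nCircle or Qualys. The hosts, plugin names, placeholder CVE ids, the PCI scope set and the severity policy are all constructed assumptions; a real integration would parse the .nessus or OpenVAS XML export into the same Finding records.

```python
"""Cross-check two scanners' findings and re-score them against local policy.

Added example; not code from the EDUCAUSE thread or from any scanner vendor.
The Finding records below are constructed stand-ins for the rows you would
pull out of a real .nessus or OpenVAS XML export.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    host: str
    plugin: str          # scanner-specific check name; not comparable across tools
    cve: Optional[str]   # CVE id is the join key when both tools report one
    cvss: float          # CVSS base score as the scanner reported it
    category: str        # local tag applied at import: "dos", "info-disclosure", "rce", ...
    scanner: str


# Constructed sample findings (hypothetical hosts, placeholder CVE ids).
NESSUS = [
    Finding("10.0.0.5", "ssh-weak-ciphers", "CVE-0000-0001", 4.3, "info-disclosure", "nessus"),
    Finding("10.0.0.5", "http-slowloris-dos", "CVE-0000-0002", 5.0, "dos", "nessus"),
    Finding("10.0.0.5", "smb-remote-code-exec", "CVE-0000-0003", 10.0, "rce", "nessus"),
    Finding("10.0.0.9", "ssh-weak-ciphers", "CVE-0000-0001", 4.3, "info-disclosure", "nessus"),
    Finding("10.0.0.9", "http-slowloris-dos", "CVE-0000-0002", 5.0, "dos", "nessus"),
]
OPENVAS = [
    Finding("10.0.0.5", "SSH Weak Encryption Algorithms", "CVE-0000-0001", 4.3, "info-disclosure", "openvas"),
    Finding("10.0.0.5", "HTTP Slow Request DoS", "CVE-0000-0002", 5.0, "dos", "openvas"),
    Finding("10.0.0.5", "TCP timestamps", None, 2.6, "info-disclosure", "openvas"),
    Finding("10.0.0.9", "SSH Weak Encryption Algorithms", "CVE-0000-0001", 4.3, "info-disclosure", "openvas"),
    Finding("10.0.0.9", "HTTP Slow Request DoS", "CVE-0000-0002", 5.0, "dos", "openvas"),
]

# Hypothetical local policy (assumptions for this example, not any product's model).
PCI_SCOPE = {"10.0.0.5"}                  # hosts under the "fix CVSS > 4.0 quickly" mandate
COMPLIANCE_CVSS_FLOOR = 4.0
LOCAL_CATEGORY_SEVERITY = {"dos": "medium", "info-disclosure": "high"}


def finding_key(f: Finding) -> tuple:
    """Join key: (host, CVE) when a CVE exists, else (host, normalised plugin name)."""
    return (f.host, f.cve) if f.cve else (f.host, f.plugin.lower())


def compare(a: list, b: list) -> dict:
    """Split two reports into findings seen by both, only by A, and only by B."""
    ka = {finding_key(f) for f in a}
    kb = {finding_key(f) for f in b}
    return {"both": ka & kb, "only_a": ka - kb, "only_b": kb - ka}


def cvss_severity(score: float) -> str:
    """Plain CVSS banding used when no local category rule applies."""
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def triage(f: Finding, pci_scope=PCI_SCOPE) -> tuple:
    """Return (severity, reason). Local judgement is applied first; the
    compliance floor can then raise a finding but never lower one."""
    if f.category in LOCAL_CATEGORY_SEVERITY:
        severity, reason = LOCAL_CATEGORY_SEVERITY[f.category], f"local policy: {f.category}"
    else:
        severity, reason = cvss_severity(f.cvss), f"cvss {f.cvss}"
    if f.host in pci_scope and f.cvss > COMPLIANCE_CVSS_FLOOR and severity != "high":
        severity = "high"
        reason = f"compliance floor: cvss {f.cvss} > {COMPLIANCE_CVSS_FLOOR} in PCI scope"
    return severity, reason


def triage_report(*reports) -> list:
    """Merge all scanners' findings, dedupe by key, and return rows sorted
    highest severity first. A finding seen by only some of the scanners is
    flagged for validation before it is handed to an admin."""
    merged = {}
    for report in reports:
        for f in report:
            merged.setdefault(finding_key(f), []).append(f)
    rank = {"high": 0, "medium": 1, "low": 2}
    rows = []
    for key, group in merged.items():
        worst = max(group, key=lambda f: f.cvss)   # scanners disagree on CVSS: triage on the worst
        severity, reason = triage(worst)
        rows.append({
            "host": key[0], "id": key[1], "severity": severity, "reason": reason,
            "seen_by": sorted({f.scanner for f in group}),
            "needs_validation": len({f.scanner for f in group}) < len(reports),
        })
    rows.sort(key=lambda r: (rank[r["severity"]], r["host"], r["id"]))
    return rows


if __name__ == "__main__":
    diff = compare(NESSUS, OPENVAS)
    print("only nessus:", sorted(diff["only_a"]))
    print("only openvas:", sorted(diff["only_b"]))
    for row in triage_report(NESSUS, OPENVAS):
        print(row)
```

The ordering inside `triage` is the point: the same DoS check with the same CVSS score comes out medium on the non-PCI host and high on the in-scope host, because the mandate is allowed to raise a locally downgraded finding but local judgement is never allowed to quietly override the mandate. Findings that only one scanner reports (here the RCE check and the TCP timestamps check) are the ones to validate by hand first, since that is where false positives and missed checks concentrate.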

 

 

 
