RE: Vulnerability scanners

From: Rosado, Rafael (Rafael) (rarosado@lucent.com)
Date: Thu Mar 27 2003 - 16:55:12 EST


By the way, I meant Qualys, not Qualysis....

Rafael Rosado, CISSP, CISA
IT Security Manager
Caribbean and Latin America Region (CALA) &
Global Risk Assessment and Penetration Testing
Lucent Technologies
Corporate Security
Business Assurance and Risk Mitigation Services (B.A.R.M.S.)
2400 SW 145th Avenue - Room 1S056
Miramar, Florida 33027
+1 954-885-2176 (voice)
+1 954-885-3861 (fax)
+1 954-648-3532 (mobile) or 9546483532@mobile.att.net (text message)
rarosado@lucent.com (email)

This electronic mail message contains information belonging to Lucent
Technologies, which may be confidential and/or legally privileged. The
information is intended only for the use of the individual or entity named
above. If you are not the intended recipient, you are hereby notified that
any disclosure, printing, copying, distribution, or the taking of any action
in reliance on the contents of this electronically mailed information is
strictly prohibited. If you receive this message in error, please
immediately notify us by electronic mail and delete this message.

-----Original Message-----
From: Rosado, Rafael (Rafael)
Sent: Thursday, March 27, 2003 4:46 PM
To: 'dan.lynch@placer.ca.gov'
Cc: 'pen-test@securityfocus.com'
Subject: RE: Vulnerability scanners

Dan,

I will not provide you with an endorsement of any product (commercial or
freeware), but I can tell you that there are less expensive commercial
solutions than Qualysis (not to say that the Qualysis product is not worth
that cost, although it does seem steep... well, then you have Foundscan
which is much more expensive). You probably need to bring several full
evaluation copies in-house and run your own "head-to-head" comparisons.

If you don't have the time or resources to perform such an in-house
evaluation, you could take your chances in relying on 3rd Party
comparisons/evaluations (such as the one done by Information Security
Magazine - http://www.infosecuritymag.com/2003/mar/cover.shtml and
http://www.infosecuritymag.com/2003/mar/comparisonchart.shtml or Network
World Fusion at http://www.nwfusion.com/reviews/2002/vulnerability0204.jsp).

You could always go with the limited budget solution - Nessus and "Almost
Free" Tools (refer to Fred Langston's presentation -
http://www.issa-ps.org/presentations/issaps-0303a.pdf).

Each alternative has implementation, deployment and maintenance costs
associated with it. The accuracy of each, and how often each is
updated with the latest attack signatures, is debatable, although Nessus has
been highly rated by many for accuracy and updated attack signature
availability (it is considered one of the most widely accepted and
recommended security tools available, along with NMAP, which Nessus has
embedded into it).

Most security professionals I have interacted with have mentioned that they
use Nessus to complement the results from whatever commercial vulnerability
scanners they are using.

Good Luck with your evaluation/decision.

Rafael Rosado, CISSP, CISA

-----Original Message-----
From: Rob Shein [mailto:shoten@starpower.net]
Sent: Thursday, March 27, 2003 3:34 PM
To: 'Dan Lynch'; pen-test@securityfocus.com
Subject: RE: Vulnerability scanners

I'd be astounded if it took that much money to administer Nessus. I run
nessus, and it's so little trouble that I don't think I've spent 60 minutes
administering/installing/maintaining it all year so far. Every time I run
it, I do the check for updates (and heck, you can set that as a cron job if
you really want), and aside from that I've had no trouble with it
whatsoever. I cannot believe that Qualys has vulnerability signatures
faster than Nessus, at least by any reasonable amount of time...I've seen
NASL plugins out within hours of the vulnerability being made public.
Easier updates than Nessus? Um..."nessus-update-plugins"...wait about 20-90
seconds...done! What's so hard about that? And I can write my own NASL
plugins for Nessus if I so desire (and I have), which I cannot do with
Qualys.

Finally, a company I worked for tested Qualys once, and they failed to find
some of the more important problems with the NT box we stood up outside of
our firewall. This was years ago, and I'm sure things have improved (or so
I hope) but it was still a powerful thing to see first hand. In the end, we
went with Nessus, and never had a problem after that.

> -----Original Message-----
> From: Dan Lynch [mailto:dan.lynch@placer.ca.gov]
> Sent: Wednesday, March 26, 2003 6:47 PM
> To: pen-test@securityfocus.com
> Subject: Vulnerability scanners
>
>
> Greetings list,
>
> Yesterday some reps from Qualys came with a sales
> presentation for their QualysGuard appliance. I'd like to
> solicit your comments and opinions on that product. In
> particular, do you think it's $45,000 per year better than
> Nessus? (That's about the cost we'd face based on our IP
> address range.) They claim it costs as much in administration
> to run Nessus. Does Qualys' claim to more vulnerability
> signatures and faster/easier updates hold water?
>
> Any input you can offer is greatly appreciated.
>
>
>
> Dan Lynch
> Information Technology Analyst
> County of Placer
> Auburn, CA
>
> 530/889-4222
>
>
> Bureaucracy: the art of making the possible impossible.
>
>




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:31 EDT