RE: Vulnerability scanners

From: Derrick Johnson (derrick_b_johnson@yahoo.com)
Date: Fri Mar 28 2003 - 11:46:26 EST


We used Nessus quite extensively. I've actually been
in the business long enough where I've used ISS,
CyberCop, Nessus, Foundscan, and now Qualys. When I
did IS Consulting, we'd run both ISS and CyberCop, or
either one along with Nessus, because there was a
chance one would find something the other didn't or
one would be able to go into more detail about what
was found and how to fix it.

Qualys definitely has Foundscan beat in terms of
reporting. However Foundscan definitely has Qualys
beat in terms of speed. With Foundscan, you can't
download the report. You have to copy and paste it
into Word in order to alert a system owner to a
vulnerability - if you don't want to provide them
access to the scanner. One thing I like about Qualys
is that you can view individual system reports as the
scan is progressing; you don't have to wait until the
entire scan is done to view one system's problems.
Once a system has completed, you click on its IP and
you have a report of that one system. Comes in handy
for single system reports.

Qualys and Foundscan definitely have Nessus beat in
terms of minimized false positives. So many times
Nessus would report on a vulnerability only for the
system owner to report that the recommended patch had
already been applied, or that files Nessus was finding
were nowhere to be found on the system. You can fix
this in Nessus by altering the signature code, whereas
you have to tell Foundstone and Qualys that a
particular finding is a false positive. What they do
with that info, I have no idea.

Hope this helps

--Derrick

--- Michael Welch <mdwelch@sendsecure.com> wrote:
> About 4 months ago I performed a comparison of Qualys, Foundscan, and
> Vigilante. They all have their good and bad points. The nice thing about
> Qualys was that all you had to do is plug the appliance into your network
> and you were ready to go. My concern was that although your scan data was
> transferred via https it was stored on another company's network. Being a
> security professional I have a hard time allowing my internal network
> scanning results to sit on another's network.
>
> -----Original Message-----
> From: Paris Stone [mailto:paris@ciscoinstructor.net]
> Sent: Thursday, March 27, 2003 5:25 PM
> To: Alex Russell; Jeff Williams @ Aspect; Dan Lynch; pen-test@securityfocus.com
> Subject: Re: Vulnerability scanners
>
>
> The Qualys box is an appliance that is configured once. It connects out
> your firewall using SSL (TCP 443) to hit Qualys's web/scanner server. It
> then retrieves the information (database of exploits, etc...) and runs
> them against your internal network. It then uploads the info to their
> database servers using SSL. Then all of your information is available via
> the web with nice reporting, pretty graphics, etc... It breaks it down
> into reports for techies and reports for non-techies (CxOs) daily,
> weekly, monthly. The economies thing is simply that you have a yearly
> subscription based upon number of hosts scanned. A fixed cost, 24x7x365
> tool that doesn't have HR or benefit issues and doesn't get kids sick and
> have to take days off. It IS easy to set up and administration is easy
> for those who can RTFM.
>
> Alex Russell (alex@netWindows.org) wrote:
> >
> >-----BEGIN PGP SIGNED MESSAGE-----
> >Hash: SHA1
> >
> >On Thursday 27 March 2003 12:58 pm, Jeff Williams @ Aspect wrote:
> >> Let's assume that you're talking about 256 IPs (based on Qualys'
> >> published pricing), and you want to scan weekly. That's at least a day a
> >> week of effort for someone (probably more to generate a very nice report
> >> and summaries). The cost of a full-time sysadmin (including salary,
> >> benefits, office, etc...) probably costs well north of $100K. You'd have
> >> to include some equipment costs in there. So I doubt you could do it
> >> much cheaper. I think vulnerability scanning is a reasonable thing to
> >> outsource for companies that are not in the security or networking field
> >> already.
> >
> >This sounds like a false economy to me.
> >
> >First: how does the Qualys box remove the need for a sysadmin? It's just
> >one more appliance to manage, and something your existing admin should be
> >able to do anyway. And if you already didn't have an admin, you'd need one
> >now that you're thinking in terms of security. No extra cost here (aside
> >from incremental admin time).
> >
> >Secondly: if you've got a trained monkey doing your report generation,
> >then you're right about the costs. If, however, you have a developer
> >automate most of that, then you can add more nodes to be scanned at much
> >lower incremental cost (change a config file). Additionally, using public
> >signature sets may have downsides, but using Open Source tools is good
> >both for your own internal flexibility and for the world at large (checks
> >aren't quite right? set that developer to work writing and contributing
> >back better ones!).
> >
> >All in all, your initial costs to do it in house with smart people and
> >Open Source tools might be higher, but your incremental costs do not grow
> >at nearly the same rate. OTOH, if you don't have any admins or developers,
> >then Qualys might look like a very nice option.
> >
> >HTH
> >
> >- --
> >Alex Russell
> >alex@netWindows.org
> >alex@SecurePipe.com
> >-----BEGIN PGP SIGNATURE-----
> >Version: GnuPG v1.0.7 (GNU/Linux)
> >
> >iD8DBQE+g3J/oV0dQ6uSmkYRAvN6AJ44Qwzu3sSypJkLDRbl1W1ZjrrnswCZASf0
> >m88qoVsnBJR2vt7vXZaYyKc=
> >=kMak
> >-----END PGP SIGNATURE-----
> >
> >
> >top spam and e-mail risk at the gateway.
> >SurfControl E-mail Filter puts the brakes on spam &
> viruses
> >and gives you the reports to prove it. See exactly
> how much
> >junk never even makes it in the door. Free 30-day
> trial:
> >http://www.surfcontrol.com/go/zsfptl1
> >
> >
>
> --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Paris Stone
> CISSP, CCNP, CNE/CNI, MCSE/MCT,
> Master CIW Administrator, CIW Security Analyst, NSA
> A+, Network+, iNet+
> http://www.ciscoinstructor.net/
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> "The rich man is not the one with the most, but the one who needs the least"
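Three points in this thread describe the same post-processing chore: Alex Russell's argument that a developer can automate report generation, Derrick's remark that Qualys lets you pull a report for one system as soon as that host finishes, and his complaint that Nessus keeps reporting holes on hosts where the vendor patch was already applied. The Python below is an added example written for this archive page; it is not code from any poster, nor from Nessus, Qualys or Foundstone. It reads a Nessus NBE export, groups results per host so a single-system report can be handed to that system's owner, and tags banner-based holes as likely false positives when the vendor package revision in the SSH banner is at or above a revision known to carry the backported fix. The NBE lines are constructed; the field order results|subnet|host|port|plugin_id|severity|description is the NBE layout as this editor recalls it; plugin IDs 99901-99903 and the "fixed in 3.7.1" check are placeholders, and the backport table is a constructed assumption standing in for whatever vendor advisories you would actually consult. The same table-driven suppression generalizes to any plugin that reasons from a version banner alone.

```python
import re
from collections import defaultdict

# Constructed NBE export for this example; it is not real scan output.
# Record layout assumed for a result line:
#   results|subnet|host|port|plugin_id|severity|description
# where a newline inside the description is written as a literal "\n".
# Plugin IDs 99901-99903 are placeholders, not Nessus plugin numbers.
SAMPLE_NBE = """\
timestamps|||scan_start|Fri Mar 28 10:00:00 2003|
results|192.168.1|192.168.1.5|ssh (22/tcp)|99901|Security Note|Remote SSH version : SSH-1.99-OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3
results|192.168.1|192.168.1.5|ssh (22/tcp)|99902|Security Hole|Hypothetical check: OpenSSH older than 3.7.1 detected from the banner.\\nSolution : upgrade to 3.7.1 or apply the vendor patch
results|192.168.1|192.168.1.5|http (80/tcp)|99903|Security Warning|Directory listing is enabled on /icons/
results|192.168.1|192.168.1.9|ssh (22/tcp)|99901|Security Note|Remote SSH version : SSH-1.99-OpenSSH_3.1p1
results|192.168.1|192.168.1.9|ssh (22/tcp)|99902|Security Hole|Hypothetical check: OpenSSH older than 3.7.1 detected from the banner.\\nSolution : upgrade to 3.7.1 or apply the vendor patch
timestamps|||scan_end|Fri Mar 28 10:20:00 2003|
"""

# Hypothetical backport table (constructed, not from any vendor advisory):
# for a banner-based plugin, the lowest vendor package revision that
# already carries the fix the plugin is looking for.
BACKPORTED_FIXES = {
    "99902": {"Debian": "1:3.4p1-1.woody.3"},
}

# OpenSSH banner: upstream version, then an optional "<Distro> <pkg-version>" tail.
BANNER_RE = re.compile(r"OpenSSH_(\S+)(?:\s+(\w+)\s+(\S+))?")

SEVERITY_ORDER = {"Security Hole": 0, "Security Warning": 1, "Security Note": 2}


def parse_nbe(text):
    """Group the 'results' records of an NBE export by host address."""
    by_host = defaultdict(list)
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) < 7 or fields[0] != "results":
            continue
        _, _subnet, host, port, plugin_id, severity = fields[:6]
        # A description may itself contain '|', so re-join the tail.
        desc = "|".join(fields[6:]).replace("\\n", "\n")
        by_host[host].append({"port": port, "plugin_id": plugin_id,
                              "severity": severity, "desc": desc})
    return dict(by_host)


def _revision_key(pkg):
    """Make '1:3.4p1-1.woody.3' comparable chunk by chunk, numbers as numbers."""
    return [(0, int(p)) if p.isdigit() else (1, p)
            for p in re.split(r"(\d+)", pkg) if p]


def ssh_banner(findings):
    """Return (upstream_version, distro, package_version) from the version note, if any."""
    for f in findings:
        m = BANNER_RE.search(f["desc"])
        if m:
            return m.groups()
    return None


def mark_false_positives(by_host):
    """Flag banner-based holes whose vendor package revision already has the fix."""
    for findings in by_host.values():
        banner = ssh_banner(findings)
        for f in findings:
            f["likely_fp"] = False
            fixed_in = BACKPORTED_FIXES.get(f["plugin_id"])
            if not (fixed_in and banner):
                continue
            _upstream, distro, pkg = banner
            if (distro in fixed_in and pkg
                    and _revision_key(pkg) >= _revision_key(fixed_in[distro])):
                f["likely_fp"] = True
    return by_host


def host_report(by_host, host):
    """Plain-text report for one host: holes first, likely false positives tagged."""
    findings = sorted(by_host.get(host, []),
                      key=lambda f: SEVERITY_ORDER.get(f["severity"], 9))
    lines = [f"Host {host}: {len(findings)} finding(s)"]
    for f in findings:
        tag = "  [likely false positive: vendor backport]" if f.get("likely_fp") else ""
        lines.append(f"  {f['severity']:<17}{f['port']:<15}plugin {f['plugin_id']}{tag}")
        lines.extend("      " + d for d in f["desc"].splitlines())
    return "\n".join(lines)


def build_reports(text):
    """Per-host reports for a whole NBE export, keyed by host address."""
    by_host = mark_false_positives(parse_nbe(text))
    return {host: host_report(by_host, host) for host in sorted(by_host)}


if __name__ == "__main__":
    for report in build_reports(SAMPLE_NBE).values():
        print(report, end="\n\n")
```

Run it on a real .nbe file by passing its contents to build_reports() and you get one report per host to send to that host's owner. The suppression only fires when a finding is table-driven by a banner; anything the table does not cover is left as the scanner reported it, which is the conservative choice when you cannot verify the backport yourself.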





This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:31 EDT