Tenable Network Security's Nessus Scanner
This document describes the vulnerability scanning service offered by ITS, and how to schedule a scan. This service may be scheduled by a departmental administrator or Local Support Partner (LSP). A more appropriate product for personal computers is Symantec Endpoint Protection (SEP) which can be otained by UVa affiliates at Software Central.
Nessus Vulnerability Scanner
ITS uses the Nessus vulnerability scanner. This is a security product that assesses devices on a network for potential vulnerabilities to malware and unwanted access. It applies a list of checks and tests, gathering appropriate pieces of information and reporting those vulnerabilities.
Nessus provides detailed information about each vulnerability found, including the vulnerable host, a description of the vulnerability, and the steps to take to eliminate the vulnerability. These findings are purely for an administrator’s awareness; ITS does not require that remediations be applied. However, they should be given careful consideration.
The scanner’s vulnerability database is regularly updated. These updates include recently found vulnerabilities for most operating systems.
The ITS Default Scan
ITS will scan devices on the UVa network as a free service. By default, ITS scans machines for most identified vulnerabilities. At the department’s request, a scan for “Denial of Service” vulnerabilities can be performed. There is a possibility that a Denial of Service scan will cause a targetted device to crash, which is why this sort of scan is not part of the default service.
The Nessus Report
You will be emailed the report generated by Nessus. Please mention the format of the report that you wish to receive: PDF, HTML (Web), or CSV (spreadsheet, including Excel). Vulnerabilities listed in the report are assigned a risk level (critial, high, medium, low, info). Remediation information is included, as well as links into Tenable’s website with BugTraq IDs, CVE IDs, etc. A local introduction to the Nessus Report is available.
Request a Scan
Decide on a convenient time for the scanning. You will want to notify your users in case they notice evidence of the scanning software in logs and/or a brief peak in network traffic. You also need to be sure all machines are powered on. Finally, email email@example.com with the IP addresses of the machines to be scanned, the time you’d like the scanning to be done, and any special concerns you may have. Devices which reside on both the open UVa network (128.143.x.x) and on the More Secure Network (MSN) may be scanned.
Note: Hardware Firewall
A firewall in front of your servers will affect the Nessus scanner the same way it affects external attempts from any other network device. You may request that the external address of your server be scanned. The report will demonstrate whether inbound connection attempts are allowed or rejected on the firewall as planned. An internal address (addresses beginning with a 10, for example) cannot be scanned because the firewall is in the way.