Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

Advantages Of Running Both Network & Authenticated Nessus Scans

Implementing Different Scan Types

Often, Nessus and Security Center users ask how often they should run a vulnerability scan, and what kinds of scans should be run. In a previous post we explored some of the different scan types, including network checks, local checks and configuration auditing. I often encourage people to run all three types of scans against their network with different frequency. All three types provide interesting and useful results that should be included in your vulnerability management program. In this post we will explore the differences, and benefits, of running the first two types of scans mentioned: network-based scans and local checks.

Network-Based Scanning

My test system is an older version of Fedora Linux (Fedora Core 5). It is missing several patches and contains a web application, osCommerce, with several vulnerabilities. I scanned the system using a standard Nessus network-based scan and got results that one would expect from a scan with this configuration. For example, Nessus reported the current HTTP server version and type:

Picture 79.png

Nessus did not find any vulnerabilities or missing patches associated with this instance of Apache. The banner that was retrieved indicated that it is Apache version "2.2.0" running on Fedora. This version is reported to contain several vulnerabilities:

http://httpd.apache.org/security/vulnerabilities_22.html

The obvious question is, "if Nessus found that the banner contains a vulnerable version of Apache, why didn't it show up in the report?" The answer has to do with "backporting". Backporting is when a Linux distribution applies patches to a particular software package, but does not update the banner that is displayed by the service over the network (i.e. patching an older version rather than upgrading to a newer version without the vulnerabilities). Therefore, even if the banner in this case reports a vulnerable version of Apache, there is no way to be certain because it's part of a distribution (Fedora), which may have backported the patches. In order to reduce false positives, Nessus now includes "backport.inc", which documents the various banners from several different Linux distributions and identifies the backported version and the real version. The "backported version" is the version of the software that was patched by the Linux distribution, and the real version is the latest version of the product. For example, the entry for Fedora Core 5's instance of Apache is:

# Fedora FC5

backported_versions[i++] = "Apache/2.2.0 (Fedora)";

real_versions[j++] = "Apache/2.2.99 (Fedora)";

This information tells Nessus that while Fedora will report Apache 2.2.0, they've been backporting fixes since then. Nessus sets the real version to Apache version 2.2.99, which does not exist, but ensures that the Fedora Apache will always be flagged as a backport. There are new plugins that will report when this condition has occurred, according to the service. For example, the host we scanned in this example also has an alert on port 80 that reads:

BackportsPlugin.png

Nevertheless, how can we tell if those patches have really been applied? We'll get to that in the local checks section, but first let’s look at one advantage that network checking has over local checking. In the following alert Nessus discovered that osCommerce was installed and contained an unprotected Admin directory:

Picture 80.png

This is an advantage because in order to test a service and application, sometimes you need to see it running. In this case, Nessus was able to find evidence that osCommerce was configured incorrectly and exposing a vulnerability to the network.

Local Checking

To get a complete and accurate picture of the vulnerabilities that exist on a particular host, a local check for current patches can be performed. This testing requires that you have credentials on the hosts that you are testing. When run against our test host, Nessus finds that there are several missing patches, including updates for the "httpd" package, which is Apache:

Picture 77.png

Suppose we want to see all of the patches that are missing from this particular host. We can use the filtering and reporting features in the Nessus client to produce a report that lists each patch that is missing:

LocalChecksReport.png

The report above uses a template that was documented in the post titled "Creating Custom Reports with Nessus 4". This report is formatted nicely for network administrators as they can use it as a guide to apply patches. For example, if the systems administrator sees the report above, they should issue commands to apply the patches. However, the Fedora release running on this system is no longer supported, so it is recommended that the system be rebuilt with Centos 5. Once the system has been rebuilt, you can ensure all the latest operating system updates are applied by issuing the "yum update" command. If there are packages to be updated, they will be listed:

# yum update Loading "fastestmirror" plugin
Loading "priorities" plugin
Loading mirror speeds from cached hostfile
* rpmforge: ftp-stud.fht-esslingen.de
* base: mirror.trouble-free.net
* updates: ftp.linux.ncsu.edu
* addons: mirror.unl.edu
* extras: mirror.skiplink.com
374 packages excluded due to repository priority protections
Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package NetworkManager-gnome.i386 1:0.7.0-4.el5_3 set to be updated
---> Package stunnel.i386 0:4.15-2.el5.1 set to be updated
---> Package mesa-libGL.i386 0:6.5.1-7.7.el5 set to be updated
---> Package planner.i386 0:0.14.1-4.el5 set to be updated
---> Package cdrecord.i386 9:2.01-10.7.el5 set to be updated
---> Package hwdata.noarch 0:0.213.11-1.el5 set to be updated
[SNIP]

If you see the message "No Packages marked for Update", this means your system is up-to-date. An up-to-date system scanned with local checks may not contain results. You can disable "Silent Dependencies" and make sure that Nessus was able to login in and check for patches:

ChecksPassed.png

Conclusion

In the examples above, we can see the value in running both network-based and local authenticated Nessus scans that check for the presence of patches. In the network example, we see how Nessus is able to avoid false positives and report on distributions performing backporting of security patches. In addition, Nessus has several plugins that identify vulnerabilities in applications and services across the network. Local checking allows Nessus to perform a full patch audit, and when coupled with the reporting features can provide a report that can be shared with systems administrators and used to help keep tabs on which systems are missing patches.

Resources

Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Try Tenable Web App Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training