Educause Security Discussion: Re: Vulnerability Scanner Recommendations

[John Ladwig <John.Ladwig () SO MNSCU EDU>]

We're a whopping big system (fifty-mumble campuses, a couple of data centers, statewide network), so we have scaling 
issues (dozens of responsible network/server admins, hundreds of networks, tens of thousands of devices, and over half 
a hundred scanning devices) that you may or may not have to deal with in your environment.

We use nCircle IP360 for regular internal and monthly "external"ish (outside our common address ranges) vulnerability 
scans.  Their delegation and permissions model scales quite well to our needs for scan scheduling, asset grouping, and 
reporting.

We also use Qualysguard for PCI DSS-mandated quarterly ASV scanning and reporting.  It also seems to have the 
properties to scale well, though we have a lot fewer users and networks enrolled in the product.

nCircle is a well put together solution.  Their scanning devices are pretty simple flash-based 1 rack unit devices, 
which call home to an on-our-premises mothership for updates and marching orders, as well as delivering scan data.  The 
scanners have multiple ethernets, and each can be configured as 802.1q trunks, which we find pretty handy for a lot of 
our environments, eg negating the need for explicit permit ACLs on internal control points and so on.

nCircle has a proprietary vulnerability-scoring model that doesn't map especially well to compliance mandates such as 
"remediate quickly all vulnerabilities with a CVSS base score above 4.0"  However, if the scoring model (and it's 
recently become a little more tunable than it was in the past) suits you, it does allow for some pretty impressive 
slice-and-dice patch-prioritization and reporting methodologies; scores can range from 0 up through several hundred 
thousand, if that suits your goals and organizational structure and incentives/penalties. It's not a cheap product, 
though.

Qualysguard, for us, seems a bit better fit for compliance regimes like PCI DSS, exposing the CVSS base scores in a 
more usable way.  They also rate vulns on a 1-5 scale, which for a lot of orgs is more than enough to differentiate 
between sets of machines and different levels of prioritization.  The process of moving a quarterly scan report to 
their PCI DSS compliance portal and thence to a compliance reporting point for an acquiring bank seems a bit fiddly for 
most of our campus users.  For the small number of externally-visible in-scope IPs we have, the Qualysguard pricing is 
reasonable.

Both of the above products give very nice reporting and vulnerability/host/host-os/network history graphing, which can 
be pretty handy.


In addition, we have a number of seats in Veracode for our enterprise web-app developers.  They (and our AppSec 
coordinator/cheerleader) seem to like it for both static analysis and dynamic over-the-wire webapp vuln scanning.  
We've recently gotten another pen-testish webapp scanner, but I can't recall the product name at the moment, and we 
haven't done more than begun to kick the tires as yet.

Nessus and suchlike are fine tools for pen-test and very small environments, but trying to manage a historical view of 
a host or set of hosts by collating standalone report documents is something that I've only seen done very manually and 
painfully.  I can only imagine that Tenable must have put together some sort of overall console/management system to 
handle this sort of thing, but I've never had a chance to interact with it.

So, like so many times, "a recommendation depends on what resources you have, and what your goals are."

    -jml



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Greg 
Schmalhofer
Sent: Thursday, November 15, 2012 10:22 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Vulnerability Scanner Recommendations

Educause security group,

Can anyone recommend a particular vulnerability scanner software, product, appliance, or service that you are using at 
your campus? This is a need at our campus and I am trying to review the different options available for a small campus. 
Thanks for any help, insight, or feedback you can provide.

Thanks,
Greg Schmalhofer

Millersville University
Information Security Coordinator
Millersville, PA