Educause Security Discussion
mailing list archives
Re: Vulnerability Scanner Recommendations
From: John Ladwig <John.Ladwig () SO MNSCU EDU>
Date: Fri, 16 Nov 2012 23:38:06 +0000
We're a whopping big system (fifty-mumble campuses, a couple of data centers, statewide network), so we have scaling
issues (dozens of responsible network/server admins, hundreds of networks, tens of thousands of devices, and over half
a hundred scanning devices) that you may or may not have to deal with in your environment.
We use nCircle IP360 for regular internal and monthly "external"ish (outside our common address ranges) vulnerability
scans. Their delegation and permissions model scales quite well to our needs for scan scheduling, asset grouping, and
We also use Qualysguard for PCI DSS-mandated quarterly ASV scanning and reporting. It also seems to have the
properties to scale well, though we have a lot fewer users and networks enrolled in the product.
nCircle is a well put together solution. Their scanning devices are pretty simple flash-based 1 rack unit devices,
which call home to an on-our-premises mothership for updates and marching orders, as well as delivering scan data. The
scanners have multiple ethernets, and each can be configured as 802.1q trunks, which we find pretty handy for a lot of
our environments, e.g. negating the need for explicit permit ACLs on internal control points and so on.
nCircle has a proprietary vulnerability-scoring model that doesn't map especially well to compliance mandates such as
"remediate quickly all vulnerabilities with a CVSS base score above 4.0". However, if the scoring model (and it's
recently become a little more tunable than it was in the past) suits you, it does allow for some pretty impressive
slice-and-dice patch-prioritization and reporting methodologies; scores can range from 0 up through several hundred
thousand, if that suits your goals and organizational structure and incentives/penalties. It's not a cheap product,
Qualysguard, for us, seems a bit better fit for compliance regimes like PCI DSS, exposing the CVSS base scores in a
more usable way. They also rate vulns on a 1-5 scale, which for a lot of orgs is more than enough to differentiate
between sets of machines and different levels of prioritization. The process of moving a quarterly scan report to
their PCI DSS compliance portal and thence to a compliance reporting point for an acquiring bank seems a bit fiddly for
most of our campus users. For the small number of externally-visible in-scope IPs we have, the Qualysguard pricing is
Both of the above products give very nice reporting and vulnerability/host/host-os/network history graphing, which can
be pretty handy.
In addition, we have a number of seats in Veracode for our enterprise web-app developers. They (and our AppSec
coordinator/cheerleader) seem to like it for both static analysis and dynamic over-the-wire webapp vuln scanning.
We've recently gotten another pen-testish webapp scanner, but I can't recall the product name at the moment, and we
haven't done more than begun to kick the tires as yet.
Nessus and suchlike are fine tools for pen-test and very small environments, but trying to manage a historical view of
a host or set of hosts by collating standalone report documents is something that I've only seen done very manually and
painfully. I can only imagine that Tenable must have put together some sort of overall console/management system to
handle this sort of thing, but I've never had a chance to interact with it.
So, like so many times, "a recommendation depends on what resources you have, and what your goals are."
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Greg
Sent: Thursday, November 15, 2012 10:22 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Vulnerability Scanner Recommendations
Educause security group,
Can anyone recommend a particular vulnerability scanner software, product, appliance, or service that you are using at
your campus? This is a need at our campus and I am trying to review the different options available for a small campus.
Thanks for any help, insight, or feedback you can provide.
Information Security Coordinator
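John's reply above raises two practical points: a standalone scanner like Nessus gives you one report document per run, so building a per-host history means collating those documents by hand, and compliance language tends to be phrased as a CVSS base-score cutoff (e.g. "above 4.0") rather than in a vendor's own scoring model. The following is an added example, not code from either poster or from any of the products named in the thread. It parses two constructed scan exports laid out like the `.nessus` (NessusClientData_v2) XML format, collates the findings into a first-seen/last-seen history per host and per finding, and then answers the two questions a coordinator actually asks: what is still open above the CVSS threshold, and what got fixed since the last run. Host addresses, plugin IDs, plugin names and scores in the sample data are all constructed.

```python
"""Collate per-host vulnerability history across standalone scan exports.

Added illustration; the two reports below are constructed sample data in the
shape of a .nessus (NessusClientData_v2) export, not real scan output.
"""
from collections import defaultdict
import xml.etree.ElementTree as ET

# Constructed October scan: host .5 has two findings, host .9 has one.
SCAN_2012_10 = """<NessusClientData_v2><Report name="oct">
<ReportHost name="10.20.1.5">
 <ReportItem port="445" protocol="tcp" severity="3" pluginID="1001" pluginName="SMB signing not required (constructed)">
  <cvss_base_score>5.0</cvss_base_score></ReportItem>
 <ReportItem port="22" protocol="tcp" severity="2" pluginID="1002" pluginName="SSH weak MAC algorithms (constructed)">
  <cvss_base_score>2.6</cvss_base_score></ReportItem>
</ReportHost>
<ReportHost name="10.20.1.9">
 <ReportItem port="443" protocol="tcp" severity="4" pluginID="1003" pluginName="TLS server issue (constructed)">
  <cvss_base_score>7.5</cvss_base_score></ReportItem>
</ReportHost>
</Report></NessusClientData_v2>"""

# Constructed November scan: host .5 fixed 1001, still has 1002, gained 1004;
# host .9 still has 1003.
SCAN_2012_11 = """<NessusClientData_v2><Report name="nov">
<ReportHost name="10.20.1.5">
 <ReportItem port="22" protocol="tcp" severity="2" pluginID="1002" pluginName="SSH weak MAC algorithms (constructed)">
  <cvss_base_score>2.6</cvss_base_score></ReportItem>
 <ReportItem port="80" protocol="tcp" severity="4" pluginID="1004" pluginName="Outdated web server (constructed)">
  <cvss_base_score>9.3</cvss_base_score></ReportItem>
</ReportHost>
<ReportHost name="10.20.1.9">
 <ReportItem port="443" protocol="tcp" severity="4" pluginID="1003" pluginName="TLS server issue (constructed)">
  <cvss_base_score>7.5</cvss_base_score></ReportItem>
</ReportHost>
</Report></NessusClientData_v2>"""


def parse_report(xml_text):
    """Return {host: {(pluginID, port, protocol): {"cvss": float, "name": str}}}
    for one scan export. A finding is keyed by plugin *and* port so the same
    plugin firing on two services is tracked as two findings."""
    root = ET.fromstring(xml_text)
    findings = defaultdict(dict)
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            key = (item.get("pluginID"), item.get("port"), item.get("protocol"))
            score_el = item.find("cvss_base_score")
            cvss = float(score_el.text) if score_el is not None and score_el.text else 0.0
            findings[host.get("name")][key] = {"cvss": cvss, "name": item.get("pluginName")}
    return findings


def build_history(reports):
    """reports: list of (scan_label, parsed_findings) in chronological order.
    Returns {host: {finding_key: {"first_seen", "seen": [labels...], "cvss", "name"}}}."""
    history = defaultdict(dict)
    for label, findings in reports:
        for host, items in findings.items():
            for key, meta in items.items():
                rec = history[host].setdefault(key, {"first_seen": label, "seen": [], **meta})
                rec["seen"].append(label)
    return history


def still_open(history, latest_label, min_cvss=0.0):
    """Findings present in the latest scan with CVSS base score above min_cvss.
    Each row: (host, pluginID, cvss, number_of_scans_it_has_persisted)."""
    out = []
    for host, items in history.items():
        for key, rec in items.items():
            if rec["seen"][-1] == latest_label and rec["cvss"] > min_cvss:
                out.append((host, key[0], rec["cvss"], len(rec["seen"])))
    return sorted(out)


def fixed_since(history, prev_label, latest_label):
    """Findings seen in the previous scan but absent from the latest one."""
    out = []
    for host, items in history.items():
        for key, rec in items.items():
            if prev_label in rec["seen"] and latest_label not in rec["seen"]:
                out.append((host, key[0]))
    return sorted(out)


if __name__ == "__main__":
    hist = build_history([("2012-10", parse_report(SCAN_2012_10)),
                          ("2012-11", parse_report(SCAN_2012_11))])
    print("Open above CVSS 4.0 as of 2012-11 (host, plugin, cvss, scans persisted):")
    for row in still_open(hist, "2012-11", min_cvss=4.0):
        print("  ", row)
    print("Fixed between 2012-10 and 2012-11:", fixed_since(hist, "2012-10", "2012-11"))
```

Feeding real exports in would mean reading each `.nessus` file from disk in date order and passing the scan date as the label; the "scans persisted" count is what turns a pile of per-run documents into the "how long has this host carried this hole" view the reply says is otherwise done by hand.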