OPINION: Lock in the Nessus monster
- 24 April, 2002 10:52
In this instalment of Linux in the Channel, we combine two of the hottest reseller discussion topics of the moment: software as a service, and network security. We look at a tool that lets you deliver both, broadening and improving the range of services you offer, improving the security of your customers' network infrastructure and business systems, and, as a bonus, helping the global Internet in the process. The tool that achieves all this is called Nessus.
Nessus (www.nessus.org) is a network security scanner. In the Nessus project's own terms, a network security scanner is software that audits a remote server, or a network of servers, and determines whether bad guys (that is "crackers", as opposed to hackers) would be able to break into it or misuse it in some way. The Nessus project has given the Internet community a very powerful, modular, totally free and easy-to-use scanner of exactly this kind.
The business plan reads as follows. A network security scanner is a sophisticated piece of software that most customers need use only sporadically. Rather than try and generate revenue by selling installation or support services surrounding this software, the channel can make money by selling security scanning services to existing customers, and hopefully entice some new customers into the fray as well.
Prior to establishing the business of selling said services to our customers, we should, as good channel businesspeople and consultants, first examine the various technology options available. There are numerous products in this market from a number of vendors: Axent Technologies offers NetRecon 3.0+ (from $US1,995), there's eEye Digital Security Retina (from $US1,145), ISS has its Internet Security Systems Internet Scanner (from $US2,795), and finally Network Associates has CyberCop Scanner ($US2,252 plus $32 per node.) All are interesting products, worthy of our consideration. Here's the crux of the analysis, however: no matter how good these tools are, all pale by comparison to Nessus. In all the security expert reports I have read in the past 18 months, Nessus is considered the best-of-breed security vulnerability scanning product, by a long margin. That it is open source, has long-term viability and is totally free of any licensing or use costs are mere bonuses, and great for reducing our cost of establishing this business service.
If Nessus is to be the core tool of our security vulnerability scanning service, we need to install it and become familiar with the technology. Nessus uses a client-server architecture. The heavy lifting is done by the Nessus server (nessusd), while the user interface is provided by the Nessus client, which can be installed on a separate workstation. The simplest way to deploy the server is on a current-generation Linux distribution (SuSE 7.3, Red Hat 7.2 or Mandrake 8.2, for example). Nessus comes with Linux/Unix, Windows and Java clients. Take your pick.
Nessus has a number of innovative attributes. Unlike many other security scanners, it presumes nothing about the network or host about to be scanned, including whether a given service or daemon is listening on its default port: it first works out which service is actually answering on each open port. Nor does it rely on the version numbers and other identifier banners that services report, which are commonly used to fingerprint vulnerable software and are easily changed or faked; wherever possible, a Nessus test actually exercises the suspected weakness. Whatever port a service is on, and however it tries to hide, Nessus will find it and run every check it has for it, and at the time of writing it has close to a thousand such checks. The caveat is the flip side of that strength: because many of the tests really do attempt the attack, a fragile service may fall over under a scan, which is one more reason to scan only hosts you have been authorised to test.
The features list of Nessus is quite long. Nessus has a plug-in architecture, in which each security test is an external plug-in. This allows for easy extension or customisation with your own scripts. Nessus comes with the Nessus Attack Scripting Language (NASL), a language designed specifically for writing security test scripts; plug-ins can also be written in C. Nessus carries up-to-date vulnerability information for all the popular OS platforms. Thanks to the client-server architecture, you can install the scanning engine on a server and audit any number of hosts from your workstation. Nessus can also scan multiple hosts at once, so given a beefy server it can scan dozens of systems simultaneously. Finally, Nessus generates reports in plain text, LaTeX (and from there PDF) and HTML with pretty graphs.
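The following plug-in is an added example written for this column, not code from the Nessus project or from the original article; it is written in the style of the NASL 1.x plug-in format, and the script ID, name, family and copyright are placeholders, while the check it performs (whether a web server honours the HTTP TRACE method) stands in for any active test. It illustrates the two points made above: the port to test comes from the knowledge base that the find_service plug-in fills in, not from an assumed port 80, and the verdict rests on what the server does when probed, not on what its Server banner says.

```nasl
#
# Added illustrative plug-in (not from the Nessus project and not from the
# original column). Script ID, name, family and copyright are placeholders.
# It shows two things: take the port from the knowledge base that
# find_service fills, instead of assuming 80, and decide by probing the
# server rather than by reading its version banner.
#
if(description)
{
  script_id(99999);                    # placeholder: real IDs are assigned by the project
  script_version("$Revision: 1.0 $");
  name["english"] = "HTTP TRACE method enabled (example plug-in)";
  script_name(english:name["english"]);

  desc["english"] = "
The web server on this port answers the HTTP TRACE method and echoes the
request back to the client. TRACE is rarely needed in production and can be
abused to read request headers (including cookies) that a browser would not
otherwise expose to script.

Solution : disable the TRACE method in the web server configuration.
Risk factor : Low";
  script_description(english:desc["english"]);

  script_summary(english:"Checks whether HTTP TRACE is honoured");
  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");
  script_copyright(english:"Example plug-in, no rights reserved");

  # Run after the service fingerprinting plug-in so that web servers on
  # non-standard ports have already been recorded under Services/www.
  script_dependencies("find_service.nes");
  script_require_ports("Services/www", 80);
  exit(0);
}

# Prefer the port find_service discovered; fall back to 80 only if the
# knowledge base has nothing for this host.
port = get_kb_item("Services/www");
if(!port) port = 80;
if(!get_port_state(port)) exit(0);

soc = open_sock_tcp(port);
if(!soc) exit(0);

# A marker header that a genuine TRACE echo must reproduce in the body.
marker = "X-Nessus-Example: trace-check";
req = string("TRACE / HTTP/1.0\r\n", marker, "\r\n\r\n");
send(socket:soc, data:req);
res = recv(socket:soc, length:4096);
close(soc);

if(!res) exit(0);

# The Server banner is deliberately ignored: the only evidence accepted is a
# 200 status line together with our own header coming back in the body.
if(egrep(pattern:"^HTTP/1\.[01] 200 ", string:res) && (marker >< res))
{
  security_warning(port:port);
}
```

Dropped into the nessusd plugins directory and given a unique script ID, a plug-in like this is picked up on the next restart of the server and appears in the client's plug-in list under the family named in the description block. The same shape (description block, knowledge-base lookup, probe, verdict) is what every NASL test follows, so it doubles as a template for the customer-specific checks a scanning service will sooner or later need.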
The business process of running a security vulnerability scan would operate along these lines. First, you market your service. When customers come knocking, you ask them, at a minimum, to sign a disclaimer/nondisclosure document that gives you authority to run the vulnerability scan against the specified servers at their request and certifies that they are indeed the legitimate operators of the servers to be scanned. It would be wise to consult your legal people, and to review the System Administrators Guild of Australia ethics document (www.sage-au.org.au/ethics). The scan report can then be used to recommend a course of action for patching holes and applying vendor or distribution updates, helping your customer secure their hosts and generating further service revenue for your business.
Before any of this, pricing needs to be established. This is entirely at your discretion, and involves analysing your customer base, your "time and effort" costs and current market conditions. Given how little work is needed to get Nessus scanning a host, there should be plenty of scope for decent margins on this service, so be competitive.
As we have seen, Nessus can form the basis of a valuable service to your customers as well as a lucrative business unit for your company or consultancy. It has one further, implicit but very important, function: the more secured hosts there are on the Internet, the fewer platforms crackers have to launch attacks from, which raises the overall security of the Internet and reduces fraud and spam. This is good for the health of the Internet, and good for your business.
As always, please consider the following if you decide to implement a security scanning service with a tool like Nessus: while you aren't required to pay for this excellent technology, it is in your enlightened best interests to contribute to the project in any way you can. Money, software or hardware can be donated to the Nessus project and, if nothing else, helping them test new releases and giving feedback and encouragement are the least you can do. Oh, and if you do decide to run with this service, please mention that you use Nessus somewhere in your marketing literature. This is nothing but good manners and good karma, and good karma has been shown to be the basis of much excellent business in the channel.
Con Zymaris (email@example.com) is the CEO of Cybersource, an IT and internet professional services company.