PaulDotCom mailing list archives
Nessus vs McAfee Vulnerability Management
From: lonervamp at gmail.com (Michael Dickey)
Date: Thu, 11 Mar 2010 08:56:35 -0600
Sometimes when playing poker, you get dealt good hands and sometimes bad hands. Sometimes you're better off just folding and pressing your luck on what you get next. I've been using McAfee Foundstone (the old name for Vulnerability Manager when McAfee marketing got stupid and started naming things based on their general use rather than any branding) for over a year now, and I can wholeheartedly say I would rather fold my cards and take my chances being dealt any other vuln manager out there.

To back up a bit, Foundstone is a vulnerability scanner, not a manager. It does credentialed scans and does do quite a range of target devices. In fact, if you look at the FASL audit files they have, they're curiously similar to Nessus... I'll stop there... At any rate, I've never been too critical of what they will find or not find. My environment is not varied enough to really push its boundaries.

Foundstone landed in my lap because we do use other McAfee products and they gave us the device for free about 2 years ago. There is a "ticket" system in the tool so, yes, they can call it a manager, but it sucks that so many tools want to give you their own internal afterthoughts of a ticket system. For those of us in SMBs, we can't manage more than 2 ticket systems. So for me, Foundstone has no remediation capabilities other than parsing the reports out yourself. Likewise, if you "accept" a vulnerability during one audit period, you'll have to accept it again next period, but at least the reports *do* let you know what is new from the last audit.

You can make and schedule your own scans, but what I'd suggest is just having 4 scans. Everything. Critical/PCI-type systems. A test system to use as a baseline. And a scan you can edit (i.e. change the target as needed) for ad-hoc scans.

The reporting sucks, plain and simple. You basically scan your targets and Foundstone spits out the results and gives you a score. You can't "pass" on this score if you use Windows boxes (take a moment and let that sink in), because you'll be dinged on unpatched issues, whether they're realistic or not. So there is no automated reporting to hand to mgmt to say, "We pass." Well, unless you just don't check for those specific vulns, but that sort of defeats the integrity of the scanning. I'm not aware that you can put in custom configuration standards and check your server builds, but I guess you could massage those details out of the reports on your own. The reports do include lots of informational things like, "port 80 is open."

The appliance is a rebadged Dell server running Windows. Don't expect anything cute there.

You'll need to feed the scanner any new devices you have and manually remove dead devices. This may be universal for all scanners, but McAfee has no real magic to fix that manual task. There is a "discovery" scan mode, but I've never seen it actually populate the device; it just gives you a scan and you then have to populate your new devices into the scan(s) you want them in. Yes, one scan at a time if you have multiple.

Some people may make a case about plugging it into ePO (McAfee's centralized master for all their products) so it can make better IPS decisions. That sounds great, but managing ePO is a job in itself, and the more you plug into it, the more that is true. And you'll hate yourself for being stuck with it.

Nice things? They do keep it updated regularly, and they do have a nice knowledgebase/forums online for questions.

In the end, if I had a choice to be dealt a new vuln scanner/manager, I would take that up. There is really nothing compelling to me to make me live with McAfee other than inheriting it. Maybe the others have the same limitations, but that's the risk I'd accept. For yourself, I'd try hard to get a side-by-side comparison between McAfee and Nessus. Live with both for a week and see how the reports make you feel, how you can work with them, and so on.
How does it go with Reading Rainbow? ...don't take my word for it! :)

On Wed, Mar 10, 2010 at 1:57 PM, subzer0girl <subzer0girl at gmail.com> wrote:
> I need a little help convincing the purchasing people that I need Nessus. They are suggesting McAfee Vulnerability Management is a viable alternative. I want to stick with Nessus since that is what I have experience with. I've googled for a comparison of the two products but haven't found anything of value. Does anyone have experience with how the two products compare? Any help would be appreciated.
> Sandy
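Two of the complaints above (no remediation tracking beyond parsing the reports yourself, and having to re-accept the same vulnerability every audit period) are the kind of gap a small team usually closes with a script. The following is an added example, not code from the post or from either vendor: it diffs two Nessus v2 exports (the .nessus XML layout Nessus writes, with NessusClientData_v2 / Report / ReportHost / ReportItem elements) and applies an accepted-risk list, with expiry dates, that is kept outside the scanner so an acceptance carries into the next period. The two exports, the host addresses, the plugin IDs 100001 through 100005, and the accepted-risk entry are constructed sample data, not real scan output.

```python
"""Diff two Nessus v2 exports and carry accepted risks across audit periods.

Added example, not from the mailing-list post or either vendor.  The schema is
the real .nessus v2 layout (NessusClientData_v2/Report/ReportHost/ReportItem);
everything inside the two sample exports below is constructed.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample: last period's export.  Plugin IDs 10000x are placeholders.
PREVIOUS_SCAN = """<NessusClientData_v2>
 <Report name="monthly-february">
  <ReportHost name="10.0.0.5">
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4" pluginID="100001" pluginName="Sample SMB weakness" pluginFamily="Windows"/>
   <ReportItem port="80" svc_name="www" protocol="tcp" severity="0" pluginID="100002" pluginName="Sample: port 80 is open" pluginFamily="Service detection"/>
   <ReportItem port="3389" svc_name="msrdp" protocol="tcp" severity="2" pluginID="100003" pluginName="Sample RDP weakness" pluginFamily="Windows"/>
  </ReportHost>
  <ReportHost name="10.0.0.9">
   <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="3" pluginID="100004" pluginName="Sample SSH weakness" pluginFamily="Misc."/>
  </ReportHost>
 </Report>
</NessusClientData_v2>"""

# Constructed sample: this period's export.  10.0.0.9 was decommissioned and
# dropped from the target list; 100003 was patched; 100005 is new.
CURRENT_SCAN = """<NessusClientData_v2>
 <Report name="monthly-march">
  <ReportHost name="10.0.0.5">
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4" pluginID="100001" pluginName="Sample SMB weakness" pluginFamily="Windows"/>
   <ReportItem port="80" svc_name="www" protocol="tcp" severity="0" pluginID="100002" pluginName="Sample: port 80 is open" pluginFamily="Service detection"/>
   <ReportItem port="443" svc_name="www" protocol="tcp" severity="3" pluginID="100005" pluginName="Sample TLS weakness" pluginFamily="Web Servers"/>
  </ReportHost>
 </Report>
</NessusClientData_v2>"""

# Accepted risks are kept outside the scanner, keyed by (host, pluginID, port,
# protocol), so an acceptance carries into the next period until it expires.
ACCEPTED_RISKS = {
    ("10.0.0.5", "100001", "445", "tcp"): {
        "reason": "legacy app needs it; compensating control: host firewall",
        "expires": "2010-06",   # YYYY-MM, compared as a string against the period
    },
}


@dataclass(frozen=True)
class Finding:
    host: str
    plugin_id: str
    port: str
    protocol: str
    severity: int   # Nessus severity: 0 info, 1 low, 2 medium, 3 high, 4 critical
    name: str

    @property
    def key(self):
        # The same finding next period: same host, plugin and socket.
        return (self.host, self.plugin_id, self.port, self.protocol)


def parse_nessus(xml_text):
    """Parse a .nessus export into {key: Finding}."""
    findings = {}
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.findall("ReportItem"):
            f = Finding(host.get("name"), item.get("pluginID"), item.get("port"),
                        item.get("protocol"), int(item.get("severity", "0")),
                        item.get("pluginName", ""))
            findings[f.key] = f
    return findings


def diff_scans(previous, current, accepted, period, min_severity=1):
    """Classify this period's findings; period is "YYYY-MM" of the current scan."""
    prev = {k for k, f in previous.items() if f.severity >= min_severity}
    cur = {k for k, f in current.items() if f.severity >= min_severity}
    scanned_hosts = {f.host for f in current.values()}
    active_accept = {k for k, a in accepted.items() if a["expires"] >= period}
    # A host that vanished from the scan was not fixed, it was not scanned:
    # report it separately instead of letting it inflate the "fixed" count.
    unscanned = {k for k in prev if k[0] not in scanned_hosts}
    return {
        "new": sorted(cur - prev - active_accept),
        "persisting": sorted((cur & prev) - active_accept),
        "accepted": sorted(cur & active_accept),
        "fixed": sorted(prev - cur - unscanned),
        "unscanned": sorted(unscanned),
    }


def run_example(period="2010-03"):
    """Diff the two sample exports; returns {category: [pluginID, ...]}."""
    result = diff_scans(parse_nessus(PREVIOUS_SCAN), parse_nessus(CURRENT_SCAN),
                        ACCEPTED_RISKS, period)
    return {cat: [k[1] for k in keys] for cat, keys in result.items()}


if __name__ == "__main__":
    for cat, ids in run_example().items():
        print(f"{cat:>10}: {ids}")
```

Severity-0 items such as "port 80 is open" are dropped before the comparison so they do not drown the report, and findings on a host that is missing from the current scan are listed as unscanned rather than fixed, which is the trap when dead devices are removed by hand. Running it again with a later period label (for example "2010-07") shows the acceptance expiring and the SMB finding moving back into the persisting list.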
Current thread:
- Nessus vs McAfee Vulnerability Management subzer0girl (Mar 10)
- Nessus vs McAfee Vulnerability Management John Strand (Mar 10)
- Nessus vs McAfee Vulnerability Management Albert R. Campa (Mar 10)
- Nessus vs McAfee Vulnerability Management Chris Merkel (Mar 10)
- Nessus vs McAfee Vulnerability Management Ng Choon Kiat (Mar 10)
- Nessus vs McAfee Vulnerability Management John Strand (Mar 11)
- Nessus vs McAfee Vulnerability Management Ron Gula (Mar 11)
- Nessus vs McAfee Vulnerability Management Michael Dickey (Mar 11)
- Nessus vs McAfee Vulnerability Management John Strand (Mar 10)