By the way, I meant Qualys, not Qualysis....

Rafael Rosado, CISSP, CISA
IT Security Manager
Caribbean and Latin America Region (CALA) & Global Risk Assessment and Penetration Testing
Lucent Technologies
Corporate Security
Business Assurance and Risk Mitigation Services (B.A.R.M.S.)
2400 SW 145th Avenue - Room 1S056
Miramar, Florida 33027
+1 954-885-2176 (voice) * +1 954-885-3861 (fax) * +1 954-648-3532 (mobile) or 9546483532at_private (text message) * rarosadoat_private (email) *

This electronic mail message contains information belonging to Lucent Technologies, which may be confidential and/or legally privileged. The information is intended only for the use of the individual or entity named above. If you are not the intended recipient, you are hereby notified that any disclosure, printing, copying, distribution, or the taking of any action in reliance on the contents of this electronically mailed information is strictly prohibited. If you receive this message in error, please immediately notify us by electronic mail and delete this message.

-----Original Message-----
From: Rosado, Rafael (Rafael)
Sent: Thursday, March 27, 2003 4:46 PM
To: 'dan.lynchat_private'
Cc: 'pen-testat_private'
Subject: RE: Vulnerability scanners

Dan,

I will not provide you with an endorsement of any product (commercial or freeware), but I can tell you that there are less expensive commercial solutions than Qualysis (not to say that the Qualysis product is not worth that cost, although it does seem steep... well, then you have Foundscan which is much more expensive). You probably need to bring several full evaluation copies in-house and run your own "head-to-head" comparisons.

If you don't have the time or resources to perform such an in-house evaluation, you could take your chances in relying on 3rd Party comparisons/evaluations (such as the one done by Information Security Magazine - http://www.infosecuritymag.com/2003/mar/cover.shtml and http://www.infosecuritymag.com/2003/mar/comparisonchart.shtml or Network World Fusion at http://www.nwfusion.com/reviews/2002/vulnerability0204.jsp). You could always go with the limited budget solution - Nessus and "Almost Free" Tools (refer to Fred Langston's presentation - http://www.issa-ps.org/presentations/issaps-0303a.pdf). Each alternative has implementation, deployment and maintenance costs associated with it.

Regarding the accuracy of each and how often these are updated with the latest attack signatures is debatable, although Nessus has been highly rated by many for accuracy and updated attack signature availability (it is considered one of the most widely accepted and recommended security tools available, along with NMAP which Nessus has embedded into it). Most security professionals I have interacted with have mentioned that they use Nessus to complement the results from whatever commercial vulnerability scanners they are using.

Good Luck with your evaluation/decision.

Rafael Rosado, CISSP, CISA

-----Original Message-----
From: Rob Shein [mailto:shotenat_private]
Sent: Thursday, March 27, 2003 3:34 PM
To: 'Dan Lynch'; pen-testat_private
Subject: RE: Vulnerability scanners

I'd be astounded if it took that much money to administer Nessus. I run nessus, and it's so little trouble that I don't think I've spent 60 minutes administering/installing/maintaining it all year so far. Every time I run it, I do the check for updates (and heck, you can set that as a cron job if you really want), and aside from that I've had no trouble with it whatsoever.

I cannot believe that Qualys has vulnerability signatures faster than Nessus, at least by any reasonable amount of time...I've seen NASL plugins out within hours of the vulnerability being made public. Easier updates than Nessus? Um..."nessus-update-plugins"...wait about 20-90 seconds...done! What's so hard about that? And I can write my own NASL plugins for Nessus if I so desire (and I have), which I cannot do with Qualys.

Finally, a company I worked for tested Qualys once, and they failed to find some of the more important problems with the NT box we stood up outside of our firewall. This was years ago, and I'm sure things have improved (or so I hope) but it was still a powerful thing to see first hand. In the end, we went with Nessus, and never had a problem after that.

> -----Original Message-----
> From: Dan Lynch [mailto:dan.lynchat_private]
> Sent: Wednesday, March 26, 2003 6:47 PM
> To: pen-testat_private
> Subject: Vulnerability scanners
>
> Greetings list,
>
> Yesterday some reps from Qualys came with a sales
> presentation for their QualysGuard appliance. I'd like to
> solicit your comments and opinions on that product. In
> particular, do you think it's $45,000 per year better than
> Nessus? (That's about the cost we'd face based on our IP
> address range.) They claim it costs as much in administration
> to run Nessus. Does Qualys' claim to more vulnerability
> signatures and faster/easier updates hold water?
>
> Any input you can offer is greatly appreciated.
>
> Dan Lynch
> Information Technology Analyst
> County of Placer
> Auburn, CA
>
> 530/889-4222
>
> Bureaucracy: the art of making the possible impossible.
>
> Stop spam and e-mail risk at the gateway.
> SurfControl E-mail Filter puts the brakes on spam & viruses
> and gives you the reports to prove it. See exactly how much
> junk never even makes it in the door. Free 30-day trial: http://www.surfcontrol.com/go/zsfptl1
This archive was generated by hypermail 2b30 : Thu Mar 27 2003 - 14:12:18 PST