OpenVAS

Photo by Shahadat Rahman on Unsplash

OpenVAS is a widely used vulnerability scanner distributed by Greenbone Networks. OpenVAS includes a variety of built-in tests and a Web interface. In addition, OpenVAS makes setting up scanning user-friendly and highly configurable.

OpenVAS is open source. When OpenVAS produces a false positive, users can review the plugin to determine the cause of the misidentified vulnerability. OpenVAS has grown a broad community of security experts. When you flag a false positive to the OpenVAS mailing list, the feedback is usually prompt and knowledgeable. In this way, false positives may be remediated within hours – this benefits the entire community.

A vulnerability scanner enables the monitoring of networks, systems, and applications for security vulnerabilities. Vulnerability management scanners like OpenVAS identify and classify potential points of weakness in your infrastructure, quantify the possible risk, and recommend mitigations to remediate the problem. The goal is to prevent and minimize attacks by targeting identified exploits present within the networks. OpenVAS achieves this by closely inspecting areas such as firewalls, applications, and services to gain unauthorized access to organizational networks and assets. These potential points of weakness are then compared against a database of known vulnerabilities to identify the gaps and then get them corrected quickly.

Authenticated and Unauthenticated Testing Using OpenVAS

OpenVAS enables a multitude of internet and industrial protocols and supports both authenticated and unauthenticated testing.

Unauthenticated scanning will help identify and show weakness in the perimeter. For example, unauthenticated scans typically identify misconfigured firewalls or exposed web servers in the demilitarized zone (DMZ) by scanning these devices remotely. Unauthenticated scans can also work with assets on wireless or wired networks.

Authenticated scanning enables access to the network directly using protocols such as remote desktop protocol (RDP) and secure shell (SSH). Direct access allows the scanners to go deeper to gain access to the network to detect better threats and a closer simulation of a user’s activities. In addition, authenticated scanning will find application and operating system vulnerabilities on endpoints and servers.

Feeds Available for OpenVAS

The OpenVAS scanner uses regularly updated feeds. Feeds may include the commercial Greenbone Security Feed (GSF) or the free Greenbone Community Feed (GCF). The GSF is a paid service utilizing updates from security experts worldwide. Updates are delivered automatically via the Greenbone Security Manager (GSM) and the Greenbone Cloud Services (GCS). These feeds form a stream of small procedures that the scanner uses to check all the devices in your network for known and potential security problems. The GSF has approximately 100,000 vulnerability tests and continues to grow. The GCF is a free community feed. The GCF has over 50,000 vulnerability tests and is the default configuration for OpenVAS.

The OpenVAS scanner also supports over 26,000 common vulnerabilities and exposures (CVEs).

The Business Value of OpenVAS

Scanners such as OpenVAS are designed to be used by internal information (IT) and security operations center (SOC) teams. OpenVAS provides increased transparency for management to better manage IT assets and processes. In addition, OpenVAS proactively collects data and automates reports to better manage IT assets and operations.

Compliance is another area of opportunity. Many times vulnerability scanning is a mandatory part of compliance programs. For example, the Payment Card Industry Data Security Standard (PCI DSS) certification requires regular vulnerability scanning.

It is worth noting that the remediation of vulnerabilities has been a long-standing problem within IT and SOC teams. OpenVAS provides a powerful ability to collect vulnerability data and make it actionable. Once the data is collected, then prioritization is another critical part of risk assessment. Risk prioritization centers on the vulnerabilities which attackers most easily exploit.

Vulnerability Scanning Versus Penetration Testing

Vulnerability scanners search systems and networks for vulnerabilities. An essential difference between vulnerability scanning and penetration testing is that vulnerability scanning can be automated, where a penetration test requires various levels of expertise. Penetration testing is an authorized simulated attack by white hat hackers designed to evaluate the system’s security. Penetration tests can identify vulnerabilities in many areas.

Basic Scan with OpenVAS

The OpenVAS interface utilizes a wizard to help you set up scans for your targeted machines. To perform a scan, you must first identify a target internet protocol (IP) address. After entering an IP address into the wizard, you can select Start Scan. The scan’s progress is shown at the bottom of the page. The scan will also show summarized data about the current ongoing progress and any results from the scans.

As OpenVAS is running, you can click on the status bar. Vulnerabilities that are detected will be listed. You can click on these vulnerabilities and drill down to get more important details.

Advanced Scan with OpenVAS

OpenVAS also includes an advanced task wizard that enables:

• Task naming
• Scan configuration
• Target IP address
• Scheduling scans
• Authorized (credentialed) scans

OpenVAS provides standard default scans, allows you to create customer scans, and enables users to create custom configs. “Out-of-the-box” OpenVAS provides some basic scan configurations – you can drill down by clicking on them to see additional details.