An important aspect of server security is being proactive about security screening. For anyone who exposes services to the internet, penetration testing is an important task for assessing vulnerability to threats (Digitalocean.com, 2014). There are many ways of performing this testing, and one of the best is via OpenVAS (Openvas.org, 2014).
OpenVAS evolved from a project called Nessus, which became a proprietary tool. The security scanner is accompanied by a feed of Network Vulnerability Tests (NVTs) that is updated daily. The Open Vulnerability Assessment System (OpenVAS) was developed to allow free development of the vulnerability scanner, since Nessus had become a paid-for subscription service.
OpenVAS is one of the top five tools for network assessment. OpenVAS is the world’s most advanced Open Source vulnerability scanner (Phatak, 2012). The scanner is 100% free and is based on Open Source Software. It is a process to measure the IT threats of an infrastructure, identify them, classify them and fix/mitigate them in a 3-tier scalable architecture on a day-to-day basis (Online Vulnerability Scanners and Port Scans, 2012).
OpenVAS is divided into two major components: a scanner and a manager. The scanner may exist on the target to be scanned, and its vulnerability findings are fed to the manager. The manager then collects inputs from various scanners and applies its own intelligence logic to create a report (Sectools.org, 2014).
OpenVAS performs both authenticated and unauthenticated tests. The authenticated tests are Local Security Checks (LSC). These tests are used for information gathering, configuration correctness (over SSH, over SMB/WMI), and missing updates/patches. The unauthenticated checks include network scanning, web application audits and credential brute-forcing.
OpenVAS uses and relies upon the various standards listed below:
- Common Vulnerability Enumeration
- Common Platform Enumeration
- Common Vulnerability Scoring System
- Open Vulnerability and Assessment Language
- IT-Grundschutz (YouTube, 2014)
OpenVAS is often misunderstood as an automated pentester, an attack tool, or a fix for vulnerable systems.
The following are the aims of using OpenVAS:
- Detect insecure configurations
- Check for compliance with your security policy
- Harden both the exposed perimeter and the core of the network.
In the world of security, OpenVAS is trusted as a very stable and reliable way of detecting security loopholes and of providing inputs to fix them (Greenbone.net, 2014). Creating detailed reports is one thing that makes OpenVAS a tool favored by infrastructure security managers (Doreau, 2011).
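The manager's role described above, consolidating findings from several scanners and classifying them by CVSS score into a per-host report, is illustrated below. This is an added example, not OpenVAS code: the XML layout, the `nvt-000x` identifiers and the function names are assumptions made for the illustration, and the severity bands follow the NVD ranges for CVSS v2.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample data: the element and attribute names are a simplified,
# hypothetical layout chosen for this example, not the real OpenVAS schema.
SCANNER_A = """<results>
  <result host="192.0.2.10" port="22/tcp" nvt="nvt-0001" cvss="7.5">Weak SSH configuration</result>
  <result host="192.0.2.10" port="80/tcp" nvt="nvt-0002" cvss="4.3">Missing web server patch</result>
</results>"""
SCANNER_B = """<results>
  <result host="192.0.2.10" port="22/tcp" nvt="nvt-0001" cvss="7.5">Weak SSH configuration</result>
  <result host="192.0.2.20" port="445/tcp" nvt="nvt-0003" cvss="10.0">Missing SMB update</result>
  <result host="192.0.2.20" port="general/tcp" nvt="nvt-0004" cvss="0.0">OS detection</result>
</results>"""


def severity(cvss):
    """Map a CVSS v2 base score to a severity band (NVD v2 ranges)."""
    for floor, label in ((7.0, "High"), (4.0, "Medium"), (0.1, "Low")):
        if cvss >= floor:
            return label
    return "Info"  # this example treats a 0.0 score as informational


def consolidate(*scanner_outputs):
    """Merge findings from several scanners, dropping duplicate reports."""
    merged = {}
    for xml_text in scanner_outputs:
        for r in ET.fromstring(xml_text).iter("result"):
            key = (r.get("host"), r.get("port"), r.get("nvt"))
            score = float(r.get("cvss", "0"))
            # Keep the highest score if scanners disagree on the same finding.
            if key not in merged or score > merged[key][0]:
                merged[key] = (score, (r.text or "").strip())
    return merged


def report(merged):
    """Group findings per host, worst first, with a severity label."""
    by_host = defaultdict(list)
    for (host, port, nvt), (score, name) in merged.items():
        by_host[host].append((score, severity(score), port, nvt, name))
    return {h: sorted(f, reverse=True) for h, f in sorted(by_host.items())}


if __name__ == "__main__":
    for host, findings in report(consolidate(SCANNER_A, SCANNER_B)).items():
        print(host, *findings, sep="\n  ")
```

The finding that both scanners report for 192.0.2.10 on port 22 appears once in the merged report, which is why deduplication is keyed on host, port and test identifier rather than on the finding's name.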
References
Digitalocean.com. (2014). How To Use OpenVAS to Audit the Security of Remote Systems on Ubuntu 12.04 | DigitalOcean. Retrieved 19 October 2014, from https://www.digitalocean.com/community/tutorials/how-to-use-openvas-to-audit-the-security-of-remote-systems-on-ubuntu-12-04
Doreau, H. (2011). Vulnerability management with OpenVAS (1st ed.). Retrieved from http://2011.rmll.info/IMG/pdf/5-Henri-OpenVAS-RMLL2011.pdf
Greenbone.net. (2014). Greenbone: FAQ. Retrieved 19 October 2014, from http://www.greenbone.net/learningcenter/faq.html
Openvas.org. (2014). OpenVAS Manager: Main Page. Retrieved 19 October 2014, from http://www.openvas.org/src-doc/openvas-manager-5.0.4/index.html#Introduction
Dalziel, H. (2014). OpenVAS Tutorial (Vulnerability Assessment) and summary of framework. Concise-courses.com. Retrieved 19 October 2014, from http://www.concise-courses.com/security/openvas-tutorial/
Sectools.org. (2014). OpenVAS – SecTools Top Network Security Tools. Retrieved 19 October 2014, from http://sectools.org/tool/openvas/
YouTube. (2014). Setting up OpenVAS on Kali Linux + Config and Scanning Howto + Free Startup Script. Retrieved 19 October 2014, from https://www.youtube.com/watch?v=0b4SVyP0IqI
Online Vulnerability Scanners and Port Scans. (2012). 10 Essential Open Source Security Tools | HackerTarget.com. Retrieved 19 October 2014, from http://hackertarget.com/10-open-source-security-tools/
Computerweekly.com. (2014). OpenVAS how-to: Creating a vulnerability assessment report. Retrieved 19 October 2014, from http://www.computerweekly.com/tip/OpenVAS-how-to-Creating-a-vulnerability-assessment-report
Phatak, P. (2012). Top 10 Security Assessment Tools - Open Source For You. Open Source For You. Retrieved 19 October 2014, from http://www.opensourceforu.com/2012/02/top-10-security-assessment-tools/