NeWT by Tenable

INTRODUCTION
Over the course of the past year the number of security threats has increased at a rapid rate. Fortunately, many of these threats can be thwarted by simple upkeep of computers: applying operating system patches promptly after they are released protects a computer against many of the most commonly targeted vulnerabilities. In a managed environment, network administrators have full discretion over which patches are applied to a computer and when. In a non-managed, diverse environment, administrators have a much harder time confirming that the computers on the network have actually been patched. One possible solution is a product like NeWT.

To understand NeWT one must first understand Nessus. Nessus is a free security scanner that probes the computers on a network for known vulnerabilities. It can run checks against Windows, Mac, and Unix-like operating systems. Each vulnerability check is written as a separate plug-in, so the user may selectively install and run only the checks they are concerned with. New plug-ins are written by the direct contributors to the Nessus Project as well as by the user community, using NASL (the Nessus Attack Scripting Language). Updates for the latest security holes are published daily (and advertised via an RSS feed). At the time of writing 4,646 plug-ins were available. Scans can be configured either to look only for evidence that a hole exists or to go further and actively attempt to compromise the computer.

Nessus consists of two components, a server and a client. Clients exist for a variety of operating systems, including Windows; the server, though, must run on a Unix-based platform. Not having sufficient access to a Unix machine prevented me from testing the Nessus product. Fortunately, Tenable Network Security provides a Windows-based product that performs Nessus scans. I found NeWT by following a link on the Nessus website. It essentially runs the client/server interaction on a single XP machine.

INSTALLATION
There is very little to say about the installation of NeWT. NeWT is downloaded as a .zip file. Double-clicking the file in XP opens a window showing the contents of the archive, from which the Setup program can be run. During installation the user is asked whether WinPcap (the Windows packet-capture driver) should be installed. NeWT requires it, so it should be installed unless it is already present (rare unless Nmap or Snort has already been installed on the machine).

PERFORMANCE
NeWT is an easy-to-use piece of software. It opens to a New Scan option and then prompts you for the IP addresses to scan. Specific addresses, as well as IP ranges, can be entered in a variety of formats; the Examples link pops up a window showing the accepted forms.

After entering the targets, the specific types of checks must be chosen. Here the user decides whether to only scan for vulnerabilities or to actually try to exploit the computers. New users are cautioned against the dangerous checks, since a target may crash if it has one of the vulnerabilities those plug-ins test for. In an environment where an administrator wants to truly test the security of a machine they own, this option might be appropriate. For my purposes (a new user scanning the computers of others), the dangerous scans were not selected.

NeWT is surprisingly quick in its default scan. It typically averaged around 10 IP addresses per minute. That figure is an average over a range of IP addresses that included both "live" and "dead" hosts (addresses which did and did not respond to a ping). NeWT's interface shows the user how far through the process the scan is.

After completing the scan, NeWT opens a browser window containing the results. The report begins with a summary of what was found on each IP address scanned, followed by details for each address. Here is an edited report. It contains the results for only 2 computers, for brevity, clarity, and privacy.

COST
NeWT is provided as a complimentary download. Support is not available from Tenable, and it can only scan the local Class C-sized (/24) subnet: the range of IP addresses whose first three octets match those of the scanning machine's own address.
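The two practical questions a first-time user hits are what the target field accepts and how much of the network the free edition will actually cover. The following Python is an added example written for this review, not code from Tenable or the Nessus project: it expands a target list into host addresses and splits them into the ones a free NeWT install could scan from the scanner's own /24 and the ones that would need a scanner placed on another segment. The accepted target forms (single address, CIDR block, full range, short last-octet range) are assumed for the example; the product's own list of formats is in its Examples window.

```python
"""Expand a target specification and check it against the free NeWT
limit: only addresses inside the scanning machine's own /24 subnet.

Added example for this review; not Tenable's or Nessus's code.  The
target forms accepted below are an assumption for the example.
"""
import ipaddress
from typing import Dict, List, Tuple

IPv4 = ipaddress.IPv4Address


def scanner_subnet(scanner_ip: str) -> ipaddress.IPv4Network:
    """The /24 containing the scanning machine, i.e. every address whose
    first three octets match the scanner's own address."""
    return ipaddress.ip_network(f"{scanner_ip}/24", strict=False)


def _expand_item(item: str) -> List[IPv4]:
    """Expand one target entry.  Assumed forms:
        single address   10.0.0.5
        CIDR block       10.0.0.0/24         (network/broadcast dropped)
        full range       10.0.0.10-10.0.0.20
        short range      10.0.0.10-20        (last octet only)
    """
    if "/" in item:
        net = ipaddress.ip_network(item, strict=False)
        addrs = list(net)
        if net.prefixlen < 31:          # drop network and broadcast addresses
            addrs = addrs[1:-1]
        return addrs
    if "-" in item:
        start_s, end_s = (s.strip() for s in item.split("-", 1))
        start = ipaddress.ip_address(start_s)
        if "." in end_s:
            end = ipaddress.ip_address(end_s)
        else:                            # short form: keep first three octets
            end = ipaddress.ip_address(start.packed[:3] + bytes([int(end_s)]))
        if end < start:
            raise ValueError(f"range end precedes start: {item}")
        return [IPv4(n) for n in range(int(start), int(end) + 1)]
    return [ipaddress.ip_address(item)]


def expand_targets(spec: str) -> List[IPv4]:
    """Expand a comma- or whitespace-separated target list, de-duplicated
    and in the order first seen."""
    seen = set()
    out: List[IPv4] = []
    for item in spec.replace(",", " ").split():
        for host in _expand_item(item):
            if host not in seen:
                seen.add(host)
                out.append(host)
    return out


def partition_targets(spec: str, scanner_ip: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split the targets into those the free NeWT can reach from this
    machine and those outside its /24, grouped by the /24 each falls in.
    The number of groups is the number of extra segments you would have
    to scan from."""
    local = scanner_subnet(scanner_ip)
    allowed: List[str] = []
    other: Dict[str, List[str]] = {}
    for host in expand_targets(spec):
        if host in local:
            allowed.append(str(host))
        else:
            segment = str(ipaddress.ip_network(f"{host}/24", strict=False))
            other.setdefault(segment, []).append(str(host))
    return allowed, other


if __name__ == "__main__":
    # Constructed input: a scanner at 192.168.1.20 given a mixed target list.
    spec = "192.168.1.5, 192.168.1.10-12, 192.168.2.0/30, 10.0.0.1-10.0.0.2"
    allowed, other = partition_targets(spec, "192.168.1.20")
    print("scannable from this host:", allowed)
    for segment, hosts in other.items():
        print(f"needs a scanner on {segment}:", hosts)
```

Run it and the two /30 hosts and the two 10.0.0.x hosts are reported under their own /24s, which is exactly the situation in which the free edition forces a second scan from a machine on each of those segments.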

NeWT Pro is also available and will scan an unlimited number of IP addresses. Its cost is $6000. Support and maintenance may be purchased for an additional $1200 per year.

RECOMMENDATION
I think NeWT performs its stated functions well. It seems to properly identify many security holes and has an impressive variety of plug-ins available due to its wide, active user base. I think that it is best suited for an IT manager who does not control the installation of OS patches on computers but nevertheless needs to ensure that the computers are patched against major vulnerabilities. It would be incredibly useful as a threat evaluation tool when new dangers are announced. It could also be useful at locations that need to let users connect their own computers, such as a university, library, public hotspot, etc. Computers could be scanned before they are allowed network access and presented with a summary of how to remedy problems if they fail.

I do not think that NeWT Pro is worth the cost. NeWT does fine on smaller networks, even if multiple scans must be run for multiple segments. For organizations that need to run scans on a much larger network, it is my belief that it would be more cost-effective to run a Unix station with the actual Nessus program than to actually pay for the Pro license and support.

I am a little hesitant to advise any major ventures into the Nessus arena at this time due to the uncertainty of Windows Service Pack 2 and other firewall programs. Firewall programs may block Nessus scans from running. As the number of firewall users increases, the number of computers that will be effectively evaluated by Nessus scans decreases. Depending on user trends, we may be at a point where the costs of installing, learning, and configuring Nessus scans may not be outweighed by the benefit gained by the time it is in place.