SecurityFocus interviews Ron Gula to get a glimpse of Tenable's upcoming free (but closed-source) Nessus 3 vulnerability scanner. The discussion looks at license changes, community involvement, daemon security, new features, GPL open-source versus free, NASL, and more.
Could you introduce yourself?
Ron Gula: I am a Tenable co-founder, CEO and CTO. Renaud Deraison, the Nessus creator, and I have been at Tenable for over three years now. Prior to Tenable, I was the original author of the Dragon intrusion detection system and founded Network Security Wizards.
Why did you choose to change the license of Nessus?
Ron Gula: Customer demand. Organizations want a free product that they can use, and a place they can get commercial support and training from if needed. I'd also like to point out that although Nessus 3 is not released under the GPL, Tenable is still actively maintaining Nessus 2. We just released an update for Nessus 2.2 with lots of improvements.
I thought you chose to develop a closed source tool to have more control over the code, and more opportunities to get profits. Why did your customers ask you to rewrite a closed source version? What type of advantage should they get from a closed source version?
Ron Gula: There [was a] very small benefit to working with one set of code, but the overwhelming reason was to have a better relationship with our user base - a majority of which can't really use GPL code. Of course everyone does, but in this day and age of SOX, FISMA and 'process' a lot of folks are having to replace open source solutions with technology that is supportable and has licenses in line with whatever corporate policy is out there.
If we were trying to make money with Nessus, we would not give it away. A majority of the folks that use Nessus don't give us any money.
I think you meant free as in free-of-charge, right? (not free as in freedom)
Ron Gula: "Free" or "freedom" means many things to people in different countries, courts and businesses. Nessus 2 was released under the GPL and that certainly is not "free" like a FreeBSD license. There are many companies who use GPL software in their commercial products and hide it from their customers.
Nessus 3 will be free of charge for end users or service providers or consultants to do whatever they want with it, except put it into a product or re-brand it as their own software. We're also simplifying the license agreements for our vulnerability updates such that the 7-day delayed feed (also free) can be used in commercial venues. Our direct feed could always be used that way as well, but we're also including support with it. At $1200/year per scanner, this is huge news to the enterprise, consultants and anyone else that wants to have a great supported vulnerability scanner.
What new features does Nessus 3.0 include?
Ron Gula: Nessus 3 is a rewritten scan engine that is compatible with the existing library of vulnerability checks.
The basic features are:
- Increased speed (a rough worst case of 1.5x to 2x, and best case of 17x. For scanned Windows servers, it's about 5x)
- 'Packaged' distributions. This is actually a large feature set as we have very large percentages of the user population hand-compiling Nessus each time.
- Lots of tiny features like network capture of potential false positives to make diagnostics easier, some new APIs in the NASL language, and much faster 'boot' time to launch Nessus.
- The direct feed for Nessus 3 will also include support from Tenable. In the past, users could search mailing lists, but many of these posts came from the "community" and were not always timely or useful.
- Tenable is also announcing training and certification programs around Nessus 3 as well.
- We're also in talks with a major publisher to produce a line of Nessus 3 books about scanning, using Nessus, getting certified, etc. There were lots of books that mentioned Nessus already, but these were not consistent or updated in a way that a direct relationship with Tenable could provide.
How can Nessus 3 be so much faster at scanning large networks? What changes in the scan technology were made versus the GPL version - improved port scanning, memory optimization, parsing NASL scripts, or others?
Ron Gula: This is a "secret sauce" question. The modifications were mainly in the interpreter of the NASL engine, but the community should be aware that Tenable audited the entire NASL set of plugins for speed. Nessus 2 is much faster than Nessus 2 was this time last year. Once we got Nessus 2 as fast as we could, we set out to write a more optimized engine for Nessus 3. In the end, it boils down to simplifying and improving the Nessus code so that most of the CPU time is spent doing network operations and very little else.