A Deep Dive into OpenVAS: Enhancing Network Security Through Vulnerability Scanning

Heads up: Some of the vulnerabilities found in the reports were created for the explicit purpose of testing the accuracy and reliability of OpenVAS as a tool and platform.

TL;DR:
This blog post explores the implementation of OpenVAS (Open Vulnerability Assessment System) to enhance our company's network security. If you’re interested in a deeper dive into the process, I’ve written a detailed paper on the subject, which you can refer to for more in-depth insights.

Initially, OpenVAS was set up on a Linux VM. Several scan types were configured, including host discovery, full/fast scans, authenticated scans, and CVE scans, which helped identify critical and minor vulnerabilities. The tool's detailed reports prioritized remediation efforts.

After testing, the setup was moved to a dedicated on-premise server for better reliability and performance. As things progress, automation and integration with other security tools are planned to streamline vulnerability management. OpenVAS proved to be a valuable, cost-effective solution for identifying and mitigating security risks in corporate networks.

While the tests also show potential false positives, having automated security scanning can prove invaluable with a proper process in place for scanning and triage.

Introduction

In today’s interconnected world, cybersecurity is more critical than ever. You might never think your company will be the target of a cyber attack, but you can never rely on beliefs.

Organizations face constant cyberattack threats, making a robust vulnerability management system essential for safeguarding sensitive information. OpenVAS (Open Vulnerability Assessment System), a powerful open-source vulnerability scanner, can be a pivotal tool in securing your network.

In this blog post, I will walk you through implementing OpenVAS in a corporate network environment, discussing its setup, findings, challenges, and benefits.

What is OpenVAS?

OpenVAS is a comprehensive vulnerability scanning tool designed to identify potential security risks in a network. It performs detailed assessments by scanning various devices, ports, and applications for vulnerabilities. It also provides valuable insights through generated reports, allowing security teams to prioritize remediation based on the severity of the risks.

The flexibility of OpenVAS makes it a strong candidate for organizations looking for a cost-effective, open-source solution to monitor their network's security posture continuously.

Getting Started With OpenVAS: Setup and Configuration

The first step in implementing OpenVAS was setting up the tool on a macOS machine. However, due to networking restrictions with Docker on macOS, I faced challenges giving OpenVAS access to the network from the container. After several attempts using custom bridges and VLANs, I decided to set up a Linux VM running Ubuntu, which worked seamlessly with Docker, enabling me to deploy OpenVAS without any issues. The docker-compose.yml I was using can be found here.

An important thing to note is that to each container, network_mode: "host" should be added to allow all the containers to be treated as separate machines in the network. The point is that they get a private IP Address from the local network, allowing them to ping all devices inside this network.

With OpenVAS running on the Linux VM, I could begin scanning CodeChem’s network to identify vulnerabilities. I configured OpenVAS to scan two subnets within the network (192.168.0.100/24 and 192.168.0.101/24), ensuring that it covered the entire range of addresses managed by the router. This initial scan uncovered valuable information, such as operating systems, ports, applications, CVEs, and certificates, which were ranked based on their severity.

Scans: Types, Setup, and Results

One of the most important features of OpenVAS is its scan types and how they can be configured to meet specific needs for vulnerability assessments. I configured several types of scans for our network to ensure thorough vulnerability detection.

Defining Targets and Network Segmentation

I began by selecting two subnets (192.168.0.100/24 and 192.168.0.101/24) to scan, covering all devices connected to our network, including servers, workstations, and networked devices. It ensured that every device would be included in the vulnerability scanning process.

Host Discovery

The first task was a Host Discovery scan to identify all active devices on the network. This scan helped create a comprehensive inventory of devices essential for targeting future vulnerability scans.

Full and Fast Scans

Next, I performed Full and Fast Scans across the network. The Full Scan checked for vulnerabilities like missing patches, open ports, and configuration errors, while the Fast Scan focused on critical issues. These scans uncovered important findings, including a brute-force attack on a VNC Remote Control service. OpenVAS identified the weak password, allowing us to act quickly and secure the device.

Authenticated Scans

I set up Authenticated Scans on critical systems like web servers and databases for deeper insights. These scans required valid credentials, enabling OpenVAS to detect vulnerabilities not visible from the outside, such as misconfigurations and outdated software.

CVE Scan Tasks

To ensure no known vulnerabilities were missed, I created CVE Scan Tasks, which specifically checked for critical vulnerabilities cataloged in the CVE database. These scans were vital for systems exposed to the internet, like public-facing web servers.

Fine-Tuning the Scan Process

After initial scans, I refined the process by scheduling daily scans at 7:00 AM and configuring email alerts for critical vulnerabilities. This automation ensured continuous monitoring without manual intervention.

Generated Reports

Each scan generated detailed PDF reports that listed vulnerabilities, categorized by severity, and offered actionable remediation steps. These reports helped our security team prioritize fixes and strengthen the network's security posture.

The results from these scans were detailed and comprehensive, with OpenVAS identifying both critical vulnerabilities that required immediate attention and minor issues that could be addressed over time. For example, some critical findings included outdated software versions with known exploits, while minor findings were related to less severe configuration issues.

Here’s an example of one of the generated reports, which visually breaks down the scan results:

These detailed reports helped prioritize remediation efforts based on severity, allowing the security team to address the most pressing vulnerabilities first.

Transitioning to an On-Premise Setup

While the initial configuration on the VM was successful, I realized that for OpenVAS to perform daily scans and provide continuous monitoring, it needed to be moved to a dedicated on-premise server. Running OpenVAS on a VM can be unstable, especially if the virtual environment encounters resource limitations. Moving to an on-premise machine offered the following benefits:

1. Reliability: The server would always be available, ensuring scans ran without interruptions.

2. Performance: On-premise hardware offered more control over resources, allowing OpenVAS to handle larger networks and more complex scan tasks.

3. Scalability: As the network grows, the on-premise setup can be upgraded to meet increasing demands.

Once the transition was made to the dedicated server, OpenVAS was successfully set up and configured to run daily scheduled scans. This setup will ensure that our network remains continuously monitored, providing regular reports and timely alerts whenever vulnerabilities are detected.

The Next Steps: Automating and Integrating OpenVAS

With OpenVAS now running on an on-premise server, the next steps involve automating the vulnerability management process. These include:

• Automated Remediation Workflows: Implementing automated processes to address vulnerabilities once identified, reducing the need for manual intervention.

• Integration with Other Security Tools: Enhancing OpenVAS's capabilities by integrating it with other security tools used in the company, creating a more cohesive security strategy.

These additional features will help streamline the vulnerability management process, improve response times, and strengthen the organization’s security infrastructure.

Conclusion

In summary, implementing OpenVAS within a company’s network environment has been a rewarding and educational experience. The tool's ability to perform thorough vulnerability scans, generate detailed, actionable reports, and offer customized scanning options makes it an indispensable asset for any organization's cybersecurity framework.

While OpenVAS is a cost-effective and open-source solution, it’s important to note that it does come with some challenges. These include occasional performance limitations when scanning larger networks and the need for manual intervention to handle false positives. However, its flexibility, scalability, and robust reporting features make it an essential part of a comprehensive vulnerability management system.

The transition to an on-premise setup ensures that OpenVAS can continue to monitor the network reliably and efficiently. As the next step, I plan to focus on automating remediation workflows, integrating OpenVAS with other security tools, and fine-tuning the system to adapt to evolving threats.

By adopting OpenVAS as part of a broader security strategy, organizations can enhance their defenses, mitigate risks, and reduce the potential impact of cyber threats.