Dagan, Kyle CIV DISA GS4B wrote:

> Exactly how does nessus store the credentials and is it a secure method such
> as encryption? Just need to know if the credentials are "out in the blue"
> per se.
Nessus Client 3.0 stores credentials securely, unless you specifically ask it to save the credentials in clear text. We recently published a blog entry on how this client saves its data and scan policies at blog.tenablesecurity.com.

In the case of Windows, Nessus also has options to prevent the transmission of domain credentials in clear text and to use SSH keys. This protects you from having a hostile system on your network wait for you to scan it in order to receive the domain or SSH passwords.

We also get a lot of .mil customers asking us about Telnet support. You can encrypt Telnet passwords all day, but when you scan 1000s of systems with Telnet, it is not encrypted and you end up broadcasting this all over your network.

Historically, there have been many different types of Nessus clients, some written by Tenable, some written by other Nessus users and some commercial products. There have been a wide variety of methods used (including clear text) to store credentials. I don't have a list handy of which clients stored credentials which way. This was one of the reasons to move to a new Nessus Client 3.0 across all OSes.

Ron Gula, CTO
Tenable Network Security

_______________________________________________
Nessus mailing list
http://mail.nessus.org/mailman/listinfo/nessus
