Why Upgrade to Nessus 4?
Nessus 4 improves performance and reliability over Nessus 3, at the expense of bringing significant architectural changes. This document explains the performance benefits of upgrading from Nessus 2 or Nessus 3 to Nessus 4.
A look back
When Tenable started to design Nessus 3 in early 2005, we looked at the aging Nessus 2 code base and decided to take a step back: we looked at the number of plugins we had written, how we changed the way we wrote plugins (with protocol libraries ever increasing in size) and then we looked at the Nessus 2 code base not only to determine and remove the existing bottlenecks we met at the time, but also to identify where the bottlenecks would be in the years to come. We therefore wrote Nessus 3 which was, given the plugin set of the time, twice as fast as Nessus 2. It now is much faster, as time has validated our analysis and our plugins have grown to become more complex.
The goal of the Nessus 4 release was to not only unify the code base between all platforms (the Unix and Windows versions have grown apart over time), but to improve the performance on all platforms by doing so.
With the release of Nessus 4, we have decided to perform new benchmarks to compare Nessus 2 and Nessus 3 against Nessus 4.
NASL2 vs. NASL4 Raw Performance Improvements
The biggest change in Nessus 3 is the NASL3 engine. NASL is the language used to describe all the vulnerability checks Nessus uses, and the NASL engine is in charge of reading each script and executing them.
Because 99.99% of the Nessus checks are written in NASL, the more efficient the NASL engine is, the less impact the scanner will have on the scanning system. In Nessus 3, the NASL engine has been re-written from scratch in order to integrate better with Nessus itself, and to be radically more efficient. Better yet, the NASL3 architecture makes it very easy to tune furthermore without redesigning the whole engine, thus guaranteeing even further improvements in the future!
The following tests are extreme cases, which exhibit some of the limitations of NASL2. The more meaningful tests are #1 and #4 as they are most likely to reflect real life situations.
Scan Time (Unix)
During our testing, Nessus 4 is over ten times faster than Nessus 2.
| |
Scan time |
Improvement over Nessus 2 |
Improvement over Nessus 3 |
| Nessus 2 | 70m16s | - | - |
| Nessus 3 | 11m02s | 6.36x | - |
| Nessus 4 | 6m47s | 10.36x | 1.62x |
Scan Time (Windows)
Nessus 3 for Windows was very different from Nessus 3 on Unix. In fact, only the NASL subcomponent was the same while the rest of the codebase was Windows specific. When working on Nessus 4, we unified the code bases and identified (and subsequently removed) bottlenecks occurring across all operating systems. We found a number of issues with Windows and worked around them while using a smaller, cleaner code base. As a result, Nessus 4 on Windows is much faster than version 3:
| |
Scan time |
Improvement |
| Nessus 3 | 36m03s | - |
| Nessus 4 | 7mn09s | 5.04x |
Memory Usage
The amount of memory used by Nessus 4 is much lower than with Nessus 2, and since the scan is faster, memory is used for a shorter amount of time. A lower memory consumption means that, bandwidth permitting, you can test more hosts in parallel and therefore speed up the scan even further.
System Load
The system load characterizes the level of CPU usage. The higher the load is, the more time it will takes for each process to get a time slice. On systems with a very high load, the system seems un-responsive and may even start to lose packets, thus slowing down the scan or even missing information.
Due to its architecture, Nessus 4 generates a system load that is much lower than Nessus 2 and Nessus 3:
Extended NASL Language
NASL4 contains new functions which in turn let NASL scripts be more efficient and more powerful. Starting with Nessus 3, NASL scripts could write directly to the ethernet level, handle non-blocking sockets, etc. In NASL4, they can use PCRE, can write to other link layers than ethernet, communicate globally during a scan, etc...
While engineers at Tenable will try to be backward compatible with Nessus 2 and Nessus 3 most of the time, these functions will be used to improve the results of the scan or to speed it up.
Commercial Support
If you buy a ProfessionalFeed and use it with Nessus 4, you are entitled to get access to our customer support page, which lets you manage your activation code and easily communicate with our support team.
For more information about the ProfessionalFeed click here, or buy one now.
Conclusion
The design of Nessus 4 was done from what we learned over years of development of Nessus 3 and Nessus 2. It is not only faster, its design takes into account what we want to do with Nessus in the future. If you use Nessus professionally, you should definitely upgrade to this newer version.
Information About the Test
All the benchmarks above, except the Windows ones, have been done on a Dual Xeon system, running at 2.8GHz with 2Gb of ram, running Linux Red Hat Enterprise Linux ES 5 (Linux 2.6.18-92.1.18.el5PAE).
The tested scanners are Nessus 4.0.0, 3.0.6 and Nessus 2.2.10.
Each scan was done with 4 plugins in parallel, scanning 50 hosts in parallel (4 x 50), the tested network is comprised of two local class Cs containing 33 live hosts in total (mixture of Windows, Solaris, Linux and Mac OS X hosts). Windows and SSH credentials have been provided to the scanner, 'safe checks' are enabled, CGI scanning disabled. Plugin set used was 200904101434.
On Windows, the tests were done under a single-CPU Windows XP SP3 VM with 786Mb of RAM running on an intel Xeon CPU running at 2.66GHz.
The tested scanners are Nessus 3.2.1.1 and Nessus 4.0.0. Each scan was done with 4 plugins, 50 hosts in parallel.
The Windows scanners scanned a class C containing a mixture of Linux and Windows targets hosts. Windows and SSH credentials have been provided to the scanner, 'safe checks' are enabled, CGI scanning disabled. Plugin set used was 200904102034.
|
