Mailing List Archive

Fw: Running Nessus On Virtual Machine
----- Forwarded Message ----
From: Eric van Straten <>
To: "Nelson, C.M." <>
Sent: Thursday, July 19, 2007 8:36:43 AM
Subject: Re: Running Nessus On Virtual Machine

>Has anyone tried running Nessus on a VMWare ESX server under either
>Windows or Linux? If so what OS did you use and did it work?

Good morning Carl,

I have been running Nessus for over a year on Virtual Machines.

We have standardized on RedHat Enterprise Linux v4 for our production linux servers so I am keeping my Nessus scanning systems on the same version for sheer ease of management. As I type this response I really should be working on my VI3 migration...but, I was running Nessus/RHEL4 on top of VMware ESX2 and after this weekend it will be on VMware ESX3 as well as
moving from HP DL380's to HP DL585's. As a side note: From my initial (and unscientific) testing I'm already seeing 8x's (plus) in performance improvements -- Amazing what new hardware can do for you with upgraded software !! ...that's overall and not specific to Nessus.

So, back to the task at hand...

If you are working from a command line with Nessus on a Linux box running on VMware ESX server you will see a message state that they do not recommend it. But... they also do not tell you that you can't! I've been having another conversation with Tenable and mentioned that I was running on VMWare and the response that I got (to paraphrase) is that they are worried that "would lead to significantly longer scan times and even missed vulnerabilities because of time-outs and lost packets."

So, this is a possible risk when running Nessus in a VM environment. You will have to decide if longer scan times is an
issue for you. Personally, I discussed this with my boss and he is willing to accept that. ...your management (or you) may not.

The other gentleman that responded already (Patrick) may be able to respond better... but I personally have never been a fan of running any scanning tool on a Virtual Linux box running on top of a Windows based Virtual Host. My logic behind this is that you are still running on windows. I.E. relying on the windows TCP/IP stack. I could very well be wrong with this... but I would trust ESX server to pass the traffic through "unhampered" more than VM Workstation or VMServer.

If my boss would let me do it (he still doesn't trust *nux) I would have my work desktop and laptop running Linux and a VM of XP for those things that are just absolutely windows based (I still interface with MS/Windows/Active Directory more than I want). For now I have to dual boot my laptop.

As a little
background ... just a couple of years ago I fought hard to keep Virtualization out of datacenter. Then I switched jobs and was "forced" to take on responsibility for the VMWare products... and have since fallen in love with the VMWare ESX server products. I still do not like the end-of-lifed GSX server (can't wait to remove the last server this weekend), have a passing knowledge of the workstation products (they are okay for testing...but then again I have ESX for that personally) and absolutely no knowledge of the VMWare Server product. BUT, if I were to run VMWare server I would run it on top of Linux and not windows for the very reason's that I mentioned previously. I believe that my dislike for the VMWare GSX product is due to the fact that we are running it on top of W2K.

Sorry if rambled around some. ..but essentially, yes I run it in a VMWare ESX environment, yes it works, and it's true that Tenable
suggests that you not do it.


p.s. if you have a dog please give him/her an extra scratch behind the ear for me ;-)

Pinpoint customers who are looking for what you sell.

Get the free Yahoo! toolbar and rest assured with the added security of spyware protection.
Re: Fw: Running Nessus On Virtual Machine [ In reply to ]
Eric made several very good points about Nessus under VMWare, and I'd
like to add a bit more information about what Tenable has seen from
users running Nessus under VMWare.

The most common "worse case" we've seen is a Windows user, running
Nessus under a VM, which is short on memory, with a NATed interface,
with a local firewall on the Windows side. There are lots of
opportunities for resources to not be available for the Nessus scan and
the scan to be inaccurate because of some filtering, a dropped packet or
so on. We run into this situation often enough that you get the message
about abysmal performance with Nessus under a VM.

Today, with more organizations deploying ESX and resourcing their
machines adequately, there still is a performance hit, but it isn't
nearly as bad as what I previously described. We're definitely
considering detecting ESX (as compared to an OS hosted VM) and either
not displaying the performance warning, or displaying one less alarming.

For organizations that do have multiple Nessus scanners under VM and
also stand-alone, try the following tests:

- Between scanning with native scanners and VM scanners, are there
different counts of open ports or even number of identified hosts?

- Are the actual scan times that different? (Consider the total scan
time as well as the average scan times for each host which you can get
from plugin 19506)

If the differences are acceptable, moving to a virtual environment for
your scanners may be an option.

My last point on Nessus and VMs though is that I've seen many
organizations load up more and more applications on the VM servers, be
they ESX or a nice system just running VMs. As with any type of VM
environment, the more other applications you end up putting on the same
physical host, the more chances you have at running out of physical
system resources to your VMs.

Ron Gula, CTO
Tenable Network Security

Nessus mailing list