Strengths: Simple to set up and use.
Weaknesses: The lack of documentation made it very difficult to understand its true benefits.
Verdict: Good appliance package, also available in software and service formats to fit every enterprise.
As an appliance, NeXpose fits into our category of fully featured products, but it is also available as software only. Uniquely, Rapid7 also offers a managed service for organizations with limited resources.
The appliance came with no documentation beyond a one-page laser-printed quick-start guide. Although this product is fairly easy to set up and use, it can be difficult to understand how to make it work best for a particular environment. Some documentation is available on the device itself, and that helps a little in terms of setup and operation.
Still, it is difficult to take full advantage of the obvious features of this device without something more. We visited the Rapid7 website and found several whitepapers, but they were mostly marketing and press-related.
Phone support is available in both the U.S. and Europe during normal work hours and email support is also available. But support was not needed as this is a very simple device to set up and use. The strength of the product from an operational perspective is its intuitive menuing system. Of all the products on test, NeXpose had one of the nicest menus.
Once the product is plugged in, turned on and the preliminary configuration is complete (you do this from a small panel on the front of the appliance), all operation and additional configuration is through a web interface. Operation is clean and it provides several pre-configured reports in HTML, including a report card, executive report and a detailed audit report.
One useful capability is NeXpose’s verification of vulnerabilities. The Report Card report contains all vulnerabilities found, organized by IP address. If NeXpose cannot validate a vulnerability, it indicates that, so possible false positives are highlighted. We are cautious about this, however, because the practice can lead to false negatives and the user needs to understand the context for the vulnerability.
Generally, we found this was a serviceable appliance that would have been much more useful with better documentation.