The Rapid7 Nexpose series has been with us for a long time. There certainly is a wealth of experience here and, for the most part, it shows. We received the product as a dedicated hardware appliance, and setting it up was a bit of a challenge. When we powered up the appliance it automatically took a DHCP address, but it had no way to tell us what that IP was. We ran ZenMap against our test domain to find it, with no luck, so we connected a keyboard, mouse and screen. That let us see the IP, and connecting to it over the web interface was then easy.
We found that even though there is a lot of documentation, it leaves a lot to be desired. For example, as with many similar appliances, we were unable to find a definitive illustration of the rear panel showing which network ports to use for what. We experimented. The initial setup is not well documented and a knowledge of Linux is assumed. We did not find this uncommon. However, being a common fault does not excuse it.
This is an extremely powerful enterprise-grade tool. It has the ability to use distributed scan engines and the web interface is quite straightforward. The user guide is significantly better than the administrator guide in terms of completeness. Just about everything you can imagine is covered, and covered well, for the user or security admin. The assumption appears to be that IT people can set up the tool without a lot of help, but users need more assistance.
Capabilities for this tool are significant. For example, by associating threats with various vulnerabilities and analyzing both in the context of your network, Nexpose Ultimate can assign a risk score, making remediation triage easier. We also like that the tool has special scans for special kinds of servers, such as DHCP or database servers.
One of the most hazardous areas of risk in the enterprise is the web. Web servers are notorious for being low-hanging fruit for attackers. Nexpose Ultimate can perform detailed analysis of websites, including spidering an entire site. Discovery covers both assets and services. This is very important, since services that are not needed but are turned on are popular points of entry for attackers. Asset discovery can use ICMP echo (ping), TCP packets and UDP packets, the latter two being useful if echo is turned off on some assets (as it should be for internet-facing assets).
The tool has its own ticketing system and drill-down is excellent. By identifying the tickets for an asset, you can drill down to see the details of each vulnerability. Reporting is extensive, and you can create ad hoc reports in CSV format from SQL queries. In addition to an impressive array of compliance reports - PCI, for example - you can create your own templates or modify existing ones.
While Nexpose Ultimate does not explicitly provide pen testing, Rapid7 provides the commercial version of Metasploit, a venerable pen testing tool.
The website is about as complete as one could want. Just about every aspect of buying, owning and using Nexpose tools is represented, and there is a good community area. You can even download free versions of many Rapid7 tools, such as a small version of Nexpose or a community version of Metasploit.
Pricing is a bit on the high side, averaging $125 per IP at the 128-IP level. There is a good collection of support options - again, a bit on the high side.
That said, this is a solid enterprise-grade vulnerability management tool, complete with most of the pieces you need, and it certainly is scalable across even the largest enterprises. Once we had the tool up and running, we had no trouble navigating it and looking for creative ways to scan an enterprise.