Every organization has needs that will be somewhat different from another related to their vulnerability management program. This can vary from the scanner used (cloud or on premise), the places where sensors are deployed, technology in your environment, and over needs of your vulnerability management program. The following is some recommended deployment best practices that, hopefully, should apply to everyone.By: Justin Fimlaid

Every organization has different needs related to their vulnerability management program. This varies from the scanner used (cloud or on premise), the places where sensors are deployed, the technology environment, and the needs of your vulnerability management program. That being said, here’s some deployment best practices that apply to most everyone.

Additional Scanners Required

Conducting actor scans through a firewall or other network devices can impact scan results or the network device itself. Therefore, it’s best to deploy additional Nessus scanners in hard-to-reach places like portions that are segregated behind firewalls. Since the scanners reside on the same network segment as their target, these scanners can access systems without network topology issues interfering with their operation.

Scaling your Tenable IO Scan

For scaling purposes, Tenable recommends deploying an additional scanner for at least every one thousand intended scan targets. For large scale scans, customers should then assign scanners to scanner groups so groups of scanners can load share. Users should then place passive network monitor listeners in each network segment for full network coverage. Passive network scanners are placed on a span port, virtual span port, or network tap. This allows Tenable IO to see all network traffic in all directions, inbound, outbound, and host to host as long as it traverses the network device from which Nessus network monitor is receiving data. Network admins can also place a listener at the ingress and egress points to audit communications into and out of the environment.


Each sensor should have at least two network interfaces: one for management and one for listening rated for a maximum of 1 GB of traffic. With the special license and specific hardware traffic, you can monitor up to 10 GB. Deploying Nessus agents on a per-host basis can help overcome obstacles like systems with uncertain connectivity, i.e. remote offices and mobile laptops. Agents can conduct local vulnerability, configuration, and compliance assessments. Agents are ideal for deploying with a standard system image to ensure greater asset coverage. A best practice is to have all new agents join the default group for easy new agent identification and later sorting. You can automate this process during installation or by using the built-in command line tool.

Tenable IO Distributed Network

Tenable IO includes access to Tenable’s distributed network of cloud scanners for scanning public-facing assets. These do not require deployment efforts and are maintained by Tenable. Tenable also provides Nessus as a preauthorized scanning solution in the AWS marketplace for Amazon Elastic Compute Cloud (Amazon EC2). It can also scan AWS EC2 assets. As it uses a prebuilt integration, identifying assets to be scanned in real-time is an automatic process. Tenable also offers third-party connectors for AWS and Qualys. AWS Cloud Trail must be configured and an IAM permissions policy created prior to creating the AWS connector.

If you need assistance with Tenable IO, advice on deployment practices, or turn-key support with Tenable vulnerability management managed services contact us today!