NeXpose Release July 11, 2011

Document created by mburstein Employee on Jul 11, 2011. Last modified by mburstein Employee on Nov 1, 2011.
Version 3

Rapid7 2011-07-11 product updates
Release announcement

         

The Rapid7® NeXpose® 2011 Summer Release (v4.12.1), a General Availability release, features support for new platforms and private cloud deployments, more powerful and flexible permission management, expanded workflow for vulnerability exceptions, and many other improvements.

 

This announcement documents what's new in this NeXpose release. Your NeXpose installation will automatically download and install content updates. If you have enabled NeXpose to install product updates, it will do so as well. See the third FAQ.

        

Reminder: Complete your database migration!
                 

         

If you have not migrated yet: All releases of NeXpose now require the PostgreSQL 9 database to be running. If you are using an earlier version of PostgreSQL, your NeXpose installation will be ineligible to receive any content or product updates. Over time, this will result in decreased accuracy and validity of your results and reporting.


To execute the migration, first download and review the guide Migrating the NeXpose Database. This document includes detailed instructions on how to prepare for, run, and monitor the migration.

 

After reviewing the guide, go to the Database Migration page, which you can access by clicking the maintenance link on the Administration page of the console Web interface. When you are ready to execute the migration, click the Start Migration button. Follow the migration guide for instructions throughout the process.

Support for Windows 7 and additional platforms

Expanded operating system support gives you more options for popular platforms to run NeXpose on. The following are newly supported operating systems:

 

  • Windows 7 Professional (RTM and SP1), Ultimate, Enterprise; 32-bit and 64-bit*
  • Windows Server 2008 R2 SP1, Standard, Enterprise; 64-bit
  • Ubuntu 10.04 LTS 64-bit
  • VMware ESX 3.5
  • VMware ESXi 3.5
  • VMware ESX 4.0
  • VMware ESXi 4.0
    *This platform is supported for the Security Console only. All other platforms listed on the Rapid7 Web site are supported for the standalone Scan Engine, as well as the Security Console. See http://www.rapid7.com/products/nexpose/system-requirements.jsp for all supported platforms.

 

Private cloud support

The new multi-tenant architecture supports private cloud deployments, providing greater scalability and flexibility for enterprises and MSSPs. Your organization can maintain silos of information for various clients or business units while achieving economies of scale with shared infrastructure. For information on how to set up and support a private cloud deployment, see the new NeXpose Multi-tenancy Guide, which you can obtain by contacting Technical Support.

Enhanced permissions and roles

New and enhanced permissions give you greater flexibility in assigning responsibilities related to scanning, reporting, and remediating vulnerabilities, as well as performing other critical operations. The Roles page in the Security Console Web interface has been updated to facilitate creating custom roles with the expanded list of permissions available. Certain roles and permissions have been renamed and given updated descriptions to better reflect the activities associated with them. Of particular note, the Site Administrator role has been renamed Site Owner, and the System Administrator role has been renamed Asset Owner. See the NeXpose Administrator's Guide for names and descriptions of all roles and permissions and guidance on how to select them when creating user accounts.

Enhanced report access control

A number of improvements to report functionality help you control visibility into sensitive asset and vulnerability data:

  • With the API v1.2, you can now restrict the use of export formats such as database, CSV, or XML.
  • You can now restrict specific report sections so that only users with the Generate Restricted Reports permission can use them.
  • Secure report distribution allows users to create access lists for reports so that sensitive asset data remains under control of the Security Console.
  • The Report Distribution page has been re-designed for better usability.
See the NeXpose Reporting Guide for detailed information.

 

Expanded workflow and new API for vulnerability exceptions

It is now easier to exclude vulnerabilities from reports and risk scores through a permission-based sequence of activities. By controlling who can submit, review, or delete vulnerability exceptions, you can create a set of checks and balances related to the handling and reporting of vulnerability data. The vulnerability exception workflow is available in the Security Console Web interface (see the NeXpose User's Guide) and the API v1.2 (see the NeXpose Extended API v1.2 Guide).

Dynamic Scan Pooling

You can now create Scan Engine pools with the API v1.2. A pool is a group of Scan Engines that can be bound to a site. Configuring a pool allows you to distribute scan load evenly across all Scan Engines in a pool.

Enterprise scalability and performance

Improvements in back-end architecture result in lower memory footprint and better performance under heavy load.

Other changes

 

 

  • The Maintenance page now works better in Internet Explorer so that you can complete maintenance tasks more easily.
  • The new Site Risk Trend chart on every Site Details page of the Security Console Web interface shows your risk posture over time, improving your ability to make remediation decisions.
  • Improved accuracy of asset counts by operating system helps you to track operating systems in your environment.
  • Improved handling of cookie name/value pairs that contain periods allows for more reliable Web scanning.
  • The ODBC database format for exporting data is no longer supported. JDBC and other export formats remain supported in the product.
  • The API v1.1 now includes the Users element in Site and AssetGroup API functions, allowing you to specify users who have access to sites and asset groups.
  • The API v1.1 and v1.2 guides feature improved interface descriptions to help you integrate API functions with your internal system.

 

End of life announced for Windows Server 2003

Windows Server 2003 (32-bit and 64-bit) will reach end of life as a platform supported by Rapid7 on February 15, 2013. For information on the end of life policy, see the Rapid7 Web site.

Reminder: Clear your browser cache after updating

For best performance, it is strongly recommended that you clear your browser cache after applying this major product update.

          

Product update
                 

                   
  • Linux 32 | Update ID: 2737899882
  • Linux 64 | Update ID: 738592782
  • Windows 32 | Update ID: 2354729496
  • Windows 64 | Update ID: 4158868432

Installers
                 

   Released on July 11, 2011 (see fourth FAQ).                             

md5sum files
                 

Download the appropriate md5sum file to ensure that the installer was not corrupted during download:                                 

Frequently asked questions (FAQs)
                 

                  
  • How will I know NeXpose has updated with this specific release?
    All updates are listed on the News page of the NeXpose Security Console Web interface.
  • Why doesn’t the most recent date on the News page match the dates of the current updates on the Administration page?
    You may occasionally notice that the most recent date on the News page does not match the dates of the current updates listed on the NeXpose Security Console administration page. The dates on the News page are official release dates. The dates on the console page indicate when updates were actually applied to your NeXpose installation.
  • What are content updates, and what are product updates?
    Content updates include new checks for vulnerabilities, patch verification, and compliance with security policies. Product updates include performance improvements, bug fixes, and new features in NeXpose.
  • Why are installers not updated with every release?
    To help you stay on top of an ever-growing number of security threats, Rapid7 makes the delivery of new security content timely and convenient. After installation and first-time start-up, NeXpose continues to update itself dynamically. This makes it unnecessary for Rapid7 to update installers with every release of security content. So, you don't have to download installers every time new content is available.
  • Does this dynamic self-updating cause NeXpose to restart?
    Yes. You may notice NeXpose taking longer to start for the first time after installation. You may also notice it restarting more than once as it completes a required sequence of updates.
  • How can I obtain more information about this release?
    If you have purchased NeXpose, contact our Technical Support Team at Support@Rapid7.com. If you are using the Community version of NeXpose, go to http://community.rapid7.com.
         
Rapid7: Recipient of Highest Ranking in Vulnerability Management
from Gartner and Forrester:
http://www.rapid7.com/resources/gartner_marketscope.jsp
http://www.rapid7.com/resources/forrester-wave.jsp
           
