The ease or difficulty of each scanning method depends on your environment and your organizational needs.
Consider the following questions:
- Is it possible to install a Nessus scanner and possibly a Nessus Network Monitor in every network segment?
- Would it be easier to install a small number of Nessus Managers (for example, 1 or 3) and just allow the agents to report back in over and through hops and firewalls, etc.?
- Are all your systems online, connected, and reporting back full results during your scan windows?
- Are all systems, when sleeping, configured correctly and respond appropriately to wake-on-lan?
- Do you spend time trying to keep track or obtain the current credentials for a large number of systems?
- Does your network include a number of laptops that predominantly work remotely and which cannot be credential-scanned through VPN or when not connected to the organization network directly?
The majority of plugins work with Nessus Agents. The exceptions include:
- Plugins that work based on remotely disclosed information or that detect activity performed through remote connectivity, such as logging into a DB server, trying default credentials (brute force), or traffic related enumeration.
- Plugins related to network checks.
There are also cases where there is overlap in the intent of the check. For example, if you use OS fingerprinting without credentials in a network-based scan and query the system for the exact version of its OS in a credentialed scan, this overlap heightens the credential findings over the network, since the network version tends to be a best guess.