Tuesday, December 16, 2008

GFI LANguard 9 Review

As a consultant, I used GFI LANguard (7?...it was at least 2 years ago) as a tool, in conjunction with nmap and some others, to perform security audits for our clients.

Now I've an opportunity to use it again, and agreed to give it a review.

Environment

The download from GFI's website was surprisingly small: only 50 MB.

The installation was straightforward, with only two questions: the installation location, and the initial credentials to use for scanning your domain. The UI is no different; it's very intuitive. I'd expect nothing else from GFI, since most of their products are the same way.

The product is broken up into four components:

  • Management Console - the central location for launching scans, viewing saved scans, configuring options, and using specialized network security tools.
  • Attendant Service - runs scheduled scans and patch deployments.
  • Patch Agent Service - handles the deployment of patches, service packs and software updates.
  • Script Debugger - use a VBScript-compatible language to write your own vulnerability checks.

The strategy suggested by LANguard for vulnerability management is:

  • Scan
  • Analyze
  • Remediate

or, wash, rinse, repeat :-)

Network Audit

The first window you see upon program launch is the Network Audit tab. Here you have the option to scan the localhost, scan an entire network, launch a custom scan, or set up a scheduled scan. I opted to scan the entire network, knowing that it would stop after the 4th host is found, since that is the limit of my NFR key (in addition to not being able to receive product updates...which begs the question: how recent is my security vulnerability DB?). I digress....

During a scan operation, you can easily navigate through most of the program without interrupting it. From inside the Network Audit tab, which shows you a rather bland scan status, I could switch to the more familiar Analyze page, where you can see the actual scan threads and any error messages generated.

It took some time to scan (about 2 hours), but it did come back with a bevy of security vulnerabilities. I then decided to scan a single Windows 2003 Standard server, which is a DC and application server. This took only 15 minutes, and the results are listed to the right.

What I like about this layout is that you get some similar options to the older version: A quick-launch option at the top, an overview of the scan on the left, and the details displayed on the right as you click on the overview items.

In addition to showing you patch vulnerabilities, LANguard also checks for configuration issues. My server has an ASP application that runs on a private LAN, with no publicly available pages, and I was shown some best-practice information, with direct links to MS KB articles. User accounts, network ports, hardware devices, installed applications, network shares, some security policies, and many more details are also displayed. Quite nice to get a top-down list like that, relieving you of having to dig through a series of MMCs and other UIs to collect this type of info.

Once you've reviewed the scan, you click the Remediate link, and you are shown a list of all available patches, with options to sort by computers, patches, or deployment status. It's presented as a 3-step process: 1. Choose computer, 2. Choose patches, 3. Launch. In this area you can also deploy service packs and custom software, and uninstall said software. There are also some handy links for changing credentials, computer profiles, deployment options and patch auto-download options.

You may also schedule your software deployment from the launch area.

Dashboard

The Dashboard shows you a pretty picture of your last scan: overall vulnerability level, vulnerability distribution, most vulnerable computers, and a timeline of vulnerability. You can also get a snapshot of your scheduled operations here.

The Dashboard will not show a vulnerability rating without valid credentials to the target computer. I found this to be a bit problematic trying to scan my Cisco ASA 5510 configured to authenticate against RADIUS. I tried both a domain account and local, which both failed the SSH connection test. My guess is that it hits it so many times that AAA marks my RADIUS server as failed, and falls back to LOCAL authentication...

Configuration

Options include:

  • Scanning Profiles allow you to customize scans, assessments and the network/software audit.
  • Scheduled Scans
  • Computer Profiles are useful if you have some non-Windows computers or devices with differing credentials than the Domain.
  • Applications Inventory will list all apps found, and give you the opportunity to uninstall invalid ones!
  • Microsoft Updates mimics WSUS in a simplified manner, allowing you to approve patches, and schedule automatic download of them.
  • Alerting is configured here, along with fine-tuned scanning profiles for notifications.
  • Database Maintenance Options helps you clean up your DB, host it on a SQL server, and perform other maintenance tasks.
  • Program Update for scheduling application updates.

Utilities

At first glance, I nearly glazed over this area, until I saw the Enumerate Users, Enumerate Computers, SNMP Audit, SNMP Walk, and SQL Server Audit tools. These are all great tools to have, but the configuration of the SQL Server Audit tool reveals the user account it will run a password-guessing brute force attack against, and the bundled password list is quite weak. Go find more if you want to use this tool. The same holds true for the SNMP Audit tool.

Personal Notes

Some particular things I noticed during my testing, not all good or bad, were:

  • LANguard licensing consists of an SMA (Software Maintenance Agreement), which controls product updates and Vulnerability Assessment definitions, and a limit to the number of machines that can be scanned and stored in the database. I scratched my head for 15 minutes trying to figure out why I couldn't simply scan 4 different machines; since LANguard stores the machines scanned in the DB, you can't scan different targets until they are removed.
    • Go to Configure, Database Maintenance Options.
    • Choose Manage List of Scanned Computers
    • Delete computers to make room for new ones!