GFI LANguard 9 Review

As a consultant, I used GFI LANguard (7?...it was at least 2 years ago) as a tool, in conjunction with nmap and some others, to perform security audits for our clients.

Now I've an opportunity to use it again, and agreed to give it a review.

Environment

The download from GFI's website was surprisingly small; only 50mb.

The installation was straight forward, with only two questions; installation location, and initial credentials to use for scanning your domain. The UI is no different, very intuitive. I'd expect nothing else from GFI, since most of their products are the same way.

The product is broken up into four components:

  • Management Console - the central location for launching scans, view saved scans, configure options, and use specialized network security tools.
  • Attendant Service - runs scheduled scans and patch deployments.
  • Patch Agent Service - handles the deployment of patches, service packs and software updates.
  • Script Debugger - use a vbscript compatible language to write your own vulnerability checks.

The strategy suggested by LANguard for vulnerability management is:

  • Scan
  • Analyze
  • Remediate

or, wash, rinse, repeat :-)

Network Audit

The first window you see upon program launch is the Network Audit tab. Here you have the option to scan the localhost, an entire network, launch a custom scan, or set up a scheduled scan. I opted to scan the entire network, knowing that it will stop after the 4th host is found, since that is the limit to my NFR key (in addition to not being able to receive product updates...which begs the question; How recent is my security vulnerability DB?) I digress....

During a scan operation, you can easily navigate through most of the program without interrupting it. I found going from inside the Network Audit tab, which shows you a more bland Scan status, I could switch to the more familiar Analyze page, where you can see the actual scan threads, and any error messages generated.

It took some time to scan; about 2 hours, but it did come back with a bevy of security vulnerabilities. I decided to scan a single Windows 2003 Standard server, which is a DC and application server. This took only 15 minutes, and the results are listed to the right.

What I like about this layout is that you get some similar options to the older version: A quick-launch option at the top, an overview of the scan on the left, and the details displayed on the right as you click on the overview items.

In addition to showing you patch vulnerabilities, LANguard also checks for configuration issues. My server has an ASP application that runs on a private LAN, with no publicly available pages, and I was shown some best-practice information, with direct links to MS KB articles. User accounts, network ports, hardware devices, applications installed, network shares, some security policies, and many more details are also displayed. Quite nice to get a top-down list like that, relieving you of having to dig through a series of MMC's, and other UI's to collect this type of info.

Once you've reviewed the scan, you click the Remediate link, and you are shown a list of all patches available, with options to sort by computers, patches, or deployment status. It's presented in a 3 step process; 1. Choose computer, 2. Choose patches, 3. Launch. In this area you are also able to deploy service packs and custom software, as well as given the ability to uninstall said software. There are also some handy links for changing credentials, computer profiles, deployment options and patch auto-download options.

You may also schedule your software deployment from the launch area.

Dashboard

The Dashboard shows you a pretty picture of your last scan, overall vulnerability level, vulnerability distribution, most vulnerable computers, and a time-line of vulnerability. You can also get a snapshot of your scheduled operations here.

The Dashboard will not show a vulnerability rating without valid credentials to the target computer. I found this to be a bit problematic trying to scan my Cisco ASA 5510 configured to authenticate against RADIUS. I tried both a domain account and local, which both failed the SSH connection test. My guess is that it hits it so many times that AAA marks my RADIUS server as failed, and falls back to LOCAL authentication...

Configuration

Options include;

  • Scanning Profiles allow you to customize scans, assessments and the network/software audit.
  • Scheduled Scans
  • Computer Profiles are useful if you have some non-Windows computers or devices with differing credentials than the Domain.
  • Applications Inventory will list all apps found, and give you the opportunity to uninstall invalid ones!
  • Microsoft Updates mimics WSUS in a simplified manner, allowing you to approve patches, and schedule automatic download of them.
  • Alerting is configured here, and fine tuned scanning profiles for notifications.
  • Database Maintenance Options is helpful to clean up your DB, host it on a SQL server, and perform other maintenance tasks.
  • Program Update for scheduling application updates.

Utilities

At first glance, I nearly glazed over this area, until I saw the Enumerate Users, Enumerate Computers, SNMP Audit, SNMP Walk, and SQL Server Audit tools. These are all great tools to have, but tThe configuration of the SQL Server Audit tool reveals a user to perform a password guess brute force attack on, and the list is quite weak. Go find more if you want to use this tool. The same holds true when using the SNMP Audit tool.

Personal Notes

Some particular things I noticed during my testing, not all good or bad, were;

  • LANguard licensing is comprised of a SMA (Software Maintenance Agreement) which controls product updates and Vulnerability Assessment definitions, and a limit to the number of machines that can be scanned and stored in the database. I scratched my head for 15 minutes trying to figure out why I couldn't simply scan 4 different machines, and since LANguard stores the machines scanned in the DB, you can't scan different targets until they are removed.
    • Go to Configure, Database Maintenance Options.
    • Choose Manage List of Scanned Computers
    • Delete computers to make room for new!
Reblog this post [with Zemanta]

Comments

Post a Comment

Popular posts from this blog

NPI Search Redundancy

Most healthcare professionals know at this point that all providers of health care, require NPI (National Provider Identifier) numbers. Without one, it will become increasingly difficult for claims to be paid by commercial payers, and impossible to collect medicare and medicaid payments. Since we are a coding/billing/collection/management agency, we have frequented the NPPES (National Plan & Provider Enumeration System) to lookup NPI information. Unfortunately, there have been brief periods of downtime of the site, causing us to implement our own solution: a backup of the registry. I have a daily cron job that downloads the NPI database, push it into MySQL, giving us an albeit slow, but accurate access to an off-line version of this data. The shell script below performs the retrieval: #!/bin/sh WORKDIR="/srv/htdocs/npi" LOG="$WORKDIR/npi.log" MONTH=`date +%b` LASTMONTH=`date +%b --date='1 month ago'` YEAR=`date +%Y` URL="http://nppesdata.cms.h
Read more

freeFTPD

Image
Image by Micah68 via Flickr I've been using FileZilla FTP server for some time now and have been happy for the performance. Recently, we needed the ability to expose the FTP service to another client, and the documents that we'd be receiving would be arriving in an un-encrypted form, unlike our other clients. I decided I could simply enable FTPS , the SSL enabled FTP protocol and open a port to 990 on my ASA 5525 Security Appliance and NAT traffic to our server. Unfortunately I quickly found out that a passive FTPS server behind my firewall won't work without some specific configuration changes as discussed in this article . With all that fussing around, I decided to check out freeFTPd, a single deamon that offers both FTP and SFTP, not to be confused with FTPS, but the secure file transfer protocol that is common to the SSH ( secure shell ) protocol. It's fairly straight forward, but is a bit quirky and the documentation is non-existent. Follow some of my ti
Read more

Using ImageMagick and Tesseract to sort TIFFs on Windows

Image
Recently I wrote a post about my search for a TIFF iFilter that would enable me to use VBScript to query a Windows Indexing Services server for file management. I found that since OCR is never always 100% accurate, neither were my attempts at sorting all the inbound EMR faxes we get each day. I did however, find Tesseract , a great product that was originally developed by HP and proprietary, and is now developed by Google and licensed under the Apache License v2, open source . It is one of the most accurate open source OCR engines available. It is quite basic, and in the version you obtain from the project page , it only operates from the command line, and without the libtiff library, will only do it's work on un-compressed TIFFs. More information can be found on the project pages , and Wikipedia . Doing some scouring, I aso found a front-end , and ArchivistaBox, a complete document management system . Image via Wikipedia I'm using it in Windows, so I needed to do one of
Read more