GFI LANguard Network Security Scanner 6

Introduction

In today’s world of pervasive security threats it is ever more critical to know the current security posture of all systems in your environment. Organizations must have a continuous awareness of their exposure. This can be accomplished through various means. One of the most common methods of auditing the security of computer systems is running a vulnerability scan.

This is a review of the new release of LANguard Network Security Scanner (GFI LANguard NSS) from GFI. NSS will scan computers for known vulnerabilities and common misconfigurations and other potential security issues. It produces reports that can be used to assist in the tracking and mitigation of security issues that have been identified. Furthermore, NSS provides patch management capabilities that allow you to centrally download and push out patches to systems with identified vulnerabilities. Some key features of NSS are:

• The identification of rogue services and open TCP and UDP ports.
• Detects known CGI, DNS, FTP, Mail, RPC and other vulnerabilities.
• Detects Open shares and lists who has access to these shares together with their permissions.
• Enumeration of users, services, etc.

A complete list of features can be found in the product manual. My intention with this review is to see just how easily one can begin using this product – without reading the manual. This is the point-and-click world, and frankly, if you can’t just pick up a product and start using it, then the interface probably needs some improvement.

Installation

The installation of NSS was quick, easy and painless. Very little user interaction is required for the installation process. You will, of course, need to read and accept their license agreement and provide your license key. You will then see the following screen:

You will need to specify an account with Domain Administrator privileges which will be used by the LANguard NSS Attendant service to perform scheduled scans. You will also be asked to select either Microsoft Access or Microsoft SQL ServerMSDE as the database back-end for NSS. If you choose Microsoft SQL Server/MSDE as a database then you will receive an additional prompt for the SQL credentials to use to log on to the database. NSS has the ability to send administrative alerts via email, so you will need to provide an administrator email address and your mail server name.

First Scan

Upon running NSS for the first time, you are presented with what initially may seem to be a rather complex interface. Once you take a closer look, however, it’s much simpler than it first appears:

The left portion of the interface is a Tools Explorer. The right-hand portion is where scan results are displayed. I wanted to jump right into my first scan, so I clicked File and selected New. I was then presented with the following options:

Since this was my first attempt, I chose to scan a single computer. I wanted to know what NSS would tell me “out of the box” so I used the default scan profile as well:

I was quite surprised to see how much information the default scan profile provided. It was immediately apparent that I have some vulnerabilities that I need to address. Let’s see what we have:

By clicking on the Vulnerabilities item in the Scanned Computers window, I get more details on the vulnerabilities. NSS identifies missing service packs and patches, but not just for the operating system. It also showed me that I’m missing an MS Office service pack. It gives me some high-level details about each vulnerability. It identifies the missing service pack or patch, the vulnerability that it addresses (including the Microsoft ID), and the URL or path where the patch can be located.

NSS has identified all the vulnerabilities, and the System patching status provides a terrific summary by showing the status of ALL patches and service packs:

If I only had one system to maintain I could easily use Windows Update, but with multiple systems I’d like an easy way to automate this process. Fortunately, NSS provides a solution.
Deploy Microsoft Updates

NSS has a wonderful built-in tool to automatically download, distribute, and deploy Microsoft updates across multiple systems. This is accessed via the Scanned Computers window:

Select the computer that you want to be patched and right-click on it. From the pop-up menu, select Deploy Microsoft updates, and then either Service packs on, or Patches on. The deployment tool will show the service packs or patches that need to be distributed, with some options to provide some control over the process:

I first tried to deploy patches by accepting all default settings and clicking Start but nothing happened. I still didn’t want to crack open the manual, so I started a brief investigation. I quickly discovered that the patches need to be downloaded before the deployment can take place. This process is partially automated. I say “partially” because you have to perform this step separately from the deployment itself. NSS will handle the download for you; you simply need to tell it to do so:

The download took place quickly and neatly in the background, with NSS giving me the status of the download within its display. Once the download was complete, I clicked Start and the deployment process kicked off immediately! This is almost as easy as Windows Update, and it can be performed on multiple systems across the network.

Configuration Vulnerabilities

While applying service packs and system patches is a large part of security management, there are more mundane issues that need to be resolved as well. Specifically, system administration and configuration errors must be tracked and resolved. NSS is able to identify many misconfigurations and potential administration issues that should at least be reviewed. The first one that jumped out of my initial scan was Password Policy. NSS displays the current system Password Policy settings:

NSS does not do any analysis of your policy, nor does it provide any method for making changes. I can’t really fault GFI for this decision, however. While there could be an informational message explaining good password policies, there is no universal answer. Furthermore, there are so many ways of addressing these settings, it is really NOT advisable to attempt this via a wizard or some other 3rd party interface. Password policies can be set through local system policies, or they can be deployed globally across a domain using Group Policy Objects (GPOs).

The next configuration item that caught my attention was the Security Audit Policy. By default, there is no auditing enabled in any version of Windows. This time, however, NSS does provide a Wizard to assist you in setting up reasonable audit settings:

The wizard displays what it calls recommended auditing policies. You are not forced to accept these settings, but can modify them in the wizard before applying them. My personal feeling is that these settings are a bit too much. Before applying any audit policies you should consider these points:

• What is the purpose of the system being evaluated?
• What sort of information is being processed by this system?
• What environment is this system in? Is it a home computer? A workstation? A web server for a highly visible organization? A data repository of sensitive information?
• Is it “visible” to the Internet? Intranet? Or is it an isolated system in a secure environment with limited connectivity?

Apply audit policies in accordance with the sensitivity of the system and its potential exposure to attack or compromise.

I’m not going to go into extreme details on additional configuration features, but NSS does give a good profile of your systems, to include:

• Enumeration of open TCP and UDP ports.
• Enumeration of Open shares and lists who has access to these shares together with their permissions.
• Enumeration of groups, including group members.
• Enumeration of users, services, etc.
• Enumeration of USB devices.
• Enumeration of network devices and identification of the device type (Wired, Wireless, Virtual).

These details provide an excellent system profile, and may expose potential problems such as rogue services or unprotected file shares.

Reporting

Once you have all this information, what are you doing to do with it? Perhaps you perform security audits for your organization, but you are not involved in system administration. Perhaps the affected systems belong to multiple groups, and you need to get the information to many people. You will at least need to notify your boss/manager of the findings. For this, you need reporting capabilities. Unfortunately, NSS does not provide any built-in reporting capabilities. I was quite surprised by this omission. This is a good tool, with some excellent features, but at some point you have to report to the boss. You need to be able to provide reports of:

• The systems that have been evaluated.
• The vulnerabilities identified on each system, preferably in multiple formats (Critical vulnerabilities and the systems that are affected; vulnerable systems sorted by domain, section, IP, etc; Patch status of evaluated systems).
• What has been done to mitigate the identified vulnerabilities.
• The change in security posture over time.

NSS can be run from a command line, with the option of saving output to either XML or HTML format. The output is not an actual report, but simply the results of the scan, similar to what is shown in the GUI interface.

While there are no built-in report features, the data is stored in an Access database. It would be trivial to develop your own reports based on the stored data, but it would be very nice to have some simple canned reports included with the product.

Conclusion

Overall, I think LANguard Network Security Scanner is a decent product. It combines vulnerability scanning and patch distribution into a very simple and straightforward package. Its strengths are definitely in its ease of use, its flexibility, and the fact that it serves as both Vulnerability scanner and patch manager. Its primary weakness is the lack of built-in reporting. I plan to continue using NSS here in my home office. I have about 10 systems that I need to maintain, and until now, I’ve been letting the patches download automatically, and then manually installing them myself at each machine. I will use NSS primarily for its patch management feature, so I don’t need to go room to room to make sure all my systems are up to date.

Please note, I’ve barely scratched the surface of what this product can do. I’ve already mentioned that one of the strengths of NSS is its flexibility. Along with all the features I discussed in this article, here’s a list of what I didn’t address:

• Detects known CGI, DNS, FTP, Mail, RPC and other vulnerabilities.
• Detects Wireless devices.
• Detects Rogue or back-door users.
• Enumeration of network devices and identification of the device type (Wired, Wireless, Virtual).
• Can perform Scheduled Scans.
• Automatically updates Security vulnerability checks.
• Ability to save and load scan results.
• Ability to compare scans, to learn about new possible entry points.
• Operating system identification.
• SSH Module which allows execution of security scripts on Linux/Unix machines.

I think that overall, this product is definitely worth a look. With strong features and reasonable pricing, I think it can fit the bill for many small to medium sized organizations.