@RISK Online - The Security Blog
GFI LANguard NSS Review
Introduction
In today's world of pervasive security threats it is ever more critical to know the current security posture of all systems in your environment. Organizations must have a continuous awareness of their exposure.
This can be accomplished through various means. One of the most common methods of auditing the security of computer systems is running a vulnerability scan. This paper is a brief review of the new release of LANguard Network Security Scanner (GFI LANguard NSS) from GFI. NSS scans computers for known vulnerabilities, common misconfigurations and other potential security issues. It produces reports that can be used to assist in tracking and mitigating the security issues it has identified.
Furthermore, NSS provides patch management capabilities that allow you to centrally download patches and push them out to systems with identified vulnerabilities. Some key features of NSS are:
· Identification of rogue services and open TCP and UDP ports
· Detection of known CGI, DNS, FTP, Mail, RPC and other vulnerabilities
· Detection of open shares, listing who has access to these shares together with their permissions
· Enumeration of users, services, etc.
A complete list of features can be found in the product manual. My intention with this review is to see just how easily one can begin using this product – without reading the manual. Now, RTFM is on the lips of all tech support people reading this article. I fully understand that. But this is the point-and-click world, and frankly, if you can't just pick up a product and start using it, then the interface probably needs some improvement.
Installation
The installation of NSS was quick, easy and painless. Very little user interaction is required for the installation process. You will, of course, need to read and accept their license agreement and provide your license key. You will then see the following screen:

You will need to specify an account with Domain Administrator privileges, which will be used by the LANguard NSS Attendant service to perform scheduled scans. You will also be asked to select either Microsoft Access or Microsoft SQL Server/MSDE as the database back-end for NSS. If you choose Microsoft SQL Server/MSDE as the database, you will receive an additional prompt for the SQL credentials to use to log on to the database. NSS has the ability to send administrative alerts via email, so you will need to provide an administrator email address and your mail server name.
First Scan
Upon running NSS for the first time, you are presented with what initially may seem to be a rather complex interface. Once you take a closer look, however, it's much simpler than it first appears:

The left portion of the interface is a Tools Explorer. The right-hand portion is where scan results are displayed. I wanted to jump right into my first scan, so I clicked File and selected New. I was then presented with the following options:

Since this was my first attempt, I chose to scan a single computer. I wanted to know what NSS would tell me "out of the box", so I used the default scan profile as well:

I was quite surprised to see how much information the default scan profile provided. It was immediately apparent that I have some vulnerabilities that I need to address. Let's see what we have:

By clicking on the Vulnerabilities item in the Scanned Computers window, I get more details on the vulnerabilities. NSS identifies missing service packs and patches, but not just for the operating system: it also showed me that I'm missing an MS Office service pack. It gives some high-level details about each vulnerability: the missing service pack or patch, the vulnerability that it addresses (including the Microsoft ID), and the URL or path where the patch can be located.
NSS has identified all the vulnerabilities, and the System patching status provides a terrific summary by showing the status of ALL patches and service packs:

If I only had one system to maintain I could easily use Windows Update, but with multiple systems I'd like an easy way to automate this process. Fortunately, NSS provides a solution.
Deploy Microsoft Updates
NSS has a wonderful built-in tool to automatically download, distribute, and deploy Microsoft updates across multiple systems. This is accessed via the Scanned Computers window:

Select the computer that you want to be patched and right-click on it. From the pop-up menu, select Deploy Microsoft updates, and then either Service packs on or Patches on. The deployment tool will show the service packs or patches that need to be distributed, with some options that give you a degree of control over the process:

I first tried to deploy patches by accepting all default settings and clicking Start, but nothing happened. I still didn't want to crack open the manual, so I started a brief investigation. I quickly discovered that the patches need to be downloaded before the deployment can take place. This process is partially automated. I say "partially" because you have to perform this step separately from the deployment itself. NSS will handle the download for you; you simply need to tell it to do so:

The download took place quickly and neatly in the background, with NSS giving me the status of the download within its display. Once the download was complete, I clicked Start and the deployment process kicked off immediately! This is almost as easy as Windows Update, and it can be performed on multiple systems across the network.
Configuration Vulnerabilities
While applying service packs and system patches is a large part of security management, there are more mundane issues that need to be resolved as well. Specifically, system administration and configuration errors must be tracked and resolved. NSS is able to identify many misconfigurations and potential administration issues that should at least be reviewed. The first one that jumped out of my initial scan was Password Policy. NSS displays the current system Password Policy settings:

NSS does not do any analysis of your policy, nor does it provide any method for making changes. I can't really fault GFI for this decision, however. While there could be an informational message explaining good password policies, there is no universal answer. Furthermore, there are so many ways of addressing these settings that it is really NOT advisable to attempt this via a wizard or some other 3rd-party interface. Password policies can be set through local system policies, or they can be deployed globally across a domain using Group Policy Objects (GPOs).
The next configuration item that caught my attention was the Security Audit Policy. By default, there is no auditing enabled in any version of Windows. This time, however, NSS does provide a Wizard to assist you in setting up reasonable audit settings:

The wizard displays what it calls recommended auditing policies. You are not forced to accept these settings, but can modify them in the wizard before applying them. My personal feeling is that these settings are a bit too much. Before applying any audit policies you should consider these points:
· What is the purpose of the system being evaluated?
· What sort of information is being processed by this system?
· What environment is this system in? Is it a home computer? A workstation? A web server for a highly visible organization? A data repository of sensitive information?
· Is it "visible" to the Internet? Intranet? Or is it an isolated system in a secure environment with limited connectivity?
Apply audit policies in accordance with the sensitivity of the system and its potential exposure to attack or compromise.
I'm not going to go into extreme detail on additional configuration features, but NSS does give a good profile of your systems, including:
· Enumeration of open TCP and UDP ports
· Enumeration of open shares, listing who has access to these shares together with their permissions
· Enumeration of groups, including group members
· Enumeration of users, services, etc.
· Enumeration of USB devices
· Enumeration of network devices and identification of the device type (Wired, Wireless, Virtual)
These details provide an excellent system profile, and may expose potential problems such as rogue services or unprotected file shares.
Reporting
Once you have all this information, what are you going to do with it? Perhaps you perform security audits for your organization, but you are not involved in system administration. Perhaps the affected systems belong to multiple groups, and you need to get the information to many people. You will at least need to notify your boss/manager of the findings. For this, you need reporting capabilities. Unfortunately, NSS does not provide any built-in reporting capabilities.
I was quite surprised by this omission. This is a good tool, with some excellent features, but at some point you have to report to the boss. You need to be able to provide reports of:
· The systems that have been evaluated.
· The vulnerabilities identified on each system, preferably in multiple formats (critical vulnerabilities and the systems that are affected; vulnerable systems sorted by domain, section, IP, etc.; patch status of evaluated systems).
· What has been done to mitigate the identified vulnerabilities.
· The change in security posture over time.
NSS can be run from a command line, with the option of saving output to either XML or HTML format. The output is not an actual report, but simply the results of the scan, similar to what is shown in the GUI.
While there are no built-in report features, the data is stored in an Access database. It would be trivial to develop your own reports based on the stored data, but it would be very nice to have some simple canned reports included with the product.
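To show what "developing your own reports" from the raw scan output can look like, here is an added example that is not part of this review and not GFI's code. It takes a scan export, produces the four report items listed above (systems evaluated, vulnerabilities by severity with the affected systems, patch status, and the change in posture between two scans), and also flags the rogue services and unprotected shares mentioned in the configuration section. The XML element names, patch ids, hostnames and addresses are all constructed for the example; the real NSS XML export format is not documented on this page, so a practitioner would adapt parse_scan to whatever the actual export contains.

```python
# Added example, not GFI's code: summarize a scan export and compare two of them.
# The <scan>/<host>/<vuln>/<patch>/<port>/<share> layout is a constructed stand-in
# for the real NSS XML export, whose schema is not known here.
import xml.etree.ElementTree as ET
from collections import defaultdict
# Constructed samples: the same two machines scanned a week apart; ids are placeholders.
SCAN_WEEK1 = """<scan date="2004-03-01">
  <host name="WS01" ip="192.0.2.10">
    <vuln id="PATCH-001" severity="critical"/><vuln id="PATCH-002" severity="high"/>
    <patch id="PATCH-001" status="missing"/><patch id="PATCH-002" status="missing"/>
    <port proto="tcp" number="139"/><port proto="tcp" number="445"/><port proto="tcp" number="6667"/>
    <share name="Docs" everyone="full"/>
  </host>
  <host name="SRV01" ip="192.0.2.20">
    <vuln id="PATCH-001" severity="critical"/>
    <patch id="PATCH-001" status="missing"/><patch id="PATCH-002" status="installed"/>
    <port proto="tcp" number="80"/><port proto="tcp" number="445"/>
    <share name="Public" everyone="read"/>
  </host>
</scan>"""

SCAN_WEEK2 = """<scan date="2004-03-08">
  <host name="WS01" ip="192.0.2.10">
    <vuln id="PATCH-002" severity="high"/>
    <patch id="PATCH-001" status="installed"/><patch id="PATCH-002" status="missing"/>
    <port proto="tcp" number="139"/><port proto="tcp" number="445"/>
    <share name="Docs" everyone="read"/>
  </host>
  <host name="SRV01" ip="192.0.2.20">
    <vuln id="PATCH-004" severity="critical"/>
    <patch id="PATCH-001" status="installed"/><patch id="PATCH-004" status="missing"/>
    <port proto="tcp" number="80"/><port proto="tcp" number="445"/>
    <share name="Public" everyone="read"/>
  </host>
</scan>"""

EXPECTED_PORTS = {("tcp", 80), ("tcp", 139), ("tcp", 445)}  # expected listeners; others get flagged

def parse_scan(xml_text):
    """Return (scan date, {host: details}) so every report function shares one shape."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for h in root.findall("host"):
        hosts[h.get("name")] = {
            "vulns": {v.get("id"): v.get("severity") for v in h.findall("vuln")},
            "patches": {p.get("id"): p.get("status") for p in h.findall("patch")},
            "ports": {(p.get("proto"), int(p.get("number"))) for p in h.findall("port")},
            "shares": {s.get("name"): s.get("everyone") for s in h.findall("share")},
        }
    return root.get("date"), hosts

def vulns_by_severity(hosts):
    """{severity: {vuln id: [affected hosts]}}: critical issues and who is affected."""
    out = defaultdict(lambda: defaultdict(list))
    for name, info in hosts.items():
        for vid, sev in info["vulns"].items():
            out[sev][vid].append(name)
    return {sev: {vid: sorted(hs) for vid, hs in by_id.items()} for sev, by_id in out.items()}

def patch_status(hosts):
    """Per-host count of missing and installed patches (the patching status summary)."""
    return {name: {st: sum(1 for s in info["patches"].values() if s == st)
                   for st in ("missing", "installed")} for name, info in hosts.items()}

def exposure_findings(hosts, expected_ports=EXPECTED_PORTS):
    """Possible rogue services and unprotected shares that someone should review."""
    findings = []
    for name, info in sorted(hosts.items()):
        for proto, num in sorted(info["ports"] - expected_ports):
            findings.append((name, f"unexpected listener {proto}/{num}"))
        for share, perm in sorted(info["shares"].items()):
            if perm in ("full", "change"):
                findings.append((name, f"share {share} grants Everyone {perm} access"))
    return findings

def compare_scans(old_hosts, new_hosts):
    """Posture change between two scans: vulnerabilities fixed and newly found."""
    fixed, new = [], []
    for name in sorted(set(old_hosts) | set(new_hosts)):
        before = set(old_hosts.get(name, {"vulns": {}})["vulns"])
        after = set(new_hosts.get(name, {"vulns": {}})["vulns"])
        fixed += [(name, v) for v in sorted(before - after)]
        new += [(name, v) for v in sorted(after - before)]
    return {"fixed": fixed, "new": new}

def render_report(xml_text, previous_xml=None):
    """Plain-text summary covering the report items the review asks for."""
    date, hosts = parse_scan(xml_text)
    by_sev = vulns_by_severity(hosts)
    lines = [f"Scan report for {date}", "Systems evaluated: " + ", ".join(sorted(hosts))]
    for sev in ("critical", "high", "medium", "low"):
        for vid, affected in sorted(by_sev.get(sev, {}).items()):
            lines.append(f"  [{sev}] {vid}: {', '.join(affected)}")
    for name, st in sorted(patch_status(hosts).items()):
        lines.append(f"  {name}: {st['missing']} patches missing, {st['installed']} installed")
    lines += [f"  review {name}: {text}" for name, text in exposure_findings(hosts)]
    if previous_xml:
        diff = compare_scans(parse_scan(previous_xml)[1], hosts)
        lines.append(f"Since previous scan: {len(diff['fixed'])} fixed, {len(diff['new'])} new")
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_report(SCAN_WEEK2, SCAN_WEEK1))
```

Running the script prints the week-two report with a closing "2 fixed, 1 new" line, which is the kind of trend a manager actually wants to see. The port allowlist is deliberately per-environment: the same listener that is expected on a web server is a finding on a workstation, which is the point the audit-policy discussion above makes about judging each system by its role and exposure.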
Summary
Overall, I think LANguard Network Security Scanner is a decent product. It combines vulnerability scanning and patch distribution into a very simple and straightforward package. Its strengths are definitely its ease of use, its flexibility, and the fact that it serves as both vulnerability scanner and patch manager. Its primary weakness is the lack of built-in reporting. I plan to continue using NSS here in my home office. I have about 10 systems that I need to maintain, and until now, I've been letting the patches download automatically and then manually installing them myself at each machine. I will use NSS primarily for its patch management feature, so I don't need to go room to room to make sure all my systems are up to date.
Please note, I've barely scratched the surface of what this product can do. I've already mentioned that one of the strengths of NSS is its flexibility. Along with all the features I discussed in this article, here's a list of what I didn't address:
· Detects known CGI, DNS, FTP, Mail, RPC and other vulnerabilities
· Detects wireless devices
· Detects rogue or back-door users
· Enumeration of network devices and identification of the device type (Wired, Wireless, Virtual)
· Can perform scheduled scans
· Automatically updates security vulnerability checks
· Ability to save and load scan results
· Ability to compare scans, to learn about new possible entry points
· Operating system identification
· SSH module which allows execution of security scripts on Linux/Unix machines
I think that overall, this product is definitely worth a look. With strong features and reasonable pricing, I think it can fit the bill for many small to medium-sized organizations.
References:
LANguard Network Security Scanner information
LANguard Network Security Scanner download