NetIQ Vulnerability Manager
NetIQ Vulnerability Manager (formerly VigilEnt Security Manager) consists of a Microsoft Management Console (MMC) snap-in, core services, a SQL Server 2000 database, and platform-specific agents. You need to install an agent on at least one target system in the domain you want to scan; you can then scan other systems in the domain by proxy. Of the scanners I tested, this product posted the quickest scan time and provided a lot of additional functionality (beyond simple scanning for known vulnerabilities), including user- and audit-specific scans and reports. For example, you can have the product return a list of "powerful users" who are members of the Administrators group or who can perform privileged operations such as taking ownership of or shutting down a system. The product's Help system is friendly and easy to use. The right-hand pane of the MMC console lists common questions and provides hyperlinks to the answers.
NetIQ Vulnerability Manager ships with a built-in database of more than 600 potential vulnerabilities, which this product calls security checks. The product arranges certain checks into 17 well-thought-out, predefined scans called policy templates. Performing a vulnerability scan consists of running one of these templates on a group of target computers. You can find basic templates that help get you started auditing for regulations, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Sarbanes-Oxley Act (SOX), or for best practices, according to lists such as the SANS Top 20; you can build your own checks as well. Built-in wizards let you quickly create custom scans designed to work with your systems' Active Directory (AD), registry, and user-account settings. You can schedule recurring scans, a plus for organizations that require regular audits.
NetIQ Vulnerability Manager also lets you run predefined tasks that list specific types of users, group memberships, file shares, or system services; you can use another built-in wizard or write a script to create your own tasks. NetIQ Vulnerability Manager uses these tasks when remediating identified vulnerabilities (e.g., when disabling or deleting an account, restricting a share or file permission, stopping an unsafe or unnecessary service).
You can have the product export reports into .html, .pdf, or .xls files and email them or post them to a share or Web site. NetIQ Vulnerability Manager adds a twist to its reporting by letting you assign risk and exposure weighting to servers and vulnerabilities; according to this weighting, the highest-risk systems appear at the top of the product's reports. Such enhanced statistics help you triage discovered vulnerabilities across your enterprise, beyond what's possible using more typical Low-, Medium-, and High-risk rankings. Another reporting highlight is the report viewer's Data View, which Figure 2 shows. This view lets you group, query, and sort results in real time so that you can more easily find specific information. You can export results to Crystal Reports, Adobe Systems' Adobe Acrobat, Microsoft Excel, Microsoft Word, or text formats.
Unfortunately, the report formats are relatively generic, regardless of the policy template you used to perform the scan. The product's remedy explanations are inconsistent in their level of helpfulness; you often must hunt down solutions to found vulnerabilities. On the plus side, though, NetIQ Vulnerability Manager provides an AutoSync product update service that gives you access to TruSecure security bulletins and updated security checks. You can also use NetIQ Vulnerability Manager to check for missing patches on your target systems, although the product can't deploy those patches for you.
See associated table
GFI LANguard N.S.S.
The smallest of the scanners in this roundup, GFI LANguard N.S.S. includes a range of scans to help identify useful security information at a glance. The diversity of available scans is impressive, but the scanner's vulnerability database is much smaller than those of the other products in this roundup. The version I tested retains earlier versions' quick-to-launch, easy-to-use aspects but sports a new look, which Figure 3 shows. I rated the available Help documentation as fair.
The product, which stores scan results in either a Microsoft SQL Server Desktop Engine (MSDE) or SQL Server 2000 database, doesn't use scan groups. When you start a scan, you specify your target systems by name, IP address range, or domain, or you import that information from a text file. The GFI LANguard N.S.S. vulnerability database includes more than 300 (predominantly UNIX) vulnerability checks. You can use the tool's GUI or built-in script editor and debugger to create your own vulnerability checks. GFI LANguard N.S.S. augments its vulnerability scans with share enumerations that include the target computer's permission settings, password policy, security-auditing settings, local users and groups, installed services, and startup type. GFI LANguard N.S.S. also provides TCP and UDP port scanning, highlighting ports used by many Trojan horse programs and helping alert you to possible previously successful attacks. GFI LANguard N.S.S. lists other useful information about the target system such as OS, network devices, registry information, and sessions. The product also provides additional tools that let you deploy Microsoft patches and custom software, perform DNS lookups, execute Traceroute or Whois functions, enumerate computers and users, and perform SNMP auditing (e.g., scan a computer or subnet for SNMP services that have weak community strings). I especially liked the Result Comparison tool, which lets you compare two previous scans. You can use this tool to create a baseline against which to compare subsequent scans. Combined with a recurring scan, you could set up a system to detect new computers or services that come online in your network. On the downside, despite its useful tools and options, GFI LANguard N.S.S. detected the fewest vulnerabilities of the products I tested and reported many false positives.
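The baseline-comparison idea described above (save one scan as the baseline, then diff each recurring scan against it to catch hosts and services that appear or disappear) is simple enough to reproduce outside any particular product. The following is an added example written for this article, not code from GFI or any of the reviewed products: the comma-separated "host,proto/port,service" scan format and the two sample scans are constructed for the example, and the function names are my own.

```python
"""Baseline comparison of two network scan results (added example).

The scan-line format used here is constructed for this example; it is
not the export format of GFI LANguard N.S.S. or any other scanner.
Each line is "host,proto/port,service".
"""
from dataclasses import dataclass, field

# Constructed sample data: a baseline scan and a later scan of the same subnet.
BASELINE_SCAN = """\
10.0.0.5,tcp/135,msrpc
10.0.0.5,tcp/445,microsoft-ds
10.0.0.5,udp/161,snmp
10.0.0.7,tcp/80,http
10.0.0.7,tcp/443,https
"""

CURRENT_SCAN = """\
10.0.0.5,tcp/135,msrpc
10.0.0.5,tcp/445,microsoft-ds
10.0.0.5,tcp/3389,ms-wbt-server
10.0.0.7,tcp/80,http
10.0.0.7,tcp/443,https
10.0.0.9,tcp/21,ftp
10.0.0.9,tcp/23,telnet
"""


def parse_scan(text):
    """Return {host: {(proto, port, service), ...}} from constructed scan lines."""
    hosts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        host, proto_port, service = (f.strip() for f in line.split(",", 2))
        proto, port = proto_port.split("/", 1)
        hosts.setdefault(host, set()).add((proto.lower(), int(port), service))
    return hosts


@dataclass
class ScanDiff:
    """Differences between a baseline scan and a later scan."""
    new_hosts: dict = field(default_factory=dict)        # host -> all its services
    missing_hosts: dict = field(default_factory=dict)    # host -> services it had
    new_services: dict = field(default_factory=dict)     # known host -> added services
    removed_services: dict = field(default_factory=dict) # known host -> dropped services

    def has_changes(self):
        return any((self.new_hosts, self.missing_hosts,
                    self.new_services, self.removed_services))


def compare_scans(baseline_text, current_text):
    """Diff two scans; hosts are matched by address, services by (proto, port, name)."""
    baseline = parse_scan(baseline_text)
    current = parse_scan(current_text)
    diff = ScanDiff()
    for host, services in current.items():
        if host not in baseline:
            diff.new_hosts[host] = set(services)   # a computer that came online
            continue
        added = services - baseline[host]
        if added:
            diff.new_services[host] = added        # a known host exposing something new
    for host, services in baseline.items():
        if host not in current:
            diff.missing_hosts[host] = set(services)
            continue
        removed = services - current[host]
        if removed:
            diff.removed_services[host] = removed
    return diff


def format_report(diff):
    """Render the diff as plain text lines for an email or a share-posted report."""
    lines = []
    for label, bucket in (("NEW HOST", diff.new_hosts),
                          ("MISSING HOST", diff.missing_hosts),
                          ("NEW SERVICE", diff.new_services),
                          ("REMOVED SERVICE", diff.removed_services)):
        for host in sorted(bucket):
            for proto, port, service in sorted(bucket[host]):
                lines.append(f"{label:16} {host:15} {proto}/{port} ({service})")
    return lines or ["no changes since baseline"]


if __name__ == "__main__":
    print("\n".join(format_report(compare_scans(BASELINE_SCAN, CURRENT_SCAN))))
```

Run on the constructed data, the report flags 10.0.0.9 as a new host (with FTP and Telnet listening), RDP as a new service on 10.0.0.5, and the disappearance of SNMP on 10.0.0.5. Feeding each recurring scan's output through `compare_scans` against a saved baseline, and only re-baselining after the changes have been reviewed, gives you the "new computers or services come online" detector the review describes.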
N.S.S. presents its results in a Windows Explorer-like view; you can expand nodes to see more detailed data. Scanned vulnerabilities include risky services, incorrectly configured registry settings, and other published vulnerabilities from sources such as BugTraq. The product categorizes vulnerabilities as High, Medium, or Low security risks and, in some cases, lists a short (and fairly generic) description and a link to vendor or BugTraq remediation steps. For example, after encountering the SNMP service running on my target computer, the product reported
Numerous vulnerabilities have been reported in multiple vendors' SNMP implementations. You should check if your system is Vulnerable.
I'd have been happier if the tool had told me whether the SNMP service it found was actually vulnerable to a specific exploit. The product provides several attractive, predefined HTML reports showing scan-result data. You can create your own reports by using a simple wizard.
See associated table