Protect your network against internal or external attacks

If you need to secure your network against internal or external attacks, you would do well to implement a tool that promises to run a thorough list of security checks on your machines and create vulnerability assessment reports. NetIQ’s Security Analyzer 3.5a, which the company advertises as "Essential Security Analysis for Networks and Servers," lives up to that lofty promise.

Security Analyzer ships on one CD-ROM and includes two well-written manuals: a User’s Guide and a Security Developer’s Kit. Installing Security Analyzer is easy: Simply run Setup, let the CD-ROM spin a few times, give the program administrative permissions (for scanning across domains), and you’re up and running.

NetIQ based Security Analyzer’s architecture on profiles and policies. Profiles let you create scanning conditions (i.e., which policies to use and which hosts to scan), and policies define what Security Analyzer will search for during a security check. NetIQ offers 10 default security policies: Complete Security Analysis, Standard Security Analysis, Critical Security Analysis, Intermediate Security Analysis, Inventory Scan, Port Scan Only (Well-Known Ports), Port Scan Only (Standard Ports), Password Grinding Analysis, Ping Scan, and UNIX Security Analysis. These policy files are essentially Perl scripts, so if you know Perl, you can create your own policies. Security Analyzer even includes a software development kit (SDK) to help you create custom policy files.

Security Analyzer’s UI, which Figure 1 shows, lets you select from several predefined profiles, each of which offers a different level of security checks depending on the targets that you run them against. I decided to create a profile with which to run a security scan across my network. I selected New from the main interface, then assigned a name and test policy to the new profile. I also entered an IP range to initiate Security Analyzer’s automatic-discovery feature, which pings through the IP addresses in search of available and responding hosts. Alternatively, you can add computers to profiles by entering their host names, but if you have many systems on your network, the automatic-discovery feature is preferable.

I then created a second profile to scan my Web server for security holes. Although Security Analyzer’s policies address the majority of security vulnerabilities, I decided to create my own test policy that isolated specific Web server vulnerabilities and excluded extraneous tests, such as mail-server vulnerability and password-strength checks.

To create this policy, I clicked New Policy in the Edit Security Analysis Profile dialog box and typed a name and description. Then, in the Scan What? dialog box, I selected specific vulnerability tests to include in the policy: Web Server and File Access Control. The software offers verbose descriptions of each security check. After selecting the tests to run, I disabled the port scanner—because, realistically, the Web server listens only on port 80—and saved the profile.

After I created the Web server scan policy, I launched both scan jobs. The network scan trudged through 180,000 tests in a respectable 20 minutes. The Web server scan plowed through 157 tests in less than 90 seconds. After the software completed both scans, it created an HTML report file, which Figure 2 shows. On the Web server, Security Analyzer detected 15 separate vulnerabilities and prioritized them. I expected the Low Risk vulnerabilities—minor problems such as improper permissions on temporary directories. The Medium Risk vulnerabilities included Virtualized UNC Share problems and improper IIS parameters. These vulnerabilities were fairly innocuous. However, the one High Risk vulnerability surprised me. For some reason, the file permissions on my system-repair directory were world-writable, letting anyone with physical access to the Web server obtain a copy of my system’s SAM database—essentially granting access to every account’s password on the machine.
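The High Risk finding above, loose permissions on the system-repair directory that holds the SAM backup, is a condition an administrator can also check for directly. The following PowerShell script is an added example, not part of the review or of Security Analyzer; it assumes the NT-style repair directory at %SystemRoot%\repair (the review does not name the path) and reports Allow entries that grant write-type rights to broad principals such as Everyone, Authenticated Users or BUILTIN\Users.

```powershell
# Added example (not part of the review or of NetIQ's product): flag ACL entries
# that make a sensitive directory effectively world-writable. The default path
# is an assumption; the review only says "the system-repair directory".
param(
    [string]$Path = (Join-Path $env:SystemRoot 'repair')
)

# Principals broad enough that write access for them is a world-writable condition.
$BroadSids = @(
    'S-1-1-0',        # Everyone
    'S-1-5-11',       # Authenticated Users
    'S-1-5-32-545',   # BUILTIN\Users
    'S-1-5-7'         # Anonymous Logon
)

# Rights that let a principal create, change or take over files in the directory.
# Modify and FullControl both include the Write bits, so they match this mask too.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]::Write -bor
             [int][System.Security.AccessControl.FileSystemRights]::Delete -bor
             [int][System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [int][System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Get-BroadWriteAccess {
    param([string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory)) { return @() }
    $acl = Get-Acl -LiteralPath $Directory
    foreach ($ace in $acl.Access) {
        # Only Allow entries that carry at least one write-type bit are interesting.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable account: cannot be a well-known broad SID
        if ($BroadSids -contains $sid) {
            [pscustomobject]@{
                Directory = $Directory
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings = @(Get-BroadWriteAccess -Directory $Path)
if ($findings.Count -gt 0) {
    Write-Warning "High risk: broad write access on $Path"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "OK: no broad write access on $Path"
}
```

Run it from an elevated prompt so Get-Acl can read the directory's security descriptor; pass -Path to check other directories the scanner reports, such as the temporary directories mentioned under Low Risk.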

The complete network scan detected 875 more vulnerabilities, illustrating my utter network-security ineptitude. After Security Analyzer detects vulnerabilities, it cross-references them against a fix database and provides either a list of manual fixes or a link to online hotfixes. Unfortunately, some of these security problems are inherent in the Windows architecture, so Security Analyzer could offer only 413 fixes. The software doesn’t include an automatic-fix feature because NetIQ believes that most customers prefer to fix problems manually. However, if you simply want to plug a few permissions holes on several machines, such maintenance could be time-consuming.

Security Analyzer’s report generator is top-notch. You can customize reports so that they contain as much detail as you require. A comparative report tool lets you issue differential analysis runs against archived reports to check for any discrepancies. The report generator’s only fault is that it doesn’t provide links to online fixes.

I ran through all the testing policies to ensure that they worked properly, then decided to use the scheduling facility to run policies at specific intervals. On the program’s toolbar, I clicked Scheduler to bring up the Scheduler applet. I specified a profile and the interval by which I wanted it to run. After I configured the type of report to generate, the Scheduler prompted me to add any preprocessing tasks (i.e., specific applications or batch files that the Scheduler runs before launching the event). You can also add post-processing tasks. I used the latter option to upload log files to an FTP server following the scheduled event. Finally, I set the event’s priority level. Security Analyzer’s scanning engine is well threaded, so you can set the Scheduler to run multiple scan processes simultaneously.

To ensure that Security Analyzer can detect the latest vulnerabilities and exploits, NetIQ offers an automatic-update feature called AutoSync. AutoSync polls NetIQ’s servers for the latest Security Analyzer updates. Interestingly, you can choose between NetIQ’s update downloads and third-party updates that NetIQ has certified. These updates let you access numerous testing policies that users have created for the most esoteric needs. And because NetIQ puts third-party updates through a rigorous certification process, you won’t need to worry about downloading Trojan horses or other malicious code.

On larger networks, you’ll probably want to deploy Security Analyzer’s agents on remote systems. By using agents to scan—as opposed to scanning each machine from a central server—you offload the software’s security checks and processing onto the client systems, which then report back to the central server. This feature is beneficial to large enterprise networks because it requires no more than a few bytes of network bandwidth for scanning. To ensure the integrity of the data that the agents return, Security Analyzer uses 128-bit encryption to secure its packets.

NetIQ has priced Security Analyzer competitively. The Professional Edition, which supports as many as 256 IP addresses, is a bargain for small enterprises and a steal for large enterprise networks. The Enterprise Edition, which supports an unlimited number of hosts, is a no-brainer for anyone who wants to properly lock down a network.

Security Analyzer 3.5a
Contact: NetIQ
Web: http://www.webtrends.com
Price: $2399 for the Professional Edition; $4999 for the Enterprise Edition
Decision Summary:
Pros: Comprehensive set of security checks; intuitive UI; excellent reporting features; good scheduler; support for user-created security checks; ability to run with or without agents
Cons: Doesn’t automatically correct common problems