For this edition of the Ultimate Security Toolkit, I looked at HackerShield 2.0 from BindView. HackerShield is a security and vulnerability scanning tool that checks for more than 450 potential problems and can automatically update itself with new security checks from BindView. HackerShield can also repair some vulnerabilities automatically and reverse any changes made, if necessary.
Features and Benefits
HackerShield detects and tests for security vulnerabilities in Windows NT hosts. In addition to common Web server vulnerabilities, the scanner also tests for potential Denial of Service (DoS) problems. It tests and scans all TCP/IP devices, but this review focuses on HackerShield's performance and features when scanning NT-only environments.
HackerShield comes with a large database that it uses to launch simulated attacks on your choice of network devices. HackerShield scans each computer’s OS and internal configuration. Scans include checking for incorrectly configured files, directories, users, and permissions. The scanner comes with a large dictionary and uses various techniques to identify passwords vulnerable to hacking. HackerShield’s database of MD5 checksums can also detect changes in key system files.
After performing a scan, HackerShield creates an HTML-formatted report, which is exportable to an ODBC database package. The report identifies each vulnerability or misconfiguration that the scanner found and provides instructions on how to eliminate each threat. Each report also includes links to background information, including notes from BindView’s research team and security advisories from manufacturers and security agencies. Reports include graphs and charts that provide a graphical view of the number of vulnerabilities the scanner found and their severity. Save your reports so you can compare them to locate any differences or new security issues. HackerShield also lets you schedule scans to run at set time intervals (e.g., every 6 hours) or at a particular time (e.g., at 11:00 p.m.). The scanner comes with various scan policies, and it lets you create custom scan policies as well.
BindView updates HackerShield using Rapid Fire Updates. BindView creates these updates every month, emails them to a designated mailbox, and if desired, installs them automatically. BindView also releases Rapid Fire Updates 24 to 48 hours after the discovery of a major security risk. Once you install an update, you can run a scan using only the updated checks. If you compare your original scan report with the report that the updated scan generates, the difference between the two will show you the vulnerabilities that the update fixed.
Installation and Use
BindView recommends that you install HackerShield on at least a 200MHz Pentium-class machine with 128MB of RAM and 40MB of available disk space, running NT 4.0 Service Pack 4 (SP4) or greater. I installed HackerShield on an IBM Netfinity 5500 Server with a 500MHz Pentium III processor, 256MB of RAM, and an 18GB hard disk, running NT 4.0 SP6a and Microsoft Internet Information Server (IIS) with Option Pack 4.
Following the installation I had some file version problems with my particular configuration. After the required reboot, HackerShield normally does some final cleanup and configuration tasks. Instead, a Windows dialog box appeared with a DLL error, and the HackerShield services didn't start. I tried to fix the problem in various ways, but finally I gave up and called BindView technical support. I was very impressed with the quick response and accurate answers that I received from BindView's technical people. However, after trying some of their suggestions, I decided to rebuild my test system (due to my own impatience).
I rebuilt my test system using NT 4.0 SP4, and I didn’t install IIS. This time, I had no problems getting HackerShield to run. I have talked with BindView's technical support people since then, and they have assured me that they have resolved the issue. My problem occurred because I had incorrect versions of some Microsoft library files. If I had updated my Microsoft libraries and Microsoft Data Access Components (MDAC) files after I installed HackerShield, I would have fixed my problem and prevented the need for a rebuild.
When I launched HackerShield, I found it easy to navigate and configure. During configuration, the scanner asks for your email server's host name. Using the built-in POP3 client, HackerShield sends account alerts via email when scans start and stop. Or, you can configure HackerShield to use SNMP alerting. The configuration applet also gives you a username for Rapid Fire Updates.
Once I finished my initial configuration, I added my network and subnet address to the network-mapping tool and let HackerShield find each TCP/IP device on my network. By dragging and dropping hosts from the network map window to the target window, I created a list of hosts for HackerShield to scan. From the target window, I could right-click my targets and start a scan. From the toolbar, I could schedule a scan to run at another time or on a different day.
In my tests, I ran multiple scans, as Screen 1 shows, changing the scan policy each time. HackerShield performed very well, and I was amazed by its speed in creating a list of every username and password on my PDC and the local accounts on each member server. Out of curiosity, I fired up my favorite password cracker to compare its speed to HackerShield's. My password-cracking software took 3 hours to come up with the same account list that HackerShield created in minutes.
HackerShield was impressive in its levels of reporting. Not only were the reports complete and accurate, but they also gave me the option of selecting certain vulnerabilities and letting the scanner automatically repair them, also seen in Screen 1. Normally, I wouldn't recommend changing any settings automatically without testing the changes in a lab environment first, but for this review I let HackerShield repair a number of the vulnerabilities it found. The scanner couldn't repair all of them, but the report provided thorough information about each problem and repair recommendations. I had no problems with the auto fix feature, although if I had, HackerShield tracks changes and can undo them, if necessary.
One of the Best
HackerShield is one of the best products that I have reviewed so far. BindView's technical support was competent and helpful when I ran into problems. All in all, the product left me confident that each host that it scanned and repaired was safe and secure. In addition, HackerShield's scheduling feature lets me set my network for weekly scans and compare the reports to locate any differences or new security issues. At a cost of $1995.00 for a 25-user license, HackerShield definitely has a home in my security toolkit.
Contact: BindView * 800-813-5869
Price: $1995 for a 25-user license; call for other pricing options
Pros: Complete, thorough scans; excellent, easy-to-understand reporting; can scan and test all TCP/IP devices.
Cons: The network-mapping function can be confusing if you don't understand TCP/IP principles.