Security scanning for small to midsized networks

BindView’s bv-Control for Internet Security 3.0 is a high-end security-management product designed to be your small to midsized network’s first line of defense against security breaches. BindView has built bv-Control for Internet Security on the battle-proven architecture of its bv-Control network-management suite.

The software ships on one CD-ROM, and the documentation is in PDF format. When you first insert the CD-ROM, an auto-run file launches an HTML-based installation guide that lets you browse a quick overview of the product, check out system requirements, and read the program’s documentation during the Setup process.

Installing bv-Control for Internet Security requires domain administrator privileges if you plan to scan more than just your local machine. Because you also have the option of installing the product as a local scanner, the Setup program prompts you for an appropriate user account. You can use a domain administrator account, a domain user account, or a local administrator account to configure the software. The distinction between domain administrator and domain user is that the former gives you full access to every system in the domain, whereas the latter restricts you to scanning only the systems on which that account has the necessary rights. Bear in mind that a scanner holding domain administrator credentials is itself a high-value target: whoever compromises the scanning host inherits those rights, so harden that machine and protect the stored account accordingly. I planned to scan my entire network, so I chose to use a domain administrator account. After Setup had validated the credentials, bv-Control for Internet Security was ready to run.

The software fits within the Microsoft Management Console (MMC) framework, which gives the product the same look and feel as the rest of your management tools. The two-pane interface displays product components in the left pane and details in the right pane. The UI was self-explanatory, so I dived straight into the heart of the software and began configuring the system for my network.

The product’s New Scan Wizard simplifies the process of selecting network devices and configuring scans. Surprisingly, the alternative method—manually adding systems and configuring the scanning process—is almost as simple as using the wizard. To satisfy my inner power user, I opted for the manual method.

I started by entering my network's subnet (address and mask) into the software's Targets folder. This procedure initiated an auto-discovery process that swept the subnet for the IP address of every live machine. This feature pleased me because I run a mix of Windows 2000 Server, Win2K Professional, Windows NT Server 4.0, OpenBSD, and Linux machines, and I never pay much attention to each system's IP address. To help you separate the computers into groups, the auto-discovery process fingerprints each host's TCP/IP stack and returns an OS name and version. Treat that result as a best guess: stack fingerprinting can misidentify hosts that sit behind a firewall or run an unusual or heavily patched stack, so confirm it before you use it to decide which checks to run against a machine.

After the software finished interrogating the machines and adding them to bv-Control for Internet Security's Targets folder, I started grouping the computers into categories. As Figure 1 shows, I based each group on the role of the systems in question. I then began running the product's predefined scans. By default, bv-Control for Internet Security includes six predefined security checks:

  • Normal Security Check—Looks for security holes that are common to most systems.
  • All Security Checks—Runs every check in the product's vulnerability database. This option is the most thorough and comprehensive check that the software offers.
  • Latest Update Security Check—Scans only for holes that the latest RapidFire Update informs the software about.
  • Password Cracker—Tests the password hashes in your systems' account databases against a word list and dictionary file to find weak passwords.
  • Quick Security Check—Quickly discovers the most severe security holes when you’re pressed for time.
  • SANS Priority One Security Check—Probes your systems using the SANS Institute's Priority One List (its Top Ten List of Security Threats) as its criteria.
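
To make concrete what the Password Cracker check does, here is an added example (not BindView's code, and not part of the original review) that runs the same kind of dictionary test against Windows NT password hashes. The account dump is constructed in pwdump style, the word list and the mangling rules (capitalization, two-digit suffixes) are assumptions for the example, and MD4 is implemented inline so the script also runs on Python builds whose OpenSSL no longer provides MD4.

```python
import hashlib
import struct
from typing import Dict, Iterable, List


def md4(data: bytes) -> bytes:
    """MD4 digest (RFC 1320). Uses OpenSSL's MD4 when hashlib still offers it,
    otherwise falls back to this pure-Python implementation."""
    try:
        return hashlib.new("md4", data).digest()
    except ValueError:
        pass
    mask = 0xFFFFFFFF
    rotl = lambda v, n: ((v << n) | (v >> (32 - n))) & mask
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    # Padding: 0x80, zeros up to 56 mod 64, then the bit length as 64-bit little-endian.
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    order3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):  # round 1: F, message words in order
            a = rotl((a + f(b, c, d) + x[i]) & mask, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: G, words 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            a = rotl((a + g(b, c, d) + x[k] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3: H, words in the order3 permutation
            a = rotl((a + h(b, c, d) + x[order3[i]] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & mask for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """Windows NT hash: MD4 over the UTF-16LE encoding of the password, unsalted."""
    return md4(password.encode("utf-16-le")).hex()


# Constructed pwdump-style account dump: user:RID:LM hash:NT hash:::
# The LM field carries the well-known "no LM hash" value; only the NT hash is tested here.
SAMPLE_DUMP = (
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::\n"
    "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\n"
    f"jsmith:1001:aad3b435b51404eeaad3b435b51404ee:{nt_hash('Winter99')}:::\n"
    "backup:1002:aad3b435b51404eeaad3b435b51404ee:0f2c3e9a1b5d7c8e4a6f0d1b2c3e4f5a:::\n"
)

# Assumed word list; a real run would use a dictionary file with millions of entries.
WORDLIST = ["password", "winter", "summer", "letmein", "secret", "admin"]


def parse_dump(text: str) -> Dict[str, str]:
    """Map each account name to its NT hash (lower-case hex)."""
    accounts: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        user, _rid, _lm, nt = line.split(":")[:4]
        accounts[user] = nt.lower()
    return accounts


def candidates(words: Iterable[str]) -> Iterable[str]:
    """Assumed mangling rules: each word as-is, Capitalized and UPPER, with an
    optional two-digit suffix; the empty string catches blank passwords."""
    yield ""
    for w in words:
        for base in (w, w.capitalize(), w.upper()):
            yield base
            for n in range(100):
                yield f"{base}{n:02d}"


def crack(accounts: Dict[str, str], words: List[str]) -> Dict[str, str]:
    """Hash every candidate once, then look each account's hash up in the table."""
    table = {nt_hash(cand): cand for cand in candidates(words)}
    return {user: table[h] for user, h in accounts.items() if h in table}


if __name__ == "__main__":
    for user, pw in crack(parse_dump(SAMPLE_DUMP), WORDLIST).items():
        print(f"{user}: weak password {pw!r}")
```

The mechanism is the whole point: because NT hashes are unsalted, the cracker hashes each candidate exactly once and then checks every account against that one table, so a large dictionary costs the same whether you have ten accounts or ten thousand. When an LM hash is present, it is the far weaker target and is what a real cracker attacks first.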

If you want to implement a specialized set of scans, you can create your own security check. To do so, use the software's intuitive tree-based UI, which groups specific vulnerabilities according to type and class. For example, I decided that I didn't need to run password and file-sharing checks against my Microsoft IIS server, so I simply cleared the Permissions and Web Server check boxes. I also determined that I didn't need to run sendmail and ssh security checks (both of which are useful for my UNIX systems) against my PDC (primary domain controller), so I cleared the appropriate check boxes to save time while scanning my domain controllers (DCs).

After I created the appropriate scan checks, I used the scheduling feature to create automated jobs. Creating a scheduled event was simple. I selected the Jobs container, then used the context menu to create a new event. I assigned a name to the event (e.g., Nightly Domain Controllers Scan) and selected the appropriate security check. I then selected the PDC and BDC groups from the target list and configured the job's frequency (e.g., nightly, at midnight). bv-Control for Internet Security also includes an Auto Fix feature, which monitors your registry and file permissions for aberrations. If a scheduled scan detects an aberration, the software automatically fixes the error. Because Auto Fix rewrites registry values and permissions without asking, review the report's record of what it changed after every unattended run, particularly on domain controllers. I wanted the scan to run unattended, so I enabled the Auto Fix feature.

The duration of a scan depends on the type of scan that you choose. A scan can take seconds or minutes, and longer still if the port scanner runs into a firewall that silently drops its probes, because every unanswered port must then wait out a timeout. For example, a scan of my Web server took just over a minute to complete, whereas a complete network scan took roughly half an hour. As a scan runs, the software reports the current security check, the number of holes it has found so far, and the severity of each hole. This information won't make your scan go any faster, but you'll appreciate the depth of data that you get during lengthy security checks.

After a scan is finished, the software publishes a report. As Figure 2 shows, bv-Control for Internet Security's reporting features provide a cursory view of the security holes that the scanner detects. This quick summary report gives you a list of your network's vulnerabilities, informs you whether the software has automatically fixed the problems, and briefly describes each hole. The software detected 15 security holes on my PDC and another 16 vulnerabilities on my Web server. I expected some of the holes (e.g., short passwords, passwords based on English words) and attributed other vulnerabilities to carelessness (e.g., forgetting to disable the guest account and insecure shares). Some of the weaknesses were inherent to the NT architecture (e.g., unauthenticated users enumerating the browse list over NetBIOS, the classic null-session problem).

The software uses HTML to generate reports, so you can click on a security hole’s link to obtain information about the vulnerability. This functionality lets BindView include context-sensitive links to external sites such as NTBugtraq and the Windows 2000 Magazine Web site so that you can gather hotfixes and specific vendor information.

The summary report is the product’s default reporting format, but you can configure the program to output as much data—even in chart form—as you want. You can create a simple Executive Summary report that gives you only the basics, or you can set bv-Control for Internet Security to give you all available information (e.g., descriptions, fix availability, security check output data) in an in-depth technical Administrator Report. The software automatically archives old reports. Therefore, you can use the Compare Reports feature to perform trend and differential-analysis runs, which help you ensure that your network’s security holes remain closed.

BindView uses RapidFire Updates to keep bv-Control for Internet Security up-to-date with knowledge of the latest security holes and exploits. Unlike products with a built-in auto-update feature, BindView distributes its updates over email. Email distribution lets the company protect the updates with Pretty Good Privacy (PGP). Note that an encrypted update proves nothing about who sent it: verify the PGP signature against BindView's key before you apply an update, because only the signature establishes that the file is unaltered and genuinely from BindView. BindView's RAZOR security team has a solid reputation for keeping abreast of the latest security problems, so you're in good hands when it comes to fast and frequent updates.

bv-Control for Internet Security might not suit all environments. Because the product uses an agentless design, every check runs across the network, so each scan consumes bandwidth on every segment between the scanner and its targets. If you're working with large networks, expect bv-Control for Internet Security to keep your switches busy. You can work around the bandwidth problem by installing the software on multiple machines, each scanning a portion of the network. Unfortunately, this workaround makes report consolidation a logistical nightmare.
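
The Compare Reports feature described earlier (trend and differential analysis over archived reports) and the report-consolidation problem that arises when you split scanning across several machines both come down to set operations over findings. As an added example, which is not the product's code and not part of the original review, the following script merges per-scanner summary reports, diffs consecutive runs, and flags findings that were closed once and have since reappeared. The comma-separated report format, the host names, and the check names are constructed for the example.

```python
from collections import Counter
from typing import Dict, List, NamedTuple, Set


class Finding(NamedTuple):
    host: str
    check: str
    severity: str  # "high", "medium" or "low" in the constructed format


def parse_report(text: str) -> Set[Finding]:
    """Parse one scanner's summary report (constructed format: one
    'host, check, severity' finding per line; '#' starts a comment)."""
    findings: Set[Finding] = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, check, severity = (field.strip() for field in line.split(","))
        findings.add(Finding(host.lower(), check, severity.lower()))
    return findings


def consolidate(reports: List[str]) -> Set[Finding]:
    """Merge reports from several scanning hosts; the set union drops the
    duplicates that appear when two scanners cover the same target."""
    merged: Set[Finding] = set()
    for report in reports:
        merged |= parse_report(report)
    return merged


def compare(previous: Set[Finding], current: Set[Finding]) -> Dict[str, Set[Finding]]:
    """Differential analysis between two consecutive runs."""
    return {
        "new": current - previous,
        "fixed": previous - current,
        "persisting": current & previous,
    }


def regressions(history: List[Set[Finding]]) -> Set[Finding]:
    """Findings open in the latest run that had already been closed once
    (open in an earlier run, absent from a later one, open again now)."""
    latest = history[-1]
    reopened: Set[Finding] = set()
    for finding in latest:
        seen_open = False
        for run in history[:-1]:
            if finding in run:
                seen_open = True
            elif seen_open:
                reopened.add(finding)
                break
    return reopened


def severity_counts(findings: Set[Finding]) -> Dict[str, int]:
    """Per-severity totals: the figure a trend chart would plot for each run."""
    return dict(Counter(f.severity for f in findings))


# Constructed sample reports. Run 1 comes from two scanners whose target
# lists overlap on pdc01; runs 2 and 3 are single consolidated reports.
RUN1_SCANNER_A = """
# scanner A: web server and PDC
web01, iis-sample-scripts, high
web01, guest-account-enabled, medium
pdc01, null-session-browse-list, medium
pdc01, weak-password-policy, high
"""
RUN1_SCANNER_B = """
# scanner B: PDC and BDC (the pdc01 lines duplicate scanner A's)
pdc01, null-session-browse-list, medium
pdc01, weak-password-policy, high
bdc01, weak-password-policy, high
bdc01, insecure-share-everyone-full, high
"""
RUN2 = """
# after Auto Fix and manual cleanup
web01, iis-sample-scripts, high
pdc01, null-session-browse-list, medium
bdc01, weak-password-policy, high
"""
RUN3 = """
# the share permission on bdc01 has been reintroduced
web01, iis-sample-scripts, high
pdc01, null-session-browse-list, medium
bdc01, insecure-share-everyone-full, high
"""


def sample_history() -> List[Set[Finding]]:
    return [consolidate([RUN1_SCANNER_A, RUN1_SCANNER_B]), parse_report(RUN2), parse_report(RUN3)]


if __name__ == "__main__":
    history = sample_history()
    for n, run in enumerate(history, 1):
        print(f"run {n}: {severity_counts(run)}")
    delta = compare(history[-2], history[-1])
    for kind in ("new", "fixed", "persisting"):
        print(kind, sorted(delta[kind]))
    print("reopened:", sorted(regressions(history)))
```

The regression check is the one worth keeping: a plain two-run diff reports the reintroduced share permission as merely "new", whereas the history-aware check shows it is a hole that had already been closed once, which is the case that deserves a question about who reopened it.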

bv-Control for Internet Security is an excellent product for security-conscious environments. Its combination of power and ease of use makes it a perfect fit in small to medium-sized networks. Because the product's design and prohibitive cost preclude it from the upper echelon of enterprise networks, it isn't the ultimate security solution. However, bv-Control for Internet Security, with its extremely flexible reporting features, is simply one of the finest security management products available today.

bv-Control for Internet Security 3.0
Contact: BindView
Web: http://www.bindview.com
Price: $19.95 per IP address; $3995 for a class C subnet; $32,000 for a class B subnet
Decision Summary:
Pros: Comprehensive set of security checks; automatic problem correction; extremely flexible reporting features
Cons: Expensive for large networks; agentless system design, which might consume too much network bandwidth