Agent-based system security scanner

Scanning your systems for security vulnerabilities is a paramount task, so selecting a security scanner that is right for your network is important. If you're looking for an agent-based system security scanner, SFProtect 2.0 might be the solution for you.

SFProtect, from Agilent Technologies (the Hewlett-Packard, or HP, spin-off), fits well into almost any size network. The product runs on Windows NT systems and uses a client/agent architecture. After you load the agent onto one or more systems, the agent conducts scheduled security scans and automatically emails reports to specified individuals. You use the client software to configure the agent.

You can configure the agent's scan schedule and notification parameters and specify which vulnerabilities to check for. Scan scheduling is flexible; you can define the scan to run once, daily, weekly, or monthly. You can also choose which day and what time of day the scan takes place. Notification parameters let you direct SFProtect to automatically email scan reports to an administrator after the software completes the reports. Parameters include destination email name and address, mail server, and return address information in case of a mail failure.

SFProtect organizes vulnerabilities into specific groups by using a tree structure, which makes defining which vulnerabilities to scan for easy. SFProtect uses a hierarchy of seven vulnerability categories: user accounts, audit policy, system logon, file system, Registry, services, and shares. When you expand any category, you receive a list of that category's vulnerabilities from which you can enable or disable any vulnerability check. In addition, various vulnerability checks have parameters that you can define to refine the scan. The program can scan NT's built-in password policy for compliance, and you can define policies such as thresholds for minimum password length, maximum password age, and the account lockout policy.

A handy feature of SFProtect is its ability to automatically fix some vulnerabilities. For example, if the account password-length policy on an NT system isn't in compliance with the value that the SFProtect scan policy defines, the program can automatically adjust that parameter to meet the SFProtect policy requirements.
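The password-policy checks described above and the auto-fix that follows them can be modelled as an audit step that compares each host setting against a threshold, followed by a fix step that applies only the corrections an administrator selects. The code below is an added illustration of that audit/fix cycle, not Agilent's code or SFProtect's actual logic; the policy keys, the sample host settings, and the rule that a value of 0 on a ceiling threshold means "disabled" are assumptions made for this example.

```python
"""Audit/fix model for NT-style password policy thresholds (added example)."""
from dataclasses import dataclass

# Each check defines either a floor ("min": host value must be >= policy)
# or a ceiling ("max": host value must be <= policy). Keys are constructed.
POLICY_RULES = {
    "minimum_password_length": "min",
    "maximum_password_age_days": "max",
    "lockout_threshold_attempts": "max",
}

@dataclass
class Finding:
    setting: str
    actual: object   # None when the host did not report the setting
    required: int
    rule: str

def compliant(rule, actual, required):
    """Return True when a host setting satisfies the policy threshold."""
    if actual is None:
        return False                      # unreported setting never passes
    if rule == "max":
        # Assumption for this model: 0 means the control is disabled
        # (password never expires / account never locks), the weakest case.
        return required == 0 if actual == 0 else actual <= required
    return actual >= required

def audit(host, scan_policy, enabled_checks=None):
    """Return one Finding per enabled check that the host fails (Audit Report)."""
    findings = []
    for setting, rule in POLICY_RULES.items():
        if enabled_checks is not None and setting not in enabled_checks:
            continue                      # check was disabled in the policy tree
        required = scan_policy[setting]
        actual = host.get(setting)
        if not compliant(rule, actual, required):
            findings.append(Finding(setting, actual, required, rule))
    return findings

def apply_fixes(host, findings, selected):
    """Set each selected finding to the policy value; return (setting, before,
    after) tuples as the Fix Report."""
    report = []
    for f in findings:
        if f.setting in selected:
            report.append((f.setting, host.get(f.setting), f.required))
            host[f.setting] = f.required
    return report

# Constructed sample: a scan policy and one host that fails two checks.
SCAN_POLICY = {"minimum_password_length": 8, "maximum_password_age_days": 90,
               "lockout_threshold_attempts": 5}
SAMPLE_HOST = {"minimum_password_length": 6, "maximum_password_age_days": 0,
               "lockout_threshold_attempts": 3}
```

Running `audit(dict(SAMPLE_HOST), SCAN_POLICY)` flags the short minimum length and the never-expiring password age; passing the resulting findings to `apply_fixes` with a chosen subset corrects only those settings, mirroring the per-item check boxes in the Fix dialog.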

To test SFProtect, I loaded it on a small test network that contained three machines. I installed SFProtect-Server (i.e., the agent) on two NT Server 4.0 Service Pack 5 (SP5) systems and installed SFProtect Remote Client for SFProtect Agent (i.e., the client) on an NT Workstation 4.0 system.

Installation of the system agents was smooth; I needed to provide only an installation path for the service's executable files. The client software installed just as easily with only the additional requirement of specifying a folder name for the Start menu.

You must also install the SFLicenseManager service on an NT system on the network. The license manager governs client connections to remote agents by using a license data file that you receive with the software.

With the software installed, I configured each agent to perform scans according to my preferences. Using the client interface to configure the agents was easy because of the neatly organized treeview. The left pane displays a list of available top-level categories: System, Risks, Policy, Reports, and Log. Selecting any item in the left pane displays that item's details in the right pane.

To configure the agents, I first needed to use the client software to log on to an agent-enabled server. Then, I went through the Policy parameters to define which vulnerabilities to check for, how often to perform security scans, and to whom to email the reports. I saved the defined policy to that system and logged off. To apply the same policy to my second test server, I needed only to use the client software to log on to the second server, load the defined policy, and resave that policy on the second server. Duplicating the policy was fairly simple. However, you need to contact each server individually, so rolling out policies to a few hundred servers might be painful. I didn't find a clear-cut way to apply scan policies to multiple servers in a batch process.

After configuring the agents, I used the SFProtect client to log on to a server, then selected Audit from the top of the main dialog box to force a scan. When the scan completed, I reviewed the easy-to-read and well-designed report, which Screen 1 shows. SFProtect provides only an Audit Report and a Fix Report, both of which Agilent designed for administrators who are responsible for security matters. The Audit Report organizes problems in a list that contains a brief description of each problem. The Audit Report also contains extensive vulnerability details. The Fix Report shows details regarding the correction of vulnerabilities that the software discovered.

When the scan completed, I tested the product's auto-fix functionality. From the main dialog box, I simply selected Fix, which opened a Fix dialog box that shows a list of all the detected security risks for the system. The list contains a brief description and a hyperlink to a more detailed explanation for each detected problem. A check box for enabling the auto-fix functionality accompanies each vulnerability. After reviewing and selecting each item for correction, I selected Finish from the Fix dialog box to begin the auto-fix process. SFProtect's auto-fix capability worked well. This timesaving feature adds significant value to the product.

SFProtect has an easy-to-use interface, and the product saved me time by automatically correcting security vulnerabilities. During my testing, Agilent provided respectable technical support and answered all my questions. However, even with the product's ease of use, it still needs improvement. Several topic areas in the online documentation come up blank, although printed documentation is available. The product doesn't provide a facility for automatic product or vulnerability test upgrades, makes rolling out a policy to numerous machines painfully time-consuming, and doesn't offer a built-in mechanism to push the agent software out to a remote system. However, if these limitations aren't a concern for your enterprise network environment, you'll find that SFProtect is a worthy and competitively priced addition to your security toolkit.

SFProtect 2.0
Contact: Agilent Technologies * 919-462-7656 or 800-452-4844
Web: http://www.agilent.com
Price: $995 for SFProtect-Server; $149 for SFProtect Remote Client for SFProtect Agent
Decision Summary:
Pros: Has a well-designed interface; can automatically fix some detected vulnerabilities; reduces overall network scan times through agent-based architecture
Cons: Doesn't provide a means to push agents out to servers; doesn't offer an automated product upgrade facility; makes rolling out policy to numerous agents time-consuming; has incomplete online documentation