
Test Drive: GFI LanGuard 2014

LanGuard worked well in the lab and may prove more beneficial to IT operations than security teams.

tested (Nmap) uses a standard install process so I expected uninstallation to work. I did not test any custom packaged software or software manually installed without a standard installer.

As a quick test of the custom software deployment feature, I downloaded Wireshark and configured it for automatic installation. One thing I didn't consider was how LanGuard would handle a standard installer that prompts you for input as you install it. A pop-up occurred during the automated Wireshark install letting me know that the installer needed my attention. That's when I realized my mistake and found that passing a "/S" to the installer would silently install it with no prompts. After a quick modification of the deployment configuration, Wireshark was able to install silently with no prompting of the user.

After exhausting what I could do with Windows systems in my lab, I decided to try LanGuard's "Full Scan (Slow Networks)" scanning profile on an Ubuntu Linux 14.04 server hosted on Amazon EC2. Configuration was a little different this time, as my EC2 Linux server requires an SSH private key for authentication instead of a simple username and password. I encountered a problem with my first few attempts to scan because the server's strict firewall rules block pings and only let through 3 TCP ports. Under the configuration tab, LanGuard allowed me to edit what seemed to be every little detail of the scan profile. I disabled pings and set up a custom list of TCP ports that would be used to determine whether the host was online. My next scan attempt ran normally and came back with a couple of insignificant findings, as I expected.

The final thing I wanted to look at was how LanGuard handled scanning mobile devices. Unfortunately, I was unable to test this feature because it requires Microsoft Exchange, Microsoft Office 365, Google Apps for Business, or Apple Profile Manager, none of which I currently have configured in my test lab. But if that changes in the next few months, I'll revisit my LanGuard install and see how well it works.

But can it scale?
As with all lab tests, the caveat is that most testing is done with a limited number of systems compared to what the product will be expected to deal with in an enterprise environment. While it performed incredibly well in my small lab, the real test is to throw a much larger number of systems at it. I’d love to see how it scales to handle thousands and tens of thousands of systems. Most likely you’d need an extremely beefy SQL Server to handle the amount of data returned from scanning so many systems, possibly being more selective in what’s being collected. Additionally, geographically diverse locations and offices on slow WAN links would probably need to leverage Relay Agents that help to offload some of the work of the central LanGuard server and reduce the amount of traffic transferred from endpoints being scanned and/or remediated.

Overall, I was happy with the performance of LanGuard 2014 in my lab. It did a great job with authenticated agentless and agent-based scans on Windows systems, pushing updates and custom software, and uninstalling unwanted software. For Linux systems, it can only perform agentless scans but was able to identify missing patches and misconfigurations on the Ubuntu and Debian systems I tested. I was a little surprised when I scanned a VMware ESXi server and it didn’t recognize it, but a quick email to support let me know that it's not a supported platform, yet.

The only downside I really encountered during testing is that unauthenticated network scans were not quite as comprehensive as those of some of the pure-play vulnerability scanners with which I'm more familiar. LanGuard feels more like a solution that operations teams would use more often than the security team, because of its ability to push (and revert) system updates, uninstall unwanted software, install or update malware protection, and enable the Windows Firewall.