
Application Security
Commentary
8/15/2014 10:25 AM
John H. Sawyer

Test Drive: GFI LanGuard 2014

LanGuard worked well in the lab and may prove more beneficial to IT operations than security teams.

tested (Nmap) uses a standard install process so I expected uninstallation to work. I did not test any custom packaged software or software manually installed without a standard installer.

As a quick test of the custom software deployment feature, I downloaded Wireshark and configured it for automatic installation. One thing I didn't consider was how LanGuard would handle a standard installer that prompts you for input as you install it. A pop-up occurred during the automated Wireshark install letting me know that the installer needed my attention. That's when I realized my mistake and found that passing a "/S" to the installer would silently install it with no prompts. After a quick modification of the deployment configuration, Wireshark was able to install silently with no prompting of the user.
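The failure mode described above (an installer that silently waits on a dialog nobody will ever click) is easy to detect if the deployment job bounds the installer's run time. The following PowerShell is an added example, not LanGuard's or GFI's code: it launches an installer with the `/S` switch the article used for Wireshark, and treats a run that never exits as "needs attention" instead of hanging the job. The installer path is a placeholder; the Authenticode check is an assumption that you only push signed packages.

```powershell
# Added example (not GFI LanGuard code): unattended install with a timeout that
# catches an installer stuck waiting for user input.
# Assumes an NSIS-style package that honours /S, as Wireshark's did in the article.
param(
    [string]$InstallerPath  = 'C:\Deploy\Wireshark-installer.exe',  # placeholder path
    [string[]]$SilentArgs   = @('/S'),                               # NSIS silent switch
    [int]$TimeoutSeconds    = 600
)

# Preflight: only run a package that is present and carries a valid signature.
if (-not (Test-Path -LiteralPath $InstallerPath)) {
    throw "Installer not found: $InstallerPath"
}
$sig = Get-AuthenticodeSignature -FilePath $InstallerPath
if ($sig.Status -ne 'Valid') {
    throw "Refusing to run installer with signature status '$($sig.Status)'"
}

$proc = Start-Process -FilePath $InstallerPath -ArgumentList $SilentArgs -PassThru
$null = $proc.Handle   # touch the handle so ExitCode is populated after exit

# An installer blocked on a dialog never exits; a timeout is the "needs attention"
# condition the article hit, so report it rather than waiting forever.
if (-not $proc.WaitForExit($TimeoutSeconds * 1000)) {
    Stop-Process -Id $proc.Id -Force
    Write-Error "Installer did not finish in $TimeoutSeconds s; it is probably prompting for input. Check the silent switch."
    exit 2
}

if ($proc.ExitCode -ne 0) {
    Write-Error "Installer exited with code $($proc.ExitCode)"
    exit $proc.ExitCode
}

Write-Output "Silent install completed: $InstallerPath $($SilentArgs -join ' ')"
```

Run it once interactively against a test VM before scheduling it, so a wrong switch shows up as the timeout error and not as a hung deployment queue.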


After exhausting what I could do with Windows systems in my lab, I decided to try LanGuard's "Full Scan (Slow Networks)" scanning profile on an Ubuntu Linux 14.04 server hosted on Amazon EC2. Configuration was a little different this time, as my EC2 Linux server requires an SSH private key for authentication instead of a simple username and password. My first few scan attempts failed because the server's strict firewall rules block pings and only let through three TCP ports. Under the configuration tab, LanGuard allowed me to edit what seemed to be every little detail of the scan profile. I disabled pings and set up a custom list of TCP ports to be used to determine whether the host was online. My next scan attempt ran normally and came back with a couple of insignificant findings, as I expected.

The final thing I wanted to look at was how LanGuard handled scanning mobile devices. Unfortunately, I was unable to test this feature because it requires Microsoft Exchange, Microsoft Office 365, Google Apps for Business, or Apple Profile Manager, none of which I currently have configured in my test lab. But if that changes in the next few months, I'll revisit my LanGuard install and see how well it works.

But can it scale?
As with all lab tests, the caveat is that most testing is done with a limited number of systems compared to what the product will be expected to deal with in an enterprise environment. While it performed incredibly well in my small lab, the real test is to throw a much larger number of systems at it. I’d love to see how it scales to handle thousands and tens of thousands of systems. Most likely you’d need an extremely beefy SQL Server to handle the amount of data returned from scanning so many systems, or you would have to be more selective about what’s being collected. Additionally, geographically diverse locations and offices on slow WAN links would probably need to leverage Relay Agents, which offload some of the work from the central LanGuard server and reduce the amount of traffic transferred from endpoints being scanned and/or remediated.

Overall, I was happy with the performance of LanGuard 2014 in my lab. It did a great job with authenticated agentless and agent-based scans on Windows systems, pushing updates and custom software, and uninstalling unwanted software. For Linux systems, it can only perform agentless scans but was able to identify missing patches and misconfigurations on the Ubuntu and Debian systems I tested. I was a little surprised when I scanned a VMware ESXi server and it didn’t recognize it, but a quick email to support let me know that it's not a supported platform, yet.

The only downside I really encountered during testing is that unauthenticated network scans were not quite as comprehensive as those of some of the pure-play vulnerability scanners with which I'm more familiar. LanGuard feels more like a solution that operations teams would use more often than the security team, because of its ability to push (and revert) system updates, uninstall unwanted software, update or install malware protection, and enable the Windows Firewall.

Comments
theb0x, User Rank: Ninja
8/15/2014 | 9:39:53 PM
To scan or not to scan
Great post, John, and very informative. I have used Rapidfire Tools and I feel that, in comparison, it too is more of a remediation tool than a security tool. On an internal scan it requires the Remote Registry service to be running on all the target systems. That is how the application determines what patches are missing. The exploit itself is never actually verified by any means. Also, both GFI and RapidFire are very noisy, making them practically useless in a pentest even if just used for reconnaissance.