
Application Security

8/15/2014
10:25 AM
John H. Sawyer
Commentary

Test Drive: GFI LanGuard 2014

LanGuard worked well in the lab and may prove more beneficial to IT operations than security teams.

tested (Nmap) uses a standard install process so I expected uninstallation to work. I did not test any custom packaged software or software manually installed without a standard installer.

As a quick test of the custom software deployment feature, I downloaded Wireshark and configured it for automatic installation. One thing I didn't consider was how LanGuard would handle a standard installer that prompts you for input as you install it. A pop-up occurred during the automated Wireshark install letting me know that the installer needed my attention. That's when I realized my mistake and found that passing a "/S" to the installer would silently install it with no prompts. After a quick modification of the deployment configuration, Wireshark was able to install silently with no prompting of the user.

After exhausting what I could do with Windows systems in my lab, I decided to try LanGuard's "Full Scan (Slow Networks)" scanning profile on an Ubuntu Linux 14.04 server hosted on Amazon EC2. Configuration was a little different this time, as my EC2 Linux server requires an SSH private key for authentication instead of a simple username and password. I encountered a problem with my first few attempts to scan because the server's strict firewall rules block pings and only let through 3 TCP ports. Under the configuration tab, LanGuard allowed me to edit what seemed to be every little detail of the scan profile. I disabled pings and set up a custom list of TCP ports that would be used to determine whether the host was online. My next scan attempt ran normally and came back with a couple of insignificant findings, as I expected.
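As an added illustration (not code from the article or from GFI LanGuard): a minimal TCP-based liveness check of the kind the scan profile above was switched to when ICMP was blocked. It keeps the distinction a scanner operator should remember: a refused connection proves the host is up, while a dropped probe proves nothing. The loopback listener is a constructed fixture so the block runs offline.

```python
"""TCP-based host-liveness check for scan targets whose firewall drops ICMP
(added example; mirrors the 'disable pings, use a custom TCP port list'
profile change described in the article, not LanGuard's own code)."""
import socket
from typing import Iterable


def tcp_port_responds(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if the host answers on this port at all.

    An accepted connection and an active refusal (TCP RST) both prove that a
    live stack answered. Only a timeout or routing error is inconclusive:
    the port may be filtered by a firewall rather than the host being down.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except ConnectionRefusedError:
        return True          # RST came back: the host is definitely alive
    except OSError:          # includes socket.timeout and unreachable errors
        return False         # dropped or unreachable: no evidence either way


def host_is_online(host: str, ports: Iterable[int], timeout: float = 1.0) -> bool:
    """Ping replacement: the host counts as up if any probed port answers."""
    return any(tcp_port_responds(host, p, timeout) for p in ports)


def _local_listener() -> socket.socket:
    """Constructed fixture: an ephemeral listener on loopback for a self-test."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


if __name__ == "__main__":
    srv = _local_listener()
    port = srv.getsockname()[1]
    # Constructed port list: the open listener plus an arbitrary closed port.
    print("online:", host_is_online("127.0.0.1", [port, 9]))
    srv.close()
```

On a real firewalled target, put the ports the firewall is known to pass (the three allowed ports in the article's case) in the list; a host that drops everything probed will still be reported as down, exactly as the original ping check would.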

The final thing I wanted to look at was how LanGuard handled scanning mobile devices. Unfortunately, I was unable to test this feature because it requires Microsoft Exchange, Microsoft Office 365, Google Apps for Business, or Apple Profile Manager, none of which I currently have configured in my test lab. But if that changes in the next few months, I'll revisit my LanGuard install and see how well it works.

But can it scale?
As with all lab tests, the caveat is that most testing is done with a limited number of systems compared to what the product will be expected to deal with in an enterprise environment. While it performed incredibly well in my small lab, the real test is to throw a much larger number of systems at it. I’d love to see how it scales to handle thousands and tens of thousands of systems. Most likely you’d need an extremely beefy SQL Server to handle the amount of data returned from scanning so many systems, possibly being more selective in what’s being collected. Additionally, geographically diverse locations and offices on slow WAN links would probably need to leverage Relay Agents that help to offload some of the work of the central LanGuard server and reduce the amount of traffic transferred from endpoints being scanned and/or remediated.

Overall, I was happy with the performance of LanGuard 2014 in my lab. It did a great job with authenticated agentless and agent-based scans on Windows systems, pushing updates and custom software, and uninstalling unwanted software. For Linux systems, it can only perform agentless scans but was able to identify missing patches and misconfigurations on the Ubuntu and Debian systems I tested. I was a little surprised when I scanned a VMware ESXi server and it didn’t recognize it, but a quick email to support let me know that it's not a supported platform, yet.

The only downside I really encountered during testing is that unauthenticated network scans were not quite as comprehensive as some of the pure-play vulnerability scanners with which I'm more familiar. LanGuard feels more like a solution that operations teams would use more often than the security team, because of its ability to push (and revert) system updates, uninstall unwanted software, install and update malware protection, and enable the Windows Firewall.

Comments
theb0x
User Rank: Ninja
8/15/2014 | 9:39:53 PM
To scan or not to scan
Great post John and very informative. I have used Rapidfire Tools and I feel that in comparison it too is more of remediation than a security tool. On an internal scan it requires the Remote Registry service to be running on all the target systems. That is how the application determines what patches are missing. The exploit itself is never actually verified by any means. Also, both GFI and RapidFire are very noisy, making them practically useless in a pentest even if just used for reconnaissance.