8/15/2014
10:25 AM
John H. Sawyer
Commentary

Test Drive: GFI LanGuard 2014

LanGuard worked well in the lab and may prove more beneficial to IT operations than security teams.

[One in an occasional series of IT security product reviews by John Sawyer, a security professional who has worked both as a penetration tester at InGuardians and as a member of the security team in a large enterprise.]

Vulnerability scanners are nothing new. They've been used for years as a part of the security team's toolset for identifying network security issues, by operations to validate patch management, and leveraged by auditors performing compliance audits. Scanners look for outdated software, known vulnerabilities, and misconfigurations so that companies can clean up the low hanging fruit that is easily exploitable by attackers.

I've used quite a few different vulnerability scanners since I first started working as a systems administrator in the late '90s and then transitioned in to security in 2002. Some of them no longer exist, while others have changed owners, gone from open-source to closed-source, or sprung up as new products.

When GFI contacted me about taking a look at its LanGuard 2014 vulnerability scanner, I was immediately interested. For one, I'm a sucker for trying out new tools and products. If it's something that might make my life easier as a penetration tester and security researcher, then I want to take it for test drive to see if it lives up to the hype. Secondly, I'm constantly being asked what tools I would use if I were in someone else's shoes -- and I wouldn't dare make a recommendation for something that I haven't used myself or heard good things about from someone I trust.

Quick and easy install
Since I'm notorious for jumping right in without reading the documentation, I spun up a Windows Server 2008 R2 instance, downloaded the installer, and launched it. The install was quick and easy, with the only real decision being whether I wanted to use Microsoft Access or SQL Server for the database backend. I opted for the Access database because I only planned to interact with around a dozen endpoints and didn't need the additional performance provided by MS SQL Server.

After the installation, I opened up the LanGuard 2014 interface and it recommended that the local Windows server be scanned. The dashboard began to display the server's current health status after a few minutes and indicated there were a couple of missing patches and configuration issues. Before getting too deep into the scan details, it's worth mentioning that the LanGuard interface is a Windows application. This distinction may be important for some. The scanners that I use on a regular basis use a web interface. Personally, I don't have much of a preference for one interface over the other, as long as it does its job well: presenting the information and options I need while remaining responsive in the middle of large scans.

It wasn't until after I'd scanned the local server and started looking at the missing updates that I realized that LanGuard included remediation capabilities -- something that's definitely not in the vulnerability scanners I'm used to. At this point, I started digging into the documentation to see what other fun could be had... uninstalling unwanted software, pushing custom software packages, mobile device scanning, and a few more things that sounded interesting. I quickly pushed the missing patches to my server, rebooted it when the prompt came, and then began scanning other systems in my lab in order to try out the new features I'd just read up on.

I installed the LanGuard agent on a couple of Windows systems to see if there was much of a difference between agent-based scans and agentless ones. Other than the fact that agents are supported only on Windows, and other systems (Linux, OS X, mobile devices) require agentless scans, there wasn't a difference in results. However, this was across only a few systems compared to a large corporate network. When scanning hundreds or thousands of systems, agents would certainly be a requirement because they can perform scanning independently of the server and report back their findings as scheduled.

Automated uninstallation
A quick scan of various systems turned up results that allowed me to test out some of the features I'd found in the documentation. The first was uninstalling unwanted software. Nmap seemed like a good target for automated uninstallation since it was on a few different systems. Following the documentation, it took about four steps and less than five minutes to configure Nmap as unwanted, validate that it could be uninstalled automatically on one system, and start a scan on my other systems. Of course, the software I tested (Nmap) uses a standard install process, so I expected uninstallation to work. I did not test any custom packaged software or software manually installed without a standard installer.

As a quick test of the custom software deployment feature, I downloaded Wireshark and configured it for automatic installation. One thing I didn't consider was how LanGuard would handle a standard installer that prompts you for input as you install it. A pop-up occurred during the automated Wireshark install letting me know that the installer needed my attention. That's when I realized my mistake and found that passing a "/S" to the installer would silently install it with no prompts. After a quick modification of the deployment configuration, Wireshark was able to install silently with no prompting of the user.
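The prompting-installer problem described above is worth guarding against in any deployment job, not just LanGuard's. The following PowerShell function is an added example, not code from the article or from GFI: it runs an installer with a silent switch and enforces a timeout, so an installer that stops to wait for a dialog is killed and reported instead of hanging the job indefinitely. The `/S` switch is the one the article found worked for the Wireshark installer; the function name, parameter names and the installer path in the usage line are assumptions made for this example.

```powershell
# Added example (not the author's or GFI's code): unattended install with a timeout.
# Assumes an installer that honours a silent switch such as /S (as the Wireshark
# installer in the article did). Invoke-SilentInstall, its parameters and the sample
# path below are hypothetical names chosen for this example.
function Invoke-SilentInstall {
    param(
        [Parameter(Mandatory)][string]$InstallerPath,
        [string[]]$SilentArgs = @('/S'),   # silent switch(es) accepted by the installer
        [int]$TimeoutSeconds = 600         # longer than a normal install, shorter than "forever"
    )

    if (-not (Test-Path -Path $InstallerPath)) {
        throw "Installer not found: $InstallerPath"
    }

    # Start without -Wait so the timeout can be enforced here rather than by the caller.
    $proc = Start-Process -FilePath $InstallerPath -ArgumentList $SilentArgs `
                          -PassThru -WindowStyle Hidden

    # Touching the handle early ensures ExitCode is populated after the process exits
    # (a known Start-Process -PassThru quirk).
    $null = $proc.Handle

    if (-not $proc.WaitForExit($TimeoutSeconds * 1000)) {
        # An installer that is still running after the timeout is almost always
        # sitting on a dialog that nobody will ever click. Kill it and report that,
        # so the deployment job fails visibly instead of stalling.
        Stop-Process -Id $proc.Id -Force -ErrorAction SilentlyContinue
        return [pscustomobject]@{
            Installer = $InstallerPath
            Status    = 'TimedOut'
            ExitCode  = $null
        }
    }

    # Exit code 0 is the conventional success value; anything else is surfaced to the caller.
    return [pscustomobject]@{
        Installer = $InstallerPath
        Status    = if ($proc.ExitCode -eq 0) { 'Succeeded' } else { 'Failed' }
        ExitCode  = $proc.ExitCode
    }
}

# Usage with a constructed path (the Wireshark version placeholder is not a real file name):
# Invoke-SilentInstall -InstallerPath 'C:\deploy\Wireshark-win64-<version>.exe' -SilentArgs '/S' -TimeoutSeconds 300
```

The returned object is deliberately structured rather than printed, so a deployment script can log `TimedOut` results separately from genuine installer failures and go back to check whether the silent switch was actually honoured.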

After exhausting what I could do with Windows systems in my lab, I decided to try LanGuard's "Full Scan (Slow Networks)" scanning profile on an Ubuntu Linux 14.04 server hosted on Amazon EC2. Configuration was a little different this time, as my EC2 Linux server requires an SSH private key for authentication instead of a simple username and password. I encountered a problem with my first few attempts to scan because the server's strict firewall rules block pings and only allow three TCP ports through. Under the configuration tab, LanGuard allowed me to edit what seemed to be every little detail of the scan profile. I disabled pings and set up a custom list of TCP ports that would be used to determine whether the host was online. My next scan attempt ran normally and came back with a couple of insignificant findings, as I expected.

The final thing I wanted to look at was how LanGuard handled scanning mobile devices. Unfortunately, I was unable to test this feature because it requires Microsoft Exchange, Microsoft Office 365, Google Apps for Business, or Apple Profile Manager, none of which I currently have configured in my test lab. But if that changes in the next few months, I'll revisit my LanGuard install and see how well it works.

But can it scale?
As with all lab tests, the caveat is that most testing is done with a limited number of systems compared to what the product will be expected to deal with in an enterprise environment. While it performed incredibly well in my small lab, the real test is to throw a much larger number of systems at it. I'd love to see how it scales to handle thousands and tens of thousands of systems. Most likely you'd need an extremely beefy SQL Server to handle the amount of data returned from scanning so many systems, and you'd possibly need to be more selective about what is collected. Additionally, geographically diverse locations and offices on slow WAN links would probably need to leverage Relay Agents, which help to offload some of the work of the central LanGuard server and reduce the amount of traffic transferred from endpoints being scanned and/or remediated.

Overall, I was happy with the performance of LanGuard 2014 in my lab. It did a great job with authenticated agentless and agent-based scans on Windows systems, pushing updates and custom software, and uninstalling unwanted software. For Linux systems, it can only perform agentless scans, but it was able to identify missing patches and misconfigurations on the Ubuntu and Debian systems I tested. I was a little surprised when I scanned a VMware ESXi server and it didn't recognize the platform, but a quick email to support let me know that it's not a supported platform, yet.

The only downside I really encountered during testing is that unauthenticated network scans were not quite as comprehensive as those of some of the pure-play vulnerability scanners with which I'm more familiar. LanGuard feels more like a solution for operations teams than for the security team, because of its ability to push (and revert) system updates, uninstall unwanted software, update or install malware protection, and enable the Windows Firewall.
