By Cameron Sturdevant  |  Posted 2005-12-12 Print this article Print

Latis Networks Inc. has added vastly improved reporting capabilities to its StillSecure VAM 5.3, beefing up an already-capable network-based vulnerability assessment and management tool.

eWEEK Labs tests show StillSecure VAM 5.3, released in October and priced at $53 per managed IP address, doesnt set any new standards in its fairly competitive space. However, the new reports and passable integration with Microsoft Corp.s SMS (Systems Management Server) 2003, along with what Latis calls Extensible Security Plug-In Architecture, certainly bring the product up to par with rival vulnerability assessment tools.

We tested StillSecure VAM 5.3 using two preinstalled hardware appliances, although the software is usually sold and then installed on server-class equipment by the customer. We used one of the Dell Inc. PowerEdge 1750 2.8GHz dual-processor servers with 2GB of RAM in our downtown San Francisco test lab functioning as the central server, while an identical system was installed at eWEEK headquarters in Woburn, Mass.

During this vulnerability assessment test, we took a slightly different tack from previous tests by looking more closely at false positives rather than concentrating so much on the vulnerabilities that StillSecure VAM 5.3 missed. We took this approach because vulnerability assessment tools have gotten very good at finding weaknesses; the real problem with these systems is the almost-overwhelming number of false positives that can bog down IT administrators with a largely fictitious workload.

For example, we ran scans on a variety of machines running Sun Microsystems Inc.s Solaris; Microsofts Windows 2000 Server and Server 2003, as well as Windows XP and 2000 Professional; Red Hat Inc.s Red Hat Enterprise Linux 3; and Novell Inc.s SUSE Linux 10. The initial reports were truly alarming. But when we actually started working through the weaknesses that VAM reported, we found that nearly half of the reported problems in our Windows systems didnt really exist .

StillSecure VAM 5.3, which relies heavily on Tenable Network Securitys open-source project, Nessus, and Insecure.orgs open-source project, Nmap, was apparently looking at the reply banners from probes of our test systems and wasnt performing intrusive tests that could have more accurately identified potential problems—but likely would also have wreaked havoc with our systems.

We wish to stress that this is not a problem unique to StillSecure VAM 5.3. Nearly every other competitor weve tested generates similarly large numbers of false positives. To its credit, StillSecure VAM 5.3 has a fairly efficient mechanism that allowed us to identify false-firing rules and then ignore them in subsequent scans of our test systems.

Our StillSecure VAM 5.3 system came with more than 8,100 rules, a very common condition with Nessus-based vulnerability assessment tools—which is to say practically every vulnerability tool available today. During a period of three weeks, we were able to tune our StillSecure VAM 5.3 scanner to razor sharpness and, by the end of our tests, had very manageable numbers of false-positive reports, usually less than one per day. We configured our system to update rules from Latis Networks every 3 hours throughout the day and night.

Using StillSecure VAM 5.3s combination of old and new technology, we were able to zero in on potentially troublesome systems in our network. The new technology is Version 5.3s reporting module called Security POV (Point of View).

StillSecure VAM 5.3, on at least a daily basis, downloads information about the The SANS Institutes SANS Top 20 most commonly reported Internet security vulnerabilities. We scheduled the report to run daily against our test systems to compare our machines to likely threats.

Intelligent scanning

device discovery and scanning is easily automated in StillSecure VAM 5.3, with the help of the products unique Intelliscan vulnerability assessment tool. After we selected which scans to run or created our own scans—for example, to see if upgrades made to our systems closed the vulnerability found by StillSecure VAM 5.3—Intelliscan determined relevant scans based on operating system, installed applications and other device attributes and ensured that only these scans were run against the target. This level of specialization can be a tremendous timesaver in large-scale scan-intensive projects.

StillSecure VAMs robust vulnerability repair workflow, which was available in previous versions, let us home in on problem systems. The workflow functions like a mini-help-desk system: As vulnerabilities were discovered in target systems, we could assign repair jobs and rerun scans to ensure that problems got fixed.

We used several of the 60-plus included reports to correlate repair status by machine and technician to ensure that our systems were being repaired in a timely fashion. IT managers will likely find these reports useful for demonstrating compliance with regulations that require companies to show due diligence in making repairs to systems containing private or sensitive information.

Although zero-day exploits emerge every day, patches exist for the most common vulnerabilities. StillSecure VAM 5.3 integrates loosely with Microsofts SMS and reports on deployed and installed patches using Microsofts system. We found the products integration with SMS to be adequate but not as neat as competitors that make patch management tools as complementary products.

StillSecure VAM 5.3 does integrate with the StillSecure Safe Access network-access-control product, as well as the StillSecure Strata Guard intrusion detection/ prevention system.

Next page: Evaluation Shortlist: Related Products.

Cameron Sturdevant Cameron Sturdevant has been with the Labs since 1997, and before that paid his IT management dues at a software publishing firm working with several Fortune 100 companies. Cameron also spent two years with a database development firm, integrating applications with mainframe legacy programs. Cameron's areas of expertise include virtual and physical IT infrastructure, cloud computing, enterprise networking and mobility, with a focus on Android in the enterprise. In addition to reviews, Cameron has covered monolithic enterprise management systems throughout their lifecycles, providing the eWEEK reader with all-important history and context. Cameron takes special care in cultivating his IT manager contacts, to ensure that his reviews and analysis are grounded in real-world concern. Cameron is a regular speaker at Ziff-Davis Enterprise online and face-to-face events. Follow Cameron on Twitter at csturdevant, or reach him by email at csturdevant@eweek.com.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel