QualysGuard Spots, Reports Flaws

Hardware/service combo tailors analysis and guards data.

Qualys Inc.s QualysGuard Intranet Scanner is worthy of serious consideration when IT managers need to assess vulnerabilities in their network infrastructure.

QualysGuard, which became available last month, combines a $2,995 hardware appliance with a subscription service that analyzes data collected from any device with an IP address. The cost of an annual subscription that allows an unlimited number of scans varies widely: 64 IP addresses are priced at $19,995 ($312 per address), whereas 256 addresses cost $44,995 ($176 per address).

In eWeek Labs test network, every one of our Novell Inc. NetWare, Microsoft Corp. and Sun Microsystems Inc. servers had a range of problems that QualysGuard picked up during its first sweep. Interestingly, when we took our network down over the weekend so that none of the exposures would result in a compromise of our test network, QualysGuard reported problems were "fixed." QualysGuard made this determination based on a comparison of a report that showed a vulnerability one day and the absence of that vulnerability the next.

Even with this slight confusion, QualysGuard quickly mapped the network and pointed out a large number of vulnerabilities in a neat report that also graded the problems on a scale from 1 (low impact) to 5 (urgent). This version enabled us to create reports tailored to show only vulnerabilities in specific devices.

For example, we created a report that included our NetWare file servers so that they were separated from the Sun and Microsoft servers that were also running in the testbed. QualysGuard identified 29 vulnerabilities, which was not surprising because we had not applied any fixes to the NetWare 5.1 system.

As we applied security fixes, vulnerabilities (such as Novell management portal accessibility) were closed and reported fixed by QualysGuard.

In this version, report data is normalized to the Common Vulnerabilities and Exposures list of standardized names (see www.cve.mitre.org for more information). Security administrators who are already using this popular site to categorize vulnerabilities and security exposures can easily fit QualysGuard scans into their workflow. Where possible, QualysGuard reports link to reliable documentation about vulnerabilities, so IT managers can take steps to evaluate and fix these problems.

The vulnerability assessment field is crowded with competitors. Among them are Internet Security Systems Inc.s Internet Scanner and the open-source Nessus, from The Nessus Project. The biggest difference is that QualysGuard analyzes data off-site and makes reports available to administrators via a Web interface.

The QualysGuard system generates strong passwords and sends them via an encrypted e-mail to the IT administrator. No one at Qualys can access the password files, and all vulnerability data is stored in an encrypted database. We believe Qualys has taken the necessary steps to protect data, but IT managers should make this line of questioning a part of their presales check of the company.

Senior Analyst Cameron Sturdevant can be contacted at cameron_sturdevant@ziffdavis.com.