Vulnerability assessment and patch management go hand in hand as essential parts of network and endpoint security administration. Many products scan for vulnerabilities such as open TCP ports, open shares, unused user accounts, weak passwords and missing security updates.
Combining those scans with automated deployment of new patches for operating systems, applications, security software and custom applications moves these products from diagnosis to remediation. From the smallest home office to the largest multinational company, conducting proactive vulnerability assessment and patch management is a time-consuming yet necessary task.
GFI LANguard traces its heritage to the days when a vulnerability assessment tool could survey and scan the network and then generate a report that an administrator would have to follow up on separately. Yet, as networks have grown in size and complexity, simply scanning and reporting missing patches doesn’t provide a complete and proactive solution. LANguard can scan and report vulnerabilities as well as take corrective action such as deploying patches to machines running Microsoft Windows.
GFI LANguard 9.0 is the most recent update to a tried-and-true network vulnerability assessment and patch management software utility that adds the ability to tell whether a scanned machine is real or virtual, one-click launching of a remote desktop connection to scanned Windows clients, and automatic remediation of unauthorized applications. I’ve used this product for more than five years in my consulting practice, typically to conduct a network security “needs assessment” at client sites which can then be included in proposals.
GFI LANguard 9.0 is an essential component of a network security consultant’s toolbox and can also be helpful for SMBs, although very large enterprises should look for a more scalable solution. I began this review by downloading and installing LANguard 9.0, GFI Report Center and the GFI LANguard Report Pack.
Installation went without a hitch, and then I launched LANguard. From the startup screen I chose Scan Entire Network, which performed a complete audit of a range of IP addresses. A complete audit includes OVAL, SANS Top 20, CVE and about 15,000 other vulnerabilities, and takes quite a bit of time depending on your network’s size. After running a complete audit, I configured LANguard to run abbreviated scans by running the Custom Scan Wizard and to run regularly scheduled scans and e-mail reports to me with the New Scheduled Scan wizard. Not only are common tasks wizard-driven, but context-sensitive help is thorough and informative; this is a highly accessible security tool.
Little Administrative Effort
While configuring scans, I had the option of providing Windows or SSH credentials to gain access to systems in order to perform deeper scans. I could also apply rules for auto-remediation, such as downloading and installing missing patches or service packs, or uninstalling non-whitelisted applications. In a simple environment, the auto-remediation features provided by the combination of LANguard and WSUS (Windows Software Update Services) could keep endpoints ship-shape with almost no administrative effort. Just let everything run as planned and review reports when you get to work in the morning.
Patch management is provided via tight integration with WSUS, a free tool provided by Microsoft that can be used to deploy updates to Microsoft Windows Server 2000 and higher, Windows XP and higher, and other Microsoft applications, such as Exchange 2003 and higher and Office XP and higher. WSUS allows a local administrator to test and approve updates from the public Windows Update site before company-wide deployment. Patch deployment can be scheduled and reported.
LANguard adds the ability to deploy third-party software and patches as well as deployment to Windows NT.
Once I installed WSUS on my Windows Server 2008 and pushed the clients to my Windows XP Professional SP3 workstations, scanning and patching was easy. I had a great deal of control over when security updates and service packs were downloaded, plus I could approve each patch before pushing it to clients. In the event of an incompatibility, I could remove patches just as easily as I applied them.
Report Center and the Report Pack, offered as free add-ons, are strong points of the solution. After running a scan, I launched the GFI LANguard ReportPack and imported scan results with the click of a button. From there I was given a list of different reports grouped by topic.
Executive reports provide overview and trend analysis with such reports as Network Vulnerability Summary and Network Vulnerability Trend. Statistical reports provide information related to vulnerability and operating system and include OS Service Pack Distribution, Vulnerability Distribution by Host and Vulnerability Distribution by OS. Technical reports provide technical information on vulnerabilities, missing patches and open ports, including reports such as Installed Patches Grouped by Host, Missing Patches Grouped by OS, Open Trojan Ports by Host and Vulnerability Listing by Host.
I could quickly generate reports such as Open Trojan Ports, Vulnerable Hosts based on Missing Patches and Vulnerable Hosts based on Open Ports. These reports can be scheduled and automatically distributed via e-mail, printed or exported to HTML, PDF, XLS, DOC or RTF for inclusion in more comprehensive reports of network health. A feature that made my life easier is the ability to bookmark the reports that I found the most useful. However, I found the mechanic of running scans in one application and running reports in another to be unwieldy and cumbersome; it’s best to filter (by workstation, for example) before exporting from LANguard, but that requires knowing what you want to see in a report before even launching Report Center.
A one-year license starts at $32 per IP address, $10 per IP for 100-249 IP addresses, $4 per IP for 3,000-3,999 IP addresses.
Matthew D. Sarrel is executive director of Sarrel Group, an IT test lab, editorial services, and consulting firm in New York City.