nCircle’s Configuration Compliance Manager 5.2 helps IT managers at medium to large-sized companies satisfy the demands of regulatory compliance by collecting information relevant to PCI, SOX and HIPAA compliance requirements from a wide variety of IT infrastructure devices, such as servers, routers and firewalls.
While nCircle has offered this compliance scanning solution since May 2007, when the firm acquired the agentless configuration auditing product line of Cambia Security, nCircle has recently bolstered CCM 5.2 by offering the option of pairing the software with its appliance-based Device Profiler 3000 (DP3000).
Together, CCM 5.2 and the DP3000 appliance pack a powerful punch for organizations that must conform to multiple regulatory requirements. The DP3000 can scan up to three separate physical networks using built-in NICs to bypass firewalls and routers and intrusion prevention systems that would otherwise hamper data collection efforts.
Prior to the addition of DP3000 appliance support, security managers deploying CCM had to install a software scan engine in each network and configure rules to enable the scan results to be sent back to the CCM data repository.
The 1U DP3000 appliance, which had previously served as the hardware-based scanning appendage of nCircle’s IP360 vulnerability assessment and configuration monitoring platform, sells for $5,150 on its own, or may be acquired as part of a $55,126 package that includes the CCM 5.2 software, a DP3000 appliance and a license for 250 servers and 50 network devices/workstations.
IT buyers should be aware that while that scan engine in the DP3000 can work with either the CCM or the IP360 but not both at the same time. Company officials said that the goal is for a completely integrated scan engine. I found it rather clumsy to reboot the device into its separate service modes, as I had to issue the commands from a serial port-connected terminal, rather than over the network via SSH.
I used the DP3000 with nCircle’s (CCM) to scan my lab network to determine if configuration settings conformed to requirements in PCI-DSS (Payment Card Industry-Data Security Standards) and to ensure compliance with SOX (Sarbanes-Oxley) control objectives. Out of the box, the DP3000 is also able to scan for HIPAA compliance as well.
CCM can use the DP3000 to scan systems running Solaris, HP-UX, Linux, operating systems for strict security settings according to a number of different organizations including the Center for Internet Security. I was able to scan my Cisco switches running IOS and Web servers running Apache for these same strict security settings as well.
CCM uses the information gathered by the DP3000’s agentless collection methods to create audit reports. These reports can be used by senior managers to get an overall compliance picture, while system administrators can get detailed reports that show what actions should be taken to bring a system or application up to snuff. In addition, these reports can be used to quickly provide auditors with the information they require to vet an organization’s compliance posture.
I created several test reports on the system and found that while the reports are easy to create, managers will likely have to spend at least a week after getting the product up and running to fine tune reports to provide the needed information. As it was, my initial attempts at reporting often created results that ran into the thousands of pages.
Scanning the network for systems and showing the discovered resources in the management console was the easy part of using the DP3000. The real work revolved around applying the various PCI and SOX policies to groups of systems or individual machines. Security managers will need to work closely with business managers to ensure that the appropriate policies are applied to the correct systems in the network.
While the duo of the CCM and the DP3000 handle virtual machine-based network denizens in the manner as physical systems, it’s less clear how compliance scanning will or should operate in the face of the dynamic creation and decommissioning of virtual systems. I’d like to see nCircle and other vendors address these issues by adding capabilities to ensure the automatic application of policy to these systems, perhaps based on a profile that might use operating system plus application plus logical location to equal automatic PCI compliance policy enforcement.
IT managers who deploy CCM should consider taking a training class from nCircle to learn how to modify policies and tests in order to best customize them to suit the individual needs of their organizations.
CCM scans can be customized to accommodate Cisco IOS and PIX, SNMP, Check Point firewall, Microsoft SQL Server and Oracle database connectivity and authentication. Scans can also be user-customized to address Apache Web servers and Symantec antivirus products.
The list of supported operating systems and applications should cover most smaller enterprises that are using commonly available servers and operating systems. Large enterprise managers should check the scan policy library to be sure that it appropriately accommodates the range of systems that must be scanned to complete an audit.