Can something really good get better? That was the question that faced us when we were assigned to review GFI's LANguard Network Security Scanner, Version 8, already well loved (and glowingly reviewed) at Version 5.
All vulnerability scanners for Windows environments fulfil the same basic function, but as the old saying goes “It's not what you do; it's the way that you do it”. GFI have kept all the good points from their previous releases and built on them; and the result is a tool that does everything you would want with an excellent user interface that is both task efficient and a real pleasure to use.
Visit GFI's website and you can download a fully-functional version that you can try before you buy; for ten days if you prefer to remain anonymous or for thirty days if you swap your details for an evaluation code. The download is 32Mb expanding to 125Mb on your disk when installed.
Installation is straightforward. All the software needs is an account to run under, details of its back-end database and a location to reside. MS Access, MSDE or MS SQL Server databases are supported and you can even migrate your data from one to another if needs be.
First of all, if you have a license key you can enter it during installation to save time later – just a little thing, but it shows this software has been designed in a very logical manner.
You're then asked for an account to run the Attendant service, the first of the Version 8 enhancements. This, as its name suggests, is a Windows service that sits in your system tray and allows you easy access to the program and its documentation plus a handy window that lets you see everything the scanner is doing as it works away in the background.
After this you're asked whether you'd like your scan results stored in Microsoft Access or SQL Server (2000 or higher). This is another nice feature, particularly if you're using the tool to audit, patch and secure an entire infrastructure.
One feature we really liked is the ability to run unattended scheduled scans and email the results. This is a feature you won't find in any other similar product.
GFI's LANguard scanner doesn't just find vulnerabilities; it will also download the updates that fix them and patch your machines for you.
Finally, you can tell the software where to install itself and sit back while the installation completes.
Each time you start the scanner it checks with GFI for more recent versions and for updated vulnerabilities and patches. You can turn this off if you don't always have internet access.
You'll also get a wizard to walk you through the most common scanning tasks. This is great for new users and again you can turn it off once you become familiar with the product.
Everything takes place in one uncluttered main screen. As our first review task we closed the wizard and simply ‘had a go’ without having read a single line of documentation. It's a testament to the good design of the interface that within a few mouse clicks we were scanning our first test system without any problems.
The left-hand pane contains the tools, menus and options available to you. This is split over three tabs, an improvement over Version 5 where everything sat in one huge list. To the right of this are two panes that display the information or settings relating to the option you've chosen, and the results the product has obtained. Below them is a results pane that shows what the scanner is up to, tabbed again to let you view the three scanner threads or the overall network discovery.
Performance and Results
It's fast. While performance obviously depends on your system and network, we were pleasantly surprised by the efficiency and speed of the scan.
Speed is nothing, however, without results, and the product doesn't disappoint. Results are logically presented as an expanding tree beneath an entry for each scanned machine. Select one of the areas in the left pane and you'll get the detail in the right pane. Right-click there and you can take appropriate action; in our example, right-clicking will attempt a connection on that port.
Vulnerabilities are similarly presented with rich and helpful descriptions, while references for further information from Microsoft and others plus the ability to deploy the relevant patches are just a right-click away.
The scanner is also surprisingly resilient. We decided to be mean and ran a scan of a desktop PC on a large network – via a VPN tunnel within a VPN tunnel across the public internet with an 11Mb/s wireless LAN connection on the other end. The scan took about ten minutes but completed fine.
Finding vulnerabilities is only half the story; this product will also help you fix them. One click at the machine level of the scan results opens yet another helpful screen that gathers all your options in one place. You can elect to remotely patch the errant machine, shut it down or even berate the operator, and a particularly nice touch is the list of your top five most pressing problems.
Patch deployment is similarly intuitive. The product can download the required patches for you, either now or at a scheduled time, and can access files already downloaded by a WSUS server if you have one. Once you have the files available you can patch now or schedule the deployment, and either way installation is automatic.
Alongside this is another Version 8 feature which gives you access to the same mechanism to deploy and install software of your choice. We tested this by push-installing some freeware tools, but all you need is a fully scripted install for unattended installation and you can deploy anything you like out to your remote machines. This is where the Attendant Service comes in again as the tray application provides a neat log of what's scheduled and what's happened. Our example shows how good the error reporting is (we deliberately supplied the wrong credentials).
This powerful feature is also remarkably configurable – you can specify where the copied files should go, check the OS before installation, change the user credentials (important for file system access and for push-installing the Patch Agent service), reboot afterwards or even seek user approval before going ahead. We've used other tools before for software deployment and we felt right at home with the facilities here.
Scripting and Tools
Another plus for the busy administrator is the facility to schedule scans to run when you'd rather be away doing something else. You can schedule a simple timed scan and have the results emailed to you, or you can set up repeating scans and have the product compare the current results with the previous and only alert you if something has changed. If you don't want your inbox battered you can sleep soundly knowing you can still consult the database next morning to review the results. And if you have mobile users your group scan (or patch) jobs can stay active until your last elusive road warrior has appeared on the network and been processed. Resistance is futile!
Under the Tools tab there are a few more goodies including an SNMP audit to find insecure community strings. This was the site of our only disappointment with the product – we would have liked the ability to write our own tools and add them in here, but it seemed we'd finally found something GFI hadn't thought of.
Having said that, all the other scripting and tweaking facilities you'd expect are there, including a comprehensive command-line interface for both scanning and patch deployment and the ability to write custom vulnerability definitions in VBScript. All this and more is adequately documented in the well-written on-line help and user manual, and if you're still stuck there's a link to GFI's knowledgebase from within the program itself.
We were really impressed by this product. GFI have done an excellent job here and produced a great tool, which combines vulnerability scanning and patch management, with heavyweight features and an excellent user interface that is a joy to work with.