Review by Alan Drury and John Watters
With LanGuard 2011 GFI has left behind its old numbering system (this would have been Version 10), perhaps in an effort to tell us that this product has now matured into a stable and enterprise-ready contender worthy of serious consideration by small and medium-sized companies everywhere.
Well, after reviewing it we have to agree.
In terms of added features the changes here aren’t as dramatic as they were between say Versions 8 and 9, but what GFI have done is to really consolidate everything that LanGuard already did so well, and the result is a product that is rock-solid, does everything that it says on the tin and is so well designed that it’s a joy to use.
As usual for GFI we downloaded the fully-functional evaluation copy (124Mb) from its website and received our 30-day trial licence by email shortly afterwards. Permanent licences are reasonably priced and on a sliding scale that gets cheaper the more target IP addresses you want to scan. You can discover all the targets in your enterprise but you can only scan the number you’re licensed for.
Installation is easy. After selecting your language your system is checked to make sure it’s up to the job:
The installer will download and install anything you’re missing but it’s worth noting that if you’re on a secure network with no internet access then you’ll have to get them yourself.
Once your licence is in place the next important detail is the user account and password LanGuard will use to access and patch your machines. We’d suggest a domain account with administrator privileges to ensure everything runs smoothly across your whole estate. And, as far as installation goes, that’s pretty much it.
LanGuard opened automatically after installation and we were delighted to find it already scanning our host machine:
The home screen (above) shows just how easy LanGuard is to use. All the real-world tasks you’ll need to do are logically and simply accessible and that’s the case all the way through. Don’t be deceived, though; just because this product is well-designed doesn’t mean it isn’t also well endowed.
Here’s the first treasure – as well as scanning and patching multiple versions of your Windows OS’s LanGuard 2011 interfaces with other security-significant programs. Here it is berating us for our archaic versions of Flash Player, Java, QuickTime and Skype:
This means you can take, from just one tool, a holistic view of the overall security of your desktop estate rather than just a narrow check of whether or not you have the latest Windows service packs. Anti-virus out of date? LanGuard will tell you. Die-hard user still on an older browser? You’ll know. And you can do something about it.
Not only will LanGuard tell you what’s missing, if you click on Remediate down in the bottom right of the screen you can ask the product to go off and fix it. And yes, that includes the Java, antivirus, flash player and everything else:
Want to deploy some of the patches but not all? No problem. And would you like it to happen during the dark hours? LanGuard can do that too, automatically waking up the machines, shutting them down again and emailing you with the result. Goodness, we might even start to enjoy our job!
LanGuard can auto-download patches, holding them ready for use like a Windows SUS server, or it can go and get them on demand. We just clicked Remediate and off it went, downloaded our updated Adobe AIR and installed it without any fuss and in just a couple of minutes.
Agents and Reports
Previous versions of LanGuard were ‘agentless’, with the central machine scanning, patching and maintaining your desktop estate over the network. This was fine but it limited the throughput and hence what could be achieved in a night’s work. While you can still use it like this, LanGuard 2011 also introduces a powerful agent-based mode. Install the agent on your PCs (it supports all the current versions of Windows) and they will do the work while your central LanGuard server merely gives the orders and collects the results. The agents give you a lot of power; you can push-install them without having to visit every machine, and even if a laptop strays off the network for a while its agent will report in when it comes back. This is what you’d expect from a scalable, enterprise-credible product and LanGuard delivers it in style.
The reports on offer are comprehensive and nicely presented. Whether you just want a few pie charts to convince your boss of the value of your investment or you need documentary evidence to demonstrate PCI DSS compliance, you’ll find it here:
A particularly nice touch is the baseline comparison report; you define one machine as your baseline and LanGuard will then show you how your other PCs compare to it, what’s missing and/or different:
What else can this thing do? Well there’s so much it’s hard to pick out the best points without exceeding our word limit, but here are a few of our favourites:
- A comprehensive hardware audit of all the machines in your estate, updated regularly and automatically, including details of the removable USB devices that have been used
- An equally comprehensive and automatic software audit, broken down into useful drag-and-drop categories, so you’ll always know exactly who has what installed. And this doesn’t just cover applications but all the stuff like Java, flash, antivirus and antispyware as well
- The ability to define programs and applications as unauthorised, which in turn allows LanGuard to tell you where they are installed, alert you if they get installed and – oh joy, automatically remove them from the user’s machines
- System reports including things like the Windows version, shared drives, processes, services and local users and groups including who logged on and when
- Vulnerability reports ranging from basic details like open network ports to detected vulnerabilities with their corresponding OVAL and CVE references and hyperlinks for further information
- A page of useful tools including SNMP walk, DNS lookup and enumeration utilities
We really liked this product. If you have a shop full of Windows desktops to support and you want complete visibility and control over all aspects of their security from just one tool then LanGuard 2011 is well worth a look. The real-world benefits of a tool like this are undeniable, but the beauty of LanGuard 2011 is in the way those benefits are delivered. GFI has drawn together all the elements of this complicated and important task into one seamless, intuitive and comprehensive whole and left nothing out, which is why we’ve given LanGuard 2011 the coveted Firewall.cx 10/10 award.