
BindView bv-Control for Internet Security V3

If anyone should know about security auditing it is BindView, having produced a very successful line of NetWare and NT auditing tools over the years. It is only natural, therefore, that they should venture into the Vulnerability Assessment marketplace.

bv-Control for Internet Security (formerly HackerShield) takes a slightly different approach, however, to the usual "hacker in a box" type of product. Aimed more at the network administrator than the security professional, it combines elements of vulnerability assessment, security policy enforcement, system auditing and file integrity checking in a single package.

Installation

Installation is straightforward, and is done in two stages with the latest release. This is because BindView has replaced the old HackerShield interface with an MMC-compliant one, which still works in the same way but which now integrates fully with a central console which controls and administers all of the bv-Control product line from a single point. Thus, the installation routine actually installs the console first, and then the console is used to install individual bv-Control modules.

Once installation has finished, you have the chance to run the product on an evaluation license, or to install a license key to determine the number of IP addresses that can be scanned.

Configuration

bv-Control presents the administrator with an easy-to-use three-pane interface.

Figure 1 - The bv-Control Console

The hierarchical tree menu in the left-hand pane provides access to Reports, Targets, Jobs, Security Checks and the report Archive, whilst on the right is a network map and a list of target hosts. It is also possible to add or remove frequently-used items from the Favourites tab in order to personalise the console. This user interface will certainly feel familiar to anyone who has used Microsoft's Management Console (MMC) standard.

The Network Map window is where bv-Control goes out to the network and discovers hosts in order to make them available for scanning. Each host is listed with its DNS/NetBIOS name, IP address and operating system. Unfortunately we found that bv-Control incorrectly identified Windows 2000 hosts as Windows 95/98/NT regularly and consistently (though not every Windows 2000 machine on our test network was wrongly identified).

Initially, the Network Mapper scans only the local subnet, but additional subnets can be added by right-clicking with the mouse and entering the IP and net mask details. Once added, these subnets too can be scanned by the Mapper. For hosts which you know exist, but which are not showing up on Mapper scans for some reason, it is possible to manually add a host. After using this interface for only a little while, we found ourselves wishing for a similar facility on the competition, instead of having to manually enter a range of IP addresses to scan. Only e-Secure from Networks Vigilance offers such a capability.

Once you have your network mapped, you need to drag the individual hosts or complete subnets across to the Target pane in order to scan them. Multiple target groups can be created to logically group machines together for scanning, allowing you to run separate scans easily on your "Sales" PCs and "Finance" PCs, for example, an extremely useful capability. It is also possible for the same host to exist in multiple groups. The Target window behaves as your "licensed hosts pool", and the number of available units is reduced automatically each time one or more hosts is dragged from the Network Map to the Target window.

Once you have the Target Groups assembled, right clicking on either a group or an individual host within a group brings up the scanning menu. A number of useful pre-defined scanning policies are available for immediate use:

  • All: a comprehensive scan (all checks enabled, including dangerous DOS attacks)
  • Normal: the All policy without dangerous "live fire" DOS attacks or extensive password cracking
  • Latest Update: when RapidFire Update is installed, this policy reflects the new checks from the latest update
  • Quick: a minimal set of checks for a quick scan
  • Password Cracker: extensive password cracking only
  • SANS Priority One: all the checks currently rated by SANS as the highest priority

These are enough to get most administrators off and running with a minimum of fuss. Indeed, most organisations would probably never need to create new policies of their own. The Normal policy will be the one most commonly used by most administrators in order to provide maximum protection without disrupting the network, whilst after each RapidFire update the Latest Update policy will provide assurance (or not) that the network is safe from the latest known hacks.

All that is required is to select a policy and confirm your choice in order to initiate a scan. It is very important, however, that the scanning machine is part of the NT domain to be scanned and is logged in with administrator privileges, otherwise many of the NT-related checks cannot be executed. This causes serious problems in environments which do not use domains, but make use of stand-alone NT boxes or workgroups.

It would be better for the scanner to attempt to log in to each Windows machine using the user name and password the administrator has used to log in to the scanning host itself (this is the approach taken by CyberCop Scanner, for example). This would provide the means to access each host as an administrator, whilst removing the reliance on NT domains.

Figure 2 - Monitoring the progress of a scan job

During the scan bv-Control brings up a very informative real-time status window showing the scan progress for every machine selected, including which module is currently running and how many vulnerabilities have been found so far.

Existing policies can be amended and new policies created in the Security Checks window. This is a fairly straightforward process, even for the non-security minded, since there is not much scope for modification or customisation. This means that it has limited scope for the true security professional, but makes the product much more attractive to the average network administrator who is not a security specialist.

The available checks are divided into a number of categories such as Denial Of Service (DOS), DNS, C2, FTP, mail server, Web server, file sharing, passwords, user accounts and information gathering (amongst others). It is apparent, however, that there are nowhere near as many vulnerability checks included in this product as there are in some of the mainstream VA products, but BindView is working hard to rectify this.

The company insists that its vulnerability database contains a far higher number of "generic" checks than the competition, resulting in multiple alerts in other products being represented by a far more useful single alert in bv-Control. Whilst this is true in some circumstances, our tests proved that bv-Control consistently missed real vulnerabilities that were being detected by competing products.

Entire sections can be selected or deselected using a single check box, or individual tests can also be included or excluded in the same way. Each vulnerability test has a brief description against it, along with a more detailed (and often very extensive) description available at the click of a button. It also has a Security Check Configuration box associated with it, but for most tests this is greyed out and unused.

Figure 3 - Modifying scan policies

One example of where bv-Control will prove too limited for a real security professional is with TCP port scanning. You would expect the Security Check Configuration to allow you to select the range of ports to be scanned, as well as the type of scan to carry out (full connect, SYN stealth, FIN stealth, and so on). Unfortunately, bv-Control allows none of this, nor is there any clear indication of what sort of port scan is performed or over what range of ports (the actual results of the port scans are not even explicitly displayed in the finished reports).

However, as we have already said, whilst this lack of flexibility may be an issue for some, it certainly has the effect of making the product very easy to run by almost anyone: no hacking knowledge required. Some of the competition requires an in-depth knowledge of what the tests are actually doing in order to configure them effectively, and that could lead to incorrect configurations resulting in some of the tests being invalid. bv-Control is obviously designed to steer the administrator in the right direction wherever possible.

Another example of this is the Scan Wizard, which hand-holds the user through all the steps just described, in order to create a new scan job. Once completed, scans can be run immediately or saved as jobs for scheduling at off-peak times or for repeated running. This provides the means for an administrator to maintain a constant watch over his network, continuously scanning for security holes that can occur when hardware, software and users are added to or modified on the network.

When security holes are discovered during a scheduled scan, bv-Control automatically issues an alert via e-mail or an SNMP trap. One very powerful feature of bv-Control is the ability to auto-fix certain problems it finds during a scan. There is nothing worse than a vulnerability scan throwing up tens or even hundreds of potential problems in your Registry or file permission settings, leaving the poor administrator to work his way through them and apply the suggested changes manually. Not only is this time consuming, but it is error-prone too.

bv-Control can be configured to auto-fix problems with Registry values, file permissions and Registry permissions whenever they are found. If the administrator decides that the fixes were inappropriate for any reason, however, there is also an "undo" feature.

This allows restoration to a previous configuration by undoing fixes that have been carried out from a past date up until the current date and time. Other products provide the auto-fix capability, but bv-Control is the only one, to our knowledge, that offers a roll-back feature. This allows administrators to apply auto-fixes with much more confidence, knowing they can be quickly undone if they should cause problems.
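The roll-back behaviour described above, modelled as an added example rather than anything from BindView's product: every fix is journaled with its previous value and timestamp, and fixes applied within a date window can be undone newest-first. The Registry is a constructed in-memory dictionary and the value names are only illustrative sample data.

```python
from dataclasses import dataclass, field

# Constructed stand-in for each host's Registry: {host: {value_name: data}}.
# The value names are sample data for the example, not checks from the page.
REGISTRY = {
    "srv1": {"RestrictAnonymous": 0, "AutoShareServer": 1},
    "srv2": {"RestrictAnonymous": 0},
}


@dataclass
class FixRecord:
    when: str        # ISO-8601 timestamp; these strings sort chronologically
    host: str
    value: str
    before: object   # None means the value did not exist before the fix
    after: object
    undone: bool = False


@dataclass
class FixJournal:
    """Applies hardening fixes and keeps enough state to roll them back."""
    records: list = field(default_factory=list)

    def apply_fix(self, host, value, wanted, when):
        """Set a Registry value, journaling the old one. Returns False when the
        host is already compliant, so nothing is recorded for it."""
        store = REGISTRY[host]
        before = store.get(value)
        if before == wanted:
            return False
        store[value] = wanted
        self.records.append(FixRecord(when, host, value, before, wanted))
        return True

    def undo(self, since, until):
        """Revert fixes applied in [since, until], newest first, so a later fix
        on the same value is rolled back before an earlier one. A value that
        has been changed by someone else since the fix is left alone."""
        count = 0
        for rec in reversed(self.records):
            if rec.undone or not (since <= rec.when <= until):
                continue
            store = REGISTRY[rec.host]
            if store.get(rec.value) != rec.after:
                continue
            if rec.before is None:
                del store[rec.value]
            else:
                store[rec.value] = rec.before
            rec.undone = True
            count += 1
        return count
```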

A RapidFire Update option provides regular updates to the vulnerability database, and these can be applied automatically via a scheduled process. BindView uses secure, PGP-signed email to deliver updates of the latest security threats directly to bv-Control. New security checks are automatically incorporated into bv-Control's database and run during the next scan, or the Latest Update policy can be run to check out the latest set of checks in isolation.

Whilst the secure e-mail delivery option is useful, and something we would like to see incorporated into competing products, it might not suit everyone. It is quite difficult, for example, to bring a new installation completely up to date since there is no way of telling just which updates have already been applied. It would be useful to see BindView include, alongside the existing delivery mechanism, the more common HTTP/FTP type of automated update that is used by CyberCop Scanner or Internet Scanner.

Reporting and Analysis

Once the scan has finished, the resulting report can be accessed from the Reports icon in the shortcut toolbar, which provides a number of very flexible viewing and configuration options. The reports are generally excellent, provided in HTML format, and can be viewed directly from the console. Report viewing seems to be much quicker in version 3 than in previous releases.

Selecting a job from the job list brings up the appropriate report in the main Report window, with a navigation frame to the left, that allows you to sort the report into different views (by host, by IP address, by vulnerability, and so on) as well as include or exclude individual sections at the click of a button.

All the detected vulnerabilities are displayed with full explanations accessible via hyperlinks, and if the security check produced any output (such as an SMTP banner) then this too is available via a hyperlink.

Finally, if an auto-fix is available, this can also be triggered from the report. Individual auto-fixes can be selected in the report and applied in one sweep via the Auto-Fix button on the Report window tool bar. Selecting the Undo Fixes button allows the administrator to undo all fixes previously applied by bv-Control within a specified time period.

Reports are saved in the Reports window once they have been completed, and remain there until they are no longer needed, whereupon they can be deleted or moved to the Archive window. When subsequent reports are run on the same target group, an existing report is moved automatically to the Archive window.

bv-Control then provides the means to compare two reports which have been run on the same set of machines in order to assess the progress of your security policy over time by monitoring changes in detected vulnerabilities between two scans. The latest release also provides the means to consolidate multiple reports into a single one.
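The two report operations just described, scan-to-scan comparison and consolidation of several reports into one, as an added example that is not BindView's code. The reports are constructed sample data keyed by host with the set of failed checks, and the check names are illustrative only; hosts that appear in only one of the two scans are reported separately rather than counted as wholly fixed or wholly new.

```python
# Constructed sample reports for two scans of the same target group:
# {host: {failed check, ...}}. Check names are illustrative, not bv-Control's.
SCAN_BEFORE = {
    "srv1": {"anonymous-smb-enum", "weak-admin-password", "iis-sample-apps"},
    "srv2": {"anonymous-smb-enum"},
    "ws7": {"guest-account-enabled"},
}
SCAN_AFTER = {
    "srv1": {"iis-sample-apps", "smtp-open-relay"},
    "srv2": set(),
    "ws9": {"guest-account-enabled"},
}


def compare_scans(before, after):
    """Classify each common host's findings as fixed, new or persisting.

    A host that dropped off the network has not been remediated, and a host
    added since the last scan is not a regression of an existing one, so both
    are listed separately instead of being folded into the per-host counts.
    """
    common = set(before) & set(after)
    diff = {
        "hosts_gone": sorted(set(before) - common),
        "hosts_new": {h: sorted(after[h]) for h in set(after) - common},
        "per_host": {},
    }
    for host in sorted(common):
        old, new = before[host], after[host]
        diff["per_host"][host] = {
            "fixed": sorted(old - new),
            "new": sorted(new - old),
            "persisting": sorted(old & new),
        }
    return diff


def net_change(diff):
    """Net change in open findings; negative means the posture improved.
    Findings on newly seen hosts count as new work for the administrator."""
    delta = sum(len(h["new"]) - len(h["fixed"]) for h in diff["per_host"].values())
    return delta + sum(len(v) for v in diff["hosts_new"].values())


def consolidate(*reports):
    """Merge several reports (e.g. per-subnet jobs) into one without mutating
    the inputs: a host's findings are the union of everything reported."""
    merged = {}
    for report in reports:
        for host, checks in report.items():
            merged.setdefault(host, set()).update(checks)
    return merged
```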

Figure 4 - Viewing bv-Control reports

Reports can be printed directly from the console (there is a print preview facility available too) and various options are available to allow you to include or exclude report sections such as summary information, the detailed security check descriptions, auto-fix information, and so on. A number of pre-defined report templates are included, or new ones can be created as required.

Reports can also be exported in a variety of formats, including HTML, Crystal Reports, MDB (Microsoft Database files) or Word documents. The Word document format is excellent, but we also tried a straight export to HTML and found that the resulting "report" was nothing more than a jumble of HTML files with no single index file to pull the whole thing together. Not particularly useful.

Verdict

All in all, bv-Control is extremely easy to use and provides a useful tool for a continuous, automated security scan with the ability to fix some problems automatically and raise alerts on others.

In general, however, bv-Control is much more of a security, and particularly NT security, auditing tool than the "hacker in a box" that is provided by some of the competition.

There are a number of reasons for this. The lack of control over how individual tests are performed means that bv-Control might not be as attractive to many security professionals, although that very "limitation" would make it a good choice for the less security literate network administrator.

As a pure IP-based scanner it is also very limited, finding far fewer real potential vulnerabilities than some of the competition. BindView has attempted to keep the number of false positives to a minimum by making the testing much more specific and extensive wherever possible. It also combines many related vulnerabilities into a single entry in the final report rather than report them all individually. This is to be commended, but unfortunately this minimalist approach does mean the product tends to miss genuine potential vulnerabilities.

Whether this is because of over-zealous checking that is too specific in some cases, or because the vulnerability database is simply not extensive enough, it is hard to tell. However, our opinion is that we would rather sift through a few false positives than have a vulnerability scanner that misses genuine proble

It also relies on being part of an NT domain in order to perform many of its NT-related scans, which makes it a poor choice for many security consultants who may have to scan NT-based devices outside a domain environment. However, this reliance on NT domains for authentication coupled with the wealth of NT-related security checks would make it extremely suitable for NT environments where the administrator wants to carry out continuous security assessments of an internal network.

So bv-Control is more a tool for the general network administrator than the security consultant. The ease of use and wealth of NT security checks (including the C2 tests) plus the auto-fix of Registry and file permission problems makes bv-Control a good choice for NT shops, and is the reason that some organisations may well want to purchase this product along with one of the more "traditional" VA scanners that are stronger in pure IP-based active scanning.

Contact Details

Company name: BindView
E-mail: [email protected]
Internet: http://www.bindview.com
Head Office:
5151 San Felipe
Suite 2100
Houston
Texas 77056
USA
Tel: +1 713-561-4000
Fax: +1 713-561-1000
UK Distribution:
Peapod UK
The Harlequin Centre
Southall Lane
Southall
Middlesex
UB2 5NH
Tel: +44 (0)208 606 9990


Copyright © 1991-2006 The NSS Group Ltd.
All rights reserved.