NAI CyberCop Scanner 5.5
Brief product description
CyberCop Scanner identifies security holes to prevent intruders from accessing
data. It unveils weaknesses, validates policies and enforces corporate security
strategies. It tests for vulnerabilities in Windows, Unix, and Novell machines,
and performs perimeter audits of firewalls and routers.
Architecture - brief description
Scanner is a host-based solution for scanning the clients on a network.
Management and reporting are configured via a Win32-based Security
Management Interface (SMI) console.
Documentation
SMI Getting Started Guide (SMI10NGS.pdf) and CyberCop Scanner 5.5 Getting Started
Guide (CSC55NGS.pdf) are available with the product or by contacting Network
Associates Inc.
What are the minimum/recommended console OS and hardware requirements?
Windows NT 4.0 with Service Pack 4.0
Internet Explorer 4.0 SP1
266 MHz Pentium II processor
128 MB of RAM
200 MB of free disk space
On what platforms is this certified to run? Will it work on Windows 2000?
Windows NT 4.0, Windows 2000
At what layer of the protocol stack is the product working? Is a raw packet
driver installed?
CyberCop Scanner runs at the application layer while its raw packet driver
(ntbpf) operates at the network layer. The modules within the product scan for
vulnerabilities in the application, presentation, session, transport and
network layers.
Can multiple scanning engines be deployed and configured from a central console,
i.e. define a single scanning policy centrally and deploy this to all scanners
automatically?
The current version does not support distributed scanning agents.
Authentication between console and engines - Is it available? What
algorithm/key lengths?
Authentication will be available with the distributed scanning engines.
The current version does not place any agents on the hosts being scanned.
Secure logon for policy management?
At this time Scanner does not have a logon process; if a user has logon rights
to the box Scanner is installed on, they can in turn run the program.
How are policies distributed to scanners?
In the current version, policies are manually defined in a template.
These templates can be shared between multiple scanners.
How are policy changes handled? Will the central console detect which scanning
agents are using a changed policy and redeploy automatically, or does the
administrator have to do this manually? Can it be done once from a central
location or do all scanners have to be updated individually?
In the current version, policies are manually defined in each scanner.
The administrator must change policies and re-deploy them to each scanner
individually.
How many attack signatures?
The CyberCop Scanner is updated regularly. The current vulnerability count is
about 800.
Which platforms (i.e. NT, Windows 2000, Linux) and network resources (i.e.
firewalls, routers, printers, Web/mail/FTP servers) are covered by the attack
signatures?
CyberCop Scanner currently scans any device that has an IP address connected to
the network. The specific operating systems and devices include: all versions
of Windows, FreeBSD, NetBSD, OpenBSD, BSDI, Linux, IRIX, HPUX, AIX, Solaris,
SunOS, Novell, Cisco, Ascend, MacOS and HP LaserJet. It also includes specific
utilities that test firewalls and intrusion detection systems, and specific
modules that test routers, Web servers and FTP servers, for example.
Can it perform accurate OS detection?
CyberCop Scanner includes patent-pending technology that detects the OS running
on any network device. All of the vulnerability tests that are not relevant to
the identified OS can be automatically deactivated. Since banner checks are
prone to false positives, this feature uses an algorithm to ensure accuracy.
What types of port scans can be performed?
UDP, TCP, TCP SYN, TCP ACK, TCP FIN, RPC, FTP
Can the administrator define custom attack signatures?
CyberCop Scanner includes our exclusive Custom Audit Scripting Language (CASL).
CASL is a C-like language that enables the user to construct data packets from
a graphical interface. These scripts can also be selected and deployed across
the network like any of the vulnerabilities in the database. CyberCop Scanner
also supports a VB Scripting engine for users that prefer to audit in a VB
environment.
Can it perform true DoS attacks?
CyberCop Scanner performs true DoS attacks. Each of these tests is not selected
in the default testing templates and is clearly marked in the list of
vulnerability tests because they should not be used in a production
environment.
How are new attack signatures obtained and deployed?
Each month PGP Security posts vulnerability updates to an ftp server.
CyberCop Scanner includes an AutoUpdate feature that automatically
connects to the ftp server to download the new checks.
Frequency of updates? Provide dates of all updates in the last year.
Updates are posted on the 15th of every month.
Can one signature update file be downloaded to the local network and used to
update all scanners from a central location, or is it necessary to initiate a
live connection to the Internet download server for each scanner?
Updates can be downloaded to a local CyberCop Scanner workstation or can be
downloaded and distributed from an internal/external ftp server.
Can signature updates be scheduled and fully automated?
The update procedure can be done manually, via automatic download or scheduled.
Are scan results available in real time during scan?
Yes. As a scan is running, the results of the scan can be easily viewed from
the Scan Results window in the user interface.
Are scan results (even as a summary) available on-screen following a scan
without having to run a separate report?
Yes. CyberCop Scanner's main screen identifies the number of nodes scanned,
the number of vulnerabilities identified, the risk levels of the identified
vulnerabilities and the time elapsed for the session.
Advice on preventative/corrective action when vulnerabilities found?
Security concerns and recommended fixes are provided for each identified
vulnerability. Additional information includes risk factor for the
vulnerability, complexity of the attack, ease of fix, root cause, popularity of
the vulnerability and business impact. Each criterion is set with recommended
values, but can be customized to meet the user's corporate security policy.
Capability to auto-fix certain vulnerabilities? If so, is there an "interactive
mode" and/or an undo facility?
CyberCop Scanner includes Fix-It Modules that enable the user to fix Windows
registry and policy settings. Each of these modules is clearly marked with a
"wrench icon" in the Scan Results window.
Automatic alerting if severe vulnerabilities are found during a scan?
Severe vulnerabilities are clearly labelled as such, but no alerting
capabilities are included. A pre-defined report template ranks vulnerabilities
by order of severity.
Integration with other scanning/IDS products?
Not supported at this time.
Management reporting - range of reports/custom reports/how easy is it to filter
and extract detail? Different reports for technicians and management/end users?
CyberCop Scanner ships with Crystal Reports for both canned and customized
reporting. This reporting engine allows one to create very granular reports for
the security administrators and those that need to resolve the issues, up to
the high-level reporting designed for the CIO and IT Manager within an
organization. These reports include graphical, as well as detailed text
outlining the vulnerability, resolution, risks and other options.
Crystal Reports is known for its ease of use in creating custom reports, but
PGP has also included many "canned" reports so one can immediately start
processing reports.
What are the limitations and restrictions on enterprise-wide alerting and
reporting? Is it possible to combine reports from several scanners?
CyberCop Scanner, with Crystal Reports, fully supports differential reporting
to compare separate results databases. Users could also merge multiple results
databases into a single larger database if desired. (Not supported as part of
the product)
Report management - archiving? Can historical scans be consolidated/compared
for trend analysis/comparisons?
Differential reporting also allows a user to identify what has changed on a
given range of nodes since the last assessment. This allows a security
administrator to identify new vulnerabilities that have been created or old
vulnerabilities that have been resolved since the last assessment.
Can scans/reports be scheduled for automatic production? Can the results be
e-mailed to administrators or published straight to a Web site?
The current version of CyberCop Scanner is not able to perform automated or
scheduled scans, but this functionality will be returning in future versions.
Results can be presented in various formats including HTML for web publishing.
Does the product incorporate IDS evasion techniques to test IDS effectiveness?
If so, describe in detail how these are implemented.
Yes. CyberCop Scanner is one of the few assessment tools that includes
full-blown IDS auditing support. Scanner will leverage the power of the CASL
engine to provide a full module set of checks, scans and probes to audit your
IDS.
How is it licensed? How is the license enforced?
CyberCop Scanner is licensed on a per-node basis for full enterprise coverage,
or per server if the customer only wishes to use the product for assessing
their servers. We do not build any enforcement mechanisms into the product that
might restrict or increase the difficulty of use in the product. The customer
must identify how they plan to use the product; we will license it for that
use. Any use beyond their license will be a license violation, but no
mechanisms will prevent the use on systems not licensed to use the product.
[Editor's Note: This is the most flexible licensing policy we have encountered
- excellent]
End user pricing information
$48 / node at 250 node price point
$512 / server at 50 server price point
Ongoing cost of maintenance/updates
Standard Maintenance and Updates are included in the costs quoted above.
Additional support contracts are also available.