BindView HackerShield 2.0a

If anyone should know about security auditing it is BindView, having produced a very successful line of NetWare and NT auditing tools over the years. It is only natural, therefore, that they should venture into the Vulnerability Assessment marketplace.

HackerShield takes a slightly different approach to the normal “hacker in a box” type products however. Aimed more at the network administrator than the security professional, it combines elements of vulnerability assessment, security policy enforcement, system auditing and file integrity checking in a single package.

Installation

Installation is straightforward, with nothing in the way of options to sidetrack or confuse you. Simply log in as a user with admin privileges, pop in the CD and click on “Install”.

Once installation has finished, you have the chance to run the product on an evaluation license, or to install a license key to determine the number of IP addresses that can be scanned.

Configuration

HackerShield presents the administrator with an Outlook-style three-pane interface. The icons in the left-hand pane provide access to Reports, Targets, Jobs and Archive. On the right is a network map and a list of target hosts.


Figure 1 - The HackerShield Console

Just as with Outlook, it is possible to have either an iconised “shortcuts” toolbar or a hierarchical folder display down the left side of the screen (or both if you wish).

It is also possible to quickly add or remove items from the shortcut toolbar in order to personalise it – again, just as with Outlook. This user interface will feel immediately familiar to anyone who has used Microsoft’s mail client.

The Network Map window is where HackerShield goes out to the network and discovers hosts in order to make them available for scanning. This can make getting your first scan going a slower and more fiddly process than it needs to be if you actually know what you are doing and which hosts you want to scan. However, the ability to list all the hosts on a subnet can make life easier for those who are not as confident in such areas.

Initially, the Network Mapper scans only the local subnet, but additional subnets can be added by right-clicking with the mouse and entering the IP and net mask details. Once added, these subnets too can be scanned by the Mapper. For hosts which you know exist, but which are not showing up on Mapper scans for some reason, it is possible to manually add a host.

Once you have your network mapped, you need to drag the individual hosts or complete subnets across to the Target pane before you can scan them. Multiple target groups can be created to logically group machines together for scanning, allowing you to run separate scans easily on your “Sales” PCs and “Finance” PCs, for example. It is also possible for the same host to exist in multiple groups. The Target window behaves as your “licensed hosts pool”, and the number of available units is reduced automatically each time one or more hosts is dragged from the Network Map to the Target window.

Once you have your Target Groups assembled, right clicking on either a group or an individual host within a group brings up the scanning menu. A small number of pre-defined scanning policies are available for immediate use:

Normal – a subset of common checks

All – a comprehensive scan (all checks enabled, including dangerous DoS attacks)

Latest Update – when RapidFire Update is installed, this policy reflects the new checks from the latest update

Quick – a minimal set of checks

Password Cracker – password cracking only

These are enough to get most administrators off and running with a minimum of fuss, and all that is required is to select a policy and confirm your choice in order to initiate a scan. During the scan HackerShield brings up a very informative real-time status window showing the scan progress for every machine selected, including which module is currently running and how many vulnerabilities have been found so far.

Existing policies can be amended and new policies created in the Security Checks window. This is a fairly straightforward process, even for the non-security minded, since there is not much scope for modification or customisation. This means that it has limited scope for the true security professional, but makes the product much more attractive to the average network administrator who is not a security specialist.

The available checks are divided into a number of categories such as Denial of Service (DoS), DNS, C2, FTP, mail server, Web server, file sharing, passwords, user accounts and information gathering (amongst others), with something of a bias towards NT-specific vulnerabilities.

It is also apparent that there are nowhere near as many vulnerability checks included in this product as there are in some of the mainstream VA products, but BindView is working hard to rectify this.

Entire sections can be selected or deselected using a single check box, or individual tests can also be included or excluded in the same way. Each vulnerability test has a brief description against it, along with a more detailed (and often very extensive) description available at the click of a button. It also has a Security Check Configuration box associated with it, but for most tests this is greyed out and unused.


Figure 2 - Modifying scan policies

One example of where HackerShield will prove too limited for a real security professional is with TCP port scanning. You would expect the Security Check Configuration to allow you to select the range of ports to be scanned, as well as the type of scan to carry out (full connect, SYN stealth, FIN stealth, and so on). Unfortunately, HackerShield allows none of this, and nor is there any clear indication of what sort of port scan is performed or over what range of ports.

However, as we have already said, whilst this lack of flexibility may be an issue for some, it certainly has the effect of making the product very easy to run by almost anyone – no hacking knowledge required. Some of the competition requires an in-depth knowledge of what the tests are actually doing in order to configure them effectively, and that could lead to incorrect configurations resulting in some of the tests being invalid. HackerShield is obviously designed to steer the administrator in the right direction wherever possible.

Another example of this is the Scan Wizard, which hand-holds the user through all the steps just described, in order to create a new scan job. Once completed, scans can be run immediately or saved as jobs for scheduling at off-peak times or for repeated running.

This provides the means for an administrator to maintain a constant watch over his network, continuously scanning for security holes that can occur when hardware, software and users are added to or modified on the network.

When security holes are discovered during a scheduled scan, HackerShield automatically issues an alert via e-mail or an SNMP trap. One very powerful feature of HackerShield is the ability to auto-fix certain problems it finds during a scan. There is nothing worse than a vulnerability scan throwing up tens or even hundreds of potential problems in your Registry or file permission settings, leaving the poor administrator to work his way through them and apply the suggested changes manually. Not only is this time consuming, but it is error-prone too.


Figure 3 - Monitoring the progress of a scan job

HackerShield can be configured to auto-fix problems with Registry values, file permissions and Registry permissions whenever they are found. If the administrator decides that the fixes were inappropriate for any reason, however, there is also an “undo” feature that allows restoration to a previous configuration by undoing fixes that have been carried out from a past date up until the current date and time.
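
The undo-by-date behaviour described above can be modelled with a journal that stores each setting's previous value. This is an added illustration, not HackerShield's own code: the `FixJournal` class, the dict standing in for Registry values and permissions, and the key names are all assumptions. It shows why fixes have to be reverted newest first when the same setting was fixed more than once.

```python
from datetime import datetime

_ABSENT = object()  # marks "the setting did not exist before the fix"


class FixJournal:
    """Applies fixes to a settings store and records enough to undo them."""

    def __init__(self, store):
        self.store = store   # dict standing in for Registry values / permissions
        self.entries = []    # (when, key, previous value), oldest first

    def apply_fix(self, key, new_value, when):
        if self.entries and when < self.entries[-1][0]:
            raise ValueError("fixes must be journalled in time order")
        previous = self.store.get(key, _ABSENT)
        if previous == new_value:
            return False     # already compliant: nothing to journal
        self.entries.append((when, key, previous))
        self.store[key] = new_value
        return True

    def undo_since(self, cutoff):
        """Revert every fix made at or after cutoff, newest first."""
        reverted = []
        while self.entries and self.entries[-1][0] >= cutoff:
            _, key, previous = self.entries.pop()
            if previous is _ABSENT:
                self.store.pop(key, None)   # the fix created it: remove it
            else:
                self.store[key] = previous
            reverted.append(key)
        return reverted


def demo():
    # Constructed sample settings; the key names are illustrative only.
    store = {"audit/logon_failures": "off", "share/everyone_write": "yes"}
    journal = FixJournal(store)
    journal.apply_fix("audit/logon_failures", "on", datetime(2001, 3, 1))
    journal.apply_fix("share/everyone_write", "no", datetime(2001, 3, 8))
    journal.apply_fix("banner/legal_notice", "set", datetime(2001, 3, 8))
    journal.apply_fix("share/everyone_write", "read-only", datetime(2001, 3, 9))
    reverted = journal.undo_since(datetime(2001, 3, 8))
    return store, reverted


if __name__ == "__main__":
    print(demo())
```

Reverting oldest first would leave `share/everyone_write` at the intermediate value `no` rather than the pre-cutoff value `yes`.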

A RapidFire Update option provides regular updates to the vulnerability database, and these can be applied automatically via a scheduled process. BindView uses secure, PGP-signed email to deliver updates of the latest security threats directly to HackerShield. New security checks are automatically incorporated into HackerShield’s database and run during the next scan.

Reporting and Analysis

Once the scan has finished, the resulting report can be accessed from the Reports icon in the shortcut toolbar, which provides a number of very flexible viewing and configuration options. The reports are generally excellent; they are provided in HTML format and can be viewed directly from the console (albeit slowly in some cases, presumably due to the HTML output).

Selecting a job from the job list brings up the appropriate report in the main Report window, with a navigation frame to the left that allows you to sort the report into different views (by host, by IP address, by vulnerability, and so on) as well as include or exclude individual sections at the click of a button.

All the detected vulnerabilities are displayed with full explanations accessible via hyperlinks, and if the security check produced any output (such as the list of open TCP ports from the port scan) then this too is available via a hyperlink. Finally, if an auto-fix is available, this can also be triggered from the report.

Reports are saved in the Reports window once they have been completed, and remain there until they are no longer needed, whereupon they can be deleted or moved to the Archive window. HackerShield also provides the means to compare two reports in order to assess the progress of your security policy over time by monitoring changes in detected vulnerabilities between two scans.

Reports can be printed directly from the console (there is a print preview facility available too) and various options are available to allow you to include or exclude report sections such as summary information, the detailed security check descriptions, auto-fix information, and so on. A number of pre-defined report templates are included, or new ones can be created as required.


Figure 4 - Viewing HackerShield reports

Reports can also be exported in a variety of formats, including HTML, Crystal Reports, MDB (Microsoft Database files) or Word documents. We tried a straight export to HTML, but found that the resulting “report” was nothing more than a jumble of HTML files with no single index file to pull the whole thing together. Not particularly useful.

Verdict

All in all, HackerShield is extremely easy to use and provides an excellent tool for a continuous, automated security scan with the ability to fix some problems automatically and raise alerts on others (though it does not detect as many vulnerabilities as the other VA products we have tested).

In general, HackerShield is much more of a security – and particularly NT security – auditing tool than the “hacker in a box” that is provided by some of the competition.

The bias towards NT security checks (including the C2 tests) plus the auto-fix of Registry and file permission problems makes HackerShield a good choice for NT shops, and is the reason that some organisations may well want to purchase this product along with one of the more “traditional” VA scanners.

Contact Details

Company name: BindView
E-mail: [email protected]
Internet: http://www.bindview.com

Address:
5151 San Felipe
Suite 2100
Houston
Texas 77056
USA
Tel: +1 713-561-4000
Fax: +1 713-561-1000

UK Distribution:
Peapod UK
The Harlequin Centre
Southall Lane
Southall
Middlesex
UB2 5NH
Tel: +44 (0)208 606 9990

Copyright © 1991-2001 The NSS Group.
All rights reserved.