GFI Languard Security Scanner (N.S.S)

GFI LANguard N.S.S. is an ideal tool if you need to perform a network security audit, but it is so much more. GFI combines the following three features into one nicely packaged application:
- Vulnerability scanning
- Patch management
- Network and software auditing
I have used GFI for well over 5 years now and have seen the product mature a lot along the way, branching away from a Microsoft Windows-centric scanner to one that can provide good results when enumerating and scanning disparate OS. To sum up, I would say from a testing perspective that GFI surpasses Nessus when targeting Windows hosts, but has a little way to go to grab the functionality and results that Nessus provides for Unix/Linux OS.

Version 8 sees an improvement over previous versions, not only with a softer, slicker user interface but with added and improved features including:
- Graphical Threat Level indicator based on discovered vulnerabilities.
- Vastly improved scan wizard.
- Improved Vulnerabilities Database incorporating OVAL, CVE, SANS and Bugtraq information.
- Customisable security checks.
- Improved network-wide deployment of patch and service pack management.
- Ability to deploy third-party software, e.g. antivirus updates.
- Improved reporting via the included N.S.S. ReportPack.
- Support for Vista, Office 2007 and Exchange Server 2007.
A couple of issues with previous versions of N.S.S. have also been addressed with this new release:
- Dependencies on administrative shares have been removed through the addition of a new option in the scanning profiles. N.S.S. now temporarily creates and uses a custom hidden share during scans.
- An option has been added which (with proper credentials) will temporarily start the remote registry service on the remote machine during the scan.
GFI N.S.S. is available from here. It is available to evaluate for 30 days, after which time a licence is required. Licences are usually based on the number of IPs you wish the tool to scan, starting at 32, 64, 128, 256, 512, 1024 etc.

Installation: Simply double-click the executable.

Note: The N.S.S. ReportPack requires you to have the GFI Report Centre Framework 3.5 installed, so it is essential to choose the right download or download and install this separately.

Execution: By default, after installation a much improved and fully flexible 5-step scan wizard is started every time the application is launched unless deselected. This wizard replaces the rather unhelpful wizard in previous versions.
The five steps are as follows:
- Scan Job Operation
- Scan Profiles
- Scan Type: single computer, range, list, domain etc.
- Select Target Computer: dependent on the previous choice; domains should be automatically detected and offered as a choice.
- Credentials: current user, alternative, null session or SSH private keys.

I still prefer selecting these details myself by entering the relevant details into the user interface, but the wizard does help standardise a scan and ensures all relevant details and functions are selected. Gone also is the old "default" scan, replaced with a full scan and a number of other options. Once a scan is finished the user can then drill down and view any issues reported in the Scan results screen:
Obviously from the above I was scanning an almost fully patched VMware XP SP2 host, but the scanner still identified a number of issues. As an alternative, a user can use one of the Results filtering options and save the respective HTML page of the results:
From the above, I was a little concerned with the threat level indicator rating the machine as so highly vulnerable. The Oracle 9i server the application found was actually client and management software: no listener was present and no database. Again, this boils down to the analyst reviewing the results carefully and adjusting their report accordingly. The application in this case reported wrongly; however, it did find the application and give the analyst a prompt to look a bit deeper at the possible installed Oracle instance. Essentially I would rather it be found than not!

Rating: Overall I really like this application. It has a couple of nuances, below, but on the whole it is sound and provides a good tool for any vulnerability analyst. You can't really go wrong if you use this combined with other scanners to complement your toolkit.
I would definitely rate this product as 4 out of 5.

Issues: I still get false positives, though this is not always down to the application itself and obviously every tool has them. Auditing and Password Policy, for example, are displayed by the tool, but this is actually the local policy and may not correspond with group policy, so this should not be relied upon in your report. I still also get false positives when scanning some hosts that the tool reports as having port 21 (FTP) open, when all other tools report it as closed. This may be down to the interpretation of returned data or a malformed response from a host, but it is something to watch. The threat level indicator can tend to indicate a machine is more at risk than it actually is. A more balanced approach, I think, would be to use a weighted scoring scheme and have an overall score based on this, rather than basing it on finding a vulnerability on the system whose rating is severe.
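To make the scoring point concrete, here is an added example (my own illustration, not GFI's code, and not how N.S.S. computes its indicator) that contrasts the two approaches on a constructed finding list modelled on the host discussed above: a "worst finding wins" indicator against a weighted sum that an analyst can re-run after marking the Oracle and FTP results as false positives. The severity weights, the level thresholds and the `Finding` structure are all assumptions for illustration.

```python
from dataclasses import dataclass

# Severity weights used by this example (assumed; the page does not give
# GFI's internal severity scale or weights).
WEIGHTS = {"low": 1, "medium": 3, "high": 7, "severe": 10}


@dataclass
class Finding:
    host: str
    title: str
    severity: str           # one of the WEIGHTS keys
    confirmed: bool = True  # set False once the analyst judges it a false positive


def effective(findings, after_review):
    """Findings that count: everything before review, confirmed ones only after it."""
    return [f for f in findings if f.confirmed or not after_review]


def max_severity_indicator(findings, after_review=False):
    """Indicator style the review criticises: the single worst finding sets the level."""
    counted = effective(findings, after_review)
    if not counted:
        return "none"
    return max(counted, key=lambda f: WEIGHTS[f.severity]).severity


def weighted_score(findings, after_review=False, cap=100):
    """Weighted scheme the review suggests: sum of severity weights, capped at `cap`."""
    total = sum(WEIGHTS[f.severity] for f in effective(findings, after_review))
    return min(total, cap)


def weighted_indicator(findings, after_review=False):
    """Map the weighted score onto the same labels (thresholds are assumed values)."""
    score = weighted_score(findings, after_review)
    if score == 0:
        return "none"
    for label, threshold in (("low", 5), ("medium", 15), ("high", 30)):
        if score < threshold:
            return label
    return "severe"


# Constructed sample mirroring the host in the review: an almost fully patched
# XP SP2 VM with Oracle client tools installed and an FTP port false positive.
SAMPLE = [
    Finding("xp-sp2-vm", "Oracle 9i server detected", "severe", confirmed=False),   # client/management software only, no listener
    Finding("xp-sp2-vm", "FTP (port 21) reported open", "high", confirmed=False),   # closed according to other tools
    Finding("xp-sp2-vm", "Missing security update", "medium"),
    Finding("xp-sp2-vm", "Local password policy weaker than recommended", "low"),
]


def summarise(findings):
    """Both indicators, before and after analyst review, for a report table."""
    return {
        "scanner_max": max_severity_indicator(findings),
        "reviewed_max": max_severity_indicator(findings, after_review=True),
        "scanner_weighted": weighted_score(findings),
        "reviewed_weighted": weighted_score(findings, after_review=True),
        "scanner_level": weighted_indicator(findings),
        "reviewed_level": weighted_indicator(findings, after_review=True),
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE).items():
        print(f"{key:18} {value}")
```

On this sample the max-severity indicator reports "severe" straight from the scanner purely because of the unverified Oracle hit, whereas the weighted score lands on "high" before review and drops to "low" once the two false positives are excluded, which is closer to the picture the author describes for that host.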