 

 

 

 

GFI LanGuard is a fully integrated, highly reliable and scalable security scanning, network auditing and remediation solution that allows the:

 

  • Identification of system and network weaknesses.  With an integrated and comprehensive vulnerability check database it provides the ability to carry out custom and predefined tests based on OVAL, CVE and SANS Top 20 vulnerability assessment guidelines.

 

  • Auditing of network hardware and software assets.  This has the added advantage of providing an organisation with a detailed inventory of assets, including installed applications, USB and other devices previously and currently connected to the network.

 

  • Automatic download and remote installation of service packs, patches and hotfixes for the Microsoft OS and third-party products, as well as allowing the automatic uninstallation of unauthorised software.
 

Catering for both medium and larger sized networks, GFI LanGuard has a number of extensible components that can be used, and so it is able to reduce the total cost of ownership for a company by allowing it to centralise vulnerability scanning, patch management and network auditing. Features include:

 

  • GFI LanGuard management console - enabling the configuration and use of GFI LanGuard and analysis of audit results.

 

  • GFI LanGuard attendant service - background service that manages scheduled network security scans, patch deployment and remediation operations.

 

  • GFI LanGuard agent deployment - enabling real time results analysis, reducing network bandwidth consumption. (Agents can be deployed automatically as machines are enumerated or manually on selected computers).

 

  • GFI LanGuard patch agent service - background service handling service pack, patch and software updates on managed assets.

 

  • GFI LanGuard Script Debugger - allows custom VBScripts to be written and debugged.

 

GFI LanGuard is available to evaluate for 30 days, after which a licence is required for corporate use.  Licences are usually based on the number of IPs you wish the tool to scan; a full pricing structure is available from here.
 

Installation:

 

Download the latest version from the website here (Installation manual is available from here).

 

  • Simply double-click the executable.

  • Register with supplied username and registered licence or 30-day evaluation key.

  • Insert appropriate administrative account details to enable automated and scheduled scans and updates to take place.

  • Select appropriate path: C:\Program Files\GFI\LanGuard 10\ (default)

  • Program will install then automatically launch.

 

Pre-requisites:

 

  • Windows XP SP2+, Windows 2003+ (Some limitations exist on home and home premium editions).

  • Microsoft Installer 3.1 Redistributable

  • Microsoft .NET 3.5 Service Pack 1

  • Microsoft Data Access Components (MDAC) 2.8

  • Supported databases:
    • Microsoft Access
    • Microsoft SQL Server 2000 or later
    • MSDE/SQL Server Express Edition

     

Note: - Windows Firewall, if enabled, will block some features and as such a prompt will appear requesting access for GFI LanGuard to scan Private/Public Networks.

 

GFI LanGuard will then inspect the local machine it is installed on for any associated vulnerabilities by default.  As part of this process it will download the latest patch database to enable it to check the required patch level on the local machine.

 

 

After initial installation, the default local scan is a nice touch; at least the user will potentially be aware of any glaring holes in their system and appropriately deal with them before utilising the tool for real to scan theirs and other networks.

 

Updating:

 

This is set by default to auto update via the GFI update site (update.gfi.com).  This site checks to verify the product is licensed, verifies the currently installed version number then hands off the update mechanism to the actual software download at: software.gfi.com/lnsupdate/

 

Note: - The serial number of the product, together with any email contact details you have set up, is passed across in clear text during this transaction.

 

It is possible to alter the update mechanism to utilise a proxy and also to manually download all the required update binaries from the directory at http://software.gfi.com/lnsupdate/ to an alternative web server or local/network resource.  Once configured in this way GFI LanGuard will attempt to update from there.

 

This would be the ideal situation for air-gapped sensitive environments where Internet access is precluded; the scanning machine obtaining updates after having first been virus scanned and verified.  Alternatively the updates may be copied directly to the GFI LanGuard updates folder located at: "C:\ProgramData\GFI\LANguard 10\Update\" (Windows Vista/7).

 

Note: - The program will still attempt to verify that it is licensed, but will fail, however, this still allows the update mechanism to complete successfully.

 

Updating can also be carried out whilst other tasks are running which is a nice improvement over legacy versions of this application.

 

It may be pertinent in the future to enforce authenticated access to the software.gfi.com site.  This serves a number of purposes: firstly, providing another hurdle to guard against Intellectual Property Right abuse from counterfeit copies of the program, and also deterring would-be attackers from enumerating the web server file structure.  In addition, providing an MD5 hash of the updates would allow manual verification of their authenticity.  There have been, in recent times, more and more instances of exploited web-facing depositories, with attackers replacing original files with their own backdoored binaries and updates.  An SSL/TLS encrypted session would also thwart "sniffing" attacks that enable an attacker to gain a registered licence key, and would go a long way to prevent MiTM attacks.
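
An added example, not GFI's code and not part of the original review, for the offline update procedure and the hash check discussed above: it records a SHA-256 manifest of the downloaded update files on the Internet-facing machine and re-checks the copy on the scanning machine before the files go into the Update folder. Assumptions: the vendor publishes no hashes (as the review notes), so the manifest only detects changes made after download; SHA-256 is used in place of the MD5 the review mentions; the file names in the demo are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large update binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_against(manifest: dict, root: Path) -> dict:
    """Compare a transferred copy with the manifest taken on the download machine."""
    current = build_manifest(root)
    return {
        "modified": sorted(n for n in manifest if n in current and current[n] != manifest[n]),
        "missing": sorted(n for n in manifest if n not in current),
        "unexpected": sorted(n for n in current if n not in manifest),
    }


def demo() -> dict:
    """Constructed sample: three dummy update files, then simulated changes in transit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "patches").mkdir()
        (root / "index.xml").write_bytes(b"<updates version='1'/>")          # hypothetical name
        (root / "patches" / "update1.cab").write_bytes(b"original payload")  # hypothetical name
        (root / "patches" / "update2.cab").write_bytes(b"second payload")    # hypothetical name
        manifest = build_manifest(root)          # taken right after download
        (root / "patches" / "update1.cab").write_bytes(b"backdoored payload")
        (root / "patches" / "update2.cab").unlink()
        (root / "extra.exe").write_bytes(b"dropped file")
        return verify_against(manifest, root)    # run on the scanning machine


if __name__ == "__main__":
    for kind, names in demo().items():
        print(kind, names)
```

The manifest itself has to travel by a separate path from the update files (or be signed), otherwise whoever alters the files can alter the manifest too.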

 

A nice feature for the product is the quick overview of updates and news displayed on the dashboard with the option to visit the website for more information or extra news:

 

Execution:

 

Gone are the days of the 5 step scan wizard with the scan tab being the only area required to run a scan from.  Assuming an appropriate profile has either been created (see below) or one of the default options is to be used the following information is all that is required to initiate a scan of a target computer(s):

 

  • Scan Target: single computer, range, list, domain etc.

  • Scan Profiles

  • Credentials: current user, alternative, null session or SSH Private Keys.

 

Pressing scan sets the task off and various different threads are opened by the tool, with interim results appearing as particular parts of the scan are completed.  An approximate timescale to completion is displayed together with the number of checks to complete.

 

Once a scan is finished the user can drill down and view any issues reported in the results screen and, depending on their scope, remediate or report.

 

 

Going to the first dashboard tab provides a nice overview of the scan and a particular part of the scan results can be viewed:

 

 

 

Scanning Profiles:

 

A number of predefined scanning profiles can be selected when initiating a scan from the drop-down menu.  Alternatively a custom profile can be created via the configuration tab, under the scanning profiles menu via the scanning profiles management common task.  A pre-defined profile can be copied and adapted or a totally custom scan created.  Profiles are divided into two areas, Vulnerabilities and Patches with the vulnerabilities portion of individual scans broken down into common families of products and services: 

 

 

These can be selected and de-selected as deemed necessary.  Alternatively the patches options allow a scan to be carried out only looking for missing patches based on their severity:

 

 

Both options are extensible and a welcome addition to any tester who needs to carry out a bespoke test, but from a personal perspective (see also comments on remediation below), I would like to be able to select vulnerabilities based on the OS, Vendor and services offered as this may provide a more targeted facility. In this way the number of checks carried out against a target would be vastly reduced, saving on enumeration of checks for applications and services that are not installed and for the wrong OS variant.

 

An administration and configuration guide is also available here listing how GFI LanGuard may be customised to better suit certain environments giving the ability to use it to its full potential.

 

Reporting:

 

GFI LanGuard has a number of default reporting options and templates:

 

  • Network Security Overview

  • Vulnerability Status

  • Full Audit

  • Scan-based full audit

  • Software Audit

  • Scan History

  • Remediation History

  • Baseline Comparison

  • PCI DSS Requirements - (60 distinct pre-configured reports available).

 

In an unabridged form the reports do, in my opinion, contain too much information and are very generalised; however, the software developers have thought of this and the templates are easily customised.  When generating a report the customised advanced settings option can be selected, allowing the tester to specify what information from the template is required.  In this way the report can be very succinct, concentrating on the key areas requested from the test, and it looks all the more professional with extraneous information removed if not required.  As each tasking will be unique, the customer's report should be also; they have their own scope the test should adhere to, and the beauty of GFI LanGuard is that reporting can be geared to that also.

 

 

There is also an option to save these filters as a new template which saves quite a bit of work for future tests.

 

As an example, two reports have been produced after carrying out an audit of a Buffalo NAS, one unfiltered which contained a number of errors due to access being denied to the device and superfluous information and the more professional one with just the information required: Unfiltered Filtered

 

To get an idea of the format of the report produced, a sample is displayed before the report is generated.  Those not familiar with the application can then get an idea of the content it will produce and either tailor their needs to suit or use another report template.

 

 

Remediation:

 

A key selling point for this product is the ability to perform remediation based on discovered results.  Keeping systems patched and secure is a major heartache for any system administrator, and having a product such as this that will identify all missing patches, both application and OS, while also allowing compliance testing and removal of unauthorised software, is of definite benefit to them.  To enable remediation to take place, it must be configured, as patch auto-download is not enabled by default; this can be achieved easily from within the configurations tab. Either all potential patches or only those identified as previously missing can be downloaded to the default installation directory "C:\Program Files\GFI\LANguard 10\Repository"; alternatively a path can be specified to the WSUS content folder.

 

Even before patches can be deployed they need to be approved, which ties in nicely to organisations with configuration control mechanisms and regular update strategies.  The facility to do this I found to be a little basic, allowing the user to either approve all Microsoft patches, all Microsoft Service Packs or non-Microsoft patches for deployment.

 

 

Alternatively certain individual bulletins may be selected for deployment but carrying out the approval process in this way can be a little laborious.

 

 

It may be prudent in future releases to offer a more selective and extensible strategy which would help within those networks wishing to deploy to certain OS only and potentially clients and not servers.  This may provide a little more extensibility and ease of use, with something in the form of radio buttons suggested with options for:

 

Vendor, OS, Service Pack, Platform, Language i.e. Microsoft XP 2 32-bit en

 

To carry out remediation, the remediate tab allows selection of a number of options; selecting deploy security patches allows for any patches identified as missing to be selected for install:

 

 

Selecting the patches you wish to deploy, (Adobe Air in the above), then clicking the remediate button starts the install process.  Alternative credentials may be supplied if required.  The patches will be automatically downloaded and silently installed on the target computer.  A pop-up notification will potentially appear and the target may automatically reboot if required and configured appropriately to do so.

 

 

This is a nice option for being able to selectively deploy patches to multiple computers that have the appropriate GFI LanGuard agent deployed to them or for which you have full administrative privileges.

 

Rating:

 

Overall I really like this product; it is especially useful within Windows Networks with the remediation aspect its key selling point, giving it the edge over the majority of other vulnerability scanners. The one thing, though, that reduces the effectiveness of this excellent product is its support for OS other than Windows and as such, carrying out a test within a network with multiple OS deployed, other scanners would be my preferred option.  This said, I have been using this product for many years and the support for other OS is growing release on release, so I can foresee it gaining ground on similar scanners in the field quite rapidly. Overall, even with the nuances mentioned, it is a sound product and provides a great tool and resource for any vulnerability analyst and system administrator alike.  You can't really go wrong if you use this combined with other scanners to complement your toolkit.  I would definitely rate this product as 4 out of 5.

 
