Security Scanner & Patch Management Tools Review
Scanning your network for security holes is probably one of the most important tasks you need to perform to keep your network secure. You obviously need to know what security holes are present on your network and using a security scanner is the easiest/only way to find out.
Scan your network from several viewpoints - scan it from outside your network (as in outside your firewall), from inside your network with admin rights, and from inside your network without admin rights. Scan your DMZ and web servers!
Patch management and security scanning are closely related, simply because a missing patch is essentially a vulnerability. Therefore one needs to scan for missing patches and of course deploy those patches as soon as they come out. Failure to do so makes you doubly vulnerable, not only because the vulnerability is there, but also because it has become publicized so it's more likely to be used.
Installing security hot fixes on operating systems has become a hot topic, and there have been a flurry of new products arriving on the market.
In this review I looked at 1 pure security scanner, a hybrid security scanner/patch management tool and 2 pure patch management tools. All 4 are quite different in their capabilities, but their purpose is the same - to help secure your network.
- Shavlik HfnetchkPro - Silver Rating: 4/5
- GFI LANguard N.S.S - Gold Rating: 5/5
- eEye Retina - Bronze Rating: 3/5
- Microsoft SUS - Gold Rating: 5/5
Shavlik HfnetchkPro is a patch management tool. It checks for missing patches and can install those patches remotely and to multiple computers at a time. It supports not only operating system level patches, but also application patches for applications such as Microsoft Office, Microsoft Exchange and Microsoft SQL server.
Scanning a few machines with HfnetchkPro was pretty straightforward. When you startup the main interface, launch a new scan, a wizard comes up asking what you want to scan, what you want to scan for and when to run the scan. You can scan for patches that need to be installed, and you can also scan what patches need to be installed and what patches have been installed. After this you can choose to run the scan immediately, or schedule it at a later stage. Once you click finish, HfnetchkPro will go out there and scan your network. I found that enumerating the network took a while.
The scan wizard, allows you to scan a machine, an entire domain, a set of machines or an IP range.
The Scan wizard: What to scan for page
Missing Exchange patches on an Exchange server machine
After the scan is complete, you can click on the machine to find out what patches it has missing. Missing patches are listed by product. Internet Explorer and IIS are listed as separate products, although they are integrated with the operating system - this is relevant to note when we talk about Microsoft SUS later on in this review.
After HFNetchkPro has determined what is missing, it's simple to install the missing patch or service pack. Before you can do this, you need to download the patches and service packs to a folder, from which HfnetchkPro will push out the patches and service packs. All patches and service packs must be downloaded to the 'Download Center'. Links to all patches & service packs are provided for easy download.
HfnetchkPro Download center
HfnetchkPro can update most Microsoft Applications and all Microsoft Windows operating systems. It also supports several popular foreign language versions of Microsoft Windows operating systems. This is because these often require different patches.
The actual patch database is provided by Microsoft in the form of an XML file. This file can be downloaded each time you startup Shavlik Hfnetchk, ensuring that you are always scanning your network with the latest patch information.
Patch reports can easily be created
HfnetchkPro also includes a reports interface, which allows you to create reports on what patches are installed or missing on machines in your network. Furthermore, you can automate the process of updating patches using the HfnetchkPro command line interface.
Overall HfnetchkPro is an easy to use tool to check for missing patches and install fixes. However, you'll need a good security scanner to complement it. The fact that it does not do any security scanning is a pity.
Pros: Good database with all patches, wizards make it pretty easy to scan and update your network. Operating system patching is freeware. Patching supports multiple languages such as German, French and Spanish.
Cons: Only does patch management. Interface is a bit 'Windows NT 4' style.
Price: starts at $895
Click here to visit the developer's website.
GFI LANguard Network Security Scanner (N.S.S.)
GFI LANguard N.S.S. is a leading security scanner that also has patch management. I think security scanning and patch management fit very well together, using one tool to do both makes the process more intuitive and more manageable for the administrator.
Scanning with GFI LANguard N.S.S. was easy. You can either enter the IP or machine name directly at the top of the scanner interface, or use the scan wizard (accessed from the file menu) to specify which computers to scan. You can scan domains, specific computers and an entire IP range. Click Finish to start the scanning process. You'll see each machine appear in the left hand pane as it is found by GFI LANguard N.S.S. It gives detailed progress information on the right hand pane. That way you know what's going on - it's also interesting to see what the scanner actually does.
What I liked about GFI LANguard N.S.S. is that it groups all vulnerabilities into separate nodes, allowing you to expand only the information that you wish to view.
Patch management with GFI LANguard N.S.S.
As mentioned, GFI LANguard N.S.S. includes complete patch management too. You can use it to install operating system patches, service packs and also custom software. For example, I was able to use GFI LANguard N.S.S. to deploy a client for a server application using the custom patch deployment feature.
After scanning your network, missing patches are listed under the alerts node. All service packs and missing patches are listed. Right clicking on a patch or a service pack will allow you to deploy the missing service pack or patch to a particular computer or all computers. The 'deploy patches' dialog, shown in the screen shot, allows you to easily specify which patches to push out to which computers.
Deploying patches with GFI LANguard N.S.S.
Patches to be downloaded
After you specify which patches to push out, GFI LANguard N.S.S. will give you a list of service packs and patches that need to be downloaded and copied to the LANguard N.S.S download directory. This works in the same way as in HfnetchkPro.
Security scanning with GFI LANguard N.S.S.
GFI LANguard N.S.S. main interface, groups all information into nodes
GFI LANguard N.S.S. excels at security scanning. It scans your network fast and gives a wealth of information about it. Each machine is analyzed, for example what users are configured on the machine, what shares are available, what the password policy is, active services and so on. This information is vital in locking down your network.
After a computer scan is complete, you can expand a node of a particular group of information to get more details. For example, clicking on users will show you which users are available on that machine. Clicking on a particular user will show you whether the account is enabled or disabled and when he/she last logged in. Use this to find inactive accounts for example.
Besides providing the information 'As is', GFI LANguard N.S.S. also interprets the results, and compiles a list of issues, called alerts, which you need to review or fix. All alerts for a particular machine are found under the alerts node and are categorised to the type of alerts. Besides the missing patches and service packs node, there is also a node for mail alerts, services alerts, registry alerts and information.
The services node for example shows users that have never logged on, or the fact that the administrator account has not been renamed.
The services alerts node in GFI LANguard N.S.S.
The registry alerts node, well you guessed it, shows alerts regarding the registry. For example, on this machine (screenshot) guest users have access to the security log.
Filtering the results
If you are looking for particular security information, for example all open ports on a machine or on your network, you can filter the scan results appearing in the left pane. Especially if you are scanning a large network, this is essential. GFI LANguard N.S.S. ships with the following filters as standard:
High Security Alerts
Open TCP ports
For example, setting a filter on High Security Alerts allows you to review key security holes on your network and tackle them.
The open port filter of GFI LANguard N.S.S.
You can also create your own filter, using the 'Report Generator'. The report generator allows you to create filters such as:
All machines with shares
All machines which do not have Service Pack 2 installed.
All machines with port 21 open (indicating FTP server)
These filters are invaluable in closing down your network.
The GFI LANguard N.S.S report generator interface
GFI LANguard N.S.S. has many other powerful features, amongst them, the possibility to compare current scans with previous scans. Use this feature to detect new vulnerabilities automatically and have alerts sent to your email as they occur. This 'Vulnerability detection' is becoming an increasingly important element of a network security strategy.
GFI LANguard N.S.S. is a very powerful product, combining top-notch security scanning with patch management, making the 2 tasks easier to perform. It's also pretty inexpensive. $695 buys you an unlimited IP version. Almost too cheap really.
Pros: Easy to understand interface. Powerful security scanning. Excellent value for money.
Cons: Security reports could be better looking. Currently no way to store past scans in a database (although GFI tells me that they are working on this). Spelling errors in some of the scanning text are a pity.
Price: Starts at $295 for 50 IP's
Click here to visit the developer's website.
eEye Retina Network Security Scanner
eEye Retina is a pure security scanner. It does not do any patch management. However, once you purchase Retina Network Security Scanner, you can purchase UpdateExpert at a bundle price.
Scanning your network.
The Retina interface reminds me of Microsoft Outlook. You can customize the interface though and remove the shortcuts. Scanning your network is straightforward enough. You can input a machine name, IP or IP range. Unfortunately it does not allow you to specify a windows domain name. This is not a big problem, but both LANguard and Shavlik make this easier for you.
Once you have entered the IP's or machine names, Retina will start scanning. The scan results will be shown in the right hand pain. It's difficult to know when its done, because there is no real progress monitor, results just appear as found in the right hand pain. The scan results are split up into
Audits - security issues found
Machine - machine information
Ports - shows open ports
Services - shows services installed on target machine
Shares - shows shares open on machine
Users - users configured on target machine
The retina main window with the scan results in the right hand pain
Audits are the same as alerts in GFI LANguard N.S.S. It shows you all security issues that have been found and need fixing. Clicking on a particular issue shows you additional information in the bottom pane. Retina provides extensive information on each issue, with tips on how they can be resolved.
There isn't a section for missing patches. Rather, the vulnerability is highlighted, after which, by double-clicking on it you find out that the vulnerability can be fixed by installing a patch. Technically speaking, this is not incorrect, however I prefer to see exactly which patches are missing, rather then having the vulnerability listed together with all the other vulnerabilities.
Retina allows you to setup multiple policies to scan your network. This means that you can customize in detail what should be scanned for per scan. You can also consider it a 'scan profile'. Doing this allows you to skip all scans that are not needed for your network, and thus increase the speed of the scan. GFI LANguard N.S.S. allows you to do this too, but only as a global setting. With Retina you can have multiple policies and apply different policies to different scans.
Configuring a policy for a particular scan
One of Retina security scanner's strong points is its reporting features. It's easy to create a good-looking security report on your network. Retina ships as standard with a number of reports, including an executive report (use that to make a good impression on management J). You can customize the reports too, both its' contents and the style of a report. After you have selected and customised a report, Retina will create a good looking HTML report, showing you the most vulnerable machines, vulnerabilities by risk level, by type of vulnerability and more.
Creating a report in Retina
Retina report output
Retina is undoubtedly a good security scanner. It has a very comprehensive database of security issues (with strong support for UNIX), with extensive information on how to fix certain things. It also has a very good reporting module. However it's not as easy to use as GFI LANguard N.S.S. and does not clearly indicate missing patches. Neither does it have any Patch management or integration with a patch management tool.
Pros: Extensive vulnerability database especially for UNIX, Good reporting module
Cons: Not easy to find out which patches are missing. No way to specify to scan a whole domain. Very expensive
Price: Starts at $995 for 16 IPs
Click here to visit the developer's website.
Microsoft Software Update Services (SUS)
Microsoft SUS server is a free patch management tool provided by Microsoft to help network administrators deploy security patches more easily. In very simple terms, Microsoft SUS server is a version of Windows Update that you can run on your network. Instead of each workstation connecting to the Internet to update Windows, each workstation will connect to your Microsoft SUS server and update from there.
Microsoft SUS server, will connect to Windows Update itself, and provides notification of critical updates as well as automatic distribution of those updates to your workstations and servers. Only the Microsoft SUS server requires access to the public Internet. Microsoft SUS server offers the following features (from Microsoft website):
An administrator-controlled content synchronization service within the intranet. The synchronization service is a server-side component that retrieves the latest critical updates from Windows Update. As new updates are added to Windows Update, the server running Software Update Services automatically downloads and stores them, based on an administrator-defined schedule.
An intranet-hosted Windows Update server - the Microsoft SUS server. This server acts as the virtual Windows Update server for client computers. It contains the synchronization service and administrative tools for managing updates. It services requests for approved updates by the client computers connected to it using the HTTP protocol.
Administrator control over updates. The administrator can test and approve updates from the public Windows Update site before deployment on the corporate intranet. Deployment takes place on a schedule created by the administrator.
Automatic Updates on computers (desktops or servers). Automatic Updates is a Windows feature that can be setup to automatically check for updates published on Windows Update. Software Update Services uses this Windows feature to publish administrator-approved updates on an intranet. You can configure Windows to install updates on a schedule.
Installing Microsoft SUS server
Since Microsoft SUS server is not really a desktop based scanning tool, but rather an automated server, designed to work in the background, it's a little harder to set-up then the other patch management tools. However, once you have set it up, the patch management process is automated, so it's well worth the extra effort.
Installing it is quite simple. You install the Microsoft SUS server (requires IIS), and configure it to check for updates. Then you need to ensure that your workstations & servers have either Windows 2000 SP3 installed or have the Microsoft SUS client installed.
You can push out the SUS client using Active Directory quite easily, since the file is only 1 megabyte. After you have done this, you have to use Group Policy again to configure the client workstations to get their automatic updates from your SUS server. All this is clearly described in the documents accompanying Microsoft SUS.
Administering the Microsoft SUS server
The administration of Microsoft SUS server is all web based, allowing you to administer it remotely. The Microsoft SUS server will download all available updates automatically and notify you by email of new updates. New updates can be approved or rejected for deployment, ensuring that you still have full control over what gets installed on your network. The approval interface is very similar to updating a single machine using Windows Update.
Approving updates via the Microsoft SUS server administration interface
The Microsoft SUS Client
Once you have installed both Microsoft SUS server and the Microsoft SUS client, all updates are pushed out automatically. As an administrator you can configure how this should happen. You can set the schedule to control when this should happen, and allow the user to have some sort of control over this process, should you wish to do so. The screenshot below shows the options available. Of course these options can be locked down using group policy.
Automatic Updates control panel with options
After you have configured the Microsoft SUS client, patches will be deployed automatically. The user will be notified through a message in the task bar (see picture)
User receives feedback that updates are about to be installed
Microsoft SUS Server limitations
As good as it is, Microsoft's patch management tool does have a few limitations;
It does not push out service packs! You will need a separate solution for that.
It only does operating system level patches (Which includes Internet Explorer and IIS), not application patches such as Microsoft Office, Microsoft Exchange Server, Microsoft SQL server etc.
It requires Windows 2000 and up, so it can not patch Windows NT 4 systems
It cannot deploy custom patches for third party software.
This means that you still need to use a patch management solution to perform the above tasks. Microsoft does not plan to add the above features, since it promotes Microsoft SMS server as a tool for that. I still recommend using Microsoft SUS for operating system patches, and a patch management tool to perform the above functions.
Microsoft SUS is a very good patch management tool. On top of that it's free. However it does not deploy service packs, nor does it deploy patches to application software such as Office, Exchange or SQL server. Furthermore it has no scanning capability - You have to review the logs whether patches have been deployed successfully or not. You will need to use Microsoft SUS in tandem with a security scanner and a tool that can deploy patches to applications.
Pros: Free. Excellent patch management tool that allows deployment of Spanish, French German and other language patches too.
Cons: Does not deploy service packs, does not deploy application patches. Does not scan network to check if patches have been installed.
Click here to visit the developer's website.
Security scanning & Patch management conclusions
So what to do for security scanning and patch management? I believe that you should deploy Microsoft SUS server for operating system patch management. Although you can use a patch management product instead, using Microsoft SUS server will save you time in the long run. Once set-up, it's easy to keep your network up to date. Coupled with the fact that Microsoft SUS server is free, it makes for an easy decision.
However, Microsoft SUS server does not perform all patch management. Therefore you have to use a patch management solution in addition to Microsoft SUS server. Shavlik HfnetchkPro & LANguard N.S.S. are equally capable tools in this field, you can decide based on the interface or simply based on the cost. Both products are available for trial download.
You'll need a security scanner too. Although Retina is a good tool, I believe that a Windows network administrator might find the LANguard N.S.S. interface a little easier to use. Furthermore it's a lot cheaper then Retina. If you run a 250 machine/IP network, Retina will set you back some $6500, whilst LANguard N.S.S. costs about $450. I can't see the justification for that price difference. Keep in mind too, that LANguard N.S.S. can do patch management too. But again, try out both products - this is a matter of opinion.