VULNERABILITY ASSESSMENT SOLUTIONS TECHNOLOGY REPORT
FEBRUARY 2006
QualysGuard
www.westcoastlabs.org

Contents
QualysGuard
Test specifications ..... 3
Vulnerabilities ..... 6
The product ..... 5
Test report ..... 10
West Coast Labs conclusion ..... 20
Security features buyers guide ..... 21
Appendix ..... 22

West Coast Labs, William Knox House, Britannic Way, Llandarcy, Swansea, SA10 6EL, UK. Tel : +44 1792 324000, Fax : +44 1792 324001. www.westcoastlabs.org

Test specifications

The aim of this Technology Report is to evaluate solutions in the field of Vulnerability Assessment. Participants in the report may include online services, appliances and software tools.

TEST ENVIRONMENT

Participants in the technology report were invited to provide a vulnerability assessment of a heterogeneous network. The network set up by West Coast Labs for evaluation of solutions comprised 24 distinct hosts, including routers, managed switches, network servers and client machines. A variety of Operating Systems were used on the network, on different hardware platforms. A small number of virtual hosts were included. In building the network, some of the servers were installed with default settings. Various levels of patching were applied. In addition a number of common misconfigurations were made in setting up the servers, and in deploying particular services. Web applications were installed on relevant servers. Every host on the test network was imaged, and restored to its start state before each round of testing for individual solutions. The test network was available to each solution for 2 days. The final report, containing the results of the Vulnerability Assessment together with proposals and recommendations for remediation if appropriate, is addressed in the Test Results that follow.

The test network was protected by a router. ACLs were set on the router to restrict access to the test network from IP addresses specified by the participating vendor. Where the solution under test was an appliance or software solution then the router was configured to block all access from the internet for the period of test.

All participating solutions were provided together with documentation supplied to a normal user. Appliances were provided to WCL in the default shipping state. WCL engineers configured appliances in accordance with documentation provided. Software solutions state the desired specification and OS of the hardware on which the software is to be installed. WCL engineers installed and configured software in accordance with documentation provided.

WCL evaluation of the Vulnerability Assessment Report

Vulnerabilities on the target network were classified under 4 headings:

■ CRITICAL VULNERABILITIES – those that allow an attacker with minimal knowledge or skill to compromise the integrity of the network. This may include gaining control of a server or network device, gaining illegitimate access to network resources or disrupting normal network operations.
■ SEVERE VULNERABILITIES – those that allow illegitimate access to, or control over, network resources, but that require considerable knowledge or skill on the part of the attacker.
■ NON-CRITICAL VULNERABILITIES – those that allow attackers to gain access to specific information stored on the network. This could result in potential misuse of network resources. For example, vulnerabilities at this level may include partial disclosure of file contents, access to certain files on hosts, directory browsing, disclosure of filtering rules and security mechanisms.
■ INFORMATION LEAKS – these allow attackers to collect sensitive information about the network and the hosts (open ports, services, including security settings, precise version of software installed etc.)

Each product was assessed on:

■ The ease of deployment of the solution
■ The number of vulnerabilities correctly identified in each class
■ The completeness of the report, including identification of any network changes made
■ The clarity of presentation of the findings
■ The clarity of advice on remediation

WCL also comments on the level of technical knowledge required to understand and act on the information contained in the final report.

Participants in the Technology Report will be eligible for the Checkmark certification for Vulnerability Assessment. In order to achieve the Standard Checkmark Certification, the candidate solution must identify at a minimum 100% of the Critical Vulnerabilities and 75% of the Serious Vulnerabilities. All solutions must also provide accurate advice on mitigating the risks posed by the vulnerabilities. However, those developers identifying 100% of the Critical Vulnerabilities and a minimum 90% of the Serious Vulnerabilities will be awarded the Premium Checkmark Certification for Vulnerability Assessment.

Vulnerabilities

So that the test network would mirror that found in many businesses, a variety of operating systems, on different hardware platforms, were included. A Windows domain was set up with three servers and a mix of workstations running Windows XP and Windows 2000 Professional. Some Sun servers running Solaris 2.8 provided web services and file storage; assorted Linux boxes running Mandrake and RedHat distributions, and a Mac, completed the mix.

Some of the servers were installed with default settings and varying levels of patching were applied: some hosts were patched fully up to date while others had been left out of the process. In addition, a number of common misconfigurations were made in setting up servers and deploying particular services. These are configuration errors that can have profound effects on network security but can easily be implemented by a hard-pressed administrator as a “temporary” quick fix to a connectivity problem. For example, DNS was configured to allow zone transfers. Also, Windows servers were configured with open network shares, FTP servers with anonymous write access, SMTP servers configured as open proxies, SQL Server with a blank SA password, and IIS 5.0 with the demo applications.

On the Windows 2000 PDC we installed TightVNC as a service without tunnelling through SSH. There were user shares available on the wwwroot and ftproot directories and a world-writable FTP server. The BDC had Exchange 2000 and Active Directory installed. DNS was provided by the remaining Windows 2003 server; IIS 5.0 was installed with demo applications, Active Directory, and a vulnerable web application that was specially crafted in-house. The server was also running Unreal Tournament GOTY edition (version 436) along with the UT web interface running on an unusually high port.

One of the Sun Blade servers had a Virtual Learning Environment (VLE) installed. The VLE had a default admin username and password as well as being installed with an old and vulnerable version of Apache.

On the Linux hosts, vulnerabilities included SSH access, Apache installations, Samba and a writable FTP directory. A Cisco router was configured with default settings, a default username/password and an open web admin tool, and an Apple Mac Power G3 ran OS 8.6; over all these devices passwords were set to be blank or easily guessable. An HP printer was added with default settings and open to administrative access via telnet and HTTP. Back Orifice was installed on one machine on a high-end port.

Each of the “user” workstations was patched to a different level using official Microsoft Service Packs, historical patches and Windows Update. Some machines were included in the Windows Domain. These machines then had different applications installed, ranging from the Unreal Tournament client and TightVNC through to IIS 5.0 and remote admin, and multiple vulnerabilities. Our test network thus consisted of a series of machines with differing hardware specifications, operating systems, patch levels, and software installations. If changes were made to the default settings.

The product

QUALYSGUARD® ENTERPRISE

Qualys describe QualysGuard Enterprise as a scalable vulnerability management solution, which is positioned by Qualys as being suited to large, distributed networks that require support for an unlimited number of IPs, appliances for internal scanning and users with hierarchical authorization rights.

Qualys say…about the product.

QualysGuard Enterprise is an enterprise class, on demand solution, which enables organizations to measure and reduce risk by providing a proactive solution to track and remediate security vulnerabilities used for exploitation, conduct automated security audits and ensure compliance with internal policies and external regulations … with no infrastructure to deploy or manage. According to CERT, 99% of attacks exploit known vulnerabilities. QualysGuard enables security managers to strengthen the security of their networks effectively. www.qualys.com

Qualys say…about the QualysGuard Business Benefits.

QualysGuard gives organizations the ability to mitigate risks by automating the proactive identification and prioritized remediation of security vulnerabilities based on risk to business operations and to ensure regulatory compliance via automated auditing. The on demand architecture offers significant economic advantages with no capital expenditures, extra human resources or infrastructure to support and maintain. Its immediate deployment capabilities and strong security model enables security teams to perform scans on geographically distributed and segmented networks both at the perimeter and behind the firewall. Companies receive daily updates about new security vulnerabilities, full security trending reports, indelible audit trails, and access to verified remedies—all without the cost and burden of deploying and maintaining complex software, plus the validity and assurance that comes with third-party assessment. www.qualys.com

Qualys say…about the QualysGuard Technical Benefits.

QualysGuard on demand platform gives users an automated way to map global assets, identify vulnerabilities on their networks, prioritize remediation according to business risk and achieve regulatory compliance … with no infrastructure to deploy or manage. QualysGuard allows organizations to audit their networks with the highest degree of accuracy, data integrity and ease of use while delivering the lowest total cost of ownership. QualysGuard has the most comprehensive KnowledgeBase of vulnerability signatures in the industry (5,000+), and performs over 6 million scans per month with a 99.997% accuracy rate. www.qualys.com

Test report

Introduction

QualysGuard is a Vulnerability Assessment tool aimed at large distributed networks. It consists of a series of one or more Scanner Appliance devices placed within the corporate network. These are accessed, and scans are launched, via a web-based management tool. The compact hardware arrived at West Coast Labs with a Quick Start Guide, Administrators Guide, a Rackmount kit, power and Cat5 cables, and a set of documents relating to the latest news and the regulatory compliance of the device.

Installation and Configuration

The installation was a straightforward three-stage process. The set up of the hardware following the clearly formatted manuals proved to be simple; networking can be set up using the LCD screen and navigational buttons on the fascia of the unit. These keys are responsive and do not have the problem of key lag common to this kind of interface. The product then needs to be activated by first logging into the web application and then into the unit itself.

After having been provided with login credentials to the web interface, the user is presented with a selection of the latest vulnerabilities from the knowledgebase with relevant information such as category, Bugtraq ID and, crucially, the severity. These knowledgebase entries are updated regularly so that the users can be assured that the functionality of the solution is as up to date as possible.

The Interface

The web application is the main interface point of the solution and has been designed with ease of use in mind. The interface is far from utilitarian, however, and has an understated elegance that serves it well. Upon logging in, basic help is provided via a pop up window that offers a helpful set of pointers in the form of a QuickStart Guide. Each of the links offered here directs the user to the relevant section of the interface and the overall layout provides a suitably structured introduction to performing asset maps and vulnerability scans. Further help can be accessed at any point during the use of the interface either by the main Help link at the top as part of the general menu structure, or via the Quick Help button that appears on every page. These serve different functions, as the Quick Help relates specifically to the screen that the request is made from whereas the main Help is more general and covers use of the entire interface, split into chapters in a similar format to the standard Windows help files.

The main menu for the system consists of several sections: Home, Map, Scans, Reports, Remediation, and Preferences, with further links for Support and Help. When attempting to discover a network’s liabilities, the starting point for any new customer should be the Map section. This allows for discovery scans to be made by IP range or domain name. A quick process to set underway, the interface makes it as simple as possible by guiding the user through it in stages. A screen within the set up of each Map process includes a tick box that must be checked to ensure that the user has the legal right to scan the IP range entered. Length of the scan will obviously depend on the number of hosts within the range to be scanned, but notification emails can be configured so that an administrator is aware of the successful completion of this phase.

Once the scans have completed they can be viewed either as text or in a diagrammatic format. The former is in list format with tick boxes alongside each entry to enable selection of each asset for scanning or insertion into Asset Groups, whilst the latter is a well thought out and presented interactive view. This signed Java applet allows the user to drag individual devices around the interface in order to lay the target network out in different arrangements to best suit the presentation and can also be used to launch scans against individual devices.

Once the devices on the network have been discovered via mapping, they may then be scanned either as individual concerns or as Asset Groups. The building of a scan is initiated from the Scans menu and has been made incredibly easy by its similarity to the mapping interface. Again, it functions by specifying an IP range or asset group, a title and an option profile for the scan, and the scan can then be undertaken. Three initial profiles are provided: Initial (default), SANS top 20 and RV-10, or custom scans can be constructed using a link found under the Preferences menu. This allows the user to specify a title, the scanner to be used (whether the default for the group, the internal appliance, or Qualys’ own scanners), and then various sets of options for Scanning or Mapping including the levels of scanning for TCP and UDP ports, whether to scan dead hosts, load balancing detection, performance levels, the degree of brute password forcing to apply, the different types of vulnerability detection and various types of authentication to try. There are also sets of advanced options that relate to corporations that use IDS systems and some further options related to the types of packets sent. It is easy to alter the settings for each of these scans if so desired.

Once the scans have been executed, an administrator may choose to receive a notification by email. This is turned on by default and may be disabled under the Preferences menu. The email contains a link to the online report as well as a summary of the principal points of concern.

Using Qualys’ own appliances rather than an in-house device is a viable option for scanning external IP addresses; however, private IP ranges may only be scanned if there is a Scanner Appliance in place within the network. The choice of which scanner to use makes it possible to split the workload so that one device does not necessarily become overloaded with requests, and it is possible to set a default Scanning Appliance for a given Asset Group to make this process even easier.

Reports

The online reports are well formatted and are available in several flavours, from an executive summary for non-technical management to a technical report including recommended resolutions to give to the corporate IT staff. Each report may be saved in several different formats: PDF, XML, zipped HTML, or an MHT web archive are available and may be downloaded to a local machine.

These contain the assigned title of the scan, the start time and duration, option profile and the user that initiated the scan, number of hosts scanned and number of hosts active. Further to this there are summaries of discovered Vulnerabilities, Potential Vulnerabilities, and Information Gathered. These are grouped by severity, and a differential figure between the current scan and the last scan for each level of severity is also provided. The Summary section for each report, however, consists of clearly presented graphical representations of the severity of vulnerabilities, groups of assets broken down by IP address, operating systems detected, and services detected, along with a textual synopsis to back these images up.

The section of the report given over to Detailed Results contains three major sections – Vulnerabilities, Potential Vulnerabilities and Information Gathered. The description of each liability contained within the reports is given a severity rating between one and five and is organised in order of most dangerous and highest rated first. This gives a corporate IT department the ability to tackle the most important problems immediately, but it is important to be aware that the other vulnerabilities should not be overlooked just because they come lower down the scale. For those reports that cover a large range of assets there is a drop down menu at the top of each generated report allowing the user to see a summary of vulnerabilities, or both.

The majority of the reports are taken up by the descriptions of the vulnerabilities and their remediation, organised on a per asset basis. Each report also includes detailed data on a per vulnerability basis. This data includes similar data to the knowledgebase entries seen upon first login such as BugTraq ID, CVE ID and category. Alongside this there is an assessment of the threat of each, an impact evaluation that describes how the vulnerability may be exploited, remediation advice that includes links to external web sites where appropriate, and a Result section that shows returned values if appropriate.

Alongside each description there is also a status for the vulnerability and a drop down menu allowing the administrator to either ignore the vulnerability or create a ticket using the inbuilt ticketing system. This allows the administrator to assign the remediation of the problem to any user registered on the system and set a deadline as well as provide some descriptive text to accompany the ticket. These tickets can then be viewed under the Remediation section of the interface, which offers a variety of filters that can be applied to the tickets. These filters include user, date range, status, asset, vulnerability and severity, and allow for a detailed summation to be constructed of the current state of remediation across the network. The ticket itself consists of data regarding the assignation of the ticket, the vulnerability details taken from the report, and a section for the user to add further comments and apply actions such as resolving or reassigning if their permissions allow.

The Preferences section covers various areas including, as previously noted, the construction of custom scan parameters. Scans may be scheduled from within this section of the interface so that a long scan that may potentially interfere with network traffic can be set to run overnight on a one-off or regular basis. It is possible to alter assets by assigning them to specific users and changing the way they are tracked via IP address, DNS host name or NetBIOS host name. It is also easy to adjust Asset Groups in various ways including organising them into Business Units.

User permissions are also set and assigned here. There are several levels of users from Manager down to Contact and each may be assigned the responsibility for different asset groups. The level of interface interaction that a user gets depends upon their permissions and certain tabs and sections within the QuickStart Guide are not available to given levels of user privileges. There is also the possibility within this section of the interface to look at usage logs for the interface. These include date and time, the user to which the entry refers, the IP address of login, action (such as logging in to the interface or launch / completion of a scan), and their role. This gives a good way of tracking access to the system from different locations and users.

System Oversight

Oversight of the entire system comes from the section labelled Home. This contains the Knowledgebase that is displayed upon initial login, but also includes the Dashboard. This is a useful overview of the vulnerabilities, open tickets by severity level, top ten open tickets and top ten vulnerabilities. Further information is provided by another screen called Account Info – this includes details of the latest scans run and when the next scheduled scans are due. There is also a link to email the assigned Qualys contact for the corporation and the number of IP addresses registered in the corporate account. This section also includes various version numbers, including the Web Application, in order to ensure that the latest versions are available. The scanner operating system version and signature database version are provided for both Qualys’ external scanners and for any internal Scanner Appliances that are registered.

It is also possible from within the Home interface to run a Risk Matrix report mapping given vulnerabilities against assets or Asset Groups – this is a useful tool allowing newly released vulnerabilities to be run against registered devices for an instant risk assessment. Finally, there is a section called Resources that contains release notes, access to support documents and a group for Tips and Techniques.

West Coast Labs Conclusion

QualysGuard is a comprehensive vulnerability assessment and remediation solution. The installation and set up is well documented and trouble-free and the interface offers a deceptively simple user experience. From design to user interaction, QualysGuard offers everything necessary for the user to improve the security of their network in a very short time frame. The ability to assign tickets within the interface ensures that administrators and those responsible for the security of a corporate network can keep on top of the workload and have information at their fingertips whenever it is needed.

The quality of scans and subsequent remediation advice is paramount in solutions of this nature, and QualysGuard delivers admirably. During our testing QualysGuard detected all of the Critical and the majority of the Serious vulnerabilities with ease, and we are therefore pleased to announce that QualysGuard has been awarded the Vulnerability Assessment Premium Checkmark. This solution should be considered by any corporation looking to mitigate the risks to their network through a thorough liability detection system.

Security features buyers guide as stated by Qualys

■ Unlimited number of Network Maps
■ Unlimited scanning of servers and workstations
■ 24x7 email and telephone Customer Support
■ Scheduled and on-demand Security Audits
■ VPN and wireless access point scanning
■ Remediation workflow management with automatic trouble ticket creation
■ Executive summary reports for managers
■ Detailed technical reports
■ Vulnerability ticket reporting with full remediation instructions
■ Differential reports with trending graphs
■ Differential network inventory reports
■ Built-in PCI compliance reports for self certification
■ Full remedy information for each vulnerability
■ Distributed Scanning with centralized data repository for reporting
■ Ability to create multiple users with flexible access privileges for distributed management
■ API/SDK capabilities for automation and integration with other security products
■ Internal and external scanning provides a 360-degree view of network vulnerabilities
■ CVE, CVSS and OVAL standards support
■ Automatic, daily updates to vulnerability KnowledgeBase (over 5000 unique checks)
■ 100% non-intrusive detection techniques
■ Inference-based scanning engine optimized for speed and bandwidth efficiency
■ Scans configurable for optimum performance
■ Both trusted and non-trusted scanning capabilities
■ Six-Sigma scanning quality
■ Export reports to HTML, MHT, PDF and XML formats
■ Executive Dashboard to track progress and enforce compliance
■ End-to-end encryption of vulnerability data
■ Immediate deployment capabilities
www.qualys.com

Appendix

Vulnerability Assessment Premium Level Certification

Within the framework of the testing carried out in this Technology Report, those developers identifying 100% of the Critical Vulnerabilities and a minimum 90% of the Serious Vulnerabilities are awarded the Premium Checkmark Certification for Vulnerability Assessment. http://westcoastlabs.org/cm-briefingdocs.asp
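The evaluation method behind the Checkmark thresholds above (the lab knows every weakness it planted on the test network, classifies each under one of the four headings, and credits a scanner only for findings that match a planted weakness) can be written down as a small scoring harness. The following is an added example and is not West Coast Labs' or Qualys' code; the hosts, service ports, identifiers and scanner output lines are constructed sample data, not the lab's real network or any QualysGuard report format, and the "accurate remediation advice" requirement is a manual judgement that the code does not model.

```python
"""Scoring a vulnerability assessment against known ground truth.

Added example, not part of the West Coast Labs report or of any Qualys
code.  Thresholds are the ones the report states: Standard = 100% of
Critical and 75% of Serious (Severe), Premium = 100% and 90%.  All hosts,
services and identifiers below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass

CRITICAL, SEVERE, NON_CRITICAL, INFO_LEAK = (
    "critical", "severe", "non-critical", "information leak")


@dataclass(frozen=True)
class Weakness:
    host: str       # IP address of the affected host (constructed)
    service: str    # port/protocol the issue lives on, e.g. "21/tcp"
    ident: str      # short constructed name for the issue
    category: str   # one of the four report headings above


# Constructed ground truth mirroring the kinds of misconfiguration the
# report describes: blank SA password, anonymous FTP write, zone transfer,
# open shares, open relay, unencrypted VNC, demo apps, default printer creds.
GROUND_TRUTH = [
    Weakness("10.0.0.10", "1433/tcp", "mssql-blank-sa-password", CRITICAL),
    Weakness("10.0.0.11", "21/tcp",   "ftp-anonymous-write",     CRITICAL),
    Weakness("10.0.0.12", "53/tcp",   "dns-zone-transfer",       SEVERE),
    Weakness("10.0.0.10", "445/tcp",  "smb-open-share",          SEVERE),
    Weakness("10.0.0.13", "25/tcp",   "smtp-open-relay",         SEVERE),
    Weakness("10.0.0.16", "5900/tcp", "vnc-unencrypted",         SEVERE),
    Weakness("10.0.0.14", "80/tcp",   "iis-demo-apps",           NON_CRITICAL),
    Weakness("10.0.0.15", "23/tcp",   "printer-default-creds",   NON_CRITICAL),
    Weakness("10.0.0.11", "21/tcp",   "ftp-banner-version",      INFO_LEAK),
]

# Constructed scanner output: one "host service identifier" per line.  It
# misses the open relay and the printer, and reports one host that is not
# part of the ground truth at all.
SCAN_A = """
# constructed output: host service identifier
10.0.0.10 1433/tcp mssql-blank-sa-password
10.0.0.11 21/tcp ftp-anonymous-write
10.0.0.12 53/tcp dns-zone-transfer
10.0.0.10 445/tcp smb-open-share
10.0.0.16 5900/tcp vnc-unencrypted
10.0.0.14 80/tcp iis-demo-apps
10.0.0.11 21/tcp ftp-banner-version
10.0.0.99 22/tcp ssh-weak-cipher
""".splitlines()


def parse_findings(lines):
    """Turn scanner output lines into a set of (host, service, ident).
    Blank lines and '#' comments are skipped; malformed lines raise."""
    found = set()
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed finding: {raw!r}")
        found.add(tuple(parts))
    return found


def score(ground_truth, findings):
    """Return ({category: (detected, total)}, missed, unmatched).
    Credit requires host, service and identifier all to match, so a vague
    finding on the right host earns nothing; findings outside the ground
    truth are returned separately for manual false-positive review."""
    per_class = defaultdict(lambda: [0, 0])
    missed = []
    truth_keys = {(w.host, w.service, w.ident) for w in ground_truth}
    for w in ground_truth:
        per_class[w.category][1] += 1
        if (w.host, w.service, w.ident) in findings:
            per_class[w.category][0] += 1
        else:
            missed.append(w)
    counts = {c: tuple(v) for c, v in per_class.items()}
    return counts, missed, findings - truth_keys


def rate(counts, category):
    """Detection rate for one category; an empty category counts as met."""
    det, tot = counts.get(category, (0, 0))
    return det / tot if tot else 1.0


def checkmark_level(counts):
    """Premium: 100% Critical and >=90% Severe; Standard: 100% and >=75%."""
    crit, sev = rate(counts, CRITICAL), rate(counts, SEVERE)
    if crit < 1.0:
        return "none"
    if sev >= 0.90:
        return "premium"
    if sev >= 0.75:
        return "standard"
    return "none"


def evaluate(lines, ground_truth=GROUND_TRUTH):
    """Parse, score and grade one scanner's output against the ground truth."""
    counts, missed, unmatched = score(ground_truth, parse_findings(lines))
    return checkmark_level(counts), counts, missed, unmatched


if __name__ == "__main__":
    level, counts, missed, unmatched = evaluate(SCAN_A)
    for cat, (det, tot) in counts.items():
        print(f"{cat:18s} {det}/{tot}")
    print("missed:", [m.ident for m in missed])
    print("unmatched findings:", sorted(unmatched))
    print("checkmark:", level)
```

Run stand-alone it grades the constructed scan as Standard rather than Premium: both Critical items are found but only three of four Severe items (75%), and the ssh finding on 10.0.0.99 is listed for manual review rather than counted as a detection. Matching on the full (host, service, identifier) triple is the design choice worth keeping when building a harness like this; scoring by host alone would credit a scanner for noticing that a machine exists.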