GFI Languard is an extensible integrated software suite that can provide the tester with a comprehensive overview of the security status for an entire network or just an individual device. Not only is this an excellent vulnerability assessment tool but the remediation aspects make this almost a one-stop shop for filling the holes the tool has discovered making a really useful administration tool also. GFI Languard allows the user to carry out:
- Vulnerability testing of all computers and mobile devices connected to a network.
- Security patch and service packs enumeration and remediation for Microsoft®, Mac OS X®, and Linux® operating systems and applications.
- Patch management enumeration and remediation for third party applications, including Mozilla Firefox®, Java® Runtime, Adobe®, Apple®, Skype®, WinZip®, Real Player® and more.
- (Including support for both security and non-security patches).
- Automatic detection of unauthorised applications (and un-installation).
- Audit and compliance checking (supporting, PCI DSS, HIPAA, SOX, GLBA, PSN CoCo etc.)
- Network-wide deployment of any custom software and scripts that can run silently.
Catering for both medium to larger sized networks, GFI Languard has a number of extensible components that can be used, thus it is able to reduce the total cost of ownership for a company allowing it to centralise vulnerability scanning, patch management and network auditing. Components include:
- GFI Languard Server (Management Console) - Enables you to manage agents, perform scans, analyze results, remediate vulnerability issues and generate reports.
- GFI Languard Agents - Enable data processing and auditing on target machines; once an audit is finished, result is sent to
GFI Languard Server.
- GFI Languard Update System - Enables configuration to auto–download updates.
- GFI Languard Attendant Service - Background service that manages scheduled operations, including scheduled network security
scans, patch deployment and remediation operations.
- GFI Languard Scanning Profiles Editor - Enables creation of new or modification of existing scanning profiles.
- GFI Languard Command Line Tools - Enables launching network vulnerability scans and patch deployment sessions, importing and exporting profiles and vulnerabilities without loading up the management console.
GFI Languard is available to evaluate for 30 days (albeit limited to 5 IP addresses), after such time a licence is required for corporate use. Licences are usually based on the amount of IP's you wish the tool to scan, a full pricing structure is available from here.
Download the latest version from the website here (Installation manual is available from here).
Simply double-click the executable.
Register with supplied username and registered licence or 30-day evaluation key.
Insert appropriate administrative account details to enable automated and scheduled scans and updates to take place.
Select appropriate path: C:\Program Files\GFI\Languard 11\ (default)
Program will install then automatically launch.
Pre-requisites, (full list here):
Note: - To scan remote machines the following must either be enabled and/or installed:
- Secure Shell (SSH) - Required for UNIX/Linux/Mac OS based scan targets.
- Windows Management Instrumentation (WMI) - Windows 2000+
- File and Printer Sharing.
- Remote Registry.
GFI Languard will then inspect the local machine it is installed on for any associated vulnerabilities by default. As part of this process it will download the latest patch database to enable it to check the require patch level on the local machine.
After initial installation, the default local scan is a nice touch, at least the user will potentially be aware of any glaring holes in their system and appropriately deal with them before utilising the tool for real to scan there's and other networks.
This is set by default to auto update via the GFI update site (update.gfi.com). This site checks to verify the product is licensed (HTTP POST /license/gfilanss.key), verifies the currently available update version number (HTTP GET /lnsupdate/index.txt) then hands off the update mechanism to the actual software download at: software.gfi.com/lnsupdate/ which redirects to http://lnsupdate.gfi.com/ (Several servers seem to be involved in this mechanism, notably the following IP's 220.127.116.11, 18.104.22.168&16 and 22.214.171.124.)
Note: - The serial number of the product together with any email alerting contact details you have setup are passed across in the clear text during this transaction as in the previous version, which is disappointing as a simple hashing of this data should suffice to encrypt it especially if it details extra internal server details and mail addresses (licence key obfuscated below).
It is possible to alter the update mechanism to utilise a proxy and also to manually download all the required update binaries from the directory at http://lnsupdate.gfi.com/ to an alternative web server or local/ network resource. Once configured in this way GFI Languard will attempt to update from there.
This would be the ideal situation for air gapped sensitive environments where Internet access is precluded; the scanning machine obtaining updates after having first been virus scanned and verified. Alternatively the updates may be copied directly to the GFI Languard updates folder located at: "C:\ProgramData\GFI\Languard 11\Update\" (Windows Vista+).
Note: - The program will still attempt to verify that it is licensed, but will fail, however, this still allows the update mechanism to complete successfully.
Updating can also be carried out whilst other tasks are running which is a nice improvement over legacy versions of this application.
In the my last review of the previous version (2011) I suggested it may be pertinent to enforce authenticated access to the update site, this still has not been done. This would serve a number of purposes, firstly providing another hurdle to guard against Intellectual Property Right abuse from counterfeit copies of the program and also to deter would be attackers enumerating the web server file structure. In addition I suggested providing an MD5 hash of the updates would allow manual verification of their authenticity, this thankfully has been done with MD5 and CRC32 values provided. There have been, in recent times, more and more instances of exploited web facing depositories; attackers replacing original files with their own backdoored binaries and updates. An SSL/TLS encrypted session would also thwart "sniffing" attacks enabling an attacker to gain a registered licence key and go a long way to prevent MiTM attacks.
A nice feature for the product is the quick overview of updates and news displayed on the dashboard with the option to visit the website for more information or extra news:
Assuming an appropriate profile has either been created (see below) or one of the default options is to be used the following information is all that is required to initiate a scan of a target computer(s):
Scan Target, Single computer, range, list, domain etc.
Current user, Alternative Credentials, null session or SSH Private Keys.
GFI Languard communicates with managed computers (Agents and Agent-less), using the ports and protocols below. The firewall on managed computers needs to be configured to allow Inbound requests on ports:
Pressing scan sets the task off and various different threads are opened by the tool with interim results appearing as particular parts of the scan are completed. Once a scan is finished the user can drill down and view any issues reported in the results screen and dependant on their scope, remediate or report.
Note: - The estimated amount of time left for a scan to complete is displayed whilst in progress but experience shows it cannot fully be relied upon with many test scans displaying 1 minute for a prolonged period of time, he status bar does progress but it would be nice if the amount of audit operations processed decremented periodically to give an indication of how many checks were left, akin to other such tools on the market.
Going to the first dashboard tab provides a nice overview of the scan and a particular part of the scan results can be viewed:
GFI Languard can also be run in two modes either server mode where the server component performs audits over the network; while in Agent mode, audits are done using the scan target's resources and only a result XML file is transferred over the network.
Note: - Where agents are remotely deployed TCP port 1070 is opened and used as the service to send results back to the server. Agents de-install by default after 60 days (although this can be reduced, which I highly recommend).
A number of predefined scanning profiles can be selected when initiating a scan from the drop-down menu. Alternatively a custom profile can be created via the configuration tab which opens the scan editor component. A pre-defined profile can be copied and adapted or a totally custom scan created. Profiles are divided into two areas, Vulnerabilities and Patches with the vulnerabilities portion of individual scans broken down into common families of products and services:
These can be selected and de-selected as deemed necessary. Alternatively the patches options allow a scan to be carried out only looking for missing patches based on their severity:
Both options are extensible and continue on from the previous version being an excellent addition to any tester who needs to carry out a bespoke test, but from a personal perspective, I would like to be able to select vulnerabilities based on the OS, Vendor and services offered as this may provide a more targeted facility which is offered within other vulnerability scanners. In addition an obvious deselect or select all button would be helpful if only certain checks need to be carried out for a family of vulnerabilities.
In this way the amount of checks carried out against a target would be vastly reduced saving on enumeration of checks for applications and services that are not installed and for the wrong OS variant.
An administration and configuration guide is also available here which details how GFI Languard can be extensively customised to better suit certain environments to enable it to be used to its full potential.
GFI Languard has a number of default reporting options and templates which have been sub-divided into General and Compliance Categories which seem to have been revamped and better organised from the previous 2011 release. The reports are easily managed, customisable and can be scheduled, 26 such General reports exist including:
10 Compliance reports covering against a plethora of legislation from around the world include:
In an unabridged form some of the reports, IMHO, contain far too much information, have reams of white space and are generally very bulky for the reader to get their head around the salient points. However, the software developers have thought of this and the templates are easily, (and should be!), customised to suit the tester or organisation.
When generating a chosen report it can be further customised via the advanced settings option; allowing the tester to specify what information from the template is required. In this way the report can be very succinct, concentrating on the key areas requested from the test and it looks all that more professional with extraneous information removed if not required. As each tasking will be unique, the customers report should be also, they have their own scope the test should be adhered too and the beauty of GFI Languard is that reporting can be geared to that also.
There is also an option to save these filters as a new template which saves quite a bit of work for future tests.
Two types of example reports have been produced after carrying out an audit of a Windows 8 Desktop:
To get an idea of the format of the report produced, a sample is displayed before the report is generated. Those not familiar with the application can then get an idea of the content it will produce and either tailor there needs to suit or use another report template
A key selling point for this product is the ability to perform remediation based on discovered results. Keep systems patched and secure for any system administrator is a major heartache and having a product such as this that will identify all missing patches, both application and OS yet also allowing compliance testing and removal of unauthorised software is of definite benefit to them. To enable remediation to take place, it must be configured as patch auto-download is not enabled by default, this can be achieved easily from within the configurations tab. All potential patches can either be downloaded or only those identified as previously missing to the default installation directory "C:\Program Files\GFI\Languard 11\Repository\" or alternatively a path can be specified to the WSUS content folder.
Even before patches can be deployed they need to be approved, which ties in nicely to organisation with configuration control mechanisms and regular update strategies. The facility to do this, I had previously found in GFI 2011 to be a little basic allowing the user to either approve all Microsoft patches, all Microsoft Service Packs or non-Microsoft patches for deployment but thankfully in the new version it looks far more extensible and lots of thought has gone into this area.
Certain individual bulletins may be selected for deployment or selecting and right-clicking allows multiple to be selected. Carrying out the approval process in this way at first may be a little laborious but once a regular download, testing and release strategy is in use within the enterprise, this should not be too onerous.
It may be prudent in future releases to offer a select/de-select all button to make approving quicker and the ability to find or select by date (posted) range.
To carry out remediation, the remediate tab allows selection of a number of options, selecting deploy security patches allows for any patches identified as missing to be selected for install (Note: - patches marked as not available I had not downloaded these via the tool):
Selecting the patches you wish to deploy, then clicking the remediate button starts the install process. Alternative credentials may be supplied if required. The patches will be automatically downloaded and silently installed on the target computer. A pop-up notification will potentially appear and the target may automatically reboot if required and configured appropriately to do so.
This is a nice option for being able to selectively deploy patches to multiple computers who have the appropriate GFI LanGuard agent deployed to them or you have full administrative privileges for.
One of the other really nice features of GFI is the ability to carry out remote support from within the remediation tab window itself. This facility allows the user to open a remote desktop session to a host they have previously scanned, this would be useful for general administration but also from a testing perspective to manually verify results and carry out other such checks. It would be nice to accommodate other OS and have the ability to open an SSH session within this area also.
Overall the product has been improved from previous versions some of the things I would have liked to see which were missing from Languard 2011 having been implemented :-). I do still really like this product, it is especially useful within Windows Networks with the remediation aspect its key selling point, giving it the edge over the majority of other vulnerability scanners. The one thing last time I reviewed the product that reduced its effectiveness was its support for OS other than windows but it is good to see they have addressed this and are making in-roads into making it more extensible and OS agnostic. My one concern with the tool is as it adds in more support and uses it is getting a little "bloaty" and thought may be given to separating out the remediation and scanner portions either into two separate tools or have two disparate engines to reduce system CPU usage and processing. Nessus went from an all-in-one executable to web based product which could be used to call different functions and be run remotely, I wonder if they have any thoughts on following that model?
Overall, even with the nuances mentioned, it is a really sound product and still provides a great tool and resource for any vulnerability analyst and system administrator alike. You can't go wrong really if you use this combined with other scanners to compliment your toolkit.
I would definitely rate this product as 4 out of 5.