Evaluation Guide Security Analyzer September 12, 2002 |
|
This document and the software described in this document are furnished under and are subject to the terms of a license agreement or a non-disclosure agreement. Except as expressly set forth in such license agreement or non-disclosure agreement, NetIQ Corporation provides this document and the software described in this document "as is" without warranty of any kind, either express or implied, including, but not li 12312b12m mited to, the implied warranties of merchantability or fitness for a particular purpose. Some states do not allow disclaimers of express or implied warranties in certain transactions; therefore, this statement may not apply to you.
This document and the software described in this document may not be lent, sold, or given away without the prior written permission of NetIQ Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of NetIQ Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data.
This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in or changes to the software described in this document at any time.
© 1995-2002 NetIQ Corporation, all rights reserved.
U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R. 227.7202-4 (for Department of Defense (DOD) acquisitions) and 48 C.F.R. 2.101 and 12.212 (for non-DOD acquisitions), the government's rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement.
ActiveAgent, ActiveAnalytics, ActiveKnowledge, ActiveReporting, ADcheck, AppAnalyzer, Application Scanner, AppManager, AuditTrack, AutoSync, Chariot, Chariot VoIP Assessor, ClusterTrends, CommerceTrends, Configuration Assessor, ConfigurationManager, the cube logo design, DBTrends, DiagnosticManager, Directory and Resource Administrator, Directory Security Administrator, Domain Migration Administrator, End2End, Exchange Administrator, Exchange Migrator, Extended Management Pack, FastTrends, File Security Administrator, Firewall Appliance Analyzer, Firewall Reporting Center, Firewall Suite, Ganymede, the Ganymede logo, Ganymede Software, Group Policy Administrator, Intergreat, Knowledge Scripts, Log Analyzer, Migrate.Monitor.Manage, Mission Critical Software, Mission Critical Software for E-Business, the Mission Critical Software logo, MP3check, NetIQ, the NetIQ logo, the NetIQ Partner Network design, NetWare Migrator, OnePoint, the OnePoint logo, Operations Manager, Qcheck, RecoveryManager, Security Analyzer, Security Manager, Server Consolidator, SQLcheck, Visitor Mean Business, Visitor Relationship Management, VoIP Manager, W logo, WebTrends, WebTrends Analysis Suite, WebTrends Data Collection Server, WebTrends for Content Management Systems, WebTrends Intelligence Suite, WebTrends Live, WebTrends Network, WebTrends OLAP Manager, WebTrends Report Designer, WebTrends Reporting Center, WebTrends Warehouse, Work Smarter, WWWorld, and XMP are trademarks or registered trademarks of NetIQ Corporation or its subsidiaries in the United States and other jurisdictions. All other company and product names mentioned are used only for identification purposes and may be trademarks or registered trademarks of their respective companies.
Contents
About This Book and the Library v
Conventions vi
About NetIQ Corporation vii
Chapter 1
Introduction 1
What Is Security Analyzer?
How Security Analyzer Works
What Security Analyzer Provides
Complete and Accurate Vulnerability Assessment
Automated and Customized Workflows
Flexible and Scalable Deployment
Open and Extensible Architecture
How Security Analyzer Helps You
Protect Valuable Business Assets
Reduce System Outages
Ensure Audit Compliance
Proactively Address New Vulnerabilities
Meet Your Unique Requirements
Understanding the Evaluation Process
Chapter 2
Installing Security Analyzer 13
Requirements
Preparing for Your Evaluation
Installing Security Analyzer
Licensing Considerations
Chapter 3
Guided Tour 19
Starting Security Analyzer
Quick Tour
Console Window
Scan Viewer Window
Feature Demonstrations
Performing Scans with Predefined Profiles
Creating a Custom Report
Setting Automatic Distribution of Reports
Scheduling Automatic Scans
Running Security Analyzer as a Service
Providing Remote Access
Feature Tour Summary
Removing Security Analyzer
Chapter 4
Evaluation Criteria Checklist 43
Complete Vulnerability Assessment
Flexible and Scalable Deployment
Full Product Customization
Full Product Automation
Chapter 5
Key Features at a Glance 49
Eliminate Vulnerabilities
Meet Your Unique Requirements
Reduce IT Costs
About This Book and the Library
The Evaluation Guide provides instructions to help you install the NetIQ Security Analyzer product (Security Analyzer) and evaluate its many features and benefits.
Intended Audience
This book provides information for individuals responsible for evaluating Security Analyzer for use in their corporate enterprise environment.
Other Information in the Library
The library provides the following additional information resources:
User Guide
Provides conceptual information about Security Analyzer. The User Guide provides an overview of the Security Analyzer user interfaces and guidance for performing Security Analyzer tasks.
Programming Guide
Provides conceptual information about the product architecture and instructions for creating custom vulnerability tests. The Programming Guide is part of the Security Analyzer Software Development Kit (SDK).
Help
Provides context-sensitive conceptual information, step-by-step guidance for common tasks, and definitions for each field on each window. The Help also includes the SDK documentation.
Conventions
The library uses the following conventions to help you identify items throughout the documentation:
Convention |
Use |
Bold |
Window and menu items Technical terms, when introduced |
Italics |
Book and CD-ROM titles Variable names and values Emphasized words |
Fixed Font |
File and folder names Commands and code examples Text you must type Text (output) displayed in the command-line interface |
Braces, such as |
Required parameters of a command |
Brackets, such as [value] |
Optional parameters of a command |
Logical OR, such as |
Exclusive parameters. Choose one parameter. |
About NetIQ Corporation
NetIQ Corporation is a leading provider of software
solutions for managing, securing, and analyzing all components of your
computing infrastructure. These components include servers, networks,
directories, Web servers, and various applications. With its roots as the
premier provider of Windows infrastructure management, NetIQ Corporation now
provides cross-platform solutions that enhance business performance and
improve returns on infrastructure and Web investments. NetIQ Corporation is headquartered in
NetIQ Products
NetIQ Corporation provides integrated products that simplify and unify systems management, security, and network performance management in your extended enterprise. These products also help organizations prepare for and migrate to Windows 2000 and Windows .NET. NetIQ Corporation offers the following solutions:
Performance and Availability Management
These products allow you to manage, analyze, and report on the health, performance, and availability of your mission-critical Windows and UNIX applications and servers. With these products, you can pinpoint network problems and resolve them quickly and effectively.
Security Management and Administration
These products provide real-time Windows security event consolidation, configuration management, host-based intrusion detection, centralized assessment and incident management, vulnerability assessment and prevention, firewall log analysis and reporting, and Windows security administration. With these products, you can also manage group policy, administration workflows, and permissions on vital assets throughout your enterprise.
VoIP Management and Network Testing
These products enable you to evaluate your network for Voice over IP (VoIP) traffic before deployment, as well as manage and troubleshoot VoIP during and after deployment. With these products, you can also test application or hardware performance and predict the impact of network changes, such as adding users or new applications.
Web Analytics and Management
These products deliver important insight into every element of Web site visitor activity, as well as improved Web site performance and availability. These solutions enhance your e-business performance, resulting in higher returns on infrastructure and marketing investments and improved visitor-to-customer conversion rates.
Windows and Exchange Management
These products enable you to manage all Windows and Exchange essentials, from ensuring optimal availability and performance to seamless migration, secure administration, and in-depth analysis.
Contacting NetIQ Corporation
Please contact us with your questions and comments. We look forward to hearing from you. For support around the world, please contact your local partner. For a complete list of our partners, please see our Web site. If you cannot contact your partner, please contact our Technical Support team.
Sales: |
713-548-1700 |
Sales Email: | |
Support: | |
Web Site: |
Network security is a growing concern that affects both small and large companies. Whether your company is a small shop or a multi-national enterprise, you are not exempt from unauthorized access to sensitive data, denial of service attacks, intrusion attempts, or other disruptions.
Firewalls and intrusion detection systems are useful, but they do not guard against every threat. Most intrusions break or elude firewalls, and detection systems alert you only after an attack is underway. Security breaches are often initiated by someone who has intimate knowledge of your network. Common threats, such as viruses, worms, and Trojan horses, can cause the most destructive and disruptive breaches by exploiting vulnerabilities from the inside out. To make matters worse, new vulnerabilities are discovered almost daily.
Security Analyzer, a multi-platform vulnerability assessment product, can scour your enterprise regularly and automatically to detect potential security issues. You can quickly and easily find, understand, and eliminate vulnerabilities. Security Analyzer gives you the solution you need to secure valuable network resources before an attack can occur.
Security Analyzer is a flexible, enterprise-scale vulnerability assessment product for Windows, Solaris, and Linux platforms that protects your enterprise from costly downtime and security breaches. Security Analyzer scans computers in your network and provides reports that help you correct problems and comply with company security policies. With the flexible and open architecture, you can quickly integrate your own tests to automatically detect vulnerabilities unique to your environment. Customizability and multiple deployment options make Security Analyzer your best choice in enterprise vulnerability assessment tools.
Security Analyzer identifies security issues that could leave your business open to attack by intruders or disgruntled employees. Then Security Analyzer provides the knowledge you need to correct potential issues and prevent future security breaches.
Security Analyzer uses its built-in test library to enforce defined security policies. Based on settings you specify in a scan profile, Security Analyzer scans your network for specific vulnerabilities. Security Analyzer then stores the scan results in a database. With the XML feature, you can export this data and seamlessly integrate Security Analyzer into your established vulnerability assessment and auditing process. You can also integrate Security Analyzer with other security monitoring products, such as the NetIQ Security Manager product (Security Manager), to automate vulnerability resolutions, set risk thresholds, and detect intrusions.
The following figure illustrates the component relationship and work cycle for Security Analyzer. Security Analyzer uses the latest technology to test for and discover potential vulnerabilities. You can install and deploy this product across Windows, Solaris, and Linux platforms.
Using agents on Windows computers offers the following unique benefits:
Faster performance across your enterprise
More extensive vulnerability assessments
Enhanced security with encrypted data transmission
For more information about Security Analyzer benefits, see "How Security Analyzer Helps You" on page . For more information about deploying agents, see the User Guide.
Security Analyzer provides peace of mind. From a single console, you can analyze computers across your enterprise on demand or at scheduled intervals. You can use these scan results to generate comparative reports, recommend fixes, and prioritize a response.
To accommodate the dynamic environment of security threats, Security Analyzer offers flexible deployment options, extensive automation features, an outstanding selection of customizable reports, and the most comprehensive test library available. NetIQ Corporation provides secure, digitally signed tests that detect many vulnerabilities on computers running Windows, Solaris, or Linux. You can configure scheduled scans that automatically generate and distribute custom reports. In addition, Security Analyzer uses an open and extensible architecture, allowing you to develop and deploy your own vulnerability tests. With this full set of features, you can set up Security Analyzer once and then let it run independently as a service.
Security Analyzer incorporates information from the latest security advisories, providing links to security bulletins, available patches, and other industry resources. Security Analyzer also automatically keeps its test library up-to-date so you continue scanning for the latest known vulnerabilities. NetIQ Corporation regularly develops new tests to address new vulnerabilities, providing rapid and accurate responses. With Security Analyzer, you can proactively protect your enterprise from malicious exploits that could cost you expensive downtime, lost revenue, or a damaged reputation.
Security Analyzer identifies your potential security vulnerabilities and tells you how to prevent security breaches. With Security Analyzer, you can take advantage of the following key vulnerability assessment features:
Use the most comprehensive test library available
Security Analyzer tests for and detects vulnerabilities and provides regular updates that include tests for the latest discovered vulnerabilities. NetIQ Corporation provides ongoing security bulletin analysis and prepares tests for the latest known vulnerabilities. The exclusive AutoSync update service automatically speeds new tests to your library on demand or on a regular schedule.
Cross-reference standard vulnerability identification systems
Security Analyzer provides tests that are certified with digital signatures and fully cross-referenced. Security Analyzer responds to advisories from the following respected security advisory standards:
Mitre Common Vulnerabilities and Exposures (CVE)
Microsoft Bulletin ID
BugTraq
CERT
Pinpoint the service pack or update you need
Security Analyzer provides smart links that direct you to the Web site with the right service pack, update, or patch for the current operating system version or software installed on your computers. The intelligent links also bypass obsolete or superceded patches, directing you to the most current update, simplifying the corrective process.
By automating your vulnerability assessment and audit workflows, you provide administrators with proactive command of their enterprise security. By streamlining and customizing your processes, you can save time and resources once spent on exhaustive research, repetitive tasks, and manual distribution of security information. With Security Analyzer, you can take advantage of the following key automation and customization features:
Automate vulnerability assessment and report distribution
Security Analyzer performs scans at scheduled intervals or on demand, automatically producing and distributing a wide variety of customizable reports for IT professionals, managers, or auditors. Comparative reports let you easily assess your security policy compliance and progress. You can post reports to your intranet, email them to your Inbox, or view them from a remote computer using a browser.
Automate security policy enforcement
Security Analyzer integrates with Security Manager to provide an automated risk alert solution. If a computer reports vulnerabilities that exceed your acceptable risk threshold, Security Manager responds with alerts, email notification, or direct action to immediately secure your enterprise. Security Manager can also alert you if your vulnerability test library is not updated within specified time limits.
Security Analyzer provides the flexibility and scalability you need to optimize performance and convenience. With Security Analyzer, you can take advantage of the following key deployment features:
Use network-based and host-based scans across platforms
Security Analyzer scans servers or workstations with network-based scans or comprehensive host-based scans. Innovative network-based scans illustrate how a hacker views your enterprise. Host-based scans provide distributed processing for faster scanning and encrypted data transmission for enhanced security.
Provide Web access to scheduled scans and reports
Security Analyzer lets you provide Web access to scan logs and reports to authenticated users on your network.
Host your own AutoSync server
Security Analyzer lets you set up one AutoSync library update server to retrieve updates from NetIQ Corporation. Other consoles and agents can update their test libraries from that server, reducing exposure to the Internet.
You can customize and extend Security Analyzer by developing your own tests and integrating these vulnerability assessments with your existing in-house tools. With Security Analyzer, you can take advantage of the following key architectural features:
Use the platform for security testing and extensible architecture
The Software Development Kit (SDK) allows you to easily customize Security Analyzer to meet your unique security challenges by integrating your own security expertise with the automation and flexibility of Security Analyzer scanning. With the SDK, you can create vulnerability test scripts in Perl, Visual Basic .NET, JScript .NET, C, or C++.
Export to XML for use in any database or reporting tool
You can export test information and scan data in XML format, and then import the information into any database or reporting tool. From this custom data, you can produce reports that merge results from many business sites into a comprehensive company-wide security report. You can also produce corrective action reports for each computer, complete with detailed instructions. With this unique export-to-XML feature, Security Analyzer lets you analyze and tailor your data for your exact needs.
Your enterprise is secure only if you know which holes to plug. Security Analyzer identifies these vulnerabilities and tells you how to resolve them. With this knowledge, you can secure your enterprise and your company.
When you first start Security Analyzer, you can immediately begin scanning your network for vulnerabilities. Out of the box, Security Analyzer provides several predefined scan profiles that enforce standard security policies. As your security model matures, you can customize these profiles and policies, adding the tests that best reflect your security needs.
With Security Analyzer, you do not need to learn multiple products and processes to accurately assess and correct vulnerabilities across platforms. You can enforce and monitor ongoing security compliance with comparative reports and automated workflows. With progressive reports, you can proactively prevent network outages, avoiding the considerable cost of reactive research and repair. Security Analyzer lets you focus on protecting valuable business assets and maintaining your competitive advantage.
Without a vulnerability assessment solution, your enterprise and business data are at risk. Let Security Analyzer help lock down your enterprise against exploits by disgruntled employees or malicious hackers with the most comprehensive vulnerability scanning and reporting available. With Security Analyzer, you can use predefined network-based and host-based scan profiles to immediately start securing valuable information and revenue streams.
The most cost-effective approach to protecting your business assets is to eliminate known security vulnerabilities before intruders can breach your network. Security Analyzer helps you prevent attacks, protect your critical systems, and secure your valuable information.
Whether you are managing Internet, intranet, extranet servers, or even internal file and application servers, you face a constant barrage of security threats. Security Analyzer provides the features you need to identify and eliminate vulnerabilities that could allow such threats to become disasters. Security Analyzer provides links to the most current upgrades and patches available, and uses industry standards to cross-reference vulnerabilities so you can identify the exact issue to correct.
The number of new vulnerabilities found each year is growing at a tremendous rate, and the costs associated with finding and fixing widespread vulnerabilities can drain IT groups. Security Analyzer helps you prevent security issues, and the associated costs, by identifying vulnerabilities you can correct before they become breaches. Security Analyzer supplies detailed correction instructions to help you close the door on attackers, prevent expensive outages, and meet the five nines of availability (99.999%).
With Security Analyzer, you can obtain the level and type of information you need to verify that your security policies are enforced. Security Analyzer produces comprehensive audit reports that can be used by a number of audiences, including the following security-conscious personnel:
Security analysts can review detailed vulnerability reports to prioritize and correct security vulnerabilities before breaches can occur.
Administrators can examine comparative reports to determine what vulnerabilities exist and which have been corrected, making it easy for you and your auditors to track improvements.
Executives can receive summarized reports to evaluate security across the company.
Security Analyzer seamlessly integrates into your existing security audit process. You can easily set up several automatic scans that routinely enforce your security policies and distribute reports for each vulnerability assessment. For example, you can schedule Security Analyzer to automatically scan your network and deliver reports to an intranet site. With Security Analyzer, you configure less but comply more.
You need the latest security bulletin advisories to secure your enterprise but may not have time to research each one. NetIQ Corporation monitors the most respected security advisory services for you and evaluates all the bulletins. Then, NetIQ Corporation responds immediately, providing tests to detect the latest vulnerability and instructions about how to resolve these security issues. The automatic update service directs these tests from our lab to your library.
By proactively addressing vulnerabilities, you can reduce the time and effort you spend researching new vulnerabilities as well as the time and effort spent reacting to discovered issues. You can relax, confident that your enterprise is secure.
Security Analyzer provides the power and flexibility you need to address your unique security requirements. You can deploy Security Analyzer using host-based or network-based scans for Windows computers or network-based scans for Solaris and Linux platforms. You can integrate your in-house security expertise with Security Analyzer to detect vulnerabilities unique to your environment. And you can quickly tailor Security Analyzer reports to target different audiences such as IT professionals, managers, or auditors.
In addition to its large number of vulnerability checks and its multi-platform support, Security Analyzer gives you the ability to create your own vulnerability tests. Through an open architecture that includes a platform for security testing, you can develop tests suited to the unique security requirements of your enterprise. For more information about creating custom tests, see the Programming Guide.
The remaining chapters in this book guide you through installing and evaluating Security Analyzer. Following the steps in this book, you can quickly install Security Analyzer and immediately begin realizing the benefits this product provides. Follow the guided tour to explore several important features.
When you complete this process, you should understand how to use Security Analyzer to meet your vulnerability assessment needs. You should also be familiar with many of the significant benefits Security Analyzer can offer you, your staff, and your organization.
NetIQ Corporation offers a full range of security-related products that address multiple enterprise management needs, from tracking ACL inheritance to ensuring your Active Directory data is secure at the object level. When combined with Security Manager, Security Analyzer provides a powerful vulnerability assessment solution that is integrated with real-time incident management and intrusion detection for Windows-centric enterprises. For more information about other NetIQ products, see the NetIQ Web site at www.netiq.com or contact your NetIQ representative.
For this product evaluation, install Security Analyzer on a computer in a test environment that is running Windows 2000 Service Pack 3 or later. The following sections outline the requirements for the evaluation computer and describe the evaluation installation process.
The test environment in which you install Security Analyzer must meet the following minimum requirements:
Component |
Requirement |
Evaluation Computer |
133MHz CPU or higher, 500MHz recommended |
Network |
TCP/IP protocol, DNS enabled |
Internet Browser |
Microsoft Internet Explorer 4.0 or later |
The user account you use to log on to the evaluation computer and run Security Analyzer must have the following permissions on that computer:
Read permissions for registry values
Read permissions for all administrative shares
By default, members of either the Domain Admins group or the local Administrator group have these permissions.
For simplicity, the remainder of this guide assumes you are evaluating Security Analyzer on a Windows 2000 host computer. Other installation configurations may have additional requirements. For more information about installation requirements, see the User Guide.
Before you install and evaluate Security Analyzer, ensure your test environment meets the requirements and allows you to fully participate in the feature demonstrations.
To prepare for your evaluation:
Ensure that your test environment supports the product requirements. For more information about product requirements, see "Requirements" on page .
Check the permissions and properties of the LocalSystem account.
One of the feature demonstrations uses this account to run the Security Analyzer Scheduler as a service. Ensure that the LocalSystem account has these permissions:
Act as part of the operating system
Allow service to interact with desktop
Log on as a service
Log on locally
Create a folder to store Security Analyzer data.
To fully participate in the feature demonstrations, create a folder on the local hard drive of your evaluation computer. During the feature demonstrations, you will set Security Analyzer to store scan schedules and reports in this folder.
Ensure that your user account has an associated mailbox.
One of the Security Analyzer feature demonstrations sends an email notification to the person performing the demonstration. To view this email message, enable a mailbox for your evaluation user account. Ensure the mailbox is SMTP or MAPI compliant.
Installing Security Analyzer is easy and fast. The standard setup does not require agents. For more information about installing and using agents, see the User Guide.
Tip
During the installation, you can update the test library from the NetIQ AutoSync Web site. This process ensures you are scanning your evaluation computer with the latest available tests. This update may take a few minutes.
To install Security Analyzer:
Ensure you have prepared your test environment for the product evaluation. For more information about this process, see "Preparing for Your Evaluation" on page .
Log on with an administrator account to the Windows 2000 evaluation computer.
Run Setup.exe in the root folder of the installation kit.
Notes
When you place the CD in the drive, the setup program should start automatically.
To install Security Analyzer through a Windows Terminal Services session, run the setup program through the Add/Remove Programs application in Control Panel.
Click Check Version on the Setup tab of the setup program. This compares the product version in the installation kit with the newest available product version on the NetIQ Web site.
Click Begin Setup on the Setup tab
Review the terms of the License Agreement. If you agree to the terms of the License Agreement, click Accept.
Click Install purchased software, and then click Next.
If you are installing Security Analyzer on a Windows 2000 computer, Setup displays a window that reports Windows 2000 is detected. Read the message and implement the steps it suggests. Click Next.
If the Microsoft .NET Framework is not installed, Setup displays a window reporting that the Microsoft .NET Framework is not detected and that is required to run Security Analyzer. To install the Microsoft .NET Framework, click Next
Click OK and then follow the steps to install the Microsoft .NET Framework.
When the Microsoft .NET Framework installation is complete, click OK.
Specify the folder in which you want to install Security Analyzer, and then click Next.
Type the provided trial serial number in the New License Number field, and then click Add License.
Click Next.
Review the summary window, and then click Next.
Select Program and program files, and then click Next.
Click Next.
Select whether to update the Security Analyzer test library:
To update the Security Analyzer test library now, click Yes to run the AutoSync service. When the process is complete, click Close.
To update the Security Analyzer test library later, click No.
a Specify a default set of computers to scan using the following controls, or click Skip to use the alias localhost as the default computer to scan:
Starting IP address
Ending IP address
Host name
b To continue, click OK.
After setup is complete, click Finish and close the browser window.
Each trial license requires a unique serial number. To use Security Analyzer, you must submit this serial number. If you downloaded Security Analyzer from the NetIQ Web site, use the serial number included in the NetIQ Product Registration email sent by NetIQ Technical Support. If you are installing Security Analyzer from the CD, use the serial number included with the evaluation kit. The trial license for Security Analyzer expires 14 days after activation. For more information about additional licensing options, contact your NetIQ Sales Representative.
This chapter guides you through a quick tour of the Security Analyzer user interface and then presents feature demonstrations to illustrate the power and scope of Security Analyzer.
The setup program creates a desktop shortcut for Security Analyzer. You can use this shortcut to start Security Analyzer from your desktop or you can click NetIQ Security Analyzer in the NetIQ Security Analyzer program group.
The Security Analyzer user interface consists of the main console window, the Scan Viewer, the Scheduler, the Report interface, the command-line interface (CLI), and the Software Development Kit (SDK). The main console provides access to all Security Analyzer features and user interfaces except the CLI and the SDK. For more information about the CLI, see the User Guide. For more information about the SDK, see the Programming Guide.
This quick tour guides you through the console window and the Scan Viewer. The feature demonstrations address additional interfaces.
The Security Analyzer console window provides a single point of reference for all your vulnerability assessment tasks. From this window, you can perform and schedule scans, create profiles and policies, generate reports, and set configuration options. The following figure shows some of the Security Analyzer features and navigation tools.
The console window provides a number of navigational tools to help you quickly perform vulnerability assessment tasks:
Menu bar
Provides access to Security Analyzer functions.
Toolbar icons
Provide quick access to features, such as the Report interface, Scheduler, and Scan Viewer.
Profile list
Displays the pre-defined profiles, their associated policies, and the set of hosts to scan.
Description and test policy
Provides description of the selected profile, the associated policy, and some additional information to help you identify the selected profile.
When you click the Scan icon on the console window toolbar, Security Analyzer prompts for a new or previous scan and then displays the Scan Viewer window.
The Scan Viewer window provides a number of navigational tools and features to help you quickly understand the results of your vulnerability assessment:
Menu bar
Provides access to Security Analyzer features related to scanning.
Toolbar icons
Provide quick access to features such as the Report interface, search, and Help.
Selected scan
Displays the name, date, and timestamp of the selected scan.
Scan progress
Displays the progress of the selected scan. The progress indicator tells you the scan status.
Tree sort tabs
Let you sort the results of the vulnerability scans by hosts, vulnerabilities, services, or other items into a convenient and easy-to-navigate tree view. The Scan Viewer window displays the tree view on the left and a details pane on the right. Select an item in the tree to view details about child items in the right pane.
Status and description tabs
Display scan status, scan summary, host information, vulnerability description, and fix instructions.
Summary bar
Displays the number of high risk (red icon), medium risk (orange icon), and low risk (yellow icon) vulnerabilities detected in the current scan for at-a-glance security status. Also displays the scan duration.
This guided tour explores several vulnerability assessment features available through the console window. These feature demonstrations illustrate the range and flexibility Security Analyzer can provide, from performing out-of-the-box scans to setting up remote access through a Web server.
Tip
The guided tour performs a host-based scan of your evaluation computer and then uses the vulnerability assessment results to demonstrate several features. You can expand this tour by scanning computers across your enterprise. To scan additional computers, you can create a new scan profile that specifies computers by individual IP addresses, ranges of IP addresses, or computer name.
When you first start Security Analyzer, you can immediately begin scanning your network for vulnerabilities. Predefined profiles give you a quick and easy way to implement common security policies.
For example, to scan your host computer using tests for high-risk vulnerabilities, you can select the predefined Full network-based Analysis profile. This profile includes a predefined security policy that specifies which tests your scan will use.
To start a scan:
On the Security Analyzer tab, select the predefined profile you want to use for your scan. For this demonstration, click Full Network-based Analysis.
Click Scan.
Security Analyzer opens the Scan Viewer window and displays the scan results through an Explorer-like interface. You can use the vulnerability descriptions and links to security resources to fully understand each security issue. You can use the suggested fixes to immediately address the vulnerability. Each scan offers the following valuable information:
Prioritizes found vulnerabilities by degrees of risk (high, medium, or low) so you know which issue to address first
Includes straight-forward descriptions that link to related security bulletins, industry standards, and knowledge base articles so you can easily understand the issue
Provides links so you can download and install available patches, service packs, and updates, to quickly fix your security issue and maintain compliance
For example, a critical scan on a host computer that has not yet been secured may uncover dozens of violations and vulnerabilities, as shown in the following figure.
For each detected vulnerability, Security Analyzer provides detailed instructions on how to correct the issue and strengthen your security. Simply select the vulnerability you want to address, and then click the Fix tab.
When the scan is complete, the results are stored automatically in a scan database. From the Scan Viewer window, you can publish the scan results by generating a report. You can choose from a variety of report styles to meet your needs.
The Report interface allows you to save and distribute vulnerability reports from your scans. When creating a report, you can define the report style and contents, and then generate the report based on this specification.
Security Analyzer provides several predefined report templates so you can immediately distribute vulnerability assessments and use scan information in your audit process. Security Analyzer also lets you use these templates to define custom reports. You can define a custom report by specifying the report type, format, distribution method, style, and contents.
To create a custom report for the current scan:
Click Report on the Scan Viewer window.
Select the appropriate report in the Memorized Report list box. For this demonstration, select Complete Security Report (HTML).
On the Type tab, click Scan Report to create a report for the current scan.
In this case, you are creating a Complete Security Report for the scan you just performed. Security Analyzer will format this report as an HTML file, using the default style. You can choose any style you want. For example, you can use the Style Editor to define a custom report style for your specific needs. Security Analyzer provides a style wizard that guides you step-by-step through creating a new style.
On the Content tab, select the sections or content categories you want to include in this report.
Because you selected a complete report, Security Analyzer includes all available sections by default. You can determine which data you need and tailor the report contents accordingly by including only those sections you want.
To save your specifications as a new report template, click Memorize.
Type My Complete Security Report (HTML) in the Description field, and then click Save.
To generate this report, click Start.
Once you save your custom report, you can configure Security Analyzer to automatically generate and distribute this report when Security Analyzer performs the associated scan.
Security Analyzer lets you automatically distribute reports by saving report files to a network share, emailing report files to a distribution group or an individual, or posting report files to an FTP site. You can set up Security Analyzer so it automatically distributes the report file whenever you generate a report.
You can specify multiple distribution scenarios. For example, you can email summary reports to a distribution group of IT managers. You can email comparative reports to a distribution group of auditors. And you can save complete reports to a test depot, such as a network share, and email a copy to your operations lead. If you save the report in HTML format, you can upload it to your intranet site.
Tip
Before starting this feature demonstration, ensure that the email settings under General Options are correct. To check your email settings, click Options on the console window, click General in the left pane, and view the settings on the Email tab.
To automatically distribute reports:
If you are not currently using the Report interface, click Report on the console window.
Select the appropriate report in the Memorized Report list box. For this demonstration, select My Complete Security Report (HTML).
On the Save As/Mail To tab, select mailto.
Specify the path and file name for this report in the Save Report As text box. For this demonstration, specify the path for the folder you created and the name you want to assign to the report file.
You can also save this report to a network share. To specify a share, use the following format: \\computer name\share name\report name.
Type your email address in the email Address text box.
To save your specifications, click Memorize, and then click Save.
To fully automate report generation and distribution, you can associate a report template and scan profile with a scheduled scan event.
Security Analyzer treats scans as events, allowing you to schedule automatic scans and log the scan status. You can automate and monitor your entire vulnerability assessment workflow.
When you schedule a scan, you associate the event with a scan profile and a report template. When Security Analyzer performs the scheduled scan, the Scheduler runs the appropriate tests on the computers specified by the profile. The Scheduler then uses the specified report template to automatically generate and distribute the vulnerability assessment results. Security Analyzer ensures that the right people get the right data at the right time.
To schedule automatic scans:
Click Scheduler on the console window.
Click Add on the Scheduled Events tab.
Select a scan profile in the Profile list box. For this demonstration, select Full Network-based Analysis.
Specify the time and date Security Analyzer should begin the first scan. For this demonstration, select the next hour and today's date.
Specify the interval at which Security Analyzer should repeat the selected scan. You can specify any interval from minutes to months. For this demonstration, select 1 Days.
Click Next.
Select the appropriate report in the Memorized Report list box. For this demonstration, select My Complete Security Report (HTML).
Security Analyzer displays the distribution settings specified in the report template.
Click Next.
Clear the Pre-processing option, and then click Next.
This option tells Security Analyzer to run an application or batch file executable before running the scan. For example, you can use this option to automatically ensure that the folder in the specified report path has the correct permissions. If the folder does not have the correct permissions, you can specify a different report path.
Clear the Post-processing option, and then click Next.
This option tells Security Analyzer to run an application or batch file executable after running the scan. For example, you can use this option to automatically delete reports that are more than a week old.
Specify the
priority for the selected scan when your evaluation computer processes this
event. For this demonstration, select
Click Finish to schedule this scan and close the wizard window.
Security Analyzer lets you take this automation further. For example, you can run Security Analyzer as a service. You can also establish Web access to scheduled scans, allowing you to remotely monitor scan status and view reports.
You can run Security Analyzer as a service. This configuration allows Security Analyzer to automatically scan your network for vulnerabilities and distribute the analysis reports without any intervention from you. When Security Analyzer runs as a service, it runs the Scheduler as a stand-alone background task. You do not need to be logged onto the computer. The Scheduler manages your vulnerability assessment workflow, performing scheduled scans and then generating and distributing the specified reports. This flexibility increases the productivity of your IT staff and lets them focus on strengthening and maintaining your enterprise security.
Tip
Before starting this feature demonstration, check the event list on the Scheduled Events tab in the Scheduler window to ensure no scheduled scans are in progress. Also ensure the LocalSystem account has the appropriate permissions. For more information about required permissions, see "Preparing for Your Evaluation" on page .
To run Security Analyzer as a service:
If you are not currently using the Scheduler, click Scheduler on the console window.
Click Service
If you want to run the Scheduler service with an account other than LocalSystem, type the user name and password of the preferred account in the Username and Password fields. For this demonstration, leave these fields blank.
Click Start Service.
You can easily monitor the Scheduler service locally through Security Analyzer or remotely through the Remote Scheduling server. The Remote Scheduling server provides access to the Scheduler through a Web server. With this feature, you can check scheduled scans and view reports using a standard browser interface from any Web-enabled computer.
Security Analyzer lets you remotely access scans and view reports. This remote scheduling feature allows you to monitor your vulnerability assessments and troubleshoot results from any location at any time.
When you enable remote scheduling, you allow Security Analyzer to use the evaluation computer as a Web server. This Web server is called the Remote Scheduling server. Once the Remote Scheduling server is enabled, you can use the IP address assigned to your evaluation computer to remotely access the Scheduler features. This Web-based interface is called the Remote Scheduling Center.
Tip
Before starting this feature demonstration, ensure the Scheduler is running as a service. For more information about running the Scheduler as a service, see "Running Security Analyzer as a Service" on page .
To provide remote access:
If you are not currently using the Scheduler, click Scheduler on the console window.
Click Remote Scheduling
Select Enable Remote Scheduling Server.
To access the Remote Scheduling server through any IP address assigned to this computer, complete the following steps:
a Select Bind all IP addresses.
b Type the port number in the Port field.
To maintain a log of the Remote Scheduling server activities, complete the following steps:
a Select Enable logging of Server activities.
b Specify the path and file name for this log in the Log Save As Path text box. For this demonstration, specify the path for the folder you created and the name you want to assign to the log file.
You can also save this report to a network share. To specify a share, use the following format: \\computer name\share name\log name.
Click Start Server.
Click Close to close the Scheduler window.
You can access the
The
Using the
Check pending scans
Start a scheduled scan
Verify the status of a scan
View reports for completed scans
The
This remote scheduling feature provides convenience and flexibility. By implementing the Remote Scheduling server, you can remotely access Security Analyzer to track vulnerability resolutions and monitor policy enforcement without compromising the security of your Web site.
As you have seen, Security Analyzer addresses a full range of vulnerability assessment needs and issues. With Security Analyzer, you can harness the following solutions:
Start securing your enterprise with little or no configuration, achieving immediate benefit and return
Customize every aspect of the vulnerability assessment process
Completely automate your vulnerability assessment and audit workflows
Remotely access your scans through a secure Web server so you can safely and easily monitor your enterprise security from any location
Security Analyzer provides the flexibility and power you need to effectively secure and manage your enterprise.
After you have evaluated Security Analyzer, you may want to remove the program files and test data from your evaluation computer.
To uninstall Security Analyzer:
Run Add/Remove Programs on the Control Panel window.
Select NetIQ Security Analyzer, and then click Change/Remove.
Click OK.
Select Automatic on the Select Uninstall Method window, and then click Next.
Click Finish on the Perform Uninstall window.
This chapter provides evaluation criteria checklists to help you evaluate Security Analyzer and compare it to other products. Each item in the checklist identifies a feature.
Using a scale of 0 to 5, rate how significant each feature is in your environment. Next, rate how well the feature is implemented in Security Analyzer and the other product. Then, calculate the weighted score for each product feature by multiplying the item significance by the product score.
The following vulnerability assessment features accurately identify and locate potential security issues across your enterprise.
Item Description |
Item significance score (0-5) |
SA score (0-5) |
Other product |
SA weighted |
Other product weighted score (0-25) |
1. Cross-references detected issues using vulnerability ID standards, such as CVE, CERT /CC, and BugTraq. | |||||
2. Draws knowledge from entire security community expertise. | |||||
3. Scans on demand or on schedule. | |||||
4. Checks operating system files, application files, routers, services, TCP/IP, DNS and NetBIOS, ports, Windows registries, user permissions, encryption settings, and more. | |||||
5. Provides ability to customize tests to meet your specific security requirements. | |||||
6. Provides predefined scan profiles and security policies. | |||||
7. Links to upgrades and patches, bypassing unnecessary updates. | |||||
8. Supplies instructions for correcting vulnerabilities, with direct links to security bulletins and service packs. | |||||
9. Prioritizes risks so you can immediately address the highest risks and schedule corrective actions for lower risk vulnerabilities. | |||||
10. Provides more than 2,300 tests for Windows, Solaris, and Linux. | |||||
11. Receives automatic updates to detect the latest security vulnerabilities. |
The following flexible and scalable deployment features ensure that you can easily integrate Security Analyzer into your existing environments.
Item Description |
Item significance score (0-5) |
SA score (0-5) |
Other product |
SA weighted |
Other product weighted score (0-25) |
1. Scans computers running Windows, Solaris, or Linux. | |||||
2. Supports most comprehensive set of Windows-based platforms available, from Windows 95 to Windows XP. | |||||
3. Runs host-based scans or network-based scans (with or without agents). | |||||
4. Lets you host a centralized test library update server. | |||||
5. Provides Web-based remote access to scheduled scans and reports. | |||||
6. Uses efficient rules-based testing. | |||||
7. Lets you configure computer scans using ranges of IP addresses or ports. | |||||
8. Distributes workload and improves vulnerability searches with agents. | |||||
9. Runs Security Analyzer as a service. |
The following customization features allow you to configure Security Analyzer to meet your unique needs.
Item Description |
Item significance score (0-5) |
SA score (0-5) |
Other product |
SA weighted |
Other product weighted score (0-25) |
1. Allows scheduled updates of built-in test library. | |||||
2. Provides summarized, detailed, and comparative report templates for different audiences. | |||||
3. Allows full customization of reports. | |||||
4. Allows full customization of scan profiles. | |||||
5. Allows full customization of security polices and predefined tests. | |||||
6. Provides a platform for security testing so you can develop custom vulnerability tests. | |||||
7. Compiles reports in Microsoft Word or HTML format. | |||||
8. Exports to XML so you can integrate vulnerability assessments into existing databases. | |||||
9. Exports scan data to any reporting tool. |
The following automation features provide peace of mind by ensuring security policies are enforced, audit reports are generated, and issues are addressed.
Item Description |
Item significance score (0-5) |
SA score (0-5) |
Other product |
SA weighted |
Other product weighted score (0-25) |
1. Schedules scans as events that occur automatically at regular intervals. | |||||
2. Generates reports automatically. | |||||
3. Distributes reports automatically. | |||||
4. Updates built-in test library automatically to ensure most current tests and advice. | |||||
5. Integrates with NetIQ Security Manager to further automate security issue management and vulnerability resolution. | |||||
6. Runs Security Analyzer as a service. |
This chapter highlights the important benefits of Security Analyzer and itemizes the key features that work together to offer these benefits. The following attributes set Security Analyzer apart from other vulnerability assessment products:
Simple |
Provides features that are easy to install, deploy, and use. |
Open |
Provides scriptable interfaces that support familiar languages, such as Perl and Visual Basic .NET so you can easily interact with other data sources or develop proprietary tests that enforce company-specific security policies. |
Comprehensive |
Provides many tests, multi-platform support, and detailed analyses so you are always fully armed against potential threats. |
Flexible |
Lets you scale and customize the product to meet your dynamic security needs. |
Efficient |
Lets you automate your entire vulnerability assessment workflow. |
Secure |
Ensures you have the exact information you need to strengthen your enterprise security. |
Eliminate Vulnerabilities |
Includes more than many tests, providing the most complete vulnerability assessment data on the market
Supports multi-platform environments so you can use a single vulnerability assessment solution across your enterprise
Updates automatically through the AutoSync feature so you are always working with the most current tests and data available
Allow you to start securing your enterprise with little or no configuration, providing immediate benefit for you and your company
Include comprehensive data, such as vulnerability descriptions, links to industry resources, and degrees of risk, so you can fully understand the issues
Provide complete instructions on how to correct vulnerabilities, with links to the latest upgrades, service packs, and patches, so you know exactly how to secure your enterprise
Become building blocks you can use to strengthen and expand your security model as your enterprise grows and matures
Allow you to quickly implement vulnerability assessment testing as part of your daily security maintenance routine, so you can immediately begin monitoring the changing threats to your environment
Meet Your Unique Requirements |
Allows you to customize tests in the Security Analyzer test library, changing the product scope as your security policies change
Integrates with existing in-house test library so that you can incorporate internal expertise, enforce company security policies, and address custom configurations
Provides a platform for security testing so you can develop new tests tailored to your specific security needs
Integrates with existing knowledge database by exporting vulnerability assessment data to XML
Operates either with or without agents, increasing scalability across large enterprise deployments
Allows remote Web-based access to scheduled scans and the associated reports so you can monitor your enterprise security
Lets you establish a centralized test library server, which you can automatically update through AutoSync
Runs Security Analyzer as a service, providing round-the-clock analysis and report distribution as an automatic background task
Allow you to create custom report templates that specify the style and content for each audience or data set
Provide several automatic distribution options so you can deliver vulnerability assessments immediately, allowing your IT staff to respond as quickly and effectively as possible
Monitors status and reports for scheduled scans while you let Security Analyzer run as a service
Provides immediate, secure access to vulnerability assessment data regardless of your location
Reduce IT Costs |
Allow you to schedule scans at specific intervals, ensuring ongoing enforcement of your security policies and optimal network performance
Allow you to schedule different scans at different times, so you can more effectively allocate IT resources, maintain productivity, and meet your goals
Allow seamless integration into your established vulnerability assessment and auditing workflows so you do not need to revisit processes, retrofit tests, or reconfigure existing tools
Ensure timely responses to detected vulnerabilities so you can avoid system outages and the associated costs
Ensure audit compliance by providing regular, comparative reports, so you can better manage security across the company
|