GFI LanGuard 2014: Go on. Find my weaknesses and point them out

Review GFI has launched GFI LanGuard 2014, version 11.2 of its well-tested vulnerability scanning software. I have used LanGuard since 2001, when version 2.0 was released. It has been an invaluable tool in my sysadmin's toolkit and I am curious to see how the software has evolved over the past 13 years.

The basic purpose hasn't changed: LanGuard scans your network, identifies the systems that exist on it and then attempts to determine what vulnerabilities they may possess.

LanGuard 2014 has evolved hugely since the days of my trusted version 2.0 but it remains true to its roots.

That was then

LanGuard 2014 is significantly bulkier than version 2.0. The older version occupies less than 3MB, whereas LanGuard 2014 will take up more than 1GB when fully installed. You get an awful lot of functionality for the additional resources consumed.

I keep 2.0 around because it is a fantastic lightweight IP scanner that can tell me which IP addresses are in use without costing me much in the way of resources.

Its vulnerability scanning, however, is so laughably out of date as to serve no real purpose in today's world. In contrast, the vulnerability assessment capabilities of LanGuard 2014 make it one of the best applications in its class.

LanGuard 2014 will pick up a multitude of vulnerabilities. They range from autorun being enabled to untrusted search path vulnerabilities to missing patches, malware, vulnerable services and even user accounts that haven't been logged in.

The complete list is much longer than I have room for here, but it is one of the most complete I have seen so far.

Like its predecessors, LanGuard 2014 will do port scanning. This helps identify which applications are running on a computer and whether or not they have ports open that are likely to be used by malware.

When provided the right credentials to access a system remotely – or with use of an agent – LanGuard can also detect applications running on a system more directly.

The software offers the ability to remediate certain issues such as missing patches. GFI claims support for more than 60 third-party applications, making LanGuard 2014 a very useful tool in defending against Flash, Java and other unwanted security threads.

LanGuard also offers asset tracking and a good general overview of where you might have gone wrong with anything from security settings to configuring your mobile device management.

It also offers an incredible array of reports, including a number of compliance reports that can be generated on demand. You will also find some useful utilities such as DNS lookup, traceroute, whois, and even SNMP and SQL audits.

Fetch and carry

Test driving an application begins at the beginning, and for once I actually like the an application’s installer. LanGuard 2014's installer is simple and to the point, telling you which additional items you need to make the thing go.

If you are lacking something – such as Microsoft Data Access Components – it will fetch and install them. Why can't everything install this easily?

LanGuard 2014 gets thumbs up from me for being a properly heterogeneous tool. Not only does it do vulnerability assessment and patch management for Windows, Linux and Mac OS, it also does vulnerability assessment for mobile devices.

I wish it were realistic to build remediation for mobile vulnerabilities into the software. Unfortunately, mobiles don't get patches in the same way as desktop or server operating systems. Far too many either need to be connected to a desktop for the update or require the carrier to push the updates out.

Until that magical day where we can remotely patch our smartphone fleets effectively, just having mobile vulnerability assessed in a way that can be included in standard compliance reporting is a huge step forward for most companies.

The extent of the additional vulnerabilities checked for completely dwarfs that of its predecessor

After spending some time with the network scanner, I find it noticeably slower than the one in LanGuard 2.0. A full scan with all the blue crystals added will complete on my network in about 10 minutes with my older version.

The extent of the additional vulnerabilities checked for in LanGuard 2014 so completely dwarfs that of its predecessor that LanGuard 2014 takes five hours on a dual-core system to fully scan a network of 88 systems.

One thing I am happy about is that the network scanner in LanGuard 2014 is able to take full advantage of the resources available to it. LanGuard 2.0 never could and it would always take the same amount of time, no matter what hardware you threw at it.

Run LanGuard from an eight-core server and watch that same five-hour scan drop to below two hours.

That isn't to say you must run a full scan every time. There are a number of built-in scanning profiles ranging from "ping them all", which completes in seconds, to a hardware audit, which takes minutes.

Vulnerability, with a nice link to the nasty details.

More intense scans, such as the full vulnerability scan, probably shouldn't be run during business hours from a PC you intend to use.

You can also install agents on various systems, which will de-install by default after 60 days. The LanGuard 2014 agents are lightweight and make scans proceed much faster.

Agents also bypass the issues encountered by all agentless scanning programs: namely the need to open ports and create vulnerabilities in the very systems you are vulnerability scanning.

Whereas LanGuard 2.0 was very much a one-shot tool, run on an as-needed basis, with LanGuard 2104 you are not so limited. You can queue up and schedule various scans and compliance reports, as well as monitor activity in real time. I highly recommend using the agents for any planned long-term deployment.

Heart’s desires

I am rather a fan of the dashboard view and its ability to manage your network as a whole – especially the ability to look at your hardware as a group and see how many models of motherboard that you have in play, for example.

I can even generate regular audits for software, hardware, open shares and just about anything else I can think of. Just as scans can be audited, the reporting can too, and the system will deliver to my email inbox information on anything interesting it discovers. Pleased though I am with the evolution of one of my favorite products, there are some sources of frustration that remain to be addressed. One is that I can't enter multiple credential sets for a single scan.

A great example of where this is useful is scanning computers in a demilitarised zone (DMZ) where different system classes have different credential sets.

There are some ways around this in the interface: you can specify different credentials for a given system or group of systems. Still, I'd love to have more flexibility so I could do neat things like run different scans at different times of day, each with different user credentials.

I also would like to be able to specify non-standard ports at scan time. I do not, for example, leave SSH on port 22. LanGuard can add and edit scanning profiles where (among many other options) you can add non-standard SSH ports.

This is great for scripting or scheduled scans, but a form field allowing overrides during manual scans would be handy.

Automated compliance makes life easy

LanGuard is able to detect unwanted applications, but I'd really like it to tell me which systems don't have a given application.

An example of this would be scanning all Linux hosts in the DMZ and telling me which systems do not have Fail2Ban installed. Bonus points if they could combine that sort of detection with the ability to remediate missing applications.

Nearly perfect

I am naturally lazy and not easily impressed by management tools. They usually have a steep learning curve, cost way too much and never quite do what I want them to.

LanGuard 2014 impresses me. It is easy to use, it is intuitive, it is priced appropriately and I can find no major flaws in it.

Nothing is perfect and I have a wish list of additional features, but all in all I'd say that GFI LanGuard 2014 is a credit to its lineage. It identifies vulnerabilities and misconfigurations that we have missed.

It is exactly the type of tool that no sysadmin should be without. ®