Qualys_22str


Transcript of Qualys_22str

  • 8/3/2019 Qualys_22str

    1/22

    www.westcoastlabs.org

    VULNERABILITY ASSESSMENT SOLUTIONSTECHNOLOGY REPORT

    QualysGuard

    FEBRUARY 2006


    QualysGuard

    Contents

    Test specifications ..........3
    The product ..........5
    Vulnerabilities ..........6
    Test report ..........10
    West Coast Labs conclusion ..........20
    Security features buyers guide ..........21
    Appendix ..........22

    West Coast Labs, William Knox House, Britannic Way, Llandarcy, Swansea, SA10 6EL, UK. Tel : +44 1792 324000, Fax : +44 1792 324001.


    Test specifications (continued)

    Appliances were provided to WCL in the default shipping state. WCL engineers configured appliances in accordance with the documentation provided. For software solutions, the vendor states the desired specification and OS of the hardware on which the software is to be installed; WCL engineers installed and configured the software in accordance with the documentation provided.

    All participating solutions were provided together with the documentation supplied to a normal user.

    WCL evaluation of the Vulnerability Assessment Report

    Vulnerabilities on the target network were classified under four headings:

    CRITICAL VULNERABILITIES: those that allow an attacker with minimal knowledge or skill to compromise the integrity of the network. This may include gaining control of a server or network device, gaining illegitimate access to network resources or disrupting normal network operations.

    SEVERE VULNERABILITIES (referred to elsewhere in this report as Serious Vulnerabilities): those that allow illegitimate access to, or control over, network resources, but that require considerable knowledge or skill on the part of the attacker.

    NON-CRITICAL VULNERABILITIES: those that allow attackers to gain access to specific information stored on the network, including security settings. This could result in potential misuse of network resources. For example, vulnerabilities at this level may include partial disclosure of file contents, access to certain files on hosts, directory browsing, disclosure of filtering rules and security mechanisms.

    INFORMATION LEAKS: these allow attackers to collect sensitive information about the network and the hosts (open ports, services, precise version of software installed etc.)


    Test specifications (continued)

    Each product was assessed on:

    The ease of deployment of the solution
    The number of vulnerabilities correctly identified in each class
    The completeness of the report, including identification of any network changes made
    The clarity of presentation of the findings
    The clarity of advice on remediation

    WCL also comments on the level of technical knowledge required to understand and act on the information contained in the final report.

    Participants in the Technology Report will be eligible for the Checkmark certification for Vulnerability Assessment.

    In order to achieve the Standard Checkmark Certification, the candidate solution must identify at a minimum 100% of the Critical Vulnerabilities and 75% of the Serious Vulnerabilities. Those developers identifying 100% of the Critical Vulnerabilities and a minimum of 90% of the Serious Vulnerabilities will be awarded the Premium Checkmark Certification for Vulnerability Assessment.

    All solutions must also provide accurate advice on mitigating the risks posed by the vulnerabilities.


    Vulnerabilities

    So that the test network would mirror that found in many businesses, a variety of operating systems, on different hardware platforms, were included. A Windows domain was set up with three servers and a mix of workstations running Windows XP and Windows 2000 Professional. Some Sun servers running Solaris 2.8 provided web services and file storage; assorted Linux boxes running Mandrake and RedHat distributions, and a Mac, completed the mix.

    Some of the servers were installed with default settings and varying levels of patching were applied: some hosts were patched fully up to date while others had been left out of the process. Also, a number of common misconfigurations were made in setting up servers and deploying particular services. For example, Windows servers were configured with open network shares, FTP servers with anonymous write access, and SMTP servers configured as open relays. These are configuration errors that can have profound effects on network security but can easily be implemented by a hard-pressed administrator as a temporary quick fix to a connectivity problem.

    On the Windows 2000 PDC we installed TightVNC as a service without tunnelling through SSH, SQL Server with a blank SA password, Active Directory, and IIS 5.0 with the demo applications. The BDC had Exchange 2000 and Active Directory installed. DNS was provided by the remaining Windows 2003 server, and was configured to allow zone transfers. In addition, IIS 5.0 was installed with demo applications, and a vulnerable web application that was specially crafted in-house.

    The server was also running Unreal Tournament GOTY edition (version 436) along with the UT web interface running on an unusual high port. There were user shares available on the wwwroot and ftproot directories and a world-writable FTP server. One of the Sun Blade servers had a Virtual Learning Environment (VLE) installed. The VLE had a default admin username and password as well as being installed with an old and vulnerable version of Apache. Vulnerabilities included SSH access, Apache installations, Samba and a writable FTP directory.

    Each of the user workstations was patched to a different level using official Microsoft Service Packs, historical patches and Windows Update. These machines then had different applications installed, ranging from the Unreal Tournament client and TightVNC through to IIS 5.0 and remote admin. Some machines were included in the Windows domain. Back Orifice was installed on one machine on a high port.

    An HP printer was added with default settings and open to administrative access via telnet and HTTP, a Cisco router configured with default settings, default username/password and open web admin tool, and an Apple Power Mac G3 running OS 8.6. Where changes were made to the default settings, passwords across all these devices were set to be blank or easily guessable. Our test network thus consisted of a series of machines with differing hardware specifications, operating systems, patch levels, and software installations, and multiple vulnerabilities.
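The classification and Checkmark thresholds in the Test specifications, applied to a planted network like the one above, amount to a per-class recall calculation against a ground truth. The following is an added example of that scoring (not WCL's or Qualys' code): the hostnames, the planted weaknesses and the class given to each are constructed to resemble the test network described in this section, and the scanner output is likewise constructed to miss one Serious item and report one false positive.

```python
"""Score a vulnerability scanner's findings against a lab's ground truth using
the report's four severity classes and its Checkmark thresholds.

Added example, not code from WCL or Qualys.  The hostnames, the findings and the
class assigned to each are constructed to resemble the test network described
in the report; they are assumptions, not WCL's actual test data."""
from enum import Enum
from typing import Dict, Iterable, List, NamedTuple, Optional


class Severity(Enum):
    CRITICAL = "critical"            # minimal skill needed to compromise
    SERIOUS = "serious"              # access or control, but needs skill
    NON_CRITICAL = "non-critical"    # access to specific information
    INFO_LEAK = "information leak"   # open ports, services, versions


class Finding(NamedTuple):
    host: str
    weakness: str
    severity: Severity


# Constructed ground truth modelled on the report's test network.
GROUND_TRUTH = [
    Finding("pdc.lab", "MSSQL sa account with blank password", Severity.CRITICAL),
    Finding("pdc.lab", "TightVNC service exposed without SSH tunnel", Severity.CRITICAL),
    Finding("ws3.lab", "Back Orifice listening on a high port", Severity.CRITICAL),
    Finding("router.lab", "default username and password on web admin", Severity.CRITICAL),
    Finding("dns.lab", "zone transfer permitted to any client", Severity.SERIOUS),
    Finding("pdc.lab", "anonymous FTP write access", Severity.SERIOUS),
    Finding("mail.lab", "SMTP server configured as open relay", Severity.SERIOUS),
    Finding("blade1.lab", "outdated vulnerable Apache version", Severity.SERIOUS),
    Finding("pdc.lab", "IIS 5.0 demo applications installed", Severity.NON_CRITICAL),
    Finding("printer.lab", "administrative telnet open", Severity.NON_CRITICAL),
    Finding("ws1.lab", "Unreal Tournament web interface on high port", Severity.INFO_LEAK),
]

# Constructed scanner output: every Critical item, three of four Serious items,
# plus one report the lab did not plant (a false positive).
SCANNER_REPORT = [f for f in GROUND_TRUTH
                  if f.weakness != "SMTP server configured as open relay"]
SCANNER_REPORT.append(Finding("ws2.lab", "SMB signing not required", Severity.INFO_LEAK))


def _key(f: Finding):
    # Match on host and weakness only: the scanner's own rating (QualysGuard
    # uses a 1-5 scale) need not agree with the class the lab assigned.
    return (f.host, f.weakness)


def per_class_recall(truth: Iterable[Finding], reported: Iterable[Finding]) -> Dict[Severity, float]:
    """Fraction of planted findings in each class that the scanner reported."""
    reported_keys = {_key(f) for f in reported}
    totals = {s: 0 for s in Severity}
    hits = {s: 0 for s in Severity}
    for f in truth:
        totals[f.severity] += 1
        if _key(f) in reported_keys:
            hits[f.severity] += 1
    # A class with nothing planted cannot be missed, so count it as fully covered.
    return {s: (hits[s] / totals[s]) if totals[s] else 1.0 for s in Severity}


def checkmark_level(recall: Dict[Severity, float]) -> Optional[str]:
    """Thresholds stated in the report: Premium needs 100% of Critical and at
    least 90% of Serious; Standard needs 100% of Critical and at least 75%."""
    if recall[Severity.CRITICAL] < 1.0:
        return None
    if recall[Severity.SERIOUS] >= 0.90:
        return "Premium"
    if recall[Severity.SERIOUS] >= 0.75:
        return "Standard"
    return None


def missed(truth: List[Finding], reported: List[Finding]) -> List[Finding]:
    reported_keys = {_key(f) for f in reported}
    return [f for f in truth if _key(f) not in reported_keys]


def false_positives(truth: List[Finding], reported: List[Finding]) -> List[Finding]:
    truth_keys = {_key(f) for f in truth}
    return [f for f in reported if _key(f) not in truth_keys]


if __name__ == "__main__":
    recall = per_class_recall(GROUND_TRUTH, SCANNER_REPORT)
    for sev, r in recall.items():
        print(f"{sev.value:>17}: {r:.0%}")
    print("missed:", [f"{f.host}: {f.weakness}" for f in missed(GROUND_TRUTH, SCANNER_REPORT)])
    print("false positives:", [f"{f.host}: {f.weakness}" for f in false_positives(GROUND_TRUTH, SCANNER_REPORT)])
    print("Checkmark:", checkmark_level(recall))
```

With three of the four Serious items found the recall for that class is exactly 75%, which meets the Standard threshold but not the Premium one; finding the open relay as well would lift it to 100% and Premium. Matching on host and weakness rather than on the scanner's own rating matters in practice, because a product's 1-5 severity scale is not the lab's four classes and a mismatch there should not count as a miss.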


    The product

    QUALYSGUARD ENTERPRISE

    Qualys describe QualysGuard Enterprise as a scalable vulnerability management solution, which enables organizations to measure and reduce risk by providing a proactive solution to track and remediate security vulnerabilities used for exploitation. According to CERT, 99% of attacks exploit known vulnerabilities.

    QualysGuard Enterprise is an enterprise-class, on-demand solution, which is positioned by Qualys as being suited to large, distributed networks that require support for an unlimited number of IPs, appliances for internal scanning and users with hierarchical authorization rights.

    Qualys say about the product...

    QualysGuard enables security managers to strengthen the security of their networks effectively, conduct automated security audits and ensure compliance with internal policies and external regulations - with no infrastructure to deploy or manage.

    www.qualys.com


    The product (continued)

    Qualys say about the QualysGuard Business Benefits...

    QualysGuard on demand platform gives users an automated way to map global assets, identify vulnerabilities on their networks, prioritize remediation according to business risk and achieve regulatory compliance - with no infrastructure to deploy or manage. QualysGuard gives organizations the ability to mitigate risks by automating the proactive identification and prioritized remediation of security vulnerabilities based on risk to business operations and to ensure regulatory compliance via automated auditing, indelible audit trails, plus the validity and assurance that comes with third-party assessment. The on demand architecture offers significant economic advantages with no capital expenditures, extra human resources or infrastructure to support and maintain.

    www.qualys.com

    Qualys say about the QualysGuard Technical Benefits...

    QualysGuard allows organizations to audit their networks with the highest degree of accuracy, data integrity and ease of use while delivering the lowest total cost of ownership. Companies receive daily updates about new security vulnerabilities, full security trending reports, and access to verified remedies, all without the cost and burden of deploying and maintaining complex software. QualysGuard has the most comprehensive KnowledgeBase of vulnerability signatures in the industry (5,000+), and performs over 6 million scans per month with a 99.997% accuracy rate. Its immediate deployment capabilities and strong security model enable security teams to perform scans on geographically distributed and segmented networks both at the perimeter and behind the firewall.

    www.qualys.com


    Test report

    Introduction

    QualysGuard is a Vulnerability Assessment tool aimed at large distributed networks. It consists of one or more Scanner Appliance devices placed within the corporate network. These are accessed, and scans are launched, via a web-based management tool. The compact hardware arrived at West Coast Labs with a Quick Start Guide, Administrator's Guide, a rackmount kit, power and Cat5 cables, and a set of documents relating to the latest news and the regulatory compliance of the device.


    Installation and Configuration

    The installation was a straightforward three-stage process. After having been provided with login credentials to the web interface, the set-up of the hardware following the clearly formatted manuals proved to be simple: networking can be set up using the LCD screen and navigational buttons on the fascia of the unit. These keys are responsive and do not have the problem of key lag common to this kind of interface. The product then needs to be activated by first logging into the web application and then into the unit itself.


    The Interface

    The web application is the main interface point of the solution and has been designed with ease of use in mind. The interface is far from utilitarian, however, and has an understated elegance that serves it well. Upon logging in, the user is presented with a selection of the latest vulnerabilities from the knowledgebase with relevant information such as category, Bugtraq ID and, crucially, the severity. These knowledgebase entries are updated regularly so that users can be assured that the functionality of the solution is as up to date as possible.

    Basic help is provided at this point via a pop-up window that offers a helpful set of pointers in the form of a QuickStart Guide. Each of the links offered here directs the user to the relevant section of the interface, and the overall layout provides a suitably structured introduction to performing asset maps and vulnerability scans.

    Further help can be accessed at any point during use of the interface, either by the main Help link at the top as part of the general menu structure, or via the Quick Help button that appears on every page. These serve different functions: the Quick Help relates specifically to the screen that the request is made from, whereas the main Help is more general and covers use of the entire interface, split into chapters in a similar format to the standard Windows help files.


    The Interface (continued)

    The main menu for the system consists of several sections: Home, Map, Scans, Reports, Remediation, and Preferences, with further links for Support and Help. When attempting to discover a network's liabilities, the starting point for any new customer should be the Map section. This allows discovery scans to be made by IP range or domain name. A quick process to set underway, the interface makes it as simple as possible by guiding the user through it in stages.

    A screen within the set-up of each Map process includes a tick box that must be checked to confirm that the user has the legal right to scan the IP range entered, after which the scan can be undertaken. The length of the scan will obviously depend on the number of hosts within the range to be scanned, but notification emails can be configured so that an administrator is aware of the successful completion of this phase.

    Once the scans have completed they can be viewed either as text or in a diagrammatic format. The former is in list format with tick boxes alongside each entry to enable selection of each asset for scanning or insertion into Asset Groups, whilst the latter is a well thought out and presented interactive view. This signed Java applet allows the user to drag individual devices around the interface in order to lay the target network out in different arrangements to best suit the presentation, and can also be used to launch scans against individual devices.


    The Interface (continued)

    Once the devices on the network have been discovered via mapping, they may then be scanned either as individual concerns or as Asset Groups. The building of a scan is initiated from the Scans menu and has been made very easy through its similarity to the mapping interface. Again, it functions by specifying an IP range or asset group, the scanner to be used (whether the default for the group, the internal appliance, or Qualys' own external scanners), a title and an option profile for the scan. Three initial profiles are provided: Initial (default), SANS Top 20 and RV-10.

    It is easy to alter the settings for each of these scans if so desired, or custom scans can be constructed using a link found under the Preferences menu. This allows the user to specify a title, and then various sets of options for Scanning or Mapping, including the levels of scanning for TCP and UDP ports, whether to scan dead hosts, performance levels, load balancing detection, the degree of password brute forcing to apply, the different types of vulnerability detection and the various types of authentication to try.

    There are also sets of advanced options that relate to corporations that use IDS systems, and some further options related to the types of packets sent.


    Reports

    The online reports are well formatted and are available in several flavours, from an executive summary for non-technical management to a technical report including recommended resolutions to give to the corporate IT staff. For those reports that cover a large range of assets there is a drop-down menu at the top of each generated report allowing the user to see a summary of vulnerabilities, groups of assets broken down by IP address, or both. Each report may be saved in several different formats: PDF, XML, zipped HTML, or an MHT web archive are available and may be downloaded to a local machine.

    The majority of each report is taken up by the descriptions of the vulnerabilities and their remediation, organised on a per-asset basis. The Summary section for each report, however, consists of clearly presented graphical representations of the severity of vulnerabilities, operating systems detected, and services detected, along with a textual synopsis to back these images up.

    The section of the report given over to Detailed Results contains three major sections: Vulnerabilities, Potential Vulnerabilities and Information Gathered. The description of each liability contained within the reports is given a severity rating between one and five and is organised in order of most dangerous and highest rated first. This gives a corporate IT department the ability to tackle the most important problems immediately, but it is important to be aware that the other vulnerabilities should not be overlooked just because they come lower down the scale.


    Reports (continued)

    Each report also includes detailed data on a per-vulnerability basis. This includes data similar to the knowledgebase entries seen upon first login, such as BugTraq ID, CVE ID and category. Alongside this there is an assessment of the threat of each, an impact evaluation that describes how the vulnerability may be exploited, remediation advice that includes links to external web sites where appropriate, and a Result section that shows returned values where appropriate.

    Alongside each description there is also a status for the vulnerability and a drop-down menu allowing the administrator to either ignore the vulnerability or create a ticket using the inbuilt ticketing system. This allows the administrator to assign the remediation of the problem to any user registered on the system and set a deadline, as well as provide some descriptive text to accompany the ticket. The ticket itself consists of data regarding the assignment of the ticket, the vulnerability details taken from the report, and a section for the user to add further comments and apply actions such as resolving or reassigning if their permissions allow.

    These tickets can then be viewed under the Remediation section of the interface, which offers a variety of filters that can be applied to the tickets. These filters include user, asset, date range, status, vulnerability and severity, and allow a detailed summation to be constructed of the current state of remediation across the network.
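The two Reports passages above describe a workflow: an exported report ordered by severity (five down to one, with Potential Vulnerabilities and Information Gathered kept apart from confirmed ones), tickets opened against findings with an assignee and a deadline, and a Remediation view filtered by user, status and severity. The following added example (not Qualys code) reproduces that workflow on a constructed report. The XML layout used here is a simplified stand-in invented for the example, not the QualysGuard export schema, and the days-to-fix policy per severity is an assumption.

```python
"""Turn a scanner report into a severity-ordered work list and remediation
tickets, then filter the tickets the way a Remediation view does.

Added example, not Qualys code.  The XML layout below is a constructed,
simplified stand-in for a scanner's XML export (it is not the QualysGuard
schema), and the deadline policy per severity is an assumption."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

# Constructed sample export; hostnames, addresses and titles are made up.
SAMPLE_REPORT = """<report>
  <host ip="192.0.2.10" dns="pdc.lab" os="Windows 2000 Server">
    <vuln id="v1" severity="5" type="confirmed" title="MSSQL sa account has blank password"/>
    <vuln id="v2" severity="4" type="confirmed" title="VNC server reachable without SSH tunnel"/>
    <vuln id="v3" severity="2" type="potential" title="IIS 5.0 sample applications present"/>
    <vuln id="v4" severity="1" type="info" title="Open TCP port 80 (http)"/>
  </host>
  <host ip="192.0.2.53" dns="dns.lab" os="Windows 2003 Server">
    <vuln id="v5" severity="3" type="confirmed" title="DNS zone transfer permitted"/>
  </host>
  <host ip="192.0.2.20" dns="printer.lab" os="HP JetDirect">
    <vuln id="v6" severity="3" type="confirmed" title="Telnet administration without password"/>
    <vuln id="v7" severity="1" type="info" title="Device model disclosed via HTTP banner"/>
  </host>
</report>"""

# Assumed remediation policy: days allowed to fix, by severity 5 (worst) to 1.
SLA_DAYS = {5: 2, 4: 7, 3: 30, 2: 90, 1: 180}
REPORT_DATE = date(2006, 2, 1)   # assumed date the report was generated


@dataclass
class Ticket:
    host: str
    vuln_id: str
    title: str
    severity: int
    assignee: str
    due: date
    status: str = "open"


def parse_report(xml_text: str) -> List[dict]:
    """Flatten <host>/<vuln> elements into one record per finding."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.findall("host"):
        for v in host.findall("vuln"):
            findings.append({
                "host": host.get("dns") or host.get("ip"),
                "ip": host.get("ip"),
                "id": v.get("id"),
                "severity": int(v.get("severity")),
                "type": v.get("type", "confirmed"),   # confirmed / potential / info
                "title": v.get("title"),
            })
    return findings


def prioritise(findings: List[dict]) -> List[dict]:
    """Highest severity first, as the report's Detailed Results are ordered;
    ties are broken by host and id so the order is stable."""
    return sorted(findings, key=lambda f: (-f["severity"], f["host"], f["id"]))


def open_tickets(findings: List[dict], owner_by_host: Dict[str, str],
                 today: date, default_owner: str = "secops") -> List[Ticket]:
    """One ticket per confirmed or potential finding (Information Gathered
    entries get none), assigned by host owner, with a deadline from SLA_DAYS."""
    tickets = []
    for f in prioritise(findings):
        if f["type"] == "info":
            continue
        tickets.append(Ticket(
            host=f["host"], vuln_id=f["id"], title=f["title"], severity=f["severity"],
            assignee=owner_by_host.get(f["host"], default_owner),
            due=today + timedelta(days=SLA_DAYS[f["severity"]]),
        ))
    return tickets


def filter_tickets(tickets: List[Ticket], **criteria) -> List[Ticket]:
    """Filter by any Ticket field (assignee="alice", status="open", ...);
    min_severity is a threshold, every other key must match exactly."""
    min_sev = criteria.pop("min_severity", 1)
    return [t for t in tickets
            if t.severity >= min_sev
            and all(getattr(t, k) == v for k, v in criteria.items())]


if __name__ == "__main__":
    tickets = open_tickets(parse_report(SAMPLE_REPORT),
                           {"pdc.lab": "alice", "dns.lab": "bob"}, REPORT_DATE)
    for t in tickets:
        print(f"sev {t.severity} {t.host:12} {t.assignee:7} due {t.due} {t.title}")
    print("alice, severity 4+:",
          [t.vuln_id for t in filter_tickets(tickets, assignee="alice", min_severity=4)])
```

Note that the printer's Information Gathered entry never becomes a ticket, while the potential IIS finding does: it still needs a human decision, and a ticket is where that decision gets recorded. Lower-severity tickets get longer deadlines rather than none, which is the practical form of the warning above that items low on the scale must not be overlooked.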


    Reports (continued)

    The Preferences section covers various areas including, as previously noted, the construction of custom scan parameters. It is possible to alter assets by assigning them to specific users and changing the way they are tracked, via IP address, DNS host name or NetBIOS host name. It is also easy to adjust Asset Groups in various ways, including organising them into Business Units. Scans may be scheduled from within this section of the interface so that a long scan that may potentially interfere with network traffic can be set to run overnight on a one-off or regular basis.

    User permissions are also set and assigned here. There are several levels of users from Manager down to Contact, and each may be assigned responsibility for different asset groups. The level of interface interaction that a user gets depends upon their permissions, and certain tabs and sections within the QuickStart Guide are not available to given levels of user privileges.

    There is also the possibility within this section of the interface to look at usage logs for the interface. These include date and time, action (such as logging in to the interface or launch / completion of a scan), the user to which the entry refers, the IP address of login, and their role. This gives a good way of tracking access to the system from different locations and users.
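Usage logs with exactly those fields (date and time, action, user, IP address, role) are enough to support simple access review of the management interface itself, which matters for a system that holds a map of every weakness on the network. The following added example (not Qualys code) runs three such checks over constructed log lines: a login from outside the expected address ranges, one account logging in from two addresses within a short window, and a scan launched by a role that the assumed policy does not permit to launch one. The line format, the sample entries, the "expected" networks and the role names other than Manager and Contact are all constructed assumptions.

```python
"""Review constructed usage-log entries for access that deserves a second look:
logins from outside the expected networks, one account active from two
addresses in a short window, and actions that exceed a role.

Added example, not Qualys code.  The line format, the sample entries, the
expected address ranges and the role rules are constructed assumptions; only
the field set (date and time, action, user, IP, role) follows the report."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log; users, addresses and times are made up.
LOG_LINES = """\
2006-02-10 08:02:11 login user=alice ip=10.1.1.5 role=Manager
2006-02-10 08:05:40 scan_launch user=alice ip=10.1.1.5 role=Manager
2006-02-10 09:15:02 login user=bob ip=10.1.2.9 role=Scanner
2006-02-10 09:20:10 login user=alice ip=203.0.113.7 role=Manager
2006-02-10 11:42:33 scan_complete user=bob ip=10.1.2.9 role=Scanner
2006-02-11 02:13:57 login user=carol ip=10.1.3.4 role=Contact
2006-02-11 02:14:20 scan_launch user=carol ip=10.1.3.4 role=Contact
2006-02-11 06:00:00 login user=bob ip=10.1.2.9 role=Scanner"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>\S+) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+) role=(?P<role>\S+)$")

# Assumed policy: where staff normally log in from, and which roles may start scans.
EXPECTED_NETS = [ipaddress.ip_network("10.1.0.0/16")]
ROLES_ALLOWED_TO_SCAN = {"Manager", "Scanner"}


def parse_log(text: str) -> List[dict]:
    """Parse one entry per line; lines that do not match are skipped, not fatal."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
        entries.append(e)
    return entries


def review(entries: List[dict],
           window: timedelta = timedelta(hours=2)) -> List[Tuple[str, str, str]]:
    """Return (user, rule, detail) triples in log order."""
    alerts = []
    last_login: Dict[str, dict] = {}      # most recent login per user
    for e in entries:
        if e["action"] == "login":
            addr = ipaddress.ip_address(e["ip"])
            if not any(addr in net for net in EXPECTED_NETS):
                alerts.append((e["user"], "external_login", f"from {e['ip']}"))
            prev = last_login.get(e["user"])
            if prev and prev["ip"] != e["ip"] and e["ts"] - prev["ts"] <= window:
                alerts.append((e["user"], "ip_change",
                               f"{prev['ip']} then {e['ip']} within {window}"))
            last_login[e["user"]] = e
        elif e["action"] == "scan_launch" and e["role"] not in ROLES_ALLOWED_TO_SCAN:
            alerts.append((e["user"], "role_violation", f"{e['role']} launched a scan"))
    return alerts


def alerts_by_rule(alerts: List[Tuple[str, str, str]]) -> Dict[str, int]:
    counts: Dict[str, int] = defaultdict(int)
    for _, rule, _ in alerts:
        counts[rule] += 1
    return dict(counts)


if __name__ == "__main__":
    for user, rule, detail in review(parse_log(LOG_LINES)):
        print(f"{user:6} {rule:15} {detail}")
```

The role check is the one worth keeping even when the product enforces permissions itself: the log records the role the account held at the time, so a Contact who nevertheless launched a scan indicates either a permission change or a gap worth investigating, and the log is the only place that shows it after the fact.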


    System Oversight

    Oversight of the entire system comes from the section labelled Home. This contains the Knowledgebase that is displayed upon initial login, but also includes the Dashboard. This is a useful overview of the vulnerabilities, open tickets by severity level, top ten open tickets and top ten vulnerabilities. Further information is provided by another screen called Account Info; this includes details of the latest scans run and when the next scheduled scans are due.

    There is also a link to email the assigned Qualys contact for the corporation, and the number of IP addresses registered in the corporate account. This section also includes various version numbers, including that of the Web Application. The scanner operating system version and signature database version are provided both for Qualys' external scanners and for any internal Scanner Appliances that are registered, in order to ensure that the latest versions are available.

    It is also possible from within the Home interface to run a Risk Matrix report mapping given vulnerabilities against assets or Asset Groups; this is a useful tool allowing newly released vulnerabilities to be run against registered devices for an instant risk assessment. Finally, there is a section called Resources that contains release notes, access to support documents and a group for Tips and Techniques.


    West Coast Labs Conclusion

    QualysGuard is a comprehensive vulnerability assessment and remediation solution. The installation and set-up is well documented and trouble-free, and the interface offers a deceptively simple user experience.

    The quality of scans and subsequent remediation advice is paramount in solutions of this nature, and QualysGuard delivers admirably. During our testing QualysGuard detected all of the Critical and the majority of the Serious vulnerabilities with ease, and we are therefore pleased to announce that QualysGuard has been awarded the Vulnerability Assessment Premium Checkmark.

    The ability to assign tickets within the interface ensures that administrators and those responsible for the security of a corporate network can keep on top of the workload and have information at their fingertips whenever it is needed.

    From design to user interaction, QualysGuard offers everything necessary for the user to improve the security of their network in a very short time frame. This solution should be considered by any corporation looking to mitigate the risks to their network through a thorough liability detection system.


    Security features buyers guide as stated by Qualys

    Unlimited number of Network Maps
    Unlimited scanning of servers and workstations
    24x7 email and telephone Customer Support
    Scheduled and on-demand Security Audits
    VPN and wireless access point scanning
    Remediation workflow management with automatic trouble ticket creation
    Executive summary reports for managers
    Detailed technical reports
    Vulnerability ticket reporting with full remediation instructions
    Differential reports with trending graphs
    Differential network inventory reports
    Built-in PCI compliance reports for self certification
    Full remedy information for each vulnerability
    Distributed Scanning with centralized data repository for reporting
    Ability to create multiple users with flexible access privileges for distributed management
    API/SDK capabilities for automation and integration with other security products
    Internal and external scanning provides a 360-degree view of network vulnerabilities
    CVE, CVSS and OVAL standards support
    Automatic, daily updates to vulnerability KnowledgeBase (over 5000 unique checks)
    100% non-intrusive detection techniques
    Inference-based scanning engine optimized for speed and bandwidth efficiency
    Scans configurable for optimum performance
    Both trusted and non-trusted scanning capabilities
    Six-Sigma scanning quality
    Export reports to HTML, MHT, PDF and XML formats
    Executive Dashboard to track progress and enforce compliance
    End-to-end encryption of vulnerability data
    Immediate deployment capabilities

    www.qualys.com


    Appendix

    Vulnerability Assessment Premium Level Certification

    Within the framework of the testing carried out in this Technology Report, those developers identifying 100% of the Critical Vulnerabilities and a minimum of 90% of the Serious Vulnerabilities are awarded the Premium Checkmark Certification for Vulnerability Assessment.

    http://westcoastlabs.org/cm-briefingdocs.asp