SQLServerCentral.com Rating:
Introduction
Next Generation Security Software is known not only for its security products
such as the Squirrel series for databases, but also for the expertise of its
security researchers, especially in the area of database servers. Typhon III is
another security tool from NGS Software, but instead of being geared towards a
specific product, it is a general vulnerability and security scanner. Other
tools in the same space include Nessus, Retina, and GFI Languard.
Typhon III does not initiate harmful scans or tests in order to probe for
vulnerabilities. Instead, it is intended to be used as part of a regular
scanning process by an organization. Since it is a multi-threaded application,
it can perform such scans in a very rapid manner, with the time depending on
what is installed and exposed on the systems being scanned.
Environment
Typhon III is designed for the Windows platform and supports Windows NT 4.0
through Windows Server 2003. Minimum hardware specifications are a Pentium III or
Athlon processor running at 1 GHz with a minimum of 256 MB of RAM and 10 MB of
free hard disk space. The recommended configuration is a Pentium 4 at 2 GHz or
Athlon XP 2000+ with at least 512 MB of RAM.
For purposes of this evaluation the product was installed on a Pentium 4 2.8
GHz laptop running Windows Server 2003 SP1 with 1 GB of RAM. It was run against
a mixture of VMware and Virtual PC/Server virtual machines and physical servers
and workstations. Scans were run from a single system to an entire class C
subnet with approximately 175 systems present.
Installation
The installation of this new version of the product is the same as it was
with the version in 2004. Installation of the product was
smooth and without issue as Typhon III uses a standard InstallShield installer.
However, Typhon III does require a few additional steps in order to get the
product up and running. The first step is to generate a license key request. The
license key request is therefore tied to the system on which Typhon III is
installed. Next you forward this license key request to Next Generation
Software. If you've gone through the process of receiving an SSL server
certificate from GeoTrust, Thawte, VeriSign, or other certificate authority,
it's much the same. Then, Next Generation Software responds with a license block
which enables the application. Finally, you install the license block and
activate the software.
Using Typhon III
After starting the application, the first thing to do is to select the
modules with which to scan (Options | Default Module Options...). For instance,
if we just want to scan for SQL Server vulnerabilities, we make sure it's the
only one checked (Figure 1). This is a new, tree-view interface which makes it a
bit easier to configure the scan than the previous version.
Figure 1
The next step is to set up any of the advanced settings (like how to
connect via NetBIOS). You can do this through Options | Default Advanced
Settings.... Once that's done it's time to configure what systems to scan (Scan
| Select Host(s)) and then initiate a scan (Scan | Start Scan). Alternatively,
you can use the Wizard (Scan | Wizard) to go through all of the settings and
set up the hosts to scan. While the Wizard is nice in that it
steps you through getting a scan up and going, after you've used the product
once or twice you won't need it.
Once the scan starts, a pop-up window will appear which will
show the current status of the scanning (Figure 2).
Figure 2
Once a scan is complete the summary results can be seen by
clicking on the server name. Figure 3 shows such a case where SQL Server is
installed and at least one account has been found to have a weak password.
Figure 3
To find the culprit, drill down until you get to the
vulnerability. Figure 4 shows an example of a SQL Server login with a password
that is the same as the user name (WeakPassword). This is clearly a no-no and
needs to be fixed. Notice in the left-hand pane the different indicators for the
severity of the information/vulnerability. The Weak Passwords entry is flagged with a
STOP sign, indicating this is a high severity vulnerability. The yellow circles
with exclamation points either indicate a medium/moderate vulnerability or call
your attention to an issue that the scanner encountered. The blue circle with
the exclamation point is an informational message. Note that Typhon III was able
to pull back the SQL Server logins because the account used to scan had access
to SQL Server. It also reports on the databases on the SQL Server in question.
Figure 4
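The condition shown in Figure 4 can also be checked directly on the server. The query below is an added example, not part of the original review and not Typhon III's own check; it assumes a SQL Server version that provides sys.sql_logins and PWDCOMPARE, and a login with CONTROL SERVER permission so that password_hash is readable. It goes slightly beyond Figure 4 by also catching blank passwords and case variants of the login name.

```sql
-- Added example: list SQL Server logins whose password is blank or
-- is the login name itself (the weakness shown in Figure 4).
-- PWDCOMPARE hashes the candidate and compares it with the stored hash,
-- so no password is ever recovered or displayed.
SELECT
    l.name AS login_name,
    CASE
        WHEN PWDCOMPARE('', l.password_hash) = 1
            THEN 'blank password'
        WHEN PWDCOMPARE(l.name, l.password_hash) = 1
            THEN 'password same as login name'
        ELSE 'password is login name in upper or lower case'
    END AS finding,
    l.is_disabled,            -- 1 = login cannot currently be used
    l.is_policy_checked,      -- 0 = Windows password policy not enforced
    l.is_expiration_checked   -- 0 = password never expires
FROM sys.sql_logins AS l
WHERE PWDCOMPARE('', l.password_hash) = 1
   OR PWDCOMPARE(l.name, l.password_hash) = 1
   OR PWDCOMPARE(LOWER(l.name), l.password_hash) = 1
   OR PWDCOMPARE(UPPER(l.name), l.password_hash) = 1
ORDER BY l.is_disabled, l.name;
```

Any enabled login returned here needs a new password, and a 0 in is_policy_checked shows that the password policy was not being enforced for that login.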
If you're scanning for multiple modules, it may take a few
minutes to complete all the scans. In that case, selecting the computer name
will show a status of any modules that are running against the computer in
question. This is shown in Figure 5.
Figure 5
As to actual performance, note Figure 6 which shows Typhon III
with 14 threads. Memory utilization is light because it was only scanning one
server at a time. However, it can utilize the processor heavily, depending on
the scans that are running. At the instant of this snapshot the more intensive
scans weren't running, but note the CPU time (3 minutes and 9 seconds). In the
time it was running it made heavy use of the single processor in order to
complete the scans as rapidly as possible.
Figure 6
Typhon III is also able to report on best practices. For
instance, it is generally recommended from Windows 2000 on to disable the
Messenger service (technically, if you didn't have a real need for it the
service should have been disabled in NT 4.0 as well). I had toggled the
Messenger service to Manual before a scan and Typhon III flagged it when it did
a Windows Services module scan (Figure 7). Figure 8 provides verification of the
configuration which was marked by Typhon III as something that needed to be
fixed.
Figure 7
Figure 8
In my scanning I did find a few false positives, but that's par
for the course with any general vulnerability scanner. For instance, with Nessus
it's not unusual to see quite a few false positives, especially if every
plug-in is toggled and safe scanning is off. Figure 9 shows one such false
positive, due to the installed Internet Explorer 7. However, I flagged this one
because it's not actually an issue with Typhon III itself, but rather with the
file Microsoft provides which contains the list of security updates and fixes
which should be detected (mssecure.xml). Any product which relies on
mssecure.xml would have an issue with IE 7 because it's not covered by the file.
I like how Typhon III alerted on the fact that it didn't have information on IE
7. Some products just ignore the issue. I'd rather see the alert in case it is
truly a problem.
Figure 9
Typhon III does more than just vulnerability scanning, though.
Figure 10 shows an option where Typhon III can generate a script to be executed
in order to solve any registry issues found during the scan. This is a very nice
feature I've not seen with other vulnerability scanners.
Figure 10
One last feature I wanted to bring up is the autosave feature.
If you're in the middle of a scan of a large number of systems, the scan could take
quite a while. Autosave will save the results of the scans up to that point
on a periodic basis. This is shown in Figure 11. One time when I was
running a scan I needed immediate use of the full capabilities of the system and
I had to exit the program without waiting for it to cancel the scan and
gracefully exit out as the currently running modules completed. The majority of
the scanning I needed had already been completed and when I exited the program I
didn't lose all of those results. Rather, I was able to import the scan results
file and see what it had found up to the point where I exited.
Figure 11
One thing I didn't talk about was reports, but they are rather
self-explanatory. Once you have a scan complete (or an autosaved scan file), you
can export a report as HTML, Rich Text, XML, or plain text. In addition, you
can export to an ODBC data source.
Support
Support for this product is excellent. Any time I had a question I received
an email in a few hours if I sent an email on a business day. Even when I sent a
question in over the weekend I still received a reply before the weekend was up.
Updates are also downloadable and I was able to test a minor update during the
evaluation of this product. The update performed flawlessly.
Conclusions
Though the version of the product only reflects a minor version change from
the one I evaluated in 2004 (3.0 versus 3.0.1.x), there are a few nice new
features such as how to select the modules to use in scanning. I'm a big fan of
the autosave feature and I like how much information this tool provides in order
to remediate vulnerabilities it finds. Also, this is the best general
vulnerability scanner I've found with respect to dealing with security issues
for database servers. The product goes beyond a registry check for version or
just looking for a blank sa password. Finally, I was impressed with how rapidly it
was able to perform the scans and how accurate the reports were.
Ratings
I will rate each of the following using a scale from 1 to 5, with 5 being the best and 1 being the worst. Comments are in the last column.
Ease of Use | 5 | When I compare this to products in the same space, such as eEye's Retina or the free Nessus, this tool is easier to set up and to run specific scans with than either of those products, hands down. As a matter of fact, as I was evaluating this product, a co-worker was looking at Retina and was frustrated at how I could lock on to, say, SQL Server scans with a few mouse clicks where he had to start a whole new scan setup and scroll through a ton more options just to get the same thing (well, as much SQL Server scanning as Retina provides, which isn't as much as Typhon III does). |
Feature Set | 5 | Since this is a general vulnerability scanner and not a database specific one, you'd have to wonder how deep it can go into the various database products. It can scan for weak passwords, scan for default passwords, and scan for specific vulnerabilities which aren't answerable with a hot fix or service pack on SQL Server and Oracle, which is more than its main competitors do. Therefore, from a database perspective, this tool is the cream of the crop for general vulnerability scanners. |
Value | 4 | Given that there are free/open source tools available that do a lot of the things this product can do, I cannot give it a 5. However, if you need to audit general weaknesses on SQL Server and Oracle beyond just patch levels, you want to give this product a look. If you need to go in depth, then NGS Software's Squirrel series is your answer. But this product certainly is extremely good... we are looking at it as a general vulnerability scanner where I am employed. |
Technical Support | 5 | In the previous review and in this one, NGS Software has been extremely prompt answering emails I had with questions on how the product worked as well as thoughts for how things might work better (I figured as long as I had someone's ear, I would ask for a few things on my wish list that I wish all vulnerability scanners would include). Even a response sent over the weekend was answered before the weekend was out. |
Lack of Bugs | 5 | The only real issue I encountered is that the product relies on Microsoft's mssecure.xml (the file that contains information about all the security updates and is used by tools like hfnetchk and Microsoft Baseline Security Analyzer until the most recent build). Microsoft has decided to go with a new format and there are products that aren't covered in mssecure.xml, which is being phased out. As a result, the product can't detect anything with respect to those products. This isn't NGS Software's fault but it does lead to the STOP sign alerts, which need to be investigated. |
Documentation | 5 | The documentation is awesome, especially when it discovers a vulnerability. For instance, we scanned an Oracle instance and it detected an insecure Listener. The developer running said Oracle instance was amazed that the product told exactly how to fix the issue without us having to resort to searching for the information in Oracle's docs or on the Internet. |
Performance | 5 | This application is multi-threaded and gets through the scans as quickly as possible. If you've ever tried to do vulnerability scanning on a single-threaded application, you know that it can take forever if you're trying to do a thorough job. I was quite impressed with how quickly I could scan using all the options across a C class subnet. |
Installation | 5 | Standard clean installation with an easy method for activating the license. This hasn't changed from the previous version because it didn't need to. |
Learning Curve | 5 | When I compare this product with others in its space, I was able to get a scan up and running in minutes. It's been a couple of years since I used the product but that didn't matter. Also, there is a wizard to walk you through what to scan if you need it. |
Overall | 4.89 | I really liked the product two years ago. When NGS Software indicated they had improved it I was all for trying it again. They certainly have improved it. Although I dropped them in the value score, this is more a reflection of the number of free tools that are out there than any strike against Typhon III's quality. If you are responsible for securing systems in your organization, certainly give this product a look, especially if you're in a smaller organization without dedicated DBAs. This product could save you a lot of embarrassment when the auditors show up. |
Product Information
http://www.ngssoftware.com/
Developer: Next Generation Security Software
sales@ngssoftware.com for a single instance license
2006 by K. Brian Kelley.