SQLServerCentral Article

Review: Typhon III from NGSSoftware

,

Introduction

Typhon III is a general security scanner from Next Generation Software.

Unlike specialized tools like NGSSquirrel (for Oracle or SQL Server), Typhon III

doesn't concentrate on any one product. Rather, it is designed for an

administrator scanning his or her entire network for vulnerabilities on a mix of

systems. Other tools in the same class include GFI Languard and Nessus.

Typhon III is designed to be as minimally intrusive as possible; it does not

scan in a manner that could result in a system's denial of service (DoS) or

eating up too many resources. Instead, Typhon III looks for tell-tale signs of

issues without performing the attack such as missing or incorrect registry

entries or parsing banners and the like. If you are familiar with Nessus, it

functions similar to how Nessus does when Nessus is configured to scan using

"safe checks" only: parsing the text that comes back from a connection

is how the vulnerability is diagnosed rather than actually carrying out the

exploit. 

Environment

Typhon III is a standard Windows application designed to run on Windows NT

4.0 and up. It requires a minimum of 128 MB of RAM and a Pentium III as the

platform. If you're running on the Windows NT 4.0 platform, the system must have

service pack 6a as well as the Active Directory Client extensions (which are

included with Windows 2000 and Windows XP).

Installation

Installation of the product was smooth and without issue as Typhon III uses a

standard InstallShield installer. However, Typhon III does require a few additional steps in order to get the product up and running. The first step is to

generate a license key request. The license key request is therefore tied to the

system on which Typhon III is installed. Next you forward this license key request to Next Generation Software. If you've gone through the process of

receiving an SSL server certificate from GeoTrust, Thawte,  VeriSign, or

other certificate authority, it's much the same. Then, Next Generation Software responds with a license block which enables the application. Finally,

you install the license block and activate the software.

Using Typhon III

If you've never used Typhon III before (or any security scanner, for that

matter), not to worry. Typhon III starts up with the set of instructions to get

you started in the right pane (Figure 1). But like most security products,

before starting with step 1 you should always check for patch updates (Tools |

Update Patch Checking File).

Figure 1: Typhon III Start-up

The first step when beginning a scan with Typhon III is to set the module

options (Options | Default Module Options or Options | Host Module Options).

Figure 2 shows a sample set of options I selected to scan my local system. I

have removed some of the options because I know they aren't present on the

system I decided to run the scan against. For instance, the system doesn't have

an SMTP server nor does it have an X-Windows server installed

and running. If you aren't sure, don't worry. Typhon III can detect whether or

not it needs to run a given module on an individual system if you've checked the

option to include the module. Therefore, if you're uncertain about an option,

check it.

Figure 2: Module Options

The next step is to select any advanced settings that may be necessary for

the scan (Options | Default Advanced Settings or Options | Host Advanced

Settings). For instance, if you need to specify a different username and

password combination in order to scan systems on your network with your

administrative account, you'd do so here. Since I logged on as a privileged user

to test Typhon III, I selected to run the scan using the current credentials

(Figure 3). Also, I chose to only report problems though Typhon III can report

all the tests it's running and the results of those tests, if you'd like. 

Figure 3: Advanced Options

The last thing to do before beginning a scan is to set the host(s) to be

scanned (Scan | Select Select Host(s)...). In my case I only selected the local

system (Figure 4) though you can add multiple systems individually or specify a

range of IP addresses.

Figure 4: Selecting What to Scan

Here is where I found the only glitch in the program. You can specify

hostnames rather than IP addresses and generally this works. If I have a host

named "Brian" Typhon III adds it just fine. However, if there is a

dash in the name (a perfectly legal character in names), Typhon III returns an

error (Figure 5) indicating only alphanumeric characters are allowed. That means

"Brian" is legal, but "Brian-SQL" is not.

Figure 5: Error when Specifying a Name with a Dash

Update from the Editor: Upon being informed of this bug from the review, NGS Software notified us that it had been corrected within 24 hours.

Brian used the application to download the update and the issue was corrected.

With everything configured, the only thing left to do is run the scan (Scan |

Start Scan). Typhon III reports findings as it performs the scan or you can wait

until Typhon III completes (Figure 6). It does a good job of categorizing the

potential vulnerabilities and the icons convey the severity of what it has found

at a glance. Explanations are given for each vulnerability if you're not sure of

what the issue is. Also, Typhon III usually gives a recommendation, if one is

available, on a good control or setting should the "vulnerability" be

related to a configuration setting rather than due to a bug. 

Figure 6: Vulnerability or Issue Found

First Impressions

The first thing that struck me about Typhon III was how easy it was to get

the scanner up and running. For an administrator, getting the scan setup and

running takes very little time at all. For someone who is new to security or

whose job functions mean little time can be dedicated to that endeavor, Typhon

III is easy to use and simple to understand.

Most of the time I use Nessus and while Nessus is fairly quick to get up and

running, configuring it to really do what you want can take some time.

Vulnerabilities are grouped together like in Typhon III but the list can be

quite intimidating for someone who hasn't used Nessus before.  Also, if

you're not careful with Nessus, you can take a system down if it's not properly

secured and up-to-date on all security patches. Having witnessed another

well-trained security administrator crash a system, it's nice not to have to

worry about this with Typhon III. In that security administrator's defense, we

had both been working 60 hour weeks trying to get an application out the door

and in his exhaustion he typed a 1 instead of a 2 when specifying the system to

scan. But that does illustrate why you may want the safety in Typhon III. 

No scanning tool is very useful without reporting. Typhon III does well in

this regard. Generating reports was easy and you have the option of several

formats, including dumping the results straight to an ODBC data source. The

reports are clean and easy to read.  

Conclusions

Overall I was favorably impressed with Typhon III. It's quick and easy... and

safe. Also, it does a good job explaining the vulnerability or issue when it

finds one and this is a great help. Quite simply, with so many security

vulnerabilities and exploits coming out each week, it's hard to keep track. And

Typhon III is pretty detailed and in-depth. For instance, it can go in and check

databases and database roles within SQL Server. Nessus, for instance, isn't

capable of this out of the box (and it's not something that would be

straight-forward and easy to do with Nessus, either). 

There are  two things I didn't like about Typhon III. The first  is that you're completely

dependent upon Next Generation Software for updates. Unless you're interested in

writing your own scans, though, this is a non-factor. And from what I can

tell,  they do a good job keeping up with updates. For 99.9% of people out

there, this doesn't matter. I'm one of those types that like the flexibility to

write my own plug-in if the need arises. The second is prior to running a scan,

you can't obtain a list of what is being scanned for beforehand. Again, this

isn't that big a deal, but it is a feature that would be nice if it were

included.

Ratings

Here is how I rate this product:

CategoryRating

Comments

Ease of Use5You can get a fairly comprehensive scan up and running in

minutes.

Feature Set5The product's features work as advertised. A very

expansive set of scanning options in a simple, easy to understand

interface.

Lack of Bugs5Minor issue with the name, but NGS fixed this bug within 24 hours.
Value5If you need a security scanner, this is a great product.
Technical Support5The only bug I found was corrected within 24 hours of the vendor being notified of it.
Documentation4The product documentation was light, but covered everything

needed to use Typhon III. Documentation on vulnerabilities and issues

was good. 

Performance5Overall this product performs well. It is a very fast

scanner, which is critical if you've got a large number of systems to

examine. 

Installation5A smooth install. Very quick turn around time to get the

license key and I was up and running.

Learning Curve5This product is very intuitive and except for the fact I

needed to rate the documentation, I didn't refer to the docs when

running the tool.

Product Information

Typhon III is available from Next Generation Software.

Product:Typhon III
Company:Next Generation Software
Version:3.0
Single License Price:Contact sales@ngssoftware.com 
Vendor's Product Page:http://www.nextgenss.com/typhon.htm

 

 ©

2004 by K. Brian Kelley.

http://www.truthsolutions.com/

 Author of Start to Finish Guide to SQL Server Performance

Monitoring (http://www.netimpress.com).

Rate

You rated this post out of 5. Change rating

Share

Share

Rate

You rated this post out of 5. Change rating