I recently installed and tested WebTrends Corporation's WebTrends Security Analyzer 3.0, a system-scanner tool that helps administrators and security professionals discover and repair security holes. I tested the Enterprise Edition version of the software, which supports Linux, Sun Microsystems Solaris, and Microsoft Windows systems. For this review, I tested the software in a Windows-only environment.
Features and Benefits
WebTrends Security Analyzer helps you discover security vulnerabilities on Internet, intranet, and extranet deployments. Like most other security scanners, the software offers advice about the vulnerabilities it detects. The product lets you scan on demand or schedule scans at a desired interval.
WebTrends Security Analyzer secures servers, firewalls, and routers, and Windows 2000 (Win2K), Windows NT, Windows 9x, and UNIX systems and services. The software includes an agent for each OS that quickly executes a scan by performing most of the work for the application and then reporting the results. The Enterprise Edition supports the simultaneous analysis of an unlimited number of IP addresses in multiple subnets. However, the license doesn't let you scan systems outside the organization for which you purchased the license.
The scanner includes a variety of tests for common vulnerabilities in Web servers, mail servers, FTP servers, Web browsers, mail clients, and password strength (on both NT and UNIX). The product checks your systems for game servers and can test for vulnerabilities specific to proxy servers and firewalls. Security Analyzer also checks file access control, Registry access control, system policies, NT privileges, and NT services.
As new exploits emerge, you can use the software's AutoSync feature to either schedule automatic updates to the WebTrends security test libraries or launch AutoSync on demand. WebTrends Security Analyzer lets you create custom security analysis profiles to meet the requirements of your organization’s security policies by choosing which hosts to scan and which tests to run on those hosts. You can then save and edit these profiles as necessary.
The WebTrends Security Analyzer viewer lets you see the status of your scan as the product evaluates each host you have selected. This feature lets you explore results by host, vulnerability, service, user, and fix. Fix information includes hyperlinks to Web pages that provide the patch or configuration information you need to resolve security vulnerabilities. The viewer also lets you create a variety of customizable reports. Whether you're reporting to management or technical administrators, you can get the information you need in a clear and concise manner. WebTrends Security Analyzer generates reports in either HTML or Microsoft Word format, which makes editing and changing the reports simple and easy.
In addition to its scanning features, the software includes a security development kit known as the Platform for Open Security Testing (POST) that lets you customize or write your own security test scripts. You can even create automatic patch updates and on-the-fly vulnerability fixes. To write a security script, you must first create a BULLET file and a category file, if necessary, and then write the security test script.
The BULLET file defines the security test and acts as the main configuration file for the test. You can use this file to reference other files, such as PERL scripts or DLLs. You can create a BULLET file using a simple text editor. The category file defines a test category. Each test is grouped by the category membership that the category file specifies. When you create custom security test scripts, you need to create the category (.cat) file only if one of the preset categories does not already include the script. You can write the security test scripts in either C or PERL. WebTrends Security Analyzer comes with a complete 170-page manual to help you create security test scripts.
Installation and Use
Installing WebTrends Security Analyzer went smoothly and didn't require a reboot. On first launch, the product asked me to register my copy of the software via the Internet. Once I completed the registration process, the software automatically updated the security test libraries to ensure that I was scanning for the latest vulnerabilities.
WebTrends Security Analyzer gives you the option of either running remote scans on each host or installing the WebTrends Security Agent on each host. When you use the agents, the WebTrends console instructs each host to scan itself. If an agent detects a vulnerability, that agent sends information back to the WebTrends console for further analysis or reporting. Using the agents can dramatically decrease the time it takes to scan a large network and reduce the amount of network traffic caused by a remote scan. The agents also evaluate each host internally, as if someone had breached access to the system. Although I see great value in using these agents, I performed only remote scans for this review.
When you launch WebTrends Security Analyzer, the software displays the Security Analyzer viewer, as Screen 1 shows. To create a new scan, you simply click the Scan button on the toolbar. A dialog box appears that asks you to either select one of the preset policies or create your own. You can specify each host you want to scan by either IP address or host name.
I created a policy and selected every scan module available so I could test my machines for every possible vulnerability. The product took approximately 14 minutes to scan each host, which is slightly faster than other security scanner products I've reviewed. I'm confident that this performance would improve with the use of the software's agents. WebTrends Security Analyzer will also scan more than one host at a time. To get an average scan time, I first scanned only one host.
WebTrends Security Analyzer found several vulnerabilities, many of them on a Microsoft Internet Information Server (IIS) system on my test network. I was impressed with how easily I was able to view each host and the vulnerabilities found. Like most scanner products, WebTrends Security Analyzer classifies each vulnerability as high, medium, or low risk. For each vulnerability it found, the software presented me with a description and a link to the vendor’s Web page containing the fix. I was disappointed to not see a recommended fix for every vulnerability found. Also, although the links to vendor Web pages for additional information are helpful, the software doesn't offer as much information if you're running the product on a machine without Internet connectivity.
After the scan completed, I generated a report in HTML format and one in Word format. Both reports, which were identical, contained a high-level view complete with bar graphs, pie charts, and a more in-depth technical explanation of each vulnerability found. Screen 2 shows the results of the HTML scan report for my host.
Over the years, I've watched WebTrends Security Analyzer evolve from its first to its latest version, and I'm impressed with the improvements WebTrends has made. However, I noticed that the scan I performed took longer than another security scanner product I've reviewed. And, although I understand how the agents can boost scan performance and in some cases improve the quality of each scan, I don't like the process involved in setting up each agent. Manually distributing an agent to each machine you want to scan can add more work than some administrators have time for. Giving future versions of WebTrends Security Analyzer the ability to push the agent automatically to each host would be a step in the right direction. The completeness of the recommended fixes for each vulnerability found also has room for improvement, and I personally don’t like relying on an Internet connection to get complete vulnerability information.
Having more than one security scanning product in your security toolkit can be beneficial, and WebTrends has released a strong product. The company even offers a licensing option for consultants. Unfortunately, for the price, I don't see enough benefit in WebTrends Security Analyzer to add it to my security toolkit.
WebTrends Corporation * (503) 294-7025
Price: $4999 for Enterprise Edition; contact WebTrends for other licensing options; $11,999 per copy per year for traveling license for consultants
Pros: A broad range of security checks and fast response; reports are easy to read and understand; Enterprise Edition supports simultaneous scans across multiple subnets.
Cons: Installing agents on each host is more work than some administrators might want to tackle; fix information is available for some, but not all, vulnerabilities; cost is higher than similar products; a few false positives (e.g., WebTrends detected Microsoft FrontPage extension-related problems that didn't exist).