
Network Versus Host-Based Approach to Managing Vulnerabilities and Assuring Compliance

By Bob Tesh - Senior Manager of Product Marketing, NetIQ

NetIQ provides policy templates for assessing best practices, such as those detailed in CIS benchmarks.

A common element in a multi-layered security approach is network-based vulnerability scanning. The most basic form of this is port scanning (or testing) to determine which TCP/UDP ports are open and potentially vulnerable to attack. More sophisticated network-based scanning tools often include capabilities for discovering and mapping all systems on the network: their operating systems, the applications running on them, and the vulnerabilities of each.

However, there is an increase in deployments of host-based vulnerability management solutions. In fact, IDC forecasts a compound annual growth rate in this category of 12.3%, resulting in a market size of $355 million in 2009. With such factors as new attack tools to defeat perimeter defenses, premature commercial software releases and unpatched servers to contend with, it’s no wonder that users have realized that a strategy focused on perimeter security defense via network scanning is just not enough.

“Perhaps the biggest driver for host-based vulnerability is, of course, regulatory compliance,” says Todd Tucker, NetIQ Director of Product Marketing. “A focus on the host’s vulnerabilities is no longer just an important security component; it’s the law, for many industry verticals and public corporations.”

Network-Based Approach Limitations

There are literally hundreds of network-based vulnerability scanning tools on the market. IT auditors typically use either open source tools such as Nessus or Nmap, commercially available scanners or a managed security service. While these are important tools and common in the arsenal of IT auditors, they are subject to several limitations:

  • They are unable to prove compliance with policies and standards, either regulatory or internal. They essentially present a hacker’s view of system security – a view from the outside – versus an administrator’s view.
  • Network scanners rarely can determine if a system has already been compromised. For example, most scanners cannot identify the presence of a worm, like MS Blaster.
  • Network scanners often give inaccurate views of security. For one, they are hindered by network-level controls such as firewalls and router ACLs and can only “see” what they are allowed to see.
  • They can be dangerous to use. Since scanners often are capable of performing invasive or even disruptive tests, denial of service and corruption of services is possible. Users must be careful to restrict scans to only the safe tests.
  • They can overwhelm users. Scanners often lead to information overload, reporting hundreds of vulnerabilities per system. Moreover, they often fail to provide high-level metrics, so auditors are left to assess risk and compliance levels from qualitative factors alone (e.g., vulnerability descriptions).

Host-Based Approach Advantages

In contrast, a host-based approach can not only identify vulnerabilities, but can also confirm the security posture of the system and determine compliance with security configuration policies. Specifically, your solution should meet the following criteria:

  • Assesses compliance with policies, regulations, standards, and leading practices. Compliance with applicable policies and standards (e.g., benchmarks) and other drivers (e.g., Sarbanes-Oxley, Basel II) is important in today’s business. The approach should facilitate compliance by identifying exceptions from policies and standards.
  • Provides a combined assessment of security posture across the company’s critical, heterogeneous technologies. IT security audits are generally performed across heterogeneous environments, not on just a single platform. The solution should assess all needed critical platforms together, similar to the work of an auditor.
  • Provides an accurate assessment of security posture. IT security audits should provide a comprehensive picture of security from an “administrator’s point of view.” The assessment should provide a view from the inside out, so that it is clear where you have compliance exceptions and vulnerabilities. That is, a snapshot of your current configurations should be compared to a database of best practices, known vulnerabilities or the gold standard build of the asset.
  • Supports continuous auditing. The solution should be completely automated and enable assessments to be scheduled on a recurring basis, performed during off hours, and hold the results and data securely for subsequent reporting and analysis. The database of best practices and vulnerabilities should be frequently and automatically updated as well.
  • Reduces the workload of IT auditors and other involved personnel. Any IT security auditing approach should be efficient. It should leverage technology to audit technology where possible, and minimize the amount of manual procedures.

It’s important to note that today “host-based” does not necessarily mean “agent-based.” Rather, it refers to the point of view of the tool. A few host-based tools on the market now provide the ability to assess servers and workstations without installing an agent. While agents usually offer certain benefits, you should look for a tool that supports both agent-based and agent-less assessments to give you the flexibility in deployment.

NetIQ distinguishes itself from not only network-based vulnerability scanners, but also host-based vulnerability scanners, through a more comprehensive offering known as NetIQ Secure Configuration Manager.

NetIQ Secure Configuration Manager audits system configurations and compares them to corporate policies, previous snapshots, and/or other systems. It also leverages this configuration information to reliably identify vulnerabilities and exposures, using the latest security intelligence, delivered automatically to customers. NetIQ Secure Configuration Manager allows you to demonstrate regulatory compliance and manage IT risks via scored reporting to direct remediation efforts toward issues of highest priority.
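As an added example (not NetIQ's code and not from the original article), the following Python sketch shows the host-based comparison described in the criteria above and in this paragraph: a snapshot of a host's settings is checked against a policy baseline, exceptions are ordered by severity so remediation goes to the highest-priority issues first, a compliance score is produced, and two snapshots of the same host are diffed for drift. The setting names, expected values, severities and snapshot contents are constructed assumptions, not a real benchmark.

```python
"""Host-based configuration compliance check (added illustration).

A policy baseline (the "gold standard build") is a list of expected settings.
A snapshot is what an agent or agent-less collector read from the host.
"""
from dataclasses import dataclass
from typing import Any

@dataclass(frozen=True)
class Rule:
    setting: str      # configuration item, e.g. an sshd_config directive
    expected: Any     # value the policy requires
    severity: int     # constructed weighting: 1 = low, 2 = medium, 3 = high

# Constructed baseline, loosely modelled on CIS-style hardening items.
POLICY = (
    Rule("ssh.PermitRootLogin", "no", 3),
    Rule("ssh.PasswordAuthentication", "no", 2),
    Rule("password.MinLength", 12, 2),
    Rule("audit.Enabled", True, 3),
    Rule("telnet.Installed", False, 3),
)

# Constructed snapshot of one host. "telnet.Installed" was not collected,
# so compliance cannot be proven for it and it is reported as an exception.
SNAPSHOT_HOST_A = {
    "ssh.PermitRootLogin": "yes",
    "ssh.PasswordAuthentication": "no",
    "password.MinLength": 8,
    "audit.Enabled": True,
}

def assess(snapshot: dict, policy=POLICY):
    """Return (exceptions sorted by severity desc, score 0-100).

    Each exception is (setting, expected, actual, severity). The score is the
    severity-weighted share of rules that passed, so one critical miss costs
    more than several low-severity ones.
    """
    exceptions = []
    for rule in policy:
        actual = snapshot.get(rule.setting, "<not collected>")
        if actual != rule.expected:
            exceptions.append((rule.setting, rule.expected, actual, rule.severity))
    exceptions.sort(key=lambda e: e[3], reverse=True)   # stable: keeps policy order within a tier
    max_weight = sum(r.severity for r in policy)
    failed_weight = sum(e[3] for e in exceptions)
    return exceptions, round(100 * (max_weight - failed_weight) / max_weight)

def drift(previous: dict, current: dict) -> dict:
    """Settings whose value differs between two snapshots of the same host."""
    keys = set(previous) | set(current)
    return {k: (previous.get(k), current.get(k)) for k in keys if previous.get(k) != current.get(k)}

if __name__ == "__main__":
    exc, score = assess(SNAPSHOT_HOST_A)
    print(f"compliance score: {score}%")
    for setting, expected, actual, sev in exc:
        print(f"  [sev {sev}] {setting}: expected {expected!r}, found {actual!r}")
```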

For more information about NetIQ Secure Configuration Manager and how to demonstrate IT compliance through security configuration management, regulatory mapping, and compliance and risk reporting, visit www.akibia.com/netiq.

About the Author
Bob Tesh has more than 20 years’ experience in the computer software, industrial automation and telecommunications industries. As Senior Manager of Product Marketing, Mr. Tesh is responsible for positioning, go-to-market strategies and sales enablement of NetIQ’s security solutions. Prior to NetIQ, he held management positions at Vieo, Inc., BindView and BMC Software. Mr. Tesh earned his bachelor’s degree in Industrial Engineering from North Carolina State University and graduated with honors. He also earned an MBA from Xavier University.