Is Your Network in Compliance? Call in Auditor 16

By Joseph Moran | Posted February 22, 2005

Ask any network administrator what the toughest part of their job is, and he or she will likely respond that it's trying to keep up with the never-ending torrent of security vulnerabilities that plague today's networks. For every well-publicized security hole you've heard of, there are many others that you haven't, and they could be lurking in one or more places on the network.

While dealing with security issues has always been an important part of maintaining a network, an increasing number of companies must now comply with various forms of regulatory legislation like the Sarbanes-Oxley Act, HIPAA (Health Insurance Portability and Accountability Act), and GLBA (Gramm-Leach-Bliley Act). With laws like these, the importance of security takes on a whole new meaning, since failure to comply with these and other data security regulations can result in serious and expensive legal problems (not to mention the possible compromise of sensitive customer data).

The PredatorWatch Auditor 16 appliance aims to help companies improve their network security and remain in compliance with data security laws. The Auditor 16 isn't a firewall — it's a device designed to sit on a network and audit hosts for potential security flaws that violate one or more relevant IT regulations.

Auditor 16 checks the audits it conducts against the CVE list, which is funded by the U.S. Department of Homeland Security and maintained by The MITRE Corporation. CVE is an abbreviation for Common Vulnerabilities and Exposures, and the CVE list is a standardized dictionary of thousands of publicly known security problems affecting a host of products. These include Windows and Linux-based servers like Web, mail, FTP and database applications, as well as operating systems, client applications, routers, firewalls and so forth.

Installation and Set Up
Installing and running the Auditor 16 is a pretty straightforward task — you just need to plug it in to the network (behind the firewall), and then you can configure it with any Web browser.

The first step is to have the Auditor 16 scan the subnet for network hosts, and after doing so I realized that Auditor 16 didn't detect the presence of one of my client workstations. The system turned out to be running the Norton Internet Security 2004 firewall, which by default does not respond to ping queries (which are used to detect systems on the network).


Auditor 16
Play It Safe — Auditor 16 helps you plug security holes in your network and can keep you compliant with a variety of state and federal regulations.

Disabling the firewall allowed the Auditor 16 to detect the system (although it erroneously identified it as running Windows 2003 Server, when it was actually running Windows XP Home). Even after initial detection, you must leave software firewalls turned off in order for Auditor 16 to accurately conduct its audits for those machines.

PredatorWatch says that it has encountered this problem with the firewall that comes with Windows XP Service Pack 2, and that it's developed a client utility called SecurityBooster that can switch off that firewall the during an audit. The company says that it's looking at adding support for other client firewalls as well. For now though, if you plan to conduct regular client audits, the only practical option is to permanently disable the client firewalls (other than XP SP2).

Define and Assign Profiles
When configuring the Auditor 16 to audit your network, you can define multiple profiles and assign specific parameters. This lets you tailor each profile to the type of system you are auditing. (i.e. one profile for critical systems like Web and e-mail servers and another for client machines such as notebooks). You can schedule audits to take place daily, weekly or monthly — on a specific day or time — and you can also opt to have audits take place immediately after the Auditor 16 downloads updated CVE lists.

Auditor places CVEs into one of four risk categories as defined by the CVE dictionary — low, medium, high and serious. You can configure each profile to generate an e-mail notification to the responsible person any time it discovers a CVE of a particular severity. To minimize network bandwidth drain, the Auditor offers a low-bandwidth mode, and as a time saver, you can perform incremental or differential audits that focus only on new systems or newly discovered CVEs.

System Quarantine
One of the neat features of Auditor 16 is that it can interact directly with certain firewalls to quarantine any system that's found to have a CVE, and you can specify the level of CVE severity that will trigger that quarantine. Currently supported firewalls include CyberGuard Classic and SG, Cisco PIX, Juniper NetScreen, and the Secure Computing Sidewinder (PredatorWatch says it plans to add support for additional firewalls).

I configured a profile to audit a group of clients and quarantine any system with a high-level CVE. Sure enough, the audit found an affected system, and it no longer had IP connectivity. If you consider completely blocking IP traffic a tad draconian, you can also configure the quarantine feature to block traffic only on ports specific to the CVE.

Similarly, using the Auditor 16's Dynamic Detection feature, you can configure the device to immediately audit any host as soon as it joins the network. That will prevent the machine from accessing your network or the Internet until the audit is complete.

Keeping You in the Loop
Once an audit is complete — or even while it's still in progress — Auditor 16 will produce detailed reports of the audit findings. It generates the reports in PDF format, making it easy for you to save and print them.

The results of an audit will likely to be of great interest to upper management — including many outside the IT department — so Auditor 16 offers reports in three different flavors — Administration, Management and Executive. The Administration report is intended for the nuts-and-bolts network admin and contains detailed information on all CVEs found, including links to dictionary entries on mitre.org as well as links to instructions on how to fix each problem.

In contrast, the Executive report omits the technical minutiae and simply reports the number of CVEs found and breaks them down by category. Once an audit is complete and the report ready, the Auditor 16 can also send a text message to an administrator's cell phone — complete with a URL pointing to the report's location.

Of course, once you've uncovered security problems on your network, you still need to fix them. While Auditor 16 can scan the network for problems and provide directions on how to plug the holes it discovers, the device can't actually take any corrective action on its own (save for quarantining the device as described earlier). Therefore, the task of actually fixing or removing the CVEs falls to the administrator.

Depending on the specific nature of the CVE found, the fix might be as simple as adding a password to a user account or installing a software patch, or it may involve a more complex set of tasks. PredatorWatch says it's working with vendors (including Microsoft) to help automate the CVE repair process.

Pricing Structure
The Auditor 16 appliance costs $995, and there is a $199 charge for each regulatory compliance module, so for example, if you plan to audit for compliance with all three regulations mentioned at the top of the article, you'd pay an additional $597.

Another optional feature (also $199) is the Basic Policy Builder, which provides the written framework of a comprehensive security policy (covering such topics as use of e-mail, voice mail, the Internet, etc.) that you can customize to suit your organization's needs.

Finally, there a $199 annual maintenance fee that covers ongoing product support and CVE updates.

Factoring in all of the options, you may ultimately pay $1,990 — double the Auditor 16's base price. Still, that could be a bargain compared to the potential costs of regulatory noncompliance, or worse, the consequences of someone actually exploiting vulnerabilities on your network.

Conclusion
There's no such thing as a universal remedy to all potential security ills, and PredatorWatch's Auditor 16 is no exception. It should, however, help you maintain regulatory compliance by keeping you current on the latest threats and letting you address weaknesses as they're discovered.

Price: $995, plus $199 annual maintenance fee; three optional compliance modules at $199 each.

Pros: Can audit network against one or more specific regulatory requirements; can quarantine vulnerable systems until security holes are fixed
Cons: Can't penetrate most client software firewalls; no automated repair — vulnerabilities must be fixed personally by administrator

Joe Moran spent six years as an editor and analyst with Ziff-Davis Publishing and several more as a freelance product reviewer. He's also worked in technology public relations and as a corporate IT manager, and he's currently principal of Neighborhood Techs, a technology service firm in St. Petersburg, FL. He holds several industry certifications, including Microsoft Certified Systems Engineer (MCSE) and Cisco Certified Network Associate (CCNA).

Do you have a comment or question about this article or other small business topics in general? Speak out in the SmallBusinessComputing.com Forums. Join the discussion today!

Comment and Contribute


     

    Get free tips, news and advice on how to make technology work harder for your business.

    Submit
    Learn more
     
    You have successfuly registered to
    Enterprise Apps Daily Newsletter
    Thanks for your registration, follow us on our social networks to keep up-to-date