
A Review of Typhon III

By Brian Kelley

Introduction

Next Generation Security Software is known not only for its security products, such as the Squirrel series for databases, but also for the expertise of its security researchers, especially in the area of database servers. Typhon III is another security tool from NGS Software, but instead of being geared towards a specific product, it is a general vulnerability and security scanner. Other tools in the same space include Nessus, Retina, and GFI LANguard.

Typhon III does not initiate harmful scans or tests in order to probe for vulnerabilities. Instead, it is intended to be used as part of a regular scanning process by an organization. Since it is a multi-threaded application, it can perform such scans in a very rapid manner, with the time depending on what is installed and exposed on the systems being scanned. 

Environment

Typhon III is designed for the Windows platform and supports Windows NT 4.0 through Windows Server 2003. Minimum hardware specifications are a Pentium III or Athlon processor running at 1 GHz with a minimum of 256 MB of RAM and 10 MB of free hard disk space. The recommended configuration is a Pentium 4 at 2 GHz or Athlon XP 2000+ with at least 512 MB of RAM.

For purposes of this evaluation the product was installed on a Pentium 4 2.8 GHz laptop running Windows Server 2003 SP1 with 1 GB of RAM. It was run against a mixture of VMware and Virtual PC/Server virtual machines and physical servers and workstations. Scans ranged from a single system to an entire class C subnet with approximately 175 systems present.

Installation

The installation of this new version of the product is the same as it was with the version in 2004. Installation was smooth and without issue, as Typhon III uses a standard InstallShield installer. However, Typhon III does require a few additional steps in order to get the product up and running. The first step is to generate a license key request. The license key request is tied to the system on which Typhon III is installed. Next, you forward this license key request to Next Generation Software. If you've gone through the process of receiving an SSL server certificate from GeoTrust, Thawte, VeriSign, or another certificate authority, it's much the same. Then, Next Generation Software responds with a license block which enables the application. Finally, you install the license block and activate the software.

Using Typhon III

After starting the application, the first thing to do is to select the modules with which to scan (Options | Default Module Options...). For instance, if we just want to scan for SQL Server vulnerabilities, we make sure it's the only one checked (Figure 1). This is a new, tree-view interface which makes it a bit easier to configure the scan than the previous version.

Figure 1

The next step is to set up any of the advanced settings (like how to connect via NetBIOS). You can do this through Options | Default Advanced Settings.... Once that's done, it's time to configure which systems to scan (Scan | Select Host(s)) and then initiate a scan (Scan | Start Scan). Alternatively, you can use the Wizard (Scan | Wizard) to go through all of the settings and set up the hosts to scan. While the Wizard is nice in that it steps you through getting a scan up and going, after you've used the product once or twice you won't need it.

Once the scan starts, a pop-up window will appear which will show the current status of the scanning (Figure 2).

Figure 2

Once a scan is complete the summary results can be seen by clicking on the server name. Figure 3 shows such a case where SQL Server is installed and at least one account has been found to have a weak password.

Figure 3

To find the culprit, drill down until you get to the vulnerability. Figure 4 shows an example of a SQL Server login with a password that is the same as the user name (WeakPassword). This is clearly a no-no and needs to be fixed. Notice in the left-hand pane the different indicators for the severity of the information/vulnerability. The Weak Passwords entry is flagged with a STOP sign, indicating this is a high severity vulnerability. The yellow circles with exclamation points either indicate a medium/moderate vulnerability or call your attention to an issue that the scanner encountered. The blue circle with the exclamation point is an informational message. Note that Typhon III was able to pull back the SQL Server logins because the account used to scan had access to SQL Server. It also reports on the databases on the SQL Server in question.

Figure 4
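
To confirm by hand a weak-password finding like the one in Figure 4, a DBA can run a check of the following kind against the flagged server. This is an added example, not part of the original review and not Typhon III's own method; it assumes SQL Server 2008 or later and a login permitted to read password hashes (for example a sysadmin), and the candidate list is constructed sample data.

```sql
-- Added example: audit SQL logins for the weak-password classes a scanner reports.
-- Assumptions: SQL Server 2008+ (sys.sql_logins, PWDCOMPARE, multi-row VALUES)
-- and permission to read password_hash. Run as a single batch.

DECLARE @candidates TABLE (guess sysname NOT NULL);

-- Constructed sample list; replace with your organisation's banned-password list.
INSERT INTO @candidates (guess)
VALUES (N'password'), (N'Password1'), (N'sa'), (N'sql'), (N'changeme');

SELECT  l.name                  AS login_name,
        f.finding,
        l.is_disabled,
        l.is_policy_checked,       -- 0 = Windows password policy is not enforced
        l.is_expiration_checked,
        l.modify_date
FROM    sys.sql_logins AS l
CROSS APPLY (
    -- Each branch yields one row only when its condition holds for this login.
    SELECT N'blank password'
    WHERE  PWDCOMPARE(N'', l.password_hash) = 1
    UNION ALL
    SELECT N'password equals login name'
    WHERE  PWDCOMPARE(l.name, l.password_hash) = 1
    UNION ALL
    -- Report only that a listed password matched, never which one.
    SELECT N'password is on the banned list'
    WHERE  EXISTS (SELECT 1
                   FROM   @candidates AS c
                   WHERE  PWDCOMPARE(c.guess, l.password_hash) = 1)
) AS f (finding)
ORDER BY l.is_disabled, l.name;
```

Logins returned with is_policy_checked = 0 are worth fixing even after the password is changed, since nothing stops the weak password from being set again.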

If you're scanning for multiple modules, it may take a few minutes to complete all the scans. In that case, selecting the computer name will show a status of any modules that are running against the computer in question. This is shown in Figure 5.

Figure 5

As to actual performance, note Figure 6 which shows Typhon III with 14 threads. Memory utilization is light because it was only scanning one server at a time. However, it can utilize the processor heavily, depending on the scans that are running. At the instant of this snapshot the more intensive scans weren't running, but note the CPU time (3 minutes and 9 seconds). In the time it was running it made heavy use of the single processor in order to complete the scans as rapidly as possible.

Figure 6

Typhon III is also able to report on best practices. For instance, it is generally recommended from Windows 2000 on to disable the Messenger service (technically, if you didn't have a real need for it the service should have been disabled in NT 4.0 as well). I had toggled the Messenger service to Manual before a scan and Typhon III flagged it when it did a Windows Services module scan (Figure 7). Figure 8 provides verification of the configuration which was marked by Typhon III as something that needed to be fixed.

Figure 7

Figure 8

In my scanning I did find a few false positives, but that's par for the course with any general vulnerability scanner. For instance, with Nessus it's not unusual to see quite a few false positives, especially if every plug-in is toggled and safe scanning is off. Figure 9 shows one such false positive, due to the installed Internet Explorer 7. However, I flagged this one because it's not actually an issue with Typhon III itself, but rather with the file Microsoft provides which contains the list of security updates and fixes which should be detected (mssecure.xml). Any product which relies on mssecure.xml would have an issue with IE 7 because it's not covered by the file. I like how Typhon III alerted on the fact that it didn't have information on IE 7. Some products just ignore the issue. I'd rather see the alert in case it is truly a problem.

Figure 9

Typhon III does more than just vulnerability scanning, though. Figure 10 shows an option where Typhon III can generate a script to be executed in order to solve any registry issues found during the scan. This is a very nice feature I've not seen with other vulnerability scanners.

Figure 10

One last feature I wanted to bring up is the autosave feature. If you're in the middle of a scan of a large number of systems, the scan could take quite a while. Autosave will save the results of the scans up to that point on a periodic basis. This is shown in Figure 11. One time when I was running a scan I needed immediate use of the full capabilities of the system and I had to exit the program without waiting for it to cancel the scan and gracefully exit out as the currently running modules completed. The majority of the scanning I needed had already been completed and when I exited the program I didn't lose all of those results. Rather, I was able to import the scan results file and see what it had found up to the point where I exited.

Figure 11

One thing I didn't talk about was reports, but they are rather self-explanatory. Once you have a complete scan (or an autosaved scan file), you can export a report as HTML, Rich Text, XML, or plain text. In addition, you can export to an ODBC data source.

Support

Support for this product is excellent. Any time I had a question I received an email in a few hours if I sent an email on a business day. Even when I sent a question in over the weekend I still received a reply before the weekend was up. Updates are also downloadable and I was able to test a minor update during the evaluation of this product. The update performed flawlessly.

Conclusions

Though the version of the product only reflects a minor version change from the one I evaluated in 2004 (3.0 versus 3.0.1.x), there are a few nice new features such as how to select the modules to use in scanning. I'm a big fan of the autosave feature and I like how much information this tool provides in order to remediate vulnerabilities it finds. Also, this is the best general vulnerability scanner I've found with respect to dealing with security issues for database servers. The product goes beyond a registry check for version or just looking for a blank sa password. Finally, I was impressed with how rapidly it was able to perform the scans and how accurate the reports were.

Ratings

I will rate each of the following using a scale from 1 to 5, with 5 being the best and 1 being the worst. Comments are in the last column.

| Category | Rating | Comments |
|---|---|---|
| Ease of Use | 5 | When I compare this to products in the same space, such as eEye's Retina or the free Nessus, this tool is easier to set up and do specific scans than either of those products, hands down. As a matter of fact, as I was evaluating this product, a co-worker was looking at Retina and was frustrated at how I could lock down on to say, SQL Server scans, with a few mouse clicks where he had to start a whole new scan setup and scroll through a ton more options just to get the same thing (well, as much SQL Server scanning as Retina provides, which isn't as much as Typhon III does). |
| Feature Set | 5 | Since this is a general vulnerability scanner and not a database specific one, you'd have to wonder how deep it can go into the various database products. It can scan for weak passwords, scan for default passwords, and scan for specific vulnerabilities which aren't answerable with a hot fix or service pack on SQL Server and Oracle, which is more than its main competitors do. Therefore, from a database perspective, this tool is the cream of the crop for general vulnerability scanners. |
| Value | 4 | Given that there are free/open source tools available that do a lot of the things this product can do, I cannot give it a 5. However, if you need to audit general weaknesses on SQL Server and Oracle beyond just patch levels, you want to give this product a look. If you need to go in depth, then NGS Software's Squirrel series is your answer. But this product certainly is extremely good... we are looking at it as a general vulnerability scanner where I am employed. |
| Technical Support | 5 | In the previous review and in this one, NGS Software has been extremely prompt answering emails I had with questions on how the product worked as well as thoughts for how things might work better (I figured as long as I had someone's ear, I would ask for a few things on my wish list that I wish all vulnerability scanners would include). Even a response sent over the weekend was answered before the weekend was out. |
| Lack of Bugs | 5 | The only real issue I encountered is that the product relies on Microsoft's mssecure.xml (the file that contains information about all the security updates and used by tools like hfnetchk, Microsoft Baseline Security Analyzer until the most recent build). Microsoft has decided to go with a new format and there are products that aren't covered in mssecure.xml, which is being phased out. As a result, the product can't detect anything with respect to those products. This isn't NGS Software's fault but it does lead to the STOP sign alerts, which need to be investigated. |
| Documentation | 5 | The documentation is awesome, especially when it discovers a vulnerability. For instance, we scanned an Oracle instance and it detected an insecure Listener. The developer running said Oracle instance was amazed that the product told exactly how to fix the issue without us having to resort to searching for the information in Oracle's docs or on the Internet. |
| Performance | 5 | This application is multi-threaded and gets through the scans as quickly as possible. If you've ever tried to do vulnerability scanning on a single-threaded application, you know that it can take forever if you're trying to do a thorough job. I was quite impressed with how quickly I could scan using all the options across a C class subnet. |
| Installation | 5 | Standard clean installation with an easy method for activating the license. This hasn't changed from the previous version because it didn't need to. |
| Learning Curve | 5 | When I compare this product with others in its space, I was able to get a scan up and running in minutes. It's been a couple of years since I used the product but that didn't matter. Also, there is a wizard to walk you through what to scan if you need it. |
| Overall | 4.89 | I really liked the product two years ago. When NGS Software indicated they had improved it I was all for trying it again. They certainly have improved it. Although I dropped them in the value score, this is more a reflection of the number of free tools that are out there than any strike against Typhon III's quality. If you are responsible for securing systems in your organization, certainly give this product a look, especially if you're in a smaller organization without dedicated DBAs. This product could save you a lot of embarrassment when the auditors show up. |

Product Information

Web Site: http://www.ngssoftware.com/

Developer: Next Generation Security Software

Pricing: Contact sales@ngssoftware.com for a single instance license

 

© 2006 by K. Brian Kelley.

 
