From: Tima Soni (tima.soni@gmail.com)
Date: Tue Jul 31 2007 - 11:21:40 EDT
One important thing-
QualysGuard reports can be customised easily to document compliance
with regulatory laws like PCI, HIPAA, GLBA, SB 1386 and Sarbanes-Oxley
etc. With the inbuilt ticketing functionality it has, vulnerabilities
can be tracked and remediated by ticket trending by asset group, user
and vulnerability. You can then analyse the groups, users and
vulnerabilities that are being reported frequently...
GFI LANguard, on the other hand, can reach even isolated segments, as
it can be installed even on laptops. So you can connect your laptop to
an isolated device, maybe by a cross cable, and scan it... But
QualysGuard is a hardware box kept in one segment of the network.
Possibly, you might have to open access to all segments of the network
for the device, so that it can perform scans. It might not always be a
good idea. GFI can report all known vulnerabilities listed in the
OVAL, CVE and SANS Top 20 databases. You can even evaluate file folder
permissions with it.
The best solution would be to use two vulnerability scanning tools, so
that a comparative analysis can be done... One tool has excellent
reporting features (QualysGuard) and the other tool can be used for
more in-depth technical detail on the vulnerabilities and the methods
of fixing them, and even to reach segments that are not reachable by
the other tool. This is also able to discover any false positives
reported by one scanner...
So in case you are planning to document compliance with regulatory
laws, QualysGuard will be helpful.
Regards,
Tima
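The two-scanner approach described above (comparing results to surface false positives, and trending open findings by asset group for ticketing) can be reduced to a small correlation script. The following is an added example, not code from the mailing-list post or from any of the products it names; the scanner outputs, hostnames, CVE ids and asset-group mapping are all constructed placeholders, and the normalisation assumes each tool exports at least a host, a CVE id and a severity.

```python
"""Cross-correlate findings from two vulnerability scanners.

Added example (not from the mailing-list post): merges the output of two
scanners keyed by (host, CVE), so findings both tools agree on can be
tracked with higher confidence, and findings only one tool reports are
queued for manual verification, which is where false positives usually
hide. All data below is constructed; hostnames, CVE ids and asset groups
are placeholders, not real scan results.
"""
from collections import Counter, defaultdict

# Constructed sample export from scanner A (think of a hosted scanner's CSV export).
SCANNER_A = [
    {"host": "10.0.1.10", "cve": "CVE-0000-0001", "severity": 4},
    {"host": "10.0.1.10", "cve": "CVE-0000-0002", "severity": 3},
    {"host": "10.0.2.20", "cve": "CVE-0000-0003", "severity": 5},
]

# Constructed sample export from scanner B (think of a laptop-based scanner
# run on a segment the hosted appliance cannot reach).
SCANNER_B = [
    {"host": "10.0.1.10", "cve": "cve-0000-0001", "severity": "high"},      # same finding as A, different formatting
    {"host": "10.0.2.20", "cve": "CVE-0000-0004", "severity": "medium"},
    {"host": "10.0.3.30", "cve": "CVE-0000-0005", "severity": "critical"},  # host on the isolated segment
]

# Hypothetical asset-group mapping, the dimension a ticketing workflow trends by.
ASSET_GROUPS = {"10.0.1.10": "web", "10.0.2.20": "db", "10.0.3.30": "isolated-lab"}

# Scanner B reports severity as words; map them onto scanner A's 1-5 scale.
SEVERITY_WORDS = {"low": 1, "medium": 3, "high": 4, "critical": 5}


def normalize(finding, scanner):
    """Return a uniform record (upper-cased CVE id, numeric severity) tagged with its scanner."""
    sev = finding["severity"]
    if isinstance(sev, str):
        sev = SEVERITY_WORDS[sev.lower()]
    return {
        "host": finding["host"],
        "cve": finding["cve"].upper(),
        "severity": int(sev),
        "scanner": scanner,
    }


def correlate(a_findings, b_findings):
    """Merge both scanners' results into {(host, cve): {"scanners": set, "severity": max}}."""
    merged = defaultdict(lambda: {"scanners": set(), "severity": 0})
    for scanner, findings in (("A", a_findings), ("B", b_findings)):
        for raw in findings:
            f = normalize(raw, scanner)
            entry = merged[(f["host"], f["cve"])]
            entry["scanners"].add(scanner)
            entry["severity"] = max(entry["severity"], f["severity"])
    return dict(merged)


def triage(merged):
    """Split merged findings into those both tools confirm and those only one tool reports.

    Returns (confirmed_keys, [(key, reporting_scanner), ...]); the second list is
    the manual-verification queue, since a single-scanner hit may be a false
    positive of that tool or a blind spot of the other.
    """
    confirmed = sorted(k for k, v in merged.items() if len(v["scanners"]) == 2)
    needs_verification = sorted(
        (k, next(iter(v["scanners"]))) for k, v in merged.items() if len(v["scanners"]) == 1
    )
    return confirmed, needs_verification


def open_findings_by_group(merged, groups):
    """Count open findings per asset group, the trending view a ticketing workflow reports on."""
    counts = Counter()
    for (host, _cve) in merged:
        counts[groups.get(host, "unmapped")] += 1
    return dict(counts)


if __name__ == "__main__":
    merged = correlate(SCANNER_A, SCANNER_B)
    confirmed, verify = triage(merged)
    print("confirmed by both scanners:", confirmed)
    print("seen by one scanner only (verify manually):", verify)
    print("open findings by asset group:", open_findings_by_group(merged, ASSET_GROUPS))
```

With the constructed data, only one finding is confirmed by both tools; the other four go to the verification queue, and the asset-group counts show the isolated segment that only the portable scanner reached. In practice the normalisation step is where most of the effort goes, because real exports disagree on host naming (IP versus FQDN) and on whether a finding is keyed by CVE, vendor advisory or the scanner's own plugin id.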
On 7/27/07, US Infosec <usinfosec@gmail.com> wrote:
> I am not sure who told you that Foundstone can not scan public IP
> Addresses, but they do and I use it for that purpose a lot. Also, as
> I think I pointed out before, when you look at Foundstone be sure to
> also check out Preventsys which improves the reporting quite a bit. I
> have no vested interest in your decision and will just tell you that I
> perform vulnerability assessments all the time and frequently will
> scan customers that have Qualys and I end up finding stuff that it
> didn't. So, again I would recommend that you do a proof of concept
> with both in your environment and see which one produces the results
> you are looking for.
>
> One last thought. A lot of places want to "automate" vulnerability
> assessments. You can schedule them but all of the rest of the process
> really needs people involved. As others would probably agree,
> relying on an automated process for vulnerability assessment and then
> patch management can lead to some serious problems and a false sense
> of security.
>
> Good Luck
>
> On 7/25/07, Uzair Hashmi <uzair@kse.com.pk> wrote:
> > Hello,
> >
> > First of all I would like to thank everyone on this list who replied to
> > my message and gave enough different perspectives, I really appreciate
> > it. Thank you very much.
> >
> > Currently we are using Nessus, nmap, nc, Metasploit, and obviously
> > ethereal (I can't breathe without it), for all the Vulnerability
> > Assessment exercises. Security dept. needs to entertain Operations dept.
> > and Audit Dept. separately; giving them compliance reports with a certain
> > level of authenticity and trust, with specific solutions as well (taking
> > care of the change management process, also like what needs to be updated and
> > what not). We have 20,000 local IPs and 8 public. With the current situation
> > it's quite difficult to manage the reporting and change tracking; the
> > whole automation of this process, and giving the reasons to audit why
> > and what we have communicated to. All records have to be maintained.
> >
> > I have evaluated almost all possible products / solutions / services
> > that every person has suggested. Products like ISS, Retina, CoreImpact
> > etc. are not feasible due to various technical and policy based reasons.
> > Also some support issues in the operating city.
> >
> > We are not debating about what tools and processes can make up a
> > credible infrastructure for security management, but a very very
> > specific area of vulnerability assessment, in fact vulnerability
> > assessment automation.
> >
> > Please give technical answers that can really help in taking the
> > decision. The comparative answers I got from most persons on this list
> > don't satisfy at all, because I have no concern what market share and
> > clientele one product has, etc. Also, with most of the persons comparing
> > QualysGuard and Foundstone it looks like they worked with or evaluated only
> > one of the products, or got biased by some marketing strategy.
> >
> > Anyway, here are the cons of both products with vendor justifications:
> >
> > QualysGuard:
> > Data is stored at qualys.com. The vendor mentioned that the data and
> > maps stored are in encrypted format; the encryption key is based on the
> > user's password. In case you forget the password, a new account will
> > be created, and the old account with whatever data it holds is dumped /
> > deleted. Whereas Foundstone stores all data on its local hard disk. The
> > vendor is willing to sign a legal NDA for information disclosure.
> >
> > McAfee Foundstone:
> > Cannot scan public IPs. It is quite possible to scan public IPs from
> > the DMZ, but again Foundstone doesn't target that audience. Also, while
> > scanning from the DMZ one cannot strictly check the firewalls' and other
> > devices' configurations from an alien perspective. QualysGuard is good at
> > it.
> >
> > Note: The vulnerability database is updated locally before each new scan (if
> > required), and hence needs internet availability to download/update the
> > database.
> >
> > Now the pros part: QualysGuard has far better reporting compared to
> > Foundstone, and also to Retina and Nessus. Both QualysGuard and Foundstone
> > support threat correlation (Foundstone comes with additional cost for
> > this module, not by default). Both support a risk management matrix, and
> > role-based user access control.
> >
> > I have not considered the scan speed and network utilization of the two
> > products while evaluating, so if someone can give his/her input in this
> > regard, or any other technical consideration, I look forward to it and would
> > appreciate it if someone can really help in selecting one from the two.
> >
> >
> > Best Regards,
> > Uzair
> >
> > ------------------------------------------------------------------------
> > This list is sponsored by: Cenzic
> >
> > Need to secure your web apps NOW?
> > Cenzic finds more, "real" vulnerabilities fast.
> > Click to try it, buy it or download a solution FREE today!
> >
> > http://www.cenzic.com/downloads
> > ------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:59 EDT