back to article GFI LanGuard 2014: Go on. Find my weaknesses and point them out

GFI has launched GFI LanGuard 2014, version 11.2 of its well-tested vulnerability scanning software. I have used LanGuard since 2001, when version 2.0 was released. It has been an invaluable tool in my sysadmin's toolkit and I am curious to see how the software has evolved over the past 13 years. The basic purpose hasn't …

COMMENTS

This topic is closed for new posts.
  1. CAPS LOCK

    And the price is?

    The GFI web site is suspiciously silent on the matter.

    1. Chris Miller

      Re: And the price is?

      Here

  2. Anonymous Dutch Coward

    Other tools

    I wonder how LanGuard compares to other tools like Nessus (and OpenVAS)?

    1. Christian Berger

      Re: Other tools

      This is a Trevor Pott article, don't expect any insights.

      He probably hasn't heard of Nessus or OpenVAS, or couldn't get it to run. It's not like he knows about computers.

    2. Trevor_Pott Gold badge

      Re: Other tools

      I've been pondering this one pretty much all day. How exactly do you compare a vulnerability assessment tool? The number of knobs there are to turn? How well it's configured default out of the box? Speed? Price?

      If we assume for a moment that - within a reasonable margin of error - all the tools pick up the same number and criticality of vulnerabilities then you're down to "soft" issues. How scriptable is it? How easily does it integrate into other systems? How appropriately does the tool rank vulnerabilities?

      Then we get into other things. Are you going to use the assessment tool mostly in a scripted, automated fashion, or will you basically be living in the UI? If the former then the design doesn't matter. If the latter, then "adjunct functionality" really starts to mean something.

      In most environments I use a combination of OpenVAS for vulnerability assessment, Spiceworks for monitoring and Languard 2.0 for discovery. Cost being the biggest driver for a lot of these folks. But the Languard 2014 can reasonably do all of that - and more - with easier configuration and scriptability. (OpenVAS is cool and all, but I don't find it as easy out of the box, something that matters if you are just showing up to do a sweep on demand.)

      Nessus is something I find easier to use - as I should, given that it's a commercial version of an antecedent of OpenVAS - but more restrictive, despite being more feature rich. I'm intrigued but the "multi-scanner" approach, and I start to wonder if they have enough components and technology to challenge Thousand Eyes and offer that sort of "premises-to-the-cloud" monitoring as part of their offering as well.

      Without question Nessus is a staunch competitor to Languard, and for good reason. The number of plugins available alone has created an ecosystem around Nessus that's hard to ignore. I do happen to like GFI's on-premises tool a bit more then Tenable's offering, but I wonder how much of that is simply habituation and familiarity.

      There's also SAINT, PSI, Retina and whatever that Cisco one got renamed to that we should all consider. Add to the mix Nexpose/Metasploit and CI (if you're rich) and this is a field with bountiful competition.

      So how do we compare A to B, C, D, E, F, G, and H? What matters to you won't necessarily matter to me and we may both differ from that guy over there. It's honestly hard to call a "better" - though I would entertain arguments for CI - when there is such a diversity of need. If the key need is being met (the detection, alerting and remediation of vulnerabilities) the rest is the sort of trite shite that ends up in emacs versus vim arguments or GUI wars.

      At the end of the day, I honestly don't know how to compare these products. I lack the knowledge to do so without greater context for the specific target application. The answer to "which is better" is that ages old IT answer that so rankles certain people who believe in a black-and-white universe: it depends.

      So when I review products in categories like this I measure them on merit alone, largely on the basis of meeting claims put forth. By that measure, I stand by what I said in the article. Languard does a fine job. It does what it says on the tin and does it for what I consider to be a fair price. It is exactly the sort of tool that no sysadmin should be without.

      If Languard itself isn't the precise combination of twiddly knobs that meets your needs, there are others out there worth a look to. More important than which tool you choose is that you choose one and use it. Securing your network makes the internet a safer place for us all.

      Cheers.

  3. Anonymous Coward
    Anonymous Coward

    Blue crystals?

    From Metebelis 3?

  4. Anonymous Coward
    Anonymous Coward

    So licensing that for a year, to scan 88 hosts would cost £1592, if my maths is right. Based on the prices in that link.

    It'd be nice to know whether Nessus, Nexpose, or OpenVAS, or any of the other similar products offer better value for money vs featureset, instead of how well version 12 of Languard compares to version 2 (which is no longer available to buy)

    Nessus would be $1500 a year, for 88 hosts, which is a fair bit cheaper, and it's not hard to use.

    1. Chris Miller

      As a security consultant, I've used the majority of these tools. There isn't a huge variation, either in price (where negotiating skills probably outweigh differences in list price) or performance. They're a bit like AV products: none of them is perfect; they're mostly pretty good; and which one is 'best' varies from month to month. For my purposes, reporting is an important consideration, and I like eEye Retina for its ability to produce nicely formatted CSV output.

      I couldn't use a tool (no matter how good) that took all day to scan 88 systems - Retina does that in 30-45 minutes on my (nothing special) laptop. Since much of the work of these tools consist in firing off a probe packet and waiting to see if there's a response (unless you've found a vulnerability, there probably won't be), CPU performance shouldn't normally be much of a consideration. If you're testing locally (rather than over the Internet) you can probably adjust timeouts to improve performance by an order of magnitude.

      1. K

        thanks for the recommendation, I'll give that a try.

        I did evaluate Nessus and Nexpose before, both detected the sames issues, but the relevance placed on them was different, from what I saw, Nexpose classification made far more sense and much easier to follow.

  5. Anonymous Coward
    Anonymous Coward

    Nice affiliate link you've got there. Paid shil?

    1. Trevor_Pott Gold badge

      On tech journalism shills: a freelancer's view from the bottom

      Hey there, good catch! I didn't even notice that it looked like an affiliate link when I added it. I was asked to add a link to the trial version (which, frankly, I probably would have done without anyone asking me, because it's just nice to do when you're writing about someone's product) and this was the link I was handed. The link itself is as follows:

      http://www.gfi.com/land/Home/adv/lanss/Scan-your-network-effortlessly?adv=220249&loc=9&utm_medium=referral-paid&utm_campaign=languardq1&utm_source=theregister&utm_content=editorial

      The official explanation by one of our commercial guys is as follows:

      "The link in question just goes off to their trial download. It has google analytics code appended to the URL so they can track, via GA, our readers who end up downloading said trial.

      In order that we could also track this, I ran the URL through Reglinkz to output something we can track. However, this type of link won't get caught by ad-blockers etc"

      That suits me, I hope it makes sense to you. To address the "shill" issue more directly: what I wrote about GFI's Languard I wrote because I felt it was accurate. I was asked to review the product and I did so as truthfully and honestly as I was able.

      Dissecting the issue

      Your question, however, raises a valid concern and we should dissect it to its fullest extent. Let's not take the fellow's word on this, but let's use some examination of the evidence and whatever personal experiences I can bring to bear to really examine the situation.

      The link itself contains references to The Register. I was asked by The Register to do the review. I think it's safe to conclude that the on-premises side of GFI asked for a review of the product as part of an advertising campaign, and that the link provided me for the trial version is a means by which the GFI folks track which clicks came from the El Reg article.

      For obvious reasons - writers of articles need to be kept separate from the messy details of where the money comes from in order to maintain objectivity - I'm no expert in the how and why of El Reg getting paid for things. Still, I very seriously doubt that The Register would have an actual "affiliate link" style arrangement with GFI on this. I just don't see that model having long term business viability for an entity the size of The Register.

      Editorial control

      Let me be, 100% clear on this, however: I absolutely have not and will not write nice things about a company because I get paid for it. I think you'll find this true of all El Reg writers.

      One of the reasons I choose to write for The Register is that I get to write whatever I want. Companies pay The Register for advertising, yes. That's a fact of life in this industry. But the editors here will absolutely go to the mattresses for my right to say what I want.

      A great example of this is my writing about Microsoft. Microsoft periodically comes in and runs a campaign about Office 365, Azure, Windows Server or so forth. They phone up El Reg and say something like "we would like 5 reviews of Office 365 to be published over the course of the next 2 months and each will focus on a different major feature."

      My editor will then come to me and ask me to come up with topics that meet this request while still delivering useful technical content to our readership. We'll come up with a list of 7-10 possible review topics to cover the 5 reviews they want, they'll pick amongst them and I'll get hooked up with whatever resources I need to be able to do the review.

      If you have read anything I've ever written about Microsoft you'll know that "Trevor saying nice things" is not something they can purchase.

      A company paying The Register> money can get The Register to commission a review of their product. A company paying The Register money cannot and will not get that reviewer to write nice things.

      If I have a really good idea for an article I can pitch it as a feature. Here I have to duke it out with every other freelancer wanting to write a piece about $topic. In addition to the above, I get to write a fixed number of blogs/reviews/podcasts per month (currently 6 per month) in which I get to pick the topic.

      Talking heads

      As concepts, these are important. If you are an advertiser trying to "shape the message" by "buying reviews" then you're going to have all sorts of problems. Journalists are prickly bastards. We would probably use our "pick your topic" articles to decry such shenanigans.

      If you have followed me as a writer you'll know that I have never shied away from using my little digital soapbox to express my opinion.

      I am – as one example – a VMware vExpert, a designation which I got mostly because I "evangelise" virtualisation. Being a vExpert conveys various interesting advantages and unlocks doors that otherwise I would never even know existed. Despite this, I have called VMware on their crap – both here on The Reigster and over at SearchVMware. I have talked about the stuff I see going on within the community and the company that aren't the shiny, happy world they portray.

      Indeed, even with my commercial writing clients I don't write fluff, I focus on finding the truth and talking about it. I won't take a client I don't think has a good product that can benefit sysadmins and I never try to obfuscate or inflate the benefits of their product when I create content for them.

      I can't speak for other writers. I never went to journalist school or took political science. I don't have an MBA or any time spent doing sales. People hire me because I tell the truth. It doesn't always make me friends – lots of people don't like the truth – but it is all I know. I'm a lazy sort by nature and trying to keep up a tangled web of lies is too much effort for me to expend for any reason.

      The price of a man

      I'm not unrealistic about the world. I have a price. My price is eight figures. Meet this price and I'll say whatever you want me to say. This price is way – way – beyond what anyone has ever offered me. I'm just not important enough for someone to have tried to buy me yet.

      It's easy to level accusations of "shill." I've done it myself when I think so lowly of the other party that I honestly believe they could be bought for a half-eaten hamburger. We all know the guy who bought an computer product or service that was far more expensive than the competition just because he got a fancy lunch. Why not assume that journalists are as easy to buy?

      The truth lies in the profession itself. If The Register were to become known for being "purchasable" then it would simply cease to exist. The readership would dry up and the value of advertising on the site would evaporate immediately thereafter.

      The same is true for me, personally, as a journalist. If I have any "value" in this profession it is because I am known for being a hardass that truly and honestly believes in El Reg's motto: biting the hand that feeds IT. Companies seek me out to do reviews because they believe that if they can get a good review out of me people will believe it. If I accept a payoff then I lose my livelihood[1].

      Fear and loathing in Silicon Valley

      Consider Chris Mellor. I know for a fact that there are several hundred storage PR and marketing people who live in mortal terror of that man. When I started to write the odd piece about storage for The Register they all popped out of a portal desiring to woo me because they hoped (in vain, I might add) that I would be less blunt.

      Mellor has earned a reputation for being fierce that, quite frankly, I envy. He tells the truth as he sees it. It is journalists like him that are why I have been a reader and fan of The Register for over a decade.

      I get far more of a thrill out of talking about the elephant in the room than I ever will get out of some bit of techno-gadgetry. I don't need Yet Another 4-bay NAS. I don't need Yet Another NFR Software License. I have a pretty cool testlab already, and I am absolutely transparent about where I got my gear.

      To be perfectly honest, I personally haven't wanted for shiny computer widgets for home use in over a decade (long before I started writing for El Reg) and I am only rarely interested in any of the new stuff that I see hit the tradeshow floors. I write about this stuff, I even practice this stuff professionally, but my life's ambition is not the accumulation of techno-tat. I want to write a science fiction trilogy. The gizmo of the week isn't going to make that happen any sooner.

      If you honestly think that The Register is peopled by shills then I invite you to do some digging on your own. Talk to PR people. Ask them. They will tell you the same tales as I have told you above, but with more four-letter words and a lot of repressed bitterness. We do not make their lives easy.

      I hope that the above explains the world of writing for The Register as seen from the world of a freelancer such as me. With any luck, I've helped explain a little of "how we writers get paid" and how the absolute wall between the monies paid and the writers is maintained by the editors. Thanks for your time, and I hope you choose to keep on reading El Reg.

      [1]This, incidentally, is where my "purchase price" comes in. I will say anything you want me to say if and only if you pay me enough money to say it such that I never ever have to worry about money again and retire the next day.

      1. K
        Thumb Up

        Re: On tech journalism shills: a freelancer's view from the bottom

        Trevor, hell of a response to a troll (or sarcy comment).. you should have just asked if he was jealous?! :)

        Regarding the link, its not usual for them to be in such a format, companies like GFI invest huge sums in online advertising, so they want to know where their traffic is coming from, such URLs just give them visibility.

        1. Trevor_Pott Gold badge

          Re: On tech journalism shills: a freelancer's view from the bottom

          It was a Monday. I dislike Mondays. I decided the only way to be sure I quashed the relevant bug was to deorbit several dozen kinetic rods directs on top of the target.

          It is the only way to be sure.

          Besides, this way I can link back to it the next time someone accuses me of the same thing, yawn, and go back to sleep.

  6. This post has been deleted by its author

  7. rm -rf

    Nessus v LanGuard

    I've used LanGuard, Nessus & Retina. Like the writer, I like to use to older versions of LanG for a quick scan. As far as results, for the most part, LanGuard & Nessus had similar findings. Depending on what I threw at Retina, I'd get a different result from the other two products. YMMV.

    What I like most about LanGuard is the reporting... easy to use, good-looking, some already made for you to run out-of-the-box, easy to customise. Good to see that it makes full use of th CPU & available memory to scan. Sometimes I'd just start it and leave it to run overnight as it did take a few hours to scan networks when full scans were selected. Not a bad price for the $, either.

    No harm in having Nessus or Retina in your toolkit either, especially if cost is a factor. You can't beat free. DON'T treat the output of any scanner as the gospel truth - use more than one, compare results to be sure, then use your judgement on whether that critical vul'n really exists on that server or not.

This topic is closed for new posts.