Max Patrol 8. Vulnerability Management Tool Overview



    Sooner or later, in any company that thinks about information security, the question arises: "How to detect vulnerabilities in a protected system in a timely manner, thereby preventing possible attacks using it?" Agree, manually monitor which vulnerabilities appear in the public domain, very laborious operation. In addition, after detecting a vulnerability, you need to somehow fix it. As a result, this whole process translates into a large number of man-hours, and any IT specialist immediately naturally has another question: “Is it possible to automate the process of managing vulnerabilities?”

    To solve such problems, so-called vulnerability scanners are used. In this article, we will consider one of the representatives of this kind of solutions, namely Max Patrol 8 from Positive Technologies.

    In this article, we will demonstrate how Max Patrol 8 works by scanning an obviously vulnerable system and demonstrate the functionality of the solution. Let's start the article with the “least interesting”, but from that no less important issue, namely with the licensing schemes for this product.

    Licensing scheme


    Licensing in IT is always a complex and dynamic process, the description of which often takes dozens, and in especially difficult cases, hundreds of pages. The Max Patrol 8 scanner also has a document describing the licensing policy. But, this document is available only to partners and has a signature stamp “for internal use,” and, in principle, reading such technical documentation is boring, and it’s not always possible to understand the first time, but how is the product licensed at all. By hosts? Used resources? Or how? I will try to outline the questions posed in general terms.

    Like many modern IT products, Max Patrol 8 is provided according to the subscription model. That is, this solution has the so-called “cost of ownership” - the amount that you have to pay for each year of using the scanner, which your partner must tell you about, with which the solution is being worked out. If the integrator is silent about such an important moment, then this is an occasion to doubt his good faith, and think about his change. Believe me, explaining to the management of the company that you need to give more money so that your scanner does not turn into a “pumpkin” is not a pleasant pleasure. Therefore, the first important point - the budget for the purchase of a vulnerability scanner should be planned based on the cost of annual product ownership. In all calculations, the partner with whom you are working in this area should help you.

    Licenses for Max Patrol 8 can be exploded by functionality. Three assemblies stand out here:

    PenTest - support for penetration testing;
    PenTest & Audit - support for penetration testing and system checks;
    PenTest & Audit & Compliance - Support for penetration testing, system reviews and industry compliance monitoring.

    A detailed description of the capabilities of these assemblies is beyond the scope of this article, but already from the name you can understand what is the key feature of each of them.

    Additional scanning cores also require additional licenses. Also, the maximum number of hosts that will be scanned affects the cost of a license.

    Scanning platforms



    Max Patrol 8 boasts an abundance of supported platforms. Starting from desktop operating systems, ending with network equipment and industrial control systems. The list of all supported platforms is simply stunning, it is contained on approximately 30 A4 sheets ...

    It includes:

    • Operating Systems
    • network hardware
    • database management systems
    • desktop applications
    • server software
    • security systems
    • business applications
    • APCS
    • cryptographic information security systems

    In fact, Max Patrol 8 out of the box allows you to scan the entire corporate IT infrastructure, including network equipment, Linux and Windows servers, and workstations with all the software installed on them.

    I would like to separately note the fact that Max Patrol 8 copes with the automation of repetitive tasks, such as inventory, technical audit and monitoring of compliance and changes in the information system. Max Patrol 8 has a powerful reporting system. Thanks to this, labor costs for carrying out such routine operations as software inventory at workstations are reduced several times. It is enough to set up a custom report once that solves your problem, set up a schedule for launching the scan, and you can forget about the routine. You will have up-to-date information about the software that is installed at the workplaces of your employees.

    Max Patrol 8 does not use agents during scanning, which helps to avoid possible problems when installing agents on the server. And often, installing agents requires a server reboot. Agree, it is always a little disturbing to install third-party software on the production servers.

    The minimum configuration of the Max Patrol 8 scanner consists of one server.

    MP Server includes:

    • Control module
    • A knowledge base containing information about scans, vulnerabilities and standards
    • Database containing scan history
    • Scanning core

    It was this configuration that was used when writing the article.

    The installation process itself is quite trivial. The installation wizard starts, click on it several times, and voila, the scanner is ready to work if you have a valid license.

    Test Description


    In the process of choosing a distribution kit to demonstrate the operation of the Max Patrol 8 scanner, our eyes fell on the popular distribution Metasploitable 2. This assembly is a kind of simulator for pentesters, researchers and novice experts in the field of information security. Our choice is due to the fact that the assembly is absolutely free, does not require a lot of resources (it starts up and works normally with 512 MB of RAM) and has almost become the de facto standard in the field of training specialists in information security.

    The distribution is built on an Ubuntu server with a large set of vulnerable software installed. In the system you can find many types of vulnerabilities. There are backdoors, SQL injections, and just passwords are not resistant to brute force. Almost every service launched in the system can penetrate the system and increase its privileges.
    This tool is great for demonstrating how vulnerability scanners work, in our case, Max Patrol 8.

    Installing the distribution is very simple. Either from the OVF template, or simply copying the virtual machine files to the local disk, and launching the vmx file. It is possible to run in Virtual Box. As soon as you start the virtual machine and you see the invitation, you need to enter the combination msfadmin / msfadmin as the login and password, which is what the banner of the invitation says.



    Now it remains to log in to the system and find out which ip address our virtual machine received. By default, the network interface settings indicate that the ip address should be assigned via DHCP. This is suitable for our testing, so just enter the ifconfig command and get the address that we will enter in Max Patrol 8 as the target.

    Target scan


    So, with the goal we decided, now we need to create a scan task. At this stage, we dwell in more detail, and describe the process of creating a task, and scanning the selected target.

    In order to start a scan, you need to create a task.

    In the parameters of the task, we specify the scan profile. For our demonstration, we will select the Fast Scan profile. In essence, this is a simple port scan, with the version of the service that is listening on the port.



    As you can see in the screenshot, the scanner has several predefined profiles. The description of all profiles deserves a separate article, and is beyond the scope of today's review.
    Next, we need to set the scan node, that is, we need to enter the ip address of our Metasploitable.

    In the future, this task can be launched on a schedule, applied to separate groups of servers or workstations. This allows you to create granular policies whose tasks will be only those services that are relevant for a server or PC. This allows you to correctly allocate resources for scanning. Agree, spending resources on scanning a domain controller for web vulnerabilities is not the right idea.

    So, we launch our task, and on the main dashboard we see execution statistics.



    A simple port scan, with the definition of the application or service and its version, took us about 15 minutes.

    Scan results can be found in the history section.



    In the “Scans” section, we see a list of completed scan tasks. As you can see in the screenshot, it is possible to sort tasks by name and date. The system also has the ability to build various filters, which certainly makes it easier to find results, especially if the scan is carried out in a large infrastructure, and scheduled scanning is configured.

    Scan Results and Reporting Functionality


    So we got to the most interesting part of this review, namely, to view the scan results, and to the reporting functionality. Select the scan we need in the right window, and open it with a double click. In a new window, granularity of the scan results will open.
    The main page displays general information about the node that we scanned.



    As a result, the MaxPatrol scanner found 288 vulnerabilities in the scanned system. The same number is indicated in the Metasploitable distribution description. That is, the scanner detected all vulnerabilities present in the system being scanned. To view detailed information, go to the “navigator” section and expand the tree by clicking on the plus sign.



    Expanding the tree, we see a list of open ports on which vulnerable services or applications were discovered. The color immediately shows which ports have critical vulnerabilities. By far the most interesting part is the description of vulnerabilities.

    Take for example port 22, and open the tree further.



    In the list that opens, we see a list of vulnerable applications that listen to the specified port. In our case, it can be seen that the vulnerable OpenSSH server application is hanging on port 22. Having opened the list further, we get to all the vulnerabilities that were discovered in the specified application. On the right, in the information section, you can see what kind of vulnerability was discovered and how to fix it. This report also publishes links to additional sources of information about the vulnerability found. All information in the reports is published in Russian.

    Well, in conclusion of the review, I want to show how reporting is built in the MaxPatrol 8 scanner. Even in our example, with one single server, it can be seen that the scanner generates a lot of information. And if the tasks indicate scanning 100 nodes? In this case, it will be very laborious to search for the information you need. To solve such problems, there is a reporting functionality. The system has pre-configured templates, and you can also create custom reports depending on your tasks.

    Here is a list of report templates that are already in the system.



    Suppose we need to get information about the most vulnerable nodes in our infrastructure. If there are many nodes, then manually collecting and consolidating information from each task is very laborious. Therefore, we can use a template that is already in the system. It is called the “Most vulnerable nodes in the scan.” Double-click on the desired template, and we get into the report settings window.



    In the settings you need to specify the task, and the scan from which the report will be generated.
    Since we had one node in the scan, we will not see comparisons in this report.



    This report contains the formula by which the rating of vulnerable nodes is built. The higher the integral vulnerability, the more vulnerable the node. The reporting functionality in the MaxPatrol scanner is simply huge, and its description deserves a separate article. Reporting can be run on a schedule, and sent to e-mail to IT and IS employees.

    Conclusion


    In this article, we examined with you the basic features of the MaxPatrol 8 vulnerability scanner. From our experiment it is clear that in order to start working with the scanner, you do not need to undergo additional training and take a long time to study the administrator’s manuals. The whole interface is intuitive, and completely in Russian. Of course, we showed the simplest scenario of scanning a single node. And such a scenario does not require fine-tuning the scanner. In practice, the Max Patrol 8 scanner can solve much more serious, and confusing scenarios. Not only will the use of a vulnerability scanner help significantly increase the security of your infrastructure, it will also help in the implementation of important but unloved tasks for inventorying all elements of the IT infrastructure, including software installed on users' workstations.

    Also popular now: