it was rather cool being mentioned in NWFusion Compendium with my recent ru-in with Salesman Steve from Citadel. He remained ever vigilant repeatedly calling back after that first day run-in, and calling me twice in the next 3 days. I finally relented and agreed to do a demo with NT network admin. The product would fulfill a niche between vulnerability discovered, and it being mitigated by patch or action.
The demo went well, but it became apparent that some faults were the reliance upon a third party scanner for the quality of the Hercules product. Obviously the scans from ISS, Nessus, eEye Retina, and certainly MBSA would be varying levels of value. If I wanted to know the weak level of passwords – like being “password”, my vulnerability scanner would have to include some sort of dicitonary attack. Citadel’s Hercules, although it could remediate an action (force a password change or disable an account), wouldn’t know about it unless some gave it a clue. The weak password issue is just one example of where the product is deficient. Also an interesting focus on the meeting was Citadel’s focus on change management procedures, which was one of the things Information Security Magazine gigged them on. The product would seem dangerous in the hands of the uninformed (or too trusting of Citadel’s engineers) applying remediations without first evaluating every remediation in a test environment first. I like have suggested actions, but reenforcing the sign off procedure for new remediation could certainly be more manual process in my hands — rather than just download all the new remediations from the Citadel Vflash server. Without looking at each remediation it is difficult to accurately judge what judgements were made by the engineers (such as anonymous sessions) and what the likelihood that it may break something.
One of the other “features” was it implemented the Gold standard security template from C1 organization. This is based upon a freely released baseline template, which I coincidentally used as our baseline standard already. The benefit in using the Hercules product would be the reporting of those boxes currently out of compliance. Applying the security template using secedit.exe just doesn’t have the same features, but in the end, it applies the template in the same manner. Reporting in the end is probably the most noticeable and eye-catching feature. Crystal Reports could probably generate the same reports, but again it would take a lot of work to implement in the same fashion.
Then of course came the hard sell from Steve, and “how can we (Citadel) get your business” talk. It was remarkably like the car process in the end, and I fully expect in the coming days, “I’ll have to talk to my manager.” (I will really laugh if he says he’ll call the owner @ home ala Carvantage) When we asked the price for the software, he responded “nine ninety-five per server.” Now I have to admit my initial thought was $10 per server — WOW — that is a good deal. I however quickly regained my senses to realize he was talking approximately $1000 per server. HOLY COW!!! Sticker shock hit hard, and I could barely stop from laughing at my previous thought.
These are just one person’s initial impression to the software package, and the true product may differ. However, I highly doubt that a product in the $1k per server range is going to pass management inspection when they realize the actual scanning is coming from a collaboration of open source software. Sure the reporting and making the NT admin’s job easier in rectifying vulnerabilities is important, but I dare bet management is going to value the $$ over the admin’s late night hours (who even if the product was implemented would still have to monitor the process).