RISK MANAGEMENT
Skybox View 3.0 from Skybox Security
Price: Skybox Assure starts at $50,000; Skybox Secure starts...
Skybox has created a powerful tool to give IT, audit and security teams a comprehensive view of threats, as well as the ability to virtualize penetration testing through an innovative modeling scheme. Skybox View builds a detailed map of your network and assesses threats against it based on feeds from VA scanners and SIMs. The result is a unique and flexible approach for assessing and managing specific threats and overall risk to your digital assets.
We installed Skybox View on one machine without any difficulty, but your network may require several installations. The thorough documentation provides a complete workflow.
Skybox builds your network model by analyzing firewall, router and switch configurations; it also uses vulnerability and SIM data and manually imported host information. Modeling your network is fairly straightforward--as long as it is made up of supported devices, including Check Point Software Technologies, Cisco Systems and Juniper Networks' NetScreen firewalls. When you import a supported device, you just need to view the interfaces and assign each one to a "zone" (internal, DMZ). Other devices require a little more time, but aren't difficult to set up. For these, we manually created the ACLs and then assigned zones to the interfaces.
Skybox View has two components: Skybox Secure tools identify, analyze and visualize risks to your organization, and the business impact of those threats; Skybox Assure takes care of change policies and the compliance of your network devices.
Taking on the role of security consultants who perform regular penetration testing, we spent most of our time in Skybox Secure, manipulating the graphical network model, changing vulnerabilities and ACLs, and looking at how an attacker could actually compromise a specific network asset. You can identify the most severe vulnerabilities--those that are most likely to be exploited, giving an attacker the greatest access to your network and threatening your most valuable assets. This allows you to prioritize threats and take remedial action, first by adjusting ACLs to cut off the attack path, and then by correcting configurations and/or patching.
Skybox's extensive dictionary of threats provides an accurate view of risks and vulnerabilities. Dollar amounts can be assigned to assets to place a real cost on potential compromises. There are a number of useful modeling features, such as running "what if" scenarios against your live network, and simulating new and emerging threats.
We really appreciated the device analyzer, which compares your configurations against best practices, such as those from NIST. For example, it looks for places where you allow traffic from external to internal networks, or allow Telnet to the Internet. This saves hours of work manually analyzing configurations.
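The rule checks and the attack-path "what if" analysis described above can be illustrated with a small zone model. This is an added example, not Skybox's code or algorithm; the zones, ACL rules, host names and function names are constructed for illustration.

```python
from collections import deque

# Constructed sample model (not from the review): ACL rules as (src_zone, dst_zone, port).
ACLS = {
    ("external", "dmz", 443),
    ("external", "internal", 23),   # Telnet from outside straight to the inside
    ("dmz", "internal", 1433),
    ("internal", "external", 23),   # Telnet out to the Internet
}
# Constructed hosts: name -> (zone, ports with an exploitable vulnerability).
HOSTS = {"web01": ("dmz", {443}), "db01": ("internal", {1433}), "hr01": ("internal", {23})}

def audit(acls):
    """Flag the two rule patterns the review mentions."""
    findings = []
    for src, dst, port in sorted(acls):
        if src == "external" and dst == "internal":
            findings.append(f"external->internal allowed on port {port}")
        if dst == "external" and port == 23:
            findings.append(f"Telnet to the Internet allowed from {src}")
    return findings

def attack_paths(acls, hosts, start="external"):
    """Breadth-first search over zones; returns host -> chain of hosts exposing it."""
    paths, seen = {}, {start}
    queue = deque([(start, [])])  # (zone with a foothold, hosts used to get there)
    while queue:
        zone, chain = queue.popleft()
        for name, (hzone, vuln_ports) in sorted(hosts.items()):
            if name in paths or not vuln_ports:
                continue
            # Same zone is assumed unfiltered; otherwise an ACL must permit a vulnerable port.
            if hzone == zone or any((zone, hzone, p) in acls for p in vuln_ports):
                paths[name] = chain + [name]
                if hzone not in seen:
                    seen.add(hzone)
                    queue.append((hzone, paths[name]))
    return paths

def what_if(acls, hosts, removed):
    """Re-run the analysis with some rules removed, leaving the model itself untouched."""
    return attack_paths(acls - set(removed), hosts)

if __name__ == "__main__":
    print(audit(ACLS))
    print(attack_paths(ACLS, HOSTS))
    # Dropping only the Telnet rule still leaves a path to hr01 through the DMZ.
    print(what_if(ACLS, HOSTS, [("external", "internal", 23)]))
```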
Reports can consist of vulnerability findings, access policy data, firewall changes or risks, drawing from all the data feeds and analytics. Risk reports are particularly useful in showing your security posture for compliance with specific regulations like Sarbanes-Oxley and GLBA. These reports break down policies into different sections, showing exactly where and why you are noncompliant.
Testing from a consulting perspective, we still didn't touch all the capabilities of this far-reaching tool. It provides a complete framework for analyzing threats and configuring your network to limit intruder access.
We installed Skybox View on a 2 GHz machine with 2 GB of RAM, meeting the minimum requirements of Skybox View for networks with fewer than 500 nodes. Network simulation was modeled on our lab environment and data provided by Skybox.
This article originally appeared in the December 2006 edition of Information Security magazine.