The Essential Security Toolbox
From protocol analyzers to vulnerability scanners, here are some tools that can help keep your network secure.
Having the right tools for the job makes all the difference in the world. It's
no exception when the job is information security. In this column, I thought
it would be helpful to talk about some of the tools that have come to be indispensable
components of my own toolbox and how they can be useful to you.
Not Your Father's Network Monitor
When tracking security issues, you have to know exactly what's happening on
your network. A protocol analyzer (also called a packet sniffer) is an indispensable
tool for this task. For years, I've used Microsoft's Network Monitor to listen
in on my network.
Over the years, the open source Wireshark (formerly known as Ethereal) added
more features, so that became my preferred protocol analyzer. However, Microsoft
recently released Network Monitor 3. Containing a range of new features -- including
vastly improved customization options -- this product has moved back to the
top of my list. With the new version, I can capture data on any network traffic
I want and dissect it to my heart's content. It helps me determine exactly what's
going on in my network and it's a free download.
Reviewing logs of all kinds, from Windows security logs to IIS logs, is an important
part of securing and monitoring your network. These tasks can quickly become
overwhelming, even in a small network, and important events can go unnoticed.
There are many commercial applications for consolidating logs, but one of the
most capable tools is another free download from Microsoft: the Log Parser.
This tool reads IIS and other W3C-format logs, the Windows event logs, CSV and XML
files and plain text, and lets you query all of them with a SQL-like syntax. You can
then create customized reports from all that data.
However, there's a catch: To make Log Parser truly useful you'll have to do
a lot of customizing and tweaking. Fortunately, the tool's author maintains
a Web site with Log Parser samples. He's even written an entire book on how
to use Log Parser. Like Network Monitor, Log Parser should definitely be part
of your toolbox.
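As an added example (not part of the column and not Log Parser's own code), here is the kind of report you would build in Log Parser, written as a small Python script so it runs against sample log lines without the tool installed. The IIS log lines, the client addresses and the thresholds are constructed for illustration. The Log Parser equivalent of the first report is: LogParser.exe "SELECT c-ip, COUNT(*) AS Hits FROM ex*.log WHERE sc-status = 404 GROUP BY c-ip ORDER BY Hits DESC" -i:IISW3C

```python
from collections import Counter

# Constructed sample of an IIS W3C extended log file; not taken from a real
# server. The "#Fields:" directive names the columns that follow it.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2007-03-01 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2007-03-01 00:00:01 10.0.0.5 GET /default.htm - 80 - 192.0.2.10 Mozilla/4.0 200 0 0
2007-03-01 00:00:02 10.0.0.5 GET /scripts/cmd.exe /c+dir 80 - 198.51.100.7 Mozilla/4.0 404 0 2
2007-03-01 00:00:02 10.0.0.5 GET /cgi-bin/test.cgi - 80 - 198.51.100.7 Mozilla/4.0 404 0 2
2007-03-01 00:00:03 10.0.0.5 GET /phpmyadmin/ - 80 - 198.51.100.7 Mozilla/4.0 404 0 2
2007-03-01 00:00:03 10.0.0.5 GET /backup.zip - 80 - 198.51.100.7 Mozilla/4.0 404 0 2
2007-03-01 00:00:04 10.0.0.5 GET /images/logo.gif - 80 - 192.0.2.10 Mozilla/4.0 200 0 0
2007-03-01 00:00:05 10.0.0.5 GET /admin/ - 80 - 203.0.113.9 curl/7.15 401 2 5
2007-03-01 00:00:05 10.0.0.5 GET /admin/ - 80 - 203.0.113.9 curl/7.15 401 1 2148074254
2007-03-01 00:00:06 10.0.0.5 GET /admin/ - 80 - 203.0.113.9 curl/7.15 401 1 2148074254
2007-03-01 00:00:07 10.0.0.5 GET /old.htm - 80 - 192.0.2.10 Mozilla/4.0 404 0 2
2007-03-01 00:00:08 truncated line
"""


def parse_w3c(text):
    """Parse W3C extended log text into (records, malformed).

    records   - one dict per entry, keyed by the names in the latest #Fields
                line (IIS writes a new #Fields line when the logged columns
                change, so the header is tracked as the file is read)
    malformed - lines whose column count does not match the header; report
                these rather than dropping them, because a crashed logger and
                a tampered log file both look like this
    """
    fields = None
    records, malformed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue                      # #Software, #Version, #Date ...
        values = line.split(" ")          # IIS encodes spaces in values as '+'
        if fields is None or len(values) != len(fields):
            malformed.append(line)
            continue
        records.append(dict(zip(fields, values)))
    return records, malformed


def clients_by_status(records, statuses, threshold):
    """Clients that received at least `threshold` responses with a status in
    `statuses`, most active first: the same grouping Log Parser does with
    GROUP BY c-ip. A burst of 404s is a scanner probing for files; a burst
    of 401s is someone guessing credentials."""
    counts = Counter(r["c-ip"] for r in records if int(r["sc-status"]) in statuses)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


def requests_from(records, ip):
    """(status, path) pairs for one client, in log order, for triage."""
    return [(int(r["sc-status"]), r["cs-uri-stem"]) for r in records if r["c-ip"] == ip]


if __name__ == "__main__":
    records, malformed = parse_w3c(SAMPLE_LOG)
    for ip, n in clients_by_status(records, {404}, threshold=3):
        print(f"{ip}: {n} x 404 -> {requests_from(records, ip)}")
    for ip, n in clients_by_status(records, {401, 403}, threshold=3):
        print(f"{ip}: {n} authentication failures")
    print(f"{len(malformed)} malformed line(s) skipped")
```

The same shape of query works against the Windows security log (group failed logons by workstation name or source address); the point of Log Parser is that one query language covers every log format you collect.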
A wireless network can be a great convenience, but when an employee plugs an
uncontrolled wireless access point into your network, anyone within radio range
has a path past your perimeter, which is a serious security risk. NetStumbler is
an 802.11 scanner that tells you which wireless networks and access points are
within range of your machine. You should regularly scan for unauthorized access
points to keep your network secure. Keep in mind that NetStumbler works by sending
probe requests, so an access point configured not to answer them (for example,
one that doesn't broadcast its SSID) can slip past it. You can also use NetStumbler
to find available wireless networks as you travel.
Mapping the Net
Nmap is a free network mapper that lets you scan an entire network, find all
the computers and devices that are connected to the network and identify or
"fingerprint" each device. It sends specially crafted network packets
to target IP addresses and examines the replies for telltale signs of specific
operating systems or network stacks. Hackers regularly use Nmap to map out targeted
networks. Administrators can use it to find rogue computers or unexpected devices.
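As an added example (not from the column and not Nmap's own code), the following Python script takes the XML that Nmap writes with its -oX option and compares it against an approved asset inventory, which is how you turn a scan into a list of rogue hosts, unexpected services and machines that have gone missing. The scan output, the inventory and the addresses are constructed; a real run would be something like "nmap -sS -O -oX scan.xml 10.0.0.0/28", which needs administrator or root rights because of the raw packets involved. Nmap's OS matches are best guesses that come with an accuracy figure, so the script only flags an OS mismatch above a confidence threshold.

```python
import xml.etree.ElementTree as ET

# Constructed nmap XML output, in the shape that "nmap -O -oX scan.xml <net>"
# writes; trimmed to the elements used below and not a real capture.
SCAN_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -O -oX scan.xml 10.0.0.0/28" version="4.20">
  <host><status state="up"/>
    <address addr="10.0.0.1" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:01" addrtype="mac" vendor="Cisco"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
    </ports>
    <os><osmatch name="Cisco IOS 12.X" accuracy="96"/></os>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:05" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-term-serv"/></port>
      <port protocol="tcp" portid="8080"><state state="closed"/><service name="http-proxy"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows Server 2003 SP1" accuracy="94"/></os>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.9" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:09" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    </ports>
    <os><osmatch name="Linux 2.4.X" accuracy="90"/></os>
  </host>
  <host><status state="down"/>
    <address addr="10.0.0.12" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Constructed asset inventory: what is supposed to be on this segment.
INVENTORY = {
    "10.0.0.1":  {"role": "router",       "os": "Microsoft Windows" if False else "Cisco IOS", "ports": {22}},
    "10.0.0.5":  {"role": "file server",  "os": "Microsoft Windows", "ports": {135, 445}},
    "10.0.0.12": {"role": "print server", "os": "Linux",             "ports": {9100}},
}


def parse_scan(xml_text):
    """Return {ipv4: {"mac", "os", "accuracy", "ports"}} for each host nmap saw up."""
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        ip = mac = None
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                ip = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                mac = addr.get("addr")
        open_ports = {
            int(p.get("portid"))
            for p in host.findall("ports/port")
            if p.find("state").get("state") == "open"
        }
        match = host.find("os/osmatch")   # nmap lists matches best-first
        hosts[ip] = {
            "mac": mac,
            "os": match.get("name") if match is not None else None,
            "accuracy": int(match.get("accuracy")) if match is not None else 0,
            "ports": open_ports,
        }
    return hosts


def audit(hosts, inventory, min_os_accuracy=85):
    """Compare a parsed scan with the inventory; returns (ip, kind, detail) tuples."""
    findings = []
    for ip, seen in sorted(hosts.items()):
        expected = inventory.get(ip)
        if expected is None:
            findings.append((ip, "rogue",
                             f"not in inventory; os={seen['os']} open={sorted(seen['ports'])}"))
            continue
        # Fingerprints are heuristics: only trust a mismatch nmap is confident about.
        if (seen["os"] and seen["accuracy"] >= min_os_accuracy
                and not seen["os"].startswith(expected["os"])):
            findings.append((ip, "os-mismatch",
                             f"expected {expected['os']}, fingerprinted {seen['os']}"))
        extra = seen["ports"] - expected["ports"]
        if extra:
            findings.append((ip, "unexpected-ports", f"open but not approved: {sorted(extra)}"))
    for ip in sorted(set(inventory) - set(hosts)):
        findings.append((ip, "missing", f"{inventory[ip]['role']} did not answer the scan"))
    return findings


if __name__ == "__main__":
    for ip, kind, detail in audit(parse_scan(SCAN_XML), INVENTORY):
        print(f"{ip:<12} {kind:<17} {detail}")
```

A host that is "missing" is not automatically good news: a print server that stops answering may simply be off, or it may have been replaced by something that now shows up as "rogue" at a different address, so read the two lists together.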
Who says bad guys should have all the fun? Sure, you can use password cracking
to break into networks. Those same techniques can help you identify weak user
passwords or recover lost passwords. Several tools are available to automate
The two I use most often are John the Ripper and Cain & Abel. John the
Ripper has been around for a long time. It runs dictionary and brute-force attacks
against Windows LM and NT password hashes and many other hash formats. Cain & Abel
adds precomputed rainbow-table attacks and a much larger variety of input sources, including
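To show what John the Ripper and Cain & Abel do under the hood, here is an added Python example (not from the column and not either tool's code) that runs a dictionary attack with a few mangling rules, then a short brute-force pass, against a constructed set of unsalted SHA-1 hashes, the format John calls raw-sha1. The user names, passwords and wordlist are made up. NT hashes are unsalted as well (MD4 over the UTF-16LE password), so the same attack shape applies to them; SHA-1 is used here only because hashlib always provides it. The rough John equivalent of the first pass is "john --wordlist=words.txt --rules hashes.txt".

```python
import hashlib
import itertools
import string


def raw_sha1(password):
    """Unsalted SHA-1 of the password, the shape of John's "raw-sha1" format."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed user -> hash "dump"; no real accounts.
USER_HASHES = {
    "alice": raw_sha1("Password1"),
    "bob":   raw_sha1("letmein"),
    "carol": raw_sha1("2468"),
    "dave":  raw_sha1("j8#Wq2!vLp9z"),   # not reachable by anything below; stays uncracked
}

# Constructed mini wordlist; real runs use hundreds of thousands of entries.
WORDLIST = ["password", "letmein", "welcome", "monkey", "dragon", "qwerty"]


def mangle(word):
    """A few John-style rules: as-is, capitalised, and each with one digit
    appended. Rules are what turn a small wordlist into a large candidate set."""
    for base in (word, word.capitalize()):
        yield base
        for digit in string.digits:
            yield base + digit


def index_by_hash(hashes):
    """Unsalted hashes let one candidate be checked against every user with a
    single dictionary lookup; a per-user salt is what breaks this shortcut."""
    by_hash = {}
    for user, h in hashes.items():
        by_hash.setdefault(h, []).append(user)
    return by_hash


def dictionary_attack(hashes, wordlist):
    """Hash each mangled word once and look it up against all users."""
    by_hash = index_by_hash(hashes)
    found = {}
    for word in wordlist:
        for candidate in mangle(word):
            for user in by_hash.get(raw_sha1(candidate), []):
                found.setdefault(user, candidate)
    return found


def brute_force(hashes, alphabet, max_len):
    """Exhaustive search of every string up to max_len over alphabet. Only
    feasible for short passwords or tiny alphabets (digit-only PINs here)."""
    by_hash = index_by_hash(hashes)
    found = {}
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            candidate = "".join(chars)
            for user in by_hash.get(raw_sha1(candidate), []):
                found.setdefault(user, candidate)
    return found


def audit_passwords(hashes, wordlist, alphabet=string.digits, max_len=4):
    """Cheap dictionary-with-rules pass first, then brute force whatever is left."""
    found = dictionary_attack(hashes, wordlist)
    remaining = {u: h for u, h in hashes.items() if u not in found}
    found.update(brute_force(remaining, alphabet, max_len))
    return found


if __name__ == "__main__":
    cracked = audit_passwords(USER_HASHES, WORDLIST)
    for user in USER_HASHES:
        print(f"{user}: {cracked.get(user, '<not cracked>')}")
```

Three of the four accounts fall in well under a second, and the one that survives does so only because its password is long and not a dictionary word with decoration. That is the lesson to take back to your users: the tools are fast, and length and unpredictability are what slow them down.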
Revealing the Root
Rootkits are a relatively new threat to computers. They use advanced stealth
methods to make themselves almost undetectable. Many virus protection tools
can't detect these rootkits, so you'll have to do additional scanning.
RootkitRevealer from Sysinternals is one of the best free rootkit scanners
available. It works by comparing what the Windows API reports about the file
system and registry with what a raw read of the disk and registry hives contains;
a discrepancy means something is hiding from the API. A few discrepancies are
benign (files that changed between the two passes, for instance), so read the
output before you panic. Because Sysinternals was acquired by Microsoft, you can
download this tool from Microsoft. While you're there, take a look at the other
Sysinternals tools you can download for free. Many of them also deserve a prominent
place in your security toolbox, including Autoruns (which shows you all programs
started during the boot and log-in phases) and TCPView (which lets you know which
programs use which network ports).
You know your network is under constant threat. You know the hackers are out
to get you. Just how vulnerable are your servers and client computers? One good
way to find out is to run an automated vulnerability scanner.
One of the best vulnerability scanners available is Nessus. It has long been
available on Unix and Linux, but now also runs on Windows. While Nessus is no
longer open source software, it's still free. There's an extensive collection
of plug-ins to test for specific vulnerabilities, and the active user base
keeps contributing new ones.
Nessus checks for a wide range of vulnerabilities on all systems. Whether you
want to check a Windows Server or MySQL running on Fedora, Nessus has you covered.
Two caveats: only scan systems you are authorized to scan, and leave the "safe
checks" option enabled on production machines, since some of the more aggressive
plug-ins can crash fragile services. Using Nessus requires a small investment of
time to learn how to use it, but it's time well spent.
To Google or Not To Google
Google is an indispensable tool for anyone using the Internet. Besides the many
things Google indexes, it also catalogs incorrectly secured password files,
error messages that reveal confidential information and data that identifies
a server as being vulnerable to an attack.
Using clever queries to find this information is called Google Hacking. Johnny
Long wrote a book about Google Hacking techniques and maintains a Web site with
a database of such queries, the Google Hacking Database. You can use what's known
about Google Hacking as part of your penetration testing efforts to see whether
there's any information online that might help someone else break into your
network; restricting the queries with the site: operator to your own domains is
the quickest way to start.
These are some of my favorite tools, but there are many more out there. If
you think I've left out an essential tool or want to make suggestions for future
columns, write to me at firstname.lastname@example.org.
More Information
Come and Get It
Here's where you can review and download the tools mentioned in this column:
Joern Wettern, Ph.D., MCSE, MCT, Security+, is the owner of Wettern Network Solutions, a consulting and training firm. He has written books and developed training courses on a number of networking and security topics. In addition to helping
companies implement network security solutions, he regularly teaches seminars and speaks at conferences worldwide.