Security Advisor

The Essential Security Toolbox

From protocol analyzers to vulnerability scanners, here are some tools that can help keep your network secure.

Having the right tools for the job makes all the difference in the world. It's no exception when the job is information security. In this column, I thought it would be helpful to talk about some of the tools that have come to be indispensable components of my own toolbox and how they can be useful to you.

Not Your Father's Network Monitor
When tracking security issues, you have to know exactly what's happening on your network. A protocol analyzer (also called a packet sniffer) is an indispensable tool for this task. For years, I've used Microsoft's Network Monitor to listen in on my network.

Over the years, the open source Wireshark (formerly known as Ethereal) added more features, so that became my preferred protocol analyzer. However, Microsoft recently released Network Monitor 3. Containing a range of new features -- including vastly improved customization options -- this product has moved back to the top of my list. With the new version, I can capture data on any network traffic I want and dissect it to my heart's content. It helps me determine exactly what's going on in my network and it's a free download.

Parse This
Reviewing logs of all kinds, from Windows security logs to IIS logs, is an important part of securing and monitoring your network. These tasks can quickly become overwhelming, even in a small network, and important events can go unnoticed. There are many commercial applications for consolidating logs, but one of the most capable tools is another free download from Microsoft: the Log Parser. This tool takes entries from pretty much any log format imaginable. You can then create customized reports from all that data.

However, there's a catch: To make Log Parser truly useful you'll have to do a lot of customizing and tweaking. Fortunately, the tool's author maintains a Web site with Log Parser samples. He's even written an entire book on how to use Log Parser. Like Network Monitor, Log Parser should definitely be part of your toolbox.
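The kind of customized report described above, sketched in Python as an added example (this is not Log Parser and not code from the column): it reads IIS logs in W3C extended format, follows the `#Fields:` directive even when the field list changes partway through a file, and lists clients with repeated 401 responses. The log lines, addresses, function names and the threshold of 3 are constructed for illustration.

```python
from collections import Counter

# Constructed sample in IIS W3C extended format (not taken from a real server).
# Note the second #Fields line: IIS writes a new one when logging settings change.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2007-03-01 10:00:01 192.0.2.10 - GET /admin/ 401
2007-03-01 10:00:02 192.0.2.10 - GET /admin/ 401
2007-03-01 10:00:03 192.0.2.10 - GET /admin/ 401
2007-03-01 10:00:04 198.51.100.7 CORP\\alice GET /default.htm 200
#Fields: date time cs-method cs-uri-stem sc-status c-ip
2007-03-01 10:05:00 GET /admin/ 401 192.0.2.10
2007-03-01 10:05:01 GET /reports/ 401 198.51.100.7
2007-03-01 10:05:02 GET /default.htm 200 203.0.113.5
truncated-line
"""


def parse_w3c(text):
    """Yield one dict per log entry, honouring every #Fields directive."""
    fields = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # no header seen yet, or a truncated/corrupt line
        yield dict(zip(fields, values))


def failed_auth_by_client(text, threshold=3):
    """Return {client IP: count} for clients with >= threshold 401 responses."""
    counts = Counter(e["c-ip"] for e in parse_w3c(text)
                     if e.get("sc-status") == "401" and "c-ip" in e)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in sorted(failed_auth_by_client(SAMPLE_LOG).items()):
        print(f"{ip}\t{n} failed authentications")
```

Reading columns by name rather than by position is what keeps the counts right when the field order changes mid-file.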

Going Wireless
A wireless network can be a great convenience, but when an employee connects to an uncontrolled wireless access point in your network, there's a serious security risk. Netstumbler is an 802.11 sniffer that tells you which wireless networks and access points are available in your vicinity. You should regularly scan for unauthorized access points to keep your network secure. You can also use Netstumbler to find available wireless networks as you travel.

Mapping the Net
Nmap is a free network mapper that lets you scan an entire network, find all the computers and devices that are connected to the network and identify or "fingerprint" each device. It sends specially crafted network packets to target IP addresses and examines the replies for telltale signs of specific operating systems or network stacks. Hackers regularly use Nmap to map out targeted networks. Administrators can use it to find rogue computers or unexpected devices.

Password Cracking
Who says bad guys should have all the fun? Sure, you can use password cracking to break into networks. Those same techniques can help you identify weak user passwords or recover lost passwords. Several tools are available to automate this process.

The two I use most often are John the Ripper and Cain & Abel. John the Ripper has been around for a long time. It runs brute-force attacks against Windows password hashes and several other sources. Cain & Abel uses more advanced decryption methods and a much larger variety of input sources, including VoIP conversations.

Revealing the Root
Rootkits are a relatively new threat to computers. They use advanced stealth methods to make themselves almost undetectable. Many virus protection tools can't detect these rootkits, so you'll have to do additional scanning.

RootkitRevealer from Sysinternals is one of the best free rootkit scanners available. Because Sysinternals was acquired by Microsoft, you can download this tool from Microsoft. While you're there, take a look at the other Sysinternals tools you can download for free. Many of them also deserve a prominent place in your security toolbox, including Autoruns (which shows you all programs started during the boot and log-in phases) and TCPView (which shows you which programs use which network ports).

Feeling Vulnerable?
You know your network is under constant threat. You know the hackers are out to get you. Just how vulnerable are your servers and client computers? One good way to find out is to run an automated vulnerability scanner.

One of the best vulnerability scanners available is Nessus. It has long been available for Unix and Linux, but now also runs on Windows. While Nessus is no longer just open source software, it's still free. There's an extensive collection of plug-ins to test for specific vulnerabilities, and the active user base keeps contributing new ones.

Nessus checks for a wide range of vulnerabilities on all systems. Whether you want to check a Windows Server or MySQL running on Fedora, Nessus has you covered. Learning Nessus requires a small investment of time, but it's time well spent.

To Google or Not To Google
Google is an indispensable tool for anyone using the Internet. Besides the many things Google indexes, it also catalogs incorrectly secured password files, error messages that reveal confidential information and data that identifies a server as being vulnerable to an attack.

Using clever queries to find this information is called Google Hacking. Johnny Long wrote a book about Google Hacking techniques and maintains a Web site with a database of vulnerabilities. You can use what's known about Google Hacking as part of your penetration testing efforts to see whether there's any information online that might help someone else break into your network.

These are some of my favorite tools, but there are many more out there. If you think I've left out an essential tool or want to make suggestions for future columns, write to me at [email protected].

More Information

Come and Get It
Here's where you can review and download the tools mentioned in this column:

About the Author

Joern Wettern, Ph.D., MCSE, MCT, Security+, is the owner of Wettern Network Solutions, a consulting and training firm. He has written books and developed training courses on a number of networking and security topics. In addition to helping companies implement network security solutions, he regularly teaches seminars and speaks at conferences worldwide.
