Monitoring network security is always tricky and time consuming, no matter how you approach it. Nonetheless, it's incredibly important, and having certain tools at your disposal can help in your endeavors. Many people mistakenly think that network security means installing a firewall and forgetting about it. But security is an ongoing, everyday practice of perseverance and diligence. Sure, you need a firewall, but you also need to develop good habits, which include routine checks and analysis. This practice requires some specialized tools to get the job done quickly and easily, and I can recommend a few basic tools that you need in your toolkit and explain how to use them.
Before I start talking about security tools, I want to point out some basic facts that, I hope, will change the way you think about your network systems, especially if you're connected to the Internet. Most network break-ins occur on networks that are already secured but aren't monitored closely enough. In addition, poor password choices are a major culprit in giving an intruder an avenue into your network. If you keep these two important facts in mind as you perform administrative duties, you can maintain a better level of security in your environment and reduce your risks significantly.
With the advent of the Internet, my toolkit has grown to include mainly TCP/IP-related tools, which I think you'll find useful on your network. The products I use are my personal preferences, and you certainly have several other choices available. My Web site, http://www.ntshop.net/security, lists security-related tools available for download.
Let's glance at a few items in my toolkit, and then I'll talk about why I use and recommend them. This short list is by no means complete, but it is a good starting point for building your toolkit. If you're not using some of these tools, consider them because most are great time savers and essential to good security. Here are the most common tools in security administrators' toolkits:
- Port scanner
- Dial-up scanner
- Event log analyzer
- Registry analyzer
- Access control analyzer
- Protocol analyzer and packet sniffer
- Overall security scanners
Port Scanner
Each TCP/IP-related service listens on a port. A port scanner lets you scan ranges of IP addresses looking for TCP/IP ports that are listening, which means some type of service is running on that port. This tool immediately reveals systems that are running services you don't want to make available on your network, such as a private Web site or FTP server that employees run on their workstation. For port scanning, I use UltraScan, which is super fast and inexpensive. It's shareware, and registration is $5.
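The check a port scanner automates, as an added example in Python that is not code from the article or from UltraScan: each port is tested with a plain TCP connect, and anything found listening is compared against an inventory of the services that are supposed to be on that host, so the unexpected Web or FTP server the text describes stands out. The `EXPECTED_PORTS` inventory and the `demo()` run against loopback are constructed for illustration.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Constructed inventory of services that are supposed to be listening on the host.
# Anything else found listening is reported as unexpected.
EXPECTED_PORTS = {25, 80}

def port_is_listening(host, port, timeout=0.5):
    """Return True if a TCP connect() to host:port completes, i.e. a service is listening."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:  # refused, timed out, unreachable: nothing we can talk to
            return False

def scan_ports(host, ports, timeout=0.5, workers=32):
    """Test each port concurrently; return the sorted list of listening ports."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda p: (p, port_is_listening(host, p, timeout)), ports)
    return sorted(p for p, listening in results if listening)

def unexpected_services(listening, expected=EXPECTED_PORTS):
    """Listening ports that are not on the inventory of expected services."""
    return sorted(set(listening) - set(expected))

def demo():
    """Self-contained run on loopback: open one listener, scan it plus a closed port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # the OS picks a free port
    listener.listen(5)
    open_port = listener.getsockname()[1]
    # bind a second socket, then close it, to obtain a port with nothing listening
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()
    try:
        found = scan_ports("127.0.0.1", [open_port, closed_port])
    finally:
        listener.close()
    return {"open_port": open_port, "closed_port": closed_port,
            "found": found, "unexpected": unexpected_services(found)}

if __name__ == "__main__":
    print(demo())
```

The connect-based test is deliberately simple: it reports only ports where a three-way handshake completed, which is exactly the "some type of service is running" condition the article describes, and it is the form of check you would run on hosts you administer.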
Dial-up Scanner
A dial-up scanner detects actively listening modems. With this tool, you'll find unwanted and unauthorized modems that are listening for calls on your phone lines. Many employees leave their system up with a modem online so they can access the corporate LAN and the Internet on the company's dime after hours, instead of purchasing an Internet account with an Internet Service Provider (ISP). This practice is bad news because intruders love to find such backdoors into your network. Your firewall does no good if backdoors are open. Free dial-up scanners are available, many written by intruders for their use. The good thing is that you too can get copies and use them. I use ToneLoc because it shows me details in a graphical map, representing information in colored patterns, so I can see immediately which phone numbers have listening modems. To get a copy of ToneLoc, locate it with a search engine or download it from my Web site. Keep in mind ToneLoc might be overkill for your needs--it's designed to scan large blocks of phone numbers--so check my Web site for other good tools you can try instead.
Event Log Analyzer
Monitoring your system logs is an important task you need to perform regularly. Unfortunately, it's also a grueling task. Log analyzers let you take a different approach to rifling through all the logged information. Instead of using the NT Event Log viewer, you can export the data to a database manager, where you can sift out the items you're looking for and produce reports to your liking. I prefer the DumpEvt tool by Frank Ramos of Somarsoft. You can download DumpEvt from the Internet. Somarsoft also has a version of this tool in .dll form that you can incorporate into custom applications--a nice thing to have, especially if you're a code slinger. Both NT resource kit CD-ROMs contain a tool called DUMPEL, which also dumps events out of the log, but the Somarsoft tool does a much nicer job.
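The "sift out the items you're looking for" step, as an added Python example that is not code from the article or from Somarsoft: once the Security log has been exported to a delimited file, the events can be filtered and counted programmatically. The export layout and every event line in `SAMPLE_EXPORT` are constructed for this example and are not real DumpEvt output; the event IDs are the NT 4 Security log values (528 successful logon, 529 failed logon with unknown user name or bad password). The thresholds and working hours are assumptions to adjust for your site.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample export of an NT Security log (not real DumpEvt output).
# Event ID 528 = successful logon, 529 = logon failure (unknown user name or bad password).
SAMPLE_EXPORT = """\
date,time,source,type,event_id,user,computer,description
1997-05-12,08:01:14,Security,Success Audit,528,jsmith,NTSRV1,Successful Logon
1997-05-12,08:02:30,Security,Failure Audit,529,administrator,NTSRV1,Logon Failure: Unknown user name or bad password
1997-05-12,08:02:41,Security,Failure Audit,529,administrator,NTSRV1,Logon Failure: Unknown user name or bad password
1997-05-12,08:02:55,Security,Failure Audit,529,administrator,NTSRV1,Logon Failure: Unknown user name or bad password
1997-05-12,08:03:07,Security,Failure Audit,529,administrator,NTSRV1,Logon Failure: Unknown user name or bad password
1997-05-12,09:15:02,Security,Failure Audit,529,jsmith,NTSRV1,Logon Failure: Unknown user name or bad password
1997-05-12,09:15:20,Security,Success Audit,528,jsmith,NTSRV1,Successful Logon
1997-05-12,23:42:10,Security,Success Audit,528,backupop,NTSRV1,Successful Logon
"""

def parse_export(text):
    """Turn the exported log into a list of dicts, one per event, keyed by the header row."""
    return list(csv.DictReader(StringIO(text)))

def failed_logons_by_account(events):
    """Count event 529 (failed logon) per account name."""
    return dict(Counter(e["user"] for e in events if e["event_id"] == "529"))

def accounts_over_threshold(events, threshold=3):
    """Accounts with at least `threshold` failed logons: the password-guessing pattern."""
    return sorted(user for user, n in failed_logons_by_account(events).items()
                  if n >= threshold)

def logons_outside_hours(events, start_hour=7, end_hour=19):
    """Successful logons (event 528) outside the working day, as (user, time) pairs."""
    hits = []
    for e in events:
        if e["event_id"] != "528":
            continue
        hour = int(e["time"].split(":")[0])
        if hour < start_hour or hour >= end_hour:
            hits.append((e["user"], e["time"]))
    return hits

def report(text=SAMPLE_EXPORT):
    """Run all three checks over one export and return the findings."""
    events = parse_export(text)
    return {
        "failed_by_account": failed_logons_by_account(events),
        "suspicious_accounts": accounts_over_threshold(events),
        "after_hours": logons_outside_hours(events),
    }

if __name__ == "__main__":
    for name, finding in report().items():
        print(name, finding)
```

Repeated 529 events against one account are the log-side symptom of the poor-password problem the article opens with, which is why the failed-logon count is the first thing this report computes.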
Registry Analyzer
The Registry holds a lot of NT's security aspects, in addition to other important information and settings. For this reason, routinely check your Registry settings to reveal incorrectly set permissions before they lead to disaster. Cruising the Registry manually is incredibly painful work; therefore, using a good analyzer is the way to go. An analyzer automates the task and produces reports that are easy to read and understand. Also, such a tool lets you see Registry entries that newly installed software makes, which is invaluable if you use software from untrusted or unknown vendors. I prefer Frank Ramos' DumpReg tool, available at Somarsoft's Web site. DumpReg lets me easily locate keys by the date of last modification or by matching strings. DumpACL reveals the Registry permission settings.
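The two uses the text names for a Registry analyzer, finding keys by last-modification date and seeing what a newly installed package added, as an added Python example that is not code from the article or from Somarsoft. It works on two text snapshots in a simple constructed dump layout (key, last-modified stamp, value name and data), not on DumpReg's real output format; the `BEFORE` and `AFTER` snapshots, the Acme Widget package and the `AUTOSTART_KEYS` list are all constructed for the example.

```python
from datetime import datetime

# Constructed snapshots in a simple dump layout (not DumpReg's real format):
# key | last-modified stamp | value name = data, one value per line.
BEFORE = r"""
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | 1997-04-02 09:12:00 | Shell = explorer.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | 1997-04-02 09:12:00 | SysTray = systray.exe
HKLM\SOFTWARE\Acme\Widget | 1997-04-02 09:12:00 | Version = 1.0
"""
AFTER = r"""
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | 1997-04-02 09:12:00 | Shell = explorer.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | 1997-05-14 16:40:31 | SysTray = systray.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | 1997-05-14 16:40:31 | WidgetAgent = c:\widget\agent.exe
HKLM\SOFTWARE\Acme\Widget | 1997-05-14 16:40:31 | Version = 2.0
"""

# Keys whose values launch programs at boot or logon; additions here deserve a look.
AUTOSTART_KEYS = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce", "\\Winlogon")

def parse_dump(text):
    """Return {(key, value_name): (data, last_modified)} for one snapshot."""
    entries = {}
    for line in text.strip().splitlines():
        key, stamp, value = (part.strip() for part in line.split(" | ", 2))
        name, data = (part.strip() for part in value.split("=", 1))
        entries[(key, name)] = (data, datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"))
    return entries

def modified_since(entries, since):
    """Keys touched after `since` ("YYYY-MM-DD HH:MM:SS"): the date-of-last-modification view."""
    cutoff = datetime.strptime(since, "%Y-%m-%d %H:%M:%S")
    return sorted({key for (key, _), (_, stamp) in entries.items() if stamp > cutoff})

def diff_snapshots(before, after):
    """Values added, removed or changed between two snapshots (for example, around an install)."""
    added = sorted(k for k in after if k not in before)
    removed = sorted(k for k in before if k not in after)
    changed = sorted(k for k in after if k in before and after[k][0] != before[k][0])
    return {"added": added, "removed": removed, "changed": changed}

def autostart_changes(diff):
    """Added or changed values under keys that start programs automatically."""
    return sorted(k for k in diff["added"] + diff["changed"]
                  if any(k[0].endswith(suffix) for suffix in AUTOSTART_KEYS))

if __name__ == "__main__":
    before, after = parse_dump(BEFORE), parse_dump(AFTER)
    diff = diff_snapshots(before, after)
    print("changed since 1 May:", modified_since(after, "1997-05-01 00:00:00"))
    print("diff:", diff)
    print("autostart changes:", autostart_changes(diff))
```

Taking a snapshot before installing software from an unknown vendor and diffing it against one taken afterwards is the practical form of "seeing the entries that newly installed software makes"; the autostart filter then narrows the diff to the entries that matter most.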
Access Control Analyzer
Checking Access Control Lists (ACLs) on your shared resources is incredibly important. But like the Registry, this work can be tedious. ACL analyzers dump the permissions (ACLs) for the file system, Registry, shares, and printers into a concise and readable format. The report shows any apparent holes in system security, once you know what you're looking for. I use the Somarsoft tool, DumpACL, which is available from Somarsoft's Web site. The NT resource kit CD-ROM includes a tool called cacls, which performs a similar function to DumpACL.
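The "once you know what you're looking for" part, as an added Python example that is not code from the article or from Somarsoft: given a permission dump covering shares, files, Registry keys and printers, the obvious hole is a broad group (Everyone, Guests) holding write-level access. The CSV layout and all entries in `SAMPLE_REPORT` are constructed for the example and are not real DumpACL or cacls output; the `WRITE_ACCESS` and `BROAD_GROUPS` sets are assumptions you would tune for your environment.

```python
import csv
from io import StringIO

# Constructed permission report in a simple CSV layout (not real DumpACL output):
# one access control entry per line, covering shares, files, Registry keys and printers.
SAMPLE_REPORT = r"""
type,path,account,access
share,\\NTSRV1\PAYROLL,Everyone,Full Control
share,\\NTSRV1\PAYROLL,NTSRV1\Clerks,Change
share,\\NTSRV1\PUBLIC,Everyone,Read
file,C:\WINNT\System32,Everyone,Full Control
file,C:\Users\jsmith,NTSRV1\jsmith,Full Control
registry,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Everyone,Full Control
registry,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Administrators,Full Control
printer,\\NTSRV1\HPLJ4,Guests,Manage Documents
"""

# Access levels that let the holder alter the resource, and groups that in effect
# mean "anyone who can reach the machine". Both sets are assumptions for this example.
WRITE_ACCESS = {"Full Control", "Change", "Write", "Manage Documents"}
BROAD_GROUPS = {"Everyone", "Guests"}

def parse_report(text):
    """One dict per access control entry, keyed by the header row."""
    return list(csv.DictReader(StringIO(text.strip())))

def weak_entries(entries):
    """Entries that hand a broad group write-level access: the apparent holes."""
    return [e for e in entries
            if e["account"] in BROAD_GROUPS and e["access"] in WRITE_ACCESS]

def weak_paths_by_type(entries):
    """Group the weak entries by resource type so a long report can be triaged."""
    grouped = {}
    for e in weak_entries(entries):
        grouped.setdefault(e["type"], []).append(e["path"])
    return grouped

if __name__ == "__main__":
    for e in weak_entries(parse_report(SAMPLE_REPORT)):
        print(f'{e["type"]:9} {e["account"]:9} {e["access"]:16} {e["path"]}')
```

Read-only access for Everyone on a public share is left alone on purpose; the report is meant to surface the entries where a broad group can change something, not every place Everyone appears.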
Protocol Analyzer and Packet Sniffer
A protocol analyzer and packet sniffer grabs packets off your network for further analysis, which is a great capability if your network is acting up. Intruders often take an indirect approach to penetrating your network, to avoid leaving traces in the NT Event Log. Also, intrusion attempts can sometimes confuse your network or make it behave in strange ways. If you suspect something is not quite right, a good packet sniffer can lead you directly to the source of the problem in a hurry.
My personal favorite is NetXRay from Cinco Networks. NetXRay is a native NT application that also runs on Windows 95. This tool requires that your network card support promiscuous mode, which lets it collect packets destined for any address on your network from one location. Most network cards support this mode of operation. (For a review of NetXRay, see John Enck, "NetXRay by Cinco Networks," August 1996.)
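What a protocol analyzer does with the raw frames it collects, as an added Python example that is not code from the article or from Cinco Networks: it peels the Ethernet, IPv4 and TCP headers off each frame and then looks across many frames for a pattern, here bare SYN segments from one source to several ports, which is the kind of activity that leaves no trace in the NT Event Log but is plain in a capture. The frames are built in the block itself by `build_tcp_frame()` (constructed, with zero checksums, no options and no payload) rather than captured from a card in promiscuous mode; the addresses in `sample_capture()` are made up.

```python
import struct
from collections import Counter

TCP_FLAGS = (("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
             ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20))

def _ip_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))

def _mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port, flags):
    """Constructed sample frame: Ethernet II + IPv4 + TCP, no options, no payload, zero checksums."""
    eth = (bytes.fromhex(dst_mac.replace(":", "")) +
           bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00")
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     _ip_bytes(src_ip), _ip_bytes(dst_ip))
    return eth + ip + tcp

def decode_frame(raw):
    """Decode Ethernet/IPv4/TCP headers from raw bytes; returns None for frames that are not IPv4."""
    if len(raw) < 34 or struct.unpack("!H", raw[12:14])[0] != 0x0800:
        return None
    ip = raw[14:]
    ihl = (ip[0] & 0x0F) * 4  # IPv4 header length in bytes
    info = {
        "src_mac": _mac_str(raw[6:12]), "dst_mac": _mac_str(raw[0:6]),
        "src_ip": ".".join(str(b) for b in ip[12:16]),
        "dst_ip": ".".join(str(b) for b in ip[16:20]),
        "proto": ip[9],
    }
    if ip[9] == 6 and len(ip) >= ihl + 20:  # TCP with a complete fixed header
        tcp = ip[ihl:]
        info["src_port"], info["dst_port"] = struct.unpack("!HH", tcp[0:4])
        info["flags"] = {name for name, bit in TCP_FLAGS if tcp[13] & bit}
    return info

def syn_only_by_source(frames):
    """Count bare SYN segments per source address; many from one host to many ports is a scan signature."""
    counts = Counter()
    for raw in frames:
        d = decode_frame(raw)
        if d and d.get("flags") == {"SYN"}:
            counts[d["src_ip"]] += 1
    return counts

def sample_capture():
    """Constructed capture: one normal handshake plus three bare SYNs from a second host."""
    a, b, c = "00:00:0c:01:02:03", "00:a0:24:aa:bb:cc", "00:60:08:dd:ee:ff"
    return [
        build_tcp_frame(a, b, "10.0.0.5", "10.0.0.1", 1025, 80, 0x02),    # SYN
        build_tcp_frame(b, a, "10.0.0.1", "10.0.0.5", 80, 1025, 0x12),    # SYN+ACK
        build_tcp_frame(a, b, "10.0.0.5", "10.0.0.1", 1025, 80, 0x10),    # ACK
        build_tcp_frame(c, b, "10.0.0.99", "10.0.0.1", 2000, 21, 0x02),   # SYN
        build_tcp_frame(c, b, "10.0.0.99", "10.0.0.1", 2001, 23, 0x02),   # SYN
        build_tcp_frame(c, b, "10.0.0.99", "10.0.0.1", 2002, 139, 0x02),  # SYN
    ]

if __name__ == "__main__":
    for raw in sample_capture():
        print(decode_frame(raw))
    print(syn_only_by_source(sample_capture()))
```

The decoder is the part a real analyzer does for you; the per-source SYN count is the kind of question you ask of a capture when the network is "acting up" and you want to know where the traffic is coming from.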
Overall Security Scanners
What the above tools won't do, system security scanners will--or at least they should. Security scanners tend to include more features than the other tools I've covered, and in most cases, they scan your network looking for numerous problems with security. The tools I prefer are in Internet Security Systems' (ISS) SAFEsuite kit, which combines the company's Web Security Scanner, Intranet Scanner, Firewall Scanner, and System Security Scanner, all for NT networks.
This product set probes your system in-depth looking for potential security problems on many levels. Web Security Scanner audits the operating system underlying your Web servers, the Web server application, and the Common Gateway Interface (CGI) scripts that run on your Web server. This tool tests the Web server configuration, evaluates the underlying file system security, and searches for CGI scripts with known vulnerabilities and attempts to exploit the scripts it finds.
Intranet Scanner scans for more than a hundred known security vulnerabilities. It learns about your network through a discovery process and systematically probes each network device for security vulnerabilities. Systems supported through probing include NT, Win95, UNIX, and X-terminals.
Firewall Scanner audits the security of the operating system the firewall runs on, the firewall application, and the services enabled through the firewall. Firewall Scanner includes tests for packet filtering and application proxy-based firewalls.
System Security Scanner monitors, in realtime, the security profile of individual hosts from an operating system perspective. The scanner continuously checks for file ownership and permissions, operating system configurations, trojan programs, and signs of an intruder's presence. In addition, this tool provides a corrective action capability that lets the administrator choose whether to automate the process of correcting the security vulnerabilities remotely over a distributed network.
ISS has a new product called RealSecure that I've just added to my toolkit. This realtime attack recognition and response system for networks monitors your network traffic in realtime so you know what is happening on your network and can stop unauthorized activity immediately on detection.
An Ounce of Prevention
So now you know some of my security secrets, which lie in the tools in my bag of tricks. You'll be doing yourself a big favor by getting these tools and using them. An ounce of prevention is worth a pound of cure, and in the case of security, an ounce of prevention might be worth a few tons of cure.
The NT Shop: http://www.ntshop.net/security
UltraScan: http://192.217.228.45/UltraScan/
Somarsoft: http://www.somarsoft.com
Cinco Networks: http://www.cinco.com
Internet Security Systems: http://www.iss.net