Monitoring network security is always tricky and time consuming, no matter how you approach it. Nonetheless, it's incredibly important, and having certain tools at your disposal can help in your endeavors. Many people mistakenly think that network security means installing a firewall and forgetting about it. But security is an ongoing, everyday practice of perseverance and diligence. Sure, you need a firewall, but you also need to develop good habits, which include routine checks and analysis. This practice requires some specialized tools to get the job done quickly and easily, and I can recommend a few basic tools that you need in your toolkit and explain how to use them.
Before I start talking about security tools, I want to point out some basic facts that, I hope, will change the way you think about your network systems, especially if you're connected to the Internet. Most network break-ins occur on networks that are already secured but aren't monitored closely enough. In addition, poor password choices are a major culprit in giving an intruder an avenue into your network. If you keep these two important facts in mind as you perform administrative duties, you can maintain a better level of security in your environment and reduce your risks significantly.
With the advent of the Internet, my toolkit has grown to include mainly TCP/IP-related tools, which I think you'll find useful on your network. The products I use are my personal preferences, and you certainly have several other choices available. My Web site, http://www.ntshop.net/security, lists security-related tools available for download.
Let's glance at a few items in my toolkit, and then I'll talk about why I use and recommend them. This short list is by no means complete, but it is a good starting point for building your toolkit. If you're not using some of these tools, consider them because most are great time savers and essential to good security. Here are the most common tools in security administrators' toolkits:
- Port scanner
- Dial-up scanner
- Event log analyzer
- Registry analyzer
- Access control analyzer
- Protocol analyzer and packet sniffer
- Overall security scanners
Port Scanner
Each TCP/IP-related service listens on a port. A port scanner lets you scan ranges of IP addresses looking for TCP/IP ports that are listening, which means some type of service is running on that port. This tool immediately reveals systems that are running services you don't want to make available on your network, such as a private Web site or FTP server that employees run on their workstations. For port scanning, I use UltraScan, which is super fast and inexpensive. It's shareware, and registration is $5.
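To show what a port scanner actually does and how its results turn into findings, here is an added example in Python; it is not UltraScan and not code from the article. It completes a TCP connection to each port in a range, then subtracts the ports an administrator has approved for that host, which is the check you would run against your own address ranges. So that it runs offline, it starts a throwaway listener on the loopback address (an assumption standing in for a workstation running an unauthorized service) and scans a few ports around it.

```python
import socket
import threading


def scan_tcp_ports(host, ports, timeout=0.2):
    """Return the ports in `ports` on which `host` completes a TCP handshake."""
    listening = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            # connect_ex returns 0 on success instead of raising on refusal/timeout
            if s.connect_ex((host, port)) == 0:
                listening.append(port)
    return listening


def unexpected_services(listening, allowed):
    """Listening ports that are not on the host's approved list: these are the findings."""
    return sorted(set(listening) - set(allowed))


def start_demo_listener():
    """Constructed stand-in for an unauthorized service: a listener on a free loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))  # port 0: the OS picks a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                return

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def audit_loopback(allowed=()):
    """Scan a small window of ports around the demo listener and report what is not approved."""
    srv, demo_port = start_demo_listener()
    try:
        listening = scan_tcp_ports("127.0.0.1", range(demo_port - 2, demo_port + 3))
        return demo_port, listening, unexpected_services(listening, allowed)
    finally:
        srv.close()


if __name__ == "__main__":
    port, listening, findings = audit_loopback()
    print(f"demo listener on {port}; listening: {listening}; not approved: {findings}")
```

The approved list is the important part: a scan by itself only tells you what is listening, and it becomes a security check when each host has a documented set of services and anything else is treated as a finding to investigate.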
Dial-up Scanner
A dial-up scanner detects actively listening modems. With this tool, you'll find unwanted and unauthorized modems that are listening for calls on your phone lines. Many employees leave their system up with a modem online so they can access the corporate LAN and the Internet on the company's dime after hours, instead of purchasing an Internet account with an Internet Service Provider (ISP). This practice is bad news because intruders love to find such backdoors into your network. Your firewall does no good if backdoors are open. Free dial-up scanners are available, many written by intruders for their use. The good thing is that you too can get copies and use them. I use ToneLoc because it shows me details in a graphical map, representing information in colored patterns, so I can see immediately which phone numbers have listening modems. To get a copy of ToneLoc, locate it with a search engine or download it from my Web site. Keep in mind ToneLoc might be overkill for your needs--it's designed to scan large blocks of phone numbers--so check my Web site for other good tools you can try instead.
Event Log Analyzer
Monitoring your system logs is an important task you need to perform regularly. Unfortunately, it's also a grueling task. Log analyzers let you take a different approach to rifling through all the logged information. Instead of using the NT Event Log viewer, you can export the data to a database manager, where you can sift out the items you're looking for and produce reports to your liking. I prefer the DumpEvt tool by Frank Ramos of Somarsoft. You can download DumpEvt from the Internet. Somarsoft also has a version of this tool in .dll form that you can incorporate into custom applications--a nice thing to have, especially if you're a code slinger. Both NT resource kit CD-ROMs contain a tool called DUMPEL, which also dumps events out of the log, but the Somarsoft tool does a much nicer job.
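The approach described above, exporting the log and sifting it with a database, as an added example in Python that is not part of the article and does not use DumpEvt's real output format: a constructed CSV export of a few NT Security log records is loaded into an in-memory SQLite table, and two queries pull out the items worth a second look. The event IDs are NT 4.0's: 528 is a successful logon, 529 a failed logon (unknown user name or bad password), and 517 means the audit log was cleared.

```python
import csv
import io
import sqlite3

# Constructed sample export (columns chosen for this example, not DumpEvt's format).
SAMPLE_EXPORT = """\
date,time,source,event_id,category,user,computer
1997-06-02,08:01:13,Security,528,Logon/Logoff,jdoe,NTSRV1
1997-06-02,08:02:40,Security,529,Logon/Logoff,administrator,NTSRV1
1997-06-02,08:02:45,Security,529,Logon/Logoff,administrator,NTSRV1
1997-06-02,08:02:51,Security,529,Logon/Logoff,administrator,NTSRV1
1997-06-02,08:03:02,Security,529,Logon/Logoff,administrator,NTSRV1
1997-06-02,09:15:00,Security,517,System Event,administrator,NTSRV1
1997-06-02,09:20:12,Security,529,Logon/Logoff,msmith,NTWS07
"""


def load_events(export_text):
    """Load a CSV export into an in-memory SQLite table so it can be queried."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE events (date TEXT, time TEXT, source TEXT, event_id INTEGER,"
        " category TEXT, user TEXT, computer TEXT)"
    )
    rows = csv.DictReader(io.StringIO(export_text))
    db.executemany(
        "INSERT INTO events VALUES (?, ?, ?, ?, ?, ?, ?)",
        [(r["date"], r["time"], r["source"], int(r["event_id"]),
          r["category"], r["user"], r["computer"]) for r in rows],
    )
    return db


def repeated_logon_failures(db, threshold=3):
    """Accounts with `threshold` or more failed logons (event 529) on one host in one day."""
    cur = db.execute(
        """
        SELECT user, computer, date, COUNT(*) AS failures
        FROM events
        WHERE event_id = 529
        GROUP BY user, computer, date
        HAVING failures >= ?
        ORDER BY failures DESC
        """,
        (threshold,),
    )
    return cur.fetchall()


def audit_log_cleared(db):
    """Event 517 records the security log being cleared, which is rarely legitimate."""
    return db.execute(
        "SELECT date, time, user FROM events WHERE event_id = 517 ORDER BY date, time"
    ).fetchall()


if __name__ == "__main__":
    events = load_events(SAMPLE_EXPORT)
    for row in repeated_logon_failures(events):
        print("repeated failures:", row)
    for row in audit_log_cleared(events):
        print("log cleared:", row)
```

Once the records sit in a table, each routine check becomes a saved query you can rerun every morning, which is what makes daily log review practical instead of grueling.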
Registry Analyzer
The Registry holds a lot of NT's security aspects, in addition to other important information and settings. For this reason, routinely check your Registry settings to reveal incorrectly set permissions before they lead to disaster. Cruising the Registry manually is incredibly painful work; therefore, using a good analyzer is the way to go. An analyzer automates the task and produces reports that are easy to read and understand. Also, such a tool lets you see Registry entries that newly installed software makes, which is invaluable if you use software from untrusted or unknown vendors. I prefer Frank Ramos' DumpReg tool, available at Somarsoft's Web site. DumpReg lets me easily locate keys by the date of last modification or by matching strings. DumpACL reveals the Registry permission settings.
Access Control Analyzer
Checking Access Control Lists (ACLs) on your shared resources is incredibly important. But like the Registry, this work can be tedious. ACL analyzers dump the permissions (ACLs) for the file system, Registry, shares, and printers into a concise and readable format. The report shows any apparent holes in system security, once you know what you're looking for. I use the Somarsoft tool, DumpACL, which is available from Somarsoft's Web site. The NT resource kit CD-ROM includes a tool called cacls, which performs a similar function to DumpACL.
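Knowing what to look for is the hard part of reading a permissions dump, so here is an added example in Python (not DumpACL, and not its report format) that serves both the Registry permission check above and this section: a constructed listing of file, share, Registry, and printer entries is scanned for the classic hole, a broad group such as Everyone holding write-capable rights. The paths and group names are sample values chosen for the example.

```python
# Constructed permissions listing: (kind, path, trustee, rights). Not DumpACL's output.
SAMPLE_ACLS = [
    ("file", r"C:\WINNT\system32", "Everyone", {"read", "execute"}),
    ("file", r"C:\WINNT\system32\config", "Everyone", {"full"}),
    ("share", r"\\NTSRV1\Payroll", "Everyone", {"full"}),
    ("share", r"\\NTSRV1\Payroll", "PayrollAdmins", {"full"}),
    ("registry", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Everyone", {"write"}),
    ("registry", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Administrators", {"full"}),
    ("printer", "HP4-Accounting", "Everyone", {"print"}),
]

# Groups that effectively mean "anyone", and rights that let the holder change the object.
BROAD_TRUSTEES = {"Everyone", "Guests"}
RISKY_RIGHTS = {"full", "write", "change"}


def find_holes(entries, broad=BROAD_TRUSTEES, risky=RISKY_RIGHTS):
    """Return entries where a broad group holds write-capable rights on any object kind."""
    holes = []
    for kind, path, trustee, rights in entries:
        dangerous = rights & risky
        if trustee in broad and dangerous:
            holes.append((kind, path, trustee, sorted(dangerous)))
    return holes


def summarize(holes):
    """Count findings per object kind (file, share, registry, printer) for the report."""
    counts = {}
    for kind, _, _, _ in holes:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    found = find_holes(SAMPLE_ACLS)
    for kind, path, trustee, rights in found:
        print(f"{kind:8} {trustee:10} {','.join(rights):6} {path}")
    print(summarize(found))
```

Read-only access for Everyone on system32 and print access on a printer are left alone; the findings are the three places where anyone on the network could modify a protected file, a payroll share, or the Winlogon key.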
Protocol Analyzer and Packet Sniffer
A protocol analyzer and packet sniffer grabs packets off your network for further analysis, which is a great capability if your network is acting up. Intruders often take an indirect approach to penetrating your network, to avoid leaving traces in the NT Event Log. Also, intrusion attempts can sometimes confuse your network or make it behave in strange ways. If you suspect something is not quite right, a good packet sniffer can lead you directly to the source of the problem in a hurry.
My personal favorite is NetXRay from Cinco Networks. NetXRay is a native NT application that also runs on Windows 95. This tool requires that your network card support promiscuous mode, which lets it collect packets destined for any address on your network from one location. Most network cards support this mode of operation. (For a review of NetXRay, see John Enck, "NetXRay by Cinco Networks," August 1996.)
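What a sniffer gives you after it has pulled a frame off the wire is a decoded set of headers, and the decoding itself is simple enough to show. This added example in Python is not NetXRay and not code from the article: it decodes a constructed Ethernet/IPv4/TCP frame (addresses and ports are made up for the example, and the checksum fields are left zero and not validated) and then picks out bare SYN segments, the new connection attempts that are the first thing to look at when a network is acting up.

```python
import struct
from binascii import unhexlify

# Constructed 54-byte frame: Ethernet + IPv4 + TCP SYN from 10.0.0.1:49152 to 10.0.0.2:80.
SAMPLE_FRAME = unhexlify(
    "001122334455"                               # Ethernet destination MAC
    "66778899aabb"                               # Ethernet source MAC
    "0800"                                       # EtherType: IPv4
    "4500002800010000400600000a0000010a000002"   # IPv4 header, proto 6 (TCP), checksum zero
    "c000005000000001000000005002200000000000"   # TCP header, SYN, window 8192, checksum zero
)

TCP_FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                 (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def fmt_ipv4(raw):
    return ".".join(str(b) for b in raw)


def decode_frame(frame):
    """Decode Ethernet, IPv4 and TCP headers into a dict; stops at whatever layer it does not know."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    pkt = {"eth_dst": fmt_mac(dst_mac), "eth_src": fmt_mac(src_mac), "ethertype": ethertype}
    if ethertype != 0x0800:
        return pkt
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4  # header length in bytes; options, if any, sit before the payload
    pkt.update(
        ip_total_len=struct.unpack("!H", ip[2:4])[0],
        ip_proto=ip[9],
        src_ip=fmt_ipv4(ip[12:16]),
        dst_ip=fmt_ipv4(ip[16:20]),
    )
    if ip[9] != 6:
        return pkt
    tcp = ip[ihl:]
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    flags = off_flags & 0x1FF  # low nine bits carry the control flags
    pkt.update(
        sport=sport, dport=dport, seq=seq, ack=ack, window=window,
        tcp_header_len=(off_flags >> 12) * 4,
        flags=[name for bit, name in TCP_FLAG_BITS if flags & bit],
    )
    return pkt


def connection_attempts(frames):
    """(src, dst, dport) for every bare SYN, i.e. each new connection attempt seen on the wire."""
    attempts = []
    for frame in frames:
        pkt = decode_frame(frame)
        if pkt.get("flags") == ["SYN"]:
            attempts.append((pkt["src_ip"], pkt["dst_ip"], pkt["dport"]))
    return attempts


if __name__ == "__main__":
    print(decode_frame(SAMPLE_FRAME))
    print(connection_attempts([SAMPLE_FRAME]))
```

A sniffer on a card in promiscuous mode feeds frames like this one from every host on the segment into the same decoder; the filter at the end is the kind of view that tells you, in a hurry, which machine is opening connections it should not be.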
Overall Security Scanners
What the above tools won't do, system security scanners will--or at least they should. Security scanners tend to include more features than the other tools I've covered, and in most cases, they scan your network looking for numerous problems with security. The tools I prefer are in Internet Security Systems' (ISS) SAFEsuite kit, which combines the company's Web Security Scanner, Intranet Scanner, Firewall Scanner, and System Security Scanner, all for NT networks.
This product set probes your system in depth, looking for potential security problems on many levels. Web Security Scanner audits the operating system underlying your Web servers, the Web server application, and the Common Gateway Interface (CGI) scripts that run on your Web server. This tool tests the Web server configuration, evaluates the underlying file system security, searches for CGI scripts with known vulnerabilities, and attempts to exploit the scripts it finds.
Intranet Scanner scans for more than a hundred known security vulnerabilities. It learns about your network through a discovery process and systematically probes each network device for security vulnerabilities. Systems supported through probing include NT, Win95, UNIX, and X-terminals.
Firewall Scanner audits the security of the operating system the firewall runs on, the firewall application, and the services enabled through the firewall. Firewall Scanner includes tests for packet filtering and application proxy-based firewalls.
System Security Scanner monitors, in realtime, the security profile of individual hosts from an operating system perspective. The scanner continuously checks for file ownership and permissions, operating system configurations, trojan programs, and signs of an intruder's presence. In addition, this tool provides a corrective action capability that lets the administrator choose whether to automate the process of correcting the security vulnerabilities remotely over a distributed network.
ISS has a new product called RealSecure that I've just added to my toolkit. This realtime attack recognition and response system for networks monitors your network traffic in realtime so you know what is happening on your network and can stop unauthorized activity immediately on detection.
An Ounce of Prevention
So now you know some of my security secrets, which lie in the tools in my bag of tricks. You'll be doing yourself a big favor by getting these tools and using them. An ounce of prevention is worth a pound of cure, and in the case of security, an ounce of prevention might be worth a few tons of cure.