The Handy Security Toolkit
Network security means more than just a firewall. Add these basic tools to monitor and assess security on your network.
April 30, 1997
How to take network security seriously
Monitoring network security is always tricky and time-consuming, no matter how you approach it. Nonetheless, it's incredibly important, and having certain tools at your disposal can help in your endeavors. Many people mistakenly think that network security means installing a firewall and forgetting about it. But security is an ongoing, everyday practice of perseverance and diligence. Sure, you need a firewall, but you also need to develop good habits, which include routine checks and analysis. This practice requires some specialized tools to get the job done quickly and easily, and I can recommend a few basic tools that you need in your toolkit and explain how to use them.
Before I start talking about security tools, I want to point out some basic facts that, I hope, will change the way you think about your network systems, especially if you're connected to the Internet. Most network break-ins occur on networks that are already secured but aren't monitored closely enough. In addition, poor password choices are a major culprit in giving an intruder an avenue into your network. If you keep these two important facts in mind as you perform administrative duties, you can maintain a better level of security in your environment and reduce your risks significantly.
With the advent of the Internet, my toolkit has grown to include mainly TCP/IP-related tools, which I think you'll find useful on your network. The products I use are my personal preferences, and you certainly have several other choices available. My Web site, http://www.ntshop.net/security, lists security-related tools available for download.
Let's glance at a few items in my toolkit, and then I'll talk about why I use and recommend them. This short list is by no means complete, but it is a good starting point for building your toolkit. If you're not using some of these tools, consider them because most are great time savers and essential to good security. Here are the most common tools in security administrators' toolkits:
Port scanner
Dial-up scanner
Event log analyzer
Registry analyzer
Access control analyzer
Protocol analyzer and packet sniffer
Overall security scanners
Port Scanner
Each TCP/IP-related service listens on a port. A port scanner lets you scan ranges of IP addresses looking for TCP/IP ports that are listening, which means some type of service is running on that port. This tool immediately reveals systems that are running services you don't want to make available on your network, such as a private Web site or FTP server that employees run on their workstation. For port scanning, I use UltraScan, which is super fast and inexpensive. It's shareware, and registration is $5.
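As an added example, and not code from the article or from UltraScan, here is a small TCP connect scanner in Python that does what the paragraph describes: it probes a list of ports on a host, classifies each as open, closed or filtered, and flags open ports that are not on an allow-list of services the site intends to expose. The allow-list (80 and 443), the loopback host and the throwaway listener in `demo_scan()` are assumptions made for the example.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Assumed site policy for the example: the only services this host is meant
# to expose. Anything else found listening is reported for follow-up.
ALLOWED_PORTS = {80, 443}


def probe_port(host, port, timeout=0.5):
    """Classify one TCP port as 'open', 'closed' or 'filtered'.

    A completed connect means a service is listening. A refused connection
    means the host answered but nothing listens there. No answer within the
    timeout is reported as 'filtered': a packet filter dropped the probe or
    the host is down.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # socket.timeout and other network errors
        return "filtered"
    finally:
        sock.close()


def scan_host(host, ports, timeout=0.5, workers=32):
    """Probe the given ports concurrently; return {port: state}."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe_port(host, p, timeout), ports))
    return dict(zip(ports, states))


def unexpected_services(results, allowed=ALLOWED_PORTS):
    """Open ports that the policy does not allow, sorted ascending."""
    return sorted(p for p, state in results.items()
                  if state == "open" and p not in allowed)


def demo_scan():
    """Self-contained run: start a constructed listener on a free loopback
    port, scan that port, and let the policy check flag it."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: the OS picks a free port
    listener.listen(5)
    port = listener.getsockname()[1]
    try:
        results = scan_host("127.0.0.1", [port])
        return port, results, unexpected_services(results)
    finally:
        listener.close()


if __name__ == "__main__":
    port, results, flagged = demo_scan()
    print(f"port {port}: {results[port]}; unexpected services: {flagged}")
```

The three-way classification matters when reading results: a port that neither answers nor refuses usually means a filter in the path, which is different from "nothing running there". The allow-list is the part worth maintaining; the scan itself only produces facts, and the list turns them into findings.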
Dial-up Scanner
A dial-up scanner detects actively listening modems. With this tool, you'll find unwanted and unauthorized modems that are listening for calls on your phone lines. Many employees leave their system up with a modem online so they can access the corporate LAN and the Internet on the company's dime after hours, instead of purchasing an Internet account with an Internet Service Provider (ISP). This practice is bad news because intruders love to find such backdoors into your network. Your firewall does no good if backdoors are open. Free dial-up scanners are available, many written by intruders for their use. The good thing is that you too can get copies and use them. I use ToneLoc because it shows me details in a graphical map, representing information in colored patterns, so I can see immediately which phone numbers have listening modems. To get a copy of ToneLoc, locate it with a search engine or download it from my Web site. Keep in mind ToneLoc might be overkill for your needs--it's designed to scan large blocks of phone numbers--so check my Web site for other good tools you can try instead.
Event Log Analyzer
Monitoring your system logs is an important task you need to perform regularly. Unfortunately, it's also a grueling task. Log analyzers let you take a different approach to rifling through all the logged information. Instead of using the NT Event Log viewer, you can export the data to a database manager, where you can sift out the items you're looking for and produce reports to your liking. I prefer the DumpEvt tool by Frank Ramos of Somarsoft. You can download DumpEvt from the Internet. Somarsoft also has a version of this tool in .dll form that you can incorporate into custom applications--a nice thing to have, especially if you're a code slinger. Both NT resource kit CD-ROMs contain a tool called DUMPEL, which also dumps events out of the log, but the Somarsoft tool does a much nicer job.
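To show what "export the data and sift it" looks like in practice, here is an added Python example; it is not DumpEvt or DUMPEL output and not code from the article or from Somarsoft. A constructed set of exported logon records is loaded into an in-memory SQLite table and queried for three things an administrator would want: accounts with repeated logon failures, successful logons outside business hours, and a run of failures followed by a success within a few minutes. The export layout, the sample records, the business-hours window and the thresholds are assumptions; event IDs 528 (successful logon) and 529 (logon failure) are NT's own.

```python
import csv
import sqlite3
from io import StringIO

# Constructed sample export (not real DumpEvt or DUMPEL output). One record
# per line: time, event id, category, user, workstation, message.
SAMPLE_EXPORT = """\
1997-04-28 02:14:07,529,Logon/Logoff,administrator,WS017,Logon Failure: Unknown user name or bad password
1997-04-28 02:14:12,529,Logon/Logoff,administrator,WS017,Logon Failure: Unknown user name or bad password
1997-04-28 02:14:20,529,Logon/Logoff,administrator,WS017,Logon Failure: Unknown user name or bad password
1997-04-28 02:14:31,529,Logon/Logoff,administrator,WS017,Logon Failure: Unknown user name or bad password
1997-04-28 02:15:02,528,Logon/Logoff,administrator,WS017,Successful Logon
1997-04-28 09:02:44,528,Logon/Logoff,jsmith,WS003,Successful Logon
1997-04-28 09:05:10,529,Logon/Logoff,jsmith,WS003,Logon Failure: Unknown user name or bad password
1997-04-28 17:59:59,528,Logon/Logoff,mjones,WS011,Successful Logon
1997-04-28 18:00:00,528,Logon/Logoff,mjones,WS011,Successful Logon
"""

LOGON_OK = 528      # NT security log: successful logon
LOGON_FAILED = 529  # NT security log: logon failure, unknown user name or bad password


def load_export(text):
    """Parse the comma-separated export into an in-memory SQLite database."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE events (time TEXT, event_id INTEGER, category TEXT, "
        "user TEXT, workstation TEXT, message TEXT)"
    )
    rows = [r for r in csv.reader(StringIO(text)) if r]  # skip blank lines
    db.executemany("INSERT INTO events VALUES (?, ?, ?, ?, ?, ?)", rows)
    return db


def repeated_failures(db, threshold=3):
    """Accounts with at least `threshold` failed logons, most failures first."""
    return db.execute(
        "SELECT user, COUNT(*) AS n FROM events WHERE event_id = ? "
        "GROUP BY user HAVING n >= ? ORDER BY n DESC, user",
        (LOGON_FAILED, threshold),
    ).fetchall()


def after_hours_logons(db, start="08:00", end="18:00"):
    """Successful logons whose HH:MM falls outside the [start, end) window."""
    return db.execute(
        "SELECT time, user, workstation FROM events WHERE event_id = ? "
        "AND (substr(time, 12, 5) < ? OR substr(time, 12, 5) >= ?) ORDER BY time",
        (LOGON_OK, start, end),
    ).fetchall()


def failures_followed_by_success(db, window_seconds=300):
    """Successful logons preceded by a failure for the same account within the window."""
    return db.execute(
        "SELECT DISTINCT s.user, s.time FROM events s JOIN events f "
        "ON f.user = s.user AND f.event_id = ? AND s.event_id = ? "
        "AND f.time < s.time "
        "AND (julianday(s.time) - julianday(f.time)) * 86400 <= ? "
        "ORDER BY s.time",
        (LOGON_FAILED, LOGON_OK, window_seconds),
    ).fetchall()


if __name__ == "__main__":
    db = load_export(SAMPLE_EXPORT)
    print("repeated failures:", repeated_failures(db))
    print("after-hours logons:", after_hours_logons(db))
    print("failures then success:", failures_followed_by_success(db))
```

Once the records sit in a table, each question is one query, and the queries are easy to keep and rerun; that is the whole advantage over paging through the Event Log viewer.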
Registry Analyzer
The Registry holds a lot of NT's security aspects, in addition to other important information and settings. For this reason, routinely check your Registry settings to reveal incorrectly set permissions before they lead to disaster. Cruising the Registry manually is incredibly painful work; therefore, using a good analyzer is the way to go. An analyzer automates the task and produces reports that are easy to read and understand. Also, such a tool lets you see Registry entries that newly installed software makes, which is invaluable if you use software from untrusted or unknown vendors. I prefer Frank Ramos' DumpReg tool, available at Somarsoft's Web site. DumpReg lets me easily locate keys by the date of last modification or by matching strings. DumpACL reveals the Registry permission settings.
Access Control Analyzer
Checking Access Control Lists (ACLs) on your shared resources is incredibly important. But like the Registry, this work can be tedious. ACL analyzers dump the permissions (ACLs) for the file system, Registry, shares, and printers into a concise and readable format. The report shows any apparent holes in system security, once you know what you're looking for. I use the Somarsoft tool, DumpACL, which is available from Somarsoft's Web site. The NT resource kit CD-ROM includes a tool called cacls, which performs a similar function to DumpACL.
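The two preceding sections (Registry analyzer and access control analyzer) both come down to the same workflow: dump the entries, encode what you are looking for, and compare against an earlier dump to see what newly installed software added. This added Python example (not code from the article, DumpACL or DumpReg) does that over a constructed dump in a simple tab-separated layout, which is not the real output format of either Somarsoft tool. The "broad groups", the write rights, the sensitive-name list and the sample entries are all assumptions for the example.

```python
from typing import NamedTuple


class Ace(NamedTuple):
    kind: str     # share, file or registry
    name: str     # share name, path or Registry key
    account: str  # user or group the entry applies to
    perm: str     # permission granted


# Constructed sample dumps, tab-separated (assumed layout, not DumpACL's).
BASELINE_DUMP = """\
share\tPUBLIC\tEveryone\tFull Control
share\tPUBLIC\tDomain Admins\tFull Control
share\tPAYROLL\tEveryone\tRead
share\tPAYROLL\tFinance\tChange
file\tC:\\Public\\Docs\tEveryone\tRead
file\tC:\\Accounting\tEveryone\tFull Control
registry\tHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\tAdministrators\tFull Control
"""

# The same system after a software install added one Registry entry.
CURRENT_DUMP = BASELINE_DUMP + (
    "registry\tHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"
    "\tEveryone\tFull Control\n"
)

BROAD_GROUPS = {"Everyone", "Guests"}               # assumed: groups any caller can land in
WRITE_RIGHTS = {"Full Control", "Change", "Write"}  # rights that allow modification
SENSITIVE = ("PAYROLL", "Winlogon")                 # assumed policy: never broadly readable


def parse_dump(text):
    """Turn the dump into a list of Ace records, skipping blank lines."""
    aces = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kind, name, account, perm = line.split("\t")
        aces.append(Ace(kind, name, account, perm))
    return aces


def find_holes(aces, broad=BROAD_GROUPS, write=WRITE_RIGHTS, sensitive=SENSITIVE):
    """Entries that grant a broad group modify rights anywhere, or any
    access to a resource whose name matches the sensitive list."""
    findings = []
    for ace in aces:
        if ace.account not in broad:
            continue
        if ace.perm in write:
            findings.append((ace, "broad group can modify"))
        elif any(s in ace.name for s in sensitive):
            findings.append((ace, "broad group can read sensitive resource"))
    return findings


def new_aces(baseline, current):
    """Entries present in the current dump but absent from the baseline."""
    seen = set(baseline)
    return [ace for ace in current if ace not in seen]


if __name__ == "__main__":
    base, cur = parse_dump(BASELINE_DUMP), parse_dump(CURRENT_DUMP)
    for ace, why in find_holes(cur):
        print(f"{why}: {ace.kind} {ace.name} -> {ace.account} ({ace.perm})")
    for ace in new_aces(base, cur):
        print(f"new since baseline: {ace.kind} {ace.name} -> {ace.account} ({ace.perm})")
```

Keeping the baseline dump from a known-good state is what makes the diff useful: a new entry granting Everyone Full Control on a logon-related key stands out immediately, whereas in a full report it is one line among thousands.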
Protocol Analyzer and Packet Sniffer
A protocol analyzer and packet sniffer grabs packets off your network for further analysis, which is a great capability if your network is acting up. Intruders often take an indirect approach to penetrating your network, to avoid leaving traces in the NT Event Log. Also, intrusion attempts can sometimes confuse your network or make it behave in strange ways. If you suspect something is not quite right, a good packet sniffer can lead you directly to the source of the problem in a hurry.
My personal favorite is NetXRay from Cinco Networks. NetXRay is a native NT application that also runs on Windows 95. This tool requires that your network card support promiscuous mode, which lets it collect packets destined for any address on your network from one location. Most network cards support this mode of operation. (For a review of NetXRay, see John Enck, "NetXRay by Cinco Networks," August 1996.)
Overall Security Scanners
What the above tools won't do, system security scanners will--or at least they should. Security scanners tend to include more features than the other tools I've covered, and in most cases, they scan your network looking for numerous problems with security. The tools I prefer are in Internet Security Systems' (ISS) SAFEsuite kit, which combines the company's Web Security Scanner, Intranet Scanner, Firewall Scanner, and System Security Scanner, all for NT networks.
This product set probes your system in-depth looking for potential security problems on many levels. Web Security Scanner audits the operating system underlying your Web servers, the Web server application, and the Common Gateway Interface (CGI) scripts that run on your Web server. This tool tests the Web server configuration, evaluates the underlying file system security, and searches for CGI scripts with known vulnerabilities and attempts to exploit the scripts it finds.
Intranet Scanner scans for more than a hundred known security vulnerabilities. It learns about your network through a discovery process and systematically probes each network device for security vulnerabilities. Systems supported through probing include NT, Win95, UNIX, and X-terminals.
Firewall Scanner audits the security of the operating system the firewall runs on, the firewall application, and the services enabled through the firewall. Firewall Scanner includes tests for packet filtering and application proxy-based firewalls.
System Security Scanner monitors, in realtime, the security profile of individual hosts from an operating system perspective. The scanner continuously checks for file ownership and permissions, operating system configurations, trojan programs, and signs of an intruder's presence. In addition, this tool provides a corrective action capability that lets the administrator choose whether to automate the process of correcting the security vulnerabilities remotely over a distributed network.
ISS has a new product called RealSecure that I've just added to my toolkit. This realtime attack recognition and response system for networks monitors your network traffic in realtime so you know what is happening on your network and can stop unauthorized activity immediately on detection.
An Ounce of Prevention
So now you know some of my security secrets, which lie in the tools in my bag of tricks. You'll be doing yourself a big favor by getting these tools and using them. An ounce of prevention is worth a pound of cure, and in the case of security, an ounce of prevention might be worth a few tons of cure.
The NT Shop: http://www.ntshop.net/security
UltraScan: http://192.217.228.45/UltraScan/
Somarsoft: http://www.somarsoft.com
Cinco Networks: http://www.cinco.com
Internet Security Systems: http://www.iss.net