Take advantage of free tools to benchmark your network

For every IT organization, security is a vital concern. Security expert Mike Mullins examines a couple of free tools that no administrator should be without.

When it comes to the confidentiality, integrity, and availability of your corporate network, it should go without saying that security is a vital concern. Of course, accepting this fact doesn't mean you automatically know where to begin. The task of securing a variety of platforms can be overwhelming, particularly if you don't have the time or resources to do it thoroughly.

However, industry best practices for security have evolved enough that there is plenty of free information available out there to help you secure your network. Every network security project should begin with performing a security benchmark of the devices that run on your network.

You don't need to be an expert on every O/S and platform; you just need to know where to look for the right tools. Let's take a look at a couple of free tools that no administrator should be without.

For several years, members of the National Institute of Standards and Technology, the Defense Information Systems Agency, the National Security Agency, the General Services Administration, the SANS Institute, and the Center for Internet Security have collaborated on a joint project to address security concerns in networked information systems. These agencies combined their substantial experience and technical capabilities to provide users with an automated system and guidelines to verify and modify the baseline of your network devices to meet an industry standard benchmark of security—free of charge.

This project's main offering is the Computer Information Systems (CIS) scoring tool. Available from the Center for Internet Security, the CIS scoring tool analyzes your system against a security benchmark and available hot fixes for the specific platform you're checking.

The CIS scoring tool is a nondestructive process, which you can run against both new installations and production systems. The resulting report guides you in an in-depth approach to the steps you need to take to harden your systems.

Currently, you can use the CIS scoring tool against the following operating systems, devices, and applications: Windows XP Professional, Windows Server 2003, Windows 2000 Professional, Windows 2000 Server, Windows 2000 (for both servers and workstations), Windows NT, FreeBSD, Solaris, Linux, HP-UX, Cisco IOS Router, Cisco PIX, Oracle Database, and Apache Web Server.

To take advantage of this tool, read the implementation guide, install the tool, and run the tool against the platform you want to benchmark. Each platform has an accompanying guide that describes in detail how the developers created the scoring method as well as how to increase your platform security to meet industry standards.

As an added bonus, instead of chasing down individual fixes, several security configuration templates are available. You can apply these templates to your systems, and they'll modify the security configuration to meet current benchmark standards.

One word of caution: Read the information about the security configuration templates carefully. Some of them are specifically for highly secure environments, and they might not be appropriate for your organization's operational systems.

It's that simple—nothing to buy and no in-depth knowledge necessary. Read a guide, run a tool, and fix your security.

In addition to the CIS scoring tool and the accompanying benchmark guides, the National Institute of Standards and Technology maintains a publicly available resource of more than 50 Security Technical Implementation Guides (STIGs) and checklists. Covering a wide variety of platforms, these resources provide a detailed step-by-step approach for implementing and documenting security settings that are the accepted standards of the U.S. government.

The security of your local network is a global concern. Be a good Internet neighbor, and take a good look at these guidelines.

Final thoughts

Approximately 28 seconds after you connect a device to the Internet, a remote host scans it. Your only defense is to apply a level of security against a known benchmark and follow industry best practices.

There are no ruby red slippers to click when it comes to network and systems security. However, taking advantage of free security tools is a good place to start to secure your corporate network.

Worried about security issues? Who isn't? Automatically sign up for our free Security Solutions newsletter, delivered each Friday, and get hands-on advice for locking down your systems.

Editor's Picks

Free Newsletters, In your Inbox