With the increasing demands of today’s network security, more and more network professionals are looking for ways to quickly locate and fix holes in their security infrastructure. Network security is not just about implementing a firewall and then leaving it alone. You should be auditing, reviewing logs, running scans, and developing good security policies that keep your network protected. This article looks at several tools that can help you manage network security in a Windows network.
A port scanner probes your system for open TCP and UDP ports. It is a good tool for determining which ports you actually need to keep open on your firewall and routers, and it also helps you determine whether an active Trojan (placed by a hacker) is listening on a port you did not expect to be open. Here are two port scanners that will help you identify open ports on your systems.
SuperScan is a free download that lets you check a range of ports or scan a range of IP addresses. It comes with a slick, easy-to-use GUI, as shown in Figure A.
FScan is a command-line port scanner (Figure B) that allows you to scan ports and redirect the results to a text file of your choice. In addition to scanning TCP ports, you can scan UDP ports. This tool can scan over 200 ports per second. To download FScan, click here and then click Scanner, FScan, and Download Now.
TCP/IP tools in Windows
When administering security, you need to have a good grasp of the basic TCP/IP tools. The following command-line TCP/IP tools are built into Windows NT/2000:
- Ping—Everyone should be familiar with the Ping command. It tests network connectivity between your host and another system, which you can identify by IP address, NetBIOS name, or host name. The syntax is simply ping [hostname, IP address, or NetBIOS name].
- Tracert—This utility goes a step further than Ping by allowing you to trace the hops between one system and a destination system (Figure E). It is helpful in determining where your connection is failing along the way to its destination. You invoke this tool using tracert [domain name, hostname, IP address, or NetBIOS name].
In addition to the above command-line tools, the following tools may also be useful:
- TcpView—This free download gives you the same information as Netstat but lets you view it graphically.
- TDImon—This utility shows you TCP and UDP activity in real time on the system being monitored (Figure G). You can download this tool here.
Network security scanner
After using some of the tools recommended above, you can add another level of protection to your network by downloading a security scanner. Scanners look for security holes and vulnerabilities and display the results. Two of my favorite security scanners include RealSecure Network Protection from Internet Security Systems and NetIQ Security Analyzer from WebTrends.
These products will cost you some money, but they can save a lot of the time it would take you to find the holes in your network manually. They can also point out things you would probably miss otherwise, especially deviations from security best practices that are not technically flaws or vulnerabilities. Both of these products can act like an in-house security consultant.
A packet sniffer captures packets from your network and lets you analyze them at a basic level. Windows 2000 Server comes with a built-in sniffer called Network Monitor. If it is not already installed, you can install it from the Add/Remove Components applet in the Control Panel. After installation, you can use the analyzer to sniff packets on your network for suspicious activity, such as DoS attacks and other hacker exploits.
Another useful—and free—resource is the Sam Spade tool and Web site. This is probably one of the most robust and helpful sites on the Internet for gathering network information. You can either use the online version of Sam Spade or download a small Windows program that does the same things and more.
Sam Spade allows you to find out a ton of information about an IP address or FQDN. Let’s say, for example, that in one of my security logs I discovered an IP address that was repeatedly scanning my systems (most likely a hacker trying to find open ports and vulnerabilities). I could take this IP address and do a Whois query and/or a Dig query to find out more about where the attacker is coming from and try to take action against the person via his or her company or ISP.
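The scenario above starts with spotting a scanning IP address in a security log. As an added example (not code from the original article or from Sam Spade), this Python script does that first step over a few constructed firewall log lines: it counts the distinct destination ports each source address touched and returns the sources that exceed a threshold, which are the addresses you would then take to Whois or Dig. The log format, the addresses (RFC 5737 documentation ranges) and the threshold are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed firewall log lines in a hypothetical format (not from any real product):
# <date> <time> DROP <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
LOG_SAMPLE = """\
2001-03-14 02:11:05 DROP TCP 203.0.113.7:40112 -> 192.0.2.10:21
2001-03-14 02:11:05 DROP TCP 203.0.113.7:40113 -> 192.0.2.10:23
2001-03-14 02:11:06 DROP TCP 203.0.113.7:40114 -> 192.0.2.10:25
2001-03-14 02:11:06 DROP TCP 203.0.113.7:40115 -> 192.0.2.10:80
2001-03-14 02:11:07 DROP TCP 203.0.113.7:40116 -> 192.0.2.10:135
2001-03-14 02:11:07 DROP TCP 203.0.113.7:40117 -> 192.0.2.10:139
2001-03-14 02:11:08 DROP TCP 203.0.113.7:40118 -> 192.0.2.10:445
2001-03-14 02:12:40 DROP UDP 198.51.100.23:53 -> 192.0.2.10:53
2001-03-14 02:13:02 DROP TCP 198.51.100.23:1033 -> 192.0.2.10:80
"""

LINE_RE = re.compile(
    r"^(\S+ \S+) DROP (TCP|UDP) (\d+\.\d+\.\d+\.\d+):\d+ -> \d+\.\d+\.\d+\.\d+:(\d+)$"
)


def ports_probed_by_source(log_text):
    """Map each source IP to the set of distinct destination ports it hit."""
    probed = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            _timestamp, _proto, src, dst_port = m.groups()
            probed[src].add(int(dst_port))
    return probed


def suspected_scanners(log_text, threshold=5):
    """Sources that touched at least `threshold` distinct ports.

    A legitimate client hits one or two services; a source walking many ports
    on the same host is the pattern the article's scenario describes.
    """
    return sorted(
        src for src, ports in ports_probed_by_source(log_text).items()
        if len(ports) >= threshold
    )


if __name__ == "__main__":
    for src in suspected_scanners(LOG_SAMPLE):
        print(f"{src} probed {len(ports_probed_by_source(LOG_SAMPLE)[src])} ports; look it up")
```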
Sam Spade includes a number of other useful tools. I recommend that you read the article "Sam Spade: The Swiss Army Knife of network analysis" and spend some time working with Sam Spade to get to know all of the features it offers.
Network security is obviously critical at this stage in the IT game. To be successful, you should have many tools at your disposal. The tools we've looked at here, combined with your security policy and firewall, will help you keep your network secure.