With the increasing demands of today's network security, more and more network professionals are looking for ways to quickly locate and fix holes in their defenses. Network security is not just about implementing a firewall and then leaving it alone. You should be auditing, reviewing logs, running scans, and developing good security policies that will keep your network protected. This article will show you some tools that can help you manage network security in a Windows network.
A port scanner probes a system for open TCP and UDP ports. It helps you determine which ports you really need to keep open on your firewall and routers, and it can reveal a Trojan (planted by an attacker) that is listening on a port you never meant to expose. Scan from inside the firewall to see what a host actually exposes, and from outside to see what the firewall lets through; the difference between the two lists is your filtering policy as it really works. Scan only systems you own or are authorized to test. Here are two port scanners that will help you identify open ports on your systems.
SuperScan is a free download that allows you to check a range of ports or to scan a range of IP addresses. It comes with a slick and easy to use GUI, as shown in Figure A.
FScan is a command-line port scanner (Figure B) that allows you to scan ports and redirect the results to a text file of your choice. In addition to scanning TCP ports, you can scan UDP ports, but treat UDP results with more caution than TCP results: a UDP port that sends no reply could be open or simply filtered, so UDP scans are slower and less certain. This tool can scan over 200 ports per second.
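To make concrete what SuperScan and FScan do when they report a port as "open", here is an added example (not code from the article or from either tool) of the simplest kind of scan, a TCP connect() scan: for each port the scanner completes a full TCP handshake and calls the port open if the handshake succeeds. To keep it runnable offline, the demo opens a listening socket of its own on 127.0.0.1 as a stand-in for a real service, then scans the ports around it. The port window and timeout values are assumptions, not anything the tools prescribe.

```python
"""Minimal TCP connect() port scanner.

Added example, not SuperScan or FScan: it does what those tools do at
the most basic level (try to complete a TCP handshake to each port) so
you can see what "open" and "closed" mean to a scanner.  UDP scanning is
deliberately left out: a UDP probe that gets no reply is ambiguous
(open or filtered), which is why UDP scans are slow and unreliable.
"""
import socket
from concurrent.futures import ThreadPoolExecutor


def probe_tcp(host, port, timeout=0.5):
    """Return True if a TCP connection to host:port completes.

    ConnectionRefusedError (closed port), socket.timeout (filtered or
    unreachable) and any other OSError all count as "not open"."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:
            return False


def scan_ports(host, ports, timeout=0.5, workers=64):
    """Probe every port in `ports` concurrently; return the sorted open ones."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, probe_tcp(host, p, timeout)), ports))
    return sorted(p for p, is_open in results if is_open)


def start_listener(host="127.0.0.1"):
    """Open a listening socket on an OS-chosen port (a stand-in for a real
    service, so the scanner can be exercised offline); return (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def demo():
    """Start a listener, scan a small window of ports around it (assumed
    window of +/- 5 ports), close the listener, and return (port, open_ports)."""
    srv, port = start_listener()
    try:
        window = range(max(1, port - 5), min(65535, port + 5) + 1)
        found = scan_ports("127.0.0.1", window)
    finally:
        srv.close()
    return port, found


if __name__ == "__main__":
    port, found = demo()
    print(f"listener on {port}; scanner reports open: {found}")
```

Because a connect() scan completes the handshake, every probe shows up in the target's logs and to any intrusion detection system watching the segment; that is exactly the footprint you will later be looking for in your own logs when someone scans you.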
TCP/IP tools in Windows
When administering security, you need to have a good grasp of the basic TCP/IP tools. The following are command-line TCP/IP tools that are built into Windows NT/2000:
Netstat—Windows administrators should be very familiar with this tool. It quickly tells you which TCP and UDP ports are in use on a system. From the command line, type netstat -a for a list of open and listening ports, such as the one shown in Figure C. Add -n (netstat -an) to show addresses and ports as numbers instead of resolving them to names; that is faster and gives you raw port numbers you can compare directly against your firewall rules.
Ipconfig—This utility displays the TCP/IP configuration of your computer. Type ipconfig /all, as shown in Figure D, to display the TCP/IP configuration.
Ping—Everyone should be familiar with the Ping command. It tests network connectivity between your system and another system using an IP address, NetBIOS name, or host name. The syntax is simply ping [hostname, IP address, or NetBIOS name]. Keep in mind that no reply does not prove the host is down: many firewalls drop ICMP echo requests, so a host that ignores ping may still be reachable on TCP ports.
Tracert—This utility goes a step further than Ping by allowing you to trace the hops between one system and a destination system (Figure E). It is helpful in determining where your connection is failing along the way to its destination. You invoke this tool using tracert [domain name, hostname, IP address, or NetBIOS name]. A hop that shows only asterisks ("Request timed out") did not answer within the timeout; routers that block or rate-limit ICMP look like that even when traffic passes through them normally, so read the hops after it before concluding the path is broken.
Nslookup—This utility allows you to gather valuable host, IP address, and domain information (Figure F). You can use this command by entering nslookup [fully qualified domain name or IP address] or by simply issuing the command nslookup, which will take you into interactive mode (with the > prompt). At that point, you can enter just the IP address or fully qualified domain name. Interactive mode is best to use when you’re doing multiple lookups.
In addition to the above command-line tools, the following tools may also be useful:
TcpView—This free Sysinternals utility gives you basically the same information as Netstat but lets you view it graphically and watch it update as connections come and go.
TDimon—This Sysinternals utility shows TCP and UDP activity in real time on the system it is running on, by monitoring requests to the Transport Driver Interface (TDI), so you see each connect, send, and receive as it happens (Figure G).
Fport—This little Foundstone tool lists all open TCP and UDP ports and maps each one to the process that owns it, with the process ID and the path of the executable. The built-in netstat on NT/2000 cannot show you the owning process, so Fport is the quickest way to tell whether an unfamiliar listening port belongs to a service you installed or to something you did not. That also makes it a good guide to which ports to open or close on your firewall.
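The point of running netstat (or TcpView and Fport) is not the listing itself but comparing it against what the host is supposed to expose, which is how the "active Trojan listening on a port" check mentioned earlier actually gets done. The following added example (not from the article or from any of these tools) parses the text that Windows netstat -an produces, picks out the sockets that accept input, and flags every one that is not on a baseline you maintain. The netstat output and the baseline are constructed for the example; replace the baseline with the ports your own build standard allows.

```python
"""Parse Windows `netstat -an` output and flag listeners outside a baseline.

Added example, not code from the article or from the tools it names.  The
sample output below is constructed to look like Windows 2000 netstat; the
baseline of expected ports is an assumption you would replace with your own.
"""
import re
from collections import namedtuple

Socket = namedtuple("Socket", "proto local_ip local_port foreign state")

# Constructed sample: what `netstat -an` might print on a file server.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1033      192.168.1.5:80         ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:31337          *:*
"""

# Assumed baseline: the (protocol, port) pairs this host is supposed to expose.
BASELINE = {("TCP", 135), ("TCP", 139), ("TCP", 445), ("UDP", 137)}

# proto, local endpoint, foreign endpoint, optional state (UDP rows have none)
_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def _split_endpoint(endpoint):
    """'0.0.0.0:135' -> ('0.0.0.0', 135); '*:*' -> ('*', None).  Also copes
    with bracketed IPv6 such as '[::]:135' printed by later Windows versions."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Turn netstat text into Socket rows; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        proto, local, foreign, state = m.groups()
        ip, port = _split_endpoint(local)
        rows.append(Socket(proto, ip, port, foreign, state or ""))
    return rows


def listeners(rows):
    """Sockets that accept input: TCP in LISTENING, plus every bound UDP socket
    (netstat shows no state for UDP, so any UDP row is a potential receiver)."""
    return [r for r in rows
            if (r.proto == "TCP" and r.state == "LISTENING") or r.proto == "UDP"]


def unexpected_listeners(rows, baseline=BASELINE):
    """(proto, port) pairs that are listening but are not in the baseline."""
    return sorted({(r.proto, r.local_port) for r in listeners(rows)} - set(baseline))


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for proto, port in unexpected_listeners(rows):
        print(f"unexpected listener: {proto}/{port}")
```

Two caveats apply to any check built on netstat. First, it reports the host's own view of itself; a compromised host can lie, so cross-check with a port scan from another machine. Second, an unexpected port is a lead, not a verdict: run Fport (or TcpView) to see which executable owns it before you decide it is hostile.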
Network security scanner
After using some of the tools recommended above, you can add another layer to your assessment by downloading a security scanner. Where a port scanner only tells you what is listening, a security scanner checks the services it finds for known holes, weak configurations, and missing patches, and reports the results. Two of my favorite security scanners include RealSecure Network Protection from Internet Security Systems and NetIQ Security Analyzer from WebTrends.
These products will cost you some money, but they can save a lot of the time it would take you to manually find the holes in your network. They also can often point out things you would probably miss otherwise, including configuration best practices that are not technically vulnerabilities. Both of these products can act like an in-house security consultant. As with any consultant, verify the findings before acting on them: scanners do report false positives, and a report that a patch is missing is worth confirming on the host itself.
A packet sniffer captures packets off your network and allows you to analyze them at a basic level. Windows 2000 Server comes with a built-in sniffer called Network Monitor. If it is not already installed, add it from the Add/Remove Programs applet in the Control Panel (Add/Remove Windows Components, under Management and Monitoring Tools). Be aware that this built-in version captures only traffic sent to or from the computer it runs on; the full version that ships with Systems Management Server can capture everything on the segment. Once it is installed, you can capture packets and look for suspicious activity, such as floods of connection attempts that suggest a DoS attack or probes against ports you do not serve. A sniffer is also the quickest way to prove to yourself which of your own protocols (Telnet, FTP, POP3) still send passwords in clear text.
Another useful, and free, resource is the Sam Spade tool and Web site. This is probably one of the most robust and helpful sites on the Internet for gathering network information. Sam Spade allows you to find out a ton of information about an IP address or FQDN. Let's say, for example, that in one of my security logs I discovered an IP address that was repeatedly scanning my systems (most likely a hacker trying to find open ports and vulnerabilities). I could take this IP address and do a Whois query and/or a Dig (DNS) query to find out more about where the attacker is coming from and try to take action against the person via his or her company or ISP. Keep your expectations realistic: a Whois query on an IP address returns the registered owner of the address block, which is usually an ISP or hosting company rather than the person at the keyboard, and the scanning machine is often itself a compromised host. The abuse contact listed for the block is the right recipient for your report, along with the log lines showing dates, times, and ports.
Sam Spade includes a number of other useful tools. I recommend that you read the article "Sam Spade: The Swiss Army Knife of network analysis" and spend some time working with Sam Spade to get to know all of the features it offers. You will get to read some of Jason Hiner's retro material back before he became famous.
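The scenario above has two steps: first spot the scanning source in your logs, then ask Whois who is responsible for it. Here is an added example (not code from the article or from Sam Spade) that does both. The log format is constructed for the example (one event per line: date, time, action, protocol, source IP, destination IP, source port, destination port); adapt parse_log to whatever your firewall actually writes. The scanner detection keys on breadth, not volume: a source that touches many different destination ports on one host is scanning, while a busy legitimate client hits the same port over and over. The Whois function speaks the raw protocol on TCP port 43 and assumes ARIN as the registry to ask first; it needs network access and is not exercised by the offline demo. The 203.0.113.0/24 addresses are the RFC 5737 documentation range, so nothing here points at a real network.

```python
"""Find port-scanning sources in a firewall log, then look up who owns them.

Added example; not code from the article or from Sam Spade.  The log lines
are constructed (fields: date time action proto src_ip dst_ip src_port
dst_port, one event per line); 203.0.113.0/24 is the RFC 5737 documentation
range, so nothing here points at a real network.
"""
import socket
from collections import defaultdict

# Constructed sample log.  203.0.113.7 walks a series of ports on one host;
# 203.0.113.22 is an ordinary web client; 203.0.113.9 sends one stray packet.
SAMPLE_LOG = """\
2001-05-14 02:13:07 DROP TCP 203.0.113.7 192.168.1.10 4521 21
2001-05-14 02:13:07 DROP TCP 203.0.113.7 192.168.1.10 4522 23
2001-05-14 02:13:08 DROP TCP 203.0.113.7 192.168.1.10 4523 25
2001-05-14 02:13:08 ACCEPT TCP 203.0.113.7 192.168.1.10 4524 80
2001-05-14 02:13:08 DROP TCP 203.0.113.7 192.168.1.10 4525 110
2001-05-14 02:13:09 DROP TCP 203.0.113.7 192.168.1.10 4526 135
2001-05-14 02:13:09 DROP TCP 203.0.113.7 192.168.1.10 4527 139
2001-05-14 02:13:09 DROP TCP 203.0.113.7 192.168.1.10 4528 445
2001-05-14 02:14:30 ACCEPT TCP 203.0.113.22 192.168.1.10 1042 80
2001-05-14 02:14:31 ACCEPT TCP 203.0.113.22 192.168.1.10 1043 80
2001-05-14 02:15:02 DROP UDP 203.0.113.9 192.168.1.10 53 137
"""


def parse_log(text):
    """Parse the constructed format into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8:
            continue
        date, time, action, proto, src, dst, sport, dport = parts
        events.append({"ts": f"{date} {time}", "action": action, "proto": proto,
                       "src": src, "dst": dst, "dport": int(dport)})
    return events


def find_scanners(events, min_ports=5):
    """Return (src, dst, distinct_ports, first_seen, last_seen) for every
    source that touched at least `min_ports` distinct destination ports on a
    single host.  Both ACCEPT and DROP count: a scan is a scan whether or not
    the firewall let a given probe through.  The threshold is an assumption."""
    touched = defaultdict(lambda: {"ports": set(), "first": None, "last": None})
    for e in events:
        rec = touched[(e["src"], e["dst"])]
        rec["ports"].add(e["dport"])
        rec["first"] = e["ts"] if rec["first"] is None else min(rec["first"], e["ts"])
        rec["last"] = e["ts"] if rec["last"] is None else max(rec["last"], e["ts"])
    return sorted(
        (src, dst, len(r["ports"]), r["first"], r["last"])
        for (src, dst), r in touched.items() if len(r["ports"]) >= min_ports
    )


def whois(query, server="whois.arin.net", timeout=10):
    """Raw WHOIS (RFC 3912): connect to TCP port 43, send the query followed by
    CRLF, read until the server closes.  This is the network part of what Sam
    Spade's Whois button does.  ARIN is assumed as the first registry to ask;
    its reply refers you on when the block is registered elsewhere."""
    with socket.create_connection((server, 43), timeout=timeout) as s:
        s.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


if __name__ == "__main__":
    for src, dst, n, first, last in find_scanners(parse_log(SAMPLE_LOG)):
        print(f"{src} probed {n} ports on {dst} between {first} and {last}")
        # print(whois(src))  # needs network access; look up the abuse contact
```

The tuple find_scanners returns is, in effect, the body of an abuse report: the source, the target, how many ports it tried, and when. Whois on the source then tells you which organization to send that report to.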
Network security is obviously critical at this stage in the IT game. To be successful, you should have many tools at your disposal. The tools we’ve looked at here, combined with your security policy and firewall, will help you keep your network secure. Do you have tools that you use in your toolbelt that are not listed in this post? If so, please share in the discussion below.