
What is in your security toolbelt?


With the increasing demands of today’s network security, more and more network professionals are looking for ways to quickly locate and fix holes in their security matrix. Network security is not just about implementing a firewall and then leaving it alone. You should be auditing, reviewing logs, running scans, and developing good security policies that will keep your network protected. This article will show you some tools that can help you manage network security in a Windows network.

Port scanners

A port scanner will probe your system for open TCP and UDP ports. This is a good tool to help you determine what ports you may or may not need to keep open on your firewall and routers. It will also help you determine whether you have any active Trojans (placed by hackers) on your system that are listening on open ports. Here are two port scanners that will help you identify open ports on your systems.

SuperScan

SuperScan is a free download that allows you to check a range of ports or to scan a range of IP addresses. It comes with a slick and easy-to-use GUI, as shown in Figure A.

FScan

FScan is a command-line port scanner (Figure B) that allows you to scan ports and redirect the results to a text file of your choice. In addition to scanning TCP ports, you can scan UDP ports. This tool can scan over 200 ports per second.

TCP/IP tools in Windows

When administering security, you need to have a good grasp of the basic TCP/IP tools. The following are command-line TCP/IP tools that are built into Windows NT/2000:

Netstat—Windows administrators should be very familiar with this tool. It can quickly tell you what TCP and UDP ports are in use on a system. From the command line, simply type netstat -a for a list of open and listening ports, such as the one shown in Figure C.

Ipconfig—This utility displays the TCP/IP configuration of your computer. Type ipconfig /all, as shown in Figure D, to display the TCP/IP configuration.

Ping—Everyone should be familiar with the Ping command. It allows you to test network connectivity between a host system and another system using the IP address, NetBIOS name, or host name. The syntax is simply ping [hostname, IP address, or NetBIOS name].

Tracert—This utility goes a step further than Ping by allowing you to trace the hops between one system and a destination system (Figure E). It is helpful in determining where your connection is failing along the way to its destination. You invoke this tool using tracert [domain name, hostname, IP address, or NetBIOS name].

Nslookup—This utility allows you to gather valuable host, IP address, and domain information (Figure F). You can use this command by entering nslookup [fully qualified domain name or IP address] or by simply issuing the command nslookup, which will take you into interactive mode (with the > prompt). At that point, you can enter just the IP address or fully qualified domain name. Interactive mode is best to use when you're doing multiple lookups.

In addition to the above command-line tools, the following tools may also be useful:

TcpView—This utility is a free download that basically gives you the same information as Netstat but lets you view it graphically.

TDimon—This utility shows you TCP and UDP activity in real time on the system that is being monitored (Figure G).

Fport—This little tool displays all TCP and UDP ports and maps them to their owning application. This tool can aid you in determining what ports to open or close on your firewall.

Network security scanner

After using some of the tools recommended above, you can add another level of protection to your network by downloading a security scanner. Scanners look for security holes and vulnerabilities and display the results. Two of my favorite security scanners are RealSecure Network Protection from Internet Security Systems and NetIQ Security Analyzer from WebTrends.
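The inventory that Netstat and Fport give you is only useful against a known baseline. The script below, added here as an example and not part of the original article or any of the tools it names, parses netstat -ano output (a constructed sample is embedded; the -o switch adds the owning PID), keeps the sockets that accept inbound traffic, and reports any listener that is not on an assumed allowlist of expected ports.

```python
import subprocess
import sys

# Constructed sample of `netstat -ano` output; not captured from a real host.
# The TCP/31337 and UDP/5353 entries stand in for listeners nobody planned.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1212
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       4488
  TCP    192.168.1.10:49712     192.168.1.20:445       ESTABLISHED     4
  UDP    0.0.0.0:137            *:*                                    4
  UDP    0.0.0.0:5353           *:*                                    4488
"""

# Assumed baseline for this host (constructed): RPC, SMB, RDP and NetBIOS name service.
BASELINE = {("TCP", 135), ("TCP", 445), ("TCP", 3389), ("UDP", 137)}


def parse_listeners(netstat_output):
    """Return {(proto, port): pid} for sockets that accept inbound traffic:
    TCP sockets in LISTENING state and every bound UDP socket."""
    listeners = {}
    for line in netstat_output.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank line or "Active Connections"
        proto = parts[0]
        port = int(parts[1].rsplit(":", 1)[1])  # rsplit also handles [::]:135
        if proto == "TCP":
            if len(parts) < 5 or parts[3] != "LISTENING":
                continue  # established/closing sockets are not listeners
            pid = int(parts[4])
        else:
            pid = int(parts[3])  # UDP lines have no State column
        listeners[(proto, port)] = pid
    return listeners


def unexpected_listeners(listeners, baseline=BASELINE):
    """Listeners absent from the baseline, each with the PID that owns it
    (the same port-to-process mapping Fport produces)."""
    return sorted((p, port, pid) for (p, port), pid in listeners.items()
                  if (p, port) not in baseline)


def live_netstat():
    """Run netstat -ano on the local Windows host (only used with --live)."""
    return subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout


if __name__ == "__main__":
    text = live_netstat() if sys.platform == "win32" and "--live" in sys.argv else SAMPLE_NETSTAT
    for proto, port, pid in unexpected_listeners(parse_listeners(text)):
        print(f"unexpected {proto} listener on port {port}, owned by PID {pid}")
```

Run it without arguments to see the result on the constructed sample; with --live on a Windows host it reads the real netstat output, and the PIDs it prints can be matched to processes in Task Manager.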

These products will cost you some money, but they can save a lot of the time it would take you to manually find the holes in your network. They also can often point out things you would probably miss otherwise. This especially includes some security best practices that are not technically flaws or vulnerabilities. Both of these products can act like an in-house security consultant.

Packet sniffer

A packet sniffer grabs packets off your network and allows you to analyze them at a basic level. Windows 2000 Server comes with a built-in sniffer called Network Monitor. You can install it from the Add/Remove Components applet in the Control Panel, if it is not already installed. After installation, you can use the analyzer to sniff packets on your network for any suspicious activity, such as DoS attacks and other hacker exploits.

Sam Spade

Another useful—and free—resource is the Sam Spade tool and Web site. This is probably one of the most robust and helpful sites on the Internet for gathering network information. Sam Spade allows you to find out a ton of information about an IP address or FQDN. Let’s say, for example, that in one of my security logs I discovered an IP address that was repeatedly scanning my systems (most likely a hacker trying to find open ports and vulnerabilities). I could take this IP address and do a Whois query and/or a Dig query to find out more about where the attacker is coming from and try to take action against the person via his or her company or ISP.
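Spotting the "IP address that was repeatedly scanning my systems" is the step before the Whois query. The script below is an added example, not part of the article or of Sam Spade; it reads constructed firewall log lines in an assumed space-separated format and flags any source that probed at least five distinct ports on one host within a five-minute window, which are the addresses worth looking up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in an assumed format (not any real product's):
# date time action proto src-ip dst-ip src-port dst-port
# 203.0.113.5 walks eight ports in three seconds; 198.51.100.7 is ordinary traffic.
SAMPLE_LOG = """\
2001-05-02 10:14:01 DROP TCP 203.0.113.5 192.168.1.10 2345 21
2001-05-02 10:14:01 DROP TCP 203.0.113.5 192.168.1.10 2346 22
2001-05-02 10:14:02 DROP TCP 203.0.113.5 192.168.1.10 2347 23
2001-05-02 10:14:02 DROP TCP 203.0.113.5 192.168.1.10 2348 25
2001-05-02 10:14:03 DROP TCP 203.0.113.5 192.168.1.10 2349 80
2001-05-02 10:14:03 DROP TCP 203.0.113.5 192.168.1.10 2350 139
2001-05-02 10:14:04 DROP TCP 203.0.113.5 192.168.1.10 2351 443
2001-05-02 10:14:04 DROP TCP 203.0.113.5 192.168.1.10 2352 445
2001-05-02 10:15:30 OPEN TCP 198.51.100.7 192.168.1.10 1050 80
2001-05-02 10:15:31 OPEN TCP 198.51.100.7 192.168.1.10 1051 80
2001-05-02 11:40:00 DROP TCP 198.51.100.7 192.168.1.10 1052 22
"""


def parse_log(text):
    """Return (timestamp, src_ip, dst_ip, dst_port) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8:
            continue
        ts = datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S")
        events.append((ts, f[4], f[5], int(f[7])))
    return events


def find_scanners(events, window=timedelta(minutes=5), min_ports=5):
    """Sources that touched at least min_ports distinct destination ports on a
    single host inside one sliding window. Returns {src_ip: sorted ports}."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in sorted(events):  # chronological per (src, dst)
        by_pair[(src, dst)].append((ts, dport))
    hits = {}
    for (src, dst), seq in by_pair.items():
        for i, (start, _) in enumerate(seq):
            ports = {p for t, p in seq[i:] if t - start <= window}
            if len(ports) >= min_ports:
                hits[src] = sorted(ports)
                break  # one qualifying window is enough to report this source
    return hits


if __name__ == "__main__":
    for src, ports in find_scanners(parse_log(SAMPLE_LOG)).items():
        print(f"{src} probed ports {ports}; candidate for a Whois/Dig lookup")
```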

Sam Spade includes a number of other useful tools. I recommend that you read the article "Sam Spade: The Swiss Army Knife of network analysis" and spend some time working with Sam Spade to get to know all of the features it offers. You will get to read some of Jason Hiner's retro material back before he became famous.

Network security is obviously critical at this stage in the IT game. To be successful, you should have many tools at your disposal. The tools we've looked at here, combined with your security policy and firewall, will help you keep your network secure. Do you have tools that you use in your toolbelt that are not listed in this post? If so, please share in the discussion below.
11 comments
Doug Vitale

Nmap, Nessus, Retina, Angry IP Scanner, SuperScan, Wireshark, netcat, the list goes on. The tools you use are determined by the computing environment (operating systems, databases, web servers, etc). I agree with the other poster that Nmap is a glaring omission from this article. I wrote blog posts on several of the tools mentioned, for those interested. SuperScan: http://dougvitale.wordpress.com/2011/11/03/mcafee-superscan/ TCP/IP tools: http://dougvitale.wordpress.com/2011/12/11/troubleshooting-faulty-network-connectivity-part-2-essential-network-commands/ SamSpade: http://dougvitale.wordpress.com/2011/11/21/samspade-and-samspade-org/

KeReleaseSpinLock

FREE from Microsoft Download area. Network Monitor 3.1 is a protocol analyzer. It allows you to capture network traffic, view and analyze it. Version 3.1 is an update and replaces Network Monitor 3.0. Network Monitor 3.x is a complete overhaul of the previous Network Monitor 2.x version. Cheers, PANIC_STACK_SWITCH

jmgarvin

Wow...I can't imagine a list without those...

IT cowgirl

Thanks for the blog post! We sometimes forget the simple basics when we get caught up using so many software tools available. It is really nice to see an article about the basic tools we should use every day. Great work!

thamilton

In my opinion, wireshark and ettercap are much better sniffers than Network Monitor is. Its capability to allow custom filters lets you use the sniffer for more than just sniffing.

Steven S. Warren

You just put it there lol. Can you put a link out for our peops?

snideley59

As a name anyway. I've never used ettercap. Netmon is just sniffer lite.

fortinw4

Kushinara Incoming! is a great program that allows you to sniff packets NOT ONLY on a hardwired connection but on a wireless connection as well, something Ethereal, Wireshark, or most other intrusion detection tools won't allow you to do. Download it here for free: http://packet-sniffer.kushinara.com/

snideley59

If you look at the source code, the OS detection portion looks at how the target box responds to "wacky packets", or TCP packets that don't occur naturally like SYN ACK RST (or something like that) flags set. Very cool. And really fast. A must have. I'm not very familiar with it on the Windows side, but on the *nix side, it's wonderful.

wdewey@cityofsalem.net

I have browsed the insecure.org a number of times and I am always amazed about how much info they have on network security. I highly recommend anyone looking to learn more about network security take a look at this site. Nmap is one of the best tools I have seen. It has more capability than I will ever use. I especially like the OS detection feature. This is something that I haven't really seen elsewhere and I find it is accurate on all major operating systems. Bill