Network administrators and information systems departments: Has your budget been cut in the current economic downturn? If so, that's no excuse for not testing your company's network security.
At the RSA Data Security Conference in San Francisco earlier this month, some of the most popular sessions focused on the free technologies that can help companies find holes in their network, keeping intruders and viruses out and sensitive data in. The upshot: While some software packages cost tens of thousands of dollars, you needn't think you have to break the bank to check your network security. "The right free tools can certainly rival some of the paid tools out there," said George McBride, network security manager of Lucent Technologies' Asia Pacific division, during a packed session at the conference.
By using free vulnerability assessment tools, network administrators can not only verify the accuracy of a company's existing security software, McBride said, but they can also show executives whether they should allot more of the budget to security products.
Before striking out in search of free assessment tools online, McBride recommended that network administrators start by studying their company's security policy to learn more about the data and computer systems that employees, suppliers, partners and customers should be able to access. Then they should determine exactly how data is created, stored, accessed and backed up, and interview anyone who might be affected by a breach of security. That includes system administrators, Webmasters, content managers, application developers, help desk personnel and corporate security officers. Next, they should assess the physical security of the office by checking card-key access logs and video cameras, to see whether guards are always on duty and whether employees use screensavers. They should also note if passwords have been left in easy-to-find locations and if sensitive documents are left on desks.
After doing this, the security assessment can be as extensive or minimal as the company wants.
While the corporate network may use a firewall and intrusion-detection software, modems are lone islands and, thus, relatively insecure. Therefore, a good place to start is with modem-assessment software, which checks the security of desktops, McBride said, by identifying the modems in operation and the systems they're attached to.
The next step is to check the network using free network or traffic sniffers, network mappers, port scanners and Web or database scanners.
Network Sniffers
Network sniffers capture the traffic passing over the network, allowing network administrators to watch for suspicious traffic. Sniffers for Linux systems can be found at TCPDump.org, and sniffers for Windows systems can be found at a University of California at Berkeley-run site. McBride recommended keeping a log of the traffic.
Network Mappers
These tools can create a visual representation of the computers on a network to help an administrator better monitor activity. Programs like Cheops NG can help generate a network diagram, albeit with a lot of manual labor.
Scanners
Using a port scanner, a network administrator can send queries to Internet servers, called hosts, to determine which services the hosts offer, such as e-mail or telnet, and learn how secure the host is. The Network Mapper is a tool for port-scanning large networks, though it also works for single hosts.
Also available are an NT version of a port scanner, an accurate, easy-to-use TCP scanner called SuperScan and a Windows scanner.
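The check a port scanner performs can be tied back to the security policy reviewed at the start of the assessment. The following is an added example, not code from the article or from any tool it names: it tests which TCP ports on a host you administer accept connections and compares them with the services the policy allows. The allowlist and the loopback listeners are constructed for the demonstration.

```python
import socket

def open_ports(host, ports, timeout=0.5):
    """Return the subset of `ports` that accept a TCP connection on `host`."""
    found = set()
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            # connect_ex returns 0 when the handshake completes, an errno otherwise
            if s.connect_ex((host, port)) == 0:
                found.add(port)
    return found

def audit(host, ports, allowed):
    """Compare the ports found listening with the policy allowlist."""
    observed = open_ports(host, ports)
    return {
        "observed": sorted(observed),
        "unexpected": sorted(observed - allowed),  # listening, not in policy
        "missing": sorted(allowed - observed),     # in policy, not answering
    }

def demo():
    """Constructed scenario: two loopback listeners, policy approves only one."""
    listeners = []
    for _ in range(2):
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.bind(("127.0.0.1", 0))  # let the OS pick a free port
        srv.listen(1)
        listeners.append(srv)
    approved, rogue = (s.getsockname()[1] for s in listeners)
    try:
        report = audit("127.0.0.1", [approved, rogue], {approved})
        return report, approved, rogue
    finally:
        for s in listeners:
            s.close()

if __name__ == "__main__":
    report, approved, rogue = demo()
    print(f"approved={approved} rogue={rogue} report={report}")
```

The "unexpected" list is the part worth showing to management: each entry is a service the policy never approved.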
McBride strongly recommended the Nessus remote security scanner. It requires a computer running Linux or Unix, and although the installation can be cumbersome and the documentation is light, there are lots of mailing list archives containing helpful information, according to McBride.
Other Web server assessment tools are available at Apache.org and through Microsoft. Meanwhile, database scanners will perform brute-force dictionary attacks against all kinds of databases. Cerberus (now @Stake) has a database scanner, and more information and links to SQL Server security checklists can be found at SQLSecurity.com.
In addition to citing these specific tools, McBride offered some general advice about conducting vulnerability assessments: Be careful





