Tools That Augment Your Firewall Protection
If you already have a firewall installed, you should spend some time testing it. Just assuming that your firewall works is as bad as not having a firewall at all. Use these tools on your own network only or with the permission of the network's owner. Just as your employer would not appreciate your trying to open the office safe for educational purposes, most network owners would not appreciate the use of these tools on their networks by unauthorized people and may respond accordingly.
Sam Spade is one of the most comprehensive network investigation tools in existence. It comes as both an online version and a downloadable version that you can install on your computer. Sam Spade acts as a sleuth that finds as much public information about an IP address or DNS address as you can imagine. Suppose that your logs show that someone tried to scan your network for open ports and the log lists the potential intruder's IP address. No problem — Sam Spade to the rescue!
You can use Sam Spade to find more information about the IP address, such as who the address is registered to and the route between your computer and the computer at the remote IP address. Then you can query the registration records for this IP address and find out the Internet Service Provider (ISP) who owns the IP address, including the contact information. This is just one example of the many tools included with Sam Spade that you can use to track down information. Check it out for yourself by using the online tool or by downloading the free standalone Windows version. However, be prepared to spend a little time becoming familiar with the features of this tool, which is not always very intuitive.
Nmap is one of the best port scanners available. It checks your computers or firewalls to see which ports are open and then reports the results. Hackers use port scanners to probe systems for TCP ports on which there is a reply. After an open TCP port has been located, the hacker can try to break into the computer by using this port. Like many tools that hackers may find useful, a port scanner is also of tremendous value to anyone who wants to secure a network. You can use a port scanner to check for open ports that may signal vulnerabilities.
The strength of Nmap is that it uses a number of different techniques to map a network — some of which are rather sneaky and are designed to bypass detection. Nmap can do a number of other things, too. It uses specially crafted IP packets to bypass some protection mechanisms and it uses the responses to these packets to make an educated guess about what hosts are running on your network, what operating system they are running, and how firewalls are configured. Nmap runs on Windows and several Linux versions, and it's free.
To test your firewall, run a port scan against it and make sure that your firewall replies only on those ports that you have set up for authorized connections from the Internet into your network. You can configure Nmap to check any range of ports, and you can even tell it to scan an entire range of IP addresses, so you can check your entire network at once. You can download this program from Nmap.Just make sure that you run a port scan against only computers on which the owner has given you permission to do so. Running this tool against other computers may result in your getting reported to your ISP — which may cancel your account.
Netstat is a TCP/IP tool that comes with most versions of Windows and UNIX. It's the quickest way to check what TCP and UDP ports are in use on a computer. Best of all, because it's a built-in utility, it's available on most computers. You don't need to download anything. After you use Netstat to provide a list of ports in use, you can check to see whether all of them should indeed be in use. The output from the netstat command can also give you pointers to programs that are running on your computer and that may present vulnerability. In addition, you can use Netstat to list all current connections that your computer has established to other computers, as well as what incoming connections exist. You get results about both open connections and listening ports by using the –a option, as in netstat–a. Because Netstat is most likely included with your operating system, you can use it directly from a command line.
Sometimes the Netstat command takes some time to complete because it tries to resolve all IP addresses to DNS names. You can speed up the operations by using the –n option, as in netstat–n, which instructs Netstat to skip the time-consuming name lookups and just show IP addresses.
Despite its funny name, Snort is a capable intrusion detection system that works well on smaller networks. Snort performs real-time network traffic logging and analysis. For example, you can configure Snort to capture all packets on a network segment and scan them for the telltale signs of intrusion attempts. Although Snort is very capable, you should be prepared to spend some time learning how to use it. Also, if you want to customize Snort to look for newly discovered attacks, you may have to spend additional time configuring and customizing it. Snort is available for Windows and several UNIX platforms.
Before you run Snort, make sure that you either own the network that you run it on or that you have permission from the network's owner or administrator. Snort captures all network traffic that could potentially be used for illegitimate purposes. Because of this, many organizations have strict policies on the use of such tools; usually, only network administrators are authorized to use them. Snort works well on smaller networks, but is not designed for larger networks. If you find that your intrusion detection needs go beyond the capabilities of this program, you should evaluate other intrusion detection systems, such as RealSecure by Internet Security Systems.
Internet Scanner, a product from Internet Security Systems (ISS), is a network security scanner. It scans computers on your network for known vulnerabilities. This may include problems, such as misconfigured Web servers or user accounts with weak passwords. Unlike an intrusion detection system, which performs real-time analysis based on actual network traffic, Internet Scanner gives you an assessment for your current system configuration, either for a single computer or for an entire network.