There are many tools available to test the security of systems and networks. Some of these tools are open source while others are commercial tools that require licensing.
Software tools that can be used to perform network testing include:
- Nmap/Zenmap – This is used to discover computers and their services on a network, therefore creating a map of the network.
- SuperScan – This port scanning software is designed to detect open TCP and UDP ports, determine what services are running on those ports, and to run queries, such as whois, ping, traceroute, and hostname lookups.
- SIEM (Security Information Event Management) – This is a technology used in enterprise organizations to provide real-time reporting and long-term analysis of security events.
- GFI LANguard – This is a network and security scanner which detects vulnerabilities.
- Tripwire – This tool assesses and validates IT configurations against internal policies, compliance standards, and security best practices.
- Nessus – This is vulnerability scanning software that focuses on remote access, misconfigurations, and DoS against the TCP/IP stack.
- L0phtCrack – This is a password auditing and recovery application.
- Metasploit – This tool provides information about vulnerabilities and aids in penetration testing and IDS signature development.
Note: Network testing tools evolve at a rapid pace. The preceding list includes legacy tools, and its intent is to provide an awareness of the different types of tools available.
Nmap and Zenmap
Nmap is a commonly used, low-level scanner that is available to the public. It has an array of excellent features that can be used for network mapping and reconnaissance.
The basic functionality of Nmap allows the user to accomplish several tasks, as follows:
- Classic TCP and UDP port scanning – This searches for different services on one host.
- Classic TCP and UDP port sweeping – This searches for the same service on multiple hosts.
- Stealth TCP and UDP port scans and sweeps – These are similar to classic scans and sweeps, but harder for the target host or an IPS to detect.
- Remote operating system identification – This is also known as OS fingerprinting.
Advanced features of Nmap include protocol scanning, known as Layer 3 port scanning. This feature identifies Layer 3 protocol support on a host. Examples of protocols that can be identified include GRE and OSPF.
While Nmap can be used for security testing, it can also be used for malicious purposes. Nmap has an additional feature that allows it to use decoy hosts on the same LAN as the target host, to mask the source of the scan.
Nmap has no application layer features and runs on UNIX, Linux, Windows, and OS X. Both console and graphical versions are available. The Nmap program and Zenmap GUI can be downloaded from the internet.
SuperScan
SuperScan is a Microsoft Windows port scanning tool. It runs on most versions of Windows and requires administrator privileges.
SuperScan version 4 has a number of useful features:
- Adjustable scanning speed
- Support for unlimited IP ranges
- Improved host detection using multiple ICMP methods
- TCP SYN scanning
- UDP scanning (two methods)
- Simple HTML report generation
- Source port scanning
- Fast hostname resolution
- Extensive banner grabbing capabilities
- Massive built-in port list description database
- IP and port scan order randomization
- A selection of useful tools, such as ping, traceroute, and whois
- Extensive Windows host enumeration capability
Tools such as Nmap and SuperScan can provide effective penetration testing on a network and determine network vulnerabilities while helping to anticipate possible attack mechanisms. However, network testing cannot prepare a network administrator for every security problem.
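The following Python script is an added example, not code from the original text or from the Nmap project. It parses the XML report that Nmap writes with -oX and compares each live host's open ports against a baseline of approved services, which is how a defender turns the "map of the network" described above into a list of unexpected exposures to follow up on. The XML sample, the baseline and the addresses are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed Nmap XML output in the shape `nmap -oX` produces; not a real scan.
NMAP_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows Server 2016" accuracy="96"/></os>
  </host>
  <host><status state="up"/><address addr="10.0.0.9" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="23"><state state="closed"/><service name="telnet"/></port>
      <port protocol="udp" portid="161"><state state="open|filtered"/><service name="snmp"/></port>
    </ports>
  </host>
  <host><status state="down"/><address addr="10.0.0.12" addrtype="ipv4"/></host>
</nmaprun>"""

# Hypothetical baseline: the (protocol, port) pairs each host is approved to expose.
BASELINE = {"10.0.0.5": {("tcp", 22), ("tcp", 80)}, "10.0.0.9": {("tcp", 22)}}

def parse_nmap_xml(xml_text):
    """Return {ip: {"os": name_or_None, "open": {(proto, port), ...}}} for hosts that are up."""
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        if host.find("status").get("state") != "up":
            continue  # down hosts carry no port data worth inventorying
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        open_ports = set()
        for port in host.findall("ports/port"):
            # Nmap reports UDP as "open|filtered" when nothing answers; treat that as exposed.
            if port.find("state").get("state") in ("open", "open|filtered"):
                open_ports.add((port.get("protocol"), int(port.get("portid"))))
        osmatch = host.find("os/osmatch")  # present only when OS fingerprinting ran and matched
        hosts[ip] = {"os": osmatch.get("name") if osmatch is not None else None, "open": open_ports}
    return hosts

def unexpected_services(hosts, baseline):
    """Open ports absent from the baseline: the findings a defender investigates first."""
    extras = {ip: info["open"] - baseline.get(ip, set()) for ip, info in hosts.items()}
    return {ip: sorted(ports) for ip, ports in extras.items() if ports}

if __name__ == "__main__":
    for ip, extra in unexpected_services(parse_nmap_xml(NMAP_XML), BASELINE).items():
        print(ip, "exposes unexpected services:", extra)
```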
SIEM
Security Information Event Management (SIEM) is a technology used in enterprise organizations to provide real-time reporting and long-term analysis of security events. SIEM evolved from two previously separate products: Security Information Management (SIM) and Security Event Management (SEM). SIEM can be implemented as software, integrated with Cisco Identity Services Engine (ISE), or as a managed service.
SIEM combines the essential functions of SIM and SEM to provide:
- Correlation – Examines logs and events from disparate systems or applications, speeding detection of and reaction to security threats.
- Aggregation – Reduces the volume of event data by consolidating duplicate event records.
- Forensic analysis – The ability to search logs and event records from sources throughout the organization provides more complete information for forensic analysis.
- Retention – Correlated and aggregated event data is retained and presented in real-time monitoring and long-term summaries.
SIEM provides details on the source of suspicious activity, including:
- User information (name, authentication status, location, authorization group, quarantine status)
- Device information (manufacturer, model, OS version, MAC address, network connection method, location)
- Posture information (device compliance with corporate security policy, antivirus version, OS patches, compliance with mobile device management policy)
Using this information, network security engineers can quickly and accurately assess the significance of any security event and answer the critical questions:
- Who is associated with this event?
- Is it an important user with access to intellectual property or sensitive information?
- Is the user authorized to access that resource?
- Does the user have access to other sensitive resources?
- What kind of device is being used?
- Does this event represent a potential compliance issue?
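The SIEM functions described above (aggregation, correlation, and enrichment with user, device and posture information) as an added Python example that is not part of the original text or of any SIEM product: constructed firewall and authentication events are de-duplicated into counted records, grouped by source address across both log sources, and the resulting incident is enriched from a hypothetical identity table so the "who is associated with this event?" questions can be answered.

```python
from collections import Counter, defaultdict

# Constructed events from two sources (a firewall and an authentication server); not real logs.
EVENTS = [
    {"src": "fw", "ip": "203.0.113.7", "msg": "deny tcp dst 10.0.0.5:3389"},
    {"src": "fw", "ip": "203.0.113.7", "msg": "deny tcp dst 10.0.0.5:3389"},
    {"src": "fw", "ip": "203.0.113.7", "msg": "deny tcp dst 10.0.0.5:3389"},
    {"src": "auth", "ip": "203.0.113.7", "msg": "login failed user=jsmith"},
    {"src": "auth", "ip": "203.0.113.7", "msg": "login failed user=jsmith"},
    {"src": "auth", "ip": "203.0.113.7", "msg": "login success user=jsmith"},
    {"src": "fw", "ip": "198.51.100.4", "msg": "deny tcp dst 10.0.0.9:22"},
    {"src": "auth", "ip": "10.0.0.20", "msg": "login success user=agarcia"},
]

# Hypothetical user/device/posture context of the kind an ISE integration would supply.
CONTEXT = {
    "jsmith": {"group": "finance", "sensitive_access": True,
               "device": "Windows 10 laptop", "posture": "non-compliant"},
    "agarcia": {"group": "helpdesk", "sensitive_access": False,
                "device": "iPad", "posture": "compliant"},
}

def aggregate(events):
    """Aggregation: collapse identical records into one record carrying a count."""
    return Counter((e["src"], e["ip"], e["msg"]) for e in events)

def correlate(aggregated):
    """Correlation: group the aggregated records by source IP across both log sources."""
    by_ip = defaultdict(list)
    for (src, ip, msg), count in aggregated.items():
        by_ip[ip].append((src, msg, count))
    return by_ip

def find_incidents(by_ip, context):
    """Flag a source that fails logins repeatedly and then succeeds; enrich with user context."""
    incidents = []
    for ip, recs in by_ip.items():
        fails = sum(n for src, msg, n in recs if src == "auth" and "login failed" in msg)
        successes = [msg for src, msg, n in recs if src == "auth" and "login success" in msg]
        if fails >= 2 and successes:
            user = successes[0].split("user=")[1]
            incidents.append({"ip": ip, "user": user, "failed_logins": fails,
                              "fw_denies": sum(n for src, msg, n in recs if src == "fw"),
                              **context.get(user, {})})
    return incidents

if __name__ == "__main__":
    for incident in find_incidents(correlate(aggregate(EVENTS)), CONTEXT):
        print(incident)
```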