Firewalls

A firewall is a system or group of systems that enforces an access control policy between two networks. The actual means by which this is accomplished varies widely, but in principle the firewall can be thought of as a pair of mechanisms: one which exists to block traffic, and the other which exists to permit traffic. Some firewalls place a greater emphasis on blocking traffic, while others emphasise permitting traffic. Probably the most important thing to recognise about a firewall is that it implements an access control policy. If you don't have a good idea what kind of access you want to permit or deny, or you simply permit someone or some product to configure a firewall based on what they or it think it should do, then they are making policy for your organisation as a whole.
Free Firewall tools on the Internet:

- The TIS Firewall Toolkit: Provides basic firewall functionality, running on most Unix systems.
- IPChains: Provides basic packet filtering and Network Address Translation (NAT) on Linux systems. IPChains is included with most (probably all) versions of Linux. The reference above points to a great technical introduction to IPChains.
- IPFW: Similar to IPChains, but runs on FreeBSD. The reference points to another great introduction to firewalls in general and IPFW in particular.
System Hardening Tools

As the name implies, System Hardening Tools take standard machines and harden them against attack. The hardening process may involve the provision of improved logging, better detection of attacks and the blocking of unneeded services. In addition to the tools themselves, links to some excellent documentation on the hardening process itself are provided.
Free System Hardening Tools on the Internet:

- Tripwire: Allows the easy detection of changed files on a system. The tool is run once when the system is installed and known to be 'clean', then at intervals afterwards. Results of the clean run are compared to later runs, and differences reported. A great way to spot 'after the fact' damage and intrusions.
- TCP Wrappers: The tcp_wrapper package by Wietse Venema. Allows monitoring and control over who connects to a host's ports/services. Often supplied as standard with many modern operating systems, but rarely configured by default!
- SATAN: The System Administrator Tool for Analysing Networks is a network security analyser designed by Dan Farmer and Wietse Venema. SATAN scans systems connected to the network, noting the existence of well known, often exploited vulnerabilities. SATAN provides basic advice about the problem and how best to fix it.
- SAINT: The Security Administrator's Integrated Network Tool, an updated and enhanced version of SATAN. Produces easy to read HTML output.
- PortSentry: A program designed to detect and respond to port scans against a target host in real time. Great for spotting potential attacks as they happen.
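The Tripwire entry above describes a 'clean run, later runs, report the differences' model. The following is an added illustration of that model in Python (not Tripwire's own code); the directory tree and its files are constructed inline so the script runs offline:

```python
"""Tripwire-style file integrity check (added illustration, not Tripwire's code).

snapshot() records a SHA-256 digest, size and permission mode for every regular
file under a root; compare() diffs a later snapshot against the baseline and
reports added, removed and modified paths.
"""
import hashlib
import os
import stat
import tempfile


def snapshot(root):
    """Return {relative_path: (sha256_hex, size, mode)} for regular files under root."""
    entries = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets and devices; only content files are hashed
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            entries[os.path.relpath(full, root)] = (h.hexdigest(), st.st_size, stat.S_IMODE(st.st_mode))
    return entries


def compare(baseline, current):
    """A file is 'modified' if its digest, size or mode differs from the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a tiny tree, alter it, then re-check."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "login"), "wb") as fh:
            fh.write(b"original login binary")
        with open(os.path.join(root, "passwd"), "wb") as fh:
            fh.write(b"root:x:0:0::/root:/bin/sh\n")
        baseline = snapshot(root)  # the 'clean' run
        with open(os.path.join(root, "bin", "login"), "wb") as fh:
            fh.write(b"replaced login binary")  # same length: size alone would not catch this
        os.remove(os.path.join(root, "passwd"))
        with open(os.path.join(root, "unexpected.ko"), "wb") as fh:
            fh.write(b"new file")
        return compare(baseline, snapshot(root))  # a later run
```

In a real deployment the baseline itself must be stored off the host, or on read-only media, or an intruder can simply regenerate it after making changes.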
Intrusion Detection Systems

Intrusion Detection Systems (IDS) collect raw network data and analyse it (often in real time) looking for known attack patterns and other 'unusual' events. They generally consist of two parts: a probe which collects the raw network packets (similar to a 'sniffer'), and an analysis station which scans the captured data and produces user output. IDS are an excellent way of gathering evidence of attack/abuse for use in later legal proceedings.
Free IDS on the Internet:

- Snort: Snort is a lightweight network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
- Shadow: Part of the output of the CIDER (Cooperative Intrusion Detection Evaluation and Response) Project carried out by NSWC Dahlgren, NFR, NSA and the SANS community. Very similar to SHADOW in operation, though some say slightly more flexible.
Log monitoring and Reporting tools

There are probably tens of log monitoring tools and hundreds of log reporting tools in existence, probably due to the fact that nearly everyone appears to want something different, and they are particularly simple to write using tools like Perl. We simply introduce a representative 'best of breed' selection here.

We recommend you take a look at this excellent document by Lance Spitzner explaining why log monitoring is important, and how relatively simple it is to do.
Free Log Tools on the Internet:

- Logcheck: Another handy program from Psionic.com, created to help in the processing of UNIX system logfiles. Works great with Psionic.com's own PortSentry, Wietse Venema's TCP Wrapper and the Firewall Toolkit by Trusted Information Systems Inc. (TIS). Useful for reporting on common operating system security violations and other strange events.
- SWATCH: SWATCH, "The Simple WATCHer and filter", is a Perl program developed by Todd Atkins that monitors your logs in real time. Swatch monitors your logs for specific triggers; when those triggers are matched, swatch notifies you in a pre-determined manner.
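SWATCH's model above is 'trigger matched, notify in a pre-determined manner'. The following is an added Python illustration of that model (not SWATCH's or Logcheck's code); the syslog-style lines are constructed, and the trigger names and actions are made up for the example:

```python
"""SWATCH-style log trigger scanner (added illustration, not SWATCH's own code).

Each trigger pairs a regex with the action it should raise.  A count-based
trigger is included so a burst of failed logins from one source is reported
once, on reaching the threshold, rather than once per line.
"""
import re
from collections import Counter

# Constructed syslog-style lines standing in for /var/log/messages
SAMPLE_LOG = """\
Mar  3 10:01:12 gw sshd[2201]: Failed password for root from 192.0.2.45 port 4021 ssh2
Mar  3 10:01:14 gw sshd[2201]: Failed password for root from 192.0.2.45 port 4022 ssh2
Mar  3 10:01:15 gw sshd[2201]: Failed password for root from 192.0.2.45 port 4023 ssh2
Mar  3 10:02:30 gw su: BAD SU alice to root on /dev/pts/1
Mar  3 10:03:02 gw portsentry[411]: attackalert: Connect from host: 192.0.2.45/192.0.2.45 to TCP port: 143
Mar  3 10:04:00 gw sshd[2210]: Accepted publickey for alice from 198.51.100.7 port 50022 ssh2
"""

# (trigger name, pattern, action); the action labels would map to mail/pager/etc. in a real setup
TRIGGERS = [
    ("bad_su", re.compile(r"\bBAD SU (\S+) to (\S+)"), "mail"),
    ("portsentry", re.compile(r"attackalert: Connect from host: (\S+) to (TCP|UDP) port: (\d+)"), "page"),
]
# Threshold trigger: this many failed logins from one source address
FAILED_LOGIN = re.compile(r"Failed password for (\S+) from (\d+\.\d+\.\d+\.\d+)")
FAILED_THRESHOLD = 3


def scan(log_text):
    """Return the (name, action, details) alerts raised by the lines, in log order."""
    alerts = []
    failures = Counter()
    for line in log_text.splitlines():
        for name, pattern, action in TRIGGERS:
            m = pattern.search(line)
            if m:
                alerts.append((name, action, m.groups()))
        m = FAILED_LOGIN.search(line)
        if m:
            src = m.group(2)
            failures[src] += 1
            if failures[src] == FAILED_THRESHOLD:  # fire exactly once per source
                alerts.append(("ssh_failed_burst", "page", (src, FAILED_THRESHOLD)))
    return alerts
```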
Scanning Tools

Port Scanners are used to identify 'listening services' or 'ports' on a machine. By identifying which services are running on a server, hackers can formulate the best means of attack. Port Scanners are very useful as a security enhancing tool. Since hackers will almost certainly be running such scans against your machines, it's useful to know what they can see, and more importantly, that what they can see is what you expect. A simple audit of this type on your firewall and outward facing machines can save the considerable cost of cleaning up after an intrusion.
Free Port Scanners on the Internet:

- NMAP: A small extract from the NMAP website summarises things very nicely: "Nmap is a utility for network exploration or security auditing. It supports ping scanning (determine which hosts are up), many port scanning techniques (determine what services the hosts are offering), and TCP/IP fingerprinting (remote host operating system identification). Nmap also offers flexible target and port specification, decoy scanning, determination of TCP sequence predictability characteristics, sunRPC scanning, reverse-identd scanning, and more." It's the hacker's tool of choice, so it probably should be yours.
Network Sniffing Tools

Sniffers collect raw data from a network and present it in human readable form. They are useful for network debugging and protocol analysis, but their use is more commonly associated with hackers, particularly in password theft. Running a sniffer on your network is a great way of actually seeing what protocols are present, and of collecting evidence of abuse. There are many free sniffers to choose from, so we present a very small selection here.
Free Sniffers on the Internet:

- tcpdump: Tcpdump is distributed with most versions of Unix in one guise or other, so it's fair to assume it is widely available. It is continually updated and expanded, so even if you have it already, it may be worth downloading the source pointed to by the link above.
- NetWatch: Similar in function to tcpdump, but runs on NT and Win9x via a GUI frontend.
- AntiSniff: AntiSniff is a sniffer that detects sniffers ... the arms race continues :)
Free Password Checkers/Crackers

Password Checkers are tools that can be used to check that passwords meet whatever in-house criteria must be met (e.g. length, inclusion of special characters, etc.), or to crack existing passwords, thus enabling unauthorised access to a system. What you choose to call them is merely a question of emphasis. We present two of many here: one for Unix based systems, and one for Microsoft.
Free Password Checkers/Crackers on the Internet:

- Crack: The weapon of choice for Unix password cracking. Running Crack on password files on a regular basis is a great way of making sure you know about weak passwords before an intruder does.
- L0phtCrack: The weapon of choice for Microsoft password cracking. Though not strictly speaking a wholly free product (you can evaluate it for free for 15 days, then you must register for $100), it is unquestionably the best option for serious users.
Free Operating Systems

Free Operating Systems provide both a cheap and easy way to host tools, and to learn about security in general. Though some question the wisdom of using free OSs in a production environment, they are widely used and well supported. As noted above, both Linux and FreeBSD offer firewall functionality, and the majority of the tools mentioned have been ported to run on both platforms.
Free Operating Systems on the Internet:

- Linux: Linux is a free Unix-type operating system originally created by Linus Torvalds with the assistance of developers around the world. Developed under the GNU General Public License, the source code for Linux is freely available to everyone.
- FreeBSD: FreeBSD is an advanced BSD UNIX operating system for the Intel compatible (x86), DEC Alpha, and PC-98 architectures.
What does 'Free' really mean?

The term 'Free Software' covers a multitude of sins. In its simplest form, it can mean that the software is absolutely free in terms of cost, what you do with it, and who you allow to use it. In other circumstances, it may only be free if you are an educational institution, or use the software for non-commercial purposes.

In all but a few cases, the software mentioned above includes a licence that explains exactly what you can and cannot do with it. In other cases (particularly in source distributions) the licence may actually be contained in 'help' screens, or code comments.

It is absolutely vital that you take the time to read and understand this and all other documentation concerning a given tool. As with all software, it is the user's responsibility to make sure licensing terms are complied with.
Free Hardware! (...well almost)

Most of the tools mentioned above require very modest hardware for evaluation or lab environments, and marginally more for production.

Clearly, precise requirements will depend upon what you are trying to do, but as a rough guide: a basic Linux or FreeBSD based firewall or IDS can be successfully evaluated on very low-end Pentium-1 machines with a few hundred megs of disk space and upwards of 32MB of RAM. These are just the kind of desktop machines that many companies 'replace' every day, or that can be purchased for £200-£300 second hand.