Network Scanning

Network scanning and monitoring tools can help you find weaknesses in your network. Remember that the output from these tools contain information that could help hackers and intruders — so make sure to secure the results, either by encrypting them or copying them to a secure disk. Here are some useful open source tools for discovering points of vulnerability:

• nmap scans for ports and devices that are “listening”, or staying open to requests. Designed to rapidly scan large networks, this cross-platform utility can map out actual and potential communication channels.
• Nessus is a more targeted, proactive tool for network scanning. It actively sweeps the network, looking for viruses, flaws and other vulnerabilities based on plug-ins that you’ve given it.
• OS-SIM is a customisable architecture for monitoring all resources within your organisation. It tries to learn what is normal for your network, gathering information from everywhere into a centralised framework that improves your ability to detect intrusions.

File System Scanning

Evidence of a computer break-in can usually be found on the file system, especially if any back doors have been left open. By performing regular file-system checksums and saving the results, you can know about a break-in soon after it happens — allowing you to prevent intrusion on further systems. Open source tools for scanning the file system are:

• Tripwire detects changes by doing a checksum on every file on a computer. By running Tripwire on a daily basis, you can check for changes to files and directories that shouldn’t ever be changing.
• radmind is a client/server suite of command-line tools for administering the file systems of multiple UNIX machines. Like Tripwire, it detects changes to any managed file-system object. But radmind goes further: because it stores the client loadsets on the server, it can automatically check for changes and optionally roll back changes to the file system.

Network Intrusion Detection

By deploying an automated Network Intrusion Detection System (NIDS), you can take your eyes off the network, resting assured that the system will notify you in the event of intrusion. Open source NIDS include:

• Snort is a suite of UNIX tools that perform real-time traffic analysis and packet-logging on IP networks. Using user-defined preprocessors and rulesets for protocol analysis and content searching/matching, Snort can detect a variety of attacks and probes — such as stealth port scans, CGI attacks and OS fingerprinting attempts. When it discovers a suspicious packet, it can take a pre-defined action, including alerting an administrator.
• Spade is a powerful add-on to Snort that listens to each packet and assigns it a “suspiciousness” score using a statistical model. You can set a threshold score at which Spade will notify you about suspicious activity on your network. Spade also has a learning mode, similar to the Junk feature in Apple’s Mail application, that enables it to adjust the threshold score based on the traffic it detects.
• HenWen provides a Mac OS X GUI for Snort and Spade, enabling you to get a NIDS up and running quickly. That means you can configure software that scans network traffic for undesirable packets — no compiling or command-line use required.