Beginner's Guide: Open Source Network Security Tools

Transcription


With so many open-source tools available to help with network security, it can be tricky to figure out where to start, especially if you are an IT generalist who has been tasked with security. We all have to start somewhere. The question is, where?

The sheer number of open-source network security tools available can make it difficult to choose a place to start. This is complicated by the fact that most of these tools have a very steep learning curve, and can be hazardous to run on a production network. Let’s take a look at a few of the tools available, which will not only provide some answers, but also help you learn more about the topic.

Start small

We have all heard the advice to “start small” when trying to learn something new. Well, it’s hard to get smaller than the data packets themselves. Packet analysis is not only a good place to start on security, but it is also a good way to brush up on networking in general. This is a core skill set for any security professional.

While there are a number of tools out there for packet analysis, none of them compare to Wireshark. This utility is cross-platform, stable, and comes with a CLI peer application (Tshark) that uses all of the same filters and can be used to analyze from hosts without a UI. Wireshark also has a tremendous wealth of resources, including Documentation, References, and even Sample Captures to download and review.

This document is intended to include general information for beginners learning about Open Source Security Tools. Use of names of third-party companies in the document is for informational purposes only and does not constitute any endorsement by AT&T Cybersecurity (formerly AlienVault).

Discover the network around you

It’s often said, “You can’t manage what you can’t measure.” If you want to protect your network, it’s critical to start by learning what’s actually on it. A good network discovery tool should let you know not only what devices are on your network, but also what OS is running, what ports are listening, and as much detail on what services are listening on those ports as possible.

Among the many tools available, you’ll find a solid contender in Nmap. Nmap is a cross-platform command-line utility for network discovery and enumeration. This tool has an amazing amount of depth, with so many options available that entire books have been written on the switches for this tool. The Nmap team also blazed the trail on enumeration, with built-in flexibility for the type, depth, speed, and aggressiveness of scans.

Like Tshark, Nmap also has a partner cross-platform GUI, Zenmap, which provides a simpler UI but also displays the filters used in the command-line interface (CLI) as a learning aid. Documentation will also not be an issue with this utility, as Nmap has a very thorough documentation section on its site.

Catching the scent

Although most often considered a reactive tool, the network intrusion detection system (IDS) is still a valuable tool for preventing issues, as it can help you discover a variety of issues that other network security tools just do not see.

There are a number of good open source tools available, but these are actually one of the more difficult classes of tools to learn how to use effectively. The reason for this is that network IDS tools tend to walk the line on false positives, and the field of play is always changing. It’s like playing baseball on a field where the bases are on tracks that slide along.

Bro IDS, Snort, and Suricata are three capable network IDS tools for analyzing network traffic to detect targeted activity. These tools are better run from a server or workstation than on a mobile unit, because they require configuring port mirroring on the network infrastructure.

A good choice for learning these is to install either a standalone server or a SIEM that includes a network IDS, such as Security Onion. You can then use the same server when you move on to learning about correlation.

You can also install these as modules in some open source firewalls, such as pfSense. In this particular case, Snort would be an excellent option, as it has a much more robust selection of documentation available.

No open-door policy

While a good patch management policy will help address many vulnerability issues on your network, it will never be able to close all holes, and any door left open is much easier to walk through. For this reason, vulnerability testing is an absolute necessity for any network. This brings up an important set of points on vulnerability scanners.

Vulnerability scanner tips

Version analysis

While necessary, version analysis is not enough. Some vulnerability scanners check the advertised version of a service or system and compare it to a list of known versions. While this is important, it does not account for systems configured not to report version, or to deliberately misreport this information. Because of this fact, we need to scan for other factors.

Behavioral analysis

Behavioral analysis should also be a component of any scanner. Keep in mind, however, that BA does not account for features that are not currently enabled, or for conditional faults (our favorite conditional fault is a previous Internet Information Services (IIS) defect that is only exploitable if there is a folder with a 15-character or longer name starting with an “a” in the root of the public folder).

False positives may not be fun, but they are much better than any false negative

Vulnerability scanners work on the edge, testing for vulnerabilities that cannot be confirmed without causing damage to the system. As this is a rather large gray area to work in, even the best vulnerability scanner can be expected to generate some false positives. This is, unfortunately, part of the game here.

A false positive could also be a conditionally false positive

Never assume that a result is a false positive because it was last time. A number of vulnerabilities are highly conditional. A configuration change, an update to the operating system, another application on the system, or a simple file or folder saved in the wrong place or with the wrong name can create a vulnerability that needs attention.
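The version-analysis and conditional-false-positive tips above, worked through as an added Python example (not from the guide or from any scanner product). The service name `exampled`, its fixed-version table and the host "fingerprint" are constructed placeholders; the point is that a hidden or unparseable version is reported as unknown rather than patched, and that a past false-positive dismissal is only carried forward while the host's recorded state is unchanged.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed table of fixed versions for a hypothetical service; not a real advisory.
FIXED_IN = {"exampled": (2, 4, 0)}   # anything below 2.4.0 is treated as exposed


@dataclass
class Finding:
    host: str
    service: str
    version: Optional[str]   # None when the service hides or refuses to report one
    fingerprint: str         # constructed digest of host config/app/file state

def parse_version(text):
    """Return a 3-tuple, or None for banners like 'hidden' or '8.2p1' that are not plain versions."""
    try:
        parts = tuple(int(p) for p in text.strip().split("."))
    except ValueError:
        return None
    return (parts + (0, 0, 0))[:3]   # pad so that 2.4 compares equal to 2.4.0

def assess_version(f):
    """'vulnerable', 'patched', 'unknown' or 'not-tracked'. A missing or
    unparseable version is never reported as 'patched'."""
    fixed = FIXED_IN.get(f.service)
    if fixed is None:
        return "not-tracked"
    v = parse_version(f.version) if f.version else None
    if v is None:
        return "unknown"       # needs a behavioral check, not a version check
    return "vulnerable" if v < fixed else "patched"

def triage(findings, prior_false_positives):
    """prior_false_positives maps (host, service) to the host fingerprint recorded
    when the result was last dismissed. A dismissal is only carried forward when
    the fingerprint is unchanged; otherwise the result must be re-verified."""
    result = {}
    for f in findings:
        status = assess_version(f)
        key = (f.host, f.service)
        if status in ("vulnerable", "unknown") and key in prior_false_positives:
            if prior_false_positives[key] == f.fingerprint:
                status = "dismissed-unchanged"
            else:
                status = "re-verify"   # config/OS/app/file state changed since
        result[key] = status
    return result
```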

Vulnerability scanning tools

A very popular vulnerability scanning tool is OpenVAS, which is a fork of Nessus. Documentation on the project is more than a little behind, but the theory of operation is documented very well with the now-closed-source Nessus tool.

Like the IDS solutions described above, these tools are often best installed as part of a static server: they are difficult to configure, very resource intensive, and tend to be very slow to scan. You could consider installing a SIEM that includes one or more of these tools. Conveniently, AlienVault Unified Security Management (USM) by AT&T Cybersecurity provides such a capability, with integrated network IDS, vulnerability scanning and management, and network asset discovery, with host IDS as well, giving a very clear picture of what’s going on in your network.

Taking the game to them

The next step is to look at a penetration testing distribution, or pentesting. Pentesting is a way of proactively taking on security, because the best way to know if something can be exploited is to exploit it. Assuming you have written permission to perform these tests, this allows you to probe the network carefully, using the same techniques that an infiltrator would use, and is one of the best methods for discovering how security is practiced, and how it is compromised.

There are several pentesting distributions on the market (Pentoo, NodeZero, Kali, and BackBox are good examples) loaded with tools and utilities. Unfortunately, these offer so many tools that they don’t help answer the question of where to start. So, it boils down to personal preference; you can download and try each of them to find which you are most comfortable with.

Hopefully, this will get you started in the right direction as you explore open source network security tools. Once you start rolling, you will be able to start adding new tools to your toolset pretty regularly, and move right out of that “beginners” category.

About AT&T Cybersecurity

AT&T Cybersecurity’s edge-to-edge technologies provide phenomenal threat intelligence, collaborative defense, security without the seams, and solutions that fit your business. Our unique, collaborative approach integrates best-of-breed technologies with unrivaled network visibility and actionable threat intelligence from Alien Labs researchers, Security Operations Center analysts, and machine learning, helping to enable our customers around the globe to anticipate and act on threats to protect their business.

[Graphic: AT&T Cybersecurity offerings: Unified Security Management, Managed Security Services, Software-Defined Platform, AT&T Alien Labs]

2019 AT&T Intellectual Property. All rights reserved. AT&T, Globe logo and other marks are trademarks and service marks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners. The information contained herein is not an offer, commitment, representation or warranty by AT&T and is subject to change. 14243-042619
