
Freeware Security Tools You Need

Freeware Security Tools You Need. Randy Marchany VA Tech Computing Center Blacksburg, VA 24060 Marchany@vt.edu 540-231-9523. Suggested Strategy. Use freeware tools to gain experience with your system/network environment.


Presentation Transcript


  1. Freeware Security Tools You Need
  Randy Marchany
  VA Tech Computing Center
  Blacksburg, VA 24060
  Marchany@vt.edu
  540-231-9523

  2. Suggested Strategy
  • Use freeware tools to gain experience with your system/network environment.
  • Gain experience with the features provided by these tools in order to better analyze a vendor tool.
  • Freeware tools provide a good short-term solution.
  • Vendor tools may provide a better long-term solution.

  3. The Tools
  • Audit/Port Scanning Tools
    • Nessus
    • SAINT
    • SARA
    • Nmap, strobe
    • Tripwire, AIDE
  • “Personal” Firewall
    • TCP Wrappers
    • Portsentry, ipfilters
    • ZoneAlarm, BlackIce, NeoWorks

  4. The Tools
  • Syslog Scanners
    • Logcheck
  • Sniffers
    • Snoop, iptrace, tcpdump
    • Netwatch (NT)
    • Snort

  5. The Tools
  • Sysadmin Tools
    • Big Brother
  • Password Checkers
    • Crack, nt-crack, l0phtcrack, npasswd, passwd+
  • Lsof, inzider (NT)
  • Sudo (unix)
  • Remote Control Tools
    • VNCviewer
  • Homegrown Tools
  • Network Mgt Tools that can be used for Incident Response

  6. Audit/Port Scan Tools
  • These tools can be used to scan your systems and network for vulnerabilities.
  • Some tools can perform integrity checks on designated files.
  • They have very good reporting tools, usually HTML-based.

  7. Nessus
  • Available from www.nessus.org
  • Best of the scanning tools
  • Easy to build for Linux, harder for Solaris; needs work on other OSes.
  • Requires GNU tools
  • Provides HTML-based reports
  • Has a distributed architecture: clients (Windows, Unix) & engines (Unix only)

  8. Nessus – Building It
  • Linux
    • Download the RPMs
    • Add nessus user
    • Start up the nessusd daemon
    • Start up the nessus client
    • Start testing

  9. Nessus – Pros/Cons
  • Pro
    • Easy to install if you have Linux
    • Most comprehensive tests for your money
  • Con
    • Not that easy to understand at first
    • Non-Linux builds require GNU software
    • Some inconsistency in quality of checks
    • Must use Unix server for specific user accounts

  10. (image-only slide; no transcript text)

  11. SAINT
  • Based on SATAN, developed by World Wide Security, Inc. (www.wwdsi.com)
  • Security Administrator’s Integrated Network Tool
  • Gathers info on remote hosts/nets
  • Looks at finger, NFS, NIS, ftp, tftp, rexd, statd
  • Can run heavy, moderate or light probes on targets.
  • Will check for the SANS Top 10 Threats

  12. SARA
  • Security Auditor’s Research Assistant
  • www.www-arc.com/sara
  • Checks for SANS Top 10 Threats
  • Does Unix/Windows vulnerability tests
  • Has CVE dictionary support
  • Search engine for post-audit analysis
  • Has a Report Writer

  13. Port Scanning Tools
  • Strobe was one of the earliest port scanning tools.
    • Available from ciac.llnl.gov
  • Nmap is the more sophisticated grandson of strobe.
    • Available from www.insecure.org

  14. Tripwire
  • Available from www.tripwire.com
  • First of the file integrity checkers
  • Unix and NT versions available
  • Network-capable versions available
  • Academic version is free. Commercial and NT versions are not.
  • Useful in finding trojan programs

  15. Tripwire
  • Generates a “signature” for each file based on checksums and other characteristics.
  • These signatures are stored in a database file that should be kept offline.
  • This is the baseline.
  • Latest threat involves dynamic exec redirection. This is part of the newer Kernel Module Rootkits.

  16. Tripwire
  • List of files to check: tw.config
  • All files in a directory will be checked.
  • Can prune directories from the check step.
  • Can examine just the directory and nothing else.
  • Can check by access time, but this is not recommended since you’ll get a report of everything that changed. Everything!

  17. Tripwire
  • To initialize the DB: tripwire -initialize
  • Update DB interactively: tripwire -interactive
  • Non-interactive DB update: tripwire -update <FN>
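As an added example (not part of the presentation and not Tripwire's own code), a small Python script in the spirit of slides 15 to 17: it parses a tw.config-style file list (the "!" prune and "=" directory-only prefixes are assumed here), builds a signature database as the baseline, and reports what changed against it. The tree it checks is constructed in a temporary directory.

```python
import hashlib, os, stat, tempfile

def parse_config(text):
    # tw.config-style: '!path' prunes a subtree, '=path' checks the directory
    # entry only, a bare path is walked recursively (the behaviours of slide 16).
    kinds = {"!": "prune", "=": "dironly"}
    return [(kinds.get(ln[0], "walk"), ln.lstrip("!=")) for ln in
            (x.strip() for x in text.splitlines()) if ln and ln[0] != "#"]

def signature(path):
    # Per-file "signature": inode characteristics plus a content hash for
    # regular files; access time is left out on purpose (see slide 16).
    st = os.lstat(path)
    sig = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid}
    if stat.S_ISREG(st.st_mode):
        sig["size"] = st.st_size
        sig["sha256"] = hashlib.sha256(open(path, "rb").read()).hexdigest()
    return sig

def build_db(root, rules):
    # Baseline DB: path -> signature; '!' and '=' entries stop the parent's walk.
    full = lambda p: os.path.join(root, p.lstrip("/"))
    stop = {full(t) for k, t in rules if k != "walk"}
    db = {}
    for kind, target in rules:
        if kind == "dironly":
            db[target] = signature(full(target))
        elif kind == "walk":
            for dirpath, dirnames, filenames in os.walk(full(target)):
                dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in stop]
                for p in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
                    db["/" + os.path.relpath(p, root)] = signature(p)
    return db

def compare(baseline, current):
    # Tripwire-style report: files added, removed and changed since the baseline.
    changed = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return sorted(current.keys() - baseline.keys()), sorted(baseline.keys() - current.keys()), changed

def demo():
    # Constructed tree (assumption): /bin/ls is replaced and /bin/nc added after
    # the baseline; /var/tmp is pruned; /var/log has only its directory entry checked.
    root = tempfile.mkdtemp()
    for f, data in {"bin/ls": b"ls-v1", "var/tmp/x": b"junk", "var/log/messages": b""}.items():
        os.makedirs(os.path.dirname(os.path.join(root, f)), exist_ok=True)
        open(os.path.join(root, f), "wb").write(data)
    rules = parse_config("/bin\n/var\n!/var/tmp\n=/var/log\n")
    baseline = build_db(root, rules)
    open(os.path.join(root, "bin/ls"), "wb").write(b"ls-trojan")
    open(os.path.join(root, "bin/nc"), "wb").write(b"nc")
    return compare(baseline, build_db(root, rules))
```

The baseline dictionary is the part that has to live offline: an attacker who can rewrite it can hide the trojaned binary from the next run.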

  18. Tripwire
  • Security Issues
    • Need to protect the DB
    • Need to protect the vulnerable executables
  • Advantages
    • Simple interface, good choice of crypto hash functions, good all-around tool
  • Disadvantages
    • Kernel mod attacks, initial tw.config takes some time to customize, NT version is good but costs $$$, no network security

  19. Personal Firewall Tools
  • These tools monitor connection attempts to your system and give you the option of allowing or denying the access.
  • They log the connection attempt to standard log files.
  • More valuable than a real firewall, IMHO.

  20. Portsentry/TCP Wrappers
  • Available from www.psionic.com
  • TCP Wrappers available from ciac.llnl.gov and a ton of other sites
  • Any host that scans a list of “banned” ports is placed in the /etc/hosts.deny file
  • Need TCP Wrappers installed on the machine
  • TCP Wrappers logs attempts to connect to services

  21. TCP Wrappers
  • Everyone should buy Wietse Venema dinner for writing this tool.
  • Purpose
    • Log network connections to a system
    • Allow you to filter who connects to the system
  • Needs an inetd-like program to act as the dispatcher of network services

  22. TCP Wrappers Features
  • Allows you to monitor/filter incoming requests for SYSTAT, FINGER, FTP, TELNET, R-commands, TFTP, TALK and other network services.
  • Provides access control to restrict which systems connect to which network daemons.
  • Provides some protection from host spoofing

  23. TCP Wrapper Installation
  • Easy to do
  • “Advanced Installation” easier than “Easy Installation” IMHO
  • Install done by Makefile
    • make <os-type>
  • Creates 5 modules that are ready to use.

  24. TCP Wrappers
  • 4 components
    • tcpd – the actual wrapper program
    • tcpdmatch, tcpdchk – ACL testing programs
    • try-from – tests host lookup function
    • safe-finger – a better version of finger
  • Logs hostname, IP address and username (identd if possible) via syslog facility. Typically, it logs to the mail facility logs
  • Change this by editing Makefile:
    • FACILITY=LOG_AUTH
    • FACILITY=LOG_WARN

  25. TCP Wrappers
  • Access Control is enabled by default.
  • 2 files
    • /etc/hosts.deny – restrict access if IP addr here
    • /etc/hosts.allow – allow access if IP addr here
  • Can restrict to username@host if services are enabled
  • Reverse lookup is done. Paranoid selection terminates the connection immediately if there’s a mismatch.
  • Set KILL_IP_OPTIONS in Makefile to refuse connections that use source routing. This prevents IP spoofing, although your routers should do this.
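Added example, not from the presentation and not Wietse Venema's code: a Python model of the hosts.allow / hosts.deny decision described on slide 25, including the reverse-then-forward lookup that produces the PARANOID match and the user@host form; it also shows the default-allow fall-through that slide 27 warns can give a false sense of security. DNS is replaced by constructed lookup tables, and the campus domain, daemon names and addresses are assumptions.

```python
# Constructed stand-ins for DNS (assumption): reverse (PTR) and forward (A) records.
REVERSE = {"192.0.2.10": "alpha.cc.vt.edu", "198.51.100.5": "mirror.example.net"}
FORWARD = {"alpha.cc.vt.edu": "192.0.2.10", "mirror.example.net": "203.0.113.9"}

def parse_rules(text):
    # hosts.allow / hosts.deny lines: "daemon_list : client_list [: option]".
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            daemons, clients = (field.split() for field in line.split(":")[:2])
            rules.append((daemons, clients))
    return rules

def resolve(ip):
    # Reverse lookup, then forward-check the name: a mismatch yields the
    # PARANOID wildcard, a missing PTR record the UNKNOWN wildcard.
    name = REVERSE.get(ip)
    if name is None:
        return "UNKNOWN"
    return "PARANOID" if FORWARD.get(name) != ip else name

def client_matches(pattern, ip, name, user):
    if "@" in pattern:                  # user@host form needs the ident result
        want, pattern = pattern.split("@", 1)
        if want != "ALL" and want != user:
            return False
    if pattern in ("ALL", name):        # ALL, exact host, or wildcard from resolve()
        return True
    if pattern.endswith("."):           # network prefix, e.g. "192.0.2."
        return ip.startswith(pattern)
    if pattern.startswith("."):         # domain suffix, e.g. ".cc.vt.edu"
        return name.endswith(pattern)
    return pattern == ip

def rule_matches(rules, daemon, ip, user):
    name = resolve(ip)
    return any(("ALL" in ds or daemon in ds) and any(client_matches(c, ip, name, user) for c in cs)
               for ds, cs in rules)

def hosts_access(allow, deny, daemon, ip, user=None):
    # tcpd order: a hosts.allow match wins, then hosts.deny, else the connection is allowed.
    if rule_matches(allow, daemon, ip, user):
        return "ALLOW"
    return "DENY" if rule_matches(deny, daemon, ip, user) else "ALLOW"

# Constructed policy: telnet/ftp from the campus domain only, finger from the campus
# network only; everything else, and any host whose lookup does not match, is refused.
ALLOW = parse_rules("in.telnetd in.ftpd : .cc.vt.edu\nin.fingerd : 192.0.2.\n")
DENY = parse_rules("ALL : PARANOID\nALL : ALL\n")
```

Leaving hosts.deny empty (or without the final ALL : ALL line) makes every unmatched connection fall through to ALLOW, which is the case the real tcpdchk and tcpdmatch tools exist to catch.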

  26. TCP Wrappers
  • IDENT service
    • Remote username lookup requires the remote host to run the ident (RFC 1413) protocol.
    • Works only for TCP, not UDP
  • Limitations
    • TCP – checks the 1st connection for each instance of the daemon
    • UDP – 1st datagram only for the service
    • RPC/TCP – no checking since portmapper does this.

  27. TCP Wrappers
  • Advantages
    • Logs and applies access controls to remote connections
    • Lets you define which daemons are wrapped
    • Does good reverse lookup on hosts
  • Disadvantages
    • Ident service not reliable
    • Only looks at network daemons spawned by inetd
    • Doesn’t wrap ALL services (RPC)
    • Could give a false sense of security

  28. Portsentry
  • Available from www.psionic.com
  • Monitors ports and performs an action when an attempt to access the port is made.
  • Usually access is denied to the probing systems.
  • Monitors TCP and UDP traffic. A little more flexible than TCP Wrappers

  29. Portsentry Configuration Files
  • Portsentry.conf contains the list of ports to be monitored.
  • 3 levels of paranoia
