Scanning and Reviewing your LAN Regularly
A starting guide and some useful tools.
Scanning and reviewing your network on a regular basis can
provide you with important information, not only to locate security
problems, but also to know (at least to some extent) when you don't have
problems.
Getting started can often be intimidating, due to the large
and complex nature of most products out there that perform security
scanning. A simple walk-before-you-run approach is often
best. Your goal is to give yourself baseline knowledge of what is
running on your network and where, as well as to get a
documented procedure in place stating what you do run and how often you run it to
obtain this knowledge. Having such a thing in place goes a long
way in terms of answering questions about your network, or your
network's security.
- 1) Start simple. If you are starting from nothing, at a minimum,
run some sort of scanning software such as nmap over your
network. It should detect your servers as being servers. What else
does it find? Document this and know where your servers are. Run this
on a regular basis and watch for changes.
- 2) If possible, monitor your network traffic at your ingress and
egress points to your network. Traffic volume moving from your
network to external sites can be viewed by authenticating at netuse.cns.ualberta.ca. Reviewing
this information on a regular basis at a minimum will help you know
what machines typically generate traffic on your network.
- 3) If you maintain your own authentication (password) mechanisms,
you should ensure you have some mechanism of enforcing and noticing
password quality. Tools like Cain & Abel or John the Ripper
can be used to check your passwords for crackability.
In all cases, pick something and run it on a regular basis. You may
not have time to learn the most sophisticated tools at first, so start
simple. Document what you are running, how often you are running it,
and what you do to notice and react to what you see.
Make sure what you see makes sense. If you run a port scan or
vulnerability scan over your network, you should see the servers
you know about showing up as servers. If a desktop machine shows up
running server software, investigate! Does it make sense to be running
this there?
Notice changes. If a new server crops up, does this make sense?
Did you or someone else install a real server there, or has something
been compromised? Are large amounts of network traffic to be expected
from particular machines, or not?
When you notice a change, investigate and react to it.
Your goal is not to find as many problems as possible. Your goal is,
firstly, to familiarize yourself with the "picture" of your environment that the
tools you run paint for you. Once you have done that, your goal is to notice
when the picture changes. With this in place and this procedure documented,
you have something which can be used when you are asked questions like
"How do you know XXXX is or is not happening on the network" - you pull
out your documentation of the tools you are using, their output and your
procedure for reviewing the output and changes in it on a regular basis.
It is far more important to do regular basic scanning and document
what you do, and how you react, than it is to perform the most detailed
vulnerability scanning available. Below are some of the most common
available tools that can do the job for you if you familiarize yourself
with them. This list is far from exhaustive, but rather a list of the
most commonly used tools and tools we in CNS use for these purposes.
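The "baseline, then notice changes" procedure above can be automated once you keep each nmap run's output. The script below is an added example, not part of the original CNS guide: it parses nmap's grepable output format (-oG), compares a saved baseline scan with the latest scan, and lists new or vanished hosts, newly opened or closed ports, and any host with listening services that is not on your documented server list. The sample scans and the 10.0.0.x addresses are constructed for the example.

```python
"""Diff two nmap -oG (grepable) scans to spot new hosts, new ports, unexpected servers."""
from typing import Dict, List, Set, Tuple

PortKey = Tuple[int, str, str]  # (port, protocol, service name as nmap reports it)


def parse_grepable(text: str) -> Dict[str, Set[PortKey]]:
    """Return {ip: {(port, proto, service), ...}} for every host nmap reports as up.
    Each -oG line is tab-separated "Field: value" pairs; port entries look like
    22/open/tcp//ssh/// and are separated by ", "."""
    hosts: Dict[str, Set[PortKey]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # skip "# Nmap ..." header/footer comments
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split()[0]
        if fields.get("Status", "Up").split()[0] != "Up":
            continue                      # "Status: Down" hosts carry no port data
        hosts.setdefault(ip, set())
        for entry in fields.get("Ports", "").split(", "):
            parts = entry.split("/")
            if len(parts) >= 5 and parts[1] == "open":
                hosts[ip].add((int(parts[0]), parts[2], parts[4]))
    return hosts


def diff_scans(baseline: Dict[str, Set[PortKey]], current: Dict[str, Set[PortKey]]) -> dict:
    """Report what changed since the documented baseline scan."""
    report = {"new_hosts": sorted(set(current) - set(baseline)),
              "missing_hosts": sorted(set(baseline) - set(current)),
              "new_ports": {}, "closed_ports": {}}
    for ip in set(baseline) & set(current):
        if current[ip] - baseline[ip]:
            report["new_ports"][ip] = sorted(current[ip] - baseline[ip])
        if baseline[ip] - current[ip]:
            report["closed_ports"][ip] = sorted(baseline[ip] - current[ip])
    return report


def unexpected_servers(scan: Dict[str, Set[PortKey]], known_servers: Set[str]) -> List[str]:
    """Hosts with open ports that are not on your documented server list: investigate."""
    return sorted(ip for ip, ports in scan.items() if ports and ip not in known_servers)


# Constructed sample scans (the file server is documented; the desktop is not).
KNOWN_SERVERS = {"10.0.0.10"}
BASELINE = ("# Nmap scan (constructed baseline)\n"
            "Host: 10.0.0.10 (fileserver.example.org)\tStatus: Up\n"
            "Host: 10.0.0.10 (fileserver.example.org)\tPorts: 22/open/tcp//ssh///, "
            "445/open/tcp//microsoft-ds///\tIgnored State: closed (998)\n"
            "Host: 10.0.0.50 (desk-a.example.org)\tStatus: Up\n")
CURRENT = (BASELINE +
           "Host: 10.0.0.50 (desk-a.example.org)\tPorts: 80/open/tcp//http///\tIgnored State: closed (999)\n"
           "Host: 10.0.0.77 ()\tStatus: Up\n"
           "Host: 10.0.0.77 ()\tPorts: 23/open/tcp//telnet///\tIgnored State: closed (999)\n")

if __name__ == "__main__":
    latest = parse_grepable(CURRENT)
    print(diff_scans(parse_grepable(BASELINE), latest))
    print("investigate:", unexpected_servers(latest, KNOWN_SERVERS))
```

In practice you would save each run with nmap's -oG option under a dated filename and feed the previous and current files to these functions as part of your documented review.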
Network Scanning Tools
- nmap is a basic port scanner
with OS detection that runs on pretty much any Unix or Windows
platform. It is a good choice for a starting point if you have not
done any sort of network scanning before. A basic nmap run will give
you a good picture of what machines are up on your network, and which
ones are running servers of some sort. nmap doesn't do a lot of
vulnerability scanning, but regular use of nmap, combined with a
traffic monitor such as ipaudit or argus, will give you a relatively
complete picture of what is running and doing what on your network to
avoid nasty surprises. While its output is verbose, it is a
reasonable starting point as it does not require a Unix server like
nessus. Its drawback is that while it will provide a picture of where
services are listening, it does not perform known vulnerability
scanning like nessus does.
- Nessus is the premier open-source
vulnerability scanning tool, and what many of the commercial toolkits
are actually based on. It will require a Unix server of some flavour
to run scans from, although there is a nicely full-featured Windows client program. Nessus
has many extensive features and takes some getting used to. Simply
running it regularly on a network (even just as a scanner) will
produce a nice regular report letting you know what is going on, and
nessus can also be used to do some extensive vulnerability testing and can
be very helpful in this regard. Nessus has some fairly extensive documentation, as
well as several books.
Traffic Monitoring
In addition to the netuse.cns.ualberta.ca traffic page,
it's helpful to regularly monitor the traffic going on and off your
network. If your LAN uses managed switches, you may be able to obtain
statistics on a regular basis directly from the switch on a port-by-port
basis. Alternatively, or in addition to this, you can
install a host to monitor inbound and outbound traffic to and
from your network.
- Ethereal is a well put together
real time traffic analyzer that runs on just about anything. Having
just such a machine strategically located to watch traffic on your
network is an excellent way to both see what is normally going on,
and to react when problems occur.
- IPaudit is a Unix
based tool that includes a web interface module. IPaudit can be used
to produce network traffic summaries of what is going where. While this
tool takes some getting used to in order to set up, it is well worth the effort
in terms of being a powerful monitor.
- Argus is another Unix
based tool that can output XML based statistics. Similar functionality
to IPaudit.
Wireless Scanning
More and more you may need to be aware of what wireless connectivity is
available in your area, both to ensure that any you provide is working
correctly, and to ensure that rogue access points aren't being used or
bridged onto your network. Regular use of a tool such as those below
will enable you to know when new wireless access shows up:
- Network Stumbler is pretty
much the de facto standard for Windows based wireless scanning. It will
work from any Windows machine with the right wireless cards.
- Kismet is a good
choice for Unix or Mac users. It will track base stations and weak WEP keys,
and can be integrated with maps or GPS.
Password Cracking and Sniffing
If you run your own authentication source, you probably should have
something running on a regular basis to both look for poorly chosen
passwords, as well as watching for password exposure. Be sure to document
where you are running such a thing, why, and what you do when you find
an exposed or poor password. When running such tools you should make
sure that persons of responsible authority in your area are aware
that you are running them and know why.
- John the Ripper is a password
cracking tool used to check encrypted password hashes against dictionary
words. Commonly used and very fast, it works on most Unix based passwords,
Kerberos hashes, and Windows LanMan hashes. John will require you
to acquire the password hashes to feed to it; it does not sniff them itself. John
runs on just about anything Unix or Windows.
- Cain and Abel is a Windows
only password sniffer and cracker, which can be used to sniff for, and
crack, vulnerable Windows passwords on a network.
- Dsniff
is a Unix only password sniffer, designed to look for and sniff
passwords on many varieties of protocols. Useful for looking for password
exposures.
Host tools
The standard virus detection and prevention software toolkits for
Windows should always be considered. Use what comes with your
anti-virus software. However, some more generic tools exist.
These tools are often useful when you want to know why a machine is
doing what it's doing. Usually, you will want to download these tools
and run them first on a machine whose behaviour you already know, so you gain
the ability to recognize what to expect and which processes are normal.
- Fport, a free download from
McAfee, is an excellent way to find out what is sending or receiving traffic
on a Windows machine - this tool will list which applications are listening
or sending on the network.
- lsof is the classic Unix tool to find what programs have what resources open, including
network sockets. Be aware that these days many modern Unix-like operating
systems support the same functionality in the netstat and/or fstat commands.