Here’s an upfront declaration of our agenda in writing this blog post. Our Elastic Detector network vulnerability assessment delivers – or integrates with – the features from the following six tools (and much more) in a seamless way. But if you prefer to roll up your sleeves and integrate (often free) tools yourself … these are the products we suggest you consider to achieve for a basic level of security.
So, having got the commercial message out of the way at the very start of this story … let’s get straight into the respected individual tools that can help you address network security threats.
We’ve split our comments on these tools into three sections: Vulnerability Analysis, Configuration Analysis and Log Analysis.
First, a list of the six tools we’ve included in this roundup:
1. Nmap / port scanner.
2. OpenVAS / vulnerability scanner.
3. Arachni / web vulnerability scanner.
4. Lynis / linux configuration audit.
5. MBSA / MS configuration audit.
6. ELK / Elasticsearch Logstash Kibana.
Of course there’s more you may want to do, and expand your action into such things as passwords checks, real time security monitoring or other refinements, not to forget getting stats and following KPIs about your system security trend. Elastic Detector can help in all these cases. But if you’re happy with the minimum set and you can spend the necessary time to handle the process manually, there’s an overview of each product at the end of this article.
The Three-Stage Process for DIY Network Security.
A ‘Do It Yourself’ network security process will involve three key stages: vulnerability, configuration and log analysis.
You might be auditing your network because you have already been attacked, or to better understand your network SI security level, or as the first step in planning a security strategy.
But in all cases, the flow of vulnerability then configuration then log analysis is a prudent way to approach your project.
Stage 1. Vulnerability Analysis.
A combination of tools can help you to prepare a vulnerability analysis. We suggest you carry out the checks in a certain order as there is a hierarchy to the actions you’ll take, and dependencies to consider (ie, fixing one problem can affect a different function.)
Step 1. Use Nmap to create an inventory of your network assets. This will identify the various services that are visible and accessible by users (or hackers).
Step 2. Use the OpenVAS vulnerability scanner to detect flaws based on the Nmap inventory. OpenVAS includes over 35,000 threat alerts from the open community.
Step 3. Use Arachni to provide a deep search of web application vulnerabilities. Depending on your network assets, you might also use other scanners to ‘dive deep’ into specific network components.
Stage 2. Configuration Analysis.
To quote Microsoft Research and the University of California:
“Configuring networks is arduous because policy requirements (for resource management, access control, etc.) can be complex and configuration languages are low level. Consequently, configuration errors that compromise availability, security, and performance are common.”
– Use MBSA (Microsoft Baseline Security Analyzer) for Windows environments.
– Use Lynis for Linux environments.
Stage 3. Log Analysis.
A log analysis enables you to search system logs for patterns that could reveal hacking attempts. The ELK suite consists of four key components which – between them, can help you identify irregular network intrusions.
– Use ELK suite components.
Summary. Managing the Complexity of Vulnerability.
Between those six software tools, network security managers can implement a threat assessment protocol.
If you’ll allow us to re-iterate our own commercial message, Elastic Detector does at least all the above from within a single, integrated package.
– Automated, daily enterprise threat assessment.
– Security alerts and remediation tips.
– Free 30-day trial.
If you still want to review the six individual tools, to save you a few minutes we grabbed the outline description for each of our ‘top six’ IT network security tools from their respective websites. Those overviews are below:
Nmap (“Network Mapper”) is a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.
Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.
It was designed to rapidly scan large networks, but works fine against single hosts.
The Open Vulnerability Assessment System (OpenVAS) is a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution.
The actual security scanner is accompanied with a daily updated feed of Network Vulnerability Tests (NVTs), over 35,000 in total (as of April 2014).
All OpenVAS products are Free Software. Most components are licensed under the GNU General Public License (GNU GPL).
Arachni is a feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications.
It is smart, it trains itself by monitoring and learning from the web application’s behavior during the scan process and is able to perform meta-analysis using a number of factors in order to correctly assess the trustworthiness of results and intelligently identify (or avoid) false-positives.
Unlike other scanners, it takes into account the dynamic nature of web applications, can detect changes caused while travelling through the paths of a web application’s cyclomatic complexity and is able to adjust itself accordingly. This way, attack/input vectors that would otherwise be undetectable by non-humans can be handled seamlessly.
Lynis is an open source security auditing tool. Used by system administrators, security professionals, and auditors, to evaluate the security defenses of their Linux/Unix-based systems. It runs on the host itself, so it performs more extensive security scans than vulnerability scanners.
Lynis is flexible and easy to use. Installation is optional. Just copy it to a system, and use “./lynis audit system” to start the security scan. It is written in shell script and released as open source software (GPL).
During the scan, technical details about the scan are stored in a log file. At the same time findings (warnings, suggestions, data collection), are stored in a report file.
The Microsoft Baseline Security Analyzer provides a streamlined method to identify missing security updates and common security misconfigurations. MBSA 2.3 release adds support for Windows 8.1, Windows 8, Windows Server 2012 R2, and Windows Server 2012.
MBSA 2.3 runs on Windows 8.1, Windows Server 2012, and Windows Server 2012 R2, Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista, Windows Server 2003 and Windows XP systems and will scan for missing security updates, rollups and service packs using Microsoft Update technologies.
To assess missing security updates, MBSA will only scan for missing security updates, update rollups and service packs available from Microsoft Update. MBSA will not scan or report missing non-security updates, tools or drivers.
The Logstash / Kibana setup has four main components:
– Logstash: The server component of Logstash that processes incoming logs.
– Elasticsearch: Stores all of the logs.
– Kibana: Web interface for searching and visualizing logs, which will be proxied through Nginx.
– Logstash Forwarder: Installed on servers that will send their logs to Logstash, Logstash Forwarder serves as a log forwarding agent that utilizes the lumberjack networking protocol to communicate with Logstash.