I will review some basic ways to inventory your systems externally. Basically, this will allow you to become more informed while enabling you to check on the work that your network administrator performs.
Network openings are the most obvious way that external agents can get into your system. Here's an overview of how to check your systems for openings from a different machine on a network. In fact, you can check any machine (or the firewall that protects it) on the Internet. This will let you know how concerned you should be about new security leaks and which software patches may apply to your network.
For example, suppose you have a Sun Solaris Web server running the intranet on your network. When you check the machine, you find out that the print server installed by Solaris is also running on it. This is true even though there is no printer connected, and it's only a Web server--it was installed by default when the computer was set up. In the best case, you receive the CERT advisory CA-2001-15. This will show you that you may be vulnerable to an attack because the print server is turned on. In the worst case, you don't know about the print server and someone scans your network ports. They attack your machine, and now own all the data on your intranet.
To see what may be listening on the computers in your network, you should use a simple hacker's tool known as a port scanner. Software that is used across a network listens for network information on a port. There are a number of ports available on most servers. With a port scanner, a hacker checks for every possible piece of network software. If it answers, the hacker tries to find more information about the computer. The hacker then tries to exploit that port. However, you can use the scanner's output simply as a list of what's listening on a computer and check to make sure you don't have unnecessary software running. Here are a few port scanners that you can use.
Online:
A list is available at caleb15.com. Here are a few of them:
- http://www.dslreports.com/scan
- http://www.securitymetrics.com/portscan.adp
- http://www.sdesign.com/securitytest/index.html
For download:
The online scanners above all test the machine that you are running the Web browser on. To scan a remote machine, you have to install software. The simple utility on Linux, BSD, and other UNIX platforms is nmap. For Windows, there are a few. For this article, I used InternetPeriscope from LokBox Software to scan my network.
Download one of the above pieces of software and scan the servers on your network. You may find all sorts of exciting software running on your servers that you weren't aware of. Make a list of these and use it as a secondary inventory to the one your IT guy gave you. This inventory may actually be more important since this is what the rest of your office and potentially the world can see.
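The inventory comparison described above can be scripted. The following is an added example, not part of the original article: it makes plain TCP connections to a short list of ports and reports the difference from an approved list. The host, the `APPROVED` and `CANDIDATES` tables and the function names are assumptions made for illustration; port 515 is the standard LPD print-service port.

```python
import socket

# Constructed approved inventory: the intranet Web server should expose HTTP only.
APPROVED = {80: "http"}

# Ports to check on this host; 515 is the standard LPD print-service port.
CANDIDATES = {22: "ssh", 80: "http", 443: "https", 515: "printer"}


def tcp_is_listening(host, port, timeout=1.0):
    """Return True if a full TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out or unreachable: nothing answered
        return False


def audit(host, candidates, approved, timeout=1.0):
    """Compare what answers on `host` with the approved inventory."""
    listening = {p for p in candidates if tcp_is_listening(host, p, timeout)}
    return {
        "unexpected": sorted(listening - set(approved)),  # running, not approved
        "missing": sorted(set(approved) - listening),     # approved, not answering
        "confirmed": sorted(listening & set(approved)),
    }


if __name__ == "__main__":
    # 127.0.0.1 is a stand-in for a server on your own network.
    report = audit("127.0.0.1", CANDIDATES, APPROVED)
    for port in report["unexpected"]:
        print(f"port {port} ({CANDIDATES[port]}) is listening but not in the inventory")
    for port in report["missing"]:
        print(f"port {port} ({APPROVED[port]}) is in the inventory but did not answer")
```

An "unexpected" entry is the print-server situation from the Solaris example: software answering on the network that nobody listed.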
Port scans can also be a simple test for your firewall. See if one of the Web tests can get at anything on your computer. Figure out your IP address (this is the address that networks know your machine by) and enter it into one of the Web tests. If it sees anything open on your computer, then you may want to talk to your IT staff about closing ports.
If you are part of a security-conscious organisation with a big IT staff, you will want to let them know before you use a port scan. It will set off alarms and they may think that you are trying to hack into something. On the other hand, if it doesn't and you don't ask for permission, it might be fun to let them know what you find out.
Another snag with port scanners is that you cannot do a UDP port scan well. What is a UDP versus a TCP port? Well, a TCP port acts like a phone line, making a connection and then letting you know the connection was made (like a ringing or busy signal). UDP is more like a loudspeaker: the sound goes out there but you don't know if your intended recipient heard it. To scan UDP ports you'd need an intelligent scanner that could make specific requests that return responses.
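The loudspeaker problem can be seen directly. The following is an added example, not part of the original article: a UDP probe that classifies the result, run against a constructed loopback service that answers only one specific request. The `STATUS?`/`OK` exchange and the function names are hypothetical and stand in for a real protocol request.

```python
import socket
import threading


def udp_probe(host, port, payload, timeout=1.0):
    """Send one datagram and classify what comes back.

    "open"          - the service replied to this payload
    "closed"        - the OS reported an ICMP port-unreachable
    "open|filtered" - silence: a listener that ignored the payload, a
                      firewall drop and a lost packet all look the same
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))  # connected socket, so ICMP errors are reported
        try:
            s.send(payload)
            s.recv(4096)
            return "open"
        except (ConnectionRefusedError, ConnectionResetError):
            return "closed"
        except socket.timeout:
            return "open|filtered"


def start_demo_service(request=b"STATUS?", reply=b"OK"):
    """Constructed UDP service on loopback that answers only `request`."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))

    def serve():
        while True:
            data, peer = srv.recvfrom(4096)
            if data == request:
                srv.sendto(reply, peer)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = start_demo_service()
    print(udp_probe("127.0.0.1", port, b""))         # generic probe: open|filtered
    print(udp_probe("127.0.0.1", port, b"STATUS?"))  # specific request: open
```

The same listening service gives two different answers depending on what is sent, which is why an empty UDP scan result does not prove that nothing is running.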
The reason to be aware of UDP services was made clear recently when there was an announcement of a far-reaching security risk in SNMP-enabled devices. Basically, this is every network device (excluding actual computers) on the Internet. This means that the pieces of the Internet that connect everything together are a security risk.
Knowing what's listening on your network is the first step to understanding the vulnerability of your network. Your next step should be to sign up for mailing lists about your systems and security warnings in general. Good places to start are Security Focus and CERT.
Andrew Lientz is the CTO and Founder of Harvest Solutions, Inc. Harvest Solutions specialises in tracking and analysis solutions for websites and browser based applications. Currently he leads the development effort for the company's products. In the course of securing data and ensuring privacy of customer information, Andrew Lientz has implemented security measures including firewalls, specialised software and kernel patches in the execution of their software.











