Introduction To Network Security - Part 2

1 of 6

Wednesday, 25 September 2013

Home

http://www.firewall.cx/general-topics-reviews/security-articles/853-n...

Meet The Team!

Networking Topics

Free Cisco Lab

News

Cisco KnowledgeBase

Site Map - Alternative Menu

Linux Tutorials

Recommendations

Hot Downloads

Network Security Articles

Cisco UC500 / CCME Articles

General Topics & Reviews

Recommended Websites

Microsoft KB

General Topics & Reviews

Nework Security Scanner

Server Anti-Spam
Web Monitoring & Web Security
NEW! Network Fax Server !!

Security Articles

search...

Firewall.cx Newsletter

Home

Receive Free notification

on new articles!

Introduction To Network Security - Part 2

Downloads

Search

Site Related

Basic & Advanced Catalyst Layer 3 Switch

Configuration: Creating VLANs, InterVLAN Routing
(SVI), VLAN Security, VTP, Trunk Link, NTP
Configuration. IOS License Requirements for SVI
Routing

Introduction To Network Security - Part 2

Written by Administrator

Name

Tuesday, 06 March 2012 00:00

E-mail

Article Index
Introduction To Network Security - Part 2
***************

2. Penetration-Testing
3. A Brief Walk-through of an Attack
4. Where Can I Find More Information?
5. Conclusion

Firewall.cx Forums

All Pages

Community Forums

Tweet

Facebook Fans

By Sahir Hidayatullah - Firewall.cx Security Advisor

Show your support for

Firewall.cx!

Tools An Attacker Uses

Firewall.cx
Like

Like

Send

17 people like this.

Now that we've concluded a brief introduction to the types of threats faced by both home users and the enterprise, it is time to have a look at
some of the tools that attackers use.

2,016

Keep in mind that a lot of these tools have legitimate purposes and are very useful to administrators as well. For example I can use a network
sniffer to diagnose a low level network problem or I can use it to collect your password. It just depends which shade of hat I choose to wear.
Social Media Channels

General Network Tools

As surprising as it might sound, some of the most powerful tools especially in the beginning stages of an attack are the regular network tools
available with most operating systems. For example and attacker will usually query the 'whois' databases for information on the target. After
that he might use 'nslookup' to see if he can transfer the whole contents of their DNS zone (called a zone transfer -- big surprise !!). This will
let him identify high profile targets such as webservers, mailservers, dns servers etc. He might also be able to figure what different systems do
based on their dns name -- for example sqlserver.victim.com would most likely be a database server. Other important tools include traceroute
to map the network and ping to check which hosts are alive. You should make sure your firewall blocks ping requests and traceroute packets.

Exploits
An exploit is a generic term for the code that actually 'exploits' a vulnerability in a system. The exploit can be a script that causes the target
machine to crash in a controlled manner (eg: a buffer overflow) or it could be a program that takes advantage of a misconfiguration.

Download Your Free

Network Scanner

A 0-day exploit is an exploit that is unknown to the security community as a whole. Since most vulnerabilities are patched within 24 hours,
0-day exploits are the ones that the vendor has not yet released a patch for. Attackers keep large collections of exploits for different systems
and different services, so when they attack a network, they find a host running a vulnerable version of some service and then use the relevant
exploit.

Port Scanners
Most of you will know what portscanners are. Any system that offers TCP or UDP services will have an open port for that service. For example
if you're serving up webpages, you'll likely have TCP port 80 open, FTP is TCP port 20/21, Telnet is TCP 23, SNMP is UDP port 161 and so on.

System Login

A portscanner scans a host or a range of hosts to determine what ports are open and what service is running on them. This tells the attacker
which systems can be attacked.
For example, if I scan a webserver and find that port 80 is running an old webserver -- IIS/4.0, I can target this system with my collection of
exploits for IIS 4. Usually the port scanning will be conducted at the start of the attack, to determine which hosts are interesting.

Username

Password

This is when the attacker is still footprinting the network -- feeling his way around to get an idea of what type of services are offered and what
Operating Systems are in use etc. One of the best portscanners around is Nmap (http://www.insecure.org/nmap). Nmap runs on just about
every operating system is very versatile in how it lets you scan a system and has many features including OS fingerprinting, service version
scanning and stealth scanning. Another popular scanner is Superscan (http://www.foundstone.com) which is only for the windows platform.

Remember Me

Network Sniffers
Login With Facebook

Register for this site

Forgot Username?
Forgot Password?

Recommended Downloads
-

Web Security
Server AntiSpam
Network Scanner
IDS Security Manager
Web-Proxy Monitor
FTP / TFTP Servers
Cisco VPN Client
Network Fax Server

A network sniffer puts the computers NIC (network interface card or LAN card) into 'promiscuous mode'. In this mode, the NIC picks up all the
traffic on its subnet regardless of whether it was meant for it or not. Attackers set up sniffers so that they can capture all the network traffic
and pull out logins and passwords. The most popular network sniffer is TCPdump as it can be run from the command line -- which is usually the
level of access a remote attacker will get. Other popular sniffers are Iris and Ethereal.
When the target network is a switched environment (a network which uses layer 2 switches), a conventional network scanner will not be of
any use. For such cases, the switched network sniffer Ettercap (http://ettercap.sourceforge.net) and WireShark (http://www.wireshark.org)
are very popular. Such programs are usually run with other hacking capable applications that allow the attacker to collect passwords, hijack
sessions, modify ongoing connections and kill connections. Such programs can even sniff secured communications like SSL (used for secure
webpages) and SSH1 (Secure Shell - a remote access service like telnet, but encrypted).

Vulnerability Scanners
A vulnerability scanner is like a portscanner on steroids, once it has identified which services are running, it checks the system against a large
database of known vulnerabilities and then prepares a report on what security holes are found. The software can be updated to scan for the
latest security holes. These tools are very simple to use unfortunately, so many script kiddies simply point them at a target machine to find out
what they can attack. The most popular ones are Retina (http://www.eeye.com), Nessus (http://www.nessus.org) and GFI LanScan

25/09/2013 7:48

Introduction To Network Security - Part 2

2 of 6

More Articles
A Networked World:
New IT Security
Challenges
Introduction To
Network Security Part 1
Host-Based IDS vs
Network-Based IDS
(Part 2 - Comparative
Analysis)
Host-Based IDS vs
Network-Based IDS
(Part 1)
Combat Intruders with
LANguard S.E.L.M
What you Need to
Know About Intrusion
Detection Systems
Keeping IDS In-House
What Are IDSes & Why
Are They Worth
Having?
Web Monitoring for
Employee Productivity
Enhancement
Security Threats: A
Guide for Small &
Medium Businesses

http://www.firewall.cx/general-topics-reviews/security-articles/853-n...

(http://www.gfi.com). These are very useful tools for admins as well as they can scan their whole network and get a detailed summary of
what holes exist.

Password Crackers
Once an attacker has gained some level of access, he/she usually goes after the password file on the relevant machine. In UNIX like systems
this is the /etc/passwd or /etc/shadow file and in Windows it is the SAM database. Once he gets hold of this file, its usually game over, he runs
it through a password cracker that will usually guarantee him further access. Running a password cracker against your own password files can
be a scary and enlightening experience. L0phtcrack cracked my old password fR7x!5kK after being left on for just one night !
There are essentially two methods of password cracking :
Dictionary Mode - In this mode, the attacker feeds the cracker a word list of common passwords such as 'abc123' or 'password'. The cracker
will try each of these passwords and note where it gets a match. This mode is useful when the attacker knows something about the target. Say
I know that the passwords for the servers in your business are the names of Greek Gods (yes Chris, that's a shout-out to you ;)) I can find a
dictionary list of Greek God names and run it through the password cracker.
Most attackers have a large collection of wordlists. For example when I do penetration testing work, I usually use common password lists,
Indian name lists and a couple of customized lists based on what I know about the company (usually data I pick up from their company
website). Many people think that adding on a couple of numbers at the start or end of a password (for example 'superman99') makes the
password very difficult to crack. This is a myth as most password crackers have the option of adding numbers to the end of words from the
wordlist. While it may take the attacker 30 minutes more to crack your password, it does not make it much more secure.
Brute Force Mode - In this mode, the password cracker will try every possible combination for the password. In other words it will try aaaaa,
aaaab, aaaac, aaaad etc. this method will crack every possible password -- its just a matter of how long it takes. It can turn up surprising
results because of the power of modern computers. A 5-6 character alphanumeric password is crackable within a matter of a few hours or
maybe a few days, depending on the speed of the software and machine. Powerful crackers include l0phtcrack for windows passwords and
John the Ripper for UNIX style passwords.
For each category, I have listed one or two tools as an example. At the end of this article I will present a more detailed list of tools with
descriptions and possible uses.

POPULAR CISCO ARTICLES

Router Introduction
Cisco SDM Installation
Cisco IP SLA
Cisco SmartCare Service
VLAN Security
4507R-E Installation
CCME - UC500 GUI
CallManager Express Intro
VLAN Security & Tips
Wireless LAN Key Generator
Gold Cisco Lab Partners

What is Penetration-Testing?
Penetration testing is basically when you hire (or perform yourself) security consultants to attack your network the way an attacker would do
it, and report the results to you enumerating what holes were found, and how to fix them. It's basically breaking into your own network to see
how others would do it.
While many admins like to run quick probes and port scans on their systems, this is not a penetration test -- a penetration tester will use a
variety of specialised methods and tools from the underground to attempt to gain access to the network. Depending on what level of testing
you have asked for, the tester may even go so far as to call up employees and try to social engineer their passwords out of them (social
engineering involves fooling a mark into revealing information they should not reveal).
An example of social engineering could be an attacker pretending to be someone from the IT department and asking a user to reset his
password. Penetration testing is probably the only honest way to figure out what security problems your network faces. It can be done by an
administrator who is security aware, but it is usually better to pay an outside consultant who will do a more thorough job.
I find there's a lack of worthwhile information online about penetration testing -- nobody really goes about describing a good pen test, and
what you should and shouldn't do. So I've hand picked a couple of good papers on the subject and then given you a list of my favourite tools,
and the way I like to do things in a pen-test.

POPULAR LINUX ARTICLES

Linux Init & RunLevels
Linux Groups & Users
Performance Monitoring
Linux Vim Editor
Linux Samba
Linux DHCP Server
Linux Bind DNS
File & Folder Permissions
Linux OpenMosix
Linux Network Config
Best Rated Content
Product Review - GFI
LanGuard Network
Security Scanner 2011
IPSec - Internet
Protocol Security
Static NAT - Part 1
Installation of a Cisco
Catalyst 4507R-E
Layer 3 Switch
TCP Window Size,
Checksum & Urgent
Pointer - Section 5
Introduction To
Network Security Part 1
Firewall.cx - Cisco
CCIE Experts & Cisco
Press Authors
Collaboration
Annoucement
VLAN Security Making the Most of
VLANs
Software Review:
Colasoft Capsa 7
Enterprise Network
Analyzer
Interview: Vivek
Tiwari CCIEx2 #18616
(CCIE Routing and
Switching and Service
Provider)

This is by no means the only way to do things, it's like subnetting -- everyone has their own method -- this is just a systematic approach that
works very well as a set of guidelines. Depending on how much information you are given about the targets as well as what level of testing
you're allowed to do, this method can be adapted.

Papers Covering Penetration Testing

I consider the following works essential reading for anyone who is interested in performing pen-tests, whether for yourself or if you're planning
a career in security:
'Penetration Testing Methodology - For Fun And Profit' - Efrain Tores and LoNoise, you can google for this paper and find it.
'An Approach To Systematic Network Auditing' - Mixter (http://mixter.void.ru)
'Penetration Testing - The Third Party Hacker' - Jessica Lowery. Boy is this ever a good paper ! (http://www.sans.org/rr/papers
/index.php?id=264)
'Penetration Testing - Technical Overview' - Timothy P. Layton Sr. also from the www.sans.org (http://www.sans.org) reading room

Pen-test Setup
I don't like working from laptops unless its absolutely imperative, like when you have to do a test from the inside. For the external tests I use
a Windows XP machine with Cygwin (www.cygwin.com) and VMware (www.vmware.com) most linux exploits compile fine under cygwin, if
they don't then I shove them into vmware where I have virtual machines of Red Hat, Mandrake and Win2k boxes. In case that doesnt work,
the system also dual boots Red Hat 9 and often I'll just work everything out from there.
I feel the advantage of using a microsoft platform often comes from the fact that 90% of your targets may be microsoft systems. However the
flexibility under linux is incomparable, it is truely the OS of choice for any serious hacker.. and as a result, for any serious security
professional. There is no best O/S for penetration testing -- it depends on what you need to test at a point in time. That's one of the main
reasons for having so many different operating systems set up, because you're very likely to be switching between them for different tasks.
If I don't have the option of using my own machine, I like to choose any linux variant.
I keep my pen-tests strictly to the network level, there is no social engineering involved or any real physical access testing other than basic
server room security and workstation lockdown (I don't go diving in dumpsters for passwords or scamming employees).
I try as far as possible to determine the Rules Of Engagement with an admin or some other technically adept person with the right
authorisation, not a corporate type. This is very important because if you do something that ends up causing trouble on the network, its going
to make you look very unprofessional. It's always better to have it done clearly in writing -- this is what you are allowed to do.
I would recommend this even if you're an admin conducting an in-house test. You can get fired just for scanning your own network if its against
your corporate policy. If you're an outside tester, offer to allow one of their people to be present for your testing if they want. This is
recommended as they will ultimately be fixing most of these problems and being in-house people they will be able to put the results of the test
in perspective to the managers.

Tools
I start by visiting the target website, running a whois, DNS zone transfer (if possible) and other regular techniques which are used to gather as
much network and generic information about the target. I also like to pick up names and email addresses of important people in the company
-- the CEO, technical contacts etc. You can even run a search in the newsgroups for @victim.com to see all the public news postings they have
made. This is useful as a lot of admins frequent bulletin boards for help. All this information goes into a textfile. Keeping notes is critically
important, it's very easy to forget some minor detail that you should include in your end report.

25/09/2013 7:48

Introduction To Network Security - Part 2

3 of 6

http://www.firewall.cx/general-topics-reviews/security-articles/853-n...

Now for a part of the arsenal -- not in any order and far from the complete list.
Nmap - Mine (and everyone elses) workhorse port scanner with version scanning, multiple scan types, OS fingerprinting and firewall evasion
tricks. When used smartly, Nmap can find any Internet facing host on a network.
Nessus - My favourite free vulnerability scanner, usually finds something on every host. Its not too stealthy though and will show up in logs
(this is something I don't have to worry about too much).
Retina - A very good commercial vulnerability scanner, I stopped using this after I started with nessus but its very very quick and good. Plus
its vulnerability database is very up-to-date.
Nikto - This is a webserver vulnerability scanner. I use my own hacked up version of this perl program which uses the libwhisker module. It
has quite a few IDS evasion modes and is pretty fast. It is not that subtle though, which is why I modified it to be a bit more stealthy.
Cisco Scanner - This is a small little windows util I found that scans IP ranges for routers with the default password of 'cisco'. It has turned up
some surprising results in the past and just goes to show how even small little tools can be very useful. I am planning to write a little script
that will scan IP ranges looking for different types of equipment with default passwords.
Sophie Script - A little perl script coupled with user2sid and sid2user (two windows programs) which can find all the usernames on a windows
box.
Legion - This is a windows file share scanner by the erstwhile Rhino9 security group. It is fast as hell and allows you to map the drive right
from in the software.
Pwdump2 - Dumps the content of the windows password sam file for loading into a password cracker.
L0phtcrack 3.0 - Cracks the passwords I get from the above or from its own internal SAM dump. It can also sniff the network for password
hashes or obtain them via remote registry. I have not tried the latest version of the software, but it is very highly rated.
Netcat - This is a TCP/UDP connection backend tool, oh boy I am lost without this ! Half my scripts rely on it. There is also an encrypted
version called cryptcat which might be useful if you are walking around an IDS. Netcat can do anything with a TCP or UDP connection and it
serves as my replacement to telnet as well.
Hping2 - A custom packet creation utility, great for testing firewall rules among other things.
SuperScan - This is a windows based port scanner with a lot of nice options. Its fast, and has a lot of other neat little tools like NetBIOS
enumeration and common tools such as whois, zone transfers etc.

Ettercap - When sniffing a switched network, a conventional network sniffer will not work. Ettercap poisons the ARP cache of the hosts you
want to sniff so that they send packets to you and you can sniff them. It also allows you to inject data into connections and kill connections
among other things.
Brutus - This is a fairly generic protocol brute forcing tool. It can bruteforce HTTP, FTP, Telnet and many other login authentication systems.
This is a windows tool, however I prefer Hydra for linux.

Bunch of common exploits effeciently sorted

This is my collection of exploits in source and binary form. I sort them in subdirectories by operating system, then depending on how they
attack - Remote / Local and then according to what they attack - BIND / SMTP / HTTP / FTP / SSH etc etc. The binary filenames are arbitrary
but the source filenames instantly tell me the name of the exploit and the version of the software vulnerable.

This is essential when you're short on time and you need to 'pick one'. I don't include DoS or DDoS exploits, there is nobody I know who would
authorise you to take down a production system. Don't do it -- and tell them you arent doing it.. and only if they plead with you should you do
it.

Presenting Reports
This is the critical part -- it's about presenting what you found to people who probably don't understand a word of what your job is about other
than you're costing them money. You have to show them that there are some security problems in your network, and this is how serious they
might be.
A lot of people end the pen-test after the scanning stage. Unless someone specifically tells me to do this, I believe it is important you exploit
the system to at least level 1. This is important because there is a very big difference in saying something is vulnerable and actually seeing
that the vulnerability is executable. Not to mention when dealing with a corporate type, seeing 'I gained access to the server' usually gets
more attention than 'the server is vulnerable to blah blah'.
After you're done, make a VERY detailed chronological report of everything you did, including which tools you used, what version they are, and
anything else you did without using tools (eg. SQL injection). Give gory technical details in annexes -- make sure the main document has an
executive summary and lots of pie charts that they can understand. Try and include figures and statistics for whatever you can.
To cater to the admins, provide a report for each host you tested and make sure that for every security hole you point out, you provide a link
to a site with a patch or fix, . Try to provide a link to a site with detailed information about the hole preferably bugtraq or some well known
source -- many admins are very interested in these things and appreciate it.

A Brief Walk-through of an Attack

This is an account of how an attacker in the real world might go about trying to exploit your system. There is no fixed way to attack a system,
but a large number will follow the similar methodology or at least the chain of events.
This section assumes that the attacker is moderately skilled and moderately motivated to breaking into your network. He/She has targeted
you due to a specific motive -- perhaps you sacked them, or didn't provide adequate customer support (D-link India are you listening ? ;)).
Hopefully this will help you figure out where your network might be attacked, and what an attacker might do once they are on the inside.
Remember that attackers will usually choose the simplest way to get into the network. The path of least resistance principle always applies.

Reconnaissance & Footprinting

Here the attacker will try to gather as much information about your company and network as they can without making a noise. They will first
use legitimate channels, such as google and your company webpage to find out as much about you as they can. They will look for the following
information:

Technical information is a goldmine, things like a webpage to help your employees log in from home will be priceless information to them.
So also will newsgroup postings by your IT department asking how to set up particular software, as they now know that you use this software
and perhaps they know of a vulnerability in it.
Personal information about the company and its corporate structure. They will want information on the heads of IT departments, the CEO
and other people who have a lot of power. They can use this information to forge email, or social engineer information out of subordinates.
Information about your partners. This might be useful information for them if they know you have some sort of network connection to a
supplier or partner. They can then include the supplier's systems in their attack, and find a way in to your network from there.

25/09/2013 7:48

Introduction To Network Security - Part 2

4 of 6

http://www.firewall.cx/general-topics-reviews/security-articles/853-n...

General news. This can be useful information to an attacker as well. If your website says that it is going down for maintenance for some
days because you are changing your web server, it might be a clue that the new setup will be in its teething stages and the admins may not
have secured it fully yet.
They will also query the whois databases to find out what block of IP addresses you own. This will give them a general idea of where to start
their network level scans.
After this they will start a series of network probes. The most basic of which will be to determine if you have a firewall, and what it protects.
They will try and identify any systems you have that are accessible from the Internet.
The most important targets will be the ones that provide public services. These will be :
Webservers - usually the front door into the network. All webserver software has some bugs in it, and if you're running home made CGI
scripts such as login pages etc, they might be vulnerable to techniques such as SQL injection.
Mail servers - Sendmail is very popular and most versions have at least one serious vulnerability in them. Many IT heads don't like to take
down the mail server for maintenance as doing without it is very frustrating for the rest of the company (especially when the CEO doesn't get
his mail).
DNS servers - Many implementations of BIND are vulnerable to serious attacks. The DNS server can be used as a base for other attacks,
such as redirecting users to other websites etc.
Network infrastructure - Routers and switches may not have been properly secured and may have default passwords or a web
administration interface running. Once controlled they can be used for anything from a simple Denial of Service attack by messing up their
configurations, to channeling all your data through the attackers machine to a sniffer.
Database servers - Many database servers have the default sa account password blank and other common misconfigurations. These are
very high profile targets as the criminal might be looking to steal anything from your customer list to credit card numbers. As a rule, a
database server should never be Internet facing.
The more naive of the lot (or the ones who know that security logs are never looked at) may run a commercial vulnerability scanner such as
nessus or retina over the network. This will ease their work.

Exploitation Phase
After determining which are valid targets and figuring out what OS and version of software they are using (example which version of Apache or
IIS is the web server running), the attacker can look for an exploit targeting that particular version. For example if they find you are running
an out of date version of Sendmail, they will look for an exploit targeting that version or below.
They will first look in their collection of exploits because they have tested these. If they cannot find one, they will look to public repositories
such as http://www.packetstormsecurity.nl. They will probably try to choose common exploits as these are more likely to work and they can
probably test them in their own lab.
From here they have already won half the game as they are behind the firewall and can probably see a lot more of the internal network than
you ever intended for them to. Many networks tend to be very hard to penetrate from the outside, but are woefully unprotected internally.
This hard exterior with a mushy interior is a recipe for trouble -- an attacker who penetrates the first line of defense will have the full run of
your network.
After getting in, they will also probably install backdoors on this first compromised system to provide them with many ways in, in case their
original hole gets shut down. This is why when you identify a machine that was broken into, it should be built up again from scratch as there is
no way of knowing what kind of backdoors might be installed. It could be tricky to find a program that runs itself from 2:00AM to 4:00AM every
night and tries to connect to the attackers machine. Once they have successfully guaranteed their access, the harder part of the intrusion is
usually over.

Privilege Escalation Phase

Now the attacker will attempt to increase his security clearance on the network. He/She will usually target the administrator accounts or
perhaps a CEO's account. If they are focused on a specific target (say your database server) they will look for the credentials of anyone with
access to that resource. They will most likely set up a network sniffer to capture all the packets as they go through the network.
They will also start manually hunting around for documents that will give them some interesting information or leverage. Thus any sensitive
documents should be encrypted or stored on systems with no connection to the network. This will be the time they use to explore your internal
network.
They will look for windows machines with file sharing enabled and see what they can get out of these. Chances are if they didn't come in with a
particular objective in mind (for example stealing a database), they will take whatever information they deem to be useful in some way.

Clean Up Phase
Now the attacker has either found what they were looking for, or are satisfied with the level of access they have. They have made sure that
they have multiple paths into the network in case you close the first hole. They will now try to cover up any trace of an intrusion. They will
manually edit log files to remove entries about them and will make sure they hide any programs they have installed in hard to find places.
Remember, we are dealing with an intruder who is moderately skilled and is not just interested in defacing your website. They know that the
only way to keep access will be if you never know something is amiss. In the event that there is a log they are unable to clean up, they may
either take a risk leaving it there, or flood the log with bogus attacks, making it difficult for you to single out the real attack.

Where Can I Find More Information?

Without obviously plugging our site too much, the best place for answers to questions relating to this article is in our forums. The
Security/Firewalls Forum is the best place to do this -- so you can ask anything from the most basic to the most advanced questions concerning
network security there. A lot of common questions have already been answered in the forums, so you will quite likely find answers to
questions like 'Which firewall should I use ?'.
As far as off-site resources are concerned, network security is a very vast field and there is seemingly limitless information on the subject. You
will never find information at so-called hacker sites full of programs. The best way to learn about network security is to deal with the first word
first -- you should be able to talk networking in and out, from packet header to checksum, layer 1 to layer 7.
Once you've got that down, you should start on the security aspect. Start by reading a lot of the papers on the net. Take in the basics first, and
make sure you keep reading. Wherever possible, try to experiment with what you have read. If you don't have a home lab, you can build one
'virtually'. See the posts in the Cool Software forum about VMware.
Also, start reading the security mailing lists such as bugtraq and security-basics. Initially you may find yourself unable to understand a lot of
what happens there, but the newest vulnerabilities are always announced on these lists. If you follow a vulnerability from the time its
discovered to when someone posts an exploit for it, you'll get a very good idea of how the security community works.. and you'll also learn a
hell of a lot in the process.
If you're serious about security, it is imperative that you learn a programming language, or at least are able to understand code if not write
your own. The best choices are C and assembly language. However knowing PERL and Python are also valuable skills as you can write
programs in these languages very quickly.

25/09/2013 7:48

Introduction To Network Security - Part 2

5 of 6

http://www.firewall.cx/general-topics-reviews/security-articles/853-n...

For now, here are a few links that you can follow for more information:
www.securityfocus.com - A very good site with all the latest news, a very good library and tools collection as well as sections dedicated to
basics, intrusion detection, penetration testing etc. Also home of the Bugtraq mailing list.
www.sans.org - A site with excellent resources in its reading room, people who submit papers there are trying for a certification and as a
result its mostly original material and of a very high calibre.
www.security-portal.com - A good general security site.
www.cert.org - The CERT coordination center provides updates on the latest threats and how to deal with them. Also has very good best
practice tips for admins.
www.securityfocus.com/archive/1 - This is the link to Bugtraq, the best full disclosure security mailing list on the net. Here all the latest
vulnerabilities get discussed way before you see them being exploited or in the press.
www.insecure.org - The mailing lists section has copies of bugtraq, full disclosure, security-basics, security-news etc etc. Also the home of
nMap, the wonderful port scanner.

seclists.org - This is a direct link to the security lists section of insecure.org.

www.grc.com - For windows home users and newbies just interested in a non technical site. The site is home to Shields Up, which can test your
home connection for file sharing vulnerabilities, do a port scan etc, all online. It can be a slightly melodramatic site at times though.
www.eeye.com - Home of the Retina Security Scanner. Considered the industry leader. The E-Eye team also works on a lot of the latest
vulnerabilities for the windows platform.
www.nessus.org - Open source vulnerability scanner, and IMNSHO the best one going. If you're a tiger team penetration tester and you don't
point nessus at a target, you're either really bad at your job or have a very large ego. If there's a vulnerability in a system, nessus will find it.
www.zonelabs.com - ZoneAlarm personal firewall for windows, considered the best, and also the market leader.
www.sygate.com - Sygate Personal Firewall, provides more configuration options than ZoneAlarm, but is consequently harder to use.
www.secinf.net - Huge selection of articles that are basically windows security related.
www.searchsecurity.com - A techtarget site which you should sign up for, very good info. Chris writes for searchnetworking.com its sister site..
I don't think the references could be much better.
www.antioffline.com - A very good library section on buffer overflows etc.
www.packetstormsecurity.nl - The largest selection of tools and exploits possible.

Conclusion
This 10-page article should serve as a simple introduction to network security. The field itself is too massive to cover in any sort of article, and
the amount of cutting edge research that goes on really defies comprehension.
Some of the most intelligent minds work in the security field because it can be a very challenging and stimulating environment. If you like to
think out-of-the-box and are the sort of person willing to devote large amounts of your time to reading and questioning why things happen in a
particular way, security might be a decent career option for you.
Even if you're not interested in it as a career option, every admin should be aware of the threats and the solutions. Remember, you have to
think like them to stop them !
If you're interested in network security, we highly recommend you read through the networking and firewall sections of this website. Going
through the whole site will be some of the most enlightening time you'll ever spend online.
If you're looking for a quick fix, here are a few of the more important areas that you might want to cover:
Introduction to Networking
Introduction to Firewalls
Introduction to Network Address Translation (NAT)
Denial Of Service (DoS) Attacks
Locking down Windows 9X
Introduction to Network Protocols

Also check out the downloads section where you will find lots of very good security and general networking tools.
We plan on putting up a lot of other security articles in the near future. Some will be basic and introductory like this one, while some may deal
with very technical research or techniques.
As always feel free to give us feedback and constructive criticism. All flames however will be directed to /dev/null.

R E L A T E D A R T IC L E S
Using SSH Keys Instead Of Passwords
Installing Software On Linux
Testing Your Cluster
Acunetix Web Vulnerability Scanner
GFI Network Server Monitor Online Review - Road Test

25/09/2013 7:48