Published: 01 Aug 2003
Earlier this year, the author of the Nmap scanner, Fyodor, released a list of the Top 75 Network Security Tools. The tools on this list, collected and organized with input from the Nmap-hackers mailing list, provide you with a cyber-smorgasbord of cool (and free) tools for down-in-the-trenches security administration.
Of the 75 tools on the list, 20 of them are some kind of vulnerability scanner. Nine are some kind of a monitor or IDS, mostly packet-oriented with a few system/application monitors. Six are "packet manipulators" -- tools designed to inject packets, screw up IDSes or intercept sessions and spoof traffic. Six others are password crackers or authentication system breakers. There's one firewall, one tamper detector and two tools for providing encrypted communications channels.
This list is interesting because it says something about the tools that security people actually use on a regular basis. The high concentration of vulnerability scanners further proves that, as an industry, we are still firmly stuck in the "penetrate and patch" mindset. We continue to look for flaws to fix, rather than design our systems based on sound principles.
You should be "noddingly" familiar with every one of the tools on this list, and have some hands-on experience with at least the top five. The top 10 most popular tools are a little, shall we say, offensive, in that they can be used for both good and evil: vulnerability assessment, packet/traffic analysis, IDS, basic network communications and session tampering.
When you've got a client who absolutely needs to be convinced his network is vulnerable, some of these tools are valuable. But they're also really valuable to the bad guys. (I wish Fyodor would do a survey to see how many of his list members consider themselves "gray hat" or "black hat" hackers.)
I was surprised and disappointed to see that more proactive security tools didn't make it into the top 10 or 20. Firewalls are passé and boring now, but what about things like the Squid caching proxy server, the Postfix or Qmail mail transfer agents or the SpamAssassin antispam filter? Even the humble SecureIIS deserves some kind of billing. I guess that playing on the defensive team will always be a little less glamorous than on the offense.
Taking a cue from Fyodor, I'll suggest my own list of top security tools. Like the tools on the insecure.org list, they're all freeware. However, my list contains a better mix of both offensive and defensive tools.
- iptables: Ubiquitous firewall. Basically, every operating system out there now supports some kind of packet screening.
- Squid: Caching and proxying for Web; combine with a firewall for best results, and make sure you log accesses.
- SecureIIS: If you have to go out on a high wire, wear a safety harness! IIS is too insecure for my taste, but this useful tool can block out a lot of "noise" attacks against IIS-based Web servers.
- Postfix: When the mail needs to get through securely. Consider Qmail as an alternate.
- Tiny Personal Firewall: Use this or any other personal firewall that traps outgoing and incoming traffic. Many personal firewall vendors offer freeware for noncorporate use.
- SpamAssassin: Make e-mail tolerable by clobbering spam.
- Tripwire: Know what files have been altered on your system; an absolutely essential postmortem tool.
- Ethereal: Sniffer extraordinaire, packet decoder and session reconstructor.
- Nmap: Hands down, the best network and port scanner; operating system fingerprinting is invaluable.
- Snort: The best free IDS money can buy.
- SSH/PuTTY: Secure communications for the masses. There's no longer an excuse to use Telnet or FTP!
- Nessus: A VA scanner that tops many commercial tools.
As I reread my list, I realize that there are so many great tools out there; it's a wonder that our networks are still getting hacked to pieces. Obviously, it's not for lack of good technology.
About the author: Marcus Ranum is an independent security consultant and author. He is the founder of NFR Security and built the first commercial firewall product, DEC SEAL.