Ask the Experts: Network Security

Last fall, we invited readers to send in their network security questions to our panel of experts. Issues ranged from investigative tools to patch management to hardening networks. We selected half a dozen queries from those sent in and set our panel to work. Read on to get advice from the pros.
Our panelists are Douglas Schweitzer, an Internet security specialist with a focus on malicious code; Marcia J. Wilson, CISSP, founder and CEO of Wilson Secure LLC; Steven Hofmeyr, chief technology officer and founder of Sana Security Inc.; experts at Avanade Inc., a Microsoft technology integrator; and Vince Tuesday and Mathias Thurman, security managers and co-authors of Computerworld's weekly Security Manager's Journal feature.
The issues:

  • Tools for Microsoft critical patches
  • Forensic tools
  • Alternatives to the Windows Update site
  • Tracking down huge traffic spikes
  • Securing MS BizTalk for client file FTPs
  • Defending against nonapproved devices trying to connect to the network

Q: How can I best keep current on Microsoft critical patches when I'm not in an Active Directory environment and can't physically patch all the computers that need patching?
Thurman: If you've got the resources, you can simply have someone monitor the Microsoft Web site for patch releases. Of course, that person would have to know the details and intricacies of every operating system and application version in use at the company. If you're an administrator at a small firm, that's probably not a big deal. But if you're responsible for a huge, nationwide or worldwide network, then you'll need help.
There are also plenty of mailing lists or sites that will send you alerts when new patches are released. In addition, there are some software tools, such as Ecora, Marimba or Patchlink, that can be utilized for patch management. My favorite of the three is Patchlink.

Avanade: Active Directory will dramatically streamline the process for deploying security updates but is not a requirement. However, trying to implement an enterprise patch management tool without an NT 4.0 Domain or Active Directory will probably take longer and may introduce security issues related to credential management.

Q: Please recommend some forensic investigation tools when incidents have occurred. I'd like to see e-mail, Trojan code, hidden directories and hidden-application finders most of all, and activity log parsers if you can fit it in.

Tuesday: Forensic investigations break down into two halves: the collection of the forensically sound image of the source data, and the analysis of the collected image to identify evidence.
A good overview of the whole process can be found at ftp://ftp.isi.edu/in-notes/rfc3227.txt.
The imaging of source media seems to have split into two worlds: those with funds, like large corporate and law enforcement organizations, which tend to use Guidance Software's EnCase; and those without significant funds, like universities and small consultancies, which use the "dd" utility. EnCase is a full-featured commercial product. It isn't cheap, but it is very good, and I'd never try to go to court without it. Does it do anything magical? No, not at all. But in a field where the slightest slipped finger can lose you the entire case, I'd rather have it than "dd" covering my back.
EnCase also includes significant evidence analysis capability, quickly searching for hidden files and directories. It supports hash sets of known good and bad files that should very quickly help you find any Trojan code on your systems. It also supports a scripting language to automate scans of the images you have collected from suspect machines. These can include searches for the tricks used to try to hide directories and files. It will find data hidden in alternate streams and in files and folders marked as hidden and will highlight files saved with the wrong file extension.
For details on how to get e-mail and Web logs and parse them, I recommend Incident Response: Investigating Computer Crime, by Kevin Mandia and Chris Prosise (McGraw-Hill Professional Publishing, 2001).

Hofmeyr: Depending on which environment you're looking at and your goals (i.e., to prevent or pursue), there are a wide range of tools available, from freeware through high-cost, law-enforcement-grade forensics. If your aim is simply to ascertain the hows and whys of an incident and you are working in a Microsoft environment, the forensic tool kit from NT Objectives Inc. offers an easy-to-use set of tools that will provide some of the features you specified, including the ability to locate alternate data streams and hidden files.
Most antivirus tools will detect the majority of Trojans; for additional protection, there are many choices. One good bet is the a2 product from Emsi Software. Depending on the type of hidden application you're looking for, you could utilize anything from a free spyware-detection utility to the Windows Process List. Log Parser 2.0 is another product for the Microsoft environment. This easy-to-use tool, which is available as a free download from Microsoft's Web site, can assist in parsing out almost any type of Windows log.
If your goal is to collect evidence suitable for future legal proceedings, I would suggest retaining the services of a professional incident-response and forensics organization to assist you in establishing the proper environment.
Schweitzer: A well-rounded tool kit is essential for conducting any computer forensic investigation. For the sake of brevity, here are a few of my favorite freeware investigative tools. (Note: These would be used in addition to scanning with up-to-date antivirus software.)
The following freeware tools are for detecting the presence of Trojans and back doors:

  • Fport.exe from Foundstone is a handy freeware tool for viewing all open TCP/IP and UDP ports. In addition, it goes a step further by tracing open ports back to the owning application.
  • Nmap (Network Mapper), available at Insecure.org, is an open-source Unix/Linux utility that's useful for exploring network connections and for security auditing. Nmap determines which hosts are available and which ports they are using.
  • ListDLLs (available from Sysinternals) is a Windows freeware utility that is able to display the full path names of loaded modules, not just their base names. This handy utility can also illustrate which DLLs have been relocated when they're not loaded at their base address.


These tools are useful in searching for deleted e-mail or any hidden files:

  • BinText from Foundstone is a small and fast text extractor. BinText is capable of extracting text from a wide variety of files such as plain text, Unicode and resource strings. This handy utility also provides detailed information by using the optional (advanced) view mode, as well as keyword filtering to prevent any unwanted text from being listed.
  • Disk Investigator, by Kevin Soloway, is a freeware utility that can gather a variety of information from a user's hard disk. It can help discover all that is "hidden" on a computer hard disk by displaying the drive's true contents. By bypassing the operating system and reading the "raw" sectors, Disk Investigator can help you search files and clusters for specific keywords and content.


In addition, there may be times during an investigation when you come across files that have been compressed and/or password-protected. If you want to attempt to crack the password yourself, you may want to try the following freeware tools:



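As an added illustration (not part of any panelist's answer, and not code from BinText or Disk Investigator), the raw-sector keyword search Schweitzer describes above can be shown in a few lines of Python: the scanner reads a constructed sample "disk image" as raw bytes, pulls out printable ASCII and UTF-16LE runs the way a string extractor does, applies a case-insensitive keyword filter, and reports the sector each hit starts in. The image contents, sector size and keywords are all constructed for this example.

```python
import re

# Sector size assumed for the constructed image (typical 512-byte sectors).
SECTOR = 512

def build_sample_image() -> bytes:
    """Constructed sample 'raw disk image' (not real disk contents): zeroed
    sectors, an ASCII e-mail header that straddles a sector boundary, and a
    UTF-16LE file name, as a deleted or hidden file might leave behind."""
    filler = b"\x00" * SECTOR
    ascii_msg = b"From: alice@example.test\r\nSubject: quarterly numbers\r\n"
    utf16_msg = "hidden.txt backup".encode("utf-16-le")
    # Split the ASCII message so it crosses from sector 1 into sector 2.
    sector1 = filler[: SECTOR - 10] + ascii_msg[:10]
    sector2 = ascii_msg[10:] + b"\xff" * (SECTOR - len(ascii_msg[10:]))
    sector3 = b"\x90" * 100 + utf16_msg
    sector3 += b"\x00" * (SECTOR - len(sector3))
    return filler + sector1 + sector2 + sector3

def extract_strings(image: bytes, min_len: int = 6):
    """Yield (offset, encoding, text) for printable ASCII and UTF-16LE runs.
    The whole buffer is scanned at once, so a string split across a sector
    boundary is recovered intact (a sector-by-sector search would miss it)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in ascii_re.finditer(image):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in utf16_re.finditer(image):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")

def search_keywords(image: bytes, keywords, min_len: int = 6):
    """Keyword filter (case-insensitive) over the extracted strings; each hit
    records the byte offset and the sector it starts in for later review."""
    wanted = [k.lower() for k in keywords]
    hits = []
    for offset, encoding, text in extract_strings(image, min_len):
        if any(k in text.lower() for k in wanted):
            hits.append({"sector": offset // SECTOR, "offset": offset,
                         "encoding": encoding, "text": text})
    return hits

if __name__ == "__main__":
    for hit in search_keywords(build_sample_image(), ["subject", "hidden"]):
        print(hit)
```

To run it against a real image, replace build_sample_image() with the bytes read from a forensic copy of the drive; the scanner never writes to its input.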
Q: What is the most effective and widely used software distribution tool for Windows updates, excluding the Microsoft Windows Update site?
Tuesday: There isn't one that is effective and widely used. Why do you think that large corporations keep getting hit by virus and worm outbreaks?
There are a few attempts that get close. If you have a well-administered company and can control the configuration of all the end-node machines, then the Microsoft approach of Software Update Services just might help (download SUS data sheet). This is a mini Windows Update server that you can run on your own network and apply policy for which patches get pushed to your enterprise. Bizarrely for Microsoft, it is free; perhaps the incoming threats of litigation and regulation over patches have driven a new approach at Microsoft.
If your site is well run, you almost certainly have an existing software-deployment mechanism, like SMS or something you built in-house, so SUS won't do you a lot of good. But if you had such a mechanism, then I'd expect you to be using that and not ask the question.
So, if you have many systems that aren't really under anyone's management, as is the case with most of the places where I've worked, then you need a tool that finds and fixes the vulnerabilities you have.
The best I know of is the GFI LANguard network security scanner. This fast-moving scanner will identify all the machines on your network and highlight any missing patches. Obviously, there are many scanners that will do this, but what makes LANguard so clever is that if you approve, it will deploy and install all your required patches from a central point. It will even install service packs and works with Windows NT, two tasks that SUS finds hard to do.

Avanade: "Effective" patch management tools are those that meet your organization's process requirements. Most organizations have complex workflows that prescribe testing, dictate patch applicability, control scheduling and even throttle bandwidth use. There are three classes of tools for deployment: free patch-management services, patch management point tools and configuration management tools.
Free services include vendor-provided services (Windows Update) as well as Microsoft's SUS. These tools automate deployment but have limited functionality, are not comprehensive and do not include reporting.
Patch management point tools allow patches to be downloaded and applied on a granular basis to specific subsets of machines, on a scheduled basis. These tools tend to be very quick to set up and do not require specialized skills. But features and cost vary: Products may or may not require agents, and they may or may not have limited testing and rollback capability and rich reporting capabilities. Examples include Shavlik Technologies' HFNetChkPro, St. Bernard Software's UpdateExpert, Configuresoft's Security Update Manager, Ecora's Ecora Patch Manager, and PatchLink's PatchLink Update.
Configuration management tools encompass many functions, including inventory and metering, operating system installation and configuration, and software installation and configuration. These tools tend to require expertise to set up and manage and often have detailed reporting and very advanced functionality such as testing and rollback. They tend to be expensive but extremely sophisticated. Among them are products from LANDesk, Marimba, Novadigm, Opsware, Microsoft and IBM Tivoli.
The optimal solution combines tools, people and process to provide overlapping coverage and better overall risk mitigation. You might augment a patch distribution tool with tighter configuration management (i.e., locking down client and server configurations) and investigate ways to effectively quarantine systems that do not meet a baseline patch level on the LAN and over VPN.
