Businesses of all sizes need security tools to back up their IT security programs. They need tools to monitor, check and guard their networks from vulnerabilities, as well as to justify their security staff and budgets.
Large companies with well-funded and dedicated IT security departments can afford commercially available network security tools. But these tools may be out of reach for midmarket companies that are thin on budgets and staff. Options are available, however, that are both affordable and easily managed with light staffs.
The term "security tools" covers a broad range of products, but the tools of interest to most companies fall into roughly three categories: network security monitoring tools, which include intrusion detection systems (IDSes) and intrusion prevention systems (IPSes); network security testing tools; and application security scanning tools.
Network monitoring tools
GFI LANguard VulnerabilityManager from GFI Software Ltd. is an award-winning security scanner geared toward midmarket companies. It scans your network, running more than 15,000 vulnerability assessments based on a database of vulnerabilities from OVAL, The SANS Institute's list of the top 20 security risks, BugTraq and Microsoft's Knowledge Base. It also checks to make sure antivirus and antispyware software is up to date and provides customizable reports of its scans. The price ranges from $575 for a network of 32 IP addresses to $2,950 for 512 IP addresses.
SecureFlow from Radware Ltd. combines several features -- antivirus, IDS and firewall -- into a single security appliance. Though SecureFlow is more like a switch than a true scanner, it is also a lightweight product aimed at the midmarket. With its centralized management and logging capabilities, it provides network scanning capabilities.
The Sunbelt Network Security Inspector from Sunbelt Software Distribution Inc. -- priced at only $1,868 per admin user -- is another security scanner. Like GFI, it works off a database of 4,000 known vulnerabilities from the FBI, Carnegie Mellon University's Computer Emergency Response Team, the Department of Homeland Security and other public sources.
In the same family as scanners, content monitoring tools and IDSes prevent data leakage. Content Alarm NW from Tablus Inc. and ModSecurity Pro M1100 from Breach Security Inc. both monitor networks for unauthorized transmissions of sensitive information by email or file transfer. GFI also offers a suite of three products -- MailEssentials, MailSecurity and WebMonitor -- that scan email and downloads from Web sites for malware.
In the IDS category, there are other vendors worth mentioning for midmarket companies: iPolicy Networks Private Ltd., which uses data from Nessus for intrusion detection scanning, and TriGeo Network Security Inc., which does real-time log analysis. Though these devices are really IDSes, they act like scanners, watching both incoming traffic and network behavior.
In tests, we trust
The testing category of tools includes, of course, the famous free standbys: Nessus, Nmap and Netcat. These tools do an excellent job for one-shot testing but can also be a drag on your network's performance.
An intriguing tool on a USB key comes from Northwest Performance Software Inc. NetScanTools Pro USB can be bought on a CD for $249 or on a 1 GB USB flash drive for $349 -- a very reasonable price for a cash-strapped midmarket company. The product can check overall network health, perform ARP scans to search for unauthorized devices on the network, capture and view packets and check for NetBIOS shares. It also has a tool called Cache Forensics that can check Internet Explorer's history, cache and cookies.
Securing the app
The next category, application security scanning tools, is actually a subset of the testing tools just described. But unlike tools that scan networks, these tools scan applications, particularly Web applications, for potential vulnerabilities. This has become an especially fertile area of testing as hackers have migrated from hacking networks to hacking applications and Web sites. It's easier these days to just insert malware into Web sites than it is to breach a firewall. Hackers prefer to avoid scanning a firewall for holes, in favor of piggybacking on a Web application to get into a network.
Full-blown code reviews are costly and time-consuming even for big organizations, not to mention backbreaking for midmarket companies. Even a small company may have applications with tens of thousands of lines of code. That's a lot for even the most robust tools to handle.
Two nice products for midmarket companies are WebInspect from SPI Dynamics Inc. and AppScan from Watchfire Corp. Both are Web scanning tools that can be customized to check any number of a company's Web sites for common vulnerabilities and attacks. They both produce readable reports that are also customizable, whether for management or a development team assigned to fix defects. The tools are lightweight, can be easily installed on a tester's desktop and have intuitive, easy-to-use interfaces.
On the free side are Web scanners like WebScarab and Nikto. Other testing tools for Web sites that aren't scanners include Paros Proxy, Nessus and Metasploit. All these tools require some level of technical expertise to configure and run, a consideration if your IT department is short-staffed.
When shopping for all of these network security tools, no matter whether they're scanning networks and applications or testing products, midmarket companies should consider a few things. Price, of course, is important. But don't necessarily be lured by free tools just because they're free; these tools don't come with support, and the time and cost of maintenance for your staff can quickly add up. Other issues to consider are compatibility of tools with your existing network infrastructure and scalability as your company, hopefully, grows. You don't want security monitoring tools to take down your network at critical times.
Does it sound like a lot of these tools overlap? It seems that monitoring, scanning and testing tools all have multiple uses. They all watch for network holes, malware, data leakage and malicious Web traffic, and log, monitor and report on suspicious activity -- but that's the trend. As security tools mature and the attacks they must prevent become more sophisticated, various functions will merge. The tool that just scans, just monitors or just tests will be history -- even for midmarket companies.
Joel Dubin, CISSP, is an independent computer security consultant. He is a Microsoft MVP specializing in Web and application security, and is the author of The Little Black Book of Computer Security, available from Amazon.com. He has a regular radio show on computer security on WIIT in Chicago and runs The IT Security Guy blog at www.theitsecurityguy.com.