Security is often one of the primary concerns of network administrators. And just like there are tools to assist us with pretty much all of our daily tasks, there are tools that will help us with securing our networks and the equipment they’re made of. And today, we’re bringing you some of the best network security tools we could think of.
Our list is by no means complete, as there are hundreds of tools out there that can help you with securing your network. It also excludes anti-virus software which, despite being security-related, falls into a completely different category of tools. We’ve also excluded firewalls from our list, as they too belong in a different category. What we’ve included are vulnerability assessment tools and scanners, encryption tools, port scanners, etc. In fact, we had pretty much only one criterion for inclusion on our list: they had to be security-related tools, that is, tools that can help you increase security or test and verify it.
We have so many tools to review that we won’t spend much time on theory. We’ll simply start off with some more details on the different categories of tools and follow through with reviewing the tools themselves.
Different Categories Of Tools
There are literally hundreds of different tools pertaining to network security. To make for an easier comparison of the different tools, it can be useful to categorize them. One of the types of tools we have on our list is event managers. Those are tools that will respond to various events happening on your network. They often detect those events by analyzing logs from your equipment.
Also useful are packet sniffers. They let you dig into traffic and decode packets to see the payload they contain, and they are often used to further investigate security events.
Another major category of tools is intrusion detection and prevention systems. They are different from antivirus or firewall software. They work at the perimeter of your network to detect any unauthorized access attempt and/or any malicious activity.
Our list also features some oddball tools that don’t really fit into a specific category but that we felt should be included as they are truly useful.
The Best Network Security Tools
When presenting such an extensive list of tools that serve vastly different purposes, it’s hard to list them in any order. All the tools reviewed here are very different and one is not objectively better than any other. So, we’ve decided to just list them in a random order.
If you don’t already know SolarWinds, the company has been making some of the very best network administration tools for years. Its Network Performance Monitor or its NetFlow Traffic Analyzer are some of the best SNMP network monitoring and NetFlow collector and analyzer packages you can find. SolarWinds also makes some excellent free tools that address specific needs of network and system administrators such as an excellent subnet calculator and a very good TFTP server.
When it comes to network security tools, SolarWinds has a few good products for you. First and foremost is its Log and Event Manager (LEM). This tool is best described as an entry-level Security Information and Event Management (SIEM) system. It is possibly one of the most competitive entry-level SIEM systems on the market. The SolarWinds product has almost everything you can expect from a basic system. The tool has excellent log management and correlation features together with an impressive reporting engine.
The SolarWinds Log and Event Manager also boasts some excellent event response features. Its real-time system will react to any threat it detects. And the tool is based on behavior rather than signatures, making it great for protecting against zero-day exploits and unknown future threats without needing to constantly update the tool. The SolarWinds LEM also features an impressive dashboard, which is possibly its best asset. Its simple design means you’ll have no trouble quickly identifying anomalies.
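To make the “log management and correlation” idea concrete, here is an added example of the kind of correlation a SIEM performs. It is not SolarWinds code and the sshd log lines are constructed samples, not output from a real host: a sliding window counts failed logins per source address, and a successful login from a source that was just flagged is escalated, since that is the event an operator most wants surfaced first.

```python
"""Brute-force correlation over sshd log lines: an added illustration of the
kind of log correlation a SIEM performs. Not SolarWinds code; the log lines
below are constructed samples."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Classic syslog-style sshd lines. The year is absent, which is fine for
# relative time arithmetic within one day's worth of lines.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Constructed sample log (documentation addresses, not real hosts).
SAMPLE_LOG = """\
Jan 12 03:14:05 bastion sshd[2210]: Failed password for root from 198.51.100.23 port 40122 ssh2
Jan 12 03:14:12 bastion sshd[2211]: Failed password for invalid user oracle from 198.51.100.23 port 40124 ssh2
Jan 12 03:14:19 bastion sshd[2212]: Failed password for admin from 198.51.100.23 port 40127 ssh2
Jan 12 03:14:26 bastion sshd[2213]: Failed password for admin from 198.51.100.23 port 40130 ssh2
Jan 12 03:14:33 bastion sshd[2214]: Failed password for admin from 198.51.100.23 port 40133 ssh2
Jan 12 03:14:50 bastion sshd[2218]: Accepted password for admin from 198.51.100.23 port 40140 ssh2
Jan 12 03:20:00 bastion sshd[2300]: Failed password for bob from 192.0.2.7 port 51000 ssh2
Jan 12 03:21:00 bastion sshd[2301]: Accepted password for bob from 192.0.2.7 port 51001 ssh2
Jan 12 03:22:00 bastion CRON[2310]: pam_unix(cron:session): session opened for user root
""".splitlines()

def parse_line(line):
    """Return a dict of fields for an sshd password event, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%b %d %H:%M:%S")
    return event

def correlate(lines, threshold=4, window_s=60):
    """Emit (severity, source_ip, detail) alerts.

    HIGH:     `threshold` or more failed logins from one source inside `window_s`.
    CRITICAL: a successful login from a source flagged within the last `window_s`.
    """
    failures = defaultdict(deque)   # source ip -> timestamps of recent failures
    flagged = {}                    # source ip -> time of its last HIGH alert
    alerts = []
    for ev in filter(None, map(parse_line, lines)):
        ip, ts = ev["ip"], ev["ts"]
        if ev["result"] == "Failed":
            recent = failures[ip]
            recent.append(ts)
            while recent and (ts - recent[0]).total_seconds() > window_s:
                recent.popleft()    # slide the window forward
            last = flagged.get(ip)
            if len(recent) >= threshold and (last is None or (ts - last).total_seconds() > window_s):
                flagged[ip] = ts
                alerts.append(("HIGH", ip, f"{len(recent)} failed logins within {window_s}s"))
        else:
            last = flagged.get(ip)
            if last is not None and (ts - last).total_seconds() <= window_s:
                alerts.append(("CRITICAL", ip,
                               f"successful login as {ev['user']} after brute-force burst"))
    return alerts

if __name__ == "__main__":
    for severity, ip, detail in correlate(SAMPLE_LOG):
        print(f"{severity:8} {ip:16} {detail}")
```

Run as a script, it prints one HIGH alert when the fourth failure from 198.51.100.23 lands inside the window and one CRITICAL alert for the login that follows; bob’s single failure followed by a success produces nothing, and the unrelated CRON line is ignored by the parser.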
Pricing for the SolarWinds Log and Event Manager starts at $4 585. And if you want to try before you buy, a free fully functional 30-day trial version is available.
SolarWinds also makes a few other tools related to network security. For instance, the SolarWinds Network Configuration Manager will allow you to ensure that all equipment configurations are standardized. It will let you push bulk configuration changes to thousands of network devices. From a security standpoint, it will detect unauthorized changes which could be a sign of malicious configuration tampering.
The tool can help you quickly recover from failures by restoring previous configurations. You can also use its change management features to quickly identify what changed inside a configuration file and highlight the changes. Furthermore, this tool will allow you to demonstrate compliance and pass regulatory audits thanks to its built-in, industry-standard reports.
Pricing for the SolarWinds Network Configuration Manager starts at $2 895 and varies according to the number of managed nodes. A free fully-functional 30-day trial is available.
The SolarWinds User Device Tracker is another must-have network security tool. It can improve your IT security by detecting and tracking users and endpoint devices. It will identify which switch ports are in use and determine which ports are available in multiple VLANs.
When malicious activity is suspected with a specific endpoint device or a given user, the tool will allow you to quickly pinpoint the device’s or the user’s location. Searches can be based on hostnames, IP/MAC addresses, or usernames. The search can even be extended by looking into past connection activities of the suspected device or user.
The SolarWinds User Device Tracker is priced starting at $1 895 and varies by the number of ports to track. As with most SolarWinds products, a free, fully-featured 30-day trial is available.
To say that Wireshark is just a network security tool is a gross understatement. It is by far the best packet capture and analysis package we can find these days. This is a tool that you can use to perform in-depth analysis of network traffic. It will let you capture traffic and decode each packet, showing you exactly what it contains.
Wireshark has become the de-facto standard and most other tools tend to emulate it. This tool’s analysis capabilities are so powerful that many administrators will use Wireshark to analyze captures done using other tools. In fact, this is so common that upon startup, it will prompt you to either open an existing capture file or start capturing traffic. But the biggest strength of this tool is its filters. They will easily let you zero in on precisely the relevant data.
Despite its steep learning curve (I once attended a three-day class just on how to use it), Wireshark is well worth learning. It will prove invaluable countless times. This is a free and open-source tool that has been ported to almost every operating system. It can be downloaded directly from Wireshark’s website.
5. Nessus Professional
Nessus Professional is one of the industry’s most widely deployed assessment solutions for identifying vulnerabilities, configuration issues, and malware that attackers use to gain unauthorized access to networks. It is used by millions of cybersecurity professionals, giving them an outsider’s view of their network security. Nessus Professional also offers important guidance on how to improve network security.
Nessus Professional has some of the broadest coverage of the threat landscape. It possesses the latest intelligence and an easy-to-use interface. Rapid updates are also one of the tool’s excellent features. Nessus Professional provides an effective and comprehensive vulnerability scanning package.
Nessus Professional is subscription-based and will cost you $2 190/year. If you’d rather try the product before purchasing a subscription, a free trial can be obtained although it only lasts 7 days.
Snort is one of the best-known open-source intrusion detection systems (IDS). It was created in 1998 and has been owned by Cisco Systems since 2013. In 2009, Snort entered InfoWorld’s Open Source Hall of Fame as one of the “greatest open source software of all time”. This is how good it is.
Snort has three modes of operation: sniffer, packet logger, and network intrusion detection. The sniffer mode is used to read network packets and display them on the screen. The packet logger mode is similar but the packets are logged to the disk. The intrusion detection mode is the most interesting. The tool monitors network traffic and analyzes it against a user-defined ruleset. Different actions can then be performed based on what threat has been identified.
Snort can be used to detect different types of probes or attacks, including operating system fingerprinting attempts, semantic URL attacks, buffer overflows, server message block probes, and stealth port scans. Snort can be downloaded from its own website.
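To show what “analyzes it against a user-defined ruleset” means in practice, here is an added example of a miniature Snort-style rule engine. It is not Snort’s own code: it understands only the rule header plus the msg and content options, the packets are constructed dicts standing in for decoded traffic, and the addresses are documentation ranges rather than real hosts. It does keep one behaviour worth knowing about: pass rules are evaluated first (the default in recent Snort 2.x releases), so a known-good source can be exempted from a noisier alert.

```python
"""Minimal Snort-style rule matcher, added to illustrate how a user-defined
ruleset drives intrusion detection mode. Not Snort's own code: only the rule
header and the msg/content options are understood, and the packets are
constructed dicts standing in for decoded traffic."""
import re
from dataclasses import dataclass

@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str
    content: bytes

# ACTION PROTO SRC SPORT -> DST DPORT (option; option; ...)
HEADER_RE = re.compile(
    r"^(alert|log|pass)\s+(\w+)\s+(\S+)\s+(\S+)\s*->\s*(\S+)\s+(\S+)\s*\((.*)\)\s*$"
)

# Evaluate pass rules first (recent Snort 2.x default), then alert, then log.
ACTION_ORDER = {"pass": 0, "alert": 1, "log": 2}

def parse_rule(text):
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    action, proto, src, sport, dst, dport, opts = m.groups()
    msg, content = "", b""
    # Options are ';'-separated key:value pairs; quoted values are unwrapped.
    # (A ';' inside a quoted string is not handled by this simplified parser.)
    for opt in filter(None, (o.strip() for o in opts.split(";"))):
        key, _, val = opt.partition(":")
        val = val.strip().strip('"')
        if key.strip() == "msg":
            msg = val
        elif key.strip() == "content":
            content = val.encode()
    return Rule(action, proto.lower(), src, sport, dst, dport, msg, content)

def load_rules(lines):
    """Parse non-comment lines and order them by action priority."""
    rules = [parse_rule(l) for l in lines if l.strip() and not l.lstrip().startswith("#")]
    return sorted(rules, key=lambda r: ACTION_ORDER[r.action])

def field_ok(pattern, value):
    return pattern == "any" or pattern == str(value)

def matches(rule, pkt):
    return (rule.proto == pkt["proto"]
            and field_ok(rule.src, pkt["src"]) and field_ok(rule.sport, pkt["sport"])
            and field_ok(rule.dst, pkt["dst"]) and field_ok(rule.dport, pkt["dport"])
            and rule.content in pkt["payload"])

def inspect(rules, packets):
    """First matching rule wins; returns (action, msg) per packet, None if nothing matched."""
    return [next(((r.action, r.msg) for r in rules if matches(r, pkt)), None)
            for pkt in packets]

# Constructed ruleset and traffic (documentation addresses, not real hosts).
RULES = load_rules([
    '# detection rules',
    'alert tcp any any -> any 80 (msg:"Directory traversal attempt"; content:"../../";)',
    'alert tcp any any -> any 445 (msg:"SMB probe"; content:"SMB";)',
    'pass tcp 10.0.0.5 any -> any 80 (msg:"authorized vulnerability scanner";)',
])

PACKETS = [
    {"proto": "tcp", "src": "203.0.113.9", "sport": 51000, "dst": "192.0.2.10", "dport": 80,
     "payload": b"GET /../../etc/passwd HTTP/1.1\r\n"},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 51001, "dst": "192.0.2.10", "dport": 80,
     "payload": b"GET /../../etc/passwd HTTP/1.1\r\n"},
    {"proto": "tcp", "src": "203.0.113.9", "sport": 51002, "dst": "192.0.2.11", "dport": 445,
     "payload": b"\xffSMBr\x00\x00\x00"},
    {"proto": "udp", "src": "203.0.113.9", "sport": 51003, "dst": "192.0.2.12", "dport": 53,
     "payload": b"\x12\x34\x01\x00"},
]

if __name__ == "__main__":
    for pkt, verdict in zip(PACKETS, inspect(RULES, PACKETS)):
        print(f"{pkt['src']} -> {pkt['dst']}:{pkt['dport']}  {verdict}")
```

The same request that raises an alert from an unknown source is passed when it comes from the authorized scanner’s address, and the UDP packet matches no rule at all; that ordering is exactly why a pass rule that is too broad is a common way to blind an IDS, so such rules deserve review.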
Tcpdump is the original packet sniffer. First released in 1987, it has since been maintained and upgraded but remains essentially unchanged, at least in the way it is used. This open-source tool comes pre-installed in almost every *nix operating system and has become the standard tool for a quick packet capture. It uses the libpcap library (also open-source) for the actual packet capture.
By default, tcpdump captures all traffic on the specified interface and “dumps” it (hence the name) on the screen. This is similar to Snort’s sniffer mode. The dump can also be written to a capture file, behaving like Snort’s packet logger mode, and analyzed later using any available tool. Wireshark is often used for that purpose.
Tcpdump’s key strength is the possibility to apply capture filters and to pipe its output to grep–another common Unix command-line utility–for even more filtering. Someone with a good knowledge of tcpdump, grep, and the command shell can easily capture precisely the right traffic for any debugging task.
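The “capture now, analyze later” workflow described for tcpdump and Wireshark rests on the libpcap file format. As an added example (not tcpdump or Wireshark code), here is a small reader for the classic pcap format, limited to Ethernet captures carrying IPv4 with TCP or UDP, together with a filter that does what a simple BPF expression such as `tcp port 80` would do. The capture it reads is constructed in memory with documentation addresses, so it runs offline; the same `read_pcap` works on a file written by `tcpdump -w`, provided the capture is Ethernet-framed.

```python
"""Reading a tcpdump/libpcap capture and filtering it: an added illustration,
not tcpdump or Wireshark code. Classic pcap format, Ethernet link type only,
IPv4 with TCP/UDP decoded. The sample capture is constructed in memory."""
import socket
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4   # magic as written by a little-endian host
PCAP_MAGIC_BE = 0xD4C3B2A1   # the same magic seen from the other byte order
LINKTYPE_ETHERNET = 1

def build_frame(src_ip, dst_ip, proto, sport, dport, payload):
    """Construct an Ethernet/IPv4/(TCP|UDP) frame; checksums left at zero."""
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"          # dst MAC, src MAC, EtherType IPv4
    if proto == 6:   # TCP: 20-byte header, data offset 5, flags PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    else:            # UDP: 8-byte header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + l4

def build_pcap(frames):
    """Wrap frames in a pcap global header and per-record headers."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)

def read_pcap(data):
    """Yield (ts_sec, frame_bytes) per record, honouring the file's byte order."""
    magic, = struct.unpack_from("<I", data, 0)
    end = {PCAP_MAGIC_LE: "<", PCAP_MAGIC_BE: ">"}.get(magic)
    if end is None:
        raise ValueError("not a pcap file")
    linktype = struct.unpack_from(end + "IHHiIII", data, 0)[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are decoded here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len

def decode(frame):
    """Decode Ethernet -> IPv4 -> TCP/UDP into a dict; None for non-IPv4 frames."""
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    l4 = frame[14 + ihl:]
    if proto == 6:
        data_off = (l4[12] >> 4) * 4
    elif proto == 17:
        data_off = 8
    else:
        return {"proto": proto, "src": src, "dst": dst}
    sport, dport = struct.unpack_from("!HH", l4, 0)
    return {"proto": {6: "tcp", 17: "udp"}[proto], "src": src, "sport": sport,
            "dst": dst, "dport": dport, "payload": l4[data_off:]}

def filter_packets(data, proto=None, port=None, host=None):
    """Keep packets matching every given criterion, like 'tcp port 80 and host X'."""
    kept = []
    for _ts, frame in read_pcap(data):
        pkt = decode(frame)
        if pkt is None or "sport" not in pkt:
            continue
        if proto and pkt["proto"] != proto:
            continue
        if port and port not in (pkt["sport"], pkt["dport"]):
            continue
        if host and host not in (pkt["src"], pkt["dst"]):
            continue
        kept.append(pkt)
    return kept

# Constructed capture: one HTTP request, one DNS query, one SSH banner.
SAMPLE_PCAP = build_pcap([
    build_frame("192.0.2.10", "198.51.100.5", 6, 40001, 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    build_frame("192.0.2.10", "192.0.2.53", 17, 40002, 53, b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 6),
    build_frame("203.0.113.7", "192.0.2.10", 6, 40003, 22, b"SSH-2.0-OpenSSH\r\n"),
])

if __name__ == "__main__":
    for pkt in filter_packets(SAMPLE_PCAP, proto="tcp", port=80):
        print(pkt["src"], "->", pkt["dst"], pkt["payload"][:20])
```

The byte-order check on the magic number is the detail most home-grown readers get wrong: a capture written on a big-endian device reads fine with this code but produces nonsense lengths if the little-endian layout is assumed unconditionally.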
Kismet is a network detector, packet sniffer, and intrusion detection system for wireless LANs. It will work with any wireless card which supports raw monitoring mode and can sniff 802.11a, 802.11b, 802.11g, and 802.11n traffic. The tool can run under Linux, FreeBSD, NetBSD, OpenBSD, and OS X. There is unfortunately very limited support for Windows mainly because only one wireless network adapter for Windows supports monitoring mode.
This free software is released under the GNU GPL license. It differs from other wireless network detectors in that it works passively: the software can detect the presence of both wireless access points and clients without sending any loggable packet, and it will also associate them with each other. Furthermore, Kismet is the most widely used open-source wireless monitoring tool.
Kismet also includes basic wireless intrusion detection features and can detect active wireless sniffing programs as well as a number of wireless network attacks.
Nikto is an open-source web server scanner. It will perform a comprehensive array of tests against web servers, testing for multiple items including over 6700 potentially dangerous files and programs. The tool will check for outdated versions of over 1250 servers, and identify version-specific issues on over 270 servers. It can also check server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software.
Nikto is designed for speed rather than stealth. It will test a web server in the quickest time possible but its passage will show up in log files and be detected by intrusion detection and prevention systems.
Nikto is released under the GNU GPL license and can be downloaded for free from its GitHub home.
The Open Vulnerability Assessment System, or OpenVAS, is a toolset that offers comprehensive vulnerability scanning. Its underlying framework is part of Greenbone Networks’ vulnerability management solution. It is entirely free and most of its components are open-source, although a few are proprietary. The product has over fifty thousand network vulnerability tests which are being updated on a regular basis.
There are two primary components to OpenVAS. First, there’s the scanner, which handles the actual scanning of target computers. The other component is the manager. It controls the scanner, consolidates results, and stores them in a central SQL database. The tool’s configuration parameters are stored in that database as well. An additional component is the Network Vulnerability Tests database. It can be updated from either the free Greenbone Community Feed or the Greenbone Security Feed. The latter is a paid subscription service while the community feed is free.
OSSEC, which stands for Open Source SECurity, is a host-based intrusion detection system. Contrary to network-based IDS, this one runs directly on the hosts it protects. The product is owned by Trend Micro, a trustworthy name in IT security.
The tool’s primary focus is log and configuration files on *nix hosts. On Windows, it watches the registry for unauthorized modifications and suspicious activities. Whenever something odd is detected, you are quickly alerted either through the tool’s console or by email.
The main drawback of OSSEC (or any host-based IDS) is that it must be installed on each computer you want to protect. Fortunately, this software will consolidate information from each protected computer in a centralized console, making its management much easier. The OSSEC server itself only runs on *nix; however, an agent is available to protect Windows hosts.
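The core of what a host-based IDS does with “log and configuration files” is integrity checking: record what the files looked like, then report anything that differs. The following is an added example, not OSSEC code: it snapshots SHA-256 digests and permission bits of a directory tree and classifies the changes into added, removed, modified and permission-only. The `demo` function builds a throw-away /etc-like tree under a temporary directory with constructed contents and tampers with it, so nothing on the real host is touched.

```python
"""Host-based integrity checking of configuration files, added as an
illustration of a host-based IDS's core job. Not OSSEC code: it snapshots
SHA-256 digests and permission bits of a tree and reports what changed."""
import hashlib
import os
import pathlib
import tempfile

def snapshot(root):
    """Map relative POSIX path -> (sha256 hex, permission bits) for regular files."""
    root = pathlib.Path(root)
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            result[path.relative_to(root).as_posix()] = (digest, path.stat().st_mode & 0o777)
    return result

def diff_snapshots(baseline, current):
    """Classify every difference between two snapshots."""
    common = baseline.keys() & current.keys()
    return {
        "added":      sorted(current.keys() - baseline.keys()),
        "removed":    sorted(baseline.keys() - current.keys()),
        "modified":   sorted(p for p in common if baseline[p][0] != current[p][0]),
        # content unchanged but mode differs, e.g. a key file made world-readable
        "permission": sorted(p for p in common
                             if baseline[p][0] == current[p][0] and baseline[p][1] != current[p][1]),
    }

def _write(root, rel, text):
    path = root / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)
    return path

def demo():
    """Baseline a constructed /etc-like tree, tamper with it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        _write(root, "etc/passwd", "root:x:0:0:root:/root:/bin/bash\n")
        _write(root, "etc/hosts", "127.0.0.1 localhost\n")
        sshd = _write(root, "etc/ssh/sshd_config", "PermitRootLogin no\n")
        baseline = snapshot(root)

        # Simulated changes an administrator would want to hear about.
        with open(root / "etc/passwd", "a") as f:
            f.write("svc:x:1001:1001::/home/svc:/bin/sh\n")  # unexpected account line appended
        (root / "etc/hosts").unlink()                         # file removed
        _write(root, "etc/cron.d/nightly", "0 3 * * * root /opt/job.sh\n")  # new file
        os.chmod(sshd, 0o444)                                 # mode changed, content same

        return diff_snapshots(baseline, snapshot(root))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:10} {paths}")
```

A real agent runs `snapshot` on a schedule, keeps the baseline somewhere the monitored host cannot silently rewrite it (OSSEC keeps it on the server, which is why the centralized console matters), and raises the `permission` category as its own alert, since a mode change with unchanged content slips past a digest-only check.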
OSSEC is also distributed under the GNU GPL license and it can be downloaded from its own website.
Nexpose from Rapid7 is another top-rated vulnerability management tool. This is a vulnerability scanner which supports the entire vulnerability management lifecycle. It will handle discovery, detection, verification, risk classification, impact analysis, reporting, and mitigation. User interaction is handled via a web-based interface.
Feature-wise, this is a very complete product. Some of its most interesting features include virtual scanning for VMware NSX and dynamic discovery for Amazon AWS. The product will scan most environments and can scale up to an unlimited number of IP addresses. Add to that its rapid deployment options and you have a winning product.
The product is available in a free community edition with a reduced feature set. There are also commercial versions which start at $2,000 per user per year. For downloads and more information, visit the Nexpose homepage.
13. GFI LanGuard
GFI LanGuard claims to be “The ultimate IT security solution for business”. This is a tool that can help you scan networks for vulnerabilities, automate patching, and achieve compliance. The software supports not only desktop and server operating systems but also Android and iOS. GFI LanGuard performs sixty thousand vulnerability tests and ensures your devices are updated with the latest patches and updates.
GFI LanGuard’s intuitive reporting dashboard is very well made, and so is its virus definition update management, which works with all major antivirus vendors. This tool will not only patch operating systems but also web browsers and several other third-party applications. It also has a very powerful web reporting engine and great scalability. GFI LanGuard will assess vulnerabilities not only in computers but also in a wide range of networked devices such as switches, routers, access points, and printers.
The pricing structure for GFI LanGuard is quite complex. The software is subscription-based and must be renewed annually. For users who prefer to try the tool before buying it, a free trial version is available.
The Retina Network Security Scanner from BeyondTrust is another one of the best-known vulnerability scanners. This is a fully-featured product that can be used to perform an assessment of missing patches, zero-day vulnerabilities, non-secure configurations, and other vulnerabilities. The tool boasts an intuitive user interface. Furthermore, user profiles matching various job functions simplify the operation of the system.
The Retina scanner uses an extensive database of network vulnerabilities, configuration issues, and missing patches. The database is automatically updated and covers a wide range of operating systems, devices, applications, and virtual environments. The product’s full support for VMware environments includes online and offline virtual image scanning, virtual application scanning, and integration with vCenter.
The Retina scanner is only available as a subscription at a cost of $1 870/year for an unlimited number of IP addresses. A free 30-day trial version can also be obtained.