Network security has become a very complicated responsibility in recent years because of the advent of phishing, advanced persistent threats, doxing, and masquerading. These tricks mean that employees now have a hard time telling whether the instructions they receive from remote senior management are genuine. In this type of environment, network security goes beyond the traditional boundaries of preventing snooping on the internet and blocking viruses with firewalls. You now also need to analyze patterns of behavior in traffic and spot anomalous activities even when they are performed by authorized users.
Traditionally, the IT department had administrator privileges that gave any of the support staff access to every element of the corporate system. The risks of data disclosure are now higher. Even unintentional breaches of confidentiality can result in expensive litigation from those whose personal data is held on your system. This new environment demands that you tighten up access rights and track all activities in order to prevent and log malicious activity and accidental destruction.
Fortunately, modern network equipment has messaging systems built in, and you can exploit these sources of information just by installing collector agents and analysis software. The network security market provides several categories of monitors that will help you protect your company from data theft and other malicious activity.
In this guide, we will look at the following categories of network management software:
- Traffic analyzers
- Log managers
- Vulnerability scanners
- Configuration managers
- Network monitors
- Intrusion detection and intrusion prevention systems
Here is our list of the best network security software:
- SolarWinds Network Performance Monitor
- WhatsUp Gold
- TrueSight Network Automation / Network Vulnerability Management
- OSSEC
- Sagan
- Paessler PRTG
You can read more details on each of these options in the next section of this guide.
Network Security Software Options
The recommendations in this list include a number of comprehensive network management tools that will serve as general network performance monitors as well as specifically track security issues for you. The three main tools in the list are SolarWinds Network Performance Monitor, WhatsUp Gold, and Paessler PRTG. Each of these packages can be expanded to include a wide range of extra functions. The architecture of these tools also allows you to limit their functionality to focus on just one task, such as security monitoring. OSSEC and Sagan are highly regarded specialist intrusion detection systems and the TrueSight package includes a nice mix of network protection functions.
This list includes options that are suitable for small, middle-sized, and large networks.
1. SolarWinds Network Performance Monitor
The Network Performance Monitor is the key tool offered by SolarWinds. It tracks the health of network devices through Simple Network Management Protocol (SNMP) messaging. All network equipment ships with SNMP capabilities, so you only need to install an SNMP manager, such as this SolarWinds tool, in order to benefit from the information that SNMP provides.
Download a free trial at https://www.solarwinds.com/network-performance-monitor/
The tool includes an autodiscovery and mapping tool, which creates an inventory of your network equipment. The discovery function runs continually and will spot new devices added to the network. This is a useful assistant for intrusion detection because hardware invasions are one form of intrusion. The deep packet inspection capabilities of the Network Performance Monitor will also help you protect your network by highlighting and tracking anomalous behavior in traffic patterns and user activity.
SolarWinds offers a number of other network management tools that will enhance the abilities of the Network Performance Monitor with respect to security monitoring. A NetFlow Traffic Analyzer examines traffic flows around your network and includes security monitoring features. This includes the tracing of malformed and potentially malicious traffic to network port 0. In addition to those monitoring features, the traffic visualizations and anomaly alerts help you spot unusual activity.
The dashboard of this tool includes some great visualization of live data and it is also capable of storing packet data for historical analysis. The tool has a range of options for packet capture, which includes sampling methods that reduce the amount of data that you need to store for analysis. If you don’t have the budget for the SolarWinds Network Performance Monitor and the NetFlow Traffic Analyzer, you could try the free Real-time Bandwidth Monitor. However, this tool doesn’t have many features and would only be suitable for small networks.
You get greater insights into user activities if you add on the User Device Tracker. This enables you to track user activity and it also keeps an eye on switch port events, including attempts by hackers to scan ports. The tool can also close off ports and selectively block users in the event of intrusion detection.
Extra features of the SolarWinds stable can be added on to the monitor because the company created a common platform for all of its major tools that enables data sharing and interdisciplinary modules. The Network Configuration Manager would be a good choice for security issues because it controls the settings of your network equipment. It will also look for firmware updates and install them for you — keeping up to date with operating systems and all software is an important security task of IT systems.
SolarWinds offers a number of free tools that will help you control the security of your network. These include the Solar-PuTTY package. This is not just a secure terminal emulator to enable you to access remote servers securely. It also includes an SFTP implementation, which you could use to back up and distribute device configuration images. This would be a cheap alternative to the Network Configuration Manager if you have a small network and a very tight budget.
The Kiwi syslog server is another useful SolarWinds security tool that small organizations can use for free. You don’t have to pay for this tool if you are only monitoring up to five devices. The tool is also suitable for larger networks, but for that you will have to pay. The log manager also collects and stores SNMP messages and you can set alerts on the volumes of message types. This is a very useful feature if you don’t have an SNMP-based network manager. The alerts will highlight volume attacks and brute-force password cracking attempts. Unusual surges in traffic and suspicious user activity can also be spotted by this log management tool.
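Alerting on the volume of one message type, as described for the Kiwi syslog server, comes down to counting events per source inside a time window. The following is an added illustration, not Kiwi code: it runs that logic over constructed SSH syslog lines, and the threshold, window, and year are assumptions.

```python
"""Volume alert on one syslog message type, in the style of the Kiwi feature
above: count failed logins per source within a sliding window. Added
illustration, not Kiwi code; the log lines and threshold are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed RFC 3164-style syslog lines from an SSH server (no year field).
SAMPLE_LOG = """\
Mar  3 10:15:01 gw01 sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 51522 ssh2
Mar  3 10:15:02 gw01 sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 51523 ssh2
Mar  3 10:15:02 gw01 sshd[4121]: Failed password for root from 203.0.113.7 port 51524 ssh2
Mar  3 10:15:03 gw01 sshd[4121]: Failed password for root from 203.0.113.7 port 51525 ssh2
Mar  3 10:15:04 gw01 sshd[4121]: Failed password for root from 203.0.113.7 port 51526 ssh2
Mar  3 10:15:40 gw01 sshd[4130]: Failed password for alice from 198.51.100.20 port 40111 ssh2
Mar  3 10:16:10 gw01 sshd[4131]: Accepted password for alice from 198.51.100.20 port 40112 ssh2
Mar  3 10:20:09 gw01 sshd[4140]: Failed password for root from 203.0.113.7 port 51600 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"(?P<app>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")

def parse_line(line: str, year: int = 2024):
    """Split one syslog line into its parts; None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # year assumed
    return {"ts": ts, "host": m["host"], "app": m["app"], "msg": m["msg"]}

def brute_force_alerts(log_text: str, threshold: int = 5,
                       window: timedelta = timedelta(seconds=60)) -> list:
    """Return (source, host, count) for each source whose failed logins to a
    host reach `threshold` inside any `window`; one alert per pair."""
    failures = defaultdict(list)           # (src, host) -> failure timestamps
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        f = FAILED_RE.search(rec["msg"])
        if f:
            failures[(f["src"], rec["host"])].append(rec["ts"])
    alerts = []
    for (src, host), times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((src, host, end - start + 1))
                break
    return alerts
```

The single failure from 198.51.100.20 and the late retry from 203.0.113.7 fall outside any qualifying window, so only the five-in-four-seconds burst raises an alert.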
2. WhatsUp Gold
WhatsUp Gold is a challenger to the SolarWinds Network Performance Monitor. It is produced by Ipswitch, which also offers a number of add-on modules that enhance the security monitoring capabilities of WhatsUp Gold. This network monitor will highlight unusual behavior by monitoring switches and routers with the SNMP messaging system. Finally, the console enables you to set up your own custom alerts that will give you warnings of traffic surges and illogical user activity.
Alerts will be shown in the dashboard of the system and you can also nominate to have them sent as email or SMS notifications. It is possible to direct different notifications to different team members according to message source and severity. A free companion tool, WhatsUp Syslog Server, enhances the information that you can get out of system messages and also creates custom alerts. Syslog messages can be shown in the console, forwarded to other applications, and stored in files. The server will manage your syslog files in a logical directory tree to make specific messages easier to retrieve. Archived messages can be read back into the dashboard for analysis. In addition to that, the interface allows you to sort and filter messages so that you can identify patterns of behavior and additionally spot anomalous behavior.
WhatsUp Gold is accompanied by a number of paid enhancements that will improve your security monitoring power. You should consider adding on the Network Traffic Management module to get data flow information on your network. The main WhatsUp Gold package focuses on the statuses of devices and the Traffic Management module gathers data flow information. The module includes traffic tagging capabilities for QoS implementations. It can split traffic volume reporting by source and destination device, by source and destination country and domain, by conversation, application, protocol, or port number. This detail will help you track unusual activity and you will even be able to block certain applications, such as file transfer utilities in the event of an emergency.
The Network Configuration Management module will help you control any changes to the settings of your network devices. Unauthorized alterations to device settings are often a prelude to intrusion and advanced persistent threats. This is because hackers can open ports and then block reporting functions that would indicate unauthorized activities. You need to create a policy for each device type, make, and model and create a standard setting profile for each group. The WhatsUp Network Configuration Management add-on will enable you to distribute these standard configuration images, take backups of approved configurations and ultimately roll back to those standard settings should any configuration changes be detected.
The WhatsUp Gold paid tools can be accessed for free for 30 days. All WhatsUp Gold software installs on the Windows environment.
3. TrueSight Network Automation / Network Vulnerability Management
These two products from BMC Software combine to create a really comprehensive security toolkit. The Network Automation tool will monitor your network after first discovering all of your equipment, logging it, and mapping it. The configuration management module of the Network Automation package is the really impressive feature of this network monitoring system. It integrates templates, or “policies,” that automatically implement security standards. There is a policy for each of the well-known standards: NIST, HIPAA, PCI, CIS, DISA, SOX, and SCAP. So, if you have undertaken to comply with one of these data integrity systems, the Network Automation tool will even enforce it for you.
The configuration manager in TrueSight Network Automation will adjust the configuration of each network device so that it complies with the selected policy. It will then back up that configuration and monitor for any changes in the device’s settings. If any changes are made that take the device out of compliance with the policy, the configuration manager will reload the backed-up config file. This action has the effect of wiping out those unauthorized changes. The Network Automation system is also a patch manager. It will keep in contact with the notification systems of equipment manufacturers for patches and firmware updates. Once a patch is available, the tool will notify you, and even roll out those updates to your network devices.
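The drift check that both the WhatsUp Network Configuration Management add-on and TrueSight Network Automation perform (fingerprint the running config, diff it against the approved backup, flag violations, then reload the backup) is shown below as an added example. It is not vendor code; both configurations, the device name, and the REQUIRED policy lines are constructed for illustration.

```python
"""Configuration drift check of the kind the WhatsUp NCM add-on and TrueSight
Network Automation perform: fingerprint a device config, diff it against the
approved baseline and flag policy violations. Added illustration, not vendor
code; both configs are constructed (IOS-like syntax)."""
import difflib
import hashlib

# Constructed: approved baseline for a hypothetical edge switch.
BASELINE = """\
hostname edge-sw01
no ip http server
ip ssh version 2
logging host 10.0.0.5
snmp-server community s3cr3t-ro RO
line vty 0 4
 transport input ssh
 access-class 10 in
"""

# Constructed: the same device after unauthorized changes (HTTP server on,
# logging host removed, telnet allowed on the vty lines).
RUNNING = """\
hostname edge-sw01
ip http server
ip ssh version 2
snmp-server community s3cr3t-ro RO
line vty 0 4
 transport input telnet ssh
 access-class 10 in
"""

def fingerprint(config: str) -> str:
    """Hash of a config with blank lines and trailing spaces ignored, so a
    periodic poll can cheaply tell 'unchanged' from 'changed'."""
    norm = "\n".join(l.rstrip() for l in config.splitlines() if l.strip())
    return hashlib.sha256(norm.encode()).hexdigest()

def drift(baseline: str, running: str) -> list:
    """(kind, line) for every difference: '-' a baseline line that is gone,
    '+' a line present on the device that the baseline does not have."""
    diff = difflib.unified_diff(baseline.splitlines(), running.splitlines(),
                                lineterm="", n=0)
    return [(l[0], l[1:]) for l in diff
            if l[:1] in ("+", "-") and not l.startswith(("+++", "---"))]

# Baseline lines whose disappearance is a security violation (assumed policy).
REQUIRED = {"no ip http server", "logging host 10.0.0.5", " transport input ssh"}

def violations(baseline: str, running: str) -> list:
    """Drift that breaks policy: a required line removed, or anything added
    that was never approved. A non-empty result is what triggers the
    automatic reload of the backed-up baseline described above."""
    return [(k, l) for k, l in drift(baseline, running)
            if (k == "-" and l in REQUIRED) or k == "+"]
```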
The Network Vulnerability Management utility scans all devices for vulnerabilities. The system relies on checks with vendor notifications and the NIST National Vulnerability Database to log known weaknesses in the network equipment and servers that you operate. Finally, the tool will update software to block exploits and keep an eye on the performance of devices and servers.
4. OSSEC
OSSEC stands for Open Source HIDS Security, a HIDS being a host-based intrusion detection system. Intrusion detection has become an essential specialization in the world of network security and you really need to install an IDS as part of your security suite.
The two great attributes of OSSEC are that it is the leading HIDS available and it is completely free to use. The product is owned and supported by the well-known security software producer, Trend Micro. HIDS methodologies rely on log file management. Correct interrogation of your log files should reveal actions by hackers to explore your system and steal data and resources. This is why hackers always alter log files. OSSEC will create a checksum for each log file, enabling it to detect tampering. The tool monitors log files that record file transfers, firewall and anti-virus activity, event logs, and mail and web server logs. You need to set up policies, which dictate the actions of the utility. These policies can be written in house, or you can even acquire them from the OSSEC community. The policy dictates the conditions that OSSEC should monitor and it will generate an alert if one of the monitored logs shows unauthorized activity. Those alerts can be sent to the interface or sent as email notifications.
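The checksum-per-log-file approach described above, as an added illustration that is not OSSEC code: the point a practitioner needs is that logs grow legitimately, so the check must accept appends while still catching truncation and in-place edits. The file paths, log contents, and verdict names are constructed.

```python
"""Log-file tamper detection in the style OSSEC uses: record a checksum of
each monitored log and, on the next pass, tell a legitimate append apart from
truncation or in-place editing. Added illustration, not OSSEC code; the log
contents below are constructed."""
import hashlib

def baseline(content: bytes) -> tuple:
    """State recorded for a log: (bytes seen, SHA-256 of those bytes)."""
    return len(content), hashlib.sha256(content).hexdigest()

def check(state: tuple, content: bytes):
    """Compare a log's current content with its recorded state.
    Returns (verdict, new_state); verdict is one of
      unchanged - identical to last time
      appended  - old bytes intact, new lines after them (normal logging)
      truncated - shorter than before (wiped, or rotated without notice)
      modified  - earlier bytes changed in place (classic tampering)"""
    size, digest = state
    if len(content) < size:
        return "truncated", baseline(content)
    if hashlib.sha256(content[:size]).hexdigest() != digest:
        return "modified", baseline(content)
    if len(content) == size:
        return "unchanged", state
    return "appended", baseline(content)

def scan(states: dict, logs: dict) -> list:
    """Run check() over every monitored log, updating `states` in place like
    the agent's local database; return (path, verdict) for non-append changes."""
    alerts = []
    for path, content in logs.items():
        if path not in states:
            states[path] = baseline(content)       # first sighting: just record
            continue
        verdict, states[path] = check(states[path], content)
        if verdict in ("truncated", "modified"):
            alerts.append((path, verdict))
    return alerts

# Constructed: two monitored logs as seen on the first and the second pass.
FIRST_PASS = {
    "/var/log/auth.log": b"Mar 3 10:15:01 sshd: Failed password for root from 203.0.113.7\n",
    "/var/log/httpd/access.log": b'203.0.113.7 - - "GET /admin HTTP/1.1" 401\n',
}
SECOND_PASS = {
    # the failed-login line was rewritten to look benign: tampering
    "/var/log/auth.log": b"Mar 3 10:15:01 sshd: Accepted publickey for alice from 10.0.0.9\n",
    # a new request was appended and the earlier line is intact: normal
    "/var/log/httpd/access.log": FIRST_PASS["/var/log/httpd/access.log"]
                                 + b'10.0.0.9 - - "GET / HTTP/1.1" 200\n',
}

def demo() -> list:
    states = {}
    scan(states, FIRST_PASS)          # establishes baselines, no alerts
    return scan(states, SECOND_PASS)  # -> [("/var/log/auth.log", "modified")]
```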
If you install the system on Windows, it will monitor the registry for unauthorized changes. On Unix-like systems, it will track access to the root account. OSSEC will run on Windows, Linux, Mac OS, and Unix.
OSSEC is a great data gathering tool, but its front end is a separate product and, in fact, is no longer supported. As this HIDS is so well respected, a number of software providers have created interfaces that are compatible with the OSSEC data formats. Many of these are free. So, you would install OSSEC, plus a front end from a different source for data viewing and analysis. Check out Kibana or Splunk for this function.
5. Sagan
Sagan is a free log file manager. It has many functions that make it a good host-based intrusion detection system. Sagan is also able to analyze data collected by network-based intrusion detection systems. A NIDS collects traffic data through a packet sniffer. Sagan doesn’t have a packet sniffer, but it can read in traffic data collected by Snort, Bro, and Suricata — all of which are free to use. So you get a blend of both HIDS and NIDS security activities with Sagan.
You can install Sagan on Unix, Linux, and Mac OS. Unfortunately, there is no version for Windows. Although it can’t access computers using the Windows operating system, it can process Windows event log messages. The processing methods of Sagan distribute its load across several servers or any other piece of equipment on your network that has a processor. This lightens the burden of processing on each piece of equipment.
The tool includes features that make it an intrusion prevention system (IPS). Once Sagan detects anomalous behavior, it can write to your firewall tables to ban specific IP addresses from the network either permanently or temporarily. This is a great assistant for network security because it implements IP bans automatically and keeps the system available for genuine users. Sagan will simultaneously generate an alert to inform you of the intrusion. The prevention actions don’t have to be implemented if you just want to use Sagan as an IDS.
For reporting purposes, Sagan has a nice feature, which traces suspicious IP addresses to their location. This can be a very useful tool for tracking hackers that cycle their attacks through several different addresses to try to evade detection. Sagan allows you to aggregate network activity by source IP address location, thus unifying all of the actions of one miscreant using several addresses.
6. Paessler PRTG
Paessler PRTG is a very large monitoring system that is implemented by a series of sensors. Each sensor monitors one attribute of a network. You can reduce the scope of the monitoring tool to just focus on one aspect of your infrastructure by the sensors that you choose to activate. The whole system will monitor network devices, network traffic, applications, and servers. Paessler made this a pure monitoring tool, so it doesn’t have any management functions, such as configuration management.
One of the sensors in PRTG is the Syslog Receiver. This collects syslog messages and inserts them into a database. Once those messages have been stored, they can be sorted, written out to files, or even assessed as triggering events that can have automated actions associated with them.
The security monitoring features of PRTG include a deep packet inspection facility that is called the “packet sniffer sensor.” This will sample your network traffic’s packets and store them to a file. Once you have captured enough data you can analyze traffic in the PRTG dashboard. This facility enables you to target web, mail, and file transfer traffic with this tool, so it is a good aid to monitoring user activity and also to protecting a web server from attack. The firewall monitor keeps track of attack events and notifies you of them through alerts. The tool will also regularly check with your firewall provider for updates and patches for the software, download them and install them for you. This ensures that you have the latest remedies for newly discovered security weaknesses.
The PRTG system installs on Windows. Alternatively, you can choose to access the service online. Either way, you can use it for free if you only activate up to 100 sensors. You can also get a 30-day free trial of Paessler PRTG with unlimited sensors included.
Network Security Tools
There are many different types of specialized network security tools available and you will have to install several in order to keep the data and resources of your company free from theft, damage, and exploitation.
You will notice from the explanations of software in our list of recommended tools that many of them are free. The paid tools often have free versions or trial periods, so you lose nothing by trying out each of them.
Some of these tools work on Windows and some work on Linux and Unix. So if you only have one operating system on the hosts in your company, your choice of security tool will be narrowed down for you. The size of your network is another influencing factor that will direct you to choose a specific tool.
Do you have a favorite network security tool? Have you tried any of the software in our list? Leave a message in the Comments section below to share your experience with the community.