
You may already own the best Internet security tool

You may not have to spend money to purchase more security tools; in fact, Michele Chubirka writes, you probably already own what you need.

In part one of this series, we discussed the challenges IT professionals face when building a security infrastructure. It's often tempting to overindulge on the hottest tools, making the race to secure the enterprise into a buying binge, with the result that information security is seen as a money pit.

In the halcyon days of security, when fear, uncertainty and doubt, or FUD, was in short supply and IT budgets were smaller, people created their own tools or made do by customizing what they already had. 

Many of the best open source programs were born from someone's need to solve a problem efficiently and inexpensively. Nmap, Wireshark and Snort all started out this way. A good Unix engineer could also work security magic with a Perl script or even sed and awk. When did information security become obsessed with buying instead of building?

Many monitoring systems can do double-duty as a security tool

The business can derive a better return on investment by using features of its existing tools for security functions. For example, monitoring systems give you real-time visibility into your infrastructure. Most organizations simply don't spend enough time configuring these tools to realize their value to information security. Any good enterprise monitoring system will send out alerts when a service is down, a resource threshold is exceeded or a response time is too slow. All of these are possible signs of malicious activity. Nagios and MRTG are great open source applications, but there are plenty of commercial tools that can do double duty as security monitors. And everyone always seems to forget about NetFlow. Why would you need an expensive, dedicated Internet security tool to tell you there's anomalous activity on the network when you could track and report traffic patterns with a NetFlow collector?
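The kind of anomaly reporting a NetFlow collector makes possible, as an added example that is not from the article: constructed flow records are checked for a host sweeping many destinations, for regular call-home intervals to one destination, and for the top byte sender. Record layout, thresholds and the IP addresses are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed NetFlow-style records as a collector might export them:
# (flow start in seconds, source IP, destination IP, destination port, bytes)
FLOWS = [
    (0,   "10.0.0.5",  "198.51.100.7", 443, 1200),
    (60,  "10.0.0.5",  "198.51.100.7", 443, 1180),
    (120, "10.0.0.5",  "198.51.100.7", 443, 1210),
    (180, "10.0.0.5",  "198.51.100.7", 443, 1190),
    (240, "10.0.0.5",  "198.51.100.7", 443, 1205),
    (15,  "10.0.0.9",  "10.0.1.1",     22,  300),
    (16,  "10.0.0.9",  "10.0.1.2",     22,  300),
    (17,  "10.0.0.9",  "10.0.1.3",     22,  300),
    (18,  "10.0.0.9",  "10.0.1.4",     22,  300),
    (19,  "10.0.0.9",  "10.0.1.5",     22,  300),
    (40,  "10.0.0.20", "203.0.113.9",  80,  54000),
    (900, "10.0.0.20", "203.0.113.9",  80,  61000),
]

def fan_out(flows, threshold):
    """Sources that touched at least `threshold` distinct destinations:
    a host sweeping the network shows up here without a signature."""
    dsts = defaultdict(set)
    for _, src, dst, _, _ in flows:
        dsts[src].add(dst)
    return {src: len(d) for src, d in dsts.items() if len(d) >= threshold}

def beacons(flows, min_flows=4, max_jitter=0.1):
    """(src, dst) pairs whose flows start at near-regular intervals, mapped to
    the mean interval in seconds (low std dev / mean across the gaps)."""
    starts = defaultdict(list)
    for ts, src, dst, _, _ in flows:
        starts[(src, dst)].append(ts)
    found = {}
    for pair, ts in starts.items():
        if len(ts) < min_flows:
            continue
        s = sorted(ts)
        gaps = [b - a for a, b in zip(s, s[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            found[pair] = round(avg)
    return found

def top_talkers(flows, n=1):
    """Sources ranked by bytes sent: the 'resource threshold' view of the data."""
    total = defaultdict(int)
    for _, src, _, _, nbytes in flows:
        total[src] += nbytes
    return sorted(total.items(), key=lambda kv: kv[1], reverse=True)[:n]
```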

Domain name system has powerful tools

Additionally, the domain name system (DNS) offers some powerful capabilities to protect your enterprise. First, there is the DNS sinkhole, a technique used to decrease malicious activity on the network by adding nonroutable addresses to a recursive server to prevent access to unsavory domains. The Internet Systems Consortium has made this process even easier through Response Policy Zones, which are now baked into BIND. This lets you feed reputation lists straight into recursive DNS services, making management more seamless. You can significantly decrease malware in your environment by using this little-known tool. Query logging has always been a great incident response tool, a way to find out where your malware may be hiding, but if your DNS server doesn't have the real estate or the spare processing power for query logging, you could set up a passive DNS collector to identify attack trends and compromised hosts.
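Both halves of that DNS approach, as an added example that is not from the article or from ISC: a reputation list (constructed) is rendered as an RPZ zone that either sinkholes matching names to a nonroutable address or returns NXDOMAIN, and constructed BIND query-log lines are checked against the same list to find the clients that asked for those names. The feed contents, the sinkhole address and the zone name rpz.local are assumptions.

```python
import re

# Constructed reputation feed: names the recursive server should not resolve normally.
BAD_DOMAINS = ["malware-cc.example", "phish.example"]
SINKHOLE_IP = "192.0.2.1"  # TEST-NET-1 documentation range, never routable

def rpz_zone(domains, sinkhole_ip=None, serial=1):
    """Render an RPZ zone file.  With sinkhole_ip, each name and its subdomains
    (via the wildcard) answer with that address; without it they get NXDOMAIN,
    the RPZ 'CNAME .' action.  Owner names are relative to the zone origin, so
    'phish.example' in the assumed zone rpz.local is 'phish.example.rpz.local.'
    and named.conf would carry: response-policy { zone "rpz.local"; };"""
    lines = ["$TTL 300",
             "@ IN SOA localhost. hostmaster.localhost. (%d 3600 600 86400 300)" % serial,
             "@ IN NS localhost."]
    for name in domains:
        rdata = "A %s" % sinkhole_ip if sinkhole_ip else "CNAME ."
        lines.append("%s IN %s" % (name, rdata))
        lines.append("*.%s IN %s" % (name, rdata))
    return "\n".join(lines) + "\n"

def policy_hit(qname, domains):
    """Feed entry covering qname (exact match or subdomain), else None."""
    q = qname.rstrip(".").lower()
    return next((d for d in domains if q == d or q.endswith("." + d)), None)

# Constructed BIND query-log lines; the '(name)' after the port is optional.
QUERY_LOG = """\
client 10.0.0.5#51234: query: www.example.net IN A + (10.0.0.1)
client 10.0.0.5#51240: query: cdn.malware-cc.example IN A + (10.0.0.1)
client 10.0.0.7#40001 (phish.example): query: phish.example IN A + (10.0.0.1)
client 10.0.0.9#33000: query: mail.example.org IN MX + (10.0.0.1)
"""
LOG_RE = re.compile(r"client (\S+)#\d+[^:]*: query: (\S+) IN")

def clients_hitting_policy(log_text, domains):
    """Map each client that queried a listed name to the names it asked for:
    the hosts worth looking at first during incident response."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        client, qname = m.groups()
        if policy_hit(qname, domains):
            hits.setdefault(client, []).append(qname)
    return hits
```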

Configuration management tools yield other benefits

Then there are your configuration management tools. These applications aren't just useful for ensuring that people comply with your change management policy or for rolling back to a previous configuration. They also can inform your security team if an attacker is making changes in your environment. The only thing required is configuring and tweaking alerts after creating some baselines.

Maybe most of us would be better served by taking advantage of the features contained in products we already own.

You also have some very beneficial features in most wireless management systems (WMSes). It often isn't necessary to spend money on a dedicated wireless intrusion-prevention or intrusion-detection system (IDS), because most organizations can get by with features already available in the base WMS. Any good enterprise WMS will detect rogues and can write to syslog or send an SNMP trap. You could send these to a log correlation system or generate email alerts for the security team.

Logs are always useful to an organization but, according to the SANS Institute, most organizations don't spend enough time with them. This is unfortunate, because they're a treasure trove of security data. But you don't always need an expensive security information and event management (SIEM) system; oftentimes you can get what you need by using a simple utility like Logcheck (or a Windows equivalent) to identify security violations. A few alerts to a vigilant sysadmin can be quite effective.

Finally, while most organizations have the budget for a firewall and an IDS, they can't always afford the hefty price tag that comes with a niche Internet security tool that's supposed to prevent the latest attack trend. There's a lot of competition for IT dollars within the enterprise. Management is demanding a better "bang for the buck" and is less willing to fork over money for the latest bit of "security cool." Maybe most of us would be better served by taking advantage of the features contained in products we already own. Not only would we get the same or even better functionality, we can avoid all the grandstanding.


This was last published in August 2014


Do you believe your existing Internet security tools provide you with the protection you need?
Great article Michele.

You have to be careful not to become complacent. You might have the best tool but it'll mean nothing unless you can get past this:
I agree with Kevin. Though the tools you have - DNS, log management software and others - allow you to keep sight of activity and prevent access, they might inject a semblance of relaxation into the process. In many cases, having a protocol that operates above (around) your existing systems to regulate access and keep out unsavory characters is easier to implement and keep up to date.

Do we have the tools already? Sure. Are they the best solution? Depends on your situation. I like having a separate solution that does everything I need.

Good piece Michele!
You may think you are totally protected but there are always people out there to find exploits and vulnerabilities in everything. If you don't keep raising your bar, people will just step over it and into places you don't want them.
Try free tools such as SMBs startups and hiring inexperienced help versions of DSM 4.3 or earlier