
How to Audit Network Performance, Security, and Troubleshooting in Linux

Last Updated : 02 Jan, 2023

Network security auditing is the process of assessing a network’s health by analyzing and studying the flow of data through the network. Network auditing is one of the critical steps in detecting potential security threats and errors within the network. Security audits are performed either manually or automatically using various testing tools. They are crucial because they verify whether the network is secure and free of security vulnerabilities or loopholes that can be exploited by an attacker. A basic security audit may include:

  • Analysis of all Network devices
  • Analysis of the Network Infrastructure
  • Identifying network policies
  • Risk Assessment
  • Firewall Assessment
  • Penetration testing
  • Report drafting

Network performance refers to the quality of the network. It is measured by bandwidth, throughput, latency, and jitter, all of which can be measured using various network monitoring tools. Some tools used to monitor network performance are mentioned below. In this article, we will briefly discuss some basic auditing techniques.

Using Etherape to Monitor Network Performance and Traffic

Etherape is a free and open-source tool used to monitor network performance and traffic. It displays network activity in a graphical interface, showing the nodes involved in the network as well as the protocols used. The below command is used to install Etherape.

$ sudo apt-get install etherape

 

Once the installation is complete, execute the below command to run the Etherape application. Make sure to include sudo to allow socket permissions.

$ sudo etherape

 

 

 

Netstat Tool

Netstat is a command-line tool that can be used to monitor both incoming and outgoing network traffic. It is also used to analyze the free ports and the ports that are being listened on. Run the following command to execute netstat.

$ sudo netstat -a


Socket Analysis and Port Defense

However, the netstat tool is now obsolete and is no longer used. The ‘ss’ command, which displays socket statistics, is used instead. Below are some of the commands used for socket investigation. The below command can be used to display all active TCP connections.

$ ss -t -o

 

We can also filter for specific ports; this is known as Port Scanning. We can use the following command to filter ports.

$ ss -tn sport = :<port-number>

Example:

$ ss -tn sport = :55226

 

Open ports can be identified and potentially exploited by attackers. To prevent this from happening, we can use defensive port scanning to identify open ports and then protect them. One of the defense strategies used is altering the default port values for services such as SSH. We can perform a port scan using Nmap. Install Nmap using the following command.

$ sudo apt install nmap 


Run a port scan using the following command.

$ nmap <host-name or address>

Example:

$ nmap scanme.nmap.org


The above command leaves logs on the target system. To prevent this from happening, we can provide the -A flag and the -sS flag along with root privileges.

$ sudo nmap -A -sS <host-name or address>

where,

  • -A: Displays traceroute
  • -sS: Stands for TCP SYN scan; does not complete the TCP 3-way handshake
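
The open ports can also be checked from the host itself with ss. The following added example (not part of the original article) parses `ss -H -tln` output and reports TCP listeners that are bound to all interfaces and whose port is not on an allowlist. The sample output and the allowlist are constructed for illustration.

```sh
#!/bin/sh
# Flag TCP listeners reachable on every interface and not on an allowlist.
# Input format: output of `ss -H -tln` (no header, TCP, listening, numeric).

# Constructed sample of `ss -H -tln` output (not captured from a real host).
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 511 0.0.0.0:666 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 511 *:8080 *:*'

# audit_listeners "<allowed ports, space separated>"  < ss-output
# Prints "address port" for each wildcard-bound listener whose port is not allowed.
audit_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            port = $4; sub(/^.*:/, "", port)       # text after the last colon
            addr = $4; sub(/:[^:]*$/, "", addr)    # text before the last colon
            wildcard = (addr == "0.0.0.0" || addr == "[::]" || addr == "*")
            if (wildcard && !(port in ok)) print addr, port
        }' | LC_ALL=C sort -u
}

# Only SSH is expected to be reachable from the network in this sample.
# On a live host: ss -H -tln | audit_listeners "22"
printf '%s\n' "$SAMPLE_SS" | audit_listeners "22"
```
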

 

Network Benchmarking and Troubleshooting

For network benchmarking and monitoring, we will discuss three user-friendly tools, namely:

  • Nmon
  • Monitorix
  • Darkstat

1. Nmon 

Nmon is a computer performance system monitor and network benchmarking tool for Linux operating systems. It can display various information such as CPU, disks, resources, virtual memory, network, etc. Run the following command to install the nmon tool.

$ sudo apt install nmon

or

$ sudo aptitude update && sudo aptitude install nmon

Execute the below command to run the nmon tool.

$ nmon

 

 

 

Nmon can be used to monitor the network traffic in real-time to prevent unnecessary network loads and look out for threats.

2. Monitorix

Monitorix is a GUI-based utility that can be used to monitor both system resources and network bandwidth. Monitorix is a lightweight but powerful tool that can display and track usage stats and network traffic data. It is ideal for small to medium-scale networks. Monitorix supports both IPv4 and IPv6 connections and also displays packet traffic graphs. It supports an unlimited number of devices in a single network. Install Monitorix using the following command.

$ sudo apt install monitorix

 

Monitorix comes with a default configuration file at /etc/monitorix/monitorix.conf. The default settings work for the most part, but to fine-tune the settings you can read the official documentation in the Monitorix Manual and edit the configuration file using any text editor of your choice.

 

To access the Monitorix interface, enter the following URL in your browser’s address bar.

https://<ip-address>:<port-address>/monitorix

Replace <ip-address> and <port-address> with your desired IP address and port number respectively.

To open the Monitorix interface on your own computer, enter the following URL in your browser.

http://localhost:8080/monitorix

 

 

 

3. Darkstat

Darkstat is a web-based network analyzer interface that can be used to display statistics on network traffic, protocols, and general connection data. Darkstat can be installed on Debian-based systems using the apt package manager with the following command.

$ sudo apt install darkstat

 

Darkstat has to be configured before it is used for the first time. The configuration file is located at /etc/darkstat/init.cfg. Edit the file using the following command.

$ sudo nano /etc/darkstat/init.cfg

Initially the init.cfg file will be like this.

 

Replace your configuration file with the following code.

# Turn this to yes when you have configured the options below.
START_DARKSTAT=yes

# Don't forget to read the man page.

# You must set this option, else darkstat may not listen to
# the interface you want
INTERFACE="-i ens33"

DIR="/var/lib/darkstat"
PORT="-p 666"
BINDIP="-b 0.0.0.0"
#LOCAL="-l 192.168.0.0/255.255.255.0"

# File will be relative to $DIR:
DAYLOG="--daylog darkstat.log"

# Don't reverse resolve IPs to host names
#DNS="--no-dns"

#FILTER="not (src net 192.168.0 and dst net 192.168.0)"

# Additional command line Arguments:
# OPTIONS="--syslog --no-macs"

The interface of your system can be found using the following command.

$ ip addr

 

Here the name of my interface in use is ens33, so set the interface name in the configuration file to match your own.

 

By default darkstat uses the port 666, so we have to open up the port before using it. Use the following command to allow port 666 through the firewall.

$ sudo ufw allow 666/tcp

Reload the firewall:

$ sudo ufw reload

 

To check whether darkstat is listening to port 666 execute the following command.

$ ss -antpl | grep 666

 

Restart the darkstat service so that it picks up the new configuration. Use the following command to restart the service.

$ sudo systemctl restart darkstat

Run the following command to check the status of darkstat.

$ systemctl status darkstat

 

Once everything is up and running, you have successfully configured darkstat, and it can be accessed using the URL http://localhost:666 in your browser.
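
The configuration above binds darkstat to 0.0.0.0 and the ufw rule admits port 666 from any source, so the statistics page is reachable from every network the host is attached to. The following added example (not from the original article or the darkstat project) reads the two settings together and reports the resulting exposure. The sample inputs are constructed, and it assumes ufw's default incoming policy is deny.

```sh
#!/bin/sh
# Added example: report whether the darkstat web UI is reachable from any network.

# Constructed inputs mirroring the setup above (not captured from a real host).
SAMPLE_CFG='START_DARKSTAT=yes
INTERFACE="-i ens33"
PORT="-p 666"
BINDIP="-b 0.0.0.0"
#LOCAL="-l 192.168.0.0/255.255.255.0"'
SAMPLE_UFW='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       192.168.0.0/24
666/tcp                    ALLOW       Anywhere'

# cfg_value KEY CONFIG_TEXT: argument of the last uncommented KEY="-flag value" line
cfg_value() {
    printf '%s\n' "$2" | awk -F= -v key="$1" '
        $1 == key { v = $2; gsub(/"/, "", v); sub(/^-[^ ]+ +/, "", v); out = v }
        END { print out }'
}

# ufw_permits_any PORT UFW_STATUS_TEXT: succeeds if ufw is inactive or allows PORT from Anywhere
ufw_permits_any() {
    printf '%s\n' "$2" | awk -v p="$1" '
        /^Status: inactive/ { hit = 1 }
        ($1 == (p "/tcp") || $1 == p) && $2 == "ALLOW" && $3 == "Anywhere" { hit = 1 }
        END { exit !hit }'
}

# darkstat_exposure CONFIG_TEXT UFW_STATUS_TEXT: prints one verdict line
darkstat_exposure() {
    bind=$(cfg_value BINDIP "$1")
    port=$(cfg_value PORT "$1")
    case "$bind" in
        ""|0.0.0.0|::) wildcard=yes ;;   # darkstat listens on all interfaces when -b is absent
        *) wildcard=no ;;
    esac
    if [ "$wildcard" = no ]; then
        echo "OK: web UI bound to $bind only"
    elif [ -n "$port" ] && ufw_permits_any "$port" "$2"; then
        echo "EXPOSED: port $port is bound to all interfaces and allowed from Anywhere"
    else
        echo "FILTERED: bound to all interfaces, but ufw does not allow port ${port:-?} from Anywhere"
    fi
}

darkstat_exposure "$SAMPLE_CFG" "$SAMPLE_UFW"
```

To keep the page local, set BINDIP="-b 127.0.0.1" in init.cfg, or replace the broad rule with `sudo ufw allow from <subnet> to any port 666 proto tcp`, where `<subnet>` is a placeholder for your management network.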

 


