62 Eleventh Hour Security: Exam SY0-201 Study Guide

Network security tools

Many tools exist today that can help you better manage and secure your network environment: specifically, intrusion detection and protection, firewalls, honeypots, content filters, and protocol analyzers. These tools will monitor, detect, and help contain malicious activity in an environment.

NETWORK PORTS, SERVICES, AND THREATS

In order to properly protect a network it is important to first identify the existing vulnerabilities, network ports, services, and potential threats. Knowing what exists in a network is the best first defense. Monitoring required services and removing all others reduces the opportunity for an attack and begins to make the environment more predictable.

Network ports and protocols

As discussed earlier in Chapter 2, "OS Hardening", unnecessary network ports and protocols in an environment should be eliminated whenever possible. Many, if not nearly all, internal networks today utilize TCP/IP as the primary protocol. So for most that means eliminating the following protocols: Internetwork Packet Exchange (IPX), Sequenced Packet Exchange (SPX), and/or NetBIOS Extended User Interface (NetBEUI). It is also important to look at the specific operational protocols used in a network, such as Internet Control Messaging Protocol (ICMP), Internet Group Management Protocol (IGMP), Service Advertising Protocol (SAP), and the Network Basic Input/Output System (NetBIOS) functionality associated with Server Message Block (SMB) transmissions in Windows-based systems.

The question as to which ports should be open is a matter of policy and risk assessment. Even for ports that are allowed and have been identified by scanning tools, decisions must be made as to which of these ports are likely to be vulnerable, and then the risks of the vulnerability weighed against the need for the particular service connected to that port.
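The port-policy decision described above, together with the baseline and periodic compliance scans this section goes on to recommend, can be turned into a repeatable check. The following is an added example and is not code from the study guide: it parses scan results in nmap's grepable output format (one "Host: ... Ports: ..." line per host), compares a baseline scan against a later scan to surface ports that appeared or disappeared, and checks every open port against a per-host allow-list policy. The hosts, ports and policy are constructed sample data, not real scan output.

```python
"""Baseline comparison and policy check for open ports (added example).

Assumes scan results in nmap grepable format (-oG), e.g.:
  Host: 10.0.0.5 ()<TAB>Ports: 22/open/tcp//ssh///, 443/open/tcp//https///
Fields are tab-separated; each port entry is
  port/state/protocol/owner/service/rpcinfo/version/
Only the port, state and protocol fields are used here.
"""

# Constructed sample: scan taken right after the initial hardening pass.
BASELINE_SCAN = """\
# Constructed sample, not a real scan
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 10.0.0.7 ()\tPorts: 445/open/tcp//microsoft-ds///, 137/open|filtered/udp//netbios-ns///
"""

# Constructed sample: a later periodic scan of the same network.
CURRENT_SCAN = """\
# Constructed sample, not a real scan
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///
Host: 10.0.0.7 ()\tPorts: 445/open/tcp//microsoft-ds///
Host: 10.0.0.9 ()\tPorts: 23/open/tcp//telnet///
"""

# Policy (constructed): the only services each host is allowed to expose.
# A host absent from the policy may expose nothing; NetBIOS name service
# (udp/137) is deliberately not permitted on 10.0.0.7.
POLICY = {
    "10.0.0.5": {("tcp", 22), ("tcp", 443)},
    "10.0.0.7": {("tcp", 445)},
}


def parse_grepable(text):
    """Return the set of (host, proto, port) tuples reported as open.

    'open|filtered' (typical for UDP) is counted as open: for a defender,
    a port that might be listening is worth reviewing, not ignoring.
    """
    found = set()
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        host = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) < 3:
                    continue
                port, state, proto = parts[0], parts[1], parts[2]
                if state.split("|")[0] == "open":
                    found.add((host, proto, int(port)))
    return found


def diff_scans(baseline, current):
    """Return (appeared, disappeared): ports open now but not in the
    baseline, and ports open in the baseline but no longer seen."""
    return current - baseline, baseline - current


def policy_violations(scan, policy):
    """Return every open (host, proto, port) the policy does not allow."""
    return {
        (host, proto, port)
        for host, proto, port in scan
        if (proto, port) not in policy.get(host, set())
    }


if __name__ == "__main__":
    baseline = parse_grepable(BASELINE_SCAN)
    current = parse_grepable(CURRENT_SCAN)
    appeared, disappeared = diff_scans(baseline, current)
    for item in sorted(appeared):
        print("NEW since baseline:   %s %s/%d" % item)
    for item in sorted(disappeared):
        print("GONE since baseline:  %s %s/%d" % item)
    for item in sorted(policy_violations(current, POLICY)):
        print("POLICY VIOLATION:     %s %s/%d" % item)
```

Run against the constructed data, the diff reports tcp/8080 on 10.0.0.5 and a previously unseen host 10.0.0.9 exposing telnet, and the disappearance of udp/137 on 10.0.0.7; the policy check flags the two new ports. Checking the baseline itself against the policy is also informative: it flags udp/137 on 10.0.0.7, showing that a baseline only records what was there, while the policy decides what may stay.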
Port vulnerabilities are constantly updated by various vendors, and should be reviewed and evaluated for risk at regular intervals to reduce potential problems. It is important to remember that scans of a network should be conducted initially to develop a baseline of what services and protocols are active on the network. Once the network has been secured according to policy, these scans should be conducted on a periodic basis in order to ensure that the network is in compliance with the policy.

Network threats

Network threats exist in today's world in many forms. One of the more exciting and dynamic aspects of network security relates to the threat of attacks. A great deal of media attention and many vendor product offerings have addressed the topics of attacks and attack methodologies. While there are many different