Building.Open.Source.Network.Security.Tools.Components.And.Techniques [Electronic resources] - text version


Mike D. Schiffman


Network Security Tool Taxonomy

To further simplify conceptualization, we can assign a taxonomy system to network security tools within the modular model of network security tool design to classify and group them. We can describe this system with the following four main groups or classes:

Active reconnaissance

Passive reconnaissance

Attack and penetration

Defensive

As described earlier, these classes are tied to the technique layer. The different techniques that a tool employs determine how it should be classified.


Reconnaissance Tools


Reconnaissance tools gather information and assist the user in learning more about a network entity. These tools tend to be agnostic in that they can be used for attack and penetration or defensive purposes. Tools in this category are either active or passive. An active tool generally gathers information by doing something in a detectable way, often by sending network traffic and waiting for responses. Active tools should change little if any state on the entity in question. A passive tool generally works in the opposite way by receiving unsolicited network traffic and analyzing it. Passive tools don't change any state on the entity in question. If a tool employs both passive and active reconnaissance techniques, the active component takes precedence for classification, and the tool is considered an active reconnaissance tool. Reconnaissance tools tend to remain useful longer than tools in the other two classes, and they work in conjunction with both defensive tools and attack and penetration tools.


Attack and Penetration Tools


Attack and penetration tools test the strengths of network entities and expose weaknesses. Practically, these tools aid the user in breaking into and gaining unauthorized access to a network entity (host, router, firewall, or switch). They often work by exploiting a specific vulnerability or a class of vulnerabilities in software or by exploiting unintended interactions between entities in heterogeneous environments. Attack and penetration tools usually require updates to remain useful because security vulnerabilities are often patched after they surface. These tools usually are at odds with defensive tools but are supported by reconnaissance tools.


Defensive Tools


Defensive tools assist the user in keeping a network entity safe. They might perform this task by encrypting sensitive traffic, watching for illicit activity, or blocking certain kinds of network traffic. Defensive tools are often more complex and have longer execution times (they might run indefinitely) because defending a network entity is usually more complex than attacking one. Defensive tools also usually require some sort of update process to learn about new security vulnerabilities as they surface. These tools usually are at odds with attack and penetration tools but are supported by reconnaissance tools.

In this book, you will learn to build tools that employ techniques from each of these classes. You can use the modular model to classify many existing tools. To use Traceroute as an example, we would classify it as an active reconnaissance tool (see Figure 1.4).


Figure 1.4: Traceroute.
