Final Project
Julian Bennett
cybersecurity operations and requires a holistic planning approach and careful evaluation and
implementation of tools. Failure to do so can have severe adverse effects on business
operations and processes, resulting in mission failure or financial losses. Contained herein is a
compilation of the executed efforts, outlining a basic selection of tools and processes.
Network visualization tools, as well as supporting tools, are an integral part of any IT
infrastructure, no matter the size. It is therefore essential to carefully evaluate the tools, along
with their capabilities and limitations, before implementing them in a production environment.
While the criteria documented herein are evaluated against a lab environment, they can be easily
applied to a larger production environment to ensure the network is properly mapped and
monitored.
The following criteria are used to evaluate open source network visualization and
monitoring tools for this lab environment: 1) intuitive setup, 2) compatibility with Linux
platforms, 3) multi-platform device detection and logging, and 4) detailed visuals with dashboards
covering a broad range of displayed metrics. While a myriad of open source tools are available for
use, two tools are compared and contrasted here: OpenNMS and Zabbix.
OpenNMS
effective and integrated network monitoring solutions. It is able to detect network outages and
graph latency and performance metrics using industry-standard agents and protocols such as SNMP, JMX,
WMI, and XMP. It can be installed on any flavor of Linux distribution (CentOS, RHEL
FINAL PROJECT 3
or Debian varieties) and installs via the OpenNMS Linux repository or an automated install script. A
major benefit of this tool is that it is able to detect and monitor all device types, ranging from
Windows workstations and servers and Linux-based systems to layer-two and layer-three network
devices. It can be set up to continuously scan and monitor the network environment. While initial
is lengthy and labor intensive, with long manual entries of network information such as ports,
protocols, IP ranges, and tagging of device types. This manual tagging is necessary in order for
configured correctly, OpenNMS is a powerful event-driven tool that alerts on service, interface,
and node outages.
Zabbix
Zabbix is an open source network monitoring and visualization tool, capable of detecting
and monitoring network health, multi-platform servers and workstations, applications, and databases,
as well as virtual machines and cloud services. Much like OpenNMS, it is compatible with all
Linux distributions and installs easily via repository or automated install script. This highly
flexible product features intuitive setup procedures with ready-to-use, pre-defined configuration
templates, with the option of building custom templates. Metrics and data visualizations are
compiled via the web interface as widget-based dashboards, graphs, network maps, and slideshows.
Furthermore, system administrators can use these graphical displays to drill down for detailed
Both tools are strong choices in many environments. However, Zabbix is the more
powerful open source product based on the selected criteria for a lab environment. Installation is
intuitive and glitch-free, and quick setup is facilitated by out-of-the-box settings and templates.
Dashboard functionality is deep, with detailed network and system information and insightful
metrics, while supporting scaling as the network grows. Zabbix is the better all-round
Vulnerability Scanners
size. Ranging from home networks to large corporate networks across all industries, these
scanners detect and highlight vulnerabilities so that the network owner can apply software and
hardware updates, change configurations, or check for compliance. While the criteria
documented herein are evaluated against a lab environment, they also apply to production
environments.
The following criteria are used to evaluate vulnerability scanners: 1) cost, 2)
complexity, 3) available documentation and support, and 4) compatibility with the Common
Vulnerabilities and Exposures (CVE) program. While a large number of vulnerability scanners
are available for use, two tools are compared and contrasted here: Nessus and OpenVAS.
Nessus
only scanning a network for hardware and software vulnerabilities, but also for compliance and
configuration weaknesses. Nessus offers a free version, but it is limited to scanning only 16 unique
devices. A license for the full Nessus Pro ranges from $2,390 for one year to $8,011.50 for three
years. Nessus is a highly capable scanner that is intuitive to use, considering the large number of
features it offers. Pre-built scanning templates that include scanning plug-ins allow
administrators to quickly scan for a variety of characteristics: compliance scans (e.g. PCI
DSS), asset discovery, missing software updates, end-of-life hardware, or even specific
customizable reports and dashboards for visualization and executive review. Setup, configuration
compatible with the CVE program, referencing the specific CVE listing with each detected
vulnerability. Overall, the tool is one of the industry-leading vulnerability scanners and offers an
OpenVAS
basic scanner that currently hosts only slightly more than 50,000 Network Vulnerability Tests
(NVTs), which OpenVAS uses to scan systems for known flaws. Comparatively, Nessus bases its
scans on over 130,000 plugins. Scan results are categorized into various risk-rating levels
and can be ingested into dashboards for easy review. While no official developer support is
available, OpenVAS has a large community following with extensive support and
documentation. Much like Nessus, OpenVAS is compatible with the CVE program.
Both tools are strong choices in many environments. However, Nessus is the more
powerful product based on the selected criteria for the environment. Installation is extremely easy
and setup is intuitive. Although Nessus is a very high-priced scanner, the stability of the tool
and the official support provided by Tenable are solid. Nessus is a lot more customizable, with
seemingly endless scanning templates and categories, and its dashboard configurations display
useful metrics to manage large and small networks. Nessus is the better all-round vulnerability
The test lab architecture for the lab exercises conducted in this project is fully virtualized
using VirtualBox, as depicted in Figure 1. Each virtual machine (VM) plays an important role
in supporting the overall network and its intended functions. The DHCP server is configured
within VirtualBox to provide dynamic assignment of IP addresses for each virtual machine. The
Kali Linux VM is the central focus of this lab environment. Developed by Offensive Security,
Kali is a Debian-based Linux distribution designed for advanced penetration testing and network
auditing. It contains hundreds of tools aimed at various network security tasks.
Metasploitable is an intentionally vulnerable Linux VM, designed for conducting security audits, testing
various security tools, and practicing vulnerability exploitation. The last VM runs a standard Ubuntu
operating system and is used as a host for WebGoat, both tested vulnerability scanners, and the network
visualization tools.
Figure 1. Virtualized test lab environment with IP addresses and host names
Table 1 illustrates and describes each security tool utilized in the test lab, including a brief
Table 1
The following command was used to determine the operating systems installed on hosts
The NMAP tool was also used to identify open and listening ports on a host:
Using Kismet, the following commands were used in the terminal to place the external network
adapter into monitor mode and to launch Kismet (“wlan0” being the name of the external
network adapter):
kismet -c wlan0mon
Using Hydra, the following command was used to launch a brute-force dictionary attack against
hydra -l root -P <path to text file containing dictionary words> <target IP> ssh
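As an added defender-side counterpart to the Hydra dictionary attack above, the following Python script (written for this page, not part of the original report or of any tool it discusses) flags the same kind of SSH password guessing in OpenSSH auth log lines. The log lines, host name and IP addresses are constructed samples, and the log year, failure threshold and time window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of OpenSSH auth.log lines (placeholder host and IPs, not values from the report).
SAMPLE_LOG = """\
Mar  3 10:00:01 ubuntu sshd[1201]: Failed password for root from 192.168.56.101 port 40001 ssh2
Mar  3 10:00:02 ubuntu sshd[1202]: Failed password for root from 192.168.56.101 port 40002 ssh2
Mar  3 10:00:02 ubuntu sshd[1203]: Failed password for invalid user admin from 192.168.56.101 port 40003 ssh2
Mar  3 10:00:03 ubuntu sshd[1204]: Failed password for root from 192.168.56.101 port 40004 ssh2
Mar  3 10:00:04 ubuntu sshd[1205]: Failed password for root from 192.168.56.101 port 40005 ssh2
Mar  3 10:00:09 ubuntu sshd[1206]: Accepted password for root from 192.168.56.101 port 40006 ssh2
Mar  3 10:05:00 ubuntu sshd[1300]: Failed password for alice from 192.168.56.50 port 50001 ssh2
Mar  3 10:20:00 ubuntu sshd[1301]: Accepted password for alice from 192.168.56.50 port 50002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse(line, year=2024):
    """Return (timestamp, result, user, ip) or None; syslog lines carry no year, so one is assumed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]

def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Flag sources with >= threshold failures inside window_s seconds and note any later success."""
    recent = defaultdict(list)  # ip -> timestamps of failures still inside the sliding window
    findings = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, result, user, ip = rec
        if result == "Failed":
            recent[ip] = [t for t in recent[ip] if (ts - t).total_seconds() <= window_s]
            recent[ip].append(ts)
            if len(recent[ip]) >= threshold:
                entry = findings.setdefault(ip, {"failures": 0, "compromised_users": []})
                entry["failures"] = len(recent[ip])
        elif result == "Accepted" and ip in findings:
            # Success after a burst of failures: the dictionary attack found a valid password.
            findings[ip]["compromised_users"].append(user)
    return findings
```

Running detect_bruteforce(SAMPLE_LOG) reports the first source with five failures and a subsequent root login, while the single failed attempt by alice stays below the threshold.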
As an example of using an exploit to set up a backdoor against a vulnerable web service on the
Metasploitable VM, I used the following commands within the Metasploit Framework terminal as
msfconsole
use exploit/unix/irc/unreal_ircd_3281_backdoor
exploit
Lastly, I utilized Wireshark to “eavesdrop”, or capture packets, between two systems. Since
Wireshark is native to Kali Linux and utilizes a graphical user interface (GUI), no traditional
commands were used within the terminal. However, one simple step allows the user to capture
network traffic between the network interface of one host and its source destination. By opening
Wireshark, highlighting the desired network interface card, and clicking the shark-fin icon, the user
starts capturing the network packets passed between the target system and its destination.
Lessons Learned
The lessons learned during the course of executing assignments within this lab
environment are plentiful. First and foremost, it forced me to brush up and sharpen my Linux
installation issues and getting security tools to function properly, I learned the small nuances that
make Linux the premier operating system platform it is today. Secondly, and arguably most
much more than policies, controls, patch management, and risk mitigation processes. Many
cybersecurity professionals work at the management level and have lost touch or never had the
to understand the holistic practice and understand what the security technician/engineer does
at the technical level. I will take this knowledge and use it to guide me when I am inevitably