Network Computing
January 15, 1997, Issue: 801
Section: Features -- State of Security

Been Attacked? Congratulations!

By

The hacker's job is actually pretty easy. He has a wide variety of inexpensive tools and known system vulnerabilities to work from. He need find only one mistake, while you need to protect hundreds of attack points. To make matters worse, you may not even know when you've been breached by an attack. Networks generate massive amounts of traffic data, and anyone doing harm will try to leave as few tracks as possible.

If you work alone, you'll find it very difficult to assess your vulnerabilities. You can buy expertise from a consultant or use some of the available tools for analyzing your current situation.

For general IP network and host vulnerability scanning, the Security Administrator's Tool for Analyzing Networks (SATAN), freely available from Eindhoven University of Technology at ftp://ftp.win.tue.nl/pub/security/index.html provides a good assessment and is easy to use. Unfortunately, SATAN is falling behind; its problem database is simply not updated often enough.

On a per-host basis, Haystack Labs' highly regarded Stalker suites analyze Unix systems as well as firewalls, while its Webstalker Pro watches over World Wide Web hosts. These products, like many Unix-based alternatives, make heavy use of log file analysis to identify unscrupulous behavior.

RealSecure from Internet Security Systems is a real-time, network-based attack analyzer, combining a network sniffer and attack signature recognition. RealSecure issues alerts or makes log entries when an intrusion is detected, scanning for hundreds of known attacks to any host visible on the monitored segments. The recognition engine is periodically updated with new patterns. If an attack is detected, RealSecure terminates the connection between hosts by spoofing packets on behalf of each of the hosts involved, using RST packets to conduct an abortive release of a TCP connection.

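As an added illustration of network-based signature recognition (not code from the article or from any product it names), the sketch below flags one source probing many distinct services on a single host within a short window, the traffic pattern a scanner such as SATAN produces. The record format, the threshold and the window are assumptions, and the sample records are constructed.

```python
from collections import defaultdict, deque

# Constructed sample records: (epoch seconds, source IP, destination IP, destination port),
# one per TCP connection attempt as a sniffer might report it. Addresses are documentation ranges.
SAMPLE = [
    (100, "192.0.2.10", "198.51.100.5", 80),
    (101, "203.0.113.7", "198.51.100.5", 21),
    (101, "203.0.113.7", "198.51.100.5", 23),
    (102, "203.0.113.7", "198.51.100.5", 25),
    (102, "203.0.113.7", "198.51.100.5", 79),
    (103, "203.0.113.7", "198.51.100.5", 111),
    (104, "203.0.113.7", "198.51.100.5", 513),
    (160, "192.0.2.10", "198.51.100.5", 80),
    (400, "192.0.2.10", "198.51.100.5", 25),
]

def detect_sweeps(records, min_ports=5, window=30):
    """Return alerts (time, src, dst, sorted ports) when one source touches
    at least min_ports distinct ports on one host within window seconds.
    min_ports and window are assumed values, not taken from any product."""
    recent = defaultdict(deque)   # (src, dst) -> deque of (time, port)
    alerted = set()               # pairs already reported, to avoid alert floods
    alerts = []
    for ts, src, dst, port in sorted(records):
        q = recent[(src, dst)]
        q.append((ts, port))
        # Drop attempts that have aged out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= min_ports and (src, dst) not in alerted:
            alerted.add((src, dst))
            alerts.append((ts, src, dst, sorted(ports)))
    return alerts

if __name__ == "__main__":
    for ts, src, dst, ports in detect_sweeps(SAMPLE):
        print(f"t={ts} possible scan: {src} -> {dst} ports {ports}")
```

Tune `min_ports` and `window` against normal traffic: busy mail or proxy hosts legitimately touch several services, and a short window misses probes spread over a longer period.
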
You might be thinking: "This would be very helpful to hack a network with." Indeed, many legitimate tools can be put to illegitimate use. If SATAN exposes holes in your network to you, it can expose them to someone else, too. So now you have to protect yourself from the tools. A number of anti-SATAN tools exist, such as Courtney from the Department of Energy's Computer Incident Advisory Capability (CIAC) (ciac.llnl.gov/ciac) or Los Altos Technologies' Gabriel (www.lat.com/gabe.htm). In addition, a security-assessment tool, a network analyzer and a password verifier are a few examples of products that you should use yourself, just because others may use them against you.

Copyright ® 1997 CMP Media Inc.