satanfaq.txt (1995-11-30)
RELEASE OF SATAN SOFTWARE TOOL
FACT SHEET
INTRODUCTION
Due to extensive media attention regarding the release of another version
of SATAN (Security Administrator Tool for Analyzing Networks), the National
Institute of Standards and Technology (NIST) is issuing this fact sheet to
answer questions about SATAN.
WHAT IS SATAN?
SATAN is a software tool for assessing Internet host and network security.
SATAN tests host systems to determine which Internet services are present
and whether those services are misconfigured or contain vulnerabilities that
an intruder could exploit. SATAN provides limited information on how to
correct the vulnerabilities it identifies as well as a modest tutorial on
host system security. SATAN can test individual hosts or entire networks
of host systems. SATAN is an analysis and reporting tool only and does not
break into systems or exploit new and/or rare vulnerabilities. All the
vulnerabilities it finds are well known and have either bulletins and/or
patches from an incident response team or a vendor. However, as with most
tools of this type, not just system administrators but intruders will
undoubtedly use SATAN to find vulnerabilities in certain systems and then
exploit those systems. Thus, while the tool aids a conscientious,
security-aware administrator, it does increase the risk to the unwary
administrator.
SATAN'S AVAILABILITY
SATAN's authors, Mr. Dan Farmer and Mr. Wietse Venema, made SATAN widely
available over the Internet without cost starting April 5, 1995. Many
Internet sites now have SATAN and thousands of copies have been
distributed worldwide.
WHAT IS REQUIRED TO RUN SATAN?
SATAN runs on specially configured UNIX systems and can be configured so
that only users with system-level privileges or root privileges may execute
the software. The first release of SATAN runs only on UNIX systems
made by Sun Microsystems and Silicon Graphics. Ports to other UNIX
systems such as Linux have followed quickly. SATAN requires installation
of additional software and World Wide Web (WWW) client programs such
as Mosaic. It is important, however, to distinguish between systems that
execute SATAN and those that SATAN can scan. SATAN can be used to scan
many different vendor systems and, furthermore, could be modified to probe
routers and other networked devices.
WHY IS SATAN CONTROVERSIAL?
As stated earlier, SATAN is controversial because conscientious system and
network administrators and would-be hackers or intruders are both helped.
Administrators who have both time and the capability to use and understand
SATAN and its findings will clearly close up the holes or vulnerabilities
in their systems. However, many system administrators are often
ill-equipped or equipped but over-burdened, and thus are quite vulnerable
to intruders who run SATAN against them. A typical hacker will scan a
site for vulnerabilities with a tool like SATAN, find some systems
vulnerable, and then install trojanized login programs (which permit access by
legitimate users but steal their passwords and system IDs) or sniffer
programs that silently capture legitimate user passwords and IDs for later
illegitimate use. Several computer security incident response teams report
that internal testing for vulnerabilities indicates that very high
percentages of Internet host systems are vulnerable to tools like SATAN.
As a consequence, some incident response teams and others in the Internet
community have written and are writing detectors to note when SATAN is being used
to scan their systems.
IS SATAN OVERBLOWN?
As we saw in the Michelangelo Virus furor that erupted a few years ago,
our fear and the attendant hype outstripped the actual damage caused.
Part of the issue here is our attention span. Clearly, viruses are very
real and can and do cause much mayhem even if the damage occurs after the
press and management focus moves on to other issues. Similarly, the
vulnerabilities that SATAN identifies are real and exploitable but won't
evidence themselves in a sudden series of attacks days or hours after the
SATAN release. However, with thousands of copies freely available
and in use, SATAN will make an impact. It won't aid the knowledgeable
intruder who is already aware of how to break in but it will assist the
less than gifted would-be intruder. As these thousands of copies course
throughout the Internet, we and the computer security community will be in
a better position to assess the real impact of SATAN, and whether the
initial hysteria was well founded, after about 6 months of perspective has been gained.
DOES SATAN IDENTIFY NEW VULNERABILITIES?
No, all the vulnerabilities it finds are well known and have either
bulletins and/or patches from an incident response team or a vendor.
HOW IS SATAN DIFFERENT FROM OTHER SECURITY TOOLS?
Tools similar to SATAN have been available to Internet users for several
years, both commercially and in the public domain. These tools are also
used by the intruder community to identify systems vulnerable to attack.
SATAN is different in that it can be configured to test virtually any
system or network of systems accessible to the Internet. SATAN is also
more powerful than previous tools and able to identify more vulnerabilities.
SATAN can discover whether a system trusts connections from other systems,
and then scan those systems. SATAN's WWW interface is easy to use and its
results are easy to view. Additionally, SATAN can be modified easily to
exploit new vulnerabilities.
ADVICE FOR SYSTEM AND NETWORK MANAGERS
Sites should be concerned that internal users as well as intruders could
run SATAN and expose site vulnerabilities. Thus, NIST recommends the
following:
- sites should develop policies for using SATAN responsibly and efficiently,
- sites should promptly correct all vulnerabilities before vulnerable systems
could be attacked,
- sites should look out for illicit scans of their networks by SATAN or
other tools, and
- system managers should install access control software to ensure scans of
their systems by SATAN will be noticeable and consider installing SATAN
detector software developed by incident response teams.
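As an added illustration of the advice to look out for scans and to make them noticeable through access control logging (example code written for this page, not from NIST or the SATAN project): a small Python script that reads tcp_wrappers-style syslog lines and flags any source address that touches several distinct services within a short window, which is the footprint a single SATAN probe of one host leaves. The log lines, host names and addresses are constructed; the pattern assumes the classic tcpd "connect from" / "refused connect from" message form and the 60-second window and 4-service threshold are assumed tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines in the style tcp_wrappers (tcpd) writes when
# it logs an accepted or refused connection; hosts, addresses and times are made up.
SAMPLE_LOG = """\
Nov 30 10:15:01 gw in.ftpd[201]: connect from 192.0.2.77
Nov 30 10:15:01 gw in.telnetd[202]: refused connect from 192.0.2.77
Nov 30 10:15:02 gw in.fingerd[203]: connect from 192.0.2.77
Nov 30 10:15:02 gw in.rshd[204]: refused connect from 192.0.2.77
Nov 30 10:15:03 gw in.rlogind[205]: refused connect from 192.0.2.77
Nov 30 10:15:03 gw in.tftpd[206]: refused connect from 192.0.2.77
Nov 30 10:20:00 gw in.ftpd[210]: connect from 198.51.100.9
Nov 30 11:02:15 gw in.telnetd[230]: connect from 198.51.100.9
"""

# Matches "<Mon DD HH:MM:SS> <host> <service>[pid]: [refused ]connect from <src>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (?P<svc>in\.\w+)\[\d+\]: "
    r"(?:refused )?connect from (?P<src>\S+)$"
)

def parse(log_text, year=1995):
    """Yield (timestamp, service, source) for each tcpd-style line; skip others."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["svc"], m["src"]

def find_scanners(log_text, window_seconds=60, min_services=4):
    """Return {source: sorted services} for every source that touched at least
    min_services distinct services within any window_seconds span."""
    events = defaultdict(list)
    for ts, svc, src in parse(log_text):
        events[src].append((ts, svc))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            seen = {svc for ts, svc in evs[i:]
                    if (ts - start).total_seconds() <= window_seconds}
            if len(seen) >= min_services:
                flagged[src] = sorted(seen)
                break
    return flagged

if __name__ == "__main__":
    for src, svcs in find_scanners(SAMPLE_LOG).items():
        print(f"possible scan from {src}: {', '.join(svcs)}")
```

The second source, 198.51.100.9, touches only two services 42 minutes apart and is not flagged, which is the distinction between ordinary use and a sweep.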
Sites should also improve their network and host security policies and
measures. Sites should consider installing firewall systems so that
internal systems are easier to manage and less vulnerable to attacks. Sites
should install all vendor patches and subscribe to vendor and incident
response team mailing lists so that they will be notified of future
patches or vulnerabilities. Sites should develop policy for network usage,
Internet access, and incident reporting. It is very important that sites
improve system management by allotting sufficient time for system
administration duties and training as necessary. Lastly, when purchasing
systems, sites should demand security features and properly install and
configure new systems and periodically recheck old systems.
FOR FURTHER INFORMATION
NIST operates a clearinghouse of computer security information and tools
accessible via the Internet and dial-in at all times. The clearinghouse
contains links to information about computer security and incident response
team clearinghouses. Together, these sites provide basic and detailed
computer security information, vulnerability and
threat assessments, incident response team alerts, vendor patches, and
computer security tools including firewalls and pointers to vendors. The
clearinghouse is accessible via the following methods:
WWW: http://csrc.ncsl.nist.gov
ftp: csrc.ncsl.nist.gov, login as "anonymous"
email: send message "send INDEX" to docserver@csrc.ncsl.nist.gov
dial-in: 301-948-5717