Internet Security Professional Reference: SATAN and the Internet


The threat level of a security vulnerability must be weighted by several factors, including at least the following:

  The purpose of the system
  The secrecy of the data on the system
  The importance of data integrity
  The importance of uninterrupted access
  The user profile
  The system’s relation to other systems (Is it trusted by other systems? Does it export a file system via NFS?)

Trade-Offs Between Environment and Vulnerabilities

Class 1 through 3 problems are typically not so critical that the system must be stopped immediately. System administrators frequently have control over local users to an extent that these problems are not exploited, at least not maliciously. For example, in a company setting, a department system is used only by members of that department, and exploitation of holes does not go unnoticed.

Class 4 through 6 problems are much more serious, because non-electronic control over the intruders is no longer simple. However, in many corporate or organizational environments, the majority of systems are behind firewalls, and the majority of members of that organization can be trusted, to some extent. For systems directly connected to the Internet, these problems are extremely serious. SATAN specifically searches for vulnerabilities in the Class 4 to Class 6 range.

Class 7 through 9 problems are very serious; with Internet access a requirement for most organizations, and given the poor security of most hosts and desktop operating systems, firewalls are frequently deployed as the only barrier between a company’s information assets and intruders. A security hole that can cross a firewall is serious enough for an organization to seriously consider an immediate disconnection from the Internet—not a decision to be taken lightly. SATAN searches for vulnerabilities in this range. Most organizations only connect to the Internet through a firewall system that offers a limited number of network services, has packet filtering, and is frequently scrutinized by system administrators. Under these conditions, SATAN should not find many vulnerabilities in this range. One such SATAN scan is the search for a recent version of sendmail: sendmail is frequently run on homegrown firewall systems, and holes in the older versions of sendmail permitted intruders to cross the firewall.


Note: Your organization should consider the cost of ownership before subscribing to the sendmail bug-of-the-month club.

A multiuser system intended for payroll management would find a Class 1 hole to be much less tolerable than a single-user workstation intended for CAD designs. For example, it probably would not be acceptable to allow a contractor to view the current paycheck of the CEO, though it would be acceptable for an engineer to view the contents of the shadow password file.

A multiuser system that served as an inventory control machine for many users might find Class 3 holes to be a much greater threat than Class 7 holes because of the great importance of uninterrupted uptime. For example, permitting someone on the manufacturing floor to write root-owned files, such as the number of CD-ROM players in the stockroom, would be more of a realistic problem than the threat of a remote user reading through large numbers of files indicating the stocking level of parts.

A system with sophisticated users might be vulnerable to Class 3 holes also, because such users might want to exploit these holes for making configuration changes outside the official system administration path; for example, a system used by many programmers to do builds of software packages might be vulnerable to a Class 3 hole when one user uses the hole to make changes to disk quota settings, makes a mistake, and causes the system to crash. All the other programmers who depend on the system to build software packages are now unable to do their work.

System Classifications

The U.S. DoD (Department of Defense) created the Trusted Computer System Evaluation Criteria (TCSEC) or “Orange Book” (DoD, 1985a). Computer systems are evaluated against these criteria by the National Computer Security Center (NCSC) and are given a rating of D, C1, C2, B1, B2, B3, or A1, with Class A1 being the most secure. A few Unix systems that have successfully completed a formal NCSC evaluation appear on the Evaluated Products List (EPL) at http://www.radium.ncsc.mil/tpep/. Some vendors claim “compliance” with some level of the criteria, which basically amounts to the vendor saying, “Trust me—it’s secure!” Such a marketing stance is simply not comparable to an evaluation by an independent, disinterested, and experienced team against known and certain security criteria.

Unfortunately, most vendors think they can penetrate and patch their way through security without the benefit of an evaluation based upon sound security principles. Twenty years later, these same vendors simply have not demonstrated any progress in the area of network security. Customers who are stuck with these systems need an alternative baseline for security classifications to help fill the void left by vendors. One such do-it-yourself baseline—with significantly lower assurance than the TCSEC—could be based on the aforementioned ITL class ratings: a system could be branded based on its highest ITL class problem. For example, a system running a standard NFS server and exporting a file system for read-only access would be at least an ITL Class 5 system. The ideally secure system would be an ITL Class -1 system, probably corresponding to a system that is disconnected from the Internet. The highest security obtainable for a standard Internet Unix system is an ITL Class 0 rating, and vendors should be readily able to provide patches to permit customers to obtain this level of security.

SATAN attempts to classify systems based on the severity of vulnerabilities found. SATAN’s classification system, and how it corresponds to the ITL class ratings, is presented later in this chapter. It would be quite useful if SATAN used the ITL classification scale: a numerical index is a much better tool for comparing systems and allowing an organization to manage a large number of computers. For example, an IT group could set goals of “less than 10 percent of all systems are ITL Class 4 or higher,” and use SATAN to run periodic scans to enforce this policy—in a dynamically changing environment, only SATAN, or some other similar tool, would be able to enforce such a policy.
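The branding rule and the example policy above can be checked mechanically once each finding carries an ITL class. The following is an added example, not code from the book or from SATAN: the host names, the findings, the record layout ("host class note") and the function names are constructed for illustration, and the ITL class of each finding is assumed to have been assigned by the analyst.

```python
from collections import Counter

# Constructed sample data: every scanned host, plus one "host class note" row
# per finding. The ITL class on each row is assumed to be analyst-assigned.
INVENTORY = ["gw1", "nfs1", "build1", "cad1", "cad2",
             "cad3", "cad4", "pay1", "inv1", "mail1"]
FINDINGS = """\
nfs1 5 NFS file system exported read-only
build1 3 local user can write root-owned files
build1 1 local user can read a restricted file
pay1 1 local user can read a restricted file
"""

def parse_findings(text):
    """Yield (host, itl_class) from 'host class note...' lines."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        host, cls, *_ = line.split(None, 2)
        cls = int(cls)
        if not 1 <= cls <= 9:
            raise ValueError(f"line {lineno}: ITL class {cls} outside 1..9")
        yield host, cls

def brand_hosts(inventory, findings):
    """Brand each host with its highest ITL class; no findings means Class 0."""
    brand = dict.fromkeys(inventory, 0)
    for host, cls in findings:
        if host not in brand:
            raise KeyError(f"finding for host not in inventory: {host}")
        brand[host] = max(brand[host], cls)
    return brand

def check_policy(brand, min_class=4, limit_pct=10):
    """Policy from the text: less than limit_pct percent at min_class or higher."""
    offenders = sorted(h for h, c in brand.items() if c >= min_class)
    # Integer comparison keeps the strict "less than" exact at the boundary.
    ok = len(offenders) * 100 < limit_pct * len(brand)
    return ok, offenders

if __name__ == "__main__":
    brand = brand_hosts(INVENTORY, parse_findings(FINDINGS))
    ok, offenders = check_policy(brand)
    print("hosts per ITL class:", dict(sorted(Counter(brand.values()).items())))
    print("policy met" if ok else "policy violated", "- Class 4+ hosts:", offenders)
```

With the constructed data, one host in ten is Class 4 or higher, which is exactly 10 percent and therefore fails the "less than 10 percent" goal.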

