Internet Security Professional Reference:SATAN and the Internet


Comparison to Other Tools

SATAN was not the first program to look for network vulnerabilities. ISS does a similar scan and claims to look for more vulnerabilities than any other program—200 at the time of this writing. Unlike SATAN, the latest ISS is not free, but is instead a commercial product that does not include source code. See http://www.iss.net/ for more information. An older, but free, version of ISS is available, along with a patch for bug fixes, from ftp://ftp.uu.net/usenet/comp.sources.misc/volume39/iss/.

Fremont, a freely available program, does a scan of hosts and attempts to build a map of systems. However, it does not search for network vulnerabilities. It is available from ftp://ftp.cs.colorado.edu/pub/cs/distribs/fremont.

Vendor Reactions

SATAN had the effect that the creators may have secretly desired. It increased customer interest in network security, causing vendors to release bulletins and patches if they weren’t already doing so. Such public disclosure of holes is risky, however; users who are unaware of workarounds or patches may be vulnerable to holes for some time, whereas intruders have been alerted to them.

The creators of SATAN provided advance copies of the programs to vendors to help them prepare for its release. All the major vendors released extremely detailed bulletins in response to SATAN, some before SATAN’s release and the rest within weeks after SATAN’s release. These bulletins listed patches that addressed most of the vulnerabilities searched for by SATAN that were code problems. The bulletins also indicated configuration recommendations and advice on the trade-offs between running some products (finger) and the risk involved.


Note: The CIAC web site includes links to most vendor bulletins regarding SATAN. See http://ciac.llnl.gov/ciac/.

Long-Term Impact

SATAN has increased public awareness of many Internet security vulnerabilities and improved responsiveness by vendors, perhaps by alerting vendor management to the high-profile nature of this area.

Surprisingly, few stories of intrusions as a result of SATAN have been publicized. It is possible that these intrusions are just not being detected, because many attacks go unnoticed. For HP, the SATAN advisory continues to be requested every week, making it the most popular security bulletin ever published, with perhaps 10,000 copies distributed.

It is likely that SATAN will continue to gather additional vulnerability checks, although few have been added so far. SATAN does provide a flexible architecture for adding such checks, an easy way to intelligently scan many hosts, as well as a nice reporting mechanism and database format.

Detecting SATAN

There are several network monitoring programs for your Unix system. The most popular SATAN detection program is Courtney, but the others listed here are also quite useful.

Courtney

The Courtney program detects whether a system has been scanned by SATAN, or by any other port scanner such as ISS, and notifies the administrator of the probe. The program is a short Perl script that uses the tcpdump packet capture library (libpcap) to monitor all network traffic to a system. When it sees a SATAN-like rapid sequence of connection attempts to many UDP and TCP ports from one source, Courtney assumes that the traffic was generated by a port scanner such as SATAN.

Courtney requires the tcpdump libpcap library, which puts the system's LAN interface into promiscuous mode, something that not all systems support. Courtney was created by the CIAC in direct response to SATAN’s release and is available via the CIAC web site at http://ciac.llnl.gov.

Gabriel

Instead of a PERL script, Gabriel is a binary, built from C source, that offers similar functionality, but without requiring the tcpdump libpcap library. Gabriel, however, runs only on Sun platforms. It is freely available from http://www.lat.com/gabe.htm along with information on joining a mailing list of Gabriel users.

TCP Wrappers

The TCP wrapper program can be used to log attempts to connect to network services. Because SATAN’s UDP and TCP scans consist of exactly such connection attempts, the TCP wrapper logs can indicate a SATAN scan. In addition to the tcp_wrappers program itself, some inetd implementations, and xinetd, include TCP wrapper functionality.

In addition to logging attempts, these programs also provide some control over incoming requests. tcp_wrappers can be used to permit (/etc/hosts.allow) or deny (/etc/hosts.deny) access based on the remote IP address and the owner of the remote connection. Both of these restrictions can be circumvented: IP spoofing is possible, and modification of the remote system’s identd is straightforward. Many inetd programs use inetd.sec to provide the same control.

Xinetd provides this functionality and adds control over the time of day at which a connection attempt is accepted. Xinetd also logs additional information, including the remote user ID, access times (including exit time and exit status), and service-specific information. Xinetd also permits access control over every UDP packet instead of just the initial one.

  The address for tcp_wrappers is ftp://ftp.win.tue.nl/pub/security.
  The address for Xinetd is ftp://ftp.ieunet.ie/pub/security/xinetd-2.14.tar.gz.

netlog/TAMU

The netlog program logs TCP and UDP traffic, using the promiscuous mode of the network interface (through either the /dev/nit device or streams DLPI). Although intended for Sun systems, netlog should be portable to any system that offers similar functionality. netlog is available from ftp://ftp.net.ohio-state.edu/pub/security/netlog.

Argus

CMU’s SEI group, closely associated with CERT, offers an IP network transaction management and monitoring program called Argus. Argus is available from ftp://ftp.sei.cmu.edu/pub/argus-1.5 along with libpcap and the other programs it requires.

Using Secure Network Programs

You are now aware of the following:

  The details of the first phase of a network attack
  How SATAN is used to mount these attacks
  The resources available for dealing with network vulnerabilities
  The network monitoring tools that can detect attacks

It might be worthwhile to investigate ways of improving the overall security of Unix networking. Although minor changes to existing network services can minimize vulnerabilities, major changes are frequently required to deal with inherent problems of the Internet.
