SATAN Advisory
The press has been reporting the imminent release of a tool for UNIX workstations called SATAN,
an acronym for Security Analysis Tool for Analyzing Networks. It provides a point-and-click
interface for the analysis of the TCP/IP network security configuration of one or more
machines. It can be used by system administrators or security auditors to analyze the security
of a private network on the Internet. It can also, as has been reported, be used by malicious
hackers to analyze the security of a network in order to obtain information about possible
means of penetration. 

Background
  The authors of the tool, Dan Farmer and Wietse Venema, have built and
are allegedly releasing the tool in order to make sure that the playing field is
leveled between hackers and administrators. Hackers currently have access
to the information about security weaknesses, while administrators often do
not. 
  The authors have released a paper called Improving the Security of Your
Site by Breaking into It, which publishes the same vulnerabilities that are
uncovered by SATAN but which is written as prose rather than as a
program. The paper, as attached, was downloaded from the Internet site
operated by Dan Farmer (http://fish.com) and numerous other Internet sites.
   Dan Farmer was formerly employed with CERT, Sun Microsystems, and
Silicon Graphics and was involved in the creation of a security checking
software package called COPS. This package does an internal scan of a
UNIX system and allows an administrator to analyze his system's security.
The tool is extremely good at scanning for deficiencies in the current
configuration of a UNIX machine but it is weak in the area of network
security and only runs against one machine. SATAN is an intellectual
outgrowth of COPS and extends the capabilities beyond the local machine to
encompass one or more machines on a network.

  SATAN is not the first tool of its kind, but it has been receiving a lot
more publicity than its precursor, Internet Security Scanner (ISS). ISS is
currently widely distributed on the net and performs many of the same
functions as SATAN but without the graphical user interface and ease of use.

Impact
 The tool searches for weaknesses (already well known among the expert
security and hacker communities) in UNIX and TCP/IP configurations. These
same vulnerabilities could easily exist in non-UNIX machines which are
connected to the Internet, because the non-UNIX implementations of TCP/IP
software suites attempt to imitate the UNIX implementations as closely as
possible. Thus, not only UNIX machines but all machines including PCs
connected to the Internet may contain vulnerabilities which can be
uncovered by SATAN.
  More importantly, SATAN provides hacking opportunities to non-experts by
providing a tool which uncovers and explains the vulnerabilities in networks.
The potential exists that there will be an increase in the number and
frequency of attempted break-ins.
  The requirements to run SATAN are minimal; a 386 PC running a free
UNIX-like operating system such as FreeBSD or Linux, the Perl 5 scripting
language and the Mosaic WWW browser (all of which are free on the
Internet) would suffice. Although root privilege is needed on the machine to
run SATAN, this is not difficult to gain by running one's own machine.

Recommendations
  The following recommendations should be considered in order to minimize
the vulnerability and therefore the risk of one's systems, not just to SATAN,
but to hackers in general:
    Follow the instructions in the Improving the Security of Your Site by
     Breaking into It paper in the "Protecting the system" section and the
     CIAC advisory number 95-07.
    Get and install the COPS security auditing software. It is available from
     ftp://ftp.cert.org.
    Get and install a firewall which shields one's internal network from
     visibility on the Internet and provides a secured single point of entry.
     This will reduce the ability of hackers to locate the hosts which may or
     may not be vulnerable and allows for the enforcement of a front-line
     security policy which limits the ability of hackers to gain access to
     the vulnerable interfaces of internal machines.
  Further to this, the US Department of Energy's Computer Incident Advisory
Capability has made an analysis of SATAN available
(http://ciac.llnl.gov/ciac/notes/Notes07.shtml). This analysis details the
probes made by SATAN and points out possible countermeasures. One of these is
a program called Courtney
(http://ciac.llnl.gov/ciac/ToolsUnixNetMon.html#Courtney), which monitors
behavior which looks like a SATAN attack and reports this to the system
operator.
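  A monitor of this kind can be sketched as follows. This is an example added
here, not Courtney's code and not taken from the CIAC analysis; the log
format, the 60-second window and the threshold of 5 distinct services are
assumptions chosen for illustration. It flags a source that contacts many
different services on one host in a short time.

```python
from collections import defaultdict, deque

# Constructed sample connection log (hypothetical format, one event per line):
# "epoch_seconds src_ip dst_ip dst_port"
SAMPLE_LOG = """\
1000 192.0.2.10 198.51.100.5 21
1001 192.0.2.10 198.51.100.5 23
1002 192.0.2.10 198.51.100.5 25
1003 192.0.2.10 198.51.100.5 79
1004 192.0.2.10 198.51.100.5 111
1005 192.0.2.10 198.51.100.5 513
1010 192.0.2.77 198.51.100.5 25
1400 192.0.2.77 198.51.100.5 25
1500 192.0.2.77 198.51.100.5 80
garbage line
"""


def detect_sweeps(lines, window=60, threshold=5):
    """Return one alert (time, src, dst, ports) per source/destination pair
    that reaches `threshold` distinct ports within `window` seconds.
    Input lines are assumed to be in time order."""
    recent = defaultdict(deque)  # (src, dst) -> deque of (timestamp, port)
    alerted = set()              # pairs already reported, to avoid repeats
    alerts = []
    for line in lines:
        parts = line.split()
        # Skip malformed lines instead of aborting the monitor.
        if len(parts) != 4 or not parts[0].isdigit() or not parts[3].isdigit():
            continue
        ts, src, dst, port = int(parts[0]), parts[1], parts[2], int(parts[3])
        events = recent[(src, dst)]
        events.append((ts, port))
        # Drop events that have aged out of the sliding window.
        while events and ts - events[0][0] > window:
            events.popleft()
        ports = {p for _, p in events}
        if len(ports) >= threshold and (src, dst) not in alerted:
            alerted.add((src, dst))
            alerts.append((ts, src, dst, sorted(ports)))
    return alerts


if __name__ == "__main__":
    for ts, src, dst, ports in detect_sweeps(SAMPLE_LOG.splitlines()):
        print(f"{ts}: {src} probed {len(ports)} services on {dst}: {ports}")
```

  A fixed window and threshold miss probes that are spread out over a longer
period, so the values need tuning against normal traffic on the network being
watched.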
  If you have further questions, please contact CSE ITS Client Services, phone (613)991-7546.
  
Attachments
    Improving the Security of Your Site by Breaking into It, Dan Farmer and Wietse Venema.
     [admhack.txt]
    CIAC Notes Number 95-07: A Look at SATAN, U.S. Department of Energy Computer Incident
     Advisory Capability, 29 March 1995. [ciac9507.txt]
    CERT Coordination Center General Security Information, U.S. Computer Emergency Response
     Team. [certseci.txt]
    Anonymous FTP Configuration Guidelines, CERT. [certaftp.txt]
    Packet Filtering for Firewall Systems, CERT. [certpfil.txt]