Improving your Network Security using SATAN

	SATAN (Security Administrator Tool for Analyzing Networks)
is a security tool designed by Dan Farmer and Wietse Venema to
help systems administrators recognize several network-related
security problems, in a world where computer systems are becoming
more and more dependent on networks.  SATAN is a UNIX-based tool,
originally designed only for SunOS/Solaris and Irix; however,
ports to many other flavors of UNIX now exist, including one for
Linux, allowing anyone with a PC and a SLIP/PPP account access to
the information provided by SATAN, which normally requires root
access to run.  It is important to note that while SATAN is a
UNIX-based tool, it can be configured to scan virtually any type
of network.  Examples include a Macintosh user running a telnet
package that could have an ftp server enabled, allowing a remote
user to write or modify files on the local machine; a PC user
running an X Windows server with no access control enabled; or a
VMS workstation using NFS to export disks without any
restrictions.
	SATAN works by gathering as much information as possible
about system and network services, such as finger, NFS, NIS, ftp,
rexd, etc.  Along with this, SATAN also gathers information on
well-known software bugs and poorly or improperly set up network
utilities, services or network configurations.  For any
vulnerabilities that SATAN finds, it provides limited information
on how to correct the problem.  SATAN can test individual
machines or entire networks of machines.  For example, SATAN
often finds sites that haven't installed an updated version of
sendmail and therefore are at risk from even inexperienced hackers.
Its real strength, though, comes from its exploratory mode.
Based on the initial information gathered and a user-definable
ruleset, SATAN will examine the avenues of trust and dependency
for each host on the network, further exploring any secondary
host that it encounters, giving the network administrator a good
picture of not only the local hosts/networks but also of any
network providing services to the local network.  This provides
the administrator with a more complete picture of the actual
security of the network.  All of the information gathered by
SATAN is then presented to the user via a World Wide Web
browser (such as Netscape, Mosaic, etc.) in an easy to read and
follow format, making SATAN extremely easy to use.
	Released without cost on April 5th, 1995, SATAN set off an
immediate hailstorm of controversy.  Due to SATAN's widespread
availability, its ease of use and the fact that it can scan
foreign networks for poor configurations and determine which
hosts are trusted by which systems on those networks, many feared
that SATAN would become the tool of choice for hackers.  PC
Magazine, in an article called "The Arrival of Satan" (4/7/95),
describes its ease of use:

"Using Satan, figuring out how to break into a multitude of Internet sites is literally as easy pulling up a dialog box in the program, and filling in two fields. One asks for the Internet address of the site you want to probe, and the other asks what level of probing you want to do--essentially how hard an attack you want to mount against the site."

In fact, just two days after SATAN's release, officials from Chicago's DomiNET and Clear Lake's Phoenix Data Systems (both Internet Service Providers) confirmed that they had spotted SATAN's trademark Internet snooping behavior in their access logs. However, most of the hysteria surrounding SATAN actually occurred before its release. This quote appeared in the L.A. Times: "SATAN is like a gun, and this is like handing a gun to a 12-year-old." Along similar lines, this quote appeared in the Oakland Tribune: "It's like randomly mailing automatic rifles to 5,000 addresses. I hope some crazy teen doesn't get a hold of one." Since the initial release of SATAN, relatively few break-ins have been attributed to SATAN. This is largely due to the fact that SATAN only exploits well-known security holes, all of which have either bulletins or patches available from an incident response team (such as CERT) or a vendor, so only the unwary administrator is at increased risk from SATAN. Also, several programs have been written to detect SATAN's scans, such as the program called Courtney. Paul Danckaert, who is in charge of Computer Security for UCS at UMBC, had this to say about SATAN:

"...I ran it twice, when it came out. Once was to see if it would do anything.. the second time, because I didn't believe how poorly it did the first time. ...So... yes, I've run satan.. No, I don't see people use it in the "real world".. at least anybody who knows anything about security. Its only possible use is as a Check-up type of tool, to double check your setup when you finish configuration of a machine or firewall, but even then, it is probably easier just to check a few files on the local machine.."

So it seems that despite all the media attention and furor, the greatest result achieved by SATAN has been to get systems administrators to take a hard look at their system and network security. Ironically, all the security provided by SATAN can be provided just as well without SATAN; all that is needed is for administrators to get on security mailing lists and install all available security patches as they come out for the machines that they are running.
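
The scan detection mentioned above (SATAN's probing showing up in access logs, and detectors such as Courtney) can be illustrated with a small added example. This is not Courtney's code or anything from the SATAN distribution; the log format, the function name detect_scanners and the thresholds are assumptions made for the illustration. It flags a source that touches many distinct services on one host within a short time window, which is the pattern produced by a tool that gathers information on finger, ftp, NFS and similar services in one pass.

```python
from collections import defaultdict, deque

# Constructed connection-log lines (not real traffic), assumed sorted by time:
# "epoch_seconds src_ip dst_ip service"
SAMPLE_LOG = """\
1000 192.0.2.10 198.51.100.5 finger
1001 192.0.2.10 198.51.100.5 ftp
1001 192.0.2.10 198.51.100.5 telnet
1002 192.0.2.10 198.51.100.5 smtp
1003 192.0.2.10 198.51.100.5 sunrpc
1004 192.0.2.10 198.51.100.5 exec
1004 192.0.2.10 198.51.100.5 login
1005 192.0.2.10 198.51.100.5 shell
1010 192.0.2.77 198.51.100.5 smtp
1400 192.0.2.77 198.51.100.5 ftp
1900 192.0.2.77 198.51.100.5 smtp
malformed line here extra
"""

def detect_scanners(log_text, window=60, min_services=6):
    """Return {src_ip: (first_alert_time, sorted services seen in the window)}
    for each source that touched at least min_services distinct services on a
    single destination within `window` seconds."""
    recent = defaultdict(deque)          # (src, dst) -> deque of (time, service)
    alerts = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue                     # skip blank or malformed records
        ts, src, dst, service = int(parts[0]), parts[1], parts[2], parts[3]
        events = recent[(src, dst)]
        events.append((ts, service))
        while events and ts - events[0][0] > window:
            events.popleft()             # expire events older than the window
        distinct = {svc for _, svc in events}
        if len(distinct) >= min_services and src not in alerts:
            alerts[src] = (ts, sorted(distinct))   # record the first alert only
    return alerts

if __name__ == "__main__":
    for src, (ts, services) in detect_scanners(SAMPLE_LOG).items():
        print(f"possible scan from {src} at t={ts}: {', '.join(services)}")
```

The second source in the sample data is a normal mail and ftp client spread over many minutes, so it never reaches the threshold; tuning window and min_services trades missed slow scans against false alarms from busy legitimate hosts.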

