SATAN (Security Administrator Tool for Analyzing Networks) is a security tool designed by Dan Farmer and Wietse Venema to help systems administrators recognize several network-related security problems, in a world where computer systems are becoming more and more dependent on networks. SATAN is a UNIX-based tool, originally designed only for SunOS/Solaris and Irix; however, ports to many other flavors of UNIX now exist, including one for Linux, allowing anyone with a PC and a SLIP/PPP account access to the information provided by SATAN, which normally requires root access to run. It is important to note that while SATAN is a UNIX-based tool, it can be configured to scan virtually any type of network. Examples include a Macintosh user running a telnet package that could have an ftp server enabled, allowing a remote user to write or modify files on the local machine; a PC user running an X Windows server with no access control enabled; or a VMS workstation using NFS to export disks without any restrictions.
SATAN works by gathering as much information as possible about system and network services, such as finger, NFS, NIS, ftp, rexd, etc. Along with this, SATAN also gathers information on well-known software bugs and on poorly or improperly set up network utilities, services or network configurations. For any vulnerabilities that SATAN finds, it provides limited information on how to correct the problem. SATAN can test individual machines or entire networks of machines. For example, SATAN often finds sites that haven't installed an updated version of sendmail and are therefore at risk from even inexperienced hackers. Its real strength, though, comes from its exploratory mode.
Based on the initial information gathered and a user-definable ruleset, SATAN will examine the avenues of trust and dependency for each host on the network, further exploring any secondary host that it encounters. This gives the network administrator a good picture not only of the local hosts and networks but also of any network providing services to the local network, and so a more complete picture of the actual security of the network. All of the information gathered by SATAN is then presented to the user via a World Wide Web browser (such as Netscape, Mosaic, etc.) in an easy to read and follow format, making SATAN extremely easy to use.
Released without cost on April 5th, 1995, SATAN set off an immediate hailstorm of controversy. Due to SATAN's widespread availability, its ease of use and the fact that it can scan foreign networks for poor configurations and determine which hosts are trusted by which systems on those networks, many feared that SATAN would become the tool of choice for hackers. PC Magazine, in an article called "The Arrival of Satan" (4/7/95), describes its ease of use: "Using Satan, figuring out how to break into a multitude of Internet sites is literally as easy pulling up a dialog box in the program, and filling in two fields. One asks for the Internet address of the site you want to probe, and the other asks what level of probing you want to do--essentially how hard an attack you want to mount against the site."
In fact, just two days after SATAN's release, officials from Chicago's DomiNET and Clear Lake's Phoenix Data Systems (both Internet Service Providers) confirmed that they had spotted SATAN's trademark Internet snooping behavior in their access logs. However, most of the hysteria surrounding SATAN actually occurred before its release. This quote appeared in the L.A. Times: "SATAN is like a gun, and this is like handing a gun to a 12-year-old." Along similar lines, this quote appeared in the Oakland Tribune: "It's like randomly mailing automatic rifles to 5,000 addresses. I hope some crazy teen doesn't get a hold of one."
Since the initial release of SATAN, relatively few break-ins have been attributed to it. This is largely because SATAN only exploits well-known security holes, all of which have bulletins or patches available from an incident response team (such as CERT) or a vendor, so only the unwary administrator is at increased risk from SATAN. Also, several programs have been written to detect SATAN's scans, such as the program called Courtney. Paul Danckaert, who is in charge of Computer Security for UCS at UMBC, had this to say about SATAN: "...I ran it twice, when it came out. Once was to see if it would do anything.. the second time, because I didn't believe how poorly it did the first time. ...So... yes, I've run satan.. No, I don't see people use it in the "real world".. at least anybody who knows anything about security. Its only possible use is as a Check-up type of tool, to double check your setup when you finish configuration of a machine or firewall, but even then, it is probably easier just to check a few files on the local machine.."
So it seems that despite all the media attention and furor, the greatest result achieved by SATAN has been to get systems administrators to take a hard look at their system and network security. Ironically, all the security provided by SATAN can be provided just as well without it: all that is needed is for administrators to get on security mailing lists and install all available security patches as they come out for the machines that they are running.
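The scan-detection programs mentioned above look for the pattern SATAN leaves when it probes many services on one host. The sketch below is an added example, not Courtney's code (the page does not describe how Courtney works): it flags any source that touches several distinct services on one host within a short window. The log format, threshold, window and addresses are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, source, destination, service.
SAMPLE_LOG = """\
1995-04-07T10:00:01 192.0.2.10 198.51.100.5 finger
1995-04-07T10:00:02 192.0.2.10 198.51.100.5 ftp
1995-04-07T10:00:02 192.0.2.20 198.51.100.5 ftp
1995-04-07T10:00:04 192.0.2.10 198.51.100.5 nfs
1995-04-07T10:00:05 192.0.2.10 198.51.100.5 rexd
1995-04-07T10:00:07 192.0.2.10 198.51.100.5 nis
1995-04-07T10:05:00 192.0.2.20 198.51.100.5 ftp
1995-04-07T11:00:00 192.0.2.30 198.51.100.5 finger
1995-04-07T12:00:00 192.0.2.30 198.51.100.5 ftp
1995-04-07T13:00:00 192.0.2.30 198.51.100.5 nfs
1995-04-07T14:00:00 192.0.2.30 198.51.100.5 rexd
malformed line
"""

def detect_sweeps(log_text, min_services=4, window=timedelta(seconds=60)):
    """Return {(src, dst): services} for each source that touched at least
    min_services distinct services on one host inside the time window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that do not match the assumed format
        ts, src, dst, svc = parts
        try:
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue  # skip unparseable timestamps
        events[(src, dst)].append((when, svc))

    alerts = {}
    for key, seen in events.items():
        seen.sort()
        start = 0
        for end in range(len(seen)):
            # Slide the window so it never spans more than `window`.
            while seen[end][0] - seen[start][0] > window:
                start += 1
            services = {svc for _, svc in seen[start:end + 1]}
            if len(services) >= min_services:
                alerts[key] = sorted(services)  # services seen when tripped
                break
    return alerts

if __name__ == "__main__":
    for (src, dst), services in detect_sweeps(SAMPLE_LOG).items():
        print(f"possible sweep: {src} -> {dst}: {', '.join(services)}")
```

The slow source 192.0.2.30 touches the same four services over several hours and is not flagged, which shows the trade-off in choosing the window.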