[ In response to all the advance hype about SATAN, we present the following
  statement for the benefit of SAGE members and other interested parties.  

  Pat Wilson
  SAGE Board of Directors
  paw@usenix.org || paw@dartmouth.edu ]


What's all this about SATAN?
----------------------------

SATAN, to be released April 5th, is a Security Administrator Tool for
Analyzing Networks written by Dan Farmer and Wietse Venema.  Combining a 
GUI front-end with a rule-based probe engine, it is both well designed and 
easy to configure, use, and upgrade.  SATAN should definitely become part of 
every sysadmin's toolkit, right along with COPS and Swatch.

As shipped, SATAN will test for 11 well-known vulnerabilities (NFS mounting
holes, rexec, old sendmail versions, and suchlike) - if you've been paying
attention to CERT advisories and patching accordingly, you should find few
surprises.  The tool is designed to probe, rather than probe and exploit.  

The real dangers of SATAN arise from its ease of use - an automated tool
makes it very easy to probe around on the network.  Arbitrary hosts may be
probed, and the "network of trust" feature encourages searches of machines
peripheral to the target machine (sites showing up in .rhosts files, for
example, are automatically added to the probe list in most configurations).  
Denial of service due to large numbers of SATAN probes may be a very real issue
for some well known sites.  The other major worry is that little effort is 
required to add new probes (so new holes may be discovered and explored more 
rapidly by more people than in the past), and it seems a fairly small amount of 
work to convert "probe only" scripts to "probe and exploit."

There's already been a "SATAN detector" released: Courtney (which detects
SATAN probe activity via tcpdump data) is available from 
ftp://ciac.llnl.gov/pub/ciac/sectools/unix/.  Other SATAN sniffers should
be available soon.
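
The kind of check a tcpdump-based detector can perform is illustrated below.
This is an added example, not Courtney's code and not part of the original
statement; the heuristic (one source sending connection requests to many
distinct ports on one host within a short window), the name find_probers,
the thresholds, and the sample capture lines are all assumptions constructed
for illustration.

```python
import re
from collections import defaultdict, deque

# Constructed sample in old-style `tcpdump -n` text output (not real traffic).
SAMPLE = """\
10:15:01.10 192.0.2.7.1044 > 198.51.100.5.21: S 100:100(0) win 4096
10:15:01.30 198.51.100.5.21 > 192.0.2.7.1044: S 900:900(0) ack 101 win 4096
10:15:01.60 192.0.2.7.1045 > 198.51.100.5.23: S 200:200(0) win 4096
10:15:02.10 192.0.2.7.1046 > 198.51.100.5.25: S 300:300(0) win 4096
10:15:02.40 192.0.2.20.2001 > 198.51.100.5.25: S 700:700(0) win 4096
10:15:02.90 192.0.2.7.1047 > 198.51.100.5.79: S 400:400(0) win 4096
10:15:03.50 192.0.2.7.1048 > 198.51.100.5.111: S 500:500(0) win 4096
10:15:04.00 192.0.2.7.1049 > 198.51.100.5.512: S 600:600(0) win 4096
10:40:00.00 192.0.2.20.2002 > 198.51.100.5.23: S 800:800(0) win 4096
"""

# Fields: time, source address, source port, dest address, dest port, SYN flag.
SYN = re.compile(r"^(\d+):(\d+):(\d+\.\d+) (\d+(?:\.\d+){3})\.(\d+) > "
                 r"(\d+(?:\.\d+){3})\.(\d+): S ")

def find_probers(text, window=60.0, threshold=5):
    """Return {(src, dst): [ports]} for every source that sent SYNs to at
    least `threshold` distinct ports on one host within `window` seconds."""
    recent = defaultdict(deque)          # (src, dst) -> (time, port) entries
    flagged = {}
    for line in text.splitlines():
        m = SYN.match(line)
        if not m or " ack " in line:     # skip non-SYN lines and SYN-ACK replies
            continue
        hh, mm, ss, src, _sport, dst, dport = m.groups()
        # Timestamps carry no date; a capture spanning midnight needs more care.
        now = int(hh) * 3600 + int(mm) * 60 + float(ss)
        seen = recent[(src, dst)]
        seen.append((now, int(dport)))
        while now - seen[0][0] > window: # drop entries older than the window
            seen.popleft()
        ports = {port for _, port in seen}
        if len(ports) >= threshold:
            flagged.setdefault((src, dst), set()).update(ports)
    return {pair: sorted(ports) for pair, ports in flagged.items()}

if __name__ == "__main__":
    for (src, dst), ports in find_probers(SAMPLE).items():
        print(f"possible probe: {src} -> {dst} ports {ports}")
```

The ordinary client at 192.0.2.20 touches only two ports 25 minutes apart
and is not reported; tightening the window or raising the threshold trades
missed slow probes against false alarms on busy hosts.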

In summary:  SATAN is a well-made tool which should prove valuable for
security admins.  Get it and use it.

References:

"Improving the Security of Your Site by Breaking Into It", Dan Farmer and Wietse Venema 
SATAN documentation: ftp://ftp.win.tue.nl/pub/security/satan_doc.tar.Z 
CERT advisory CA-95:06 : ftp://info.cert.org/pub/cert-advisories
CIAC Notes 95-07: ftp://ciac.llnl.gov/pub/ciac/notes  

-----
For more information about SAGE, the System Administrators' Guild,
send mail to sage@usenix.org (pre-recorded message) or visit 

-----
-- 
Pat Wilson
Member, SAGE Board of Directors
paw@usenix.org