Upload
mildred-charles
View
214
Download
0
Embed Size (px)
Citation preview
OUTLINE
What is SATAN? Why build it? How it works Capabilities Why use it? Dangers of SATAN Legalities Future Directions
What is SATAN?
SATAN (Security Analysis Tool for Auditing Networks)
Examines remote hosts & Networks
What is SATAN (cont.)
Gathers information about potential security flaws such as:– Incorrectly set up or configured network services– Poor policy decisions– Well known bugs in:
Systems Network Utilities
What is SATAN (cont.)
Also gathers information about:
– Network topology– Webs of trust (more to come)– Hardware and software resident on network
SATAN is a research tool Not designed to solve any particular problem
Why Build SATAN?
To learn about network security with respect to large networks
To show how insecure the Internet really is
Why Build SATAN (cont.)
Design Goals:– To discover if problem of mapping security of large
networks is solvable
– To find maximum information about network security without being destructive
Why Build SATAN? (cont.)
Design Goals (cont.)
– To make package available to anyone Why? Because limiting access to information about security
problems hinders the abilities of system administrators Weakens the integrity of the Internet
Web of Trust
Definition:– When local resources of a server can be accessed or
compromised by a client with or without proper authorization
Trust is weak if:– Client authentication is weak– Client authentication is outside system administrator’s domain– Security of client is outside system administrator’s domain
At least one case is usually present when a host is trusted
Web of Trust (cont.)
Trust is transitive– A→B and B→C, Therefore A→C.
Trust in networks can bind otherwise disjoint hosts Sites depend on one another Sites could be insecure, compromising sites that trust
them
Leads to a weaker network
How SATAN Works
Has target acquisition program that uses fping to find hosts
Target list then passed to data collection engine
Data collection engine checks if target has been probed yet
If not …
How SATAN Works (cont.)
SATAN examines network services of remote host:
– NFS (Network File System) – file sharing protocol in UNIX
– NIS (Network Information Services) – naming service that allows resources to be added, deleted and modified.
– ftp
– tftp (trivial file transfer protocol) – used with diskless workstations
How SATAN Works (cont.)
SATAN can then:– Report information to user– Use simple rule-based system to investigate
potential security problems
Data collected is then stored SATAN uses HTML browser
– Output can be analyzed or queried by user
Capabilities
So far there has only been limited research SATAN has found the following problems in
networks:– NFS file systems exported to arbitrary hosts– NFS file systems exported to unprivileged hosts– NIS password file access from arbitrary hosts– Arbitrary files accessible via tftp
Capabilities (cont.)
SATAN’s exploratory mode– Where SATAN’s power comes from
– Traverses web of trust and dependency
– Performs analysis of secondary, tertiary hosts, etc.
– Gives more clear picture of overall network security and possible avenues of attack
SATAN’s weaknesses
SATAN is not optimized for speed of execution– Designed for periodic runs over large networks of
over 1000 nodes– Normal scanning time is several hours
SATAN will not run on Mac’s or PC’s unless running UNIX
Has not been tested on other OS’s like Linux
Why Use SATAN?
Mostly designed for system administrators
Intruders will be able to access the same security vulnerability information, which is why it is effective
Will likely uncover previously unknown problems or weaknesses in network
Dangers of SATAN
SATAN can be used by potential intruders and hackers
Works because it uses same techniques
SATAN can be used to probe a network without authorization
Dangers of SATAN (cont.)
Even well intentioned system administrators can let SATAN traverse webs of trust and probe beyond their authority
Could anger neighbors and / or lead to legal problems
Controlling SATAN
Best if run behind firewall
Proximity Level setting determines the number of hops away from target to probe– 1 hop – will only probe hosts adjacent to user in web
of trust
Controlling SATAN (cont.)
Uses targeting exception variables, which specify which hosts the user can, cannot, and must probe
– $don’t_attack_these$ Used to avoid .gov and .mil hosts, for example
– $only_attack_these$ Used to specify a certain network like .edu
Legality of SATAN
So far, no known files charged against anyone for running a security tool
Legality is not yet clear for doing so Running a security tool against a remote site
without permission is “probably” illegal.
Be careful
SATAN’S Future
Hoping to graphically display network maps
Hoping to graphically display webs of trust
MORE TESTING!!!!