RELEASE OF SATAN SOFTWARE TOOL FACT SHEET INTRODUCTION Due to extensive media attention regarding the release of another version of SATAN (Security Administrator Tool for Analyzing Networks), the National Institute of Standards and Technology (NIST) is issuing this fact sheet to answer questions about SATAN. WHAT IS SATAN? SATAN is a software tool for assessing Internet host and network security. SATAN tests host systems to determine which Internet services are present and whether those services are misconfigured or contain vulnerabilities that an intruder could exploit. SATAN provides limited information on how to correct the vulnerabilities it identifies as well as a modest tutorial on host system security. SATAN can test individual hosts or entire networks of host systems. SATAN is an analysis and reporting tool only and does not break into systems or exploit new and/or rare vulnerabilities. All the vulnerabilities it finds are well known and have either bulletins and/or patches from an incident response team or a vendor. However, as with most tools of this type not just system administrators but intruders will undoubtedly use SATAN to find vulnerabilities in certain systems and then they will exploit those systems. Thus, while the tool aids a conscientious security-aware administrator it does increase the risk to the unwary administrator. SATAN'S AVAILABILITY SATAN's authors, Mr. Dan Farmer and Mr. Wietse Venema, made SATAN widely available over the Internet without cost starting April 5, 1995. Many Internet sites now have SATAN and thousands of copies have been distributed worldwide. WHAT IS REQUIRED TO RUN SATAN? SATAN runs on specially-configured UNIX systems and can be configured so that only users with system-level privileges or root privileges may execute the software. The first release of SATAN runs only on UNIX systems made by Sun Microsystems and Silicon Graphics. Ports to other UNIX systems such as Linux have followed quickly. SATAN requires installation of additional software and World Wide Web (WWW) client programs such as Mosaic. It is important, however, to distinguish between systems that execute SATAN and those that SATAN can scan. SATAN can be used to scan many different vendor systems and, furthermore, could be modified to probe routers and other networked devices. WHY IS SATAN CONTROVERSIAL? As stated earlier, SATAN is controversial because conscientious system and network administrators and would-be hackers or intruders are both helped. Administrators who have both time and the capability to use and understand SATAN and its findings will clearly close up the holes or vulnerabilities in their systems. However, many system administrators are often ill-equipped or equipped but over-burdened, and thus are quite vulnerable to intruders who run SATAN against them. A typical hacker will scan a site for vulnerabilities with a tool like SATAN, find some systems vulnerable, and then install trojanized login programs (permit access by legitimate users but steals their passwords and system Ids) or sniffer programs that silently sniff legitimate user passwords and Ids for later illegitimate use. Several computer security incident response teams report that internal testing for vulnerabilities indicates that very high percentages of Internet host systems are vulnerable to tools like SATAN. As a consequence, some incident response teams and others in the Internet community have and are writing detectors to note when SATAN is being used to scan their systems. IS SATAN OVERBLOWN? As we saw in the Michelangelo Virus furor that erupted a few years ago, our fear and the attendant hype outstripped the actual damage caused. Part of the issue here is our attention span. Clearly, viruses are very real and can and do cause much mayhem even if the damage occurs after the press and management focus moves on to other issues. Similarly, the vulnerabilities that SATAN identifies are real and exploitable but won't evidence themselves in a sudden series of attacks days or hours after the SATAN release. However, with thousands of copies freely available and in use SATAN will make an impact. It won t aid the knowledgeable intruder who is already aware of how to break in but it will assist the less than gifted would-be intruder. As these thousands of copies coarse throughout the Internet, we and the computer security community will be in a better position to assess the real impact of SATAN and whether the initial hysteria was founded after about 6 months of perspective is gained. DOES SATAN IDENTIFY NEW VULNERABILITIES? No, all the vulnerabilities it finds are well known and have either bulletins and/or patches from an incident response team or a vendor. HOW IS SATAN DIFFERENT FROM OTHER SECURITY TOOLS? Tools similar to SATAN have been available to Internet users for several years, both commercially and in the public-domain. These tools are also used by the intruder community to identify systems vulnerable to attack. SATAN is different in that it can be configured to test virtually any system or network of systems accessible to the Internet. SATAN is also more powerful than previous tools and able to identify more vulnerabilities. SATAN can discover whether a system trusts connections from other systems, and then scan those systems. SATAN's WWW interface is easy to use and its results are easy to view. Additionally, SATAN can be modified easily to exploit new vulnerabilities. ADVICE FOR SYSTEM AND NETWORK MANAGERS Sites should be concerned that internal users as well as intruders could run SATAN and expose site vulnerabilities. Thus, NIST recommends the following: - sites should develop policies for using SATAN responsibly and efficiently, - sites should promptly correct all vulnerabilities before vulnerable systems could be attacked, - sites should look-out for illicit scans of their networks by SATAN or other tools, and - system managers should install access control software to ensure scans of their systems by SATAN will be noticeable and consider installing SATAN detector software developed by incident response teams. Sites should also improve their network and host security policies and measures. Sites should consider installing firewall systems so that internal systems are easier to manage and less vulnerable to attacks. Sites should install all vendor patches and subscribe to vendor and incident response team mailing lists so that they will be notified of future patches or vulnerabilities. Sites should develop policy for network usage, Internet access, and incident reporting. It is very important that sites improve system management by allotting sufficient time for system administration duties and training as necessary. Lastly, when purchasing systems, sites should demand security features and properly install and configure new systems and periodically recheck old systems. FOR FURTHER INFORMATION NIST operates a clearinghouse of computer security information and tools accessible via the Internet and dial-in at all times. The clearinghouse contains links to information about computer security and incident response team clearinghouses. Together, these sites provide basic and detailed computer security information, vulnerability and threat assessments, incident response team alerts, vendor patches, and computer security tools including firewalls and pointers to vendors. The clearinghouse is accessible via the following methods: WWW: http://csrc.ncsl.nist.gov ftp: csrc.ncsl.nist.gov, login as "anonymous" email: send message "send INDEX" to docserver@csrc.ncsl.nist.gov dial-in: 301-948-5717