Great Circle Associates Firewalls
(March 1995) 		 
Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]
Subject: Re: SATAN
From: mshaver @ schoolnet . carleton . ca (Mike Shaver)
Date: Wed, 22 Mar 1995 20:02:11 -0500 (EST)
To: fillmore @ emr . ca (Bob Fillmore 992-2832)
Cc: ericm @ microunity . com, fc @ all . net, firewalls @ greatcircle . com
In-reply-to: <9503222342 . AA27416 @ emr1 . emr . ca> from "Bob Fillmore 992-2832" at Mar 22, 95 06:42:50 pm 
Bob Fillmore 992-2832 mumbled something vague about:
> 
> Eric Murray writes:
> 
> > Dr. Frederick B. Cohen wrote:
> > > 
> > > The real question is whether the good guys will get the release before
> > > the bad guys and how you tell them apart.
> 
> > how would you be able to tell 'good sysadmin' from 'bad hacker'?
> 
> Seems to me that there should be a secure way for an organization 
> such as CERT to release a tool like this a month or two in advance
> to bona fide domain technical contacts, as registered by the InterNIC.
> Perhaps something like PGP could be used to verify that the tool
> is sent to the correct person and isn't tampered with along the way.

After registering a few domains myself, I can tell you that we probably
don't want to be trusting blindly those that are technical domain contacts.
After all, I'm a *good guy* high school Unix hacker (not kraker, TYVM), but
you have no way of knowing that.

> How about this, CERT? InterNIC?  Any volunteers?

I'd offer to mirror it, but I don't think I constitute a HUGE ftp site.

Personally, I don't really understand why everyone is so worried about
SATAN.  Sure, if you have an unsecured network, and are just hoping to
survive by luck and sheer stubbornness, it could cause a problem, but no
more so than a kraker just deciding that he wants something to do.

I've seen the list of attacks that SATAN probes for, and they're not really
new.  All of them should be fixed by now if they're going to be fixed at
all.  I see SATAN as being a very useful *maintenance* tool, though.
Sort of like a networked Tripwire.  You run it on your internal networks to
see what things are like, fix them, and then run it periodically to make
sure that everything *stayed* fixed.

Also, it can help you get a feel for how far an intruder would get into your
soft, chewy centre.  If SATAN shows a line of holes from just inside the FW
to your payroll machine, you've got some work to do.  If the only path it
shows leads from your terminal servers to the public WWW site, then at least
the intruder won't use the SATAN holes. =)

Of course, any kraker with a common hole *not* probed by SATAN is sitting
pretty now.  After April 5th, there will be a *lot* of sysadmins with a bit
of panic (those that found holes), and even more with a false sense of
security (those that didn't).

Mike
References:
  • Re: SATAN
    From: fillmore @ emr . ca (Bob Fillmore 992-2832)
Indexed By Date Previous: Re: Wellfleet Routers
From: Reto Lichtensteiger <rali @ hri . com>
Next: Re: Wellfleet Routers
From: "Peter Harrison" <harrison @ wellfleet . com . au>
Indexed By Thread Previous: Re: SATAN
From: Michael Nelson <mikenel @ netcom . com>
Next: SATAN
From: rodney @ subasic . sciatl . com (Rodney Garner)
Google
 
Search Internet Search www.greatcircle.com