At 04:51 AM 2/1/97 +1000, you wrote:
>In reply to the honourable 'frankw @ net' who said:
>> The SATAN tool (or SANTA as I prefer to call it - after running the
>> REPENT program) is vastly over-hyped & over-rated. BTW, I hope you
>Sorry but some of us beg to differ, FWIW it's a great tool and I'm sure many
>recognise its worth. Putting it down the way you did does the author DF a
>disservice. It's just another tool in the sysadmin's suite of tools or
>should be seen
>as such, and it performs, what is normally a repetitive and standard set of
>diagnostics that one should be running on one's _own_ network, extremely well.
I maintain my stance that the SATAN/SANTA tool is over-hyped and over-rated.
Just before it was released, it made a lot of Information Security Officers
(including me) very nervous. At the time I was a Company (nationwide)
Information Security Operations officer for a major US hi-tech company overseas
(@3K systems and 6K employees, but I digress). After putting the tool on the
bench and seeing what it really does, we breathed a lot easier.
Here are a few reasons why:
o The software was/is out-dated (even when it was released). If you are
keeping your software current, then it is highly likely that your system
will contain patches for vulnerabilities that the SANTA tool would detect.
o An Operating System (O/S) contains 5 major components - Accounts, Auditing,
File System, Network, & System areas (root files, system binaries, etc.).
In performing its testing, the SANTA tool relies on the network component
(only) of the Operating System to tell you about the security of the
*entire* O/S (as seen by the network). While this is a noble goal, it
falls far short. Non-networking components of the O/S are not evaluated.
IOW, if your networking component is secure, but your system is wide open
because of problems in other areas, your system is vulnerable to being
taken over - in spite of a report from SANTA that your system is OK.
Use the right tool for the right job. SANTA tests (primarily) the
networking component, and it doesn't do that very well, IMHO.
o The SANTA tool performs a very small portion of the tests that ISS
and other vendors' products perform. If it doesn't test for attacks
such as SYN-flooding or the "Ping-of-death", then it can't tell you
if these will be a problem for you or not.
o A "clean bill of health" from the SANTA tool gives the sysadmin a false
sense of security about the security of his/her systems.
o At best, the SANTA tool will tell the beginner sysadmin if they
have overlooked something basic, but beyond that, it is useless.
o Another nit is the choice of the name that was chosen. In one stroke,
DF & WV managed to alienate those who are offended by the name "SATAN".
The name SATAN signifies the epitome of evil. If the tool was intended
to be used for good rather than evil purposes, the choice of the name
was the worst one possible. I don't know the agenda behind the name,
but I am curious why they chose that particular name rather than any of a
multitude of other suitable names.
o It is my understanding that a trojan horse was planted (by a hacker)
in version 1.1 of the tool. If you really insist on using the tool,
run the latest version possible (or v1.1.1 as a minimum).
o It is probably worth checking the 'net for free & commercial versions
of tools similar to the SANTA tool. You will probably find other
tools which provide better coverage than the SANTA tool.
o Use the right tool for the right job. A network security tool is only
one of many tools which a skilled Information Security Officer uses
to keep their environment secure.
Santa does have two redeeming graces <double-pun intended>, but they
don't outweigh the disadvantages, IMHO. The few advantages are:
o The source code is available, so it can be modified to run on custom
o Further, since the source code is available, any sysadmin can add
custom modules to the tool (OTOH, so can the hackers).
Last, but not least, if one of our customers has heard of the tool and
is curious what it looks like, we will show it to them. Then we will
show them that our typical network security analysis services (such as
Firewall Penetration Tests, etc.) discover far more potential problem
areas than the SANTA tool ever could. FWIW, the contrast between the
"much-feared" SANTA tool and the far more extensive tests that we run
makes *quite* a favorable impression on our customers.
| Fortified Networks, Inc. - Expert Information Security Consulting |
| Web: http://www.fortified.com |
| Phone: (317) 573-0800 |
| Fax: (317) 573-0817 |