OMNIGUARD & COURTNEY PROTECT AGAINST SATAN SECURITY PROGRAM

If you're thinking of trying out the new SATAN (Security Administrator Tool for Analyzing Networks) security software -- which was just released over the Internet and other online services -- be careful you know how to "play with fire," some network security experts are warning.

"If I were an IS (information systems) manager, and I'd been reading some of the initial press reports about SATAN, I might assume the best thing to do is rush out, grab SATAN off the net, and put it on my system," said Rob Clyde, VP of security technology for Axent, in an interview with Newsbytes that also addressed Axent's new OmniGuard/Enterprise Access Control (EAC) security system.

"In the hands of a highly skilled individual, under carefully controlled circumstances, (use of SATAN) might make sense. But the next thing you know, we'll have thousands of people indiscriminately running SATAN due to curiosity and fear," Clyde added.

The Unix-based SATAN, which investigates the Transmission Control Protocol (TCP) ports of systems connected to the Internet, is being touted as a security tool by its creators: Dan Farmer, who previously authored the COPS (Computer Oracle and Password System) computer security analyzer, and Wietse Venema from the Eindhoven University of Technology in the Netherlands.

But Clyde and other critics point to the fact that SATAN can be used in two ways. The system weaknesses discovered by a SATAN probe can either be reported to the user, or abused by a security cracker. "Another thing we have against SATAN is that it 'reaches out and touches' other people's systems," Clyde noted.

Also over the Internet, the Lawrence Livermore National Laboratory has released a new tool called Courtney designed to protect against SATAN.
According to a recent report from Livermore, SATAN contains a "target selection" component which allows users to choose which computer or group of computers to attack, as well as the extent of the attack. A "light" attack reports what hosts are available, and which remote procedure call (RPC) services they offer. A "normal" attack probes the targets by establishing common service connections which are then used to determine operating system and version, along with any vulnerabilities. A "heavy" attack will search for several additional vulnerabilities, including "writeable" anonymous file transfer protocol (FTP) directories.

"Basically, SATAN is just another hacker's toolkit -- like ISS (Internet Security Scanner), for example -- but SATAN does have a couple of unique attributes," contended Clyde. Aside from its "provocative" name, SATAN provides a "pretty nice" hypertext markup language (HTML)-based graphical user interface (GUI) that makes the program "fairly easy to use," he elaborated.

Misuse of SATAN can take place either accidentally or intentionally. But in either case, companies will be faced with "some interesting liability issues" if employees who have loaded SATAN on to their systems then break in to other organizations' systems, he observed.

"One action companies should take immediately is to issue policy statements that running tools like SATAN will require prior approval from appropriate people in management," he advised. Beyond preventing unqualified employees from using SATAN, companies should also install 'active controls' against intrusion, like those provided by Axent's OmniGuard/EAC, he said.

Clyde explained that the virtually simultaneous release of OmniGuard/EAC and SATAN is coincidental. Axent had been working toward the current release date "for some time," according to the VP. Priced starting at $395, OmniGuard/EAC is currently available for SunOS, Solaris, HP-UX, and AIX.
Clyde added that OmniGuard/EAC differs from other Unix-based security systems by offering a GUI for establishing levels of privilege. As a result, this task no longer needs to be performed only by a company's "best and brightest," he reported. Through the GUI, he said, the administrator can set up a wide range of password controls for individual users, user groups, or global enforcement, such as specifying a format that all passwords must follow, or a minimum and maximum password length, preventing the creation of passwords that match a list of "easily guessed" passwords, and requiring password expiration after a specified length of time.

OmniGuard/EAC can also be used in conjunction with a "firewall." The Axent product is able to restrict access to each computer behind the firewall by source: internal network, external network, or dial-up modem. Unauthorized users can be prevented from privileged access even when the root password is known.

In addition, OmniGuard/EAC will "lock" unattended workstations until users reauthenticate themselves, restrict the number of concurrent log-in sessions, and limit access by time of day or day of week. If repeated break-in attempts are made, OmniGuard/EAC will detect the activity and "prevent entry," said Clyde.

Courtney, the new anti-SATAN tool from Livermore, is intended to monitor networks for the connection-attempt pattern applied by SATAN, assume that this pattern indicates a SATAN attack, and log the event. Marvin Christenson, Courtney's developer, acknowledges that Courtney is only able at this point to report the assumed attack and the network address of the attacker, but he is now working with other security experts to "strengthen" Courtney, according to the Livermore Lab. Courtney is available free of charge at http://ciac.llnl.gov/ciac/ToolsUnixNetMon.html#Courtney.
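
The kind of monitoring attributed to Courtney above can be sketched in a few lines. This is an added example, not Courtney's code: the article does not say what pattern Courtney matches, so the heuristic (one source reaching many distinct host/port pairs inside a short window), the thresholds, the record format and the sample records are all assumptions.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60.0   # assumed look-back window
MIN_SERVICES = 8        # assumed count of distinct (host, port) pairs that counts as a sweep

# Constructed records: "<epoch seconds> <source> <destination> <tcp port>"
SWEEP_PORTS = [21, 23, 25, 53, 79, 80, 111, 513]
SAMPLE_LOG = sorted(
    [f"{1000 + i} 192.0.2.10 10.0.0.5 {p}" for i, p in enumerate(SWEEP_PORTS)]            # fast sweep
    + [f"{1000 + i} 198.51.100.7 10.0.0.5 80" for i in range(10)]                        # busy web client
    + [f"{1000 + 100 * i} 203.0.113.9 10.0.0.5 {p}" for i, p in enumerate(SWEEP_PORTS)],  # same ports, spread out
    key=lambda rec: float(rec.split()[0]),
)


def detect_sweeps(records, window=WINDOW_SECONDS, min_services=MIN_SERVICES):
    """Return one alert per burst in which a source reaches min_services
    distinct (host, port) pairs within `window` seconds."""
    recent = defaultdict(deque)   # source -> (ts, dst, port) attempts still inside the window
    last_alert = {}               # source -> time of its most recent alert
    alerts = []
    for rec in records:
        fields = rec.split()
        if len(fields) != 4:
            continue              # skip malformed lines rather than abort monitoring
        ts, src, dst, port = float(fields[0]), fields[1], fields[2], int(fields[3])
        attempts = recent[src]
        attempts.append((ts, dst, port))
        while ts - attempts[0][0] > window:
            attempts.popleft()    # age out attempts older than the window
        services = {(d, p) for _, d, p in attempts}
        quiet = ts - last_alert.get(src, float("-inf")) > window
        if len(services) >= min_services and quiet:
            last_alert[src] = ts  # suppress repeat alerts for the same burst
            alerts.append({"time": ts, "source": src, "services": len(services),
                           "hosts": sorted({d for d, _ in services})})
    return alerts


if __name__ == "__main__":
    for alert in detect_sweeps(SAMPLE_LOG):
        print("possible sweep:", alert)
```

Only the fast sweep is reported; the repeated connections to a single port and the same ports spread over several minutes stay below the threshold, which also shows how a windowed count can be evaded by a slow probe.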