ch04.htm

Maximum Security (First Edition) 网络安全 英文版

<H3><FONT COLOR="#000077"><B>SATAN and Other Tools</B></FONT></H3>
<P>Today, government sites are cracked with increasing frequency. The authors of
the GAO report attribute this largely to the rise of user-friendly security programs
(such as SATAN). <I>SATAN</I> is a powerful scanner program that automatically detects
security weaknesses in remote hosts. It was released freely on the Net in April,
1995. Its authors, Dan Farmer and Weitse Venema, are legends in Internet security.
(You will learn more about these two gentlemen in Chapter 9, &quot;Scanners.&quot;)</P>
<P>Because SATAN is conveniently operated through an HTML browser (such as Netscape
Navigator or NCSA Mosaic), a cracker requires less practical knowledge of systems.
Instead, he or she simply points, clicks, and waits for an alert that SATAN has found
a vulnerable system (at least this is what the GAO report suggests). Is it true?</P>
<P>No. Rather, the government is making excuses for its own shoddy security. Here
is why: First, SATAN runs only on UNIX platforms. Traditionally, such platforms required
expensive workstation hardware. Workstation hardware of this class is extremely specialized
and isn't sold at the neighborhood Circuit City store. However, those quick to defend
the government make the point that free versions of UNIX now exist for the IBM-compatible
platform. One such distribution is a popular operating system named <I>Linux</I>.</P>
<P>Linux is a true 32-bit, multi-user, multi-tasking, UNIX-like operating system.
It is a powerful computing environment and, when installed on the average PC, grants
the user an enormous amount of authority, particularly in the context of the Internet.
For example, Linux distributions now come stocked with every manner of server ever
created for TCP/IP transport over the Net.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>Linux runs on a wide
	range of platforms, not just IBM compatibles. Some of those platforms include the
	Motorola 68k, the Digital Alpha, the Motorola PowerPC, and even the Sun Microsystems
	SPARC architecture. If you want to learn more about Linux, go to the ultimate Linux
	page at <A HREF="http://www.linux.org/"><B>http://www.linux.org/</B></A>. 
<HR>


</BLOCKQUOTE>

<P>Distributions of Linux are freely available for download from the Net, or can
be obtained at any local bookstore. CD-ROM distributions are usually bundled with
books that instruct users on using Linux. In this way, vendors can make money on
an otherwise, ostensibly free operating system. The average Linux book containing
a Linux installation CD-ROM sells for forty dollars.</P>
<P>Furthermore, most Linux distributions come with extensive development tools. These
include a multitude of language compilers and interpreters:

<UL>
	<LI>A C language compiler
	<LI>A C++ language compiler
	<LI>A SmallTalk interpreter
	<LI>A BASIC interpreter
	<LI>A Perl interpreter
	<LI>Tools for FORTRAN
	<LI>Tools for Pascal
	<LI>A common LISP interpreter
</UL>

<P>Yet, even given these facts, the average kid with little knowledge of UNIX cannot
implement a tool such as SATAN on a Linux platform. Such tools rarely come prebuilt
in binary form. The majority are distributed as source code, which may then be compiled
with options specific to the current platform. Thus, if you are working in AIX (IBM's
proprietary version of UNIX), the program must be compiled for AIX. If working in
Ultrix (DEC), it must be compiled for Ultrix, and so on.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>A port was available for Linux not
	long after SATAN was released. However, the bugs were not completely eliminated and
	the process of installing and running SATAN would still remain an elusive and frustrating
	experience for many Linux users. The process of developing an easily implemented
	port was slow in coming. 
<HR>


</BLOCKQUOTE>

<P>Most PC users (without UNIX experience) are hopelessly lost even at the time of
the Linux installation. UNIX conventions are drastically different from those in
DOS. Thus, before a new Linux user becomes even moderately proficient, a year of
use will likely pass. This year will be spent learning how to use MIT's X Window
System, how to configure TCP/IP settings, how to get properly connected to the Internet,
and how to unpack software packages that come in basic source-code form.</P>
<P>Even after the year has passed, the user may still not be able to use SATAN. The
SATAN distribution doesn't compile well on the Linux platform. For it to work, the
user must have installed the very latest version of Perl. Only very recent Linux
distributions (those released within one year of the publishing of this book) are
likely to have such a version installed. Thus, the user must also know how to find,
retrieve, unpack, and properly install Perl.</P>
<P>In short, the distance between a non-UNIX literate PC user and one who effectively
uses SATAN is very long indeed. Furthermore, during that journey from the former
to the latter, the user must have ample time (and a brutal resolve) to learn. This
is not the type of journey made by someone who wants to point and click his or her
way to super-cracker status. It is a journey undertaken by someone deeply fascinated
by operating systems, security, and the Internet in general.</P>
<P>So the government's assertion that SATAN, an excellent tool designed expressly
to improve Internet security, has contributed to point-and-click cracking is unfounded.
True, SATAN will perform automated scans for a user. Nonetheless, that user must
have strong knowledge of Internet security, UNIX, and several programming languages.</P>
<P>There are also collateral issues regarding the machine and connection type. For
example, even if the user is seasoned, he or she must still have adequate hardware
power to use SATAN effectively.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>You will examine SATAN
	(and programs like it) in greater detail in Chapter 9. In that chapter, you will
	be familiarized with many scanners, how they work, how they are designed, and the
	type of information they can provide for users. 
<HR>


</BLOCKQUOTE>

<P>SATAN is not the problem with government sites. Indeed, SATAN is not the only
diagnostic tool that can automatically identify security holes in a system. There
are dozens of such tools available:

<UL>
	<LI>Internet Security Scanner (ISS)
	<LI>Strobe
	<LI>Network Security Scanner (NSS)
	<LI>identTCPscan
	<LI>Jakal
</UL>

<P>Chapter 9 examines these automated tools and their methods of operation. For now,
I will simply say this: These tools operate by attacking the available TCP/IP services
and ports open and running on remote systems.</P>
<P>Whether available to a limited class of users or worldwide, these tools share
one common attribute: They check for known holes. That is, they check for security
vulnerabilities that are commonly recognized within the security community. The chief
value of such tools is their capability to automate the process of checking one or
more machines (hundreds of machines, if the user so wishes). These tools accomplish
nothing more than a knowledgeable cracker might by hand. They simply automate the
process.
<H3><FONT COLOR="#000077"><B>Education and Awareness About Security</B></FONT></H3>
<P>The problem is not that such tools exist, but that education about security is
poor. Moreover, the defense information networks are operating with archaic internal
security policies. These policies prevent (rather than promote) security. To demonstrate
why, I want to refer to the GAO report I mentioned previously. In it, the government
concedes:

<DL>
	<DD>...The military services and Defense agencies have issued a number of information
	security policies, but they are dated, inconsistent and incomplete...
</DL>

<P>The report points to a series of Defense Directives as examples. It cites (as
the most significant DoD policy document) Defense Directive 5200.28. This document,
<I>Security Requirements for Automated Information Systems</I>, is dated March 21,
1988.</P>
<P>In order to demonstrate the real problem here, let's examine a portion of that
Defense Directive. Paragraph 5 of Section D of that document is written as follows:

<DL>
	<DD>Computer security features of commercially produced products and Government-developed
	or -derived products shall be evaluated (as requested) for designation as trusted
	computer products for inclusion on the Evaluated Products List (EPL). Evaluated products
	shall be designated as meeting security criteria maintained by the National Computer
	Security Center (NCSC) at NSA defined by the security division, class, and feature
	(e.g., B, B1, access control) described in DoD 5200.28-STD (reference (K)).
</DL>



<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><I><B>Cross Reference:</B></I></FONT><I><B> </B>Security Requirements
	for Automated Information Systems</I> is available on the Internet at <A HREF="http://140.229.1.16:9000/htdocs/teinfo/directives/soft/5200.28.html"><TT>http://140.229.1.16:9000/htdocs/teinfo/directives/soft/5200.28.html</TT></A>
	
<HR>


</BLOCKQUOTE>

<P>It is within the provisions of that paragraph that the government's main problem
lies. The Evaluated Products List (EPL) is a list of products that have been evaluated
for security ratings, based on DoD guidelines. (The National Security Agency actually
oversees the evaluation.) Products on the list can have various levels of security
certification. For example, Windows NT version 3.51 has obtained a certification
of C2. This is a very limited security certification.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>Before you continue,
	you should probably briefly view the EPL for yourself. Check it out at <A HREF="http://www.radium.ncsc.mil/tpep/epl/index.html"><TT>http://www.radium.ncsc.mil/tpep/epl/index.html</TT></A>.
	
<HR>


</BLOCKQUOTE>

<P>The first thing you will notice about this list is that most of the products are
old. For example, examine the EPL listing for Trusted Information Systems' Trusted
XENIX, a UNIX-based operating system.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>The listing for Trusted
	XENIX can be found at <A HREF="http://www.radium.ncsc.mil/tpep/epl/entries/CSC-EPL-92-001-A.html"><TT>http://www.radium.ncsc.mil/tpep/epl/entries/CSC-EPL-92-001-A.html</TT></A>
	
<HR>


</BLOCKQUOTE>

<P>If you examine the listing closely, you will be astonished. TIS Trusted XENIX
is indeed on the EPL. It is therefore endorsed and cleared as a safe system, one
that meets the government's guidelines (as of September 1993). However, examine even
more closely the platforms on which this product has been cleared. Here are a few:

<UL>
	<LI>AST 386/25 and Premium 386/33
	<LI>HP Vectra 386
	<LI>NCR PC386sx
	<LI>Zenith Z-386/33
</UL>

<P>These architectures are <I>ancient</I>. They are so old that no one would actually
use them, except perhaps as a garage hacking project on a nice Sunday afternoon (or
perhaps if they were legacy systems that housed software or other data that was irreplaceable).
In other words, by the time products reach the EPL, they are often pathetically obsolete.
(The evaluation process is lengthy and expensive not only for the vendor, but for
the American people, who are footing the bill for all this.) Therefore, you can conclude
that much of the DoD's equipment, software, and security procedures are likewise
obsolete.</P>
<P>Now, add the question of internal education. Are Defense personnel trained in
(and implementing) the latest security techniques? No. Again, quoting the GAO report:

<DL>
	<DD>Defense officials generally agreed that user awareness training was needed, but
	stated that installation commanders do not always understand computer security risk
	and thus, do not always devote sufficient resources to the problem.
</DL>

<H4><FONT COLOR="#000077"><B>High-Profile Cases</B></FONT></H4>
<P>Lack of awareness is pervasive, extending far beyond the confines of a few isolated
Defense sites. It is a problem that affects many federal agencies throughout the
country. Evidence of it routinely appears on the front pages of our nation's most
popular newspapers. Indeed, some very high-profile government sites were cracked
in 1996, including the Central Intelligence Agency (CIA) and the Department of Justice
(DoJ).

<UL>
	<LI>In the CIA case, a cracker seized control on September 18, 1996, replacing the
	welcome banner with one that read <I>The Central Stupidity Agency</I>. Accompanying
	this were links to a hacker group in Scandinavia.
</UL>



<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>To see the CIA site in
	its hacked state, visit <A HREF="http://www.skeeve.net/cia/"><TT>http://www.skeeve.net/cia/</TT></A>.<BR>
	
<HR>

<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B><TT>skeeve.net</TT> was one of many
	sites that preserved the hacked CIA page, primarily for historical purposes. It is