free security tools: pros and cons: a review of free security tools




Network Security, October 1999 (© 1999 Elsevier Science Ltd)

My assessment is that Internet-based security education today is rapidly approaching the level of effectiveness and interaction that televised two-way education achieved 20 years ago, and that it will likely not go far beyond this for quite some time to come. The reason is the same as the reason that televised education didn’t go much further: because 80% of the quality at 20% of the cost is about as good as you can do. While a few minor improvements will be made, today you can get almost as good an education by the combination of CD-ROMs, E-mail interaction, Internet-based content, strategic scenario gaming, and well thought-out homework assignments as you can in a classroom with a slightly less knowledgeable professor and a less-than-ideal set of laboratories. While this is not as good as it could get, it is as good as it is likely to get for some time to come. With the large number of students requiring education in this area and the lack of adequate facilities and experts in academia, I can’t see it going any other way for now.

About the author:

Fred Cohen is a Principal Member of Technical Staff at Sandia National Laboratories and a Managing Director of Fred Cohen and Associates in Livermore, California, an executive consulting and education group specializing in information protection. He can be reached by sending E-mail to fc@all.net or visiting http://all.net/.

Free Security Tools: Pros and Cons

A review of free security tools

Dario Forte

The reasons for the choice

Open Source is now an established phenomenon: basic products such as LINUX, “x”BSD and BeOS are already widely available. There are two main factors driving this expansion: costs are very low and it is relatively simple - though not exactly within everyone’s capabilities - to implement an infrastructure based on software completely supported by the international community, with no purchase costs. For this reason, operators have recently focused their attention on system and network management products, with particular emphasis on security.

For the last five years the international scientific community has been intensely engaged in the development of this type of tool, which in many cases constitutes a guiding light for commercial products as well. Nevertheless, these products do have their limitations, especially for those known in the lingo as “timid administrators”, who often lack the proper skills for setting them up and using them properly.

The main categories

There are currently several dozen open source security tools and I am not going to be able to give a complete overview of them in one article. Nevertheless, I can certainly say something about the most widely used tools, which can be broken down into the following categories:

- Auditing tools. These are the most common. They perform vulnerability assessments. These tools are often included among Intrusion Detection Systems (IDS), even though certain researchers would categorize them differently.

- Intrusion Detection Systems. Considered for about a year now to be the irreplaceable complement to firewalls, IDSs are used to detect attempts at intrusion into the network, whether they come from inside or outside of the perimeter. When an intrusion attempt is detected, countermeasures are activated and the system administrator is notified.

- Firewalls. In reality, there are not many open source firewalls and those that do exist are mainly linked to an operating system. Every LINUX release, for example, includes software such as fwtk and ipchains, which provide an excellent solution at zero cost. Their disadvantages lie in the lack of a stock graphic interface and some distribution management problems. Nevertheless, there are many Web sites offering free downloads of well-made graphic interfaces, along with a series of alternative products.

- Authentication Servers. Here too, the available tools are generally linked to standard protocols such as RADIUS, TACACS and Kerberos (currently available in Version 5, used by Windows 2000 for various authentication functions, such as the new trust relationships between domains).

- Virtual Private Network tools. VPN tools are the second most widely used after auditing tools. We will speak at length about them in this article.

The free auditing tools

SATAN

Without any doubt, Security Administrator’s Tool for Analyzing Networks (SATAN) is the granddaddy of the category. Created in the mid-1990s by the holy wonders, Dan Farmer and Wietse Venema, currently separated only by company allegiance (Farmer is in R&D at Earthlink (USA), and Venema is in R&D with IBM TJ Watson), SATAN is still available in the public domain and works principally on the following types of misconfigurations:

- NFS file systems exportable to arbitrary hosts;

- NFS file systems exportable to non-authorized programs;

- NFS file systems exportable via portmapper;

- Access to files containing NIS passwords by non-authorized hosts;

- Obsolete versions of SendMail (i.e. earlier than 8.6.10);

- Disabled access controls to the X server;

- Files accessible without authorization via TFTP;

- Access to remote shells by non-authorized hosts;

- Possibility to write in the home directory via anonymous FTP.

SATAN’s authors were principally motivated by the exposure of open systems to misconfigurations and the directly proportional vulnerability of these systems to exploits. SATAN’s main objective is to provide system administrators with an auxiliary tool. For every vulnerability discovered, the tool provides a tutorial to help system administrators develop the skills necessary to resolve the problem. The solution is achieved via one of four fundamental methods: correction of the error in the configuration file; installation of a bugfix supplied by the vendor; use of a workaround; or simply disabling the service.
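As an added illustration of the first misconfiguration on SATAN’s list (this is not SATAN’s own code, which probed live hosts over the network), the following Python checks an /etc/exports file in the Linux syntax for file systems that any host can mount; the sample exports file is constructed for the example.

```python
"""Flag NFS file systems that arbitrary hosts can mount (first item on SATAN's
list). Added example using the Linux /etc/exports syntax; not SATAN's code."""
from dataclasses import dataclass, field


@dataclass
class Export:
    path: str
    clients: list = field(default_factory=list)  # (host, options) pairs


def parse_exports(text):
    """Parse /etc/exports text: '#' starts a comment, a trailing backslash
    continues the entry on the next line, each client is host(options)."""
    exports, logical = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            logical += line[:-1] + " "
            continue
        fields = (logical + line).split()
        logical = ""
        if not fields:
            continue
        export = Export(fields[0])
        for client in fields[1:]:
            host, _, opts = client.partition("(")
            export.clients.append((host, opts.rstrip(")")))
        exports.append(export)
    return exports


def arbitrary_host_exports(text):
    """Return (path, reason) for each export any host may mount: no client
    list at all, a bare '*' client, or '(options)' with no host in front.
    Domain wildcards such as *.example.org are broad but not arbitrary."""
    findings = []
    for export in parse_exports(text):
        if not export.clients:
            findings.append((export.path, "no host restriction"))
            continue
        for host, opts in export.clients:
            mode = "rw" if "rw" in opts.split(",") else "ro"
            if host == "*":
                findings.append((export.path, f"wildcard host * ({mode})"))
            elif host == "":
                findings.append((export.path, f"options without host ({mode})"))
    return findings


# Constructed sample exports file, not taken from any real host.
SAMPLE_EXPORTS = """\
# constructed sample
/home     10.0.0.0/24(rw,sync) admin.example.org(rw,no_root_squash)
/pub      *(ro)
/scratch
/data     *.example.org(rw) \\
          backup.example.org(ro)
/exp      (rw)
"""
```

Run `arbitrary_host_exports(SAMPLE_EXPORTS)` to list the three world-mountable entries (/pub, /scratch and /exp); the two restricted exports are left alone.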

TITAN

In SATAN’s wake, and that of its immediate successor, SAINT, Dan Farmer, this time together with Brad Powell of Sun Microsystems and Matthew Archibald of KLA-Tencor, came up with the idea of creating a new tool along the same lines but containing different features. TITAN was presented for the first time at the LISA Conference 1998 in the USA.

The first thing the authors pointed out is that installing TITAN does not eliminate the need for other security auditing tools. This product is not a complete alternative to commercial tools, but merely supplements them.

This tool offers many improvements over SATAN, mainly regarding Denial of Service (DoS) attacks, improved logging and auditing as well as perimeter protection, and making security policies as robust as possible.

Although its authors point out certain a priori limitations, TITAN is considered a valid policy assessment tool, one that is simple to use and has a modular structure in keeping with the modern UNIX software implementation model, used by Wietse Venema as well in his Postfix mailer. TITAN does not suffer the drawbacks of monolithic implementations characteristic of older UNIX software. Many programmers have caught on to the fact that by using a modular approach it is possible to create a framework that can accommodate new components at any time while limiting the impact of certain attacks, such as DoS, which by striking a single product module leaves the rest of the structure intact.

TITAN is commercially available under Sun Solaris.

NESSUS

When the first release was announced about eight months ago, people thought it was a prank. A tool usable on all the principal UNIX and Windows platforms, making wide use of Java, addressing a broad range of vulnerabilities and especially having such a promising evolutionary roadmap seemed too good to be true. But instead, in just a few short months, NESSUS has become a benchmark among free auditing tools.

The software is composed of two parts: a server that launches attacks against a remote host, and a client that generates auditing procedure reports. NESSUS was developed under UNIX (NetBSD, LINUX) and was later recompiled under Windows NT. A Java client version called NESSUSJ is currently available.

I have personally team tested the server side of NESSUS in depth under LINUX SUSE 6.0 with Kernel 2.2.25, using all available clients. Basically, the test involved deliberately creating misconfigurations and letting the software take care of any resulting problems. The feedback was entirely positive. It would thus be advantageous to include NESSUS at least in new LINUX releases.

Information on the project is available at www.nessus.org.

AAFID

AAFID belongs to the Intrusion Detection Systems category and is a project of COAST, one of the most active workgroups in security. COAST operates out of Purdue University and develops a series of projects ranging from training to developing literature and tools.

AAFID, currently in the advanced prototype stage, is an IDS project based on the concept of Autonomous Agents. Here too a modular approach is preferred over a monolithic implementation for the reasons stated above. AAFID was written completely in Perl 5 in order to favour its portability onto various platforms. AAFID 2 currently runs under UNIX.

NFR

Network Flight Recorder is considered another benchmark IDS. Based on an extremely open architecture, the creation of Marcus Ranum’s team cannot be considered wholly free of charge. You can download a research version at the NFR site (www.nfr.net) which allows unlimited use but strictly for research purposes. Those wishing to use NFR within a commercial enterprise must obtain a licensing agreement.

Its salient characteristics include the frequency of code updates and, naturally, the very low percentage of false alarms.

TRINUX

TRINUX is another very interesting project in no-cost firewalling. Among its other attributes, it requires minimal hardware resources since it resides exclusively in RAM.

TRINUX is portable and can be booted off 2-3 floppies or a FAT16 partition and runs entirely in RAM. It operates like a pure firewall with very advanced and effective functions. On the downside, TRINUX lacks a graphic interface.

LINUX S/WAN

The last item in our brief review is a VPN tool.

S/WAN is a tunnelling project between UNIX endpoints based on Internet Protocol SECurity (IPSEC), a set of protocols developed to manage tunnelling and authentication under IPv6. However, given the objective soundness of the security model, IPSEC features have also been implemented under IPv4.

Various implementations of IPSEC exist, some of which are available commercially. The one used by S/WAN is naturally under GNU license. The project leaders affirm that S/WAN is compatible with all IPSEC versions developed in conformity with RFC 2401 and supplements. S/WAN is currently considered one of the most promising free VPN projects along with VPND (a VPN project that uses a private key cryptosystem based on the Blowfish algorithm, particularly well suited for use with serial connections). S/WAN is in ongoing evolution: volunteers are sought for the development of integration modules with PKI and key exchange protocols such as the very interesting Photuris.

Conclusions

I believe I can claim sufficient experience to second Dan Farmer in his suggestion that non-expert system administrators should not include production infrastructures in widescale auditing procedures conducted with tools of this type. It is preferable to carry out a preliminary testing phase. One of the teams I work with has set up a workshop with about 10 machines:

- two Web servers (Apache/IIS);

- one DNS (BIND);

- one mailer (SENDMAIL);

- two file servers (LINUX/NT);

- fwtk/ipchains under LINUX SUSE 6.1;

- one router/gateway;

- one machine dedicated to the tool with SOLARIS;

- one machine dedicated to the tool with LINUX.

I would mention again that, apart from NESSUS (also available in an NT version, which, among other things, has not proven to be very stable), all the security tools discussed in this article are available for UNIX platforms. This means that the people delegated to the testing phase should have a good level of competency with this operating system.

Granted that this tester’s opinions grow out of a tenuous equilibrium between experience, religious warring and, better admit it, state of mind, I believe that as things currently stand NESSUS is the most interesting auditing tool project. As far as VPNs are concerned, S/WAN appears to be the boldest. If we look at Intrusion Detection Systems, allowing that this one can be considered relatively ‘free’, I think that NFR’s flexibility and analysis model are worthy of regard.

Where to find the software

TRINUX: www.trinux.org.

NESSUS: www.nessus.org.

The main site for S/WAN is http://www.xs4all.nl/~freeswan/, and the VPND home page is http://www2.crosswinds.net/nuremberg/~anstein/unix/vpnd.

TITAN can be downloaded along with other software written by Farmer at the URL www.fish.com/security.

NFR is available at http://www.nfr.net/index.html.

AAFID can be found, along with a broad range of other tools and information, at http://www.cerias.purdue.edu/.

Auditing the Network Environment at a Technical Level: Why’s, How’s and Aha!’s

Dr. Bill Hancock, CISSP, Chief Technology Officer, Network-1 Security Solutions, Inc., 1601 Trapelo Rd., Waltham, MA 02451, USA; Tel: +1-781-522-3400; Fax: +1-781-522-3450; E-mail: hancock@network-1.com; Web site: www.network-1.com.

One of the pervasive concerns in dealing with cyber-security is the dreaded information systems (IS) audit. Most companies of a goodly size have an IS audit staff and if you work for a financial organization like a bank, you can count on regular visits by the populus thereof. We have all been indoctrinated to the necessity of IS audits and if you have ever worked for a larger company, you have been through them more than once - usually with mixed results, some good, some bad, some you are not terribly sure about. I have seen the entire gamut of IS audit results in my career and, unfortunately, when it comes to network security audits, most are on the “we’re not sure how to really find the right data and therefore did a lame job and the networking geeks know it and are laughing at us” end of the spectrum.

I have been teaching ISACA, IIA and various other organizations the components, technologies and issues involved with performing a real technical network audit for the last couple of years. I even went as far as to write a detailed audit program for IS auditors, which is downloadable from the security library at the Network-1 Web site (www.network-1.com). This all got started when a customer of ours asked us to do a technical audit of their network and I ended up generating a 974 page technical document of all the problems on the network that the network engineering folks could not refute (to wit: they ended up, putting it mildly, “freaking out in a major funky way” over what had been discovered in a real technical audit). The reason we were asked to perform the technical audit was simple: the IS audit staff was not technically qualified to audit network technologies and had failed rather miserably more than once. The networking personnel
