
Friday, February 20, 2009

SATAN SECURITY ANALYSIS TOOL FOR AUDITING NETWORK


INTRODUCTION

What is SATAN?

>> SATAN is the Security Analysis Tool for Auditing Networks. In its simplest (and default) mode, it gathers as much information about remote hosts and networks as possible by examining their network services.

>> The information gathered includes the presence of various network information services as well as potential security flaws -- usually in the form of incorrectly set up or configured network services, well-known bugs in system or network utilities, or poor or ignorant policy decisions.

>> It can then either report on this data or use a simple rule-based system to investigate any potential security problems.

>> Users can then examine, query, and analyze the output.

>> While the program is primarily geared towards analyzing the security implications of the results, a great deal of general network information can be gained when using the tool - network topology, network services running, types of hardware and software being used on the network, etc.

Who should use SATAN?

SATAN should prove to be most useful when used by the system or security administrators who own or are responsible for the security of the systems involved.

In the Internet community, it should be used by anyone who is concerned about the security of their systems, since potential intruders will be able to access the same security vulnerability information and since it is quite likely that it will uncover security problems that were previously unknown.

How does it work?


SATAN has a target acquisition program that uses fping to determine whether or not a host or set of hosts in a subnet are alive.

It then passes this target list to an engine that drives the data collection and the main feedback loop.

Each host is examined to see if it has been seen before, and, if not, a list of tests/probes is run against it (the set of tests depends on how far the host is from the initial target and on the probe level that has been set).

The tests emit a data record that has the hostname, the test run, and any results found from the probe; this data is saved in files for analysis.

The user interface uses HTML to link the often vast amounts of data to more coherent and palatable results that the user can readily digest and understand.
