SAFEsuite

Creating a secure UNIX system is relatively easy if you know your security needs. However, creating the same level of security on a large number of systems is not easy at all: it takes time for the system administrator to check each system against the many parameters that determine the services offered and the security risks incurred. It is possible to assemble a set of monitors from publicly available software to solve some of these problems, but that means the system administrator must configure and support a large number of different packages. And even when all those packages are installed, there is still the issue of reporting the problems in a meaningful manner. Internet Security Systems (ISS) claims that SAFEsuite is an all-in-one package for testing and reporting important security issues on networks. SAFEsuite is a commercial version of the publicly available Internet Security Scanner; however, the current product has little in common with its publicly available predecessor. The original Internet Security Scanner was posted to Usenet by Christopher Klaus in 1992. In 1994 he founded ISS and began developing a commercial version of the scanner, which became the basis of SAFEsuite.

Issues

A network scanner can help a system administrator or security officer identify security issues with hosts on the LAN by automatically checking every host on the network for vulnerabilities and producing a report summarizing those that are found. However, if the site has no security policy, the decision about which issues should be addressed is left to the system administrator, who might or might not have the clout to put appropriate fixes in place. This is further complicated by the scanner's inability to determine whether a vulnerability is real or only appears to be. We saw examples of the latter in our firewall test, where the firewall was incorrectly reported as vulnerable to certain attacks.
Without a security policy, what should be supported is open to interpretation under informal and implicit guidelines. Such a situation makes it almost impossible for the system administrator to do a reasonable job: whatever decision is made will be subject to disagreement. No tool can ever replace experienced administrators writing a reasonable security policy. A security policy is the cornerstone of both perimeter and internal computer security. If an organization has no security policy, there is no way to determine how much security is enough, or to establish a security profile to serve as a guideline for implementing and testing a site's security. So before you invest in products, determine a security policy for your network.

Overview

SAFEsuite consists of three products: the Internet Scanner, the Firewall Scanner, and the Web Security Scanner. The Internet Scanner is designed to scan a TCP/IP network. The Web Security Scanner looks for problems in a Web server and the underlying OS platform, including misconfiguration of the Web server and vulnerabilities in CGI scripts that allow an intruder to gain access to the host. The Firewall Scanner looks for vulnerabilities in a firewall implementation and can test both proxy-based and packet-filter-based firewalls. As we use only application proxy-based firewall technology, we did not evaluate the scanner's ability to test, and possibly penetrate, the network behind a packet-filter-based firewall. Keeping a network-security analysis tool up to date, able to detect the holes used by the latest intruder strategies, is an arms race. ISS addresses this by releasing frequent updates to its product. According to the information we received from ISS, the company estimates six to nine updates per year; over the last two years ISS has made at least 12 updates available through its FTP site.
The three modules of SAFEsuite are licensed individually, so a user can purchase just what is required. The license keys are kept in a file that contains both the encrypted keys and key information (such as which products are licensed). The license information can also be accessed through a command-line version of the scanner. The license keys also specify which networks a user is allowed to scan. This limitation ensures that a system administrator is able to scan all the local networks but is unable to scan any network that is not part of the local domain. Our tests were run on a subnet containing both up-to-date UNIX systems and some older systems, added to the network as a control group to introduce vulnerabilities the scanner should be able to find. The tests were conducted from a Sun Microsystems SPARCstation running SunOS 4.1.3. The test also included a TIS Firewall Toolkit-based firewall, which was tested from both inside and outside the firewall.

Installation

Installing SAFEsuite is extremely simple: the only thing required is to run a script that installs the packages from either a CD-ROM or an archive downloaded through the Internet. The license keys, provided separately by ISS, must be copied into place afterward, as the installation process does not prompt for them. With the installation completed and the license keys in place, we were ready to start scanning our network for problems. However, we couldn't, because the scanner refused to operate: the older version from the CD-ROM hung, and the latest version downloaded from the ISS FTP site simply terminated. Working with ISS's technical support, we traced the problem to our kernel, which had been configured without semaphores to save memory. Switching to a generic kernel eliminated the problem immediately. However, we could not find any reference in the FAQ to the software having a special kernel requirement.
While many people are satisfied running the generic kernel on their systems, this is an issue when the kernel has been trimmed to include only the resources the system requires.

Running Tests

The scanner can be run from either an X11-based GUI or the command line. We ran all internal tests from the GUI, and ran the tests on our external network using the text-based command-line interface, because we did not want to run X11 on the outside network. The scanner-configuration window lets you specify which scans should be performed and on which hosts. The scanner provides four predefined scanning levels, from light, which scans only for services, to full, which performs all possible checks. The scanner also provides a custom level, which allows the user to determine which checks to perform. This allows the user to exclude checks that might not be appropriate in the local environment, or to tailor the scans to another list of requirements. By default, the scanner scans only the local host. The scanner's configuration window gives the user the option to add hosts or ranges of host addresses manually, or to point to an existing file with the list of hosts. If the local environment uses the host file /etc/hosts, the scanner can be pointed at that file. If the local environment uses NIS, such a file can easily be generated with the ypcat command. The difficulty normally arises when the local environment uses the Domain Name Service for hostname and address resolution; however, SAFEsuite includes a shell script that lets the system administrator generate a list of hosts, in the format used by /etc/hosts, for any of the local domains. This means that whatever is used locally for hostname resolution, the system administrator can easily generate the list of hosts to be scanned.
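The following is an added example, not code from the review or from SAFEsuite, showing how an administrator can turn an /etc/hosts-format file (or the equivalent output of ypcat) into a clean list of scan targets that stays inside the licensed address range. The sample hosts file is constructed for the example, and the licensed range is assumed to be expressible as a dotted prefix ending in "." (for instance "192.0.2."); the scanner's own target-file syntax beyond plain addresses is not assumed.

```shell
#!/bin/sh
# Added example (not part of the review or of SAFEsuite): build a scan
# target list from /etc/hosts-format text, keeping only addresses inside
# the licensed network prefix. Assumption: the licensed range is given as a
# dotted prefix ending in "." so that "192.0.2." cannot match 192.0.20.x.

# Constructed sample input in /etc/hosts format (addresses are documentation
# ranges, not real hosts).
make_sample_hosts() {
    cat <<'EOF'
# constructed sample: /etc/hosts, or the output of "ypcat hosts"
127.0.0.1       localhost loghost
192.0.2.10      sparc1 sparc1.example.test   # SunOS 4.1.3 scan host
192.0.2.11      sunos-old                    # control-group host
192.0.2.11      sunos-old-alias              # same address, second line
198.51.100.5    outside-gw                   # outside the licensed range
192.0.20.7      lookalike                    # shares digits, different net

192.0.2.20      webserver
EOF
}

# build_targets <licensed_prefix>
# Reads /etc/hosts-format text on stdin and prints one address per line,
# in input order, for hosts inside the licensed prefix. Comments, blank
# lines and loopback addresses are dropped; a duplicate address is printed
# only once, so aliases on separate lines do not produce repeat scans.
build_targets() {
    prefix=$1
    sed -e 's/#.*//' |
    awk -v prefix="$prefix" '
        NF == 0                  { next }      # blank or comment-only line
        $1 ~ /^127\./            { next }      # loopback, never a target
        index($1, prefix) != 1   { next }      # not inside the licensed prefix
        !seen[$1]++              { print $1 }  # first sighting only
    '
}

# count_targets <licensed_prefix>: same input on stdin, prints how many
# distinct hosts qualify (useful as a sanity check before a long scan).
count_targets() {
    build_targets "$1" | awk 'END { print NR }'
}

# Stand-alone demonstration: feed the constructed sample through the filter.
make_sample_hosts | build_targets "192.0.2."
```

Hosts that fall outside the licensed prefix are dropped before the list ever reaches the scanner, which avoids the refusal the scanner produces when an out-of-range host is entered, and the count lets the administrator confirm the list matches the size of the subnet they expect to scan.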
If the system administrator attempts to add a host outside the address range for which the license has been issued, the software refuses to enter the host into the list of hosts to be scanned.

Internal Tests

The first test we ran was the default light scan, which is intended to quickly evaluate the services offered by the hosts present on the network. This information can help a system administrator, who might find services offered somewhere on the network that either should not be present or were previously unknown. The analyzer lets the user choose between generating reports in text format (suitable for mailing and editing in a pure text-based environment) and in HTML format, which uses a Web browser to view the reports. The latter includes links to relevant Web pages, such as vendors and security organizations (including relevant CERT advisories). Unfortunately, many of these links only link back to the top of the document. We followed the light scan with a heavy one. This scan turned up several vulnerabilities on the hosts running older versions of SunOS. However, not all of the vulnerabilities were relevant to our environment. It is possible to create a configuration file enumerating vulnerabilities on this list of hosts that are acceptable and should not be reported. This file is attractive in that it reduces the noise in the resulting reports, but it also creates a vulnerability: an intruder who can modify such a configuration file can exclude the services the intruder wants to go unnoticed. Considering the purpose of the scanner, my choice (and obviously ISS's) is to have the scanner report everything and then spend the extra time manually filtering the irrelevant parts out of the reports. The full scan of our firewall did not find any vulnerabilities, although it reported a few items which, in our environment, are acceptable.
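For sites that do use an exclusions file despite the risk described above, the following is an added example, not code from the review or from SAFEsuite, of a pre-scan check that refuses to proceed if the file has changed or has become writable by anyone other than its owner. The file name, its line syntax ("service address"), and the recorded-checksum scheme are all hypothetical; the review only says such a configuration file exists.

```shell
#!/bin/sh
# Added example (not part of the review or of SAFEsuite): guard an
# exclusions file, the list of acceptable findings that should not be
# reported, against tampering between scans. The file layout used here
# ("service address" per line) and the owner rule are assumptions.

# Constructed sample exclusions file (hypothetical syntax), owner-only mode.
make_sample_exclusions() {
    printf 'tftp    192.0.2.11\nfinger  192.0.2.11\n' > "$1"
    chmod 600 "$1"
}

# record_exclusions <file>: print the POSIX cksum value. Store it somewhere
# the scanning host cannot silently alter (printed notes, read-only media),
# so a later change to the file is detectable.
record_exclusions() {
    cksum "$1" | awk '{ print $1 }'
}

# verify_exclusions <file> <recorded_cksum> [expected_uid]
# Returns 0 only when the file exists, is owned by the expected numeric uid
# (default: the user running the scan), is not writable by group or others,
# and still has the recorded checksum. Any other state returns 1 with a
# reason on stderr, so a wrapper script can abort the scan.
verify_exclusions() {
    file=$1; want=$2; owner=${3:-$(id -u)}
    [ -f "$file" ] || { echo "exclusions: missing $file" >&2; return 1; }
    # ls -ldn is portable where stat(1) flags are not: field 1 is the mode
    # string, field 3 the numeric owner.
    set -- $(ls -ldn "$file")
    mode=$1; have_owner=$3
    case "$mode" in
        ?????w*|????????w*)
            echo "exclusions: $file writable by group or others ($mode)" >&2
            return 1 ;;
    esac
    if [ "$have_owner" != "$owner" ]; then
        echo "exclusions: $file owned by uid $have_owner, expected $owner" >&2
        return 1
    fi
    have=$(record_exclusions "$file")
    if [ "$have" != "$want" ]; then
        echo "exclusions: $file checksum $have, recorded $want" >&2
        return 1
    fi
    return 0
}

# Stand-alone demonstration on a temporary file.
demo=$(mktemp)
make_sample_exclusions "$demo"
saved=$(record_exclusions "$demo")
verify_exclusions "$demo" "$saved" && echo "exclusions file verified"
rm -f "$demo"
```

The check is deliberately conservative: a permission loosening, an ownership change, or a single added line all cause the function to fail, and the caller is expected to fall back to the reviewer's own preference, a scan that reports everything, rather than run with a suspect exclusions list.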
It also set off a number of alarms on the firewall by trying to connect to several interesting ports, including tftp. In this case the scanner did not find any vulnerabilities, but it incorrectly reported some issues.
Incorrect information such as this can overwhelm the reports and can result in true vulnerabilities going unnoticed. On the other hand, it is much better to have the software report that it is unable to determine that a problem does not exist than to suppress potentially dangerous issues. The previous examples fall into this category. It is possible (though difficult) to create additional tests that can determine whether a vulnerability is real. The scans performed in this review showed that the scanner performs as well as ISS claims it will. Because of the limited size of our network, the scanner did not show as many vulnerabilities as it would in many real-life cases. Using this scanner, system administrators should be able to locate and fix problems that would otherwise go unnoticed. Most importantly, the scanner gives system administrators a good idea of what is present on their local networks. While the scanner will not find all possible problems, it will find most of the common ones.

Reporting

The report generator formats the raw data file well. The raw data files contain a wealth of information that is often of little interest, and the formatted report presents the essential information in a more readable form. The ability to generate both text- and HTML-formatted reports lets the user choose the format most appropriate at a given time. Unfortunately, the report generator spawns the Web browser directly, so the browser runs as root. ISS recommends that users taking advantage of the HTML feature run the analyzer as non-privileged users. While this is somewhat inconvenient, it resolves the issue by ensuring that the Web browser does not run with root permissions. The reports do not show which scan level was run. The raw scanner-output files contain detailed information about which options were enabled for the scan, but this information is not displayed in the analyzer output.
The analyzer also lets the user specify what kind of information should be included in the report. The samples shown in this review all include a description of the vulnerabilities and their fixes, but the user can easily elect to exclude this information.

Documentation

SAFEsuite comes with a manual close to 250 pages long. We liked the section that gave an overview of the various tests the scanner can perform and the list of defaults. Unfortunately, nothing in the documentation resembles a reference manual. The overview of the scanner is somewhat informal, which might work well for people new to security issues, but it makes gaining a good understanding of the software's capabilities more time-consuming. The command-line interface is documented very inconsistently. The main scan engine, iss, and the listdomain utility have what resemble UNIX manpages, while add-cron and config-gen are described only superficially. There is a brief description of a text-based report analyzer that is missing from the index. The index could be improved, as we were often unable to find what we needed and had to browse the manual.