We are excited that we are the subject of imitation by competing SATAN-compatible products. SARA continues to push the edge of network auditing tools.
When should we reduce maximum scanning performance?
Performance is often the major factor for tools that are used for exploitation
and discovery. SARA normally operates in a "fast scan" mode where system
resources are balanced with scanning packet density. However, there are
many instances where this is not the optimum solution. For instance, the
target(s) may be slow, may be linked via slow networks, or may be a member of
a congested hub. The environment in which SARA runs must also be considered. Lastly,
high packet density may cause a collapse of a marginal subnet. As a
result, we have added a performance mode to the command line arguments. The
"-p" option will reduce concurrent packet density in accordance with the
firewall parameters (e.g., 50 concurrent sockets/module).
Why didn't you use the autoconf configure instead of 'make OS_type'?
We tried the autoconf utility to standardize the building and installing of
SARA. We were unhappy with the numerous warning messages (especially with
SGI IRIX) that were generated. We believe that the current 'make' process
generates more robust software.
SATAN Developers
Why did we create SATAN? Quite simply, we wanted to know more about
network security, particularly with respect to large networks. There
is an enormous amount of information out there, and it is definitely not
clear by examining information and hosts by hand what the real
overall security picture is. SATAN was an attempt to break new ground,
to promote understanding, and to have fun writing such a program.
Money, endorsements, recording contracts, etc.
For the record, no one gave us any money to build the tool; the development
was done on our own time and equipment. No one (including our current
employers) endorses or directly supports it.
Why does it scan sites other than your own?
SATAN scans hosts other than your own because doing so gives a clearer
picture of what the network security of your site is, by examining the
webs of trust and the possible avenues of approach or attack. Since there is
no way that SATAN could, a priori, know where it is going to scan, we
decided that instead of placing artificial constraints on the program, we
would allow the system administrator to place their own constraints on
where SATAN would run, via the configuration file
(targeting exceptions).
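
The kind of administrator-set scope constraint described above, sketched as an added example; it is not SATAN's code or its configuration syntax. The policy names, the entry format (domain suffixes and CIDR networks) and the rule that deny entries win are assumptions made for illustration.

```python
import ipaddress

# Constructed sample policy; names and syntax are hypothetical, not SATAN's own.
ONLY_SCAN = ["example.edu", "192.0.2.0/24"]
NEVER_SCAN = ["hr.example.edu", "192.0.2.128/25"]


def _is_network(entry):
    """True if a policy entry parses as an IP network rather than a domain."""
    try:
        ipaddress.ip_network(entry, strict=False)
        return True
    except ValueError:
        return False


def _matches(target, entry):
    """True if target (hostname or IP string) falls under one policy entry."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        addr = None
    if _is_network(entry):
        return addr is not None and addr in ipaddress.ip_network(entry, strict=False)
    if addr is not None:
        return False  # a domain entry never matches a bare IP address
    host = target.lower().rstrip(".")
    entry = entry.lower().strip(".")
    # Compare whole labels so "badexample.edu" does not match "example.edu".
    return host == entry or host.endswith("." + entry)


def in_scope(target, only_scan=ONLY_SCAN, never_scan=NEVER_SCAN):
    """Deny entries always win; an empty allow-list means no restriction
    (an assumption mirroring the 'no artificial constraints' default)."""
    if any(_matches(target, e) for e in never_scan):
        return False
    if not only_scan:
        return True
    return any(_matches(target, e) for e in only_scan)


def filter_targets(candidates, **policy):
    """Split discovered hosts into (allowed, skipped) before any probe is sent."""
    allowed = [t for t in candidates if in_scope(t, **policy)]
    skipped = [t for t in candidates if t not in allowed]
    return allowed, skipped
```

Logging the skipped list alongside the allowed one gives the administrator a record of which discovered hosts the policy kept the scan away from.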
Why wasn't there a limited distribution, to only the "white hats"?
History has shown that attempts to limit distribution of most security
information and tools have only made things worse. The "undesirable"
elements of the computer world will obtain them no matter what you do,
and people that have legitimate needs for the information are denied it
because of the inherently arbitrary and unfair limitations that are set up
when restricting access.
We're almost certainly going to continue development on SATAN. At the
top of our wish list is a way to graphically display the network maps,
especially with respect to the webs of trust. This is a hard problem!
Our main goal right now is to get a solid product out, and see how it's
received by the world; the response will drive our development. In
addition, we haven't had much of a chance to play with the program
ourselves, so once the dust clears, we'll probably have a better view of
where we'll take the program.