KEYWORDS: Security tools.
Many Web sites currently contain lists of security-related tools.
Most of these sites consist of an undifferentiated list of tools,
where each tool entry contains a pointer enabling the user to
download the tool and, possibly, a short abstract. This is sufficiently
useful for a user who knows exactly what tools he/she wants and
is simply looking for a site from which to download the tool.
However, it can be somewhat overwhelming for the user who is
trying to discover what is available in this arena. Some sites
go one step further, and sort the tools list according to functional
capabilities. This does add some organization to the chaos, but
it still requires the user to choose one tool, out of perhaps
20 or more, on the basis of a terse abstract.
Of course, the user can just download the tool and try it out.
However, this is not always so simple for Unix tools. Most of
these tools require root-level access for the installation process,
and many of them demand a fair amount of tinkering and tweaking
before they will run. If a user is shopping for a variety of
security tools, it can take a substantial amount of time and effort
to unearth an assortment of tools that turn out, after all that
work, not to be exactly what he/she had in mind.
The Center for High Integrity Software Systems Assurance (CHISSA)
at NIST recently initiated a Web Site that has the capacity to
address this problem. The site contains a database of "artifacts"
that includes documents (papers and abstracts), audio/video performances,
and interactive tools demonstrations.
Figure 1 shows the RISQ (Reference Information for Software Quality) [1]
introductory screen, displayed when the user points his/her browser
to the URL http://hissa.ncsl.nist.gov/risq .
As its name might indicate, the domain of interest is broader
than security, covering the whole landscape of high integrity
software, but one branch of the high integrity "tree"
is that of security. The Computer Security Division of NIST plans
to add a large variety of security tools to the RISQ database.
The array of public-domain, freely-available security tools covers
a wide variety of functionality. Some security tools aid in the
prevention of potential security problems by detecting, in advance,
problematic system or network configurations. In particular,
there are tools that scan all of a system's user passwords, reporting
on those that can be easily guessed, or "cracked"; other
tools offer alternatives to password-related user authentication,
supplying advanced authentication methods such as one-time passwords.
Other preventive tools analyze user and system files, reporting
on dangerous permissions, insecure file relationships, and the
use of system features, files, or protocols that can be easily
subverted. A particularly aggressive form of preventive security
tool is the "real-time penetration" class of tools, which
actively probe a system for known vulnerabilities.
Another class of security tools can detect system intrusions by
monitoring, logging, or auditing the progress and output of potentially
problematic connections or processes. When normal behavior is
documented and recorded, unexpected changes in such things as
file sizes, program output, user profiles, or other system behavior
can alert the system administrator that an intrusion has occurred.
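As an added illustration of the change-monitoring approach just described (this is example code written for this page, not a tool from the RISQ database): take a baseline of file sizes, permission bits and content hashes, store it, and later diff a fresh snapshot against it. The directory tree and the "intrusion" are constructed inside demo().

```python
import hashlib
import json
import os
import stat
import tempfile

# Added example, not code from RISQ or from any tool in its database: a
# baseline-and-compare file integrity check of the kind the text describes.
# The directory tree built in demo() is constructed for the demonstration.


def _hash_file(path, chunk=65536):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Record size, permission bits and content hash of every regular file.

    Keys are paths relative to root, so a baseline taken on one host can be
    compared with a later snapshot of the same tree.
    """
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and device nodes are outside this example
            baseline[os.path.relpath(full, root)] = {
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
                "sha256": _hash_file(full),
            }
    return baseline


def compare(old, new):
    """Diff two snapshots: added and removed paths, and which attributes changed.

    Reporting the changed attributes lets the administrator tell a chmod
    from a rewritten binary; a same-size rewrite is caught by the hash alone.
    """
    report = {"added": [], "removed": [], "changed": {}}
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            report["added"].append(rel)
        elif rel not in new:
            report["removed"].append(rel)
        else:
            diffs = [k for k in ("size", "mode", "sha256") if old[rel][k] != new[rel][k]]
            if diffs:
                report["changed"][rel] = diffs
    return report


def demo():
    """Take a baseline of a constructed tree, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        login = os.path.join(root, "bin", "login")
        with open(login, "wb") as f:
            f.write(b"#!/bin/sh\nexec /sbin/real-login \"$@\"\n")
        os.chmod(login, 0o755)
        with open(os.path.join(root, "motd"), "wb") as f:
            f.write(b"Welcome\n")

        # The baseline would normally be written to read-only or offline media;
        # here it just round-trips through JSON.
        stored = json.dumps(snapshot(root), sort_keys=True)

        # Simulated intrusion: trojaned login of identical size, a new setuid
        # shell copy, and a deleted file.
        with open(login, "wb") as f:
            f.write(b"#!/bin/sh\nexec /sbin/evil-login \"$@\"\n")
        bak = os.path.join(root, "bin", "sh.bak")
        with open(bak, "wb") as f:
            f.write(b"backdoor\n")
        os.chmod(bak, 0o4755)
        os.remove(os.path.join(root, "motd"))

        return compare(json.loads(stored), snapshot(root))
```

In practice the baseline must be kept where an intruder cannot rewrite it along with the files (read-only media or another host), and the checker itself must be trusted: an attacker who can replace the comparison program or its hash library defeats the check. Size alone is not enough; the trojaned login in the demo keeps its size and is caught only by the hash.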
Cryptographic tools enable users to ensure the confidentiality
of files and transmissions through the use of encryption, and
to authenticate the identity of one or both parties engaged in
an electronic transaction.
In the past, systems and network security were the domain of professional
systems administrators, and the majority of security tools ran
on Unix machines. Most freely-available, public-domain security
tools today are still Unix tools. However, with the proliferation
of desktop PCs and the advent of Windows NT servers, more and more
systems and networks are administered by individual users who are
not experts in system administration. A number of freeware tools
are currently available for DOS, Windows, and the Macintosh, and
undoubtedly more will be offered in the near future. The RISQ
security tools database will undoubtedly be heavily weighted on
the Unix side, but as non-proprietary, public-domain security tools
for PCs become available, they will be added to the database.
When using the RISQ database, the user can search either the
whole high integrity infrastructure or one of its branches (process,
quality, safety, security, and verification/test) by specifying
one or more of the three classes of searches. He/she can click
on any tree or sub-tree in the taxonomy, enter user-specified
keywords, and/or specify which type of artifacts to search for.
Thus, if a user is searching for information and tools related
to security threat analysis, with the specific goal of monitoring
network connections for the purpose of intrusion detection, he/she
could click on the "threat analysis" branch of the security
tree, enter the user-specified keyword "network monitoring,"
and click on the artifact types "document" and "tool."
Figure 2
shows the RISQ screen set up to perform this search,
and
Figure 3
illustrates the possible outcome of such a search.
In this case, five matching database entries were found. Three
of them (cpm, ifstatus, and the TCP port probing program) are
tools, each having two types of associated database artifacts:
an abstract and a tool.
Figure 4
illustrates the format of a
sample tool abstract; the types of
sample tool output that are available will be demonstrated in
subsequent parts of this article. The fourth match (Other Security
Tool Sites) is a list of pointers to sites with further information,
and the fifth match (Unix Systems Security) is an article that
can be retrieved in either text or PostScript format.
Most security tools are designed to be run repeatedly, often in
the background at pre-specified times of the day or week. Thus,
most do not have an elaborate graphical user interface; quite
the opposite, the tools are usually launched through an unadorned
Unix command-line interface, with variations in the configuration
or output of the tool being specified either through a configuration
file or via Unix command-line options.
For those security tools that have a straightforward command-line
interface with few options and a limited number of output modes,
the RISQ system will offer the user the option of viewing sample
output for most or all of the cases. For example, ifstatus [2]
is a tool that tests whether one or more of a system's interfaces
is running in promiscuous mode. Normally, applications that are
running on a system can only view network packets that are destined
for that particular system. If one of a system's interfaces
is running in promiscuous mode, it allows applications running
on the system to view all packets passing over that interface,
not just those packets that were sent to that particular system.
Turning on the "promiscuous mode" flag is a common
device used by intruders who want to monitor passwords and other
sensitive information that is being sent over the network. Ifstatus
has two modes, regular and verbose, and two possible outcomes for
each system interface: promiscuous or non-promiscuous. For a
tool such as ifstatus, the RISQ system will offer the user the
opportunity to view sample output for all possible cases.
Figure 5
displays this sample output.
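The same check, written for this page as an added example rather than taken from ifstatus: the interface flag word is tested for the promiscuous bit (IFF_PROMISC = 0x100 on Linux, the assumed platform), and the two output modes mirror ifstatus's regular and verbose outputs. The interface table in CONSTRUCTED is made up for the demonstration; read_sysfs() fetches live values on a Linux host.

```python
import os

# Added example, not ifstatus itself: report interfaces whose promiscuous
# flag is set. IFF_UP and IFF_PROMISC are the Linux values from <linux/if.h>
# (assumed platform); the CONSTRUCTED table below is made up for the demo.
IFF_UP = 0x1
IFF_PROMISC = 0x100


def classify(flags):
    """Map an interface's flag word to the two outcomes ifstatus reports."""
    return "PROMISCUOUS" if flags & IFF_PROMISC else "non-promiscuous"


def report(interfaces, verbose=False):
    """Return report lines in the style of ifstatus's regular/verbose modes.

    interfaces: dict of interface name -> flags integer.
    Regular mode lists only promiscuous interfaces, so an empty result means
    nothing was found (convenient when run from cron); verbose mode lists all.
    """
    lines = []
    for name, flags in sorted(interfaces.items()):
        state = classify(flags)
        if verbose or state == "PROMISCUOUS":
            updown = "up" if flags & IFF_UP else "down"
            lines.append(f"{name}: {state} ({updown}, flags=0x{flags:x})")
    return lines


def read_sysfs():
    """Read live flag words from /sys/class/net on Linux (empty elsewhere)."""
    result = {}
    base = "/sys/class/net"
    if not os.path.isdir(base):
        return result
    for name in os.listdir(base):
        try:
            with open(os.path.join(base, name, "flags")) as f:
                result[name] = int(f.read().strip(), 16)
        except OSError:
            continue
    return result


# Constructed sample: loopback, one promiscuous and one normal Ethernet port.
CONSTRUCTED = {"lo": 0x9, "eth0": 0x1103, "eth1": 0x1003}

if __name__ == "__main__":
    for line in report(read_sysfs() or CONSTRUCTED, verbose=True):
        print(line)
```

Two caveats apply to any such check. A kernel-level rootkit can hide the flag, so the tool is only as trustworthy as the kernel it asks. And on current Linux kernels the flag word reported to user space reflects only promiscuous mode set explicitly (for example with ip link set eth0 promisc on); a sniffer that opens a packet socket raises the device's promiscuity counter instead, which ip -d link shows and the kernel logs, but which does not appear in these flags.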
An example of a security tool with multiple input configurations
and a prodigious amount of potential output is tiger [3].
Tiger consists of a set of scripts that scan a Unix system looking
for potential security problems and vulnerabilities. The scripts,
which check for such problems as incorrect file and directory
access permissions, can be run either individually or all at once,
and can also be run either immediately or on pre-specified dates
and times. The operation of the tiger scripts is controlled by
a small set of options, some of which determine the level of verbosity
of the error messages, and by a configuration file. The configuration
file sets environment variables which dictate such details as:
the depth of search within the file tree, the types of files to
be checked, which checks should be performed, whether informational
warnings should be issued, which users and groups are entitled
to exercise "root" privileges, etc. The RISQ system
will enable the user to peruse a sample configuration file, sample
error messages issued by each of the scripts, and/or a complete
list of all possible error messages that can be issued by each
script.
Figure 6
shows (for four representative tiger scripts) the
menu of tiger-related information presented to the user.
One of the tiger scripts, check_accounts, checks all user accounts,
both those that are currently active and those that have been
disabled, for certain types of anomalies. It checks the account's
home directory, the presence of several types of special-purpose
files that can easily
be compromised, and unsafe user ID/password combinations.
Figure 7
and
Figure 8
illustrate sample output (regular and verbose, respectively)
for check_accounts; and
Figure 9
shows the format used to display
the complete list of error messages, also using the check_accounts
script.
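An added example of the kinds of checks check_accounts performs, written for this page rather than taken from tiger: it reads passwd- and shadow-format text, flags unsafe uid/password combinations, and inspects each home directory and its login dotfiles. The account data and home directories are constructed in demo(); the file names in SENSITIVE_DOTFILES and the severity labels are this example's own choices.

```python
import os
import stat
import tempfile

# Added example in the spirit of tiger's check_accounts; it is not tiger's own
# code. The passwd/shadow text and the home directories built in demo() are
# constructed for the demonstration.

# Login-time dotfiles that grant access or execute commands (tiger's "special
# purpose files"). Anyone who can write them can take over the account.
SENSITIVE_DOTFILES = (".rhosts", ".profile", ".cshrc", ".login", ".forward")
NOLOGIN_SHELLS = ("/bin/false", "/sbin/nologin", "/usr/sbin/nologin")


def parse_passwd(text):
    """Yield (user, passwd_field, uid, home, shell) from passwd-format text."""
    for line in text.splitlines():
        if line and not line.startswith("#"):
            f = line.split(":")
            yield f[0], f[1], int(f[2]), f[5], f[6]


def parse_shadow(text):
    """Map user -> hashed password field from shadow-format text."""
    return {l.split(":")[0]: l.split(":")[1] for l in text.splitlines() if ":" in l}


def check_accounts(passwd_text, shadow_text, root="/"):
    """Return (severity, user, message) findings. root lets a tree other
    than / be checked, as the demo does."""
    findings, seen_uids = [], {}
    shadow = parse_shadow(shadow_text)
    for user, pw, uid, home, shell in parse_passwd(passwd_text):
        hashed = shadow.get(user, pw)
        # Unsafe uid / password combinations.
        if uid == 0 and user != "root":
            findings.append(("FAIL", user, "uid 0 account other than root"))
        if hashed == "":
            findings.append(("FAIL", user, "no password"))
        if uid in seen_uids:
            findings.append(("WARN", user, f"shares uid {uid} with {seen_uids[uid]}"))
        seen_uids.setdefault(uid, user)
        # Disabled accounts are checked too: a locked password with a real
        # shell can still be entered via su, cron or an ssh key.
        if hashed.startswith(("*", "!")) and shell not in NOLOGIN_SHELLS:
            findings.append(("INFO", user, f"disabled account keeps login shell {shell}"))
        # Home directory and dotfile checks.
        hpath = os.path.join(root, home.lstrip("/"))
        if not os.path.isdir(hpath):
            findings.append(("WARN", user, f"home directory {home} does not exist"))
            continue
        if stat.S_IMODE(os.stat(hpath).st_mode) & stat.S_IWOTH:
            findings.append(("FAIL", user, f"home directory {home} is world-writable"))
        for dot in SENSITIVE_DOTFILES:
            p = os.path.join(hpath, dot)
            if not os.path.isfile(p):
                continue
            if stat.S_IMODE(os.stat(p).st_mode) & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append(("FAIL", user, f"{dot} is group/world-writable"))
            if dot == ".rhosts":
                with open(p) as fh:
                    if any("+" in line.split() for line in fh):
                        findings.append(("FAIL", user, ".rhosts contains a '+' wildcard"))
    return findings


# Constructed account data: a sane root, a second uid-0 account, a locked
# user with a shell, and a user with no password at all.
PASSWD = """\
root:x:0:0:root:/root:/bin/sh
toor:x:0:0:second root:/home/toor:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/sh
bob::1001:1001:Bob:/home/bob:/bin/sh
"""
SHADOW = """\
root:$6$saltsalt$notarealhash:19000:0:99999:7:::
toor:$6$saltsalt$notarealhash:19000:0:99999:7:::
alice:!:19000:0:99999:7:::
bob::19000:0:99999:7:::
"""


def demo():
    """Build the constructed home directories and run the checks on them."""
    with tempfile.TemporaryDirectory() as root:
        for home, mode in (("root", 0o700), ("home/alice", 0o755), ("home/bob", 0o777)):
            os.makedirs(os.path.join(root, home))
            os.chmod(os.path.join(root, home), mode)
        rhosts = os.path.join(root, "home/bob/.rhosts")
        with open(rhosts, "w") as f:
            f.write("+ +\n")  # trusts every user on every host
        os.chmod(rhosts, 0o666)
        return check_accounts(PASSWD, SHADOW, root=root)
```

Against a real host, call check_accounts(open('/etc/passwd').read(), open('/etc/shadow').read()); reading /etc/shadow requires root, which is why tiger itself is run as root.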
For tools that have a more elaborate interface, and more numerous
execution paths and/or options, the RISQ database can, under certain
circumstances, provide an actual demonstration of the tool. This
is only possible for users who access the database from an X terminal;
for other users, a simulated, canned demonstration is provided.
The less interactive mode of demonstration described in the preceding
paragraphs will suffice for the security tools that are currently
intended
to be added to the RISQ database; no interactive security tool
demonstrations are planned, although a number of other types of
tools can be interactively executed in this manner.
The Security tools area of the RISQ database is currently in the
planning stage, and user input is actively solicited. We welcome
comments on all aspects of the database's format and content,
including the following:
The RISQ database should be an excellent vehicle for the "Try
Before You Buy" approach to investigating security tools.
Hopefully, the combination of tool abstracts and other useful
information; sample tool input, output, and error messages; and,
where useful, interactive or simulated tool demonstrations will
be of value to users. The goal is to enable users to pre-screen
security tools, in order to better differentiate between those
tools that can meet the user's pre-determined criteria and those
that will not.