1. Field of the Invention
The invention relates to the field of computer network security, and in particular concerns an internet or intranet based technique by which operators, who need not have extensive knowledge of network TCP/IP subsystems, can assess the vulnerability of any or all of their network hosts (e.g., servers and workstations) to a variety of intrusion methods. A host or server operating the security system according to the invention uses communication techniques to confirm the identity of an operator who seeks an assessment, and may effect a credit or bank account transaction as a means of payment. A hypertext web page is generated on the security system server for starting the assessment, having a URL that is unique to the operator's request. The URL of the starting page is reported to the qualified operator by email. The operator selects a level of security assessment by selecting a number or class of network hosts to be analyzed and a level of intensity for the analysis. The security system server then launches a series of selected inquiries by TCP/IP communications, assesses points of vulnerability, and inserts hypertext links into the report page, naming vulnerabilities found and linking to hypertext pages explaining each vulnerability and directing the operator to potential fixes and further information. The assessment can be repeated as often as necessary during a limited time period, for example to test fixes made after earlier reports of vulnerability. After the limited time period, the report page and its URL are removed.
2. Prior Art
Standards have been developed for network communications among workstations and servers (collectively "hosts"), and are well documented. The same standards that apply to open network communications can also be used in communications among hosts on a local area network or a wide area network. Communications of this type generally fall into two categories, namely TCP and UDP.
In TCP ("transmission connection protocol"), a connection is made and held between the source of the data and an at-least intermediate destination. Delivery of data in TCP is more or less guaranteed once a connection is made.
In UDP ("user datagram protocol"), data packets are transmitted from a source to a destination, but no standing connection is made. In UDP, it is up to the programmer designing the software to guarantee reliability of the communication session.
Depending upon whether a host is configured to provide the services of a web server, a router, a workstation or the like, that host must be configured to respond to the appropriate inquiries needed to function. When the TCP/IP subsystem of the host is enabled to respond to these inquiries by the software that enables the host to operate as a server, router, etc., one of the numbered TCP ports is caused to respond to the appropriate inquiry.
Some services provide usernames and TCP/IP addresses, and a remote host can use the noted services to learn usernames and/or addresses and thereafter attempt to determine further information or use the information to mount an attack. With a knowledge of usernames, an iterative routine or a program having a dictionary file can attempt to determine passwords randomly or to guess passwords using common words, and attempt to log into a host as a given user. On some servers, particularly of Internet service providers, usernames are used to define the paths to the users' subdirectories. An authorized user can log in to their ISPs server, under their own username, then change directory up a level, and obtain the usernames of all subscribers by listing the username subdirectories. Depending on rights granted, this could enable subscribers to monitor shells, last login times, alter personal web page content and even read or insert pending email messages. It may or may not be appropriate for all such capabilities to be open to users, but in such instances it is appropriate for both the subscribers and the operator of the server to understand fully where the system is vulnerable to attack. For these and other reasons it can be difficult for systems administrators or others to determine the true identity of a person who obtains unauthorized access to information or services.
Networks that may be vulnerable to attack or contain confidential information may be protected by firewalls. Firewalls are intermediate computers that are coupled between a protected network server and the Internet. A firewall is basically a router having filters that pass certain forms of messages and block others. Of course a firewall does not address the possibility of an attack from a user within the network protected by the firewall.
A firewall can be more or less aggressive at blocking messages. Aggressive filtering means that fewer services can be made available in one direction or the other through the firewall. Insufficient filtering leaves the network open to attack. A proper balance is sought by system administrators in setting up the filtering that will be undertaken by the firewall, to provide the needed services and minimize dangers of unauthorized access and of damaging attack. Both innocent and malicious requests are blocked. Firewalls also may provide proxy or masquerading services which "hide" the presence of computers behind it.
One form of attack that is particularly troublesome is a "denial of service" attack. Networks providing information services that are critical for reasons of public safety or national defense need to be operational when called upon. A denial of service attack on a given host or TCP/IP address can result in that host (workstation or server) locking up (e.g., displaying the so-called "blue screen of death," normally a general protection fault) requiring that the affected host be rebooted. A server lockup can disable useful operation of all users logged onto that server by precluding access to shared data. An attack on an individual host on the network at least can disable that host, and it is possible to mount a denial of service attack on all the hosts on a network simultaneously.
Several denial of service attacks are well known and documented, and software patches are available to deal with most of them. For example, the Windows NT service pack from Microsoft deals with certain vulnerabilities found in the Windows TCP/IP subsystem. An example is the Window OOB Bug (aka "WinNuke"). A program can send out of band (OOB) data to a TCP/IP address at which a Windows machine is coupled to the network, for example attacking NetBIOS (TCP port 139). The Windows machine is unable to handle the data and can lock up.
A program called SPING sends fragmented ICMP packets to a TCP address of a Windows machine, requesting an echo of the packet. The machine attempts to reassemble the packets but they cannot be reassembled. The machine's buffers overload and the machine locks up. Similarly, spoofed connection requests can be sent by TCP to a Windows host in a so-called Land Attack. SYN packets are sent to the host address as the destination and appear to have the same address as the source. That is, the packets have the same host and port numbers identifying the source and the destination. As it attempts to resolve the conflict of having information simultaneously being sent and received by the same host over the same port, the system slows down.
The Tear Drop and New Tear Drop (or Bonk) attack concern sending overlapping TCP/IP fragments or corrupted UDP fragments. These attacks fill the available memory buffer space and eventually crash the machine.
The foregoing attacks are exemplary. Additional attacks become possible periodically, as the implementation of the TCP/IP system is further understood. Additionally, public service organizations monitor reports of attacks and publish advisories containing strategies for dealing with attacks. The organizations include CERT, CIAC, ASSIST, and others.
In April 1995, a software package called Security Administrators Tool for Analyzing Networks (SATAN) was made publicly available to enable systems administrators to obtain an automated assessment of their network security. SATAN provides source code for operation on a Unix system. When compiled, configured and run, SATAN attempts to access certain critical data files, to effect file transfers considered dangerous, and to determine which programs are in use. SATAN cannot fully assess a system via TCP/IP through a firewall, from any arbitrary host on the Internet. The administrator can readily configure their firewall to filter certain inquiries such as PING requests, and can block FTP access to files on hosts within the firewall and the like. Thus SATAN is substantially intended for a systems administrator to get his or her own network house in order via internal checks. The systems administrator configures SATAN for operation on their particular system and runs the program to determine whether certain vital network data is accessible.
The foregoing problems have been the subject of various advisories from CERT or CIAC and their implications and fixes are documented in various publications. Although they represent some important potentially exploitable information leaks as well as opportunities for a knowledgeable hacker to wreak mischief or damage to the network, they do not address various possible denial of service vulnerabilities, and do not address a likely source of attack, namely an arbitrary host communicating in TCP or UDP from outside the firewall.
Additionally, as its authors recognize, a security program such as SATAN is a two edged sword. It is helpful to permit systems administrators to identify security gaps which are then plugged by appropriate fixes, but the information it generates is of offensive value to a hacker, because SATAN could enable an easy and automated identification of unfixed network vulnerabilities that might be exploited. As a result, it would be highly inappropriate to permit the operation by others of such a security assessment program on one's network. It would also appear to be ill advised to permit operation of a security assessment program through a firewall, or even to open the firewall filters sufficiently to permit TCP and UDP communications that could conceivably assess, and therefore potentially exploit, vulnerabilities of the TCP/UDP subsystems. On the other hand and as mentioned above, the alternative is to deny access to services that are useful in Internet communications.
It would be advantageous, and it is an object of the present invention, to provide a security assessment program that is not limited to internal operation on a network Unix server, that can be operated conveniently and securely from a World Wide Web (WWW) browser at an arbitrary host, that fully assesses file access, version information, and vulnerability to denial of service attacks, but which has sufficient security to minimize the danger of exploitation by hackers to obtain offensive information.