Texas A&M Network Security Package Update
7/1/93

Dave Safford
Doug Schales
Dave Hess

This is an updated release of the security tools developed at the
Texas A&M University Supercomputer Center. These tools are available
for anonymous FTP from net.tamu.edu:/pub/security/TAMU.

------------------------------------------------------------------------

CHANGE SUMMARY (see respective README files for more information):

'tiger' - Version 2.1.1 - UNIX security checking tool

    An explain facility for giving more information on the output
    from tiger.

    Many new checks, bug fixes, all around improvements. Too numerous
    to go into. Briefly, checks mail aliases, cron jobs, inetd
    configuration, PATH variables, more checks on passwd and group
    files.

    Untested initial configuration files for AIX 3, IRIX 4, HPUX and
    UNICOS.

    Tested configurations for SunOS 4.1.1, 4.1.2, 4.1.3, 5.1 and 5.2,
    including signatures for latest security patches, and
    NeXTSTEP 3.0.

'netlog' - Version 1.02 - Network traffic logging tools

    Bug fixes, minor enhancements to functionality.

    New tool for gathering statistics on protocol and port usage.

'drawbridge' - Version 1.1 - IP bridging filter

    Bug fixes. Allow and reject clauses did not work properly and
    bridging was not working efficiently.

'check_TAMU' - TAMU Security distribution check script

    A new script is now available for checking this distribution for
    any signs of tampering. This is intended for anyone who obtains
    this distribution from a site other than net.tamu.edu. The script
    is available from a mailserver at "drawbridge-server@net.tamu.edu".
    See the section AVAILABILITY below for more info.

------------------------------------------------------------------------

ORIGINAL DESCRIPTION:

Last August, Texas A&M University UNIX computers came under extensive
attack from a coordinated group of internet crackers.
This package of security tools represents the results of over nine
months of development and testing of the software we have been using
to protect our estimated five thousand IP devices.

This package includes three coordinated sets of tools: "drawbridge",
an exceptionally powerful bridging filter package; "tiger", a set of
convenient yet thorough machine checking programs; and "netlog", a set
of intrusion detection network monitoring programs.

KEY FEATURES:

For full technical details on the products, see their individual
README's, but here are some highlights:

DRAWBRIDGE:
    - inexpensive (PC with two SMC/WD 8013 cards)
    - high level filter language and compiler
    - powerful filtering parameters
    - DES authenticated remote filter management
    - O(1) table lookup processing even with dense class B net
      filter specifications.

TIGER:
    - checks key binaries against cryptographic checksums from
      original distribution files
    - checks for critical security patches
    - checks for known intrusion signatures
    - checks all critical configuration files
    - will run on most UNIX systems, and has tailored components
      for SunOS, Next, SVR4, Unicos.

NETLOG:
    - efficiently logs all tcp/udp establishment attempts
    - powerful query tool for analyzing connection logs
    - "intelligent" intrusion detection program

AVAILABILITY:

This package is available via anonymous ftp in

    net.tamu.edu: pub/security/TAMU

Due to the sensitive nature of these tools, we recommend that you
retrieve them from this location. If you do not get them from
net.tamu.edu we suggest that you use our check_TAMU script that uses
cryptographic checksums to check the distribution for any signs of
tampering. The script is available in the anonymous ftp directory
above and from an e-mail server at:

    drawbridge-server@net.tamu.edu

Note that there are some distribution limitations, such as the
inability to export outside the US the DES libraries used in
drawbridge; see the respective tool README's for details of any
restrictions.
(Note that the DES libraries are NOT required to use drawbridge.
They just enable secure remote management of drawbridge.)

CONTACT:

Comments and questions are most welcome. Please address them to:

    drawbridge@net.tamu.edu