Slashdot Mirror
Guardent To Sell Snort And Nessus
Cally writes: "An interesting article appeared on the Info-Sec News list the other day about Guardent's new security appliance. Based on Snort,
Nessus and IPTables, Guardent are taking the unusal step of trying to sell a product based on Free software into the highly resistant corporate security market.
Although Free/Open security software is widely acknowledged to be better than commercial alternatives, it's rarely been trusted in the enterprise - the article points out that, although the NSA use Free
software, the need for an expensive government audit prevents the
government from saving money and improving security."
It would be nice to know that Guardent is contributing to the respective projects that are being implemented on this device (IPTables, Snort, Nessus), but I haven't been able to find any ackknowledgement of it on either Nessus's thanks page or in the credits for Snort.
Certainly they've got people working for them who have the know-how to add substancial features to the projects and it would be nice to know that they're not just freeriding on the software for the managed services platform that this device really is.
OpenBSD has several advantages over Linux for this application:
- More cohesive codebase, tighter integrated security audits. (==more secure foundation to work from)
- Better firewall and nat features, syntax.
- BSD-licensed foundation, so no hassles if you're using it in a product.
- Cooler logo.
;-)
And of course, since the OpenBSD community has a lot of paranoidQuite frankly, seeing someone selling a security solution based on open source software and finding out the OS isn't OpenBSD is like finding your cousin Larry using an egg beater to polish his car's paint... You know they must have some reason, but damn if it has any obvious logic to it...
(Linux has it's own place. I use it a lot for developing and deploying java applications, also it's a better DB platform than obsd becuase it has SMP support. Right tool, right job. For security, obsd is the right tool.)
Only 100 good programmers would take years to do a line-by-line audit of all MS's major products, and, of course, by the time that they're done, all of the products they've audited are already obsolete.
Equivalently, where are you going to find 100 programmers good enough to do the job in a reasonable amount of time? Although a lot of people have overinflated valuations of their skills, most would probably weigh in as marginal at best.
"Although Free/Open security software is widely acknowledged to be better than commercial alternatives..."
I'm sure this point will rapidly become a chorus in this thread, but that sentence is pointless fluff.
Open source means you can could inspect the source. Iff you choose to expertly inspect the source you may come to understand the security parameters of the application. You'll know how it works, and a lot of what it depends on in terms of libraries, OS calls etc. And you can evaluate on those terms whether it provides an adequate level of security for the environment in which you intend to use it.
If you haven't audited the code, all you know is that the code is auditable. You know nothing about the security of the system.
Most of us here haven't performed any of these steps on systems like OpenSSH, for instance. Instead we rely on two things: that someone else has peformed a competent, honest audit; that so many people use it that if it had problems we'd all know (surely). Both of those are flimsy, when you come right down to it.
Open source only means you could audit it if you wanted to. It doesn't make it any more or less secure than anything else.
I hope that, if they make profit using these free softwares, they give some money back to the developers. I know that Renaud Deraison, one of the Nessus core developers, is tired of seing derivatives of his product sold by many companies which *never* give anything (bug reports, patches, plugins, money) back.
Hell, free software needs financial *and* technical support from those who use it. Or you won't be able to use it very long.
I find this statement terribly interesting. This implies that opensource software is more heavily auditted by the US government than closed source software.
Does anyone else find this ludicrous ?
This is actually quite sensible. Someone has to pay for the audits. In commercial applications, it will be the vendor.
But with OSS, it isn't clear who is the one responsible for the audits. And it isn't clear which version will be audited (with a theoretically possible fix made every minute). So, it will probably have to be the version to be implemented. Since there is no clear responsible party who can fund the audit, it will have to be the customer.
So in that sense, it is the customer who winds up for the cost of the audit directly, while with commercial products, it will be the vendor who winds up for the cost (and calculates that back into the price of the product).
In one sense, the customer paying for it is preferable, since they can now see how the money is being spent, on the other hand, having the customer pay for it prevents the spreading of the cost. In commercial products, every customer pays for a part of the costs, in OSS, every customer has to pay for the complete audit again unless the results are frozen.
although the NSA use Free software, the need for an expensive government audit prevents the government from saving money and improving security.
I find this statement terribly interesting. This implies that opensource software is more heavily auditted by the US government than closed source software.
I'm not sure where the quote is from, so I can't put it in context, but the NSA certainly does audit closed-source software. I think it's more likely the statement is saying that it is irrelevent whether they go with a $500 product or a $0 product; the audit costs far outweigh either.
Change "Free Software" above to "new product" and it makes more sense. Anything new has to be sufficiently better to justify the audit cost.
Yes, but the main issue with open source for mission critical applications / services is the lack of a legally binding contract.
At least with a faceless corporation you have a piece of paper saying what both parties are legally obliged to do - you know for a fact that their definitions are supposed to be updated with X frequency etc. You also get a guaranteed level of support, someone to blame when it goes wrong and a company with deep pockets to sue if they are negligent!
Now with open source, aside from the contract problem you get another issue - if it all goes horribly wrong the blame can't be passed external to the company, the person that allowed this software to be deployed gets the blame!
Once it comes down to "spend all the money I requested and have my ass covered" or "save the company money but risk being the scapegoat if it fails" which option would you choose, bearing in mind that it's not your money and you doubtlessly have enough to cover the cost of a proper installation...
In situations like this the free open source will not prevail because there are no safety nets such as someone external to blame, no support contract, no guarantees, and no faceless entity with deep pockets to sue.
The thing about big business and critical applications is that it's less about cost of ownership than it is about being able to shift the blame if it all goes wrong...
Guardent's choice to go with this open source solution has nothing to do with some epiphany that open source is better or more secure. It's about "the bottom line". Guardent's main marketing focus is MSS (managed security services). Because their standard bill rates are higher than most InfoSec consulting firms, the only way to compete in the market was to lower the cost of their managed IDS/firewall offering by using open source products.
Using the IDS portion of this for corporate networks is fine. But IPTables is NOT a firewall I would recommend to any major corporation.
An earlier post suggested Guardent should contribute to the development efforts, since they plan to make some profit off of it. That won't happen, because it cuts into "the bottom line". I have inside info on this, so I know.
OpenBSD has a fantastic reputation for security. However, there are several side notes that probably pushed linux over the top.
1) LIDS. If they're using a 2.4 kernel, they can do LOTS of nice security things, like striping root of lots of it's dangerous abilities. Less danger if root is cracked. I don't know if LIDS is in use, but it probably should be.
2) Your 'better firewall and nat features, syntax' is highly debatable. As somone else pointed out, IPTables stateful inspection is far ahead of either ipfilter or pf. And your syntax comment is nothing more than a personal preference.
3) I don't like this reason much, but 'Linux' is much more widely recognised in the business world than 'OpenBSD'. When you come down to it, you have to be able to market this thing. Is this the way it should be? No. But it is, and we have to deal with it.
Zapman