Slashdot Mirror
Guardent To Sell Snort And Nessus
Cally writes: "An interesting article appeared on the Info-Sec News list the other day about Guardent's new security appliance. Based on Snort,
Nessus and IPTables, Guardent are taking the unusal step of trying to sell a product based on Free software into the highly resistant corporate security market.
Although Free/Open security software is widely acknowledged to be better than commercial alternatives, it's rarely been trusted in the enterprise - the article points out that, although the NSA use Free
software, the need for an expensive government audit prevents the
government from saving money and improving security."
Based on previous security issues in open source it has pretty much become obvious that a major security problem in an open source product is fixed much faster than an equivalent closed source product.
:)
Also, due to the number of people looking at the code of the open source product there's more chance of those hairy bugs being weeded out, or in the case of the software being used here probably has been given the maturity of the software and the caliber of the kind of people who use it.
With closed source or hardware based security solutions you might end up getting hacked because the hacker found a hole the vendor didn't know about and you can't even look at the source to try and work out how they did it.
I'd say the advantages of open source security outweigh the disadvantages, and it's been said time and time again. I doubt it will make a difference with enterprise customers though, they're all in bed with the big companies anyway.
The major issue for them is probably support, even though i'm sure this company will support their hardware there's still the "stigma" that with OSS you've got no central reliable resource to turn to for support.
Anyway, enough rantage
Microsoft only has to start offering money prizes for security holes. Then more white hats will get interested in disassembling Microsoft's binaries (MS would have to permit it in it's EULA I guess). It's much harder for open source people to offer $10,000 per security hole found. So in the long run closed source has the advantage, they're just not capitalizing on it yet.
I find this statement terribly interesting. This implies that opensource software is more heavily auditted by the US government than closed source software.
Does anyone else find this ludicrous ?
One of the basic tenets of opensource software is that its bugs/vulnerabilities are presented for worldwide review. Any holes, trojans or vulnerabilities are caught faster and fixed almost immediately. Eric Raymond's find-fix-release cycle has been pretty much implemented in all active opensource projects. I find it interesting that the government, even if it is the NSA, is suspicious of opensource software, yet will trust the closed source products they buy. Isnt this placing your bets in the wrong basket ?
I wont got into the benefit of using opensource in detail, for it is bound to be flogged like a dead horse in the ensuing /. discussion below, but surely to suggest increased audit spending on opensource is FUD.
Additionally, it peeves me a little when everytime opensource is mentioned, the immediate line is drawn to Linux. I think the existence of other top notch operating systems such as FreeBSD, NetBSD and OpenBSD should also play a role in government procurement. The mindshare which Linux has managed to garner in this space is eclipsing decision makers away from proper evaluation and just jumping on to the Linux bandwagon.
After all, one of the basic tenets of opensource is choice. We dont want the lack of choice we have replaced with another lack of choice in operating systems, Linux only.
This is good news for the Open Source community. It's great to see a company making OSS the core of its business. However, the article also points out some of the traditional weak points of OSS.
One is that OSS focusses much more on technical prowess than on anything resembling a workable UI. For the true geek, no more than a command line is necessary for a UI. However, in the "real world" a user will not even consider touching the best software around if his only UI is a command line or a bad looking bunch of poorly designed widgets. It matters. Perhaps more than it should, but it is the reality. If functionality is (for the user) more or less comparable, the sleeker look will win.
Another point is of course the traditional lack of a single support channel. There is simply no guarantee for support for most OSS and face it, the actual software is at most half of the total cost, support being one of the largest money sinks. To a true company, the guarantees of support are much more important. And saying that they can do their own support (it's Open Source, right?) is simply no alternative, and neither is waiting for the whim of the masses to get round to their bug (yes, I know, they are now dependent on the whim of the supplier. But at least there's a binding support contract there).
Finally, for more critical applications, there are certain audits and certificates. I've rarely considered that with respect to OSS, but it does raise an interesting point. Especially with government applications and more critical applications, there will be a need for certain certificates. The Open Source community just hasn't got the money to fund such audits.
So, what can a company like Guardent do to repell these fears?
First off, as commercial suppliers, they can actually sign the support contracts and be held responsible for timely updates and fixes. Also, fixes now will be gathered and maintained by a single body, which is much preferable from a customer's point of view than scanning the Nets blindly every day for new updates.
Second, as suppliers, Guardent can create the UI necessary when packaging and integrating the seperate applications. This makes the package accessible to the users. Again, I cannot stress how important this is!
And finally, as a commercial company, they may be able to raise the cash necessary to get the necessary certificates and maintain them. Without these, a whole market segment will be closed to them no matter how well the software performs.
The article mentioned that Guardent will sell their appliance for "$1,500 a pop" and that their solution "relies solely on open-source programs to protect customers".Your article
Although the Guardent site specifies:
- "For a low MONTHLY FEE of $1,500, organizations get complete 24x7 managed security protection for any Internet-facing network segment."
- "...with Guardent's PROPRIETARY event correlation, reporting and alerting capabilities"
I loves "experts" that dont know what they are talking about.
many of the biggest corperations regulary trust open source tools, espically snort and the others for security.
they dont run around screaming "we use snort! we use snort!"
I know at the corperation that owns my soul we have a clause in the new computer and security policy that free tools are to be sought out and used before money is spent on software.
Yes, they dont have a "linux and oss is evil" clause.... even with Microsoft being one of our major "investors".
Do not look at laser with remaining good eye.
with few, if any of them, actually auditing the code for security holes before installing it to protect their mission-critical data.
In my 20 years of experience as a systems programmer, I am well-versed in the idea that it is much easier to throw out the existing code base and start from scratch rather than wasting time on trying to fix horribly flawed or poorly documented code that can be millions of lines long. Therefore, it should not come as much of a surprise that the security-conscious agencies in the federal government (CIA, NSA, DIA, Dept. of Commerce, etc.) largely write their own software inhouse rather than rely on fixing up something like Linux and hoping that they caught all the bugs. I mean, really folks, let's face it: Linux was designed by many people in a chaotic manner, and rarely were the features implemented with security at the top of their priorities.
So while it is all well and good that Guardent is trying to sell free software to enterprise customers, I can certainly see why major corporations would be hesitant to trust their security to messy open source software. Besides the fact that most of the biggest customers of closed source software vendors get to see the sourcecode for review anyway, because they are paying so much money for support, etc.
Is your company running tools written by ma
I was a longtime sr. security architect at a NSP with security services ranked highly by Gartner. One thing I know from interaction with hundreds of customers is that they are interested in your assurances far more than the products you use. We had occasion from time to time to shift vendors, and the customers did follow. There are plus and minus points to everything. The real market isn't for an appliance, but for services sold month-to-month or year-by-year which implement traditional security methods (firewalling, vuln. analysis, IDS, etc) using free software. Instead of saying, "trust this software", you simply say, "We use best-of-breed tools" and you use YOUR reputation to back them.
This isn't all that common yet, although nessus is making a lot of headway being used commercially. It will be more common, though, if the OSS alternatives remain ahead of the curve in development (and eventually probably get funding).