Slashdot Mirror
Guardent To Sell Snort And Nessus
Cally writes: "An interesting article appeared on the Info-Sec News list the other day about Guardent's new security appliance. Based on Snort,
Nessus and IPTables, Guardent are taking the unusal step of trying to sell a product based on Free software into the highly resistant corporate security market.
Although Free/Open security software is widely acknowledged to be better than commercial alternatives, it's rarely been trusted in the enterprise - the article points out that, although the NSA use Free
software, the need for an expensive government audit prevents the
government from saving money and improving security."
Based on previous security issues in open source it has pretty much become obvious that a major security problem in an open source product is fixed much faster than an equivalent closed source product.
:)
Also, due to the number of people looking at the code of the open source product there's more chance of those hairy bugs being weeded out, or in the case of the software being used here probably has been given the maturity of the software and the caliber of the kind of people who use it.
With closed source or hardware based security solutions you might end up getting hacked because the hacker found a hole the vendor didn't know about and you can't even look at the source to try and work out how they did it.
I'd say the advantages of open source security outweigh the disadvantages, and it's been said time and time again. I doubt it will make a difference with enterprise customers though, they're all in bed with the big companies anyway.
The major issue for them is probably support, even though i'm sure this company will support their hardware there's still the "stigma" that with OSS you've got no central reliable resource to turn to for support.
Anyway, enough rantage
Like almost every IP implementation, the one in Win32 is heavily based on the Berkeley Net4 code. This is hardly surprising. The Berkeley implementation was TCP/IP - long before ther were others. Large blocks of the original Berkeley Net code appear to be copied unmodified in the NT/2000/XP system. This is probably true of AIX, Solaris, etc...
This is a feature of the Berkeley licence.
"Flyin' in just a sweet place,
Never been known to fail..."
It would be nice to know that Guardent is contributing to the respective projects that are being implemented on this device (IPTables, Snort, Nessus), but I haven't been able to find any ackknowledgement of it on either Nessus's thanks page or in the credits for Snort.
Certainly they've got people working for them who have the know-how to add substancial features to the projects and it would be nice to know that they're not just freeriding on the software for the managed services platform that this device really is.
OpenBSD has several advantages over Linux for this application:
- More cohesive codebase, tighter integrated security audits. (==more secure foundation to work from)
- Better firewall and nat features, syntax.
- BSD-licensed foundation, so no hassles if you're using it in a product.
- Cooler logo.
;-)
And of course, since the OpenBSD community has a lot of paranoidQuite frankly, seeing someone selling a security solution based on open source software and finding out the OS isn't OpenBSD is like finding your cousin Larry using an egg beater to polish his car's paint... You know they must have some reason, but damn if it has any obvious logic to it...
(Linux has it's own place. I use it a lot for developing and deploying java applications, also it's a better DB platform than obsd becuase it has SMP support. Right tool, right job. For security, obsd is the right tool.)
There are probably countless "hardware" boxes that use FreeBSD or some other BSD derivative as a base. The company takes that base and adds their own code to do whatever it is that would be unique to the box, then sells the result as a hardware solution. The box itself might have a lot of proprietary hardware in it, or it might not. That'll just depend on the box.
But either way, open source probably powers a lot more of the hardware (routers, proxies, firewalls, etc.) than the average PHB would expect.
Use 'slashdot stuff' in the subject line in any email you send me if you want to get past the spam filter.
"Although Free/Open security software is widely acknowledged to be better than commercial alternatives..."
I'm sure this point will rapidly become a chorus in this thread, but that sentence is pointless fluff.
Open source means you can could inspect the source. Iff you choose to expertly inspect the source you may come to understand the security parameters of the application. You'll know how it works, and a lot of what it depends on in terms of libraries, OS calls etc. And you can evaluate on those terms whether it provides an adequate level of security for the environment in which you intend to use it.
If you haven't audited the code, all you know is that the code is auditable. You know nothing about the security of the system.
Most of us here haven't performed any of these steps on systems like OpenSSH, for instance. Instead we rely on two things: that someone else has peformed a competent, honest audit; that so many people use it that if it had problems we'd all know (surely). Both of those are flimsy, when you come right down to it.
Open source only means you could audit it if you wanted to. It doesn't make it any more or less secure than anything else.
I find this statement terribly interesting. This implies that opensource software is more heavily auditted by the US government than closed source software.
Does anyone else find this ludicrous ?
One of the basic tenets of opensource software is that its bugs/vulnerabilities are presented for worldwide review. Any holes, trojans or vulnerabilities are caught faster and fixed almost immediately. Eric Raymond's find-fix-release cycle has been pretty much implemented in all active opensource projects. I find it interesting that the government, even if it is the NSA, is suspicious of opensource software, yet will trust the closed source products they buy. Isnt this placing your bets in the wrong basket ?
I wont got into the benefit of using opensource in detail, for it is bound to be flogged like a dead horse in the ensuing /. discussion below, but surely to suggest increased audit spending on opensource is FUD.
Additionally, it peeves me a little when everytime opensource is mentioned, the immediate line is drawn to Linux. I think the existence of other top notch operating systems such as FreeBSD, NetBSD and OpenBSD should also play a role in government procurement. The mindshare which Linux has managed to garner in this space is eclipsing decision makers away from proper evaluation and just jumping on to the Linux bandwagon.
After all, one of the basic tenets of opensource is choice. We dont want the lack of choice we have replaced with another lack of choice in operating systems, Linux only.
This is good news for the Open Source community. It's great to see a company making OSS the core of its business. However, the article also points out some of the traditional weak points of OSS.
One is that OSS focusses much more on technical prowess than on anything resembling a workable UI. For the true geek, no more than a command line is necessary for a UI. However, in the "real world" a user will not even consider touching the best software around if his only UI is a command line or a bad looking bunch of poorly designed widgets. It matters. Perhaps more than it should, but it is the reality. If functionality is (for the user) more or less comparable, the sleeker look will win.
Another point is of course the traditional lack of a single support channel. There is simply no guarantee for support for most OSS and face it, the actual software is at most half of the total cost, support being one of the largest money sinks. To a true company, the guarantees of support are much more important. And saying that they can do their own support (it's Open Source, right?) is simply no alternative, and neither is waiting for the whim of the masses to get round to their bug (yes, I know, they are now dependent on the whim of the supplier. But at least there's a binding support contract there).
Finally, for more critical applications, there are certain audits and certificates. I've rarely considered that with respect to OSS, but it does raise an interesting point. Especially with government applications and more critical applications, there will be a need for certain certificates. The Open Source community just hasn't got the money to fund such audits.
So, what can a company like Guardent do to repell these fears?
First off, as commercial suppliers, they can actually sign the support contracts and be held responsible for timely updates and fixes. Also, fixes now will be gathered and maintained by a single body, which is much preferable from a customer's point of view than scanning the Nets blindly every day for new updates.
Second, as suppliers, Guardent can create the UI necessary when packaging and integrating the seperate applications. This makes the package accessible to the users. Again, I cannot stress how important this is!
And finally, as a commercial company, they may be able to raise the cash necessary to get the necessary certificates and maintain them. Without these, a whole market segment will be closed to them no matter how well the software performs.
I hope that, if they make profit using these free softwares, they give some money back to the developers. I know that Renaud Deraison, one of the Nessus core developers, is tired of seing derivatives of his product sold by many companies which *never* give anything (bug reports, patches, plugins, money) back.
Hell, free software needs financial *and* technical support from those who use it. Or you won't be able to use it very long.
One is that OSS focusses much more on technical prowess than on anything resembling a workable UI.
http://www.fwbuilder.org/ is GUI which should work
with this product nicely.
I've noticed one thing though, in all this endeavor : the more "touchy" the system was, the greater the resistance to change to a better and more reliable open source alternative.
Than I started asking why ?
Let me point out some reasons behind this, which of course most of you already know:
- Open source projects don't send out nice brochures telling how great the product is
- Since there is almost no advertising (what ?! do you expect square headed managers to read slashdot ?! they barely can read !
:), there's little info about what a product can and cannot do. Of course, you can always ask that geek down the hall that seems to know them all, but how much can you trust a guy without social life ?
- We don't know if the new open source app will preserve/convert the data from the old app. I wanna be honest and say most of the time open source apps regard themselves as being the only apps out there (scratching someone's itch - ESR might say) and provide little feature to import existing data
- But the number one reason behind not accepting open source replacement of sensitive software is the fact that there is no one to blame
The latest reason applies to both managers and sysadmins or whomever is in charge of getting things done.Pointing fingers is big business when things go wrong. Commercial app means that you have someone to call almost 24-7, someone to swear at and still be nice (you paid them a shitload of money to do so). If things break, sysadmins can always say: it was that creepy product's fault.
But that is one thing you cannot do to open source. First of all, you paid nothing. The creator lets you use the software because he's a nice guy. If the system crashes, the managers will point fingers at the sysadmin: you're the one going with this solution - you fix it!.
Now security is probably one of the most sensitive and touchy part of an organization. Yes open source security software works better, yes it provides you more options, no it won't send your secret data neither to NSA nor FBI, no it's not hard to setup up neither to maintain, and no, microsoft didn't invent it. But, sometimes it may screw things up. And when that happens, the first question on everybody's minds is:
Whom do we point fingers at?
__________
Don't belong. Never join. Think for yourself. Peace!
The article mentioned that Guardent will sell their appliance for "$1,500 a pop" and that their solution "relies solely on open-source programs to protect customers".Your article
Although the Guardent site specifies:
- "For a low MONTHLY FEE of $1,500, organizations get complete 24x7 managed security protection for any Internet-facing network segment."
- "...with Guardent's PROPRIETARY event correlation, reporting and alerting capabilities"
I loves "experts" that dont know what they are talking about.
many of the biggest corperations regulary trust open source tools, espically snort and the others for security.
they dont run around screaming "we use snort! we use snort!"
I know at the corperation that owns my soul we have a clause in the new computer and security policy that free tools are to be sought out and used before money is spent on software.
Yes, they dont have a "linux and oss is evil" clause.... even with Microsoft being one of our major "investors".
Do not look at laser with remaining good eye.
Well not only the TCP/IP-Stack, but when you open IE and look at the about box, you'll see that MSIE is based on NCSA Mosaic, which was at least somewhat open-source (look at the initial announcement and the README).
SecureWorks has been selling their iSensor product for some time now. It is also based on OpenSource Software using Snort and IPChains. The product comes with monitoring and constant signature updates for the IDS functionality, so that could be seen as the "value-add" for buying what is basically a bunch of free software in a PC box.
with few, if any of them, actually auditing the code for security holes before installing it to protect their mission-critical data.
In my 20 years of experience as a systems programmer, I am well-versed in the idea that it is much easier to throw out the existing code base and start from scratch rather than wasting time on trying to fix horribly flawed or poorly documented code that can be millions of lines long. Therefore, it should not come as much of a surprise that the security-conscious agencies in the federal government (CIA, NSA, DIA, Dept. of Commerce, etc.) largely write their own software inhouse rather than rely on fixing up something like Linux and hoping that they caught all the bugs. I mean, really folks, let's face it: Linux was designed by many people in a chaotic manner, and rarely were the features implemented with security at the top of their priorities.
So while it is all well and good that Guardent is trying to sell free software to enterprise customers, I can certainly see why major corporations would be hesitant to trust their security to messy open source software. Besides the fact that most of the biggest customers of closed source software vendors get to see the sourcecode for review anyway, because they are paying so much money for support, etc.
Is your company running tools written by ma
NetWolves' FoxBox/WolfPac is really a rackmount PC running FreeBSD. The front end and "glue" is proprietary and there's licensed software in it, but most of the heavy lifting in the services it provides--firewall, VPN, file sharing, etc.--is done by free software. And it offers intrusion detection being run by Snort.
I'm sure there are other little companies doing similar things--this is just leveraging open source IDS software in "turnkey appliances" the same way it's been leveraged for other services. eSoft's Instagate Firewall/VPN product is Linux-based, and every Slashdot reader knows Sun Cobalt....
OpenBSD has a fantastic reputation for security. However, there are several side notes that probably pushed linux over the top.
1) LIDS. If they're using a 2.4 kernel, they can do LOTS of nice security things, like striping root of lots of it's dangerous abilities. Less danger if root is cracked. I don't know if LIDS is in use, but it probably should be.
2) Your 'better firewall and nat features, syntax' is highly debatable. As somone else pointed out, IPTables stateful inspection is far ahead of either ipfilter or pf. And your syntax comment is nothing more than a personal preference.
3) I don't like this reason much, but 'Linux' is much more widely recognised in the business world than 'OpenBSD'. When you come down to it, you have to be able to market this thing. Is this the way it should be? No. But it is, and we have to deal with it.
Zapman
Because OpenBSD's connection state tracker with ipfilter isn't as good as iptables.
Dont get me wrong, I like the syntax of ipf more, but I hate every minute of being behind my firewall when it was openbsd.
I cant comment on ipf or pf, but I do agree that iptables is a huge jump in firewall ability for linux.
I was behind an ipchains firewall, and I had tried every trick in the book, but there was no way to get 2 people an my subnet to play each other over battlenet. Plus my firewall script was a huge mess, hard to maintain. And the automatic IPchains load/restore didnt save port-forward settings properly- so I had to hook in another shell script to kick it off.
With a 2.4 kernel upgrade and iptables, my firewall does more, anyone can play starcraft even vs each other, it restores after power failure automatically with no initscript hacking, and the shell script to kick it off it simple and easy to understand.
So I like iptables.
But I typically poke around at least a little bit in any application I run to see if it's doing what it says. That's also why I run Microsoft products behind restrictive ACLs -- I can't see what they're trying to pull by looking at the code, so I am forced to explicitly restrict those bastards.
What can I say, I like to make sure my installation works before I hang my job security on it. I'm astounded that more people don't. Then again, I worked with grumpy old bastards like you and discovered that they were the ones whose installations stayed up and didn't get hacked. Must have made an impression...
At IBM, long before the Linux jihad started, I was told to use free software but audit the code and license first. That's what I've been doing ever since, although I don't work at IBM anymore, and haven't for years.
Remember that what's inside of you doesn't matter because nobody can see it.
I had even toyed with the idea of writing my own web interface, pretty blinky lights on the box itself, etc. and selling these things myself.
I really don't think end-users have any need to configure a network security product. People who do need to set these up judge them based on their maintainability, configurability, and suitability to task.
Believe it or not, in many cases a CLI interface is MUCH easier to deal with than a GUI. In addition, most GUI's for security products are simply pretty interfaces to the text-based back ends, and may or may not be up to date with all of the capabilities of the CLI tools (always developed first). The GUI can, and will, screw things up (trust me on this...I used to test and certifiy commercial firewall/vpn products for a living, and have seen every interface under the sun and can name some very big well-known companies whose GUI would totally hose the firewall/VPN config under certain conditions, but the CLI tools would work just fine)
The GUI adds tons of complexity to the programmer's job, just for an INTERFACE! This time can be much better spent on writing and improving the tool itself. Why do you think so many linux GUI tools are simply interfaces to existing text tools? The guys writing the actual TOOL spend their time on that, and somebody else decides to write a different interface to it. No problems there.
Snort is really nice, but I've had problems with it. First of all, if you have it listening on a dial-up and the dial-up goes down, so does snort. Now that's not a big problem, but it makes me wonder about the internal design. An IDS shouldn't quit on it's own, for any reason.
Second, on an RH7.0 machine, snort quits randomly for no apparant reason, and with no diagnostic message. I don't know if that's my fault, or what, it must be since nobody else seems to complain about it. But an IDS shouldn't quit on it's own.
Third, I was making some changes to the code and noticed some sloppy coding, including diagnostic messages not terminated by nulls, and convoluted string-matching code that would match some bytes twice. Again not a big deal, but when you see something like that, you start to wonder what else might be flakey. Will it miss something in a string someplace else?
Fourth, I sent patches for some of this to the authors, for instance rewriting the string matching code down to a few clear lines, and was ignored. After a few new versions came and went I gave up on my patches.
So hopefully this new commercial support will help get Snort cleaned up. But I for one will be very suspicious of using Snort for more than a home LAN. Probably what it needs is a ground-up re-write along the lines of BIND9.
I hate to criticize open-source software, especially something as useful as Snort (I do use it regularly). But when it comes to security stuff, code should be bulletproof and clean.
I'm sorry, but Guardent are only one single company. However, the employees of Guardent is all individuals.
The use of plural verbs with collective nouns when talking about the actions of the whole group ranks right up there with using the word virii as the most pretentious grammatical annoyance one can find. It's not a matter of national importance or anything, just a pet peeve.
-B
Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.
I was a longtime sr. security architect at a NSP with security services ranked highly by Gartner. One thing I know from interaction with hundreds of customers is that they are interested in your assurances far more than the products you use. We had occasion from time to time to shift vendors, and the customers did follow. There are plus and minus points to everything. The real market isn't for an appliance, but for services sold month-to-month or year-by-year which implement traditional security methods (firewalling, vuln. analysis, IDS, etc) using free software. Instead of saying, "trust this software", you simply say, "We use best-of-breed tools" and you use YOUR reputation to back them.
This isn't all that common yet, although nessus is making a lot of headway being used commercially. It will be more common, though, if the OSS alternatives remain ahead of the curve in development (and eventually probably get funding).
I work for MontaVista Software, a vendor providing a Linux distribution tailored for embedded system use and development. We do a lot of patches both to the kernel and included software, and push back every one we can. Why? Because the development costs of maintaining our own tree separate from the primary tree for each application we include are just way too high. Folks who don't contribute back, thus, are just shooting themselves in the foot by failing to take full advantage of the open source model.
Having commercial users, then, lends itself to having patches, bug reports and the like provided; monetary donations, while nice, hardly strike me as so necessary. Most heavy commercial users of open source also hire at least one heavy developer to the projects they use; paying these folks' salaries certainly should count as financial contribution towards the project.
What I'm saying here is that just as a result of use, any commercial user of open source savvy enough to take full advantage of the development model (by having the community maintain a unified tree, having their own paid developers contribute so their customers get the features they need, &c) is providing all the benefit to the community they should be obligated to provide. There certainly should be no guilt trip for them to give back even more. Any vendor not savvy enough to take advantage of the model is just shooting themselves in the foot and should be urged to contribute to the community for reasons of self-interest rather than goodwill -- this sort of reasoning is much more likely to succeed.
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
Remote root exploits. I find this to be an extremely important feature in choosing a platform for a firewall product.