Guardent To Sell Snort And Nessus

Cally writes: "An interesting article appeared on the Info-Sec News list the other day about Guardent's new security appliance. Based on Snort, Nessus and IPTables, Guardent are taking the unusal step of trying to sell a product based on Free software into the highly resistant corporate security market. Although Free/Open security software is widely acknowledged to be better than commercial alternatives, it's rarely been trusted in the enterprise - the article points out that, although the NSA use Free software, the need for an expensive government audit prevents the government from saving money and improving security."

Re:FreeBSD network Stack

[Jeremiah+Cornelius]

It's not quite right to refer to the Windows IP stack as FreeBSD.

Like almost every IP implementation, the one in Win32 is heavily based on the Berkeley Net4 code. This is hardly surprising. The Berkeley implementation was TCP/IP - long before ther were others. Large blocks of the original Berkeley Net code appear to be copied unmodified in the NT/2000/XP system. This is probably true of AIX, Solaris, etc...

This is a feature of the Berkeley licence.

why linux as a platform? (import post.not_a_troll)

OpenBSD has several advantages over Linux for this application:

• More cohesive codebase, tighter integrated security audits. (==more secure foundation to work from)
• Better firewall and nat features, syntax.
• BSD-licensed foundation, so no hassles if you're using it in a product.
• Cooler logo. ;-)

And of course, since the OpenBSD community has a lot of paranoid ... oops, er ... "security aware" people in it, all the security tools you could ever want are either native or seamlessly ported.

Quite frankly, seeing someone selling a security solution based on open source software and finding out the OS isn't OpenBSD is like finding your cousin Larry using an egg beater to polish his car's paint... You know they must have some reason, but damn if it has any obvious logic to it...

(Linux has it's own place. I use it a lot for developing and deploying java applications, also it's a better DB platform than obsd becuase it has SMP support. Right tool, right job. For security, obsd is the right tool.)

Spouting

[1984]

"Although Free/Open security software is widely acknowledged to be better than commercial alternatives..."

I'm sure this point will rapidly become a chorus in this thread, but that sentence is pointless fluff.

Open source means you can could inspect the source. Iff you choose to expertly inspect the source you may come to understand the security parameters of the application. You'll know how it works, and a lot of what it depends on in terms of libraries, OS calls etc. And you can evaluate on those terms whether it provides an adequate level of security for the environment in which you intend to use it.

If you haven't audited the code, all you know is that the code is auditable. You know nothing about the security of the system.

Most of us here haven't performed any of these steps on systems like OpenSSH, for instance. Instead we rely on two things: that someone else has peformed a competent, honest audit; that so many people use it that if it had problems we'd all know (surely). Both of those are flimsy, when you come right down to it.

Open source only means you could audit it if you wanted to. It doesn't make it any more or less secure than anything else.

No audits for closed source ?

[alphaque]

although the NSA use Free software, the need for an expensive government audit prevents the government from saving money and improving security.

I find this statement terribly interesting. This implies that opensource software is more heavily auditted by the US government than closed source software.

Does anyone else find this ludicrous ?

One of the basic tenets of opensource software is that its bugs/vulnerabilities are presented for worldwide review. Any holes, trojans or vulnerabilities are caught faster and fixed almost immediately. Eric Raymond's find-fix-release cycle has been pretty much implemented in all active opensource projects. I find it interesting that the government, even if it is the NSA, is suspicious of opensource software, yet will trust the closed source products they buy. Isnt this placing your bets in the wrong basket ?

I wont got into the benefit of using opensource in detail, for it is bound to be flogged like a dead horse in the ensuing /. discussion below, but surely to suggest increased audit spending on opensource is FUD.

Additionally, it peeves me a little when everytime opensource is mentioned, the immediate line is drawn to Linux. I think the existence of other top notch operating systems such as FreeBSD, NetBSD and OpenBSD should also play a role in government procurement. The mindshare which Linux has managed to garner in this space is eclipsing decision makers away from proper evaluation and just jumping on to the Linux bandwagon.

After all, one of the basic tenets of opensource is choice. We dont want the lack of choice we have replaced with another lack of choice in operating systems, Linux only.

Re:No audits for closed source ?

[TeeWee]

I find this statement terribly interesting. This implies that opensource software is more heavily auditted by the US government than closed source software.

Does anyone else find this ludicrous ?

This is actually quite sensible. Someone has to pay for the audits. In commercial applications, it will be the vendor.

But with OSS, it isn't clear who is the one responsible for the audits. And it isn't clear which version will be audited (with a theoretically possible fix made every minute). So, it will probably have to be the version to be implemented. Since there is no clear responsible party who can fund the audit, it will have to be the customer.

So in that sense, it is the customer who winds up for the cost of the audit directly, while with commercial products, it will be the vendor who winds up for the cost (and calculates that back into the price of the product).

In one sense, the customer paying for it is preferable, since they can now see how the money is being spent, on the other hand, having the customer pay for it prevents the spreading of the cost. In commercial products, every customer pays for a part of the costs, in OSS, every customer has to pay for the complete audit again unless the results are frozen.

Giving back to the community

[Radium_]

I hope that, if they make profit using these free softwares, they give some money back to the developers. I know that Renaud Deraison, one of the Nessus core developers, is tired of seing derivatives of his product sold by many companies which *never* give anything (bug reports, patches, plugins, money) back.

Hell, free software needs financial *and* technical support from those who use it. Or you won't be able to use it very long.

Re:Giving back to the community

This may be crazy, but if you don't want people doing bad thing X with the code you produce, don't use a license that explicitly permits them to do X.

Re:why linux as a platform? (import post.not_a_tro

[Zapman]

OpenBSD has a fantastic reputation for security. However, there are several side notes that probably pushed linux over the top.

1) LIDS. If they're using a 2.4 kernel, they can do LOTS of nice security things, like striping root of lots of it's dangerous abilities. Less danger if root is cracked. I don't know if LIDS is in use, but it probably should be.

2) Your 'better firewall and nat features, syntax' is highly debatable. As somone else pointed out, IPTables stateful inspection is far ahead of either ipfilter or pf. And your syntax comment is nothing more than a personal preference.

3) I don't like this reason much, but 'Linux' is much more widely recognised in the business world than 'OpenBSD'. When you come down to it, you have to be able to market this thing. Is this the way it should be? No. But it is, and we have to deal with it.