Slashdot Mirror


Free Open-Source vs. Commercial Security Tools?

sahirh asks: "I work as a penetration tester and recently started writing a whitepaper on the benefits of free, open-source security tools over commercial tools. Through my own experiences, I've found that many free tools such as Nessus and Kismet are more reliable and have better features than expensive commercial alternatives like ISS Internet Scanner or Airopeek. I've also noticed that tools like Ettercap have no commercial alternative. Further, the flexibility offered by the open-source nature of such tools is a great benefit. I'd like to ask for Slashdot's experiences and opinions on why you don't need to spend thousands of dollars on an expensive tool to perform a professional security assessment." Update: 02/07 11:15pm EDT by C : Thanks to all who wrote in to let us know the proper URL to the Kismet site.

234 comments

  1. I want his job by YankeeInExile · · Score: 5, Funny

    I have no joke here, I just like saying, I work as a penetration tester ...

    --
    How does the Slashdot Effect happen given that no slashdotters ever RTFA?
    1. Re:I want his job by Aliencow · · Score: 4, Funny

      As long as you're not a "backdoor AnalYzer" ..

    2. Re:I want his job by Anonymous Coward · · Score: 1, Funny

      I have determined that there is a vulnerability in your sister.

    3. Re:I want his job by YankeeInExile · · Score: 1

      An anonymous coward said:

      I have determined that there is a vulnerability in your sister.
      Well, duhhhh. My sisters have six children and four grandchildren between them. I am sure in their day they were MILFs to someone ...
      --
      How does the Slashdot Effect happen given that no slashdotters ever RTFA?
    4. Re:I want his job by Anonymous Coward · · Score: 0

      In my job I engineer large decks made of steel beams. When a designer want to run a pipe or cable through my beam, they need to formally ask me if it's ok.

      I never fail to be amused when I tell a PYT that she needs to give me a penetration request.

    5. Re:I want his job by El+Gordo+Motoneta · · Score: 0, Offtopic


      I have determined that there's *NOT* a vulnerability in your sister.

      I'd be worried if i were you.

    6. Re:I want his job by Anonymous Coward · · Score: 0

      ...and I thought for certain this one would end in an erection joke.

    7. Re:I want his job by LurkerXXX · · Score: 1

      You just know that has to be a nice conversation starter in the bars. ;)

    8. Re:I want his job by FrankNputer · · Score: 1

      Hey - better to be the Anal-Yzer than to get Anal-Yzed...

    9. Re:I want his job by Anonymous Coward · · Score: 0

      I already do this as a hobby. I wouldn't want to do it as a job. What if I start to hate it?

    10. Re:I want his job by Anonymous Coward · · Score: 0

      that's "Anal-ist"

  2. Snort by ikewillis · · Score: 3, Interesting

    One of the best NIS tools available, the only thing you can get better are... commercial Snort derivatives. Not mentioned, WTF?

    1. Re:Snort by yotto · · Score: 1

      You just mentioned it. This is Ask Slashdot, not a news article.

    2. Re:Snort by SquadBoy · · Score: 2, Informative

      Sourcefire. Martin Roesch's company. It gives you, the admin, the goodness of Snort and OSS tools and gives your bosses a contract to feel all warm and fuzzy about. Pretty much a win-win. I love my Sourcefire boxen and they cost less than the other commercial IDSes.

      --

      Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
    3. Re:Snort by checkitout · · Score: 2, Informative

      It gives you, the admin, the goodness of Snort and OSS tools and gives your bosses a contract to feel all warm and fuzzy about.

      Actually we found that Sentarus is a much better snort-based product. We kicked Sourcefire out after 2 weeks, they just don't get the concept of a GUI. Talk about butt ugly and unmanageable.

    4. Re:Snort by gclef · · Score: 3, Informative

      Snort's not really a pen-test tool, though.

      For pen-testing, check out the Metasploit framework. It's truly cool.

      Also, have a look for scanrand, part of paketto keiretsu (doxpara.com appears to be having trouble right now, so don't go looking right now).

      There's always the old standbys, as well, like dsniff.

    5. Re:Snort by DasAlbatross · · Score: 1

      The poster didn't mention every tool ever written? The bastard!

    6. Re:Snort by gclef · · Score: 1

      I know it's bad form to reply to your own posts, but having re-read the Ask Slashdot question (reading comprehension good), it seems he's not looking for a list of good open-source tools. Instead, he's looking for a discussion of "why you don't need to spend thousands of dollars" on expensive tools.

      Ummm...'cause tools with the same functionality are available for free? Seriously, I think part of it's just social...the hackers who write the tools tend to be more the open-source mentality than the corporate thought-process.

  3. Penetration Tester by jmaxwell39648 · · Score: 0, Troll

    How can you tell someone what your job is without laughing? I need that gig. Penetration Tester. Bah.

    1. Re:Penetration Tester by Anonymous Coward · · Score: 0

      obvious (security) holes

      Does this mean he is gay?

  4. Freeloader by Anonymous Coward · · Score: 0, Troll
    So what you're saying is "I want Slashdot to write a Whitepaper for me so I can take the credit and get high paying consulting gigs."

    Did I get that right?

    1. Re:Freeloader by GryphonTech · · Score: 1

      So what you're saying is you are a troll...... Stop trying to antagonize everyone. This is what Open source is all about. The free and Open sharing of information. Take freely available software and earn our money adapting it to our clients' needs. We also make our money fixing bugs and patching windows systems. Hopefully landing a contract to help the company migrate from M$ to better alternatives. A very simple way to earn a living and I have no problems helping someone else do the same.

  5. Valuable Open Source Security Assessment Tools? by kiwidefunkt · · Score: 5, Informative

    Ethereal, nmap, and snort always get the job done for me.

    --
    www.kiwilyrics.com - a wiki for lyrics
    1. Re:Valuable Open Source Security Assessment Tools? by Mr.+Sketch · · Score: 2, Informative

      Agreed. I usually throw in tripwire too from the start, it makes things easier later on.

    2. Re:Valuable Open Source Security Assessment Tools? by Gyorg_Lavode · · Score: 3, Interesting

      How do you use Snort and Tripwire (from the child's response) for penetration testing and risk assessment? I understand using them as part of an IDS, but not for the initial risk assessment.

      --
      I do security
    3. Re:Valuable Open Source Security Assessment Tools? by niekko · · Score: 2, Informative

      Same here. And about the open vs. commercial, I've been using both Ethereal and Network General's Sniffer and in my opinion Ethereal is way much better starting from the simple GUI.

    4. Re:Valuable Open Source Security Assessment Tools? by Homology · · Score: 4, Informative
      Ethereal, nmap, and snort always get the job done for me.

      Heh, recommending a security tool that OpenBSD removed because the Ethereal team does not care about security

      Mark it as BROKEN:

      Right during 3.5, it had more than a dozen remote holes being fixed, that we shipped with. Weeks later things have not improved, and there continue to be problems reported to bugtraq, and respective band-aids - but it is clear the ethereal team does not care about security, as new protocols get added, and nothing gets done about the many more holes that exist.

      Just because something is open source does not imply that it's secure.

    5. Re:Valuable Open Source Security Assessment Tools? by Anonymous Coward · · Score: 0

      What is the value of snort, exactly? Or any IDS tool, for that matter?

      Yes, you might detect a port scan, or someone trying a canned exploit on your webserver, etc. But if you're already doing the proper logging, you already have access to that information. IDS seems like a solution to a problem that should already have been solved, if one is concerned with security issues. And it doesn't really provide any defense, per se; yes, you know someone's attempting to break into your system, but you can't -do- anything about it without using additional measures.

    6. Re:Valuable Open Source Security Assessment Tools? by Stephen+Samuel · · Score: 4, Informative
      Heh, recommending a security tool that OpenBSD removed because the Ethereal team does not care about security

      I was just thinking about structural ways to work around this in ethereal (like priv sep) -- in the meantime, I would point out that the biggest difference between ethereal and its commercial equivalents is that, with ethereal, you find out about the security problems quickly -- whereas with commercial equivalents, you might not find out for a while (if ever), and you'll probably end up paying for the upgrade to make it secure.

      Another point is that it's most often the newer dissectors that contain the holes. If you're worried about security and working in a 'hostile' environment, you're probably best to disable any dissector that you're not intending to use. -- in fact, that might be a good idea to do in Ethereal, generally: Disable all but the most common dissectors and wait for the user to enable them explicitly.

      --
      Free Software: Like love, it grows best when given away.
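
      To make the "disable every dissector you don't need" point concrete, here is an added example (not from the thread and not Ethereal's code): a toy frame decoder with a dissector registry and an allowlist. Frames whose EtherType is not on the allowlist are returned as opaque bytes, so the parser for that protocol, bugs included, is never reached. The IPv4 decoder, the experimental 0x88B5 dissector with its deliberate missing length check, and the frame bytes are all constructed for the demo.

```python
"""Toy packet decoder with a dissector allowlist (constructed example).

The attack surface of a sniffer is the set of parsers it will run on
attacker-controlled bytes. Disabling a dissector removes its parser from
that set; the frame is still shown, just as raw bytes.
"""
import struct
from typing import Callable, Dict, Optional, Set

Dissector = Callable[[bytes], dict]
REGISTRY: Dict[int, Dissector] = {}  # EtherType -> dissector function


def dissector(ethertype: int):
    """Decorator: register a parser for one EtherType."""
    def register(fn: Dissector) -> Dissector:
        REGISTRY[ethertype] = fn
        return fn
    return register


@dissector(0x0800)
def dissect_ipv4(payload: bytes) -> dict:
    """Minimal IPv4 header decode that checks lengths before indexing."""
    if len(payload) < 20:
        raise ValueError("truncated IPv4 header")
    version_ihl = payload[0]
    version, ihl = version_ihl >> 4, (version_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or ihl > len(payload):
        raise ValueError("malformed IPv4 header")
    (total_len,) = struct.unpack_from("!H", payload, 2)
    src = ".".join(str(b) for b in payload[12:16])
    dst = ".".join(str(b) for b in payload[16:20])
    return {"proto": "ipv4", "src": src, "dst": dst,
            "ip_proto": payload[9], "total_len": total_len}


@dissector(0x88B5)  # IEEE 802 local experimental EtherType
def dissect_experimental(payload: bytes) -> dict:
    """Stand-in for a new, less-tested dissector: it trusts the frame and
    indexes into the payload without a length check (constructed bug)."""
    return {"proto": "experimental", "flag": payload[10]}


class Decoder:
    """enabled=None means 'every registered dissector' (the permissive
    default); pass a set of EtherTypes to get allowlist behaviour."""
    def __init__(self, enabled: Optional[Set[int]] = None):
        self.enabled = set(REGISTRY) if enabled is None else set(enabled)

    def decode(self, ethertype: int, payload: bytes) -> dict:
        fn = REGISTRY.get(ethertype)
        if fn is None or ethertype not in self.enabled:
            # Disabled or unknown protocol: never parsed, only described.
            return {"proto": "raw", "ethertype": ethertype, "length": len(payload)}
        return fn(payload)


def outcome(decoder: Decoder, ethertype: int, payload: bytes) -> str:
    """Summarise what happened: the protocol name, or the parser error."""
    try:
        return decoder.decode(ethertype, payload)["proto"]
    except Exception as exc:  # a crashing dissector is the failure we care about
        return f"error:{type(exc).__name__}"


# Constructed sample frames: a 20-byte IPv4 header and a too-short
# experimental frame that trips the unchecked index above.
IPV4_FRAME = bytes([0x45, 0x00, 0x00, 0x14, 0, 0, 0, 0, 64, 6, 0, 0,
                    192, 0, 2, 1, 198, 51, 100, 2])
SHORT_EXPERIMENTAL = b"\x01\x02"

if __name__ == "__main__":
    print(outcome(Decoder(), 0x88B5, SHORT_EXPERIMENTAL))          # permissive default
    print(outcome(Decoder({0x0800}), 0x88B5, SHORT_EXPERIMENTAL))  # allowlist
```

      With the permissive default the short experimental frame crashes the decoder; with only IPv4 enabled the same frame comes back as raw bytes and the IPv4 frame still decodes normally.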
    7. Re:Valuable Open Source Security Assessment Tools? by drakethegreat · · Score: 1

      I want to mention that it seems nobody has mentioned any tools for tasks that aren't involved with networks. Such as reverse engineering, encryption breaking, etc.

    8. Re:Valuable Open Source Security Assessment Tools? by Stephen+Samuel · · Score: 2, Interesting
      Right during 3.5, it had more than a dozen remote holes being fixed

      Part of the nature of ethereal is that just about any hole is going to be a remote hole, since it is pretty much only dealing with remote (network) data. This is made worse by the fact that it's usually run as root and has no privilege separation (that I know of). OBSD, on the other hand, has the luxury of separating remote holes from local holes when they carp about OpenBSD's security.

      This, however, does not excuse the ethereal community's somewhat lackadaisical attitude towards security. Quite to the contrary, you could argue that it makes security in the design all the more important.

      --
      Free Software: Like love, it grows best when given away.
    9. Re:Valuable Open Source Security Assessment Tools? by scottv67 · · Score: 1

      Snort can be configured to send TCP resets to an attacker therefore blocking the attack. A cool way to use this is to put Snort on the inside network and have it watch the traffic coming in from the Internet. When it sees an attack, it sends a Reset to the attacker. The firewall sees that outbound Reset and tears down the TCP connection. When the next packet arrives from the attacker, the firewall says "I don't seem to have an existing TCP connection for you. To the bit bucket you go." Snort is also pretty handy at blocking P2P traffic because it works at Layer 7 (where most firewalls do their stuff at Layer 3). Once you get comfortable with Snort and then realize you are spending 40 hours a week tuning and updating the box, you move to a real IDP like the Juniper Netscreen IDP. Thanks, -Scott
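
      The reset-and-teardown sequence Scott describes (sensor on the inside, RST goes out, the stateful firewall forgets the connection, the attacker's next packet is dropped) is easy to misread, so here is an added simulation of it (not from the thread and not Snort's code). The firewall only tracks a connection table keyed on addresses and ports; the sensor is a payload matcher that answers a hit with a RST toward the sender. The addresses, the port 80 policy and the signature string are all constructed for the demo.

```python
"""Simulated stateful firewall with a Snort-style sensor behind it (constructed)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str          # TCP flags as letters: "S", "SA", "A", "PA", "R"
    direction: str      # "in" = arriving from the Internet, "out" = leaving the inside
    payload: bytes = b""


ConnKey = Tuple[str, int, str, int]  # (client, client_port, server, server_port)


def conn_key(pkt: Packet) -> ConnKey:
    """Map both directions of a flow onto one table key (initiator side first)."""
    if pkt.direction == "in":
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
    return (pkt.dst, pkt.dport, pkt.src, pkt.sport)


class StatefulFirewall:
    """Layer 3/4 filter: decides on ports, flags and a connection table, never payload."""
    def __init__(self, allowed_inbound_ports):
        self.allowed = set(allowed_inbound_ports)
        self.table: Dict[ConnKey, str] = {}

    def process(self, pkt: Packet) -> str:
        key = conn_key(pkt)
        if "R" in pkt.flags:
            self.table.pop(key, None)       # a reset from either side ends the flow
            return "ALLOW"
        if key in self.table:
            return "ALLOW"                  # part of a known connection
        if pkt.direction == "out":
            self.table[key] = "ESTABLISHED" # inside hosts may open outbound flows
            return "ALLOW"
        if pkt.flags == "S" and pkt.dport in self.allowed:
            self.table[key] = "SYN_SEEN"    # new inbound flow to a published service
            return "ALLOW"
        return "DROP"                       # no connection for you: bit bucket


class SnortLikeSensor:
    """Layer 7 matcher on the inside segment; a hit produces a RST toward the sender."""
    def __init__(self, signatures: List[bytes]):
        self.signatures = signatures
        self.resets_sent = 0

    def inspect(self, pkt: Packet) -> Optional[Packet]:
        if any(sig in pkt.payload for sig in self.signatures):
            self.resets_sent += 1
            # RST addressed to the attacker, leaving through the firewall
            return Packet(pkt.dst, pkt.src, pkt.dport, pkt.sport, "R", "out")
        return None


def run(packets: List[Packet], fw: StatefulFirewall, sensor: SnortLikeSensor) -> List[str]:
    verdicts = []
    for pkt in packets:
        verdict = fw.process(pkt)
        verdicts.append(verdict)
        if verdict == "ALLOW" and pkt.direction == "in":
            rst = sensor.inspect(pkt)       # sensor only sees what the firewall passed
            if rst is not None:
                fw.process(rst)             # outbound reset tears down the firewall state
    return verdicts


def demo() -> Tuple[List[str], int]:
    """Constructed scenario: inbound port 80 is open, the fourth packet matches
    the signature, the fifth is dropped because the connection entry is gone."""
    fw = StatefulFirewall(allowed_inbound_ports={80})
    sensor = SnortLikeSensor(signatures=[b"CONSTRUCTED-ATTACK-SIGNATURE"])
    atk, web = "203.0.113.7", "192.0.2.10"  # documentation address ranges
    packets = [
        Packet(atk, web, 40000, 80, "S", "in"),
        Packet(web, atk, 80, 40000, "SA", "out"),
        Packet(atk, web, 40000, 80, "A", "in"),
        Packet(atk, web, 40000, 80, "PA", "in", b"GET /CONSTRUCTED-ATTACK-SIGNATURE HTTP/1.0\r\n"),
        Packet(atk, web, 40000, 80, "PA", "in", b"follow-up data from the same source"),
    ]
    return run(packets, fw, sensor), sensor.resets_sent


if __name__ == "__main__":
    print(demo())
```

      Note that the firewall itself allowed the matching packet: it has no idea what a payload means, which is the "Layer 3 versus Layer 7" split in the post. The drop only happens on the next packet, after the sensor's RST has removed the table entry, so a one-packet attack still gets through; the reset limits follow-on traffic, it does not prevent the first hit.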

    10. Re:Valuable Open Source Security Assessment Tools? by scottv67 · · Score: 2, Interesting

      The other cool thing you could do with Snort (if you are a consultant conducting a network security assessment) is to deploy Snort on the inside network and then show the customer all of the IIS-based attacks that are making it through their Layer 3 firewall because they have their firewall configured to allow inbound TCP port 80 to their webserver.

      "But I thought my firewall blocked that stuff!!!"

      -Scott

    11. Re:Valuable Open Source Security Assessment Tools? by Anonymous Coward · · Score: 1, Informative

      Here's a good security tools resource:

      http://www.liveammo.com/LiveAmmo_Security_Tools_Directory.htm

      Mostly open-source tools for pentesting, although they list some commercial tools as well.

    12. Re:Valuable Open Source Security Assessment Tools? by goonda · · Score: 0, Flamebait

      This is precisely why many people have opted to migrate off OpenBSD to other open-source alternatives. Now that pf has been fully integrated into FreeBSD 5.3, I really don't have a compelling reason to use OpenBSD anymore.

    13. Re:Valuable Open Source Security Assessment Tools? by Homology · · Score: 1
      This is precisely why many people have opted to migrate off OpenBSD to other open-source alternatives. Now that pf has been fully integrated into FreeBSD 5.3, I really don't have a compelling reason to use OpenBSD anymore.

      Then those people did not use OpenBSD because of its security. OpenBSD removed a package that has many remote holes and is typically run as root. I think that is a good reason to continue to use OpenBSD. For those that still must run Ethereal, they can just do the usual ./configure && make install stuff.

  6. Accountability by JaxWeb · · Score: 3, Insightful

    If I were to choose software protecting my company, I would use commercial software. Why? Because if something does go wrong, it is the vendor's fault and not yours. With free software, it is your fault.

    However, for protecting yourself, I think there are ethical reasons to use Free Software - Stallman argues that you should choose software for those reasons alone, and not technical reasons. If you listen to Linus, however, he tells us that technical reasons are valid reasons to choose software. Your decision on this issue is the first step to your overall decision.

    --
    - Jax
    1. Re:Accountability by Nothinman · · Score: 3, Interesting

      Right, because pointing a finger at someone you can't really hold accountable or make a lawsuit against is worthwhile. Telling your CEO "but the tool didn't see that problem" potentially makes you look just as dumb as the tool you paid for.

      I'm on our network security team and when doing audits we do have a few commercial tools, but we also use OSS tools like Nessus because IME they're better overall.

    2. Re:Accountability by yamla · · Score: 5, Interesting

      So, you believe that EULAs are completely unenforceable?

      --

      Oceania has always been at war with Eastasia.
    3. Re:Accountability by Keamos · · Score: 2, Funny

      Yeah, and if it were up to Stallman, we'd be using HURD.

    4. Re:Accountability by jvagner · · Score: 1

      If I were to choose software protecting my company, I would use commercial software. Why? Because if something does go wrong, it is the vendors fault and not yours. With free software, it is your fault.

      How does this work in the real world, exactly?

      IME, it's always your fault, as it should be, mostly.

    5. Re:Accountability by fm6 · · Score: 3, Insightful
      Telling your CEO "but the tool didn't see that problem" potentially makes you look just as dumb as the tool you paid for.
      Why? It's not your job to see the problem. By hiding the implementation of the security software, its designers assumed responsibility for making it reliable.

      Passing the buck is standard corporate politics. It's true that this leads to a lot of dysfunctional organizations and bad decisions. But if you choose to fight this trend, you better be very good at what you do. And at covering your ass.

    6. Re:Accountability by Anonymous Coward · · Score: 1, Funny

      Yeah, tell that to my network admin that came to shut us down because ISS said that our linux servers were sending windows viruses. And when questioned about false positives he let us know that it was impossible that a software so expensive was wrong.

    7. Re:Accountability by Anonymous Coward · · Score: 0

      It IS your job to see the security problem!!!

      Don't you get it?

      The tools are there to help you, but your best tool is your brain and if they didn't need you and just the tool, they would have just used the tool themselves.

      Passing the buck is a thing that corporations do, true. But many corporations go out of business; your goal is to provide a secure environment, not watch your ass.

      If all your job is is to watch your own ass, then you're a bureaucrat.

    8. Re:Accountability by Anonymous Coward · · Score: 0

      You are partially right. Commercial software is good for covering your rear end, so long as you didn't recommend that software. However if I recommended that software I still look like a fool when they fail.

    9. Re:Accountability by Anonymous Coward · · Score: 0

      One day software purchasers will be held accountable for the quality of the software they choose. The continuous improvement of the quality of OSS is pushing us towards that day.

    10. Re:Accountability by ifwm · · Score: 2, Interesting

      "you can't really hold accountable or make a lawsuit against is worthwhile"

      Why can't you? The law on this is untested in many areas. What makes you so sure you couldn't make a case against them?

    11. Re:Accountability by Anonymous Coward · · Score: 0

      And it can be the company's fault, and they have absolutely zero responsibility to you.

      You can blame them all you like, but don't expect money or any form of acknowledgement from the company.

      They can tell you directly to piss off, and there isn't shit you can do. Sue them? AHHAHAHHA, that's cute and funny.

    12. Re:Accountability by fm6 · · Score: 1

      You're preaching to the choir. I know very well I have a responsibility to use my brain. But it's important to remember that corporate culture doesn't always reward you for using your brain. Indeed, it often punishes you for doing so.

    13. Re:Accountability by Anonymous Coward · · Score: 0

      Get a different job.

      If nobody allows you to do your job properly (ie thinking) then you have no chance for advancement.

    14. Re:Accountability by arose · · Score: 1

      You know that he uses Linux as his kernel, don't you?

      --
      Analogies don't equal equalities, they are merely somewhat analogous.
    15. Re:Accountability by cavemanf16 · · Score: 1

      This sounds like a troll. Shrink-wrap software is generally not protecting companies of a decent size (>100 or so employees is my wild guess). So who cares about EULA's in this respect? Service Level Agreements and other contractually binding (and checked by lawyers working for each company that is part of the deal) generally DO stipulate certain monetary penalties will be paid if a company's product fails to live up to certain agreed upon standards of usability.

      So YES, those "EULAs" ARE enforceable. Parent poster had it right, but only in certain circumstances. For a decent size company whose profits heavily depend on the software Just Working almost all the time, it would be better to go with a vendor that can pay up when things go horribly wrong. Think of it as "doing business" insurance. For the smaller guy, (and sometimes even the big guys), the FOSS alternatives still make sense.

    16. Re:Accountability by Daedala · · Score: 2, Informative

      "Because if something does go wrong, it is the vendors fault and not yours. With free software, it is your fault."

      Um, check the EULA. Unless you've written a change into your contract, it's unlikely that the vendor actually is responsible.

      Free software relieves you of the burden of believing the vendor's got your back. For the most part, they don't.

      --
      What I say does not represent the views of my employers, my friends, my cats, or myself.
    17. Re:Accountability by Anonymous Coward · · Score: 0

      Please remind me next time I'll see you to kick your golden ass.

    18. Re:Accountability by numark · · Score: 1

      There's a difference between idealism and realism, and even Stallman recognizes this. Just because he wishes HURD could be used widely, he also needs to get his work done, and Linux is the closest free software alternative to what HURD is going for.

      --
      Want Slashdot headlines on your site? Try SlashHead
    19. Re:Accountability by Anonymous Coward · · Score: 0

      he's in the corporate world, his job is kissing ass, not thinking.

    20. Re:Accountability by fm6 · · Score: 1
      I can't shoehorn my experience and beliefs into your black-and-white version of reality. It isn't a simple choice between doing a good job and going with the flow. Sometimes your bosses and fellow employees create a good environment where it's easy to do a good job. Sometimes they are total idiots who create a stifling environment where you can't survive except as a brown-nosed drone. But most often it's somewhere in between, where a certain amount of compromise and politicking is just a part of the job.

      Besides, sometimes you're the one that's full of shit. Copping the attitude "I know the right way to do this, and if you don't get it, fuck off!" is a recipe for disaster. You probably won't get away with it, in which case it's a disaster for your career. But some companies do let their employees get away with that kind of ego-tripping. Needless to say, they're hellish places to work.

    21. Re:Accountability by arose · · Score: 1

      Stallman has no problem using Linux -- it's free software after all. HURD has nothing to do with idealism.

      --
      Analogies don't equal equalities, they are merely somewhat analogous.
    22. Re:Accountability by Anonymous Coward · · Score: 0

      hey dumbass - you relieve them when you buy their product. maybe stop being a stupid IT moron lacking formal education and learn a little about life outside a computer.

    23. Re:Accountability by timmarhy · · Score: 1

      if i were hiring people to protect my company, i certainly wouldn't hire a sniveling gimp like yourself, why? because i want someone to be doing the best job they can, not spending all day dreaming up ways to cover their arsehole.

      --
      If you mod me down, I will become more powerful than you can imagine....
    24. Re:Accountability by j-turkey · · Score: 1
      If I were to choose software protecting my company, I would use commercial software. Why? Because if something does go wrong, it is the vendors fault and not yours. With free software, it is your fault.

      What commercial software package have you used that doesn't have an indemnification clause in it, protecting the vendor from any damages that the software caused?

      Is there any more reason to believe that the indemnification clause will hold up better for a business than, say, the FSF? I'd also wager that most businesses have a larger legal fund/team than the FSF.

      If you have a good manager whom you report to...wouldn't that manager be quick to point it out that it was your fault for choosing that vendor? The person who chose the vendor is still responsible for their poor decision-making, right? If you worked for me, and you recommended any bad software without properly evaluating it, I'd hold you responsible for it (regardless of the licensing model). If you work somewhere with bad management (anywhere, including at the Board of Directors), I guess that all of the normal rules are out the window.

      --

      -Turkey

    25. Re:Accountability by fm6 · · Score: 1

      The thing to avoid is not feeling like a fool. It's looking like a fool.

    26. Re:Accountability by Anonymous Coward · · Score: 0

      I didn't mean they'd solve it, I meant your boss wouldn't blame you as badly!

    27. Re:Accountability by jc42 · · Score: 1

      ... pointing a finger at someone you can't really hold accountable or make a lawsuit against is worthwhile. Telling your CEO "but the tool didn't see that problem" potentially makes you look just as dumb as the tool you paid for.

      Needless to say, this sort of finger pointing after a disaster is the norm in most organizations, corporate or governmental. But there's a strategy that can produce good security while covering your ass when the finger pointing starts.

      What you do is bring up the FOSS tools during discussions, but don't make a fool of yourself by pushing too strongly. The suits will, of course, decree a commercial "solution". You take the classses and get fluent with the decreed software. Meanwhile, in your copious free time (;-), you also download the free tools, and learn to use them.

      When the disaster happens, and the commercial tool didn't see the problem, you go through the standard finger pointing for a while. Then you casually drop in the fact that one of the free tools actually spotted it and led you to the problem. When they hit you with "Why didn't you report it?", you say "Oh, you must not have seen the memo I sent around." You did carefully make sure you had documentation on the problem, and copies of the memo (which they ignored because it was too technical for them).

      This way, you can get the benefits of multiple security tools, without hitting your bosses over the head with the fact that they paid for something that didn't do the job. And you've shown that you can do the job, although the main tools failed you.

      In most organizations, this is really about the best you can do. Too bad, but that's what groups of mere humans are like.

      (Yes; I have seen this scenario played out at work. Several times. They never learn. ;-)

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
  7. I have a similar job. by bigtallmofo · · Score: 4, Funny

    My job duties sound similar to the story poster... My job description is "Penetration Preventer". My business card title just says, "Cockblocker".

    --
    I'm a big tall mofo.
  8. Huh? by ajaf · · Score: 1, Informative

    I don't use commercial applications. I don't use programs for my security tests. I do the tests myself everyday.

    --
    ajf
    1. Re:Huh? by OblongPlatypus · · Score: 5, Funny

      You don't use programs? What, you put the cat-5 in your mouth and try to *taste* the intruders?

      --
      -- If no truths are spoken then no lies can hide --
    2. Re:Huh? by schon · · Score: 1

      Of course not - everybody knows that if you unplug the cat-5 cable all the data spills out!

    3. Re:Huh? by Anonymous Coward · · Score: 0

      that reminds me -- gotta go get fitted for my vampire tap dentures

    4. Re:Huh? by Lehk228 · · Score: 1

      just keep it pointed up until the last second before you plug it in.

      --
      Snowden and Manning are heroes.
  9. That's your day job... by AtariAmarok · · Score: 4, Funny

    "Penetration tester" is your day job, but tell me, do you solve crimes in the evening as a "private dick" ?

    --
    Don't blame Durga. I voted for Centauri.
  10. Hmmm by spiffy_dude · · Score: 3, Interesting

    It seems like there is an implicit bias in the question. I would like to see a fair assessment of commercial vs open source tools over a biased statement about how open source tools are better. I'm sure there are worthwhile products in both categories.

    1. Re:Hmmm by YrWrstNtmr · · Score: 1, Funny
      I would like to see a fair assessment of commercial vs open source tools over a biased statement about how open source tools are better.

      You're new here, right?

  11. Go to SANS training. by Matey-O · · Score: 5, Informative

    $3200 spent in a snort bootcamp made the need to buy a $120,000 IDS box moot.

    We were reviewing several six-figure pieces of equipment and found the same thing - we knew they saw traffic they didn't like, but we didn't know WHY.

    Now that everybody uses snort rules, the training is still helpful to show you WHAT you're seeing and IF it's truly bad or just another false positive.

    FWIW, why get the snort stuff one vendor removed? Just go straight to the source.

    --
    "Draco dormiens nunquam titillandus."
    1. Re:Go to SANS training. by JimmytheGeek · · Score: 3, Informative

      Amen! Go if you can.

      I dig Snort, been using it a while. The SANS training made it USEFUL. The course filled in gaps in my knowledge at a rapid rate, and I usually HATE computer training courses precisely because the bandwidth is too low.

      Richard Bejtlich wrote "Tao of Network Security Monitoring" which is a really, really good next step. (http://www.bookpool.com/.x/kzaxqc7ob1/sm/0321246772)
      It covers the use of a variety of different types of intrusion indicators to quickly get to the meat of the matter. He's critical of the SANS course as too bit-addled. I can see what he means - you do spend 2 days (of 6) on tcpdump, vs. just one on Snort per se, but that gives you a great background to use tons of other tools. Once you have that, the other tools are easy.

      SANS also has security auditing, incident handling, firewall + VPN, and some PHB type classes.

      I'm a fanboy.

    2. Re:Go to SANS training. by arnie_apesacrappin · · Score: 2, Informative
      He's critical of the SANS course as too bit-addled. I can see what he means - you do spend 2 days (of 6) on tcpdump, vs. just one on Snort per se, but that gives you a great background to use tons of other tools. Once you have that, the other tools are easy.

      I took the IDIC course a while back (i.e. my analyst number is less than 100) and noticed the same thing. The layout was a bit different then, but I caught myself thinking "why are we spending a day and a half reviewing TCP/IP?" After listening to the questions that some people asked, I realized that no matter how much you warn them, people just aren't prepared for the class. Having realized this themselves, the instructors adjusted the curriculum so they can drag as many people through to some level of competency.

      I did enjoy my SANS training and I wish I could find another employer that would pay for it. But if you are the kind of student that already knows the first three days of material, you may want to stay away from the track-based courses and do a mix-and-match if possible. Finally, taking a SANS course should be the beginning of your studies in an area, not the end. I see the training as a good broad base in a particular area. You must become an expert on your own.

      --

      Still, with a plan, you only get the best you can imagine. I'd always hoped for something better than that. -CP

    3. Re:Go to SANS training. by fm6 · · Score: 2, Interesting
      In other words, you guys rely on the intelligence of well-trained employees, rather than expensive security (no pun intended) blankets.

      Wild idea. It'll never catch on.

    4. Re:Go to SANS training. by strobert · · Score: 1

      Yeah you have two basic goals:
      - You want a checkmark for your compliance list
      - You want to really improve site security

      big expensive "security solutions" do much better at the former. having smart employees and using appropriate technology in a proper manner are far better at the latter.

      I work for a company that like most businesses cares more about the former. Luckily though we are allowed to also do the latter. Means both Compliance and I can sleep at night.

    5. Re:Go to SANS training. by Anonymous Coward · · Score: 0

      Does this Richard Bejtlich guy work for a living? The impression he gives is that he spends all his time getting and reading ebooks and regurgitating the info he lifted from other authors for his own book. Nothing in his book seems original at all.

    6. Re:Go to SANS training. by JimmytheGeek · · Score: 1

      No idea what generates his income, but I have to disagree with your assessment. _Tao_ is rigorous in giving proper attribution to researchers. I thought the book was very well organized and written, and there's a massive appendix on the intellectual history of Net. Security Monitoring. He's certainly not claiming the work of others as his own, which your statement might be taken to imply. Much like sguil, the IDS/NSM console that cross-pimps with him, his book assembles info from a number of sources into coherence. That's an achievement.

      There is some self-promotion, but my impression is his ego is no more swollen than many alpha-geeks. I'd happily buy him a beer in a non-smoking pub.

  12. Penetration Tester by RasendeRutje · · Score: 3, Insightful

    Penetration Tester?? Not only looking for the obvious (security) holes, but also the tricky ones? Those you don't normally see? Damn, where do you learn that?

    --

    If Microsoft was mass, stupidity would be gravity.
  13. OSSTMM by randori82 · · Score: 2, Informative

    Even a great methodology is open source [osstmm]

  14. Visa / MC Compliance by jfroot · · Score: 5, Informative

    One reason that many companies need to use a commercial security tool is because of Visa and Mastercard CISP and SDP compliance.

    In order to comply you must have various levels of security testing done and certified by an approved vendor.

    1. Re:Visa / MC Compliance by Anonymous Coward · · Score: 0

      You clearly don't understand enough about CISP or SDP to even make such a comment. If you actually read the link you posted, they are vendors that are authorized to perform the scanning. It does not specify what tools those vendors are allowed to use.

      It's the same as with other industry requirements, where the firm needs to have an "unbiased" and experienced 3rd party to perform the tests. Of course, this isn't a perfect system, but what is?

      Being that I'm with one of the listed vendors, and helped write the draft CISP specification, I know this.

  15. Don't Forget by iammrjvo · · Score: 2, Insightful
    There is security implied simply by the fact that the product is open source. That is to say, its failings and potential security weaknesses have been evaluated by a community beyond the original developers, and it is always open to scrutiny.

    --
    Ha, ha! Nobody ever says Italy.
    1. Re:Don't Forget by einhverfr · · Score: 1

      Nope. Security has more to do with architecture than bugs. If the architecture is secure, then bugs will be unlikely to be severe.

      That being said, security is more *knowable* in open source software. Sendmail vs. Postfix etc. is a good case in point. Someday I am going to get around to patching that local exploit in Qmail... Until then, that security issue can be blocked by not giving anyone local interactive access to the mailserver...

      --

      LedgerSMB: Open source Accounting/ERP
  16. What a pile of shit? by Foofoobar · · Score: 4, Funny

    So if something goes wrong with your setup, a commercial company will quickly take credit? Riiiiight.

    I know Microsoft readily accepts monetary responsibility for their products being crap and causing crashes, viruses and trojans in my system.

    In fact, Bill and Steve cut me a check weekly.

    --
    This is my sig. There are many like it but this one is mine.
  17. besides the obvious by JeanBaptiste · · Score: 5, Informative

    snort, ethereal, nmap, etc

    one commercial one that I _really_ like is Languard Network Scanner from GFI.

    While it is closed source, it has 30-day full functionality, and has limited functionality after that. Still even with the 'limited' functionality, it provides the full scanning capabilities, it just doesn't let you use some of the features that I never use anyways (scheduling, etc).

    I'd really recommend giving it a try, it's pretty slick.

    1. Re:besides the obvious by Anonymous Coward · · Score: 0

      You should try eEye's Retina NSS. Beautiful.

  18. Anything, as long as... by tod_miller · · Score: 2, Insightful

    a) it does the job
    b) see a.

    I do not see the need to stick to ideals in a world of security, use the best tool for the job, and stay vigilant (if OS is the best tool, then only merit it on this, not the fact that it is OS)

    --
    #hostfile 0.0.0.0 primidi.com 0.0.0.0 www.primidi.com 0.0.0.0 radio.weblogs.com
    1. Re:Anything, as long as... by Anonymous Coward · · Score: 0
      Of course. But since you cannot know all the characteristics of a piece of software by simply running it, one must consider that one choice was developed essentially in public and reviewed by many, while the other was developed behind closed doors and reviewed by none outside the selling company.

      Ideals are one thing. A fundamentally different development and QA process is another.

    2. Re:Anything, as long as... by ifwm · · Score: 1

      And you make two completely incorrect assumptions.

      1. Open source does not mean a product was "developed essentially in public and reviewed by many" but rather that the source is open. Assuming code has been vetted just because it's open source (especially when discussing security) is the height of incompetence.

      2. Commercial does not mean a product was "developed behind closed doors and reviewed by none outside the selling company". That's as bad as the first assumption.

    3. Re:Anything, as long as... by rmccann · · Score: 1

      I agree. However most open source (not free software) types will tell you that because something is open source it's more likely to be better.

    4. Re:Anything, as long as... by Anonymous Coward · · Score: 0
      1...

      No, but it is safe to assume that a tool such as snort which has been, and is still, thoroughly picked apart on the Web, has been publicly reviewed.

      2...

      Closed-source does basically mean just that. I have no idea what you're trying to say here.

      It's in a corporation's best interest to hide problems; it's in an OSS project's best interest to expose and fix them. This is a fundamental difference that cannot be overstated, particularly in the realm of security. Using closed tools essentially boils down to completely trusting the provider's development and QA processes . . . and my experience in closed software houses makes me leery of said processes.

  19. Yes, but use caution by Anonymous Coward · · Score: 0

    Yes, it may sound like one of the best jobs, but one misstep and you may find yourself on the Worst Jobs in Science list:

    flyingtoaster writes "For the second year in a row, Popular Science published their annual countdown of the worst jobs in science. This year's list includes Anal-Wart Researcher...

  20. Wow OSS everywhere by Fr05t · · Score: 1

    "I work as a penetration tester and recently started writing a whitepaper on the benefits of free, open-source security tools over commercial tools."

    Excellent the porn industry is on our side, there is no way we can lose now!

  21. It makes more sense to use open source ... by Anonymous Coward · · Score: 1, Informative

    b/c this is what the majority of hackers/crackers are out there using...
    use the tools they use... not that commercial products don't have any value to them. Perhaps just use OSS first then supplement that with some commercial solutions.

    www.packetstormsecurity.com is a good place to start also.

  22. How free is nessus anymore? by Anonymous Coward · · Score: 0
    Looks to me like they just pulled the plug on over half of their rules; now you need to pay them money or agree to a fairly strict license and a 7 day delay.

    It's understandable, they have a lot of leeches on their back that aren't returning anything to the community. From the sound of things some are just outright trying to take credit for what Nessus does.

  23. Assumed a thief by rtkluttz · · Score: 5, Interesting

    I work for a company that has an EtherpeekNX license. Since they started with the NX line, they now have activation. One time per license. I had to call and threaten a move to open source alternatives with a forced refund due to their policy.

    They provide a remote collection agent that can be monitored with the licensed full version. That was not good enough in our instance due to the layout of our network and needing to install our licensed copy, at the work site, fix the problem and then uninstall the software. After much desk pounding they finally gave in and let us have unlimited installs of the same number. But only after threatening a move to open source.

    Our take on the issue is, we need to install the product how we see fit. We paid for it. It doesn't matter to us if we aren't using the software how they "envision" it should be used. We were due a refund if they refused to let us use a product we paid for.

    --
    Digital is, by definition, imperfect. Analog is the way to go.
  24. OSS equivalent of WebInspect by KDN · · Score: 1

    I use several open source programs to do various tests, nmap and nessus mostly. But one commercial package that I use is WebInspect. Does anyone know of an open source equivalent?

    1. Re:OSS equivalent of WebInspect by Anonymous Coward · · Score: 0
    2. Re:OSS equivalent of WebInspect by Anonymous Coward · · Score: 0

      The problem is finding something that will do the *specific* types of tests that WebInspect will do. As the other person who posted to this comment said, SPIKEProxy may help with that. Unfortunately, things like SPIKEProxy and (what used to be free) @stake's WebProxy is that you still need to supply values, massage data, etc. WebInspect, as I am sure you know, will actually save the auditor/tester a bit of trouble and time. Now, of course, SQL injection and XSS attacks aren't just going to be discovered in every CUSTOM APPLICATION with the use of these tools, so you will still need to apply a bit of your own techniques and manual tests (or hack up some scripts to save you some time once you've identified the potentially vulnerable components) to actually confirm their vulnerability and exposure.

      That being said, WebInspect (if you already have the license[s], etc.) will be a safe bet for the time being. But do take a look at some other projects, such as whisker (by rain.forest.puppy) for CGI testing, as well as WebSleuth (commercial but comes with an older, "free" version) for a kind of interactive form/data/cookie-manipulation-while-browsing sort of approach.

      Naturally keep your eye out for any other open source projects that may follow the general path of WebInspect. But always keep in mind that most of these tools (those that exist currently and those that will likely come out in the *near* future) are generally going to test for "known-ish" vulnerabilities (maybe with a LITTLE bit of logic like "hey, this form MIGHT be susceptible to cross site scripting!"). Thorough testing will require the tester to manually check code and/or the user-facing portion of the app.

      Good luck!

  25. Accountability vs Responsibility by A+nonymous+Coward · · Score: 4, Insightful

    How do you know you can get any resolution from the people who sold you the software, or developed it? Have you checked the contracts or EULAs? Most EULAs I've seen explicitly disclaim any responsibility.

    Your responsibility is to protect your company AND get it back on its feet after a break-in. You can't rely on a lawsuit to do that in any timely fashion, only after the company has gone out of business and everyone has long since gotten new jobs. Even then, you'd be lucky to get pennies on the dollar in restitution. So what good does it do to sue the developer or seller?

    You have to get the company going again as quickly as possible. It just might be helpful to have the sources to what failed, to see how it failed and how the break-in occurred. Proprietary software is useless there.

    1. Re:Accountability vs Responsibility by ifwm · · Score: 1

      Others have made the same point. EULAs may protect the company against liability if you get screwed, but they may not. The law is unclear, and generally untested.

      I'll wait until the law is clearer, but the idea that EULAs absolve a company of guilt simply is not correct (yet).

    2. Re:Accountability vs Responsibility by cybrthng · · Score: 1

      Personal liability is far different than saying it is the fault of your vendor.

      If there is a vendor that provides open source solutions then they should be able to support them just as a proprietary vendor would.

      The issue isn't a point of how you can legally screw them over, it's how you can speak to your boss in terms that he understands. If your boss knows you screwed up or didn't know something you were supposed to, then it's harder for him to pass that up through management than if you used a canned app that failed and you were doing your job in sustaining that app. Indirectly not your fault and therefore less risk to your job. (However, a good security admin should know and research the limits of what they use to begin with.)

      I don't think the original post had anything to do with EULA and licensing but risk and accountability for that risk.

    3. Re:Accountability vs Responsibility by jimicus · · Score: 1

      The issue isn't a point of how you can legally screw them over, it's how you can speak to your boss in terms that he understands. If your boss knows you screwed up or didn't know something you were supposed to, then it's harder for him to pass that up through management than if you used a canned app that failed and you were doing your job in sustaining that app.

      While you are right in PHB terms, this does you no good whatsoever if your business relies on the Internet and you suffer a major security break-in.

      I'd consider doing both: proprietary (rear-covering) and open-source (might actually achieve something). Costs more, but nobody can accuse you of not doing your job.

  26. The advantage of creating your own security by hellfire · · Score: 2, Insightful

    IANASS (...Security Specialist) but to me, logic seems to state that having an open source system has an advantage in that the code is there for everyone to see, and that you can add your own code.

    Take physical security as a metaphor. You want to secure your physical plant, so you hire a security specialist. You hire his services and he peruses your building. He suggests locks here, cameras there, and a whole plan on making your business less prone to break-ins and the like.

    However, what's so great about this? Two things. One, everything is transparent. It's not like Joe Security Officer is selling you a security package and not telling you where he's going to put that $50,000 you just paid for. He has to give you a full plan (the code!) that you approve of. Plus, the plan is customized for you. It's your plan, not someone else's. It's based on your requirements and your specifications. If a security company comes to you and says they'll put a camera in every room and be done with it, is that really enough for you?

    Tie that back to open source. The code for open source security solutions is that plan you need. You can provide input on it and change it as much as you want to match your individual needs. And the code will be more unique than a commercial security program, which is the same from site to site.

    I can't say that open source is necessarily for everyone. Maybe a camera in every room is all you need. Maybe you just need a security guard out front. The advantages I see here are businesses where security is an important part of business, and where companies don't want control of their own data in the hands of anyone but themselves.

    --

    "All great wisdom is contained in .signature files"

    1. Re:The advantage of creating your own security by Anonymous Coward · · Score: 0
      I'm just a lowly AC, but I disagree.

      He has to give you a full plan (the code!) that you approve of. Plus, the plan is customized for you.

      When you find an open source developer willing to tailor to my EXACT specifications (like giving him a call and everything), please post it on /. The argument that 'it's open source, you can just edit it' doesn't apply because in this scenario I'm hiring outside help. It's not like I'm reading a book at the library and setting up my own camera security system, which is what I think editing an OSS is analogous to. On the other hand, calling in an outside company, telling them what you want, and them delivering it sounds much closer to CSS than OSS. My English is bad but what I'm trying to say is, if a company is in a do it yourself mode, then they'll just use (and maybe customize) OSS and not hire someone from the outside, right? But if they're going to put the security of their company in another company's hands, and don't want to mess with the details (maybe they're not that great at computers, or in this case, security), then Company XYZ's CSS solution might be what they need (see the guy from the DoD's post).

    2. Re:The advantage of creating your own security by mollymoo · · Score: 1
      When you find an open source developer willing to tailor to my EXACT specifications (like giving him a call and everything), please post it on /.

      Loads of open-source developers will work to your exact specifications and provide support. They generally won't do it for free, but they will do it. Turn up at the Tenable offices and say "I want this feature added to Nessus, I'll pay you to do the work" and I'll bet they'd be interested.

      --
      Chernobyl 'not a wildlife haven' - BBC News
  27. I want his job-Inspector 12 by Anonymous Coward · · Score: 0

    "I have no joke here, I just like saying, I work as a penetration tester ..."

    Inspector 12 at the Trojan Factory.

  28. Agreed by paranode · · Score: 2, Insightful

    Those are great tools to use and the fact that they are free is even better. The only thing I might recommend replacing for a commercial alternative is Nessus. If you can afford it, something like eEye's Retina scanner is a very nice product. It doesn't come cheap, but if you work in a big corporate environment you can probably justify the cost. Not to mention, Nessus is a bit flaky so if you start crashing machines during your testing you will have some angry people to answer to. Don't get me wrong, Nessus is great for a free tool, but it lacks professionalism and is a bit overintrusive at times, even with the safe settings activated.

    1. Re:Agreed by Bert64 · · Score: 1

      Isn't Retina scanner a Windows app? Whereas Nessus is a Unix app; I do all my testing from Unix machines so this isn't appropriate.. Also, I frequently encounter bugs in scanning tools and would like to be able to fix them myself or at least understand what the problem is..
      Aside from that, last time we tested Retina it wasn't very good at all and was especially bad at detecting known vulns in Unix machines; it was more Windows oriented.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    2. Re:Agreed by paranode · · Score: 1

      Perhaps that's true. When using Nessus, however, one should schedule downtime for their servers ahead of time because Nessus has a tendency to hang systems even when you tell it to use 'safe scans'.

    3. Re:Agreed by Bert64 · · Score: 1

      Maybe... But if a service is so easy to take down then that's an issue that should be fixed; you can't put such a flaky service onto the Internet, for sure.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  29. Counter-point instead by RyoShin · · Score: 3, Insightful

    I don't have a lot of experience with free software, but I can tell you why people prefer to pay for it: Security in spending.

    Basically, most people (including CEOs and the like) think that the more something costs, the better it must be. After all, if Product A costs you $100 and Product B costs you $5, then there must be a lot more features and hard work put into Product A to make it cost more than Product B.

    Plus, when people hear 'open source', they think of crackers/evil people getting their hands on the source code and exploiting all sorts of 'holes'. Since they can find out how it works, it must be really easy for them to exploit it.

    I wouldn't be surprised if many people, on first look, would rather pay $10 for a Linux distro than get it for free, because 'free' has all sorts of bad connotations locked in with it in this day and age. They assume it's the difference between going to a 12-year-old's lemonade stand and going to Starbucks for a smoothie. "You get what you pay for."

    1. Re:Counter-point instead by dlZ · · Score: 1

      The 12-year-old's lemonade stand is probably better than the Starbucks smoothie. And I think the ant content is about the same.

      --
      rm -rf ./evidence @ punkcomp
    2. Re:Counter-point instead by John+Fulmer · · Score: 1

      Yeah, but you should point out that sometimes you get REALLY GOOD lemonade from that kid.

  30. Better that ... by A+nonymous+Coward · · Score: 0

    ... than being a public dick ....

  31. dangerous thinking by FateCreatr · · Score: 1

    I think that it is a bit dangerous and irresponsible to evaluate the effectiveness of a tool based on its licensing. The real debate about its effectiveness should not be linked to how much it costs. Doing that changes the debate from how good something is to pricing, and open-source community support. There are many closed source tools that are better than open, but you cannot then derive that all closed source is better. Software ease of use and effectiveness debates should remain licensing neutral, and not a forum for open or closed source advocacy.

  32. Deploying Software by markmcb · · Score: 5, Interesting

    I work for DoD. We tend to go with commercial software for several reasons:

    1. Personnel changeover. DoD loves to move people around between departments and installations. It's hard to find people savvy enough to run open-source software and keep them in one spot. It's much easier to give whoever is holding the position a phone number and tell them to call tech support with problems.
    2. Personnel skills. DoD is huge. Because of this, the chances of getting skilled and motivated people at all of your sites is slim. Again, the phone call seems to make everything better.
    3. Contracts. Things are usually purchased in bundles and as part of a big plan. It's much easier to brief to a non-tech boss that you have the support of another company and not that "I'm sure we can figure it out."
    4. Uncle Sam's pockets are deep.

    I agree that open source software is often better. But it doesn't give the non-tech group that warm fuzzy it needs. In the end, the boss doesn't want to be up a creek without a paddle. Having that phone number to call adds a much wanted security blanket, even if it's only a facade.

    --
    Mark A. McBride -- OmniNerd.com
    1. Re:Deploying Software by Stinking+Pig · · Score: 4, Insightful

      Bingo -- same attitude exists in most of the American corporate market, in spades. Maybe rightly so, maybe not, but take note of Red Hat and IBM's successes... this is not about source code or product licensing, it's about that tech support phone number.

      Linuxcare and the like flamed out for poor core business practices and poor market targeting (do not ever, I repeat do not EVER, try to make money directly supporting end users). MySQL AB, Best Practical, Trolltech, &c seem to be doing pretty well though....

      --
      "Nothing was broken, and it's been fixed." -- Jon Carroll
    2. Re:Deploying Software by bushda · · Score: 1

      So you're saying you prefer tools that have been dumbed down to the point that any schmoe can run them, instead of some trained individual that can intelligently interpret what he's seeing? ...and on top of this, part of the justification is that it's "free money" because Uncle Sam is footing the bill??

      Sorry, but this is a *HUGE* example of why my taxes are so big!

      --
      There are two seasons in my world - Hockey and Construction
    3. Re:Deploying Software by Locke2005 · · Score: 2, Insightful
      4. Uncle Sam's pockets are deep.

      Thank you very much for wasting my tax dollars, cretin! Seriously, I think this attitude that the "government has lots of money!" is going to be the downfall of the US... here's a subtle reminder: all the money is taken from hardworking citizens, at gunpoint if need be. Or borrowed against future taking from citizens...

      Read your contract with your vendor. Fact is, most commercial software contracts don't protect against anything more than refunding the purchase price, even if completely unfit for the purpose for which it was sold!

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
    4. Re:Deploying Software by markmcb · · Score: 1

      Please read my post. I wasn't justifying, I was simply explaining the rationale behind most decisions.

      My point was this:
      DoD has: Lots of people, lots of money, lots of computers, many mobile employees, a war to fight
      DoD has not: big paychecks, many fixed location jobs, highly skilled admins

      If you think you can fix DoD, then by all means, jump on board. If not, just be quiet and keep paying those taxes! :-)

      --
      Mark A. McBride -- OmniNerd.com
    5. Re:Deploying Software by markmcb · · Score: 1

      Thank you very much for wasting my tax dollars, cretin!

      You're welcome. And you're welcome for the year I spent in Iraq for you. But I digress... We (DoD) don't spend money just to spend it. We come up with our needs, give them to companies, and then pay whoever says they can do the job the cheapest. That's the way it works. I haven't received any bids from the open source community.

      --
      Mark A. McBride -- OmniNerd.com
    6. Re:Deploying Software by 99BottlesOfBeerInMyF · · Score: 2, Interesting

      Having that phone number to call adds a much wanted security blanket, even if it's only a facade.

      My first thought on reading this was, "well, there must be dozens of security firms that will offer support for such popular tools." I mean surely IBM, if no one else, will be happy to take your money and answer calls about nmap or snort or ethereal? So I did what anyone would do, and googled a bit. I could not find anyone in 2 minutes of searching. Perhaps my google-fu is weak. Is this really an untapped market? I find it hard to believe that no one has jumped on this. I know most enterprise and government shops like to have their own security team, which may preclude the need for this, but it really seems like there should be a huge mid-sized market just looking for a safety net. Heck, if you can sell a 5K or 10K a year support contract for open source tools, and all you need is personnel, a phone line and a pretty web/download site, it seems like you could make out like a fiend. Hmm, forget I said anything.

    7. Re:Deploying Software by Stephen+Samuel · · Score: 1
      And you're welcome for the year I spent in Iraq for you.

      Nobody's slamming you for the year you spent in Iraq. (I'll slam Bush for the year you spent in Iraq, but I'm not going to slam the low schmoes who have to deal with the dust and the bombs -- unless they personally do something really damaging and/or stupid. .. but that's a different discussion).

      What this points to is not that OS isn't appropriate to the DOD, but rather that the DOD hasn't come up with a general plan for employing open source where it's more useful than proprietary software.

      Paying $100K/year just to have someone on the other end of a phone say "have you tried re-installing" seems like both a waste of time and money -- whether it's in the military or the government.

      --
      Free Software: Like love, it grows best when given away.
    8. Re:Deploying Software by Gyorg_Lavode · · Score: 1

      I also work for the DoD, and our program DOES use open source tools for the most part. The reason though (I think, as I wasn't here when the decision was made) is that the contractor who's doing it had OS advocates and is also cheap.

      --
      I do security
    9. Re:Deploying Software by Gyorg_Lavode · · Score: 1

      You misunderstand why the DoD pays extra for things. Basically it's for process. Boeing gets 100x what a small contractor would to do something because Boeing has a defined and implemented process. Now, a few decades ago someone decided that repeatable and improvable processes were the way to reduce failure and that the extra cost was worth it. The alternative is like the X-Prize, where a small team does something amazing for little money (but the real cost of doing it should include all the teams that DIDN'T make it).

      --
      I do security
    10. Re:Deploying Software by phek · · Score: 1

      wouldn't it be a better idea to spend all that money you have available on the "highly skilled admins" rather than dumbed down software?

    11. Re:Deploying Software by bushda · · Score: 1

      Working on my masters in network security, and probably CISSP. May see you after May '06 when I graduate. ;)

      --
      There are two seasons in my world - Hockey and Construction
  33. You want to work as a penetration tester? by That's+Unpossible! · · Score: 1, Funny

    Ben Dover.

    --
    Ironically, the word ironically is often used incorrectly.
    1. Re:You want to work as a penetration tester? by BenEnglishAtHome · · Score: 1

      You joke, but I've met Ben Dover. I nominated him for his first AVN award a number of years ago, so I believe in his product. And he's a nice guy, to boot.

  34. how can you be sure of quality of closed source ? by Eternally+optimistic · · Score: 3, Insightful

    For security applications, how can you say with any confidence that a closed source product does an adequate job? You are not allowed to examine what it does, instead you have to rely on what the vendor says. Maybe some tool is certified by some "trusted" entity in your industry, but you don't have any control yourself. With open source, you can look, or hire someone to look who works for you.

    --
    What keeps me going is my inertia.
  35. Layered Security by Anonymous Coward · · Score: 0

    Nessus is a great scanner, but it's far from perfect. I see far more false positives coming from Nessus plugins and I expect to. Why? Any dork with a text editor can write a Nessus plugin and have it posted on their site for download. Unless you trust the source, you shouldn't trust the validity or reliability of its signature. I typically only select Tenable Security plugins for use in Nessus and it's still far from 100%.

    Still, you should never rely on only one source (layered security and all that). So I leverage eEye Retina alongside Nessus for most assessments. I find eEye has nearly the same or better accuracy than Nessus and adds great reporting functionality.

    You also mention Airopeek and Kismet. Kismet is great, no question. It gives you actionable information in a fairly user friendly ASCII interface... Airopeek, on the other hand, is far from the standard commercial recommendation. Take a look at AirMagnet and then compare it to Kismet; you'll find it's light years beyond Kismet and, once again, has great reporting functionality.

    Basically, if you're on a budget, open source will get you where you want to be, no question. But if you have some $ to throw down, for the most part, commercial solutions will get you there much faster.

  36. In other questions asked today by korielgraculus · · Score: 0, Offtopic

    I am writing a paper on big software companies. Anybody have an opinion about Microsoft?

  37. Re:Accountability -- Remind me not to hire you by Stephen+Samuel · · Score: 5, Insightful
    I would use commercial software. Why? Because if something does go wrong, it is the vendors fault and not yours.

    grunt: Admiral! There's a missile coming our way, and the defence systems have just blue screened!
    admiral: Thank god I can blame Microsoft for this!
    missile: BOOM!
    So you'd use inferior software just because you can point the finger at someone else when the software fails??? Wouldn't you rather use the best software for the job (even if it's cheaper)??

    I mean, it's not like most commercial vendors take any responsibility for their software anyways -- have you read your EULAs recently?

    At least with open source software, you have the option of fixing any bugs yourself if the vendor refuses to. With Proprietary code, your only choice is to grin, bend over and wait for your bill.

    --
    Free Software: Like love, it grows best when given away.
  38. Hardly unique by Craig+Ringer · · Score: 1

    That's pretty common, sadly.

    Quark is a classic for that. The app *scans* *the* *network* for other instances with the same license key. I bought 6 licenses, why the heck can't I deploy with disk images?

    In Quark's case, the answer is "you can if you buy a site license and run a license server". Of course, in exchange for the ability to use your software more practically, what do you get? The same prices, and a new requirement to upgrade all licenses to a new version at once. That's right - less flexibility! Arrggh!

    Your pain is far from unique, I'm afraid.

    1. Re:Hardly unique by Bert64 · · Score: 1

      Hmm, firewall your network so that the Quark clients can't detect each other?
      And then, pirate their stuff as punishment for forcing such horrendous/fascist licensing schemes on you, or better yet switch to an opensource alternative.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    2. Re:Hardly unique by Craig+Ringer · · Score: 1

      A firewall is impractical. The network needs to be extremely high performance, and currently goes through a gigabit switch. Replacing that with a router smart and fast enough to do rule-based filtering like that ... ouch.

      Host firewall might be viable, but we're stuck on MacOS9. Anyway, I wouldn't put it past Quark to refuse to run when there's a host firewall, or to mangle core system files to bypass it.

      As for open source alternatives - there are none. Sorry. I'm a contributor to the closest thing yet but right now it's barely fit to replace MS publisher, let alone Quark. In many ways it's a very good app even at this stage, but it has a number of issues that make it impractical to use in something like newspaper DTP. Of course, I'm currently helping to fix that ;-)

  39. Security Person's Tool Box by KingBahamut · · Score: 1

    At least my tool box: tcpdump, tcpflow, ettercap, iptraf, arping. You should pretty much be able to determine most problems through those. A good friend once told me a true network security specialist can become a network gunslinger through the use of just tcpdump, tcpflow, arping, and iptraf. (Rich at securiant dot com). IMHO tcpdump is the jewel of all of those, and if you're a real command-line commando, you don't need much else.

    --
    "God of Rock, thank you for this chance to kick ass. "
  40. Right Question? by Comatose51 · · Score: 2, Interesting

    Is that the right question to ask?

    "I'd like to ask for Slashdot's experiences and opinions on why you don't need to spend thousands of dollars on an expensive tool to perform a professional security assessment."

    It sounds like you're already set in your opinion and just asking for justifications. That doesn't usually develop any new insights or make good comparisons. If you really want to sell people on Open Source, do a fair and un-biased comparison. An obviously biased comparison is easily detectable and loses credibility. I really don't think Open Source needs biased comparisons to look good.

    --
    EvilCON - Made Famous by /.
    1. Re:Right Question? by gonzo-wireless · · Score: 0

      Also, the "ask slashdot" was conducted without a question mark. What type of questioning is that?

    2. Re:Right Question? by Stephen+Samuel · · Score: 1
      Just because most of his tools are open source doesn't mean that he's not willing to use commercial products... He just doesn't seem to have found many of them that are better than the open source equivalents.

      Asking for comments on what's out there that's better than Open Source is one way to broaden your horizon. (and what better place to ask than SlashDot, where you'll probably get comments from people who work for, and/or use, much of the proprietary competition).

      --
      Free Software: Like love, it grows best when given away.
  41. There is also port knocking. by agent · · Score: 1

    http://www.portknocking.org/

  42. Accountability ? What for ? by dmn · · Score: 1

    If I were to choose software protecting my company, I would use commercial software. Why? Because if something does go wrong, it is the vendors fault and not yours. With free software, it is your fault.

    So basically what you're saying is that you care more about covering your ass when things go wrong than _preventing_ them from going wrong. IMO that pretty much makes your opinion on the subject completely worthless (not to mention the quality of your work, if you do this kind of job ;]).

  43. Documentation by CKnight · · Score: 4, Funny

    I'm thinking of writing a how-to for "penetration testers". It'll be titled "Locating Unprotected Backdoor Entrances" or more aptly, "Lube"

    1. Re:Documentation by FrankDrebin · · Score: 2, Funny

      I'm thinking of writing a how-to for "penetration testers". It'll be titled "Locating Unprotected Backdoor Entrances" or more aptly, "Lube"

      Don't forget a section on avoiding Trojans. Although they sometimes help with L.U.B.E., they can often get in the way of a successful test.

      --
      Anybody want a peanut?
    2. Re:Documentation by grcumb · · Score: 1

      "Don't forget a section on avoiding Trojans. Although they sometimes help with L.U.B.E., they can often get in the way of a successful test."

      Actually, you only need to worry about defective trojans. They can spawn unwanted child processes, draining your resources until the whole system crashes.

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
  44. Why pay? Features and UI by T5 · · Score: 1

    I work for a government client who's invested a sizeable chunk of change in Harris Stat Scanner. They evaluated a number of products, including some leading open source tools like Nessus. Their bottom line is that Stat makes the job relatively easy for a largely Windows shop (that is, if you have admin rights to all the boxes, turn on remote registry editing, kill all firewalls/IDSes, etc. - leaving you wide open for the duration of the testing!) to perform a multitude of tests and to install patches on the fly. Reporting is centralized, easy to read, and fairly comprehensive. It works on a fairly heterogeneous network as well, covering Macs, *x boxes, Cisco routers, HP printers, etc. Updates are frequent and easy to apply (basically a reinstall of the product). Most of the folks that will run this product for this client are computer professionals, but few are truly security professionals. This tool makes it almost point-and-shoot simple to understand what's going on and provides the Windows administrators an easy way to get "caught up" on patches they may have missed.

  45. Depends on the business by sjhwilkes · · Score: 1

    I agree - open-source tools are often at least equally good. However, in some industries specific tools are mandated, by either government or other overseeing institutions. In our case we are required to be compliant with VISA's Cardholder Information Security Program, and that is very precise as to what tools should be used and how often (and by whom).
    Likewise on the other end of the same thing, while I think I could configure iptables/snort etc. to be equally if not more secure than commercial packages - they won't enable me to put the ticks in the right checkboxes that very expensive products from Checkpoint/Cisco/ISS will.
    The issue is the lack of understanding by higher ups that a poorly configured/applied commercial package is just as useless as a poorly utilised opensource one. Even worse in fact, as they have wasted a ton of money that could have been better invested in training.

  46. Don't forget SING.... by Medievalist · · Score: 1


    Sure, obviously nmap, tcpdump, and snort (plus ethereal and etherape if you like pretty pictures). Another I don't see mentioned here is SING (which stands for "Send ICMP Nasty Garbage").

    It's a command line tool (sort of like netcat) for fabricating ICMP packets.

    Talk to Dug Song or the phenoelit guys about m-i-t-m attacks, and ARP or ICMP level hacking, and you might find some uses for SING. ;^)

  47. Different markets by ectoraige · · Score: 2, Insightful

    The market for commercial security tools is quite different. To begin with, it's smaller than the market for OSS tools. While security professionals may use either, any crackers worth their (or somebody else's) salt won't be caught using commercial products. Thus, there are probably more 'feature requests' and feedback for the OSS developers to respond to.

    Also, a number of commercial products are not written with just the user in mind - the larger ones also involve things like generating pretty reports for use in the CTO's bonus negotiations and suchlike.

    Finally, lots of the commercial products try to be competitive by doing everything at once, whereas the OSS tools tend to be more focused on specific functionality, following the traditional unix approach.

    Of course, all these points are generalisations and there are exceptions to them all, but that's what you get for asking such a general question.

    --
    Vs lbh pna ernq guvf, ybt bss abj. Tb bhgfvqr. Syl n xvgr.
  48. Re:Penetration Tester? by TheWanderingHermit · · Score: 1

    misinterpreting your position

    And that's the sound of another thousand after wondering just what that phrase referred to.

  49. "I work as a penetration tester..." by BigZaphod · · Score: 2, Funny

    If I would have been drinking something when I read that, my screen would be soaked right now...

    1. Re:"I work as a penetration tester..." by Anonymous Coward · · Score: 0

      You lucky bastard. I WAS drinking something and my screen IS soaked.

    2. Re:"I work as a penetration tester..." by Anonymous Coward · · Score: 0

      Where are the links for goatse when there's a Penetration Tester around ..........DUCK

  50. There is commercial free/open source software by latroM · · Score: 3, Informative

    I work as a penetration tester and recently started writing a whitepaper on the benefits of free, open-source security tools over commercial tools.

    What if some of the developers of those F/OSS packages are paid money to code free software? MySQL comes to mind when I think commercial free software, although it isn't related to the software you search. There has been always money to be made in free software business. Your question should be about free vs. non-free.

    Quoting RMS:``Free software'' does not mean ``non-commercial''. A free program must be available for commercial use, commercial development, and commercial distribution. Commercial development of free software is no longer unusual; such free commercial software is very important.

  51. Speaking as a pen-tester by Anonymous Coward · · Score: 0
    I say free, free, free every time (if it were an either/'or type choice.) My first employer gave me a budget of zero so it was Free by necessity. They were an ISS reseller but I must reveal that internally it was known as "It's Still Shit". Because it was.

    For anyone wanting to get into the field, BTW (which really is absolutely fascinating but a monstrous time thief, as you must know at least as much as the devs or sysadmins of the system you're attacking about its weaknesses, so you need to keep up with web dev / daemon architecture / IE bug of the week, Linux, Windows, Solaris, ...) - my advice is: get a small LAN. Put a couple of Linux machines and a couple of Windows machines on it. Fire up Nmap, Nessus, tcpdump and ethereal and have a ball for a couple of years. If you're still interested / excited after two years' devotion of your own spare time (evenings, weekends -- if you can afford a break from work, take it) you'll make a good pentester.

    Incidentally why do the UK's pentesters seem to congregate around the Medway? Odd, that.

  52. Re:Accountability -- Remind me not to hire you by ifwm · · Score: 2, Insightful

    "So you'd use inferior software"

    Commercial is not the same as inferior. MANY MANY commercial products are better than the open source version. Your bias is showing.

  53. Re:how can you be sure of quality of closed source by PepeGSay · · Score: 1

    I would love to see statistics on how many companies actually perform examination of open-source software. Then, to go one step further, I would really like to see some indication of how effective those examinations are. I'm skeptical that they are thorough or effective. Instead, people reply "oh, but we *can* inspect it" as if that is some Holy Grail, and the possibility of inspection actually replaces in people's minds the necessity of the inspection itself.

  54. OSS works for us! by Abalamahalamatandra · · Score: 1

    I've been doing external and internal security assessments for several years now.

    Initially, back in the 1998-2001 era, we had an ISS Internet Scanner travelling license, which is required if you're, say, a consultant doing scans for other companies. The only alternative is having the company buy the license and then using it for them. It cost in the neighborhood of $20k per year.

    But even then, I used Nessus for external scans, because it was heavily oriented towards external scanning. At first, I would always run ISS on the external side as well, but it was frankly a pain to get it to even admit there were machines there, much less scan them. After a while, I stopped using ISS at all for external scans.

    Then, in the 2001-2002 timeframe, work dropped enough that we didn't feel it was worth it to renew the ISS license. I did one or two assessments with Nessus only and was pretty pleased with the results.

    Now, present time, I just got done with a full-blown external and internal assessment for a client and used Nessus. It gave me GREAT output. We used Microsoft Baseline Security Analyzer (MBSA) to assess their patch management, and I think that Nessus' output was better than MBSA's.

    I've run Snort-based IDS sensors for quite a long time as well - using Demarc PureSecure (a topic for another day) as the frontend. While ISS Realsecure has some nice "more than x events in a five-minute timeframe" filtering possible with their engine, overall, Snort does a great job for us. With Demarc I have a great interface for drilling into events real-time to get a good idea of what's going on. ISS doesn't have anywhere near the usability for that.

    So to sum up, yes, OSS works great!

  55. Matrix monitor by Anonymous Coward · · Score: 0

    Somebody should develop an open-source network monitoring tool that displays real information like those Matrix screensavers. The lines coming down could correspond to TCP connections or HTTP sessions, maybe. Do not try to put all the data on the screen -- that would be impossible. Instead, just visualize the truth (i.e. packet loss / retransmits, general 'flow' as in connection lifetime, transfer speed, etc).

    The current tools like tcpdump and ethereal are impossible to use to get an overview of the network because they don't convert the data into a visual representation.

  56. Snort & commercial alternatives by sallgeud · · Score: 1

    Since it wasn't mentioned... and since others brought it up in comments:

    Snort is possibly the exception to the open-source vs commercial software bit.

    Snort itself is vastly superior to any other IDS tool out there. BUT, the open-source data analysis tools/applications for reporting, etc on snort are terrible compared to the commercial versions.

    Though, in the end, most of the commercial ones aren't much better than a decaying turd, either.

    My previous employer decided to build their own. I just wish they'd have open-sourced it, or at least sold it, as it was much better than any other commercial IDS application (and used Snort on the backend).

    1. Re:Snort & commercial alternatives by harikiri · · Score: 1
      Sorry but I had to reply when I saw this comment:

      Snort itself is vastly superior to any other IDS tool out there.

      Snort is great for capturing events, but one thing it does not do (and it doesn't advertise it either) is event correlation. This is where it can pair up several unique and apparently harmless events to identify an attack.

      Event correlation makes analysis of IDS events a lot simpler, because instead of seeing for example, 5000 alerts about ping scans, exploit attempts, etc - it can correlate it down to tell you that 120 systems have been infected with the latest worm.

      --
      Man, watching 6 MCSEs around a Sun box looks a lot like the opening scenes of 2001: A Space Odyssey...
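
An added illustration of the correlation step comment 56.1 describes (editor's example, not code from the post and not part of Snort): per-packet alerts are grouped by source and a source is reported as infected only when it fires a propagation signature at several distinct targets inside a time window. The alert lines are constructed in Snort's "fast" alert layout, and the signature ID treated as "propagation", the threshold of three targets and the 60-second window are assumptions for the example.

```python
"""Minimal IDS event correlator over Snort-style "fast" alert lines.

Editor's added example. The alert lines, the signature IDs and the
'infected' threshold are all constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# One Snort "fast" alert line looks like:
# 03/07-10:00:02.100000  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] ... {UDP} 10.1.1.5:1434 -> 10.1.2.10:1434
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)

# Constructed sample: 10.1.1.5 hits three distinct targets with a propagation
# signature, 10.1.1.6 makes a single attempt, 10.1.1.7 only pings.
SAMPLE_ALERTS = """\
03/07-10:00:01.000000  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.1.1.5 -> 10.1.2.10
03/07-10:00:02.100000  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.1.1.5:1434 -> 10.1.2.10:1434
03/07-10:00:02.200000  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.1.1.5:1434 -> 10.1.2.11:1434
03/07-10:00:02.300000  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.1.1.5:1434 -> 10.1.2.12:1434
03/07-10:00:02.400000  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.1.1.5:1434 -> 10.1.2.10:1434
03/07-10:00:03.000000  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.1.1.6:1434 -> 10.1.2.10:1434
03/07-10:00:04.000000  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.1.1.7 -> 10.1.2.10
this line is not an alert and is skipped
"""

# Signature IDs treated as worm propagation (assumption for the example).
PROPAGATION_SIDS = {"2003"}


def parse_alert(line, year=2005):
    """Return a dict for one alert line, or None if it does not parse."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    # Fast alerts carry no year; assume one so timestamps are comparable.
    d["ts"] = datetime.strptime(f"{year}/{d['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return d


def correlate(lines, min_targets=3, window_seconds=60):
    """Collapse raw alerts into per-source verdicts.

    A source is reported as infected when it fires a propagation signature
    at >= min_targets distinct destinations within window_seconds.
    Returns (infected, number_of_alerts_parsed).
    """
    events = [e for e in (parse_alert(l) for l in lines) if e]
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    infected = {}
    for src, evs in by_src.items():
        prop = sorted((e for e in evs if e["sid"] in PROPAGATION_SIDS),
                      key=lambda e: e["ts"])
        # Sliding window anchored at each propagation event in turn.
        for i, first in enumerate(prop):
            targets = set()
            for e in prop[i:]:
                if (e["ts"] - first["ts"]).total_seconds() > window_seconds:
                    break
                targets.add(e["dst"])
            if len(targets) >= min_targets:
                infected[src] = {"signature": first["msg"],
                                 "first_seen": first["ts"],
                                 "targets": len(targets)}
                break
    return infected, len(events)


if __name__ == "__main__":
    verdicts, n = correlate(SAMPLE_ALERTS.splitlines())
    print(f"{n} raw alerts -> {len(verdicts)} infected host(s)")
    for src, v in verdicts.items():
        print(f"  {src}: {v['signature']} against {v['targets']} hosts from {v['first_seen']:%H:%M:%S}")
```

The point of the window is what separates a worm from a single exploit attempt: 10.1.1.6 fires the same signature once and is not reported, and raising `min_targets` to four drops 10.1.1.5 as well, which is the knob an analyst would tune against their own false-positive rate.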
  57. Ettercap? by Spy+der+Mann · · Score: 1

    Yeah like you'd need to buy a man-in-the-middle software for your private company network.

  58. Web Application Penetration Testing by Anonymous Coward · · Score: 0

    While there are lots of great open source tools for penetration testing and security auditing, open source tools are seriously lacking in the web application penetration testing department. No tool I've found is even in the ballpark of Spidynamics Webinspect.

    Webinspect can check for common vulnerabilities, regulatory compliance, DoS possibilities, XSS etc all from a GUI and has the ability to create professional reports.

    A lot of open source software often lacks business/commercial focuses like compliance auditing for HIPAA, SOX and other common security requirements. While a knowledgeable person can go through the steps of creating an equivalent through perl scripts this SHOULD be a focus within open source software that is already there. For these reasons, OSS software is often looked over in application penetration testing.

    Open source alternatives also lack reporting capabilities.

    Being a security professional, quite possibly the most important component of the penetration test is submitting your findings with understandable, concise and professional metrics to your customer. Open source tools like Nessus lack the capability to generate professional-looking reports, and professionalism is extremely important in security. Being able to present all levels of management within a company with useful information on the vulnerabilities within their infrastructure is key, and OSS alternatives to commercial products simply don't offer that right now.

  59. Check the license first by gelfling · · Score: 3, Insightful

    If I recall, the OpenSSH license had some really weird language in it that amounted to "There is a lot of code in this tool. I'm not sure of everything and there may very well be something in here that belongs to someone else. So if they come after you, Mr. MegaCorp, don't ask me. It's not my problem."

    And that is a bigger problem for our lawyers than the efficacy of the tool itself.

    Otherwise, why must it be an either/or decision? Why can't you have a mix of open and commercial and achieve a balance of cost and effectiveness?

    Also consider the total lifecycle costs. A $30,000 appliance out of the box may be cheaper than an open source tool running on an 'extra' server you have laying around plus 250 hours/year of your time fucking with it. Sometime the best security is the security that makes the most rational sense for you to afford.

  60. Kismet by Darti · · Score: 1

    Kismet can be found at http://www.kismetwireless.net/ not at kismetwireless.ORG as the article says.

  61. A more natural question would be... by Anonymous Coward · · Score: 0

    I'd like to ask for Slashdot's experiences and opinions on why you don't need to spend thousands of dollars on an expensive tool

    I'd find it easier to explain, when applicable, why I do need to spend thousands of dollars on an expensive tool...

  62. Not easy job - with old, ugly and obese ... by Anonymous Coward · · Score: 0

    I don't. There is a lot of old, ugly and obese ...

  63. Re:how can you be sure of quality of closed source by Eternally+optimistic · · Score: 1

    True, most people blindly trust the tools. But still I prefer having an alternative, which I do not have with closed source.

    --
    What keeps me going is my inertia.
  64. Both OSS and Proprietary is probably best. by delirium+of+disorder · · Score: 1
    Nessus, Ettercap, Snort, pf/netfilter/iptables, John the Ripper, Ethereal, standard OSS stuff like gdb, strings, grep (yes, they can very much be security tools), nmap, Kismet, Etherape, tcpdump, Whisker, etc.... They are all great, certainly better than any similar commercial product...

    But I can't think of a free equivalent of

    Core Impact http://www.coresecurity.com/products/coreimpact/index.php

    It's so easy an AOL-subscribing, Mac-using chimpanzee could figure out the GUI, yet it's an extremely powerful tool for any security consultant or script kiddie with a lot of cash. It scans for exploits Nessus-style, then tries to exploit them so you don't get all the false positives Nessus does. It also has the ability to give you a shell on an exploited host and use that to further penetrate a network. It has a built-in library of exploits and new ones can be added via a Python API. It totally automates the penetration process! (No, I do not work for Core Security Technologies.)

    I've written a few small, text-only C++ programs that would basically grep nmap logs to find potentially vulnerable systems, automatically test exploits on them and then attempt to continue the process recursively through a network by scanning off the exploited host (a new version of the scanner/exploiter is uploaded/executed by the original exploit's shellcode). It was buggy, CLI only, and only worked on a small scale with a couple of exploits... more proof of concept than usable tool. I wonder if anyone would want to make a Core Impact style system by extending Nessus?

    --
    ------ Take away the right to say fuck and you take away the right to say fuck the government.
    1. Re:Both OSS and Proprietary is probably best. by Anonymous Coward · · Score: 0

      There is something that is free just like Core Impact..

      its called Metasploit.

    2. Re:Both OSS and Proprietary is probably best. by Anonymous Coward · · Score: 0

      but keep in mind that:

      "IMPACT's console runs on Windows 2000 and Windows XP. IMPACT agents can run on any of these target platforms: Windows XP i386, Windows 2003 i386, Windows NT 4 i386, Windows 2000 i386, Solaris 6, 7, 8, 9 SPARC (sun4u, sun4m), OpenBSD i386, Linux i386."

      Note that there are NO PAYLOADS for layer 2/3 devices.

      an 8 IP license will run you $2,500.00, and considerably more for the ability to scan more IPs.

    3. Re:Both OSS and Proprietary is probably best. by Anonymous Coward · · Score: 0

      but with meta, you do not have the ability to safely execute payloads with the guarantee that when your pen test is over, the hosts are placed back into their default state (prior to the test).

      core's agents allow you to do this.
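
The "grep the nmap logs for potentially vulnerable systems" step in comment 64, written out as an added example (editor's code, not the poster's C++ and not part of nmap or Nessus). It parses nmap's grepable (-oG) output and turns it into a worklist of host/check pairs; the exploit step that followed in the poster's tool is deliberately left out. The scan output and the `CHECKS` table are constructed for the example, and only ports reported `open` count, so a `filtered` 445 never becomes a candidate.

```python
"""Triage nmap grepable (-oG) output into a worklist of hosts worth a closer look.

Editor's added example: the 'grep the nmap log' half of the pipeline from
comment 64, without the exploit step. The scan output and the checks table
are constructed for the example.
"""
import re

# Constructed -oG output. Fields on a "Host:" line are tab separated and each
# port entry is port/state/proto/owner/service/rpc/version/.
NMAP_GREPABLE = (
    "# Nmap 3.81 scan initiated (constructed sample)\n"
    "Host: 10.1.2.10 (db1.example.test)\tStatus: Up\n"
    "Host: 10.1.2.10 (db1.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 3.9p1/, "
    "1434/open/udp//ms-sql-m///, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (1669)\n"
    "Host: 10.1.2.11 ()\tPorts: 80/open/tcp//http//Apache httpd 2.0.52/, "
    "22/open/tcp//ssh//OpenSSH 3.9p1/\tIgnored State: closed (1670)\n"
    "Host: 10.1.2.12 ()\tStatus: Down\n"
    "# Nmap done (constructed sample)\n"
)

HOST_RE = re.compile(r"^Host: (\S+) \((.*?)\)")


def parse_grepable(text):
    """Return {ip: {"hostname": str, "ports": [port dicts]}}."""
    hosts = {}
    for line in text.splitlines():
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if not m:
            continue  # comment lines and anything else that is not a host record
        ip, name = m.groups()
        entry = hosts.setdefault(ip, {"hostname": name, "ports": []})
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue
            for item in field[len("Ports: "):].split(", "):
                parts = item.split("/")
                if len(parts) < 7:
                    continue  # malformed entry; skip rather than guess
                entry["ports"].append({
                    "port": int(parts[0]), "state": parts[1], "proto": parts[2],
                    "service": parts[4], "version": parts[6],
                })
    return hosts


# Constructed checks: an open port/proto, optionally with a version pattern,
# that marks a host as a candidate for a follow-up test.
CHECKS = [
    {"name": "ms-sql-udp-resolver", "port": 1434, "proto": "udp"},
    {"name": "old-openssh", "port": 22, "proto": "tcp", "version_re": r"OpenSSH 3\."},
]


def candidates(hosts, checks=CHECKS):
    """List (ip, check_name) pairs. Only 'open' ports count; filtered ones do not."""
    out = []
    for ip, entry in sorted(hosts.items()):
        for check in checks:
            for p in entry["ports"]:
                if p["state"] != "open" or p["port"] != check["port"] or p["proto"] != check["proto"]:
                    continue
                if "version_re" in check and not re.search(check["version_re"], p["version"]):
                    continue
                out.append((ip, check["name"]))
    return out


if __name__ == "__main__":
    for ip, name in candidates(parse_grepable(NMAP_GREPABLE)):
        print(f"{ip}\t{name}")
```

Feeding the worklist to an exploit runner is where the poster's tool went next; keeping that as a separate stage means the triage output can be reviewed (and scoped) before anything is fired at a host.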

  65. You want commercial support by nicke999 · · Score: 1

    Basically, what you are saying is that you don't really care what your servers are running as long as you have a phone number you can call for support. If that phone number goes to Novell or IBM you will probably have lots of open source software. Even better, if you run open source software there will in most cases be more than one firm to choose from for providing support.

    --
    Thanks for browsing at -1
    Please visit my blog: www.framtiden.nu
  66. Re:how can you be sure of quality of closed source by LurkerXXX · · Score: 1

    And that's a wonderful thing if you have the time and skills to go over the source for each app you use. Most companies don't have that luxury. Most of the time their network admins are already busy with the tasks they already have to perform. The company is in the business of producing widgets, not auditing source code for port scanners. If they can farm out the job to a company that will do the work for them, they will.

  67. completely valid criticism by Anonymous Coward · · Score: 0

    It's worse than that. This question is not trying to seek out reasons to dump commercial tools (which are not even mentioned by name) but to proselytize other users of the commercial programs. I admit that the open-source programs are quite powerful and useful, but it certainly isn't the poster's business to try to destroy the software businesses of others. If he's so convinced of their superiority, then let the free market win out on behalf of ethereal, etc. Meanwhile, he should shut up.

  68. What the hell is support anyways? by rastin · · Score: 1

    Most of the shrink-wrapped software companies I worked for in the past no longer have the same development staff that were around in my day. Developers get outsourced, and so do entire support organizations. So I am not surprised that every time I have ever called any company for support (with a paid support contract) the only answer I ever get is: 'You are screwed, maybe the next version due sometime won't suck as bad. Thank you for calling. Come again.' Of course I always check into my own problems, so the only time I need to call is when I am screwed. Not only that, but how do you know that the shrink-wrapped product you just bought is even open to fixing? Many products are in wide use and declared EOL by marketing. I guarantee that support personnel will tell you it's planned for the next release when they know damn well it isn't. Some have said that 3rd party agreements demand verified security audits performed by approved vendor products; fine, but if you trust those tools blindly and something goes wrong then it is your own dumb fault. Shrink-wrapped software is only superior to OS software by default in one tiny area: passing the buck when stuff craps out.

  69. The whole post is a troll by 1tsm3 · · Score: 0, Troll

    Come on, asking a bunch of /.ers why open-source software is better and cheaper is like asking Bill Gates why M$ Windows is the best OS (not that I agree)! If I could rate an article, I would rate it as a Troll!

    --
    -ItsME
  70. It's not always better... Foundstone,, perfect ex: by Anonymous Coward · · Score: 0

    Who do you go to when your nessus false positives on everything?

    At least with foundstone I now have someone to complain to, they can open a ticket, and fix the problem.

    We had nessus in here and foundstone finished faster, was more accurate, and does MUCH better reporting. It's just so damn expensive.

  71. If you're a real professional... by argent · · Score: 1

    ... you're using tools you've developed yourself, as well as open source and commercial tools, all where they're appropriate.

  72. Incorrect link by DarkFencer · · Score: 1

    Kismet is at www.kismetwireless.net not .org as the poster linked to.

  73. For wireless security... by Kraegar · · Score: 1
    I am a fan of open-source software, and would agree that in many places it is better than, or of equal quality to, commercial closed-source software.

    The one place I do not agree is with wireless security monitoring. I have not seen any open source offering, or combination of offerings, that can hold a candle to Airmagnet. I test various open source offerings as I hear about them, and to date have seen nothing with the power and flexibility Airmagnet provides. It was worth every penny we paid for it.

  74. Interesting Business Card by catdevnull · · Score: 2, Funny

    I was just wondering about that title "Penetration Tester." Somehow, it seems to garner immediate respect.

    --

    I might know what I'm talkin' about, but then again, this is Slashdot...
  75. modsecurity for web apps by Anonymous Coward · · Score: 0

    Surprising that no one's mentioned it: http://www.modsecurity.org/ - available as either an Apache module (C) or as a servlet filter (Java).

    Basically it's aware of HTTP "variables" being submitted via a browser in GET / POST or in cookies and is able to screen them using regular expressions and "access list like" rules, before they get to any application code for processing. That means you can add it to a server transparently, without needing to change existing code.

    Like Apache config files, the rules can be similar to "permit xyz" or "deny abc". In other words, you could block certain input globally, such as attempted XSS attacks, while having a set of rules that are like a "signature" of permissible input for a given application, i.e. "here's all the permissible input for PHP-Nuke. Block all the rest".

    Certainly, for shared LAMP hosts, modsecurity could help lots to keep the rampaging PHP apps under control. Apparently the commercial offerings in the same field (web intrusion detection and prevention) are more mature right now, in particular where friendly admin GUIs are concerned, but typically come with hefty price tags.
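
The two-layer screening described in comment 75 (a global deny list plus a per-application "signature" of permissible input), as an added example in plain Python rather than modsecurity's own rule language (editor's code, not part of modsecurity). HTTP variables from the query string, POST body and cookies are checked before any application code would see them; the deny patterns, the `/modules.php` signature and the sample requests are all constructed, and cookies are screened only by the global rules so a session cookie is not rejected as an "unexpected variable".

```python
"""Allowlist-style screening of HTTP variables, in the spirit of modsecurity.

Editor's added example, not modsecurity's code or rule language: a global
deny list is applied to every variable, then a per-application 'signature'
of permissible input rejects anything it does not explicitly permit.
The rules, paths and sample requests are constructed.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Phase 1: patterns denied everywhere, regardless of application (constructed).
DENY_GLOBAL = [
    ("xss-script-tag", re.compile(r"<\s*script\b", re.I)),
    ("sql-union-select", re.compile(r"\bunion\b.*\bselect\b", re.I | re.S)),
    ("path-traversal", re.compile(r"\.\./")),
]

# Phase 2: per-application signature of permissible input (constructed).
# Keys are URL path prefixes; values map variable name -> permitted value pattern.
ALLOW_APP = {
    "/modules.php": {
        "name": re.compile(r"[A-Za-z_]{1,32}"),
        "op": re.compile(r"view|list|edit"),
        "id": re.compile(r"\d{1,9}"),
    },
}


def _variables(method, url, body, cookies):
    """Flatten query string, POST body and cookies into (name, value) pairs."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if method.upper() == "POST" and body:
        pairs += parse_qsl(body, keep_blank_values=True)
    cookie_pairs = list((cookies or {}).items())
    return parts.path, pairs, cookie_pairs


def screen(method, url, body="", cookies=None):
    """Return ("allow"|"deny", reason) for one request, before any app code runs."""
    path, pairs, cookie_pairs = _variables(method, url, body, cookies)

    # Phase 1: every variable, cookies included, against the global deny list.
    for name, value in pairs + cookie_pairs:
        for rule, pat in DENY_GLOBAL:
            if pat.search(value):
                return "deny", f"{rule} in {name}"

    # Phase 2: if an application signature covers this path, only listed
    # variables with fully matching values get through; cookies are left to the app.
    for prefix, allowed in ALLOW_APP.items():
        if path.startswith(prefix):
            for name, value in pairs:
                pat = allowed.get(name)
                if pat is None:
                    return "deny", f"unexpected variable {name} for {prefix}"
                if not pat.fullmatch(value):
                    return "deny", f"{name} does not match signature for {prefix}"
            return "allow", f"matched signature for {prefix}"

    return "allow", "no application signature; global rules only"


if __name__ == "__main__":
    for req in [
        ("GET", "/modules.php?name=News&op=view&id=42"),
        ("GET", "/modules.php?name=News&op=view&id=42'%20or%201=1"),
        ("GET", "/search.php?q=%3Cscript%3Ealert(1)%3C/script%3E"),
        ("POST", "/modules.php", "name=News&op=view&debug=1"),
    ]:
        print(req[:2], "->", screen(*req))
```

Note the difference between the two phases: the `id=42' or 1=1` request contains nothing on the global deny list and is stopped only because the application signature says `id` must be digits, which is the case for allowlisting over blocklisting the post is making. A positive signature also has to be maintained per application and per version, which is the operational cost of running it on a shared host.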

  76. Bad link by parkrrrr · · Score: 2, Interesting

    Kismet can be found at http://www.kismetwireless.net/ ; the link above redirects to the no doubt appropriately-named wirelesscon.com.

    1. Re:Bad link by KingBahamut · · Score: 2, Interesting

      http://airfart.sourceforge.net/ Is also a really good project.

      --
      "God of Rock, thank you for this chance to kick ass. "
  77. Re:Accountability -- Remind me not to hire you by Stephen+Samuel · · Score: 1

    I'm not saying that all commercial software is inferior. The original poster seemed to imply that he recognized that the OS alternatives to at least some of his commercially-used suggestions were better, but he was recommending the (inferior) proprietary alternative because it afforded a level of finger-pointing that the OS did not.

    --
    Free Software: Like love, it grows best when given away.
  78. Mod up parent. Interesting! by Anonymous Coward · · Score: 0

    Please mod the parent up!

  79. Re:how can you be sure of quality of closed source by Anonymous Coward · · Score: 0

    For security applications, how can you say with any confidence that a closed source product does an adequate job? You are not allowed to examine what it does, instead you have to rely on what the vendor says. Maybe some tool is certified by some "trusted" entity in your industry, but you don't have any control yourself. With open source, you can look, or hire someone to look who works for you.



    Barring software which explicitly prevents reverse engineering, closed source is not a barrier to determining if it will or will not do a good job (just as it's no protection for hiding bugs).

  80. Web Security Pen Testing resources by Anonymous Coward · · Score: 0
  81. Check out Sandstorm's NetIntercept by simsong · · Score: 1

    Although I'm one of the designers and have a financial interest in the company, I'll still say that if you are interested in network snooping, the most powerful tool out there is Sandstorm's NetIntercept. This is a full-content network interception device that captures all the traffic, decrypts the SSH and SSL connections (if we have the keys or if you are using our modified SSH server), and builds a huge database of everything that's moved over the wire. It's frightening spook stuff.

    Enjoy

    --
    (Yes, I really am Simson Garfinkel)
  82. There is one commercial tool by Bert64 · · Score: 1

    There is a single commercial app that not only costs us a LOT of money, but is the single reason I keep a copy of Windows installed on VMware.. This is WebInspect, from SPI Dynamics.. An incredibly buggy app, also very bloated, slow, and very prone to false positives. Unfortunately, there is no open source equivalent. I would very much like to get rid of this huge festering pile of crap, the developers of which tell me I must configure IE as the default browser in order to use the product (outrageous, how can a security professional be seen to be using the most insecure browser?)
    I have a list of complaints about this program and its developers a mile long, and when I submitted these complaints to the developers I was just brushed off, as if bugs are normal and I should just live with poorly written buggy crap..
    Anyway, I would love to use an open source equivalent application for this; all it really does is trawl a website looking for flaws in the code: SQL injection, cross site scripting, command injection etc.
    If anyone is familiar with a project to write such an app, I would be very interested in participating..

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
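    The core of the kind of tool described in the comment above, as an added example (not code from the original thread or from any product mentioned in it): take the URLs and parameters a crawler has collected, inject a probe into each parameter, and look for an unencoded reflection (cross site scripting) or a database error string (SQL injection). The target site here is a constructed, hypothetical stand-in made of Python handlers so the example runs offline; a real scanner would issue HTTP requests in `fetch`. The baseline comparison is there because of the false-positive complaint: an error string is only reported when the probe produced it.

```python
import html
import re
from typing import Callable, Dict, List, Tuple

Params = Dict[str, str]
Finding = Tuple[str, str, str]  # (issue, path, parameter)

# Constructed stand-in for the target web site (hypothetical; not a real
# application). Each handler takes the request parameters and returns the body
# a server would send back. A real scanner issues HTTP requests instead.
def _search(params: Params) -> str:
    q = params.get("q", "")
    return f"<html><body>Results for: {q}</body></html>"   # reflected without encoding

def _product(params: Params) -> str:
    pid = params.get("id", "1")
    if "'" in pid:  # the unbalanced quote reaches the query and the DB error leaks back
        return ("You have an error in your SQL syntax; check the manual that "
                "corresponds to your MySQL server version")
    return f"<html><body>Product {html.escape(pid)}</body></html>"

def _hello(params: Params) -> str:
    return f"<html><body>Hello {html.escape(params.get('name', ''))}</body></html>"

FAKE_SITE: Dict[str, Callable[[Params], str]] = {
    "/search": _search, "/product": _product, "/hello": _hello,
}
# What a crawler would have collected: every URL with the parameters it accepts.
SEED_URLS: List[Tuple[str, Params]] = [
    ("/search", {"q": "test"}), ("/product", {"id": "7"}), ("/hello", {"name": "bob"}),
]

def fetch(path: str, params: Params) -> str:
    """Stand-in for an HTTP GET against the constructed site."""
    return FAKE_SITE[path](params)

# A marker that will not occur in normal page content; if it comes back
# byte-for-byte, the parameter is reflected without HTML encoding.
XSS_MARKER = "zq9<xss>zq9"
# Error strings that several database engines leak when a query breaks.
SQL_ERROR_RE = re.compile(
    r"error in your SQL syntax|ORA-\d{5}|unclosed quotation mark|SQLSTATE\[|pg_query\(",
    re.I,
)

def scan(seeds: List[Tuple[str, Params]],
         fetch_fn: Callable[[str, Params], str]) -> List[Finding]:
    """Probe every parameter of every seed URL; return sorted (issue, path, param) triples."""
    findings: List[Finding] = []
    for path, params in seeds:
        baseline = fetch_fn(path, params)           # the unmodified page, for comparison
        for name, value in params.items():
            body = fetch_fn(path, {**params, name: XSS_MARKER})
            if XSS_MARKER in body:
                findings.append(("reflected-xss", path, name))
            # html.escape(XSS_MARKER) in body would be an encoded reflection: not reported.
            body = fetch_fn(path, {**params, name: value + "'"})
            # Only report if the error text is new; a page that always prints
            # "ORA-..." in its footer would otherwise be a false positive.
            if SQL_ERROR_RE.search(body) and not SQL_ERROR_RE.search(baseline):
                findings.append(("sql-error", path, name))
    return sorted(findings)

if __name__ == "__main__":
    for issue, path, param in scan(SEED_URLS, fetch):
        print(f"{issue}: {path}?{param}=")
```

    Run against the constructed site this reports the unencoded reflection in `/search?q=` and the SQL error on `/product?id=`, and nothing for `/hello`, whose handler encodes its input. Command injection probing follows the same pattern with a time-based or marker-based payload, and a real tool also needs POST bodies, cookies and headers as injection points, not just query parameters.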
  83. Now with more link-y goodness by sczimme · · Score: 1


    The Open Source Security Testing Methodology Manual is here.

    --
    I want to drag this out as long as possible. Bring me my protractor.
  84. Because that's what the bad guys use by smoon · · Score: 1

    Sure, some foreign government or well-funded industrial spy may use a $10,000 or $100,000 tool. Ditto for someone who has a cracked version of a commercial tool.

    It seems much more likely that the black-hat types are either going to use freely available tools, or will write their own custom jobs before they will submit to using some fancy point-and-click GUI that attempts to hide complexity from them (even if their employer provides it). It's dangerous to assume that no one will attack you with commercial tools. I think it's valid to assume the probability of getting scanned by nmap and nessus is much higher than being scanned by some expensive proprietary tools. Therefore it makes sense to test with the free tools to ensure that the most common scenarios are covered.

    --
    "But actually trying to use m4 as a general-purpose langage would be deeply perverse" --ESR
  85. L0phtCrack is worth purchasing. by BinaryLobster · · Score: 1

    I also do security reviews for customers. Probably the most useful security application I've purchased is L0phtCrack (used both LC4 and LC5). It makes auditing password compliance on windows networks painless. Other than LC5, all of the security tools I use are open source.

    My experience with the commercial security software is they are trying to transfer the intelligence requirements from the user into the application. Great for some things, security isn't one of them.

    An intelligent user with an intelligent application is a powerful combination. But an uneducated user with an intelligent application is just asking for trouble.

    Now, given the application vendor claims the application is easy to use, what kind of person is the pointy haired boss going to hire to run it?

    I call that 24K tech support syndrome.

    ---

    Yea, yea, I'll get around to a sig sometime...

  86. Re:how can you be sure of quality of closed source by Corbets · · Score: 1

    This argument is pretty poor, IMHO.

    First, most people *don't* look at the source anyway - they trust the OS community to do so.

    Second, why is the opinion of someone I hired any more valid than the opinion of some company I hired?

  87. Re:how can you be sure of quality of closed source by Anonymous Coward · · Score: 0

    Ah, but if the choice is between downloading Snort or paying $100,000 for a similar commercial package, couldn't they spend some of that money on auditing some/all of the Snort code?

    If they spend $50,000 on some 3rd party to do the audit, then 1) they've saved $50,000 over buying the commercial solution, and 2) they've had the code audited by someone other than the manufacturer. Who would you believe- the manufacturer of a product, who stands to gain by convincing you the product is Good, or a third party, who gains the same whether it's good or not?

  88. don't use nessus then by BlueLines · · Score: 1

    from http://www.nessus.org/plugins/index.php?consultant=1&email=c&product=

    Using the Plugins to detect vulnerabilities on the system or network of third parties is subject to authorization.

    To obtain an authorization :

    * Download and sign this license agreement
    * Fax it to the following number : +1 (410) 510 1889

    also, from the nmap-hackers list:

    "[nessus] also instituted a $1200/year charge for the latest plugins ( a
    delayed feed is available free with registration for certain limited
    uses). They also now claim that many of the existing Nessus plugins
    were never open source. At the same time, they rewrote the Nessus web
    page to emphasize that Nessus is "the open-source vulnerability
    scanner".

    --
    --BlueLines "The cost of living hasn't affected its popularity." -anonymous
  89. Open source saves you money because... by itpr15061 · · Score: 1

    Because, usually, you DO NOT get:

    1) Any kind of robust reporting, you are expected to roll-your-own
    2) Decent documentation
    3) Straightforward installation (can be related to point 2)

    I'm not knocking open source, I use it and love it. But this is what I've noticed. Sure, there are great open source tools that have none of these problems, but come on -- most of them have at least two of these issues. On the plus side, I've found that open source support forums are almost always faster and provide better answers than commercial solutions. In some cases there are even free public support forums for commercial applications (think Phoneboy), and these are also usually better than the commercial equivalent.

  90. Penetration testers is little better name than by Anonymous Coward · · Score: 0

    Law-abiding hacker/cracker that will only attack systems with a contract from the owner. And will report all faults found.

    Note: a law-abiding hacker would test systems so that they can take the Slashdot effect, i.e. DoS attacks don't work or don't cause data destruction. As well as back doors.

  91. Nessus new (weird) plugin licensing terms by andrew71 · · Score: 3, Informative


    I just received e-mail from Fyodor and had this bad bad news.

    Nobody mentioned that here.

    (and probably nobody will read that since I'm stuck at 0 :)

    --
    13-4=54/6
  92. Re:how can you be sure of quality of closed source by Eternally+optimistic · · Score: 1

    If I have a choice between software provider A, who says "trust me it works, but you cannot look at it", and provider B, who says "trust me it works, and you can check for yourself if you want", why should I not prefer provider B?

    --
    What keeps me going is my inertia.
  93. Nessus is not quite free anymore by neoThoth · · Score: 3, Informative

    While the tool itself *is* still free Lightning has made a change in their pricing model regarding the plugins.
    Check it out for yourselves, there are three feeds now. The main feed which used to be free is now on a seven day delay. While this doesn't affect a lot of the scanning efforts it is nice to know about the vulnerability that just came out.
    Often when a new serious vulnerability makes news a company would like to know how they are affected right away. Now they will have to wait 7 days!
    I don't think that there is anything wrong with this, I mean the developers at nessus (tenable lightning) have to eat too. But calling it free just seems sort of inaccurate now. Scanners without updated signatures work about as well as razors without the blades.
    A 'Direct Feed' is commercially available which entitles subscribers to the latest vulnerability checks. Customers who purchase a Lightning Console or NeWT Pro scanner receive access to this feed with their annual product maintenance.
    A 'Registered Feed' is available for free to the general public, but new plugins are added seven days after they are added to the 'Direct Feed'. To obtain access to the 'Registered Feed', users are required to enter contact information for tracking and also agree to Tenable's license agreement for the plugins.
    The 'GPL Feed' does not require registration, and includes plugins written by the user community. As manager of the Nessus project, Tenable continues to accept plugins written from the Nessus and NeWT user communities. Plugins accepted with a copyright under the GNU Public License will be distributed to the Direct, Registered and Public feeds at the same time.
    Pricing
    The access to the GPL feed and to the Registered Feed is free. Pricing for the 'Direct Feed' is based upon the number of Nessus or complimentary copies of NeWT in use within your organization, consultancy or service. The cost is $1200 per scanner per year. For more information, please contact Tenable's sales staff.

    1. Re:Nessus is not quite free anymore by Anonymous Coward · · Score: 0

      Fork and do it better. No offense, but 'free' refers to the license of the software. QT, MySQL also provide free versions (GPLed) but these are also referred to as free.

    2. Re:Nessus is not quite free anymore by neoThoth · · Score: 1

      I think Open Source refers to the license. I was just correcting the idea that the OS project known as Nessus was still free. Before Dec of 2004 it was free AND open source. NMAP is actually both still and Fyodor asserts that he has no plans to follow Nessus' lead in a for-profit business model. He wants to keep his tool the way it is. Again I have no issue with the team at Tenable moving to this model but it just seems like news of the shift in plugins isn't very widely known.
      It now costs money if it is to be used effectively (timely updates). As for forking, I think about it and may. If I do I'll make sure to give you a mention in the release notes.

  94. vuln scanners by neoThoth · · Score: 3, Interesting

    With vulnerability scanning there are a few different aspects to consider. The most important feature of a scanner (aside from speed and accuracy) is the level of updates. An out of date scanner is only mildly better than no scanner at all. In this regard commercial software has some advantage for the consumers (IT organizations). It's not that they can blame anyone (as was mentioned in several posts) but there is someone to yell "hey! where the hell is my signature for Vuln XYZ?" With open source there isn't a guarantee that the signature will be made quickly enough. Even Nessus (as I pointed out in another post here somewhere) has moved to a pay model for plugins because of the cost of keeping those signatures up to date.
    Now one can also take the Open Source approach here and write their OWN signatures but many companies just don't have the staff for that type of thing. The vulnerability details are so sparse these days (not so open disclosure rules) that recreating the actual exploit, never mind finding a way to detect it remotely, is beyond the skill of most teams in the limited timeframe that it's of vital importance. A team will have around 24-48 hours after a patch is released until some evil doer[s] have reverse engineered the patch and created an exploit out of it, slipped in a pre-packaged payload and owned 3 out of your 7 class B segments. Sometimes less. I think the ISS worm last year was the record, something like > 20 hours from patch to worm [Witty worm I think].
    Some interesting articles on scanning here and here

    Just one other side note about the articles, Foundstone was purchased by McAfee last year so disregard those.
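    The "write your own signature" route mentioned above, as an added example that is not from the thread or from Nessus: the simplest remote check a scanner plugin performs is a banner grab followed by a version comparison. The banner format is the SSH version exchange from RFC 4253 (lines before the `SSH-` line must be skipped); the banners below are constructed, and `FIXED_IN` is a placeholder for whatever version the advisory you are writing a check for names, not a real vulnerability.

```python
import re
from typing import Optional, Tuple

# Version line format from the SSH transport protocol (RFC 4253 section 4.2):
# "SSH-protoversion-softwareversion SP comments CR LF". Only OpenSSH's
# softwareversion is parsed here; anything else is reported as unknown.
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[\d.]+)-OpenSSH_(?P<ver>\d+(?:\.\d+)*)(?:p(?P<patch>\d+))?"
)

Version = Tuple[int, int, int, int]   # (major, minor, micro, portable patch level)

def read_banner(stream: bytes) -> Optional[str]:
    """Return the first line starting with 'SSH-'. Servers may send other
    lines before it (RFC 4253 permits this); a naive check would mis-parse them."""
    for line in stream.split(b"\n"):
        line = line.strip(b"\r")
        if line.startswith(b"SSH-"):
            return line.decode("ascii", errors="replace")
    return None

def parse_openssh_version(banner: str) -> Optional[Version]:
    m = BANNER_RE.match(banner)
    if not m:
        return None
    parts = [int(x) for x in m.group("ver").split(".")]
    parts += [0] * (3 - len(parts))        # "3.7" compares as 3.7.0
    patch = int(m.group("patch")) if m.group("patch") else 0
    return (parts[0], parts[1], parts[2], patch)

def check(stream: bytes, fixed_in: Version) -> str:
    """Signature logic: 'vulnerable' if the advertised OpenSSH version is older
    than fixed_in, 'patched' otherwise, 'unknown' when the banner is not OpenSSH."""
    banner = read_banner(stream)
    if banner is None:
        return "unknown"
    ver = parse_openssh_version(banner)
    if ver is None:
        return "unknown"
    return "vulnerable" if ver < fixed_in else "patched"

# Constructed banners (hypothetical hosts). FIXED_IN is a placeholder threshold,
# not a claim about any real OpenSSH release.
FIXED_IN: Version = (3, 7, 1, 0)
SAMPLE_BANNERS = {
    "old":      b"SSH-1.99-OpenSSH_3.6.1p2\r\n",
    "patched":  b"SSH-2.0-OpenSSH_3.7.1p2\r\n",
    "short":    b"SSH-2.0-OpenSSH_3.7\r\n",
    "preamble": b"Welcome to the box\r\nSSH-2.0-OpenSSH_3.5p1\r\n",
    "other":    b"SSH-2.0-dropbear_0.44\r\n",
}

if __name__ == "__main__":
    for name, data in SAMPLE_BANNERS.items():
        print(f"{name:9s} {check(data, FIXED_IN)}")
```

    The caveat a practitioner wants here: banner checks are exactly the source of the false positives complained about elsewhere in this thread, because distributions backport fixes without bumping the advertised version. A check that can log in and inspect the package, or that actually exercises the bug, beats version matching; when only the banner is available, report the finding as "version suggests vulnerable" rather than as a confirmed hole.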

  95. Firewall by Craig+Ringer · · Score: 1

    Alas, to do that I'd need to replace the switch the macs are plugged into with a rather clever router. Don't think I didn't look into it ;-) but it doesn't look practical.

    As for a host based firewall ... sure, if I could run our systems on a real OS. Alas, our DTP workstations still run MacOS 9.

  96. Good penetration testing resource by PerryResearch · · Score: 2, Informative

    Mostly open source security tools for pentesting, although there are some commercial products listed as well.

    http://www.liveammo.com/LiveAmmo_Security_Tools_Directory.htm

    --
    ---------- http://www.LiveAmmo.com
  97. anyone had experience with fortify software ? by gman777 · · Score: 1

    they are a newco but seem to have good people there ...

  98. [OT] Sig question by Anonymous Coward · · Score: 0
    Vs lbh pna ernq guvf, ybt bss abj. Tb bhgfvqr. Syl n xvgr.
    Does that mean "in your head" or "with tr"?
    1. Re:[OT] Sig question by ectoraige · · Score: 1

      Um, neither.

      --
      Vs lbh pna ernq guvf, ybt bss abj. Tb bhgfvqr. Syl n xvgr.
  99. Re:Accountability -- Reminde me not to hire you by Anonymous Coward · · Score: 0

    MANY MANY commercial products are better than the open source version.

    Unfortunately, I have been unable to find those commercial products. Are you only talking about stuff like AutoCAD that are useless for "normal people", then I might agree with you. But for the applications I use, I have yet to see a commercial product that is better.

    Unless you're talking about games of course, I know there are not many open source games that beat commercial games. Which is why I have a PS2.

  100. Re:Why pay? Features and UI by Anonymous Coward · · Score: 0

    that is, if you have admin rights to all the boxes, turn on remote registry editing, kill all firewalls/IDSes, etc. - leaving you wide open for the duration of the testing

    Now, that's an interesting way of making a test tool. First require people to open a lot of holes. Then give them a report that they are very vulnerable, and need to close those holes to be safe. After reading that report and closing the holes, they will be so happy that the tool found all those holes, that they don't think about the possibility of other holes.

  101. pr0n on slashdot by Ganryu · · Score: 1

    Am I the only one who saw the parent's sig and thought "pr0n on slashdot, that's disgusting"... and then clicked the link anyway.

  102. One problem in SANS ids methodology by JimmytheGeek · · Score: 2, Interesting

    Northcutt et al. have a seriousness assessment that is completely broken. Their model rates an incident by a formula that does not make sense:

    S = (C + L) - (HCM + NCM)

    Where:
    S = severity
    C = Criticality (how important the target host is)
    L = Lethality of attack
    HCM = Host-based countermeasures
    NCM = network-based countermeasures

    They use different variable names, I think.

    Assign a value from 1-5 for C,L,HCM, and NCM

    Remember ordinal numbers? You can't multiply them (or do other operations on them) and get any sensible result. For example, last year the Mariners finished 4th (last) in the AL West. You can't multiply their rank of 4 by anything. They aren't 4 times as sucky as Oakland or 4/3rds as sucky as Texas. They are ranked 4th and that's all you can say. More sucky than Texas. If they finish 1 game behind #3, they are ranked 4th same as if they finish 150 games behind.

    Similarly, you can't say a Criticality=5 host is 25% more important than a C=4 host. Adding Lethality to Criticality is like adding Favorite Ice Cream to AL West Standings.

    Further, Lethality probably has no sensible 5 step progression. I count 4 max steps. No lethality, recon, user-level, 0wn3d. If a step is not at all lethal, why does that increase the severity? (Should be 0-5)

    Beyond the mathematics, I have some other conceptual problems: subtracting the assessment of network-based countermeasures. Well, let me see. Give the assessment for network-based countermeasures a high value if it stopped the attack and a low value if it didn't. This tautology advances our interests how? If the exercise doesn't provide the severity, but instead takes it as an input, then the exercise is just busywork. Or take an independent assessment of the network countermeasures- we're proud of our kick-ass firewall, score it 5. It didn't stop the attack, as the vector was entirely within permitted traffic. How does a cool firewall that didn't stop the attack reduce the severity of the event?

    The same argument holds for host-based countermeasures (host firewall, av, tripwire, current patching, etc)

    I grant that the folks proposing this model have a lot more experience than I do, but they should probably admit that people pull these numbers out of their asses to fit a predetermined conclusion. The severity rating should inform decisions about response. Most of the steps should give binary results: respond | not respond

    Is this an attack/hostile? yes/no
    Is the target something we care about? yes/no
    Did the attack succeed? yes/no
    Does it represent a threat even if it failed? yes/no
    and so on

    The prioritization of responses is probably inevitably a second calculation.

    It bugged me that I had to use this methodology to get my certification.

    I am otherwise impressed: do not hold SANS/GIAC certs in the same contempt that the CNE and MCSE deserve. The GCIA was a massive amount of work that actually exercised the skills being evaluated. The papers of those who pass it are publicly available at the SANS website so you can see someone's chops and writing style, if you are checking someone out for a job or contract.
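    The formula from the comment above beside the poster's yes/no alternative, as an added example (my code, not SANS material or the poster's): two constructed incidents get the same severity score S, while the binary questions send one to response and the other to the bin. The scores are the 1-5 ordinals the comment describes; the incidents are made up to show the point, not taken from any real case.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Incident:
    name: str
    criticality: int          # C, 1-5
    lethality: int            # L, 1-5
    host_cm: int              # HCM, 1-5
    net_cm: int               # NCM, 1-5
    hostile: bool             # the yes/no questions from the comment
    target_matters: bool
    succeeded: bool
    threat_if_failed: bool

def sans_severity(i: Incident) -> int:
    """S = (C + L) - (HCM + NCM), each term an ordinal 1-5 as the comment describes."""
    for v in (i.criticality, i.lethality, i.host_cm, i.net_cm):
        if not 1 <= v <= 5:
            raise ValueError("ordinal scores must be in 1..5")
    return (i.criticality + i.lethality) - (i.host_cm + i.net_cm)

def binary_triage(i: Incident) -> str:
    """The alternative from the comment: a chain of yes/no questions, each of
    which can end the decision; only incidents that survive all of them get a response."""
    if not i.hostile:
        return "no-response: not an attack"
    if not i.target_matters:
        return "no-response: target not of interest"
    if i.succeeded:
        return "respond: successful attack"
    if i.threat_if_failed:
        return "respond: failed attack, still a threat"
    return "no-response: failed and harmless"

# Constructed incidents. A: a successful compromise of a critical host whose
# "kick-ass" firewall (scored 5) did not stop the attack because the vector was
# permitted traffic. B: a harmless sweep of a throwaway lab box with no
# countermeasures to speak of.
A = Incident("compromised DB server", 5, 5, 5, 5, True, True, True, True)
B = Incident("port sweep of a lab box", 1, 1, 1, 1, True, False, False, False)

if __name__ == "__main__":
    for inc in (A, B):
        print(f"{inc.name}: S={sans_severity(inc):+d}  ->  {binary_triage(inc)}")
```

    Both incidents score S = 0: the firewall that did not stop the attack cancels out the lethality of the attack it did not stop. The triage questions, which take "did it succeed?" as a fact rather than as something to be subtracted, separate them immediately.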

  103. Latest by Nessus team lead Renaud Deraison by neoThoth · · Score: 1

    Hi List and Fyodor,

    On Mon, Feb 07, 2005 at 02:34:11PM -0800, Fyodor wrote:
    > In other news, some users have expressed concern about the new Nessus
    > license. If you want to use Nessus and all its plugins for
    > consulting, you are now required to fax Tenable a signed license
    > agreement requesting permission.

    This is correct. The issue is that in legalese-speak, it's difficult to distinguish between a consultant and a Managed Security Services Provider (MSSP), and some of them have blatantly abused Nessus in the past by claiming they "invented the technology", so we had to find a way which :

    a) Makes the use of Nessus free for consultants ;
    b) Allows us to prevent such companies from using it if they lie in
    their claims ;

    In the same vein that in real life you have to use annoying keys to lock your door to prevent a minority of bad guys from breaking into your house, we had to set up some measures to prevent a minority from abusing the project.

    > You must also promise not to redistribute or reverse-engineer the
    > plugins (http://www.nessus.org/plugins/index.php?consultant=1&email=c&product=).
    > They also instituted a $1200/year charge for the latest plugins ( a
    > delayed feed is available free with registration for certain limited
    > uses).

    The registered plugin feed (which is _free_) allows you to scan the network of your workplace or home, with all the plugins that have ever been written, although there is a 7 day delay between the time we write the plugins and the time you receive them. If members of the open-source community submit a given plugin, then it's available under the GPL with no delay.

    Same thing with consultants and MSSPs: you can get the plugin feed for _free_ but you need to ask for authorization only once. We do NOT use the gathered data for commercial purposes. Actually, we don't even keep a digital copy of the authorizations, since we're talking about a fax, so we do not have a database of consultants and/or MSSPs.

    Finally, if you have some kind of religious stance regarding the use of non-GPL software, there is a 100% GPL plugin feed which contains over 2,000 plugins.

    > They also now claim that many of the existing Nessus plugins were
    > never open source. At the same time, they rewrote the Nessus web page
    > to emphasize that Nessus is "the open-source vulnerability
    > scanner".

    Nessus is an engine, and it is released under the GPL license. A great number of plugins is released under the GPL license. I think that qualifies for "open-source".

    [...]
    > They argue that this change is necessary to maintain quality and
    > satisfy shareholders

    We have never claimed that we clarified the license to satisfy shareholders.
    We are privately funded and not dependent on VCs.

    What we've claimed is that setting up an environment to react in real time to new vulnerabilities (instead of reacting "whenever I have time"), and hiring people to work full time on new security checks (and QA them) requires more than goodwill, especially when you see that these checks are then being used by our competitors. If the community had submitted more plugins, maybe this would not have been necessary, but when you look back and see that Tenable contributed over 80% of the new plugins in 2004, then there is a problem.

    It turns out that when people think of "open-source", most of them think of a million people writing one line of code each, and this is absolutely false.

    Just a quick recap :

    + 100% of the Nessus Engine : Michel Arboi and Renaud Deraison (Tenable)

    + 95% of the Nessus Plugins : Michel Arboi, David Maciejak, Noam Rathaus,
    Digital Defense Inc., George Theall and Tenable.

    I recently explained the rationale behind the license change in a lengthy email, available at