Slashdot Mirror


Free Open-Source vs. Commercial Security Tools?

sahirh asks: "I work as a penetration tester and recently started writing a whitepaper on the benefits of free, open-source security tools over commercial tools. Through my own experiences, I've found that many free tools such as Nessus and Kismet are more reliable and have better features than expensive commercial alternatives like ISS Internet Scanner or Airopeek. I've also noticed that tools like Ettercap have no commercial alternative. Further, the flexibility offered by the open-source nature of such tools is a great benefit. I'd like to ask for Slashdot's experiences and opinions on why you don't need to spend thousands of dollars on an expensive tool to perform a professional security assessment." Update: 02/07 11:15pm EDT by C : Thanks to all who wrote in to let us know the proper URL to the Kismet site.

6 of 234 comments

  1. Valuable Open Source Security Assessment Tools? by kiwidefunkt · Score: 5, Informative

    Ethereal, nmap, and snort always get the job done for me.

    --
    www.kiwilyrics.com - a wiki for lyrics
    1. Re:Valuable Open Source Security Assessment Tools? by Homology · Score: 4, Informative
      Ethereal, nmap, and snort always get the job done for me.

      Heh, recommending a security tool that OpenBSD removed because the Ethereal team does not care about security.

      Mark it as BROKEN:

      Right during 3.5, it had more than
      a dozen remote holes being fixed, that we shipped with. Weeks later
      things have not improved, and there continue to be problems reported
      to bugtraq, and respective band-aids - but it is clear the ethereal
      team does not care about security, as new protocols get added, and
      nothing gets done about the many more holes that exist.

      Just because something is open source does not imply that it's secure.

    2. Re:Valuable Open Source Security Assessment Tools? by Stephen+Samuel · Score: 4, Informative
      Heh, recommending a security tool that OpenBSD removed because the Ethereal team does not care about security.

      I was just thinking about structural ways to work around this in ethereal (like priv sep) -- in the meantime, I would point out that the biggest difference between ethereal and its commercial equivalents is that, with ethereal, you find out about the security problems quickly -- whereas with commercial equivalents, you might not find out for a while (if ever), and you'll probably end up paying for the upgrade to make it secure.

      Another point is that it's most often the newer dissectors that contain the holes. If you're worried about security and working in a 'hostile' environment, you're probably best to disable any dissector that you're not intending to use. -- in fact, that might be a good idea to do in Ethereal, generally: Disable all but the most common dissectors and wait for the user to enable them explicitly.

      --
      Free Software: Like love, it grows best when given away.
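    The allowlist approach suggested in the comment above (switch off every dissector except the few you actually need) can be applied today through Wireshark's (formerly Ethereal's) disabled_protos file, which lives in the personal configuration directory and lists one protocol filter name per line, with '#' comment lines. The script below is an added example, not code from the thread or from the Wireshark project: it builds that file from a full protocol list minus an allowlist. The KEEP list and the sample protocol list are constructed assumptions; in real use the list comes from `tshark -G protocols`, whose third tab-separated column is the filter name.

```shell
#!/bin/sh
# Added example: generate an allowlist-style disabled_protos file so that
# every dissector not explicitly needed is disabled, shrinking the parsing
# attack surface exposed to hostile traffic.

# Dissectors to keep enabled (assumption; tune to the traffic you inspect).
KEEP="eth ip ipv6 arp tcp udp icmp dns http"

# make_disabled_protos FILE
#   FILE holds one protocol filter name per line (in practice:
#   tshark -G protocols | cut -f3 > FILE). Prints a disabled_protos file on
#   stdout: a header comment, then every name that is NOT in $KEEP.
make_disabled_protos() {
    printf '# Generated: every dissector outside the allowlist is disabled\n'
    while IFS= read -r proto; do
        [ -z "$proto" ] && continue
        case " $KEEP " in
            *" $proto "*) ;;               # allowlisted: stays enabled
            *) printf '%s\n' "$proto" ;;   # everything else: disabled
        esac
    done < "$1"
}

# count_disabled FILE
#   Number of dissectors a generated file disables (comment lines ignored).
count_disabled() {
    grep -vc '^#' "$1"
}

# is_disabled PROTO FILE
#   Exit 0 if PROTO appears as a disabled entry in FILE, 1 otherwise.
is_disabled() {
    grep -qx "$1" "$2"
}

# --- Constructed sample standing in for `tshark -G protocols | cut -f3` ---
SAMPLE_LIST=$(mktemp)
cat > "$SAMPLE_LIST" <<'EOF'
eth
ip
tcp
udp
http
dns
smb
ldap
kerberos
snmp
EOF

OUT=$(mktemp)
make_disabled_protos "$SAMPLE_LIST" > "$OUT"
# Real use: make_disabled_protos protos.txt > ~/.wireshark/disabled_protos
# (or use tshark's --disable-protocol <name> per protocol for one-off runs).
cat "$OUT"
```

    The file is read at startup, so the generated copy takes effect on the next launch; anything on the allowlist remains dissected as usual and a protocol that is later needed is re-enabled by deleting its line.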
  2. Go to SANS training. by Matey-O · · Score: 5, Informative

    $3200 spent in a snort bootcamp made the need to buy a $120,000 IDS box moot.

    We were reviewing several six-figure pieces of equipment and found the same thing - we knew they saw traffic they didn't like, but we didn't know WHY.

    Now that everybody uses snort rules, the training is still helpful to show you WHAT you're seeing and IF it's truly bad or just another false positive.

    FWIW, why get the snort stuff one vendor removed? Just go straight to the source.

    --
    "Draco dormiens nunquam titillandus."
  3. Visa / MC Compliance by jfroot · Score: 5, Informative

    One reason that many companies need to use a commercial security tool is because of Visa and Mastercard CISP and SDP compliance.

    In order to comply you must have various levels of security testing done and certified by an approved vendor.

  4. besides the obvious by JeanBaptiste · Score: 5, Informative

    snort, ethereal, nmap, etc

    one commercial one that I _really_ like is Languard Network Scanner from GFI.

    While it is closed source, it has 30-day full functionality, and has limited functionality after that. Still, even with the 'limited' functionality, it provides the full scanning capabilities; it just doesn't let you use some of the features that I never use anyways (scheduling, etc).

    I'd really recommend giving it a try, it's pretty slick.