Free Open-Source vs. Commercial Security Tools?
sahirh asks: "I work as a penetration tester and recently started writing a whitepaper on the benefits of free, open-source security tools over commercial tools. Through my own experiences, I've found that many free tools such as Nessus and Kismet are more reliable and have better features than expensive commercial alternatives like ISS Internet Scanner or Airopeek. I've also noticed that tools like Ettercap have no commercial alternative. Further, the flexibility offered by the open-source nature of such tools is a great benefit. I'd like to ask for Slashdot's experiences and opinions on why you don't need to spend thousands of dollars on an expensive tool to perform a professional security assessment." Update: 02/07 11:15pm EDT by C : Thanks to all who wrote in to let us know the proper URL to the Kismet site.
One of the best NIDS tools available; the only thing you can get better are... commercial Snort derivatives. Not mentioned, WTF?
It seems like there is an implicit bias in the question. I would like to see a fair assessment of commercial vs. open source tools over a biased statement about how open source tools are better. I'm sure there are worthwhile products in both categories.
Right, because pointing a finger at someone you can't really hold accountable or make a lawsuit against is worthwhile. Telling your CEO "but the tool didn't see that problem" potentially makes you look just as dumb as the tool you paid for.
I'm on our network security team and when doing audits we do have a few commercial tools, but we also use OSS tools like Nessus because IME they're better overall.
How do you use Snort and Tripwire (from the child's response) for penetration testing and risk assessment? I understand using them as part of an IDS, but not for the initial risk assessment.
I do security
So, you believe that EULAs are completely unenforceable?
Oceania has always been at war with Eastasia.
I work for a company that has an EtherpeekNX license. Since they started the NX line, they have activation. One time per license. I had to call and threaten a move to open source alternatives with a forced refund due to their policy.
They provide a remote collection agent that can be monitored with the licensed full version. That was not good enough in our instance due to the layout of our network and needing to install our licensed copy, at the work site, fix the problem and then uninstall the software. After much desk pounding they finally gave in and let us have unlimited installs of the same number. But only after threatening a move to open source.
Our take on the issue is, we need to install the product how we see fit. We paid for it. It doesn't matter to us if we aren't using the software how they "envision" it should be used. We were due a refund if they refused to let us use a product we paid for.
Digital is, by definition, imperfect. Analog is the way to go.
I work for DoD. We tend to go with commercial software for several reasons:
1. Personnel changeover. DoD loves to move people around between departments and installations. It's hard to find people savvy enough to run open-source software and keep them in one spot. It's much easier to give whoever is holding the position a phone number and tell them to call tech support with problems.
2. Personnel skills. DoD is huge. Because of this, the chances of getting skilled and motivated people at all of your sites is slim. Again, the phone call seems to make everything better.
3. Contracts. Things are usually purchased in bundles and as part of a big plan. It's much easier to brief to a non-tech boss that you have the support of another company and not that "I'm sure we can figure it out."
4. Uncle Sam's pockets are deep.
I agree that open source software is often better. But it doesn't give the non-tech group that warm fuzzy it needs to. In the end, the boss doesn't want to be up a creek without a paddle. Having that phone number to call adds a much wanted security blanket, even if it's only a facade.
Mark A. McBride -- OmniNerd.com
Is that the right question to ask?
"I'd like to ask for Slashdot's experiences and opinions on why you don't need to spend thousands of dollars on an expensive tool to perform a professional security assessment."
It sounds like you're already set in your opinion and just asking for justifications. That doesn't usually develop any new insights or make good comparisons. If you really want to sell people on Open Source, do a fair and un-biased comparison. An obviously biased comparison is easily detectable and loses credibility. I really don't think Open Source needs biased comparisons to look good.
EvilCON - Made Famous by
"you can't really hold accountable or make a lawsuit against is worthwhile"
Why can't you? The law on this is untested in many areas. What makes you so sure you couldn't make a case against them?
Part of the nature of ethereal is that just about any hole is going to be a remote hole, since it is pretty much only dealing with remote (network) data. This is made worse by the fact that it's usually run as root and has no privilege separation (that I know of). OBSD, on the other hand, has the luxury of separating remote holes from local holes when they carp about OpenBSD's security.
This, however, does not excuse the ethereal community's somewhat lackadaisical attitude towards security. Quite to the contrary, you could argue that it makes security in the design all the more important.
Free Software: Like love, it grows best when given away.
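The design the post above asks for, privilege separation between the process that owns the capture handle and the code that dissects untrusted packet bytes, as an added example. This is not Ethereal's code: the capture side is stood in for by a constructed packet, the dissector is a deliberately naive IPv4 header parser, and the unprivileged account name (`nobody`) is an assumption about the host.

```python
"""Privilege-separated packet dissection.  Added example, not Ethereal's
code: the process that owns the capture handle (the one that needed root
to open it) never parses packet bytes itself; each dissection runs in a
forked child that drops root first, so a dissector bug triggered by a
remote packet cannot crash the capturing process or execute as root."""
import json
import os
import pwd
import socket
import struct

UNPRIV_USER = "nobody"  # assumption: an unprivileged account that exists on the host


def drop_privileges(user: str = UNPRIV_USER) -> None:
    """Irreversibly drop root in the calling process; a no-op when not root."""
    if os.geteuid() != 0:
        return
    pw = pwd.getpwnam(user)
    os.setgroups([])          # shed supplementary groups before changing uid
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)
    try:                      # prove the drop is irreversible
        os.setuid(0)
    except PermissionError:
        return
    raise RuntimeError("privilege drop did not stick")


def dissect_ipv4(pkt: bytes) -> dict:
    """Naive IPv4 header dissector: the untrusted code.  It raises on
    truncated or non-IPv4 input, standing in for a parser bug that
    attacker-controlled bytes on the wire could trigger."""
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4 or ihl < 5:
        raise ValueError("not an IPv4 header")
    return {
        "version": version,
        "header_len": ihl * 4,
        "total_len": total_len,
        "ttl": ttl,
        "proto": proto,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
    }


def dissect_in_child(pkt: bytes) -> dict:
    """Run dissect_ipv4 in a de-privileged child.  The parent only moves
    bytes and reads back a JSON result, so a crash in the dissector is
    reported as an error instead of taking down the capture process."""
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: sandboxed dissection
        os.close(rfd)
        try:
            drop_privileges()
            os.write(wfd, json.dumps(dissect_ipv4(pkt)).encode())
            os._exit(0)
        except BaseException:
            os._exit(2)
    os.close(wfd)  # parent
    chunks = []
    while True:
        data = os.read(rfd, 4096)
        if not data:
            break
        chunks.append(data)
    os.close(rfd)
    _, status = os.waitpid(pid, 0)
    if os.waitstatus_to_exitcode(status) != 0 or not chunks:
        return {"error": "dissector died; capture process unaffected"}
    return json.loads(b"".join(chunks))


# Constructed sample packets (not captured traffic): a well-formed IPv4
# header 10.0.0.1 -> 10.0.0.2, proto 6, plus 20 zero bytes, and a 3-byte stub.
GOOD_PKT = bytes.fromhex("4500002800004000400600000a0000010a000002") + b"\x00" * 20
TRUNCATED_PKT = bytes.fromhex("450000")

if __name__ == "__main__":
    print(dissect_in_child(GOOD_PKT))
    print(dissect_in_child(TRUNCATED_PKT))
```

Run as root the child actually changes to `nobody` before touching the bytes; run unprivileged it still shows the containment property, since the truncated packet kills only the child and the caller gets an error record back.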
Kismet can be found at http://www.kismetwireless.net/ ; the link above redirects to the no doubt appropriately-named wirelesscon.com.
The other cool thing you could do with Snort (if you are a consultant conducting a network security assessment) is to deploy Snort on the inside network and then show the customer all of the IIS-based attacks that are making it through their Layer 3 firewall because they have their firewall configured to allow inbound TCP port 80 to their webserver.
"But I thought my firewall blocked that stuff!!!"
-Scott
Wild idea. It'll never catch on.
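The demonstration Scott describes, an inside sensor showing the customer which IIS attacks the firewall's inbound port-80 allow is letting through, as an added example of the detection logic. This is not Snort's rule set: the patterns are constructed from well-known IIS attack traffic of the period (overlong-UTF-8 and double-decode traversal, cmd.exe/root.exe requests, long .ida probes) and the request lines are made up, not captured.

```python
"""Detection logic for IIS-style attacks arriving over permitted inbound
TCP/80, the kind of thing an inside Snort sensor would surface.  Added
example, not Snort's rule set: the rule patterns are constructed from
well-known IIS attack traffic of the period and the request lines are
made up, not captured."""
import re
from urllib.parse import unquote

# Constructed sample: request lines seen on the web server segment.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.0",
    "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /default.ida?" + "N" * 224 + "%u9090=a HTTP/1.0",
    "GET /_vti_bin/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /images/logo.gif HTTP/1.1",
    "GET /scripts/root.exe?/c+dir HTTP/1.0",
]

OVERLONG_UTF8 = re.compile(r"%c[01]%[0-9a-f]{2}", re.I)  # e.g. %c0%af, an overlong '/'
IDA_OVERFLOW = re.compile(r"\.ida\?([A-Za-z])\1{99,}")   # long run of one letter after .ida?
SHELL_TARGETS = ("cmd.exe", "root.exe")


def decode_uri(uri: str) -> str:
    """Percent-decode twice, as IIS's double-decode bug did, so %255c
    becomes %5c on the first pass and a backslash on the second."""
    return unquote(unquote(uri))


def classify(request_line: str) -> list[str]:
    """Return the names of every rule the request line trips (empty if clean)."""
    parts = request_line.split()
    if len(parts) != 3 or not parts[1].startswith("/"):
        return ["malformed-request"]
    uri = parts[1]
    decoded = decode_uri(uri).lower()
    hits = []
    if OVERLONG_UTF8.search(uri):
        hits.append("iis-unicode-traversal")
    if "../" in decoded or "..\\" in decoded:
        hits.append("directory-traversal")
    if any(target in decoded for target in SHELL_TARGETS):
        hits.append("iis-cmd-exec")
    if IDA_OVERFLOW.search(uri):
        hits.append("ida-overflow")
    return hits


def scan(lines):
    """Return (line_number, request, hits) for every flagged line."""
    flagged = []
    for number, line in enumerate(lines, 1):
        hits = classify(line)
        if hits:
            flagged.append((number, line, hits))
    return flagged


if __name__ == "__main__":
    for number, line, hits in scan(SAMPLE_REQUESTS):
        print(f"line {number}: {', '.join(hits)}\n    {line[:70]}")
```

The point for the customer is that every one of these requests is well-formed TCP to port 80, so a Layer 3 firewall with a port-80 allow rule passes all of them; matching has to happen on the decoded URI, which is why the traversal check runs after double-decoding and the overlong-UTF-8 check runs on the raw bytes.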
With vulnerability scanning there are a few different aspects to consider. The most important feature of a scanner (aside from speed and accuracy) is the level of updates. An out of date scanner is only mildly better than no scanner at all. In this regard commercial software has some advantage for the consumers (IT organizations). It's not that they can blame anyone (as was mentioned in several posts) but there is someone to yell "hey! where the hell is my signature for Vuln XYZ?" With open source there isn't a guarantee that the signature will be made quickly enough. Even Nessus (as I pointed out in another post here somewhere) has moved to a pay model for plugins because of the cost of keeping those signatures up to date.
Now one can also take the Open Source approach here and write their OWN signatures but many companies just don't have the staff for that type of thing. The vulnerability details are so sparse these days (not-so-open disclosure rules) that recreating the actual exploit, never mind finding a way to detect it remotely, is beyond the skill of most teams in the limited timeframe that it's of vital importance. A team will have around 24-48 hours after a patch is released until some evil doer[s] have reverse engineered the patch and created an exploit out of it, slipped in a pre-packaged payload and owned 3 out of your 7 class B segments. Sometimes less. I think the ISS worm last year was the record, something like > 20 hours from patch to worm [Witty worm, I think].
Some interesting articles on scanning here and here
Just one other side note about the articles, Foundstone was purchased by McAfee last year so disregard those.
Northcutt et al. have a seriousness assessment that is completely broken. Their model rates an incident by a formula that does not make sense:
S = (C + L) - (HCM + NCM)
Where:
S = severity
C = Criticality (how important the target host is)
L = Lethality of attack
HCM = Host-based countermeasures
NCM = network-based countermeasures
They use different variable names, I think.
Assign a value from 1-5 for C,L,HCM, and NCM
Remember ordinal numbers? You can't multiply them (or do other operations on them) and get any sensible result. For example, last year the Mariners finished 4th (last) in the AL West. You can't multiply their rank of 4 by anything. They aren't 4 times as sucky as Oakland or 4/3rds as sucky as Texas. They are ranked 4th and that's all you can say. More sucky than Texas. If they finish 1 game behind #3, they are ranked 4th same as if they finish 150 games behind.
Similarly, you can't say a Criticality=5 host is 25% more important than a C=4 host. Adding Lethality to Criticality is like adding Favorite Ice Cream to AL West Standings.
Further, Lethality probably has no sensible 5 step progression. I count 4 max steps. No lethality, recon, user-level, 0wn3d. If a step is not at all lethal, why does that increase the severity? (Should be 0-5)
Beyond the mathematics, I have some other conceptual problems: subtracting the assessment of network-based countermeasures. Well, let me see. Give the assessment for network-based countermeasures a high value if it stopped the attack and a low value if it didn't. This tautology advances our interests how? If the exercise doesn't provide the severity, but instead takes it as an input, then the exercise is just busywork. Or take an independent assessment of the network countermeasures- we're proud of our kick-ass firewall, score it 5. It didn't stop the attack, as the vector was entirely within permitted traffic. How does a cool firewall that didn't stop the attack reduce the severity of the event?
The same argument holds for host-based countermeasures (host firewall, av, tripwire, current patching, etc)
I grant that the folks proposing this model have a lot more experience than I do, but they should probably admit that people pull these numbers out of their asses to fit a predetermined conclusion. The severity rating should inform decisions about response. Most of the steps should give binary results: respond | not respond
Is this an attack/hostile? yes/no
Is the target something we care about? yes/no
Did the attack succeed? yes/no
Does it represent a threat even if it failed? yes/no
and so on
The prioritization of responses is probably inevitably a second calculation.
It bugged me that I had to use this methodology to get my certification.
I am otherwise impressed: do not hold SANS/GIAC certs in the same contempt that the CNE and MCSE deserve. The GCIA was a massive amount of work that actually exercised the skills being evaluated. The papers of those who pass it are publicly available at the SANS website so you can see someone's chops and writing style, if you are checking someone out for a job or contract.
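The formula from the post above, S = (C + L) - (HCM + NCM), worked through on two constructed incidents to show the inversion the poster objects to (a strongly defended critical host that got rooted anyway scoring below a failed scan of a throwaway box), beside one reading of the yes/no triage the poster sketches. This is an added example: the formula and symbols are the post's, the incidents are made up, and `should_respond` / `prioritize` are the editor's rendering of the poster's questions, not a SANS or GIAC method.

```python
"""The severity formula quoted in the post, S = (C + L) - (HCM + NCM),
worked through beside the binary triage the poster proposes.  Added
example: the formula is the post's, the incidents are constructed, and
should_respond()/prioritize() are one reading of the poster's yes/no
questions, not a SANS method."""
from dataclasses import dataclass


def severity(C: int, L: int, HCM: int, NCM: int) -> int:
    """S = (C + L) - (HCM + NCM); every input is an ordinal 1..5 as the post describes."""
    for value in (C, L, HCM, NCM):
        if not 1 <= value <= 5:
            raise ValueError("inputs are rated 1-5")
    return (C + L) - (HCM + NCM)


@dataclass
class Incident:
    name: str
    C: int                    # criticality of the target host, 1-5
    L: int                    # lethality of the attack, 1-5
    HCM: int                  # host-based countermeasures deployed, 1-5
    NCM: int                  # network-based countermeasures deployed, 1-5
    hostile: bool             # the poster's gates, answered yes/no
    care_about_target: bool
    succeeded: bool
    threat_if_failed: bool


# Constructed incidents.  Countermeasure scores are rated on what is
# deployed, not on whether it stopped the attack, which is the complaint.
ROOTED_SERVER = Incident("root shell on patched, firewalled critical server",
                         C=5, L=5, HCM=5, NCM=5,
                         hostile=True, care_about_target=True,
                         succeeded=True, threat_if_failed=True)
SCANNED_KIOSK = Incident("port scan against unprotected lobby kiosk",
                         C=2, L=2, HCM=1, NCM=1,
                         hostile=True, care_about_target=False,
                         succeeded=False, threat_if_failed=False)


def formula_severity(inc: Incident) -> int:
    return severity(inc.C, inc.L, inc.HCM, inc.NCM)


def should_respond(inc: Incident) -> bool:
    """The poster's binary gates: hostile, on something we care about,
    and either successful or a threat even though it failed."""
    return (inc.hostile and inc.care_about_target
            and (inc.succeeded or inc.threat_if_failed))


def prioritize(incidents):
    """The separate second calculation: order only the incidents that need
    a response, successful compromises first, then by target criticality."""
    todo = [inc for inc in incidents if should_respond(inc)]
    return sorted(todo, key=lambda inc: (not inc.succeeded, -inc.C))


if __name__ == "__main__":
    for inc in (ROOTED_SERVER, SCANNED_KIOSK):
        print(f"S={formula_severity(inc):>2}  respond={should_respond(inc)!s:5}  {inc.name}")
    print("response order:", [inc.name for inc in prioritize([SCANNED_KIOSK, ROOTED_SERVER])])
```

With the numbers as rated, the rooted server scores S = 0 and the scanned kiosk S = 2, so the formula ranks the failed scan as the more severe event; the yes/no gates put only the rooted server on the response list, and ordering happens afterwards rather than being folded into the score.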