Free Open-Source vs. Commercial Security Tools?

sahirh asks: "I work as a penetration tester and recently started writing a whitepaper on the benefits of free, open-source security tools over commercial tools. Through my own experiences, I've found that many free tools such as Nessus and Kismet are more reliable and have better features than expensive commercial alternatives like ISS Internet Scanner or Airopeek. I've also noticed that tools like Ettercap have no commercial alternative. Further, the flexibility offered by the open-source nature of such tools is a great benefit. I'd like to ask for Slashdot's experiences and opinions on why you don't need to spend thousands of dollars on an expensive tool to perform a professional security assessment." Update: 02/07 11:15pm EDT by C : Thanks to all who wrote in to let us know the proper URL to the Kismet site.

Snort

[ikewillis]

One of the best NIS tools available, the only thing you can get better are... commercial Snort derivatives. Not mentioned, WTF?

Hmmm

[spiffy_dude]

It seems like there is an implicit bias in the question. I would like to see a fair assesment of commercial vs open source tools over a biased statement about how open source tools are better. I'm sure there are worthwhile products in both categories.

Re:Accountability

[Nothinman]

Right, because pointing a finger at someone you can't really hold accountable or make a lawsuit against is worthwhile. Telling your CEO "but the tool didn't see that problem" potentially makes you look just as dumb as the tool you paid for.

I'm on our network security team and when doing audits we do have a few commercial tools, but we also use OSS tools like Nessus because IME they're better overall.

Re:Valuable Open Source Security Assement Tools?

[Gyorg_Lavode]

How do you use Snort and Tripwire (from the child's response) for penetration testing and risk assessment? I understand using them as part of an IDS, but not for the initial risk assessment.

Re:Accountability

[yamla]

So, you believe that EULAs are completely unenforceable?

Assumed a thief

[rtkluttz]

I work for a company that has an EtherpeekNX license. When they started with the NX line, they now have activation. One time per license. I had to call and threaten a move to open source alternatives with a forced refund due to their policy.

They provide a remote collection agent that can be monitored with the licensed full version. That was not good enough in our instance due to the layout of our network and needing to install our licensed copy, at the work site, fix the problem and then uninstall the software. After much desk pounding they finally gave in and let us have unlimited installs of the same number. But only after threatening a move to open source.

Our take on the issue is, we need to install the product how we see fit. We payed for it. It doesn't matter to us if we aren't using the software how they "envision" it should be used. We were due a refund if they refused to let us use a product we payed for.

Deploying Software

[markmcb]

I work for DoD. We tend to go with commercial software for several reasons:

1. Personnel changeover. DoD loves to move people around between departments and installations. It's hard to find people savvy enough to run open-source software and keep them in one spot. It's much easier to give whoever is holding the position a phone number and tell them to call tech support with problems.
2. Personnel skills. DoD is huge. Because of this, the chances of getting skilled and motivated people at all of your sites is slim. Again, the phone call seems to make everything better.
3. Contracts. Things are usually purchased in bundles and as part of a big plan. It's much easier to brief to a non-tech boss that you have the support of another company and not that "I'm sure we can figure it out."
4. Uncle Sam's pockets are deep.

I agree that open source software is often better. But it doesn't give the non-tech group that warm fuzzy it needs to. In the end, the boss doesn't want to up a creek without a paddle. Having that phone number to call adds a much wanted security blanket, even if it's only a facade.

vuln scanners

[neoThoth]

With vulnerability scanning there are a few different aspects to consider. the most important feature of a scanner (aside from speed and accuracy) is the level of updates. An out of date scanner is only mildly better then no scanner at all. In this regard commercial software has some advantage for the consumers (IT organizations). It's not that they can blame anyone (as was mentioned in several posts) but there is someone to yell "hey! where the hell is my signature for Vuln XYZ?" With open source there isn't a guarentee that the signature will be made quickly enough. Even nessus (as I pointed out in another post here somewhere) has moved to a pay model for plugins because of the cost of keeping those signatures up to date.
Now one can also take the Open Source approach here and write their OWN signatures but many companies just don't have the staff for that type of thing. The vulnerabilty details are so sparse these days (not so open disclosure rules) that recreating the actual exploit never mind finding a way to detect it remotely is beyond the skill of most teams in the limited timeframe that it's of vital importance. A team will have around 24-48 hours after a patch is released until some evil doer[s] have reverse engineered the patch and created an exploit out of it, slipped in a pre packaged payload and owned 3 out of your 7 class B segments. Sometimes less. I think the ISS worm last year was the record, something like > 20 hours from patch to worm [witty worm i think].
Some intersting article on scanning here and here

Just one other side note about the articles, Foundstone was purchased by McAfee last year so disregard those.