Slashdot Mirror


Free Open-Source vs. Commercial Security Tools?

sahirh asks: "I work as a penetration tester and recently started writing a whitepaper on the benefits of free, open-source security tools over commercial tools. Through my own experiences, I've found that many free tools such as Nessus and Kismet are more reliable and have better features than expensive commercial alternatives like ISS Internet Scanner or Airopeek. I've also noticed that tools like Ettercap have no commercial alternative. Further, the flexibility offered by the open-source nature of such tools is a great benefit. I'd like to ask for Slashdot's experiences and opinions on why you don't need to spend thousands of dollars on an expensive tool to perform a professional security assessment." Update: 02/07 11:15pm EDT by C : Thanks to all who wrote in to let us know the proper URL to the Kismet site.

19 of 234 comments

  1. I want his job by YankeeInExile · · Score: 5, Funny

    I have no joke here, I just like saying, I work as a penetration tester ...

    --
    How does the Slashdot Effect happen given that no slashdotters ever RTFA?
    1. Re:I want his job by Aliencow · · Score: 4, Funny

      As long as you're not a "backdoor AnalYzer" ..

  2. Valuable Open Source Security Assessment Tools? by kiwidefunkt · · Score: 5, Informative

    Ethereal, nmap, and snort always get the job done for me.

    --
    www.kiwilyrics.com - a wiki for lyrics
    1. Re:Valuable Open Source Security Assessment Tools? by Homology · · Score: 4, Informative
      Ethereal, nmap, and snort always get the job done for me.

      Heh, recommending a security tool that OpenBSD removed because the Ethereal team does not care about security

      Mark it as BROKEN:

      Right during 3.5, it had more than a dozen remote holes being fixed, that we shipped with. Weeks later things have not improved, and there continue to be problems reported to bugtraq, and respective band-aids - but it is clear the ethereal team does not care about security, as new protocols get added, and nothing gets done about the many more holes that exist.

      Just because something is open source does not imply that it's secure.

    2. Re:Valuable Open Source Security Assessment Tools? by Stephen+Samuel · · Score: 4, Informative
      Heh, recommending a security tool that OpenBSD removed because the Ethereal team does not care about security

      I was just thinking about structural ways to work around this in ethereal (like priv sep) -- in the meantime, I would point out that the biggest difference between ethereal and its commercial equivalents is that, with ethereal, you find out about the security problems quickly -- whereas with commercial equivalents, you might not find out for a while (if ever), and you'll probably end up paying for the upgrade to make it secure.

      Another point is that it's most often the newer dissectors that contain the holes. If you're worried about security and working in a 'hostile' environment, you're probably best to disable any dissector that you're not intending to use -- in fact, that might be a good idea to do in Ethereal, generally: Disable all but the most common dissectors and wait for the user to enable them explicitly.

      --
      Free Software: Like love, it grows best when given away.
  3. I have a similar job. by bigtallmofo · · Score: 4, Funny

    My job duties sound similar to the story poster... My job description is "Penetration Preventer". My business card title just says, "Cockblocker".

    --
    I'm a big tall mofo.
  4. That's your day job... by AtariAmarok · · Score: 4, Funny

    "Penetration tester" is your day job, but tell me, do you solve crimes in the evening as a "private dick" ?

    --
    Don't blame Durga. I voted for Centauri.
  5. Go to SANS training. by Matey-O · · Score: 5, Informative

    $3200 spent in a snort bootcamp made the need to buy a $120,000 IDS box moot.

    We were reviewing several six-figure pieces of equipment and found the same thing - we knew they saw traffic they didn't like, but we didn't know WHY.

    Now that everybody uses snort rules, the training is still helpful to show you WHAT you're seeing and IF it's truly bad or just another false positive.

    FWIW, why get the snort stuff one vendor removed? Just go straight to the source.

    --
    "Draco dormiens nunquam titillandus."
  6. Visa / MC Compliance by jfroot · · Score: 5, Informative

    One reason that many companies need to use a commercial security tool is because of Visa and Mastercard CISP and SDP compliance.

    In order to comply you must have various levels of security testing done and certified by an approved vendor.

  7. What a pile of shit? by Foofoobar · · Score: 4, Funny

    So if something goes wrong with your setup, a commercial company will quickly take credit? Riiiiight.

    I know Microsoft readily accepts monetary responsibility for their products being crap and causing crashes, viruses and trojans in my system.

    In fact, Bill and Steve cut me a check weekly.

    --
    This is my sig. There are many like it but this one is mine.
  8. besides the obvious by JeanBaptiste · · Score: 5, Informative

    snort, ethereal, nmap, etc

    one commercial one that I _really_ like is Languard Network Scanner from GFI.

    While it is closed source, it has 30-day full functionality, and has limited functionality after that. Still even with the 'limited' functionality, it provides the full scanning capabilities, it just doesn't let you use some of the features that I never use anyways (scheduling, etc).

    I'd really recommend giving it a try, it's pretty slick.

  9. Re:Accountability by yamla · · Score: 5, Interesting

    So, you believe that EULAs are completely unenforceable?

    --
    Oceania has always been at war with Eastasia.
  10. Assumed a thief by rtkluttz · · Score: 5, Interesting

    I work for a company that has an EtherpeekNX license. When they started with the NX line, they now have activation. One time per license. I had to call and threaten a move to open source alternatives with a forced refund due to their policy.

    They provide a remote collection agent that can be monitored with the licensed full version. That was not good enough in our instance due to the layout of our network and needing to install our licensed copy, at the work site, fix the problem and then uninstall the software. After much desk pounding they finally gave in and let us have unlimited installs of the same number. But only after threatening a move to open source.

    Our take on the issue is, we need to install the product how we see fit. We paid for it. It doesn't matter to us if we aren't using the software how they "envision" it should be used. We were due a refund if they refused to let us use a product we paid for.

    --
    Digital is, by definition, imperfect. Analog is the way to go.
  11. Accountability vs Responsibility by A+nonymous+Coward · · Score: 4, Insightful

    How do you know you can get any resolution from the people who sold you the software, or developed it? Have you checked the contracts or EULAs? Most EULAs I've seen explicitly disclaim any responsibility.

    Your responsibility is to protect your company AND get it back on its feet after a breakin. You can't rely on a lawsuit to do that in any timely fashion, only after the company has gone out of business and everyone has long since gotten new jobs. Even then, you'd be lucky to get pennies on the dollar in restitution. So what good does it do to sue the developer or seller?

    You have to get the company going again as quickly as possible. It just might be helpful to have sources to what failed to see how it failed and how the breakin occurred. Proprietary software is useless there.

  12. Re:Huh? by OblongPlatypus · · Score: 5, Funny

    You don't use programs? What, you put the cat-5 in your mouth and try to *taste* the intruders?

    --
    -- If no truths are spoken then no lies can hide --
  13. Deploying Software by markmcb · · Score: 5, Interesting

    I work for DoD. We tend to go with commercial software for several reasons:

    1. Personnel changeover. DoD loves to move people around between departments and installations. It's hard to find people savvy enough to run open-source software and keep them in one spot. It's much easier to give whoever is holding the position a phone number and tell them to call tech support with problems.
    2. Personnel skills. DoD is huge. Because of this, the chances of getting skilled and motivated people at all of your sites is slim. Again, the phone call seems to make everything better.
    3. Contracts. Things are usually purchased in bundles and as part of a big plan. It's much easier to brief to a non-tech boss that you have the support of another company and not that "I'm sure we can figure it out."
    4. Uncle Sam's pockets are deep.

    I agree that open source software is often better. But it doesn't give the non-tech group that warm fuzzy it needs to. In the end, the boss doesn't want to be up a creek without a paddle. Having that phone number to call adds a much wanted security blanket, even if it's only a facade.

    --
    Mark A. McBride -- OmniNerd.com
    1. Re:Deploying Software by Stinking+Pig · · Score: 4, Insightful

      Bingo -- same attitude exists in most of the American corporate market, in spades. Maybe rightly so, maybe not, but take note of Red Hat and IBM's successes... this is not about source code or product licensing, it's about that tech support phone number.

      Linuxcare and the like flamed out for poor core business practices and poor market targeting (do not ever, I repeat do not EVER, try to make money directly supporting end users). MySQL AB, Best Practical, Trolltech, &c seem to be doing pretty well though....

      --
      "Nothing was broken, and it's been fixed." -- Jon Carroll
  14. Re:Accountability -- Remind me not to hire you by Stephen+Samuel · · Score: 5, Insightful
    I would use commercial software. Why? Because if something does go wrong, it is the vendors fault and not yours.

    grunt: Admiral! There's a missile coming our way, and the defence systems have just blue screened!
    admiral: Thank god I can blame Microsoft for this!
    missile: BOOM!
    So you'd use inferior software just because you can point the finger at someone else when the software fails??? Wouldn't you rather use the best software for the job (even if it's cheaper)??

    I mean, it's not like most commercial vendors take any responsibility for their software, anyways -- have you read your EULAs recently?

    At least with open source software, you have the option of fixing any bugs yourself if the vendor refuses to. With Proprietary code, your only choice is to grin, bend over and wait for your bill.

    --
    Free Software: Like love, it grows best when given away.
  15. Documentation by CKnight · · Score: 4, Funny

    I'm thinking of writing a how-to for "penetration testers". It'll be titled "Locating Unprotected Backdoor Entrances" or more aptly, "Lube"