Slashdot Mirror


Open Source For Perimeter Security

An anonymous reader writes "IT Observer has a look at some of the perceived problems with an OpenSource approach to security and what could be done to improve the situation. From the article: 'There is a widespread and wholly inaccurate impression that open source development is somehow haphazard and undisciplined, a free-for-all among brilliant but uncoordinated individuals. In fact, most major open source projects are very tightly managed highly disciplined teams. This article gives examples of very successful Open Source security projects -- netfilter and Snort -- and also describes some weaknesses that need to be addressed by IT organizations or vendors.'"

56 comments

  1. pf baby! by Zendar · · Score: 0, Troll

    We use OpenBSD and pf for our dept firewall. They tried to shove (read: sell us) those Nokia Firewalls down our throats awhile back and we told them to buzz off.

  2. SourceForge: Where discipline comes to play. by Anonymous Coward · · Score: 0

    "From the article: 'There is a widespread and wholly inaccurate impression that open source development is somehow haphazard and undisciplined, a free-for-all among brilliant but uncoordinated individuals. In fact, most major open source projects are very tightly managed highly disciplined teams. "

    So in a nutshell, only use OSS from the major projects.

  3. Socrates on Security by neoshroom · · Score: 5, Funny

    When it comes to Linux versus Windows it is almost a matter of philosophy.

    "The unexamined [code] is not worth [coding]." -- Socrates (Apology 38a)

    __
    Elephant Essays - Custom-created essays and research papers.

    --
    Big apple, new Yorik, undig it, something's unrotting in Edenmark.
    1. Re:Socrates on Security by Anonymous Coward · · Score: 0

      Put your goddamned spam in your signature where I don't have to see it, asshole.

  4. Well, sort of. by AltGrendel · · Score: 1

    I think that the main issue here is discipline, be it exhibited by a team or an individual.

    --
    The simple truth is that interstellar distances will not fit into the human imagination

    - Douglas Adams

    1. Re:Well, sort of. by Anonymous Coward · · Score: 1, Informative

      The idea that open source software can't be disciplined is belied by the OpenBSD project. In the last eight years or so, they have released new versions six months apart as regularly as clockwork.

  5. Hoping for "home perimeter" security by us7892 · · Score: 1, Informative

    Since I've been dabbling in some home automation stuff a bit recently, I was hoping for a good article on some wireless home security to secure my house - open source stuff. The title was not what I had hoped...anyone know of some good "Open Source Perimeter" hardware and software that works with misterhouse http://misterhouse.sourceforge.net/, or other open source projects.

    1. Re:Hoping for "home perimeter" security by Anonymous Coward · · Score: 0

      Why not skip it and have a drink instead? You don't need home security.

    2. Re:Hoping for "home perimeter" security by Anonymous Coward · · Score: 0

      Sure he does. Everyone needs a couple of them alien turrets to guard the perimeter.

  6. Marketeer shows how to pitch open source... by xxxJonBoyxxx · · Score: 4, Insightful
    "An excellent example of a cutting-edge open source effort is the netfilter project (www.netfilter.org), a Linux-based packet filter that features stateful firewalling, Network Address Translation (NAT), load balancing, and other kinds of packet mangling. The project was founded in 1999 in Australia and has now grown to more than 100,000 lines of code contributed by over 700 developers. There are currently about 300 active developers submitting about 1,400 postings a month to the development mailing lists. The core team consists of 4 members who winnow down the submissions to an average of 65 code improvements and fixes per month. "

    "By Walter Schumann, VP Sales and Marketing, Astaro"

    You Slashdotters may make fun of marketing people, but I think Walter just showed you how YOU need to make your pitch for your favorite open source project at your company.

    1. Re:Marketeer shows how to pitch open source... by Homology · · Score: 1
      You Slashdotters may make fun of marketing people, but I think Walter just showed you how YOU need to make your pitch for your favorite open source project at your company.

      Like spinning netfilter (over 100 000 lines of code) as something great when there is a much better packet filter, like pf?

    2. Re:Marketeer shows how to pitch open source... by xxxJonBoyxxx · · Score: 2, Insightful
      "Like spinning X as something great when there is a much better Y?"

      Well...yes. That's kind of the whole point behind a specific pitch. Once you've decided to get X, you need to turn around and make an audience that may know a little something about both X and Y feel that X is clearly better. It's the very definition of spin...

    3. Re:Marketeer shows how to pitch open source... by Alkrun · · Score: 3, Interesting

      "The project was founded in 1999 in Australia and has now grown to more than 100,000 lines of code contributed by over 700 developers."

      And therein lies a large chunk of "the problem" for OSS projects if you ask me. It's much easier to manage 20 developers who each have to write 5,000 lines of code than to manage 700 developers who each write (I'm sure it doesn't work out like this) 143 lines of code. I'd love to have 700 people reviewing the code written by the 20, but with 700 cooks in the kitchen it's extremely difficult to adhere to conventions for APIs, standard error handling, etc...

      The solution for closed source projects to come in line with the perceived vastly superior security of OSS projects is to overload their projects with white-box testing harnesses and QA testers who know how to do white-box testing. Unfortunately that's extremely expensive so it gets pushed in favor of more black-box testing. I do believe OSS projects have a better security track record, but I don't believe it's nearly as large as the Slashdot illuminati make it out to be.

    4. Re:Marketeer shows how to pitch open source... by Anonymous Coward · · Score: 0

      And therein lies a large chunk of "the problem" for OSS projects if you ask me.

      No one did, and it seems to be working for them. Netfilter is great, you can't argue with the results, really.

    5. Re:Marketeer shows how to pitch open source... by BobSutan · · Score: 2, Insightful

      You need to look at who he's making the pitch to. For a technically inclined management, which some are, the first question they're going to ask is, "So?"

      Having a large development footprint is great for quantity, but how is the product's quality? No amount of marketing will tell you the true measure of something's worth to a business. Sure you can make it sound like the best thing since sliced bread, but the reality is if it doesn't live up to expectations (something bad if you marketed it to your own management), bad juju will come looking for you.

      --
      "On a scale from 1 to 10, people are stupid"
    6. Re:Marketeer shows how to pitch open source... by jthill · · Score: 1

      You're trolling for "funny" mods, right?

      --
      As always, all IMO. Insert "I think" everywhere grammatically possible.
    7. Re:Marketeer shows how to pitch open source... by Alkrun · · Score: 1

      I was pretty proud of "Slashdot illuminati" but I wasn't really trolling for any reaction either way. I just saw the 100,000 lines of code and 700 developers figure and it struck me as something that would never happen in commercial software. Besides, anything posted here that even hints at suggesting OSS & Linux aren't the silver bullets of software development is pretty much guaranteed no positive mod-points.

  7. Buy the book! by tcopeland · · Score: 1

    > Finally, support options are limited for most open source software.

    But if the author has written a book about the product - or even anything vaguely related - then buy it! For example, DenyHosts is an excellent tool, and the online documentation is good enough that I can use it without any more docs. But if the author were to put together a book, I would certainly pick it up in appreciation for his time spent in developing and supporting that fine utility. In the meantime, I PayPal'd him a few bucks.

    Of course, I'm biased...

  8. Snort and Netfilter by Douglas+Simmons · · Score: 1, Informative
    Snort is a libpcap-based packet sniffer/logger which can be used as a lightweight network intrusion detection system. It features rules-based logging and can perform content searching/matching in addition to being used to detect a variety of other attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and much more. Snort has a real-time alerting capability, with alerts being sent to syslog, a separate "alert" file, or even to a Windows computer via Samba.

    With netfilter, you can do the following: What can I do with netfilter/iptables?

    * build internet firewalls based on stateless and stateful packet filtering
    * use NAT and masquerading for sharing internet access if you don't have enough public IP addresses
    * use NAT to implement transparent proxies
    * aid the tc and iproute2 systems used to build sophisticated QoS and policy routers
    * do further packet manipulation (mangling) like altering the TOS/DSCP/ECN bits of the IP header
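    An added example, not from the original post or the netfilter project: a small iptables ruleset that exercises each item in the list above on an assumed two-interface gateway. The interface names (eth0 public, eth1 LAN), the 192.168.1.0/24 range and the proxy port 3128 are placeholder assumptions; setting IPT=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the original post): a netfilter/iptables ruleset
# covering stateful filtering, masquerading, a transparent proxy redirect
# and DSCP mangling on a gateway. All interface names, the LAN prefix and
# the proxy port are assumed placeholders; adjust before use.
set -eu

IPT="${IPT:-iptables}"                  # set IPT=echo for a dry run
WAN="${WAN:-eth0}"                      # assumed public-facing interface
LAN="${LAN:-eth1}"                      # assumed internal interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"    # assumed private range behind the gateway
PROXY_PORT="${PROXY_PORT:-3128}"        # assumed local transparent proxy port

flush_rules() {
    for t in filter nat mangle; do
        $IPT -t "$t" -F
        $IPT -t "$t" -X
    done
}

stateful_filter() {
    # Default deny on the input and forwarding paths; only explicitly
    # allowed new sessions and replies to established ones get through.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$LAN" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    # Log unsolicited packets arriving on the public side (scans and probes)
    # before the DROP policy discards them.
    $IPT -A INPUT -i "$WAN" -j LOG --log-prefix "fw-drop: " --log-level 4
}

masquerade_lan() {
    # Share one public address: rewrite the source of outbound LAN traffic.
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

transparent_proxy() {
    # Redirect LAN web traffic into a local proxy without client configuration.
    $IPT -t nat -A PREROUTING -i "$LAN" -p tcp --dport 80 -j REDIRECT --to-ports "$PROXY_PORT"
    $IPT -A INPUT -i "$LAN" -p tcp --dport "$PROXY_PORT" -m state --state NEW -j ACCEPT
}

mark_dscp() {
    # Mangle the DSCP field so interactive SSH leaves with the EF class,
    # which tc/iproute2 policy can then prioritise.
    $IPT -t mangle -A POSTROUTING -o "$WAN" -p tcp --dport 22 -j DSCP --set-dscp-class EF
}

build_firewall() {
    flush_rules
    stateful_filter
    masquerade_lan
    transparent_proxy
    mark_dscp
}

# Count the rule-append commands a dry run emits, so the ruleset can be
# sanity-checked without touching the live kernel tables.
count_rules() {
    ( IPT=echo; build_firewall ) | grep -c -- '-A '
}

if [ "${1:-}" = "--apply" ]; then
    build_firewall
fi
```

Run it as `sh fw.sh --apply` on the gateway to load the rules, or `IPT=echo sh fw.sh --apply` to review the exact iptables invocations first.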

    1. Re:Snort and Netfilter by Homology · · Score: 1
      With netfilter, you can do the following: What can I do with netfilter/iptables?

      For Christ sake, only those into S&M like the iptables syntax. Use something decent

    2. Re:Snort and Netfilter by cyberkahn · · Score: 2, Interesting

      Boy that's the truth brother! iptables syntax is for those who like to write rule sets in C. pf is definitely the example of how a command line firewall syntax should be done. Easier to read is equal to less chance for mistakes.

    3. Re:Snort and Netfilter by Anonymous Coward · · Score: 0

      Looking at the pf examples I would say the syntax is just as confusing, just differently so. It didn't take me very long to get the hang of the iptables syntax by any means.

  9. Forgot some ingredients... by shmlco · · Score: 4, Insightful
    "In fact, most major open source projects are very tightly managed highly disciplined teams."

    Which is one of the reasons they became major open source projects in the first place. Of course, that tightly managed highly disciplined team ALSO needs to be working on something we all want, and the end result needs to do the job, and do it well.

    --
    Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
  10. Open Source Security Nomenclature by digitaldc · · Score: 4, Insightful

    perceived problems with an OpenSource approach to security and what could be done to improve the situation.

    Could it possibly have something to do with the fact that some people just don't like having the words 'Open Source' attached to their computer security? Maybe rename it to something like 'Closed Fortress OS' or 'Locked Down OS' to give a more positive ring to it?
    Maybe I am just thinking about it too much.

    --
    He who knows best knows how little he knows. - Thomas Jefferson
    1. Re:Open Source Security Nomenclature by xenoterracide · · Score: 0

      Yeah... I think some people hear "open" and think insecure. But open source is better than free software. Because when people hear "free" they usually think insecure, and poorly made.

    2. Re:Open Source Security Nomenclature by tdemark · · Score: 1

      I have the perfect name:

      OS Defender

      There shouldn't be a problem with that, right?

      - Tony

    3. Re:Open Source Security Nomenclature by HolyCrapSCOsux · · Score: 1

      Isn't Defender owned by Atari?

      --
      0xB315AA8D852DCD3F3DCA578FD2E0BF88
    4. Re:Open Source Security Nomenclature by Brunellus · · Score: 1

      Yeah, when was the last time you heard of an Atari ST getting hacked?

    5. Re:Open Source Security Nomenclature by triso · · Score: 1
      Yeah, when was the last time you heard of an Atari ST getting hacked?
      It was around the same time Netscape was ported to the Amiga and the Coleco Adam had its first Ethernet card for sale.
  11. my 2 cents by Jaqui · · Score: 4, Interesting

    I'm sorry, but I find the constant argument that open source is less secure because everyone can see the source to be a silly waste of effort, usually promoted by the commercial security software vendors.

    They ignore that the driving principle in open source development is quality software, so everyone who works with it is always looking to find the flaws and remove them.

    Neither is inherently more secure; open source has the benefit of more people actively working to improve the code base than any commercial software company can afford to pay. That includes Microsoft. Yes, Microsoft cannot afford to pay the same number of programmers as are actively donating code improvements to open source software solutions.

    Those of us that use open source software are more likely to learn the code to improve software we like than those using proprietary products are likely to do anything to help improve the software, including submitting the automatic crash reports that most software has implemented.
    [ I personally don't use that even with open source software; running gdb against the core, then seeing what caused the crash and submitting a patch is more useful. ]

    --
    J. Henager: If the average user can put a CD in and boot the system and follow the prompts, he can install and use Linux
    1. Re:my 2 cents by Homology · · Score: 3, Interesting
      They ignore that the driving principle in open source development is quality software, so everyone who works with it is always looking to find the flaws and remove them.

      We would like to think so, however, the driving principle of many open source projects is more features:

      Revision 1.75.2.1 / (download) - annotate - [select for diffs] , Wed Jul 21 16:20:07 2004 UTC (20 months, 1 week ago) by robert
      Branch: OPENBSD_3_4
      Changes since 1.75: +2 -1 lines
      Diff to previous 1.75 (colored) next main 1.76 (colored)

      Mark it as BROKEN:

      Right during 3.5, it had more than
      a dozen remote holes being fixed, that we shipped with. Weeks later
      things have not improved, and there continue to be problems reported
      to bugtraq, and respective band-aids - but it is clear the ethereal
      team does not care about security, as new protocols get added, and
      nothing gets done about the many more holes that exist.

      requested and ok'd by brad@
    2. Re:my 2 cents by bubulubugoth · · Score: 1

      I actually think, that security must be geared towards use...

      For example, Ethereal is a tool to analyze packages, I really don't care much about its security, it's an analysis tool, not a preventive or perimeter tool...

      I'm much more concerned about Linux kernel security, Apache, DNS, Squid, Sendmail, Snort and all other tools used to provide a service, which have 24x7 hours open ports...

      And for example, OpenOffice, Konqueror security should be biased to avoid unauthorized contact between the application and the host or network...

      And of course, the normal attacks from coding error should be automatically asserted...

      Sourceforge should offer that service to all the codebase it has...

      Each tier should have its own security, maybe everything should have a microkernel design...

      Trying to secure tiers is much easier and more measurable than trying to make everything secure... The goal MUST be that: make everything secure, but meanwhile, each tier should be secure enough...

      --
      Â_Â
    3. Re:my 2 cents by westlake · · Score: 1
      open source has the benefit of more people actively working to improve the code base than any commercial software company can afford to pay.

      Why is it then, that flagship projects like OpenOffice.org and Firefox are organized, led, staffed and funded by a single corporate entity like IBM, Sun or the Moz Foundation? That many open source projects do not attract an army of volunteers and are in fact starving for manpower and resources?

    4. Re:my 2 cents by Jaqui · · Score: 1

      The number of people donating time to an open source project is directly proportional to the popularity of the project.

      No-one wants to use it, no-one offers help.

      Mozilla was actually started by Netscape, to get the faster development of open source into the code base behind Netscape Communicator. They still use the NPL, rewritten to be the MPL, for a lot of the code in all the Mozilla tools.

      The successful open source projects do wind up starting a company, which has control / ownership of the code base; this allows for the people who started it to move on if they want, yet keep the project going.

      The Linux kernel is arguably the most successful open source project, yet is still completely non-commercial, supported through donations only. Linus did associate with GNU and the Free Software Foundation, at their request*, but the kernel development is not a FSF or GNU controlled project, it is an independent open source project.

      * GNU had the tools for a base system, the kernel team had the kernel; by combining projects they managed to get a released version of the operating system known as GNU-Linux faster than either alone would have done.

      --
      J. Henager: If the average user can put a CD in and boot the system and follow the prompts, he can install and use Linux
    5. Re:my 2 cents by Jaqui · · Score: 1

      Okay, the team developing ethereal are more interested in features.
      Most other projects do pay more attention to code quality, and fixing bugs is a priority for them.
      A good example was the Critical exploit for linux based Firefox, patched within 24 hours of the exploit being found.
      [ from Secunia's reports. This was at the beginning of Feb, when the WMF exploit caused MS to release a patch early for the first time. ]

      --
      J. Henager: If the average user can put a CD in and boot the system and follow the prompts, he can install and use Linux
  12. Zorp by OeLeWaPpErKe · · Score: 1

    For real (tm) security, try a (true) layer-7 firewall (in case anyone knows a product that matches up to this, cisco's pix does NOT, pf does not, and checkpoint does not either, they just have some checks that can be easily fucked up by playing with tcp window size (setting it very low for example))

    http://www.balabit.com/products/zorp/

    Check it out.

    1. Re:Zorp by Fizzl · · Score: 1

      Level 7? That's like a Hungarian guy standing next to every user and pounding them on the head with a mallet every time they are about to do something stupid?

      The "layers" have been switching around in OSI model so many times, I can't even figure out anymore how many there are supposed to be...

    2. Re:Zorp by Anonymous Coward · · Score: 0

      Everybody who cares about this kind of security (level 7 as you name it) is using a packet filter for packet filtering, and a bastion host in the DMZ doing the application level checks (mod_security or whatever). Gathering both functionalities in a single box is not a very good approach IMHO.

    3. Re:Zorp by OeLeWaPpErKe · · Score: 1

      When have you EVER seen a layer change in the OSI model ? Please give a web reference.

      (There are multiple models, of course, but OSI layer 7 is quite an accurate description of something)

    4. Re:Zorp by OeLeWaPpErKe · · Score: 1

      Then why not replace that "bastion host" with a zorp host and keep your current firewall ?

      This will, however, save seriously on complexity (e.g. try configuring passive ftp in different firewalls a few times, same type of issues for sip etc.)

  13. Brilliant individuals? Where? by Sandor+at+the+Zoo · · Score: 1, Insightful
    Partial quote: There is a widespread...impression that open source development is...a free-for-all among brilliant...individuals

    I don't think it's that widespread, except amongst Open Source fans. :-)

    The impression I usually see is that Open Source projects are done by guys who were laid off and need something to fill in the time between gaming sessions.

    1. Re:Brilliant individuals? Where? by sunwukong · · Score: 1

      Partial quote: Open Source projects are done by guys who were laid ... and need something to fill in the time between gaming sessions.

      There you go, less troll-like and closer to the truth!

    2. Re:Brilliant individuals? Where? by ettlz · · Score: 1
      Open Source projects are done by guys who were laid ... and need something to fill in the time between gaming sessions.
      Yes, yes, um... coding! is what one does to fill in the time between getting laid.
  14. Real trustworthy firewall there. by Anonymous Coward · · Score: 0

    Written by Hungarians. Prolly almost as trustworthy as those Israelis and their ChokePoint firewall.

    I think I'll pass and just stay with iptables myself.

  15. OpenBSD! by Anonymous Coward · · Score: 0

    Security by Default! Support OpenBSD: buy a CD/T-shirt or donate. And remember to donate to OpenSSH.

    http://www.openbsd.org/donations.html
    http://www.openssh.org/donations.html

  16. What you lack is discipline! by pr0digy25 · · Score: 0

    Apologies for the Arnie quote. But I agree, discipline has a lot to do with how good Open Source products can be. There is dedication to the code, less politics and less money floating around than in, let's say, a MSFT operation... that combined results in a superior product.

  17. Plagiarism (Re:Snort and Netfilter) by algae · · Score: 1
    --
    Causation can cause correlation
    1. Re:Plagiarism (Re:Snort and Netfilter) by lamp540 · · Score: 1

      I just read the wikipedia entry for trolls and then I saw that post... fucked up...

  18. Don't try this at home by angel+one · · Score: 1

    OSS is real software for people who know what they are doing. If you don't know anything about security and you want some, hire a professional (who may implement OSS for you) or buy a commercial closed product. The commercial product is likely to be more secure than an OSS product selected and implemented by someone who doesn't know anything about security. It's too easy to make a secure program very vulnerable by doing something stupid.

    1. Re:Don't try this at home by Anonymous Coward · · Score: 0
      I agree almost completely. I would suggest that anyone who would be swayed by the lame arguments closed source proprietors present is not qualified to make an informed decision. I'll try to avoid falling into the trap of saying what good security "is about", but it certainly requires transparency to ensure that the security policies you want to implement are actually implemented. Without this transparency, you must rely on trusting the implementor -- which is perfectly fine, if they're actually trustworthy.

      Of course, few actually take advantage of this transparency. But some do, and have established themselves as trustworthy. (For instance, the OpenBSD team, some parts of the NSA, some closed source proprietors)

  19. Haphazard? by Beefslaya · · Score: 2, Insightful

    Ever since I've discovered the magic of Open Source (Linux, BSD) I have implemented the rule with every network I've run...No Windows box will ever talk to the Internet without going through a Unix/Linux box.

    Since then (7 years now) I have had ZERO worms, ZERO security breaches, and have cut the Windows server reboots by 80%.

    These 2 projects have saved me countless hours of time...

    http://www.squid-cache.org/
    and
    http://vlsi.cornell.edu/~rajit/fbsd/bridge.html

    1. Re:Haphazard? by Beefslaya · · Score: 1

      sorry for making the links right here they are again...:(
      Too Quick on the Trigger...
      http://www.squid-cache.org/
      http://vlsi.cornell.edu/~rajit/fbsd/bridge.htm1

  20. This is the stupidest idea in the world by Anonymous Coward · · Score: 0

    The idea that open source "amateurs" are inferior to professionals with professional project managers is the second stupidest idea to be so widely taken for granted. I work for a HUGE multi-national company, based primarily in Germany and the U.S., and my experience is the opposite. In the past I've mostly worked for much much smaller companies (micro-businesses, sometimes) so I've been shocked to see how incredibly inefficient and sloppy work can be in a highly "professional" highly managed workplace, with project managers up the yin-yang.

    The fact is that people here are *incredibly* inefficient. We have offshore developers who take weeks to do what I could do in a day or two, and a day or so to do what I could do in ten minutes. (Everything requires "analysis", which basically means they don't know what they're doing, and have to figure it out.) But enough about offshore developers. The onsite developers work slowly too, partly because they are burdened with all sorts of documentation which no one reads and which mostly consists of useless information. Also, why should we knock ourselves out when the offshore people produce sloppy work and take forever to do it? Why should we care when we're working for bosses who don't have a clue about what we're doing and refuse to give us the tools we need to do our jobs well?

    Although documentation is a major source of our pain, I'm not suggesting that documentation is necessarily useless, so don't argue with me on that point. If you do, you're ENTIRELY missing the point. The point is much closer to this: why wouldn't a highly professional group have some clue about how to produce useful documentation in an efficient manner?

    Since I care about producing good work, all of this (the work conditions) is a hindrance, and the net effect is to sap me of my desire to produce anything worthwhile. If I don't care, then all the project managers in the world won't help.

    On the other hand, open source developers who don't care won't work. This simple fact gives open source developers a huge advantage over corporate wage-slaves who work for a pointy haired boss. The idea that they are sloppy contradicts not only the evidence of many successful major projects, but also the logic of the situation.