Open Source For Perimeter Security

← Back to Stories (view on slashdot.org)

Open Source For Perimeter Security

Posted by ryuzaki0 on Monday April 3, 2006 @05:43AM from the people-still-afraid-of-oss dept.

An anonymous reader writes "IT Observer has a look at some of the perceived problems with an OpenSource approach to security and what could be done to improve the situation. From the article: 'There is a widespread and wholly inaccurate impression that open source development is somehow haphazard and undisciplined, a free-for-all among brilliant but uncoordinated individuals. In fact, most major open source projects are very tightly managed highly disciplined teams. This article gives examples of very successful Open Source security projects -- netfilter and Snort -- and also describes some weaknesses that need to be addressed by IT organizations or vendors.'"

39 of 56 comments (clear)

Min score:

Reason:

Sort:

Socrates on Security by neoshroom · 2006-04-03 05:54 · Score: 5, Funny

When it comes to Linux versus Windows it is almost a matter of philosophy.

"The unexamined [code] is not worth [coding]." -- Socrates (Apology 38a)

__
Elephant Essays - Custom-created essays and research papers.

--
Big apple, new Yorik, undig it, something's unrotting in Edenmark.
Well, sort of. by AltGrendel · 2006-04-03 05:55 · Score: 1

I think that the main issue here is discipline, be it exibited by a team or an individual.

--
The simple truth is that interstellar distances will not fit into the human imagination
- Douglas Adams
1. Re:Well, sort of. by Anonymous Coward · 2006-04-03 08:32 · Score: 1, Informative
  
  The idea that open source software can't be disciplined is belied by the OpenBSD project. In the last eight years or so, they have released new versions six months apart as regularly as clockwork.
Hoping for "home perimeter" security by us7892 · 2006-04-03 05:56 · Score: 1, Informative

Since I've been dabbling in some home automation stuff a bit recently, I was hoping for a good article on some wireless home security to secure my house - open source stuff. The title was not what I had hoped...anyone know of some good "Open Source Perimeter" hardware and software that works with misterhouse http://misterhouse.sourceforge.net/, or other open source projects.
Marketeer shows how to pitch open source... by xxxJonBoyxxx · 2006-04-03 05:56 · Score: 4, Insightful

"An excellent example of a cutting-edge open source effort is the netfilter project (www.netfilter.org), a Linux-based packet filter that features stateful firewalling, Network Address Translation (NAT), load balancing, and other kinds of packet mangling. The project was founded in 1999 in Australia and has now grown to more than 100,000 lines of code contributed by over 700 developers. There are currently about 300 active developers submitting about 1,400 postings a month to the development mailing lists. The core team consists of 4 members who winnow down the submissions to an average of 65 code improvements and fixes per month. "
"By Walter Schumann, VP Sales and Marketing, Astaro"
You Slashdotters may make fun of marketing people, but I think Walter just showed you how YOU need to make your pitch for your favorite open source project at your company.
1. Re:Marketeer shows how to pitch open source... by Homology · 2006-04-03 06:08 · Score: 1
  
  You Slashdotters may make fun of marketing people, but I think Walter just showed you how YOU need to make your pitch for your favorite open source project at your company.
  Like spinning netfilter (over 100 000 lines of code) as something great when there is a much better packet filter, like pf?
2. Re:Marketeer shows how to pitch open source... by xxxJonBoyxxx · 2006-04-03 06:19 · Score: 2, Insightful
  
  "Like spinning X as something great when there is a much better Y?"
  Well...yes. That's kind of the whole point behind a specific pitch. Once you've decided to get X, you need to turn around and make an audience that may know a little something about both X and Y feel that X is clearly better. It's the very definition of spin...
3. Re:Marketeer shows how to pitch open source... by Alkrun · 2006-04-03 06:53 · Score: 3, Interesting
  
  "The project was founded in 1999 in Australia and has now grown to more than 100,000 lines of code contributed by over 700 developers."
  
  And therein lies a large chunk of "the problem" for OSS projects if you ask me. It's much easier to manage 20 developers who each have to write 5,000 lines of code than to manage 700 developers who each write (I'm sure it doesn't work out like this) 143 lines of code. I'd love to have 700 people reviewing the code written by the 20, but 700 cooks in the kitchen it's extremely difficult to adhere to conventions for APIs, standard error handling, etc...
  
  The solution for closed source projects to come inline with the perceived vastly superior security of OSS projects is to overload their projects with white-box testing harnesses and QA testers who know how to do white-box testing. Unfortunately that's extremely expensive so it gets pushed in favor of more black-box testing. I do believe OSS projects have a better security track record, but I don't believe it's nearly as large as the Slashdot illuminati make it out to be.
4. Re:Marketeer shows how to pitch open source... by BobSutan · 2006-04-03 08:19 · Score: 2, Insightful
  
  You need to look at who he's making the pitch to. For a technically inclined management, which some are, the first question they're going to ask is, "So?"
  
  Having a large development footprint is great for quantity, but how is the product's quality? No amount of marketing will tell you the true measure of of something's worth to a business. Sure you can make it sound like the best thing since sliced bread, but the reality is if it doesn't live up to expectations (something bad if you marketed it to your own management), bad juju will come looking for you.
  
  --
  "On a scale from 1 to 10, people are stupid"
5. Re:Marketeer shows how to pitch open source... by jthill · 2006-04-03 09:49 · Score: 1
  
  You're trolling for "funny" mods, right?
  
  --
  As always, all IMO. Insert "I think" everywhere grammatically possible.
6. Re:Marketeer shows how to pitch open source... by Alkrun · 2006-04-03 09:59 · Score: 1
  
  I was pretty proud of "Slashdot illuminati" but I wasn't really trolling for any reaction either way. I just saw the 100,000 lines of code and 700 developers figure and it struck me as something that would never happen in commercial software. Besides, anything posted here that even hints at suggesting OSS & Linux aren't the silver bullets of software development are pretty much guaranteed no positive mod-points.
Buy the book! by tcopeland · 2006-04-03 05:56 · Score: 1

> Finally, support options are limited for most open source software.

But if the author has written a book about the product - or even anything vaguely related - then buy it! For example, DenyHosts is an excellent tool, and the online documentation is good enough that I can use it without any more docs. But if the author were to put together a book, I would certainly pick it up in appreciation for his time spent in developing and supporting that fine utility. In the meantime, I PayPal'd him a few bucks.

Of course, I'm biased...

--
The Army reading list
Snort and Netfilter by Douglas+Simmons · 2006-04-03 05:57 · Score: 1, Informative

Snort is a libpcap-based packet sniffer/logger which can be used as a lightweight network intrusion detection system. It features rules based logging and can perform content searching/matching in addition to being used to detect a variety of other attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and much more. Snort has a real-time alerting capability, with alerts being sent to syslog, a separate "alert" file, or even to a Windows computer via Samba.
With netfilter, you can do the following: What can I do with netfilter/iptables? * build internet firewalls based on stateless and stateful packet filtering * use NAT and masquerading for sharing internet access if you don't have enough public IP addresses * use NAT to implement transparent proxies * aid the tc and iproute2 systems used to build sophisticated QoS and policy routers * do further packet manipulation (mangling) like altering the TOS/DSCP/ECN bits of the IP header
1. Re:Snort and Netfilter by Homology · 2006-04-03 06:13 · Score: 1
  
  With netfilter, you can do the following: What can I do with netfilter/iptables?
  For Christ sake, only those into S&M like the iptables syntax. Use something decent
2. Re:Snort and Netfilter by cyberkahn · 2006-04-03 06:57 · Score: 2, Interesting
  
  Boy that's the truth brother! IPTABLE syntax is for those who like to write rule sets in C. pf is definitely the example of how a command line firewall syntax should be done. Easier to read is equal to less chance for mistakes.
Forgot some ingredients... by shmlco · 2006-04-03 06:03 · Score: 4, Insightful

"In fact, most major open source projects are very tightly managed highly disciplined teams."
Which is one of the reasons they became major open source projects in the first place. Of course, that tightly managed highly disciplined team ALSO needs to be working on something we all want, and the end result needs to do the job, and do it well.

--
Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
Open Source Security Nomenclature by digitaldc · 2006-04-03 06:08 · Score: 4, Insightful

perceived problems with an OpenSource approach to security and what could be done to improve the situation.

Could it possibly have something to do with the fact that some people just don't like having the words 'Open Source' attached to their computer security? Maybe rename it to something like 'Closed Fortress OS' or 'Locked Down OS' to give a more positive ring to it?
Maybe I am just thinking about it too much.

--
He who knows best knows how little he knows. - Thomas Jefferson
1. Re:Open Source Security Nomenclature by tdemark · 2006-04-03 06:54 · Score: 1
  
  I have the perfect name:
  
  OS Defender
  
  There shouldn't be a problem with that, right?
  
  - Tony
2. Re:Open Source Security Nomenclature by HolyCrapSCOsux · 2006-04-03 07:29 · Score: 1
  
  Isn't Defender owned by Atari?
  
  --
  0xB315AA8D852DCD3F3DCA578FD2E0BF88
3. Re:Open Source Security Nomenclature by Brunellus · 2006-04-03 08:17 · Score: 1
  
  Yeah, when was the last time you heard of an Atari ST getting hacked?
4. Re:Open Source Security Nomenclature by triso · 2006-04-03 10:21 · Score: 1
  
  Yeah, when was the last time you heard of an Atari ST getting hacked?
  It was around the same time Netscape was ported to the Amiga and the Coleco Adam had its first Ethernet card for sale.
my 2 cents by Jaqui · 2006-04-03 06:09 · Score: 4, Interesting

I'm sorry, but I find the constant argument that open source is less secure because everyone can see the source to be a silly waste of effort, usually promoted by the commercial security software vendors.

They ignore that the driving principle in open source development is quality software, so everyone who works with it is always looking to find the flaws and remove them.

Neither is inherently more secure, open source has the benefit of more people actively working to improve the code base than any commercial software company can afford to pay. That includes Microsoft. Yes, Microsoft cannot afford to pay the same number of programmers as are actively donating code improvements to open source software solutions.

Those of us that use open source software are more likely to learn the code to improve software we like than those using proprietary products are likely to do anything to help improve the software, including submitting the automatic crash reports that most software has implemented.
[ I personally don't use that even with open source software, running gdb against the core, then seeing what caused the crash and submitting a patch is more usefull. ]

--
J. Henager: If the average user can put a CD in and boot the system and follow the prompts, he can install and use Linux
1. Re:my 2 cents by Homology · 2006-04-03 06:23 · Score: 3, Interesting
  
  They ignore that the driving principle in open source development is quality software, so everyone who works with it is always looking to find the flaws and remove them.
  We would like to think so, however, the driving principle of many open source projects is more features:
  Revision 1.75.2.1 / (download) - annotate - [select for diffs] , Wed Jul 21 16:20:07 2004 UTC (20 months, 1 week ago) by robert Branch: OPENBSD_3_4 Changes since 1.75: +2 -1 lines Diff to previous 1.75 (colored) next main 1.76 (colored) Mark it as BROKEN: Right during 3.5, it had more than a dozen remote holes being fixed, that we shipped with. Weeks later things have not improved, and there continue to be problems reported to bugtraq, and respective band-aids - but it is clear the ethereal team does not care about security, as new protocols get added, and nothing gets done about the many more holes that exist. requested and ok'd by brad@
2. Re:my 2 cents by bubulubugoth · 2006-04-03 07:00 · Score: 1
  
  I actually think, that security must be geared towards use...
  
  For example, ethereal is a tool to analize packages, I really dont care much about it's security, is a analisis tool, not a preventive or perimetral tool...
  
  Im much more concerned about linux kernel security, apache, dns, squid, sendmail, snort and all other tools used to provide a service, which have 24x7 hours open ports...
  
  And for example, OpenOffice, Konqueror security should be biased to avoid unauthorized contact between the application and the host or network...
  
  And of course, the normal attacks from coding error should be automatically asserted...
  
  Sourceforge should offer that service to all the codebase it has...
  
  Each tier should have it's own security, maybe everything should have a microkernel design...
  
  Trying to secure tiers, is much more easy and mesurable than trying to make everything secure...The goal MUST be that: make everything secure, but meanwhile, each tier should be secure enough...
  
  --
  Â_Â
3. Re:my 2 cents by westlake · 2006-04-03 08:31 · Score: 1
  
  open source has the benefit of more people actively working to improve the code base than any commercial software company can afford to pay.
  Why is it then, that flagship projects like OpenOffice.org and Firefox are organized. led, staffed and funded by a single corporate entity like IBM, Sun or the Moz Foundation? That many open source projects do not attract an army of volunteers and are in fact starving for manpower and resources?
4. Re:my 2 cents by Jaqui · 2006-04-03 09:49 · Score: 1
  
  The number of people donating time to an open source prject is directly porportional to the popularity of the project.
  
  no-one wants to use it, no-one offers help.
  
  Mozilla was actually started by Netscape, to get the faster develpoment of open source into the code base behind Netscape Communicator. They still use the NPL, rewritten to be the MPL, for a lot of the code in all the Mozilla tools.
  
  the successful open source projects do wind up starting a company, which has control / ownership of the code base, this allows for the people who started it to move on if they want, yet keep the project going.
  
  The linux kernel is arguably the most sucessful open source project, yet is still completely non commercial. supported through donations only. Linus did associate with GNU and the Free Software Foundation, at their request*, but the kernel development is not a FSF or GNU controlled project, it is an independant open source project.
  
  * Gnu had the tools for a base system, the Kernel team had the kernel, by combining projects they managed to get a released version of the operating system nown as GNU-Linux faster than either alone would have done.
  
  --
  J. Henager: If the average user can put a CD in and boot the system and follow the prompts, he can install and use Linux
5. Re:my 2 cents by Jaqui · 2006-04-03 09:54 · Score: 1
  
  Okay, the team developing ethereal are more interested in features.
  Most other projects do pay more attention to code quality, and fixing bugs is a priority for them.
  A good example was the Critical exploit for linux based Firefox, patched within 24 hours of the exploit being found.
  [ from Secunia's reports. This was at the beginning of Feb, when the WMF exploit caused MS to release a patch early for the first time. ]
  
  --
  J. Henager: If the average user can put a CD in and boot the system and follow the prompts, he can install and use Linux
Zorp by OeLeWaPpErKe · 2006-04-03 07:13 · Score: 1

For real (tm) security, try a (true) layer-7 firewall (in case anyone knows a product that matches up to this, cisco's pix does NOT, pf does not, and checkpoint does not either, they just have some checks that can be easily fucked up by playing with tcp window size (setting it very low for example))

http://www.balabit.com/products/zorp/

Check it out.
1. Re:Zorp by Fizzl · 2006-04-03 16:48 · Score: 1
  
  Level 7? That's like a hungarian guy standing next to every user and pounding them on head with a mallet every time they are about to do something stupid?
  
  The "layers" have been switching around in OSI model so many times, I can't even figure out anymore how many there are supposed to be...
  
  --
  Bot Assisted Blogging
2. Re:Zorp by OeLeWaPpErKe · 2006-04-04 07:13 · Score: 1
  
  When have you EVER seen a layer change in the OSI model ? Please give a web reference.
  
  (There are multiple models, of course, but OSI layer 7 is quite an accurate description of something)
3. Re:Zorp by OeLeWaPpErKe · 2006-04-04 07:15 · Score: 1
  
  Then why not replace that "bastion host" with a zorp host and keep your current firewall ?
  
  This will, however, save seriously on complexity (e.g. try configuring passive ftp in different firewalls a few times, same type of issues for sip etc.)
Brilliant individuals? Where? by Sandor+at+the+Zoo · 2006-04-03 07:27 · Score: 1, Insightful

Partial quote: There is a widespread...impression that open source development is...a free-for-all among brilliant...individuals
I don't think it's that widespread, except amongst Open Source fans. :-)
The impression I usually see is that Open Source projects are done by guys who were laid off and need something to fill in the time between gaming sessions.
1. Re:Brilliant individuals? Where? by sunwukong · 2006-04-03 08:29 · Score: 1
  
  Partial quote: Open Source projects are done by guys who were laid ... and need something to fill in the time between gaming sessions.
  
  There you go, less troll-like and closer to the truth!
2. Re:Brilliant individuals? Where? by ettlz · 2006-04-03 08:57 · Score: 1
  
  Open Source projects are done by guys who were laid ... and need something to fill in the time between gaming sessions.
  Yes, yes, um... coding! is what one does to fill in the time between getting laid.
Plagerism (Re:Snort and Netfilter by algae · 2006-04-03 09:45 · Score: 1

http://www.google.com/search?q=%22It+features+rule s+based+logging+and+can+perform+content%22

Way to shameless rip off other people's work.

--
Causation can cause correlation
1. Re:Plagerism (Re:Snort and Netfilter by lamp540 · 2006-04-04 11:23 · Score: 1
  
  I just read the wikipedia entry for trolls and then I saw that post... fucked up...
Don't try this at home by angel+one · 2006-04-03 10:03 · Score: 1

OSS is real software for people who know what they are doing. If you don't know anything about security and you want some, hire a professional (who may implement OSS for you) or buy a commercial closed product. The commercial product is likely to be more secure than an OSS product selected and implemented by someone who doesn't know anything about security. It's too easy to make a secure program very vulnerable by doing something stupid.
Haphazard? by Beefslaya · 2006-04-03 13:41 · Score: 2, Insightful

Ever since I've discovered the magic of Open Source (Linux, BSD) I have implemented the rule with every network I've run...No Windows box will ever talk to the Internet without going through a Unix/Linux box.

Since then (7 years now) I have had ZERO worms, ZERO security breaches, have cut the Windows server reboots by 80%.

These 2 projects have saved me countless hours of time...

<li>http://www.squid-cache.org/<li/>
and
<li>http://vlsi.cornell.edu/~rajit/fbsd/bridge.htm l<li/>
1. Re:Haphazard? by Beefslaya · 2006-04-03 13:47 · Score: 1
  
  sorry for making the links right here they are again...:(
  Too Quick on the Trigger...
  http://www.squid-cache.org/
  http://vlsi.cornell.edu/~rajit/fbsd/bridge.htm1