Slashdot Mirror


Open Source For Perimeter Security

An anonymous reader writes "IT Observer has a look at some of the perceived problems with an OpenSource approach to security and what could be done to improve the situation. From the article: 'There is a widespread and wholly inaccurate impression that open source development is somehow haphazard and undisciplined, a free-for-all among brilliant but uncoordinated individuals. In fact, most major open source projects are very tightly managed highly disciplined teams. This article gives examples of very successful Open Source security projects -- netfilter and Snort -- and also describes some weaknesses that need to be addressed by IT organizations or vendors.'"

11 of 56 comments

  1. Socrates on Security by neoshroom · · Score: 5, Funny

    When it comes to Linux versus Windows it is almost a matter of philosophy.

    "The unexamined [code] is not worth [coding]." -- Socrates (Apology 38a)

    __
    Elephant Essays - Custom-created essays and research papers.

    --
    Big apple, new Yorik, undig it, something's unrotting in Edenmark.
  2. Marketeer shows how to pitch open source... by xxxJonBoyxxx · · Score: 4, Insightful
    "An excellent example of a cutting-edge open source effort is the netfilter project (www.netfilter.org), a Linux-based packet filter that features stateful firewalling, Network Address Translation (NAT), load balancing, and other kinds of packet mangling. The project was founded in 1999 in Australia and has now grown to more than 100,000 lines of code contributed by over 700 developers. There are currently about 300 active developers submitting about 1,400 postings a month to the development mailing lists. The core team consists of 4 members who winnow down the submissions to an average of 65 code improvements and fixes per month. "

    "By Walter Schumann, VP Sales and Marketing, Astaro"

    You Slashdotters may make fun of marketing people, but I think Walter just showed you how YOU need to make your pitch for your favorite open source project at your company.

    1. Re:Marketeer shows how to pitch open source... by xxxJonBoyxxx · · Score: 2, Insightful
      "Like spinning X as something great when there is a much better Y?"

      Well...yes. That's kind of the whole point behind a specific pitch. Once you've decided to get X, you need to turn around and make an audience that may know a little something about both X and Y feel that X is clearly better. It's the very definition of spin...

    2. Re:Marketeer shows how to pitch open source... by Alkrun · · Score: 3, Interesting

      "The project was founded in 1999 in Australia and has now grown to more than 100,000 lines of code contributed by over 700 developers."

      And therein lies a large chunk of "the problem" for OSS projects if you ask me. It's much easier to manage 20 developers who each have to write 5,000 lines of code than to manage 700 developers who each write (I'm sure it doesn't work out like this) 143 lines of code. I'd love to have 700 people reviewing the code written by the 20, but with 700 cooks in the kitchen it's extremely difficult to adhere to conventions for APIs, standard error handling, etc...

      The solution for closed source projects to come in line with the perceived vastly superior security of OSS projects is to overload their projects with white-box testing harnesses and QA testers who know how to do white-box testing. Unfortunately that's extremely expensive so it gets pushed in favor of more black-box testing. I do believe OSS projects have a better security track record, but I don't believe it's nearly as large as the Slashdot illuminati make it out to be.

    3. Re:Marketeer shows how to pitch open source... by BobSutan · · Score: 2, Insightful

      You need to look at who he's making the pitch to. For a technically inclined management, which some are, the first question they're going to ask is, "So?"

      Having a large development footprint is great for quantity, but how is the product's quality? No amount of marketing will tell you the true measure of something's worth to a business. Sure you can make it sound like the best thing since sliced bread, but the reality is if it doesn't live up to expectations (something bad if you marketed it to your own management), bad juju will come looking for you.

      --
      "On a scale from 1 to 10, people are stupid"
  3. Forgot some ingredients... by shmlco · · Score: 4, Insightful
    "In fact, most major open source projects are very tightly managed highly disciplined teams."

    Which is one of the reasons they became major open source projects in the first place. Of course, that tightly managed highly disciplined team ALSO needs to be working on something we all want, and the end result needs to do the job, and do it well.

    --
    Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
  4. Open Source Security Nomenclature by digitaldc · · Score: 4, Insightful

    perceived problems with an OpenSource approach to security and what could be done to improve the situation.

    Could it possibly have something to do with the fact that some people just don't like having the words 'Open Source' attached to their computer security? Maybe rename it to something like 'Closed Fortress OS' or 'Locked Down OS' to give a more positive ring to it?
    Maybe I am just thinking about it too much.

    --
    He who knows best knows how little he knows. - Thomas Jefferson
  5. my 2 cents by Jaqui · · Score: 4, Interesting

    I'm sorry, but I find the constant argument that open source is less secure because everyone can see the source to be a silly waste of effort, usually promoted by the commercial security software vendors.

    They ignore that the driving principle in open source development is quality software, so everyone who works with it is always looking to find the flaws and remove them.

    Neither is inherently more secure, open source has the benefit of more people actively working to improve the code base than any commercial software company can afford to pay. That includes Microsoft. Yes, Microsoft cannot afford to pay the same number of programmers as are actively donating code improvements to open source software solutions.

    Those of us that use open source software are more likely to learn the code to improve software we like than those using proprietary products are likely to do anything to help improve the software, including submitting the automatic crash reports that most software has implemented.
    [ I personally don't use that even with open source software; running gdb against the core, then seeing what caused the crash and submitting a patch is more useful. ]

    --
    J. Henager: If the average user can put a CD in and boot the system and follow the prompts, he can install and use Linux
    1. Re:my 2 cents by Homology · · Score: 3, Interesting
      They ignore that the driving principle in open source development is quality software, so everyone who works with it is always looking to find the flaws and remove them.

      We would like to think so, however, the driving principle of many open source projects is more features:

      Revision 1.75.2.1, Wed Jul 21 16:20:07 2004 UTC (20 months, 1 week ago) by robert
      Branch: OPENBSD_3_4
      Changes since 1.75: +2 -1 lines

      Mark it as BROKEN:

      Right during 3.5, it had more than
      a dozen remote holes being fixed, that we shipped with. Weeks later
      things have not improved, and there continue to be problems reported
      to bugtraq, and respective band-aids - but it is clear the ethereal
      team does not care about security, as new protocols get added, and
      nothing gets done about the many more holes that exist.

      requested and ok'd by brad@
  6. Re:Snort and Netfilter by cyberkahn · · Score: 2, Interesting

    Boy that's the truth brother! IPTABLE syntax is for those who like to write rule sets in C. pf is definitely the example of how a command line firewall syntax should be done. Easier to read is equal to less chance for mistakes.

  7. Haphazard? by Beefslaya · · Score: 2, Insightful

    Ever since I've discovered the magic of Open Source (Linux, BSD) I have implemented the rule with every network I've run...No Windows box will ever talk to the Internet without going through a Unix/Linux box.

    Since then (7 years now) I have had ZERO worms, ZERO security breaches, and have cut the Windows server reboots by 80%.

    These 2 projects have saved me countless hours of time...

    http://www.squid-cache.org/
    and
    http://vlsi.cornell.edu/~rajit/fbsd/bridge.html