In the world of open source software development, 1998 was a significant year. At that time, Netscape announced
the release of the source code for Netscape Navigator, then the most popular Internet browser. The Open Source Initiative formed shortly afterward, and since then there has been an incredible range of software projects launched under the banner of open source. Some have become household names; the Apache Web server, Mozilla Firefox and Linux to name a few. That, in turn, paved the way for a number of popular open source security initiatives, such as Nmap, Snort, Metasploit Framework and OpenSSH, all of which are used commonly in enterprise environments today. In short, today's open source security offerings include an impressive selection of robust, easy-to-use tools.
So in these tough economic times, when increasingly open networks still need securing, it may be helpful to look at open source security tools as a sufficient low- or no-cost alternative to pricey commercial products. Before investing a portion of your hard-won security budget on any technology, it makes sense to trial and compare both open source and commercial products.
But do open source security tools make sense in a large enterprise? Let's first review some of the issues that may make security managers reluctant to consider open source alternatives, and some areas in which open source technologies may or may not be appropriate.
Open source tool drawbacks
Liability -- Sure, open source tools don't come with any warranty protection, but it's extremely unusual for proprietary software suppliers to actually warrant that their software will provide uninterrupted and error-free operation. To me, the vibrancy of an open source project's community and a proper model for supporting updates is more important than a viable business model, which is critical when considering investing heavily in a commercial product. However, commercial vendors usually have roadmaps for their product's development, often a shortcoming of smaller open source projects and disconcerting if you need to know how new technologies are to be incorporated in future releases.
Updates -- Given the fast-changing threat landscape that network administrators have to deal with, any security technology needs constant improvement to remain effective. Well-established open source tools are tested and constantly refined by large, diverse and dedicated development teams, something that commercial vendors may struggle to match, given that they must cope with budget constraints of their own.
Hidden costs -- Many open source projects provide active forums, up-to-date documentation and detailed tutorials, but there is a trend towards charging for dedicated support, something to watch out for if your budget is tight.
Finding a place for open source
So in which areas does it make sense to consider open source technology? Certainly when it comes to tasks such as network exploration and scanning, traffic capture and monitoring file integrity, open source tools are an obvious choice. Tools like Nmap, Wireshark, Netcat, Metasploit and the open source version of Tripwire all compare favorably with commercial alternatives in terms of features, reliability and support. These options are particularly effective in spotting anomalies and other types of network and system vulnerabilities.
However, when it comes to prevention functions like perimeter defenses, rather than discovery functions, the choice is not so clear cut. Snort, for example, has become a popular open source network intrusion detection and prevention system, whereas open source Web application firewalls such as ModSecurity and Aqtronix WebKnight have had less success gaining traction against competing commercial products. For applications as critical as a firewall, administrators feel they may need to have backup support on the end of a phone in case of an emergency, something an open source application can't offer. Of course, you can audit the software of an open source package without having to obtain the unlikely permission of the vendor.
When assessing any security product or tool, it is important to ensure that its functionality matches your requirements for a particular task. Before undergoing an implementation, it's important to be confident that you have the in-house skills to configure, manage and get the best out of the product or tool you finally choose. Due to the lack of formal support, open source tools tend to suit best the administrator who is a self-starter. Open source software is not the answer to every situation, but some offerings have been around for several years and do offer a viable alternative to organizations on a tight budget.
About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity.com Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.