Check Point Software Technologies Inc. believes its $225 million acquisition of Sourcefire Inc. and its Snort IDS...
heralds a new direction for the security giant and a bright future for the open source packet-sniffer. Skeptics and loyalists, though, fear what they believe may be the inevitable demise of one of the industry's most popular security tools.
The Redwood City, Calif.-based security giant last week announced it would acquire Columbia, Md.-based Sourcefire, the company founded in 2001 by Martin Roesch to foster the development of free and commercial network security products.
Foremost among those products is Snort, the real-time, open source packet-sniffing tool Roesch unveiled in 1998 to inspect network data packets for dangerous payloads or suspicious anomalies. Snort has been downloaded millions of times, and its user community remains passionately devoted to the proliferation and advancement of the product.
In a message to the Snort community last week, Roesch pledged that Check Point would not only foster the product's development, but also its community, which he credited for Snort's success.
"Snort is now and will continue to be free to end-users," Roesch wrote. "We will continue to develop and distribute the Snort engine under the GPL, improve and document the program to stay on the cutting edge and expand the Snort.org Web site."
Still, industry observers are hardly optimistic. Martin McKeay, a CISSP and Snort user based in Santa Rosa, Calif., said he's hoping for the best, but expecting the worst.
"I'm hoping [the acquisition] means that Sourcefire will have the money and strength to make an investment in Snort," McKeay said. "I hope that Check Point is going to play it smart, keep its hands off of Snort and just let it garner good will for them."
Richard Bejtlich, founder of the Washington, D.C.-based consultancy Tao Security, said many fail to realize just how expensive it is to support a product like Snort.
"I've been to Sourcefire, and I've seen how many people they have working on the product and on signatures," Bejtlich said. "They have what seems like millions and millions dollars of racks of equipment. I was surprised they were able to continue with Snort as they did."
During a conference call last week, Check Point founder and CEO Gil Shwed said that while detailed product and strategy decisions will not be made until the end of the year, when the acquisition is expected to close, all of Sourcefire's existing products, including Snort, will be continued for the immediate future.
However, the community may be hesitant to embrace Check Point's stewardship of Snort for a number of reasons, one of which is its reluctance to discuss detailed future plans.
"Right now we're focusing on closing the transaction and receiving the approval that we need," said Andrew Singer, Check Point's director of market intelligence. "When we know our future plans, and when we can discuss it, we will."
For a devoted user base that has fostered the product's development and relied on it to help keep their organization's perimeters secure, that may not be enough assurance.
McKeay said users trust that the "quiet yet charismatic" Roesch is doing the right thing. Roesch has accumulated a tremendous amount of good will through his openness and contributions to the community, he said, but that doesn't negate users' anxiety.
Said Bejtlich, "They're a big, nameless, faceless corporation," and users anticipate Check Point's loyalty to Snort and its users won't be a priority as it has been for Sourcefire. Plus, he said, the $225 million Check Point outlaid for Sourcefire means the security giant will be eager to maximize the return on its investment however it can.
Others are concerned by Check Point's past actions. In 2003 it spent $205 million to buy Zone Labs, maker of the popular free ZoneAlarm desktop firewall application. Since that time, users claim Check Point has allowed the product to languish and isn't adequately addressing flaws in the product, both allegations Check Point denies.
Still, even if Check Point recognizes that Snort 's value may be limited, the value of a loyal user community from which it can generate revenue may be limitless.
"If the Snort community doesn't support Check Point," warned McKeay, "there will be problems."
But in today's realm of increasingly sophisticated security threats, does an IDS like Snort still matter?
Greg Young, a research vice president for Stamford, Conn.-based Gartner, said Snort is a small element of the acquisition. He said Check Point's primary objective is to acquire Sourcefire's Real-time Network Awareness network monitoring product, and combine it with its own products to build the industry's best intrusion prevention system (IPS).
What may be more troubling for Snort users is that Young said the intrusion detection market has been in decline for some time, with many organizations instead shifting to a full-blown IPS.
McKeay said, though, that it's too early to sound the death knell for IDS products because IPS technology isn't mature enough for most organizations. Often the slightest problem with an IPS system, he said, can bring down a whole network.
"There are still too many false positives," McKeay said, "and if you turn [the sensitivity] down, you're often missing some of the real action. It's a technology that needs a couple more years of growth before it becomes truly reliable."
Regardless, Young said there are still many enterprises that rely on Snort and will for the foreseeable future, and Check Point's conditional commitment to Snort is good news for them.
Despite the gloom, users do see a ray of hope in the acquisition. McKeay said Check Point's strengths in the firewall market should mesh well with Sourcefire's products to create a compelling IPS.
Bejtlich was less flattering in regard to Check Point's technology, but admitted its vast resources will enable it to advance Sourcefire's products well beyond what's available today.
Young said there's no need for Snort users -- or any Sourcefire customers -- to panic, but the situation is worth monitoring closely.
"Clearly there have to be some changes to Sourcefire products in the future," he said. "Maybe not to Snort, but a common engine across all Check Point's intrusion prevention products is probably where they're heading."
Though Check Point may have tactical reasons to deemphasize Snort as it exists today, Young said, the strategic reasons to stay with it are more compelling.
"It's a channel to a customer base, it's a pathway to vulnerability information and it provides good brand reinforcement and security credibility as well," Young said.