Welcome!

Linux Containers Authors: Mehdi Daoudi, Stackify Blog, Liz McMillan, Yeshim Deniz, Derek Weeks

Related Topics: Linux Containers, Containers Expo Blog

Linux Containers: Article

Open Source for Perimeter Security

Two open source projects provide answers

Does the open source community provide world-class security technology? Can organizations stop dealing with commercial vendors for security software?

To avoid any undue suspense, the answers are: "Emphatically yes" and "Maybe, but you probably need to make an investment of some kind." But let's take a look at the evidence - this article references two open source projects: netfilter and Snort.

Escalating Challenges

First, it's clear that the challenges related to security are escalating. Outbreaks of viruses and worms are becoming more virulent and spreading faster. Blended threats and application-specific attacks are becoming more sophisticated and harder to detect. Wireless communications, instant messaging, and peer-to-peer networks are opening new holes in corporate defenses. Top management is taking a sudden and unaccustomed interest in IT security. Yet IT departments are not getting additional resources to meet these growing pressures.

Innovation in Open Source

How can the open source community help? Clearly there is a terrific surge of innovation in the field of IT security coming from open source developers and the supporting infrastructure of Linux- and open source-related organizations, Web sites, and publications.

A search on the word "security" on the freshmeat Web site (http://freshmeat.net) turns up more than 1,200 entries (see Table 1).

Security Advantages of Open Source

There is a lively discussion about the virtues of security applications on Linux versus Windows, and of open source projects versus proprietary software.

There is no doubt that today there are far more worms and exploits on Windows-based systems than on Linux-based products. It is not certain if this is simply because the larger number of Windows systems makes a more inviting target for hackers, or if the architecture of Linux is inherently more resistant to attack.

There is a strong case that Linux does have structural advantages for security. For example, at Astaro we have stripped out elements of Linux that are not needed for our security package. This removes many vulnerabilities that a hacker could use to attack a more complex version of the operating system. Performing this kind of pruning would be far more difficult with Windows.

A more important factor, however, is the fundamental development process used for open source projects.

For major projects, code is rigorously examined and exhaustively tested by hundreds of individuals - far more than even the largest commercial vendor can bring to bear on a single product.

The pace of learning and improvement is also much faster than would be possible in a typical commercial setting. Vulnerabilities are exposed more quickly, and solutions developed and tested more readily.

Perhaps most important, in the open source world it is impossible to hide or downplay security vulnerabilities. The open source development process harnesses human nature to ruthlessly expose and eliminate weaknesses, rather than to deny mistakes or delay remediation.

Myths About Open Source Development

There is a widespread and wholly inaccurate impression that open source development is somehow haphazard and undisciplined, a free-for-all among brilliant but uncoordinated individuals. In fact, most major open source projects are very tightly managed by a small, highly disciplined core team. This team determines the architecture of the software, selects the code to be included, and manages all phases of the development process. It enforces strict source control processes, and establishes detailed coding styles and security guidelines.

Critical mass in the open source world comes from the dozens, hundreds, or even thousands of developers who examine and test existing software and submit new code. These developers provide the quantity of inspiration, innovation, and plain hard work that is impossible to duplicate in a commercial setting. However, the core team is always there to coordinate the work of the masses and select the best work to include in the primary branch of the software.

An Example: The netfilter Project

An excellent example of a cutting-edge open source effort is the netfilter project (www.netfilter.org). This is a Linux-based packet filter that features stateful firewalling, Network Address Translation (NAT), load balancing, and other kinds of packet mangling.

The project was founded in 1999 in Australia and has now grown to more than 100,000 lines of code contributed by over 700 developers. There are currently about 300 active developers submitting about 1,400 postings a month to the development mailing lists.

The netfilter project is managed by a core team of 4 members who winnow down the submissions to an average of 65 code improvements and fixes per month.

This is an excellent illustration of the principles we've been discussing - an effort that utilizes the contributions of hundreds of developers, working on a project they love, managed by a small and disciplined core team.

Limitations of Open Source

Open source projects are an outstanding source of world-class security technology, but they are not a panacea for developers or IT managers who need to deploy reliable, manageable software in a real-world production environment.

The open source community is driven by technical enthusiasm, not commercial needs. While most open source developers understand the requirements of IT departments very well, they cannot reasonably be expected to donate their free time to working on mundane management issues.

As a result, open source projects provide brilliant, innovative solutions to fundamental problems, but ease of use and ease of management are typically afterthoughts.

This tendency can manifest itself in several ways: command-line interfaces or less-than-intuitive GUIs, lack of documentation and help facilities, highly manual methods to update software and threat signatures, and limited reporting capabilities. These shortcomings are minor for the highly skilled developer who enjoys digging into a new piece of technology, but they are fatal for the systems administrator or IT manager who needs to complete a lot of tasks in a short time.

Beyond the level of the individual open source project, there is no incentive to integrate separate packages into what an IT manager would view as a complete solution.

While all open source code is available for inspection, that does not mean that all of it is inspected with equal thoroughness. Many eyes will view the technically exciting parts, but the environment does not lend itself to saying: Will you please review and test the boring parts?

Finally, support options are limited for most open source software.

Harnessing Open Source Software for Security

How can organizations harness the explosive growth and innovation of the open source community (and its low costs) without suffering from limitations?

There are basically two choices:

  1. Allocate sufficient resources to fill the gaps themselves.
  2. Let a commercial vendor integrate and support a complete solution based on open source components.
In both cases the tasks are basically the same:
  • Somebody needs to create the interfaces and the documentation to make the tech-nology readily accessible to the typical overworked user or administrator (who is being distracted by a constant barrage of competing demands).
  • Somebody needs to set up automated processes to validate settings, patch software, update threat signatures, and back up configurations.
  • Somebody needs to create the reports so that the average administrator (who is still distracted and harried) can troubleshoot problems and track trends.
  • And if the solution involves multiple components (which is typical in security), someone needs to integrate the components and do thorough testing to make sure that the pieces work together under all types of hostile conditions.

An Illustration: Preparing Snort for the Typical Administrator

One of the most successful open source projects is Snort (www.snort.org), a network intrusion detection system. Snort's intrusion detection engine is widely considered to be equal to or better than any vendor-developed alternative, and the project supports a database of more than 2,000 intrusion detection rules.

However, the Snort technology in its raw form is much better suited to a highly trained security specialist than to the average systems administrator. Configuring the system and the large number of rules requires a fairly high level of expertise, not to mention a lot of time. Updating the rule set on a regular basis is also a time-consuming manual process.

About a year ago Astaro decided to utilize the Snort project as the core of a new "Intrusion Protection" module of our Linux perimeter security solution (see Figure 1). However, to fit the software to the needs of a typical administrator, we had to add quite a bit of functionality. For example, we:

  • Created a user interface that made it simple to turn intrusion detection rules on and off either individually or in categories relating to different applications and protocols (so, for example, if a particular application or protocol is not in use at a site all of the related rules could be turned off for better performance)
  • Modified the automated update service so that new intrusion threat patterns could be added with the same process that updates the firewall software and virus signatures
  • Integrated the intrusion detection engine with our firewall so that the firewall could immediately block intrusions (and modified the user interface mentioned above so that the administrator could toggle back and forth between "intrusion detection" and "intrusion prevention" for each rule)
  • Removed some of the functionality from the open source project by eliminating some of the intrusion detection rules that we felt would cause too many false positives or slow down per-formance without providing a measurable benefit to security
If you want to make this comparison yourself, you can download a free version of Astaro Security Linux at https://my.astaro.com/download and download the Snort code from www.snort.org/dl.

A Two-Way Street

Commercial companies who utilize open source projects must make significant contributions back to the community, such as funding projects and developers and making versions of proprietary software available at no cost. It's also important to adhere to the various open source licensing rules, for example, by publishing any changes made to the project code. These activities make commercial companies active contributors to the growth and success of the open source movement.

Open Source: Leverage the Pros, Ditch the Cons

Let's come back to the questions we posed at the beginning of this article:
  • Does the open source community provide world-class security technology?
  • Can organizations stop dealing with commercial vendors for security software?
The answer to the first question is clearly yes. In fact, we would argue that the best security technology in the world today is being created by the open source community. The level of expertise, and the number of contributors to security-related open source projects, is truly incredible. And as we discussed earlier, open source development processes are well organized and disciplined.

The answer to the second question is: maybe, but you probably you need to make an investment of some kind:

  • You can use open source security projects "out of the box" if you have a high skill level, a tolerance for rough edges, and no need to rely on less dedicated coworkers.
  • Your organization can commit resources to adding management features, integrating components, and providing support so that the technology can be utilized by your average administrator.
  • You can work with a vendor who integrates and packages open source projects for a commercial audience.
In all three of these cases you can take advantage of a very dynamic source of sophisticated technology at a total cost that is significantly lower than traditional security packages. This is truly an area where everyone can win.

More Stories By Jon Friedman

Jon Friedman is vice president of product marketing at Astaro Corporation. He has 20 years of experience with technology companies in marketing, business planning, market analysis, and sales. He was worked with both start-ups and Fortune 500 companies, including Systems Engineering, ePresence (formerly Banyan Systems), Nortel Networks, EPiCON, Wang Software, and Unisys.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@ThingsExpo Stories
To get the most out of their data, successful companies are not focusing on queries and data lakes, they are actively integrating analytics into their operations with a data-first application development approach. Real-time adjustments to improve revenues, reduce costs, or mitigate risk rely on applications that minimize latency on a variety of data sources. Jack Norris reviews best practices to show how companies develop, deploy, and dynamically update these applications and how this data-first...
Intelligent Automation is now one of the key business imperatives for CIOs and CISOs impacting all areas of business today. In his session at 21st Cloud Expo, Brian Boeggeman, VP Alliances & Partnerships at Ayehu, will talk about how business value is created and delivered through intelligent automation to today’s enterprises. The open ecosystem platform approach toward Intelligent Automation that Ayehu delivers to the market is core to enabling the creation of the self-driving enterprise.
WebRTC is the future of browser-to-browser communications, and continues to make inroads into the traditional, difficult, plug-in web communications world. The 6th WebRTC Summit continues our tradition of delivering the latest and greatest presentations within the world of WebRTC. Topics include voice calling, video chat, P2P file sharing, and use cases that have already leveraged the power and convenience of WebRTC.
"We're a cybersecurity firm that specializes in engineering security solutions both at the software and hardware level. Security cannot be an after-the-fact afterthought, which is what it's become," stated Richard Blech, Chief Executive Officer at Secure Channels, in this SYS-CON.tv interview at @ThingsExpo, held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA.
Consumers increasingly expect their electronic "things" to be connected to smart phones, tablets and the Internet. When that thing happens to be a medical device, the risks and benefits of connectivity must be carefully weighed. Once the decision is made that connecting the device is beneficial, medical device manufacturers must design their products to maintain patient safety and prevent compromised personal health information in the face of cybersecurity threats. In his session at @ThingsExpo...
SYS-CON Events announced today that Massive Networks will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Massive Networks mission is simple. To help your business operate seamlessly with fast, reliable, and secure internet and network solutions. Improve your customer's experience with outstanding connections to your cloud.
The question before companies today is not whether to become intelligent, it’s a question of how and how fast. The key is to adopt and deploy an intelligent application strategy while simultaneously preparing to scale that intelligence. In her session at 21st Cloud Expo, Sangeeta Chakraborty, Chief Customer Officer at Ayasdi, will provide a tactical framework to become a truly intelligent enterprise, including how to identify the right applications for AI, how to build a Center of Excellence to ...
From 2013, NTT Communications has been providing cPaaS service, SkyWay. Its customer’s expectations for leveraging WebRTC technology are not only typical real-time communication use cases such as Web conference, remote education, but also IoT use cases such as remote camera monitoring, smart-glass, and robotic. Because of this, NTT Communications has numerous IoT business use-cases that its customers are developing on top of PaaS. WebRTC will lead IoT businesses to be more innovative and address...
Everything run by electricity will eventually be connected to the Internet. Get ahead of the Internet of Things revolution and join Akvelon expert and IoT industry leader, Sergey Grebnov, in his session at @ThingsExpo, for an educational dive into the world of managing your home, workplace and all the devices they contain with the power of machine-based AI and intelligent Bot services for a completely streamlined experience.
Because IoT devices are deployed in mission-critical environments more than ever before, it’s increasingly imperative they be truly smart. IoT sensors simply stockpiling data isn’t useful. IoT must be artificially and naturally intelligent in order to provide more value In his session at @ThingsExpo, John Crupi, Vice President and Engineering System Architect at Greenwave Systems, will discuss how IoT artificial intelligence (AI) can be carried out via edge analytics and machine learning techn...
SYS-CON Events announced today that GrapeUp, the leading provider of rapid product development at the speed of business, will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place October 31-November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Grape Up is a software company, specialized in cloud native application development and professional services related to Cloud Foundry PaaS. With five expert teams that operate in various sectors of the market acr...
SYS-CON Events announced today that Datera, that offers a radically new data management architecture, has been named "Exhibitor" of SYS-CON's 21st International Cloud Expo ®, which will take place on Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Datera is transforming the traditional datacenter model through modern cloud simplicity. The technology industry is at another major inflection point. The rise of mobile, the Internet of Things, data storage and Big...
In his opening keynote at 20th Cloud Expo, Michael Maximilien, Research Scientist, Architect, and Engineer at IBM, discussed the full potential of the cloud and social data requires artificial intelligence. By mixing Cloud Foundry and the rich set of Watson services, IBM's Bluemix is the best cloud operating system for enterprises today, providing rapid development and deployment of applications that can take advantage of the rich catalog of Watson services to help drive insights from the vast t...
SYS-CON Events announced today that CA Technologies has been named "Platinum Sponsor" of SYS-CON's 21st International Cloud Expo®, which will take place October 31-November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. CA Technologies helps customers succeed in a future where every business - from apparel to energy - is being rewritten by software. From planning to development to management to security, CA creates software that fuels transformation for companies in the applic...
Recently, IoT seems emerging as a solution vehicle for data analytics on real-world scenarios from setting a room temperature setting to predicting a component failure of an aircraft. Compared with developing an application or deploying a cloud service, is an IoT solution unique? If so, how? How does a typical IoT solution architecture consist? And what are the essential components and how are they relevant to each other? How does the security play out? What are the best practices in formulating...
In his session at @ThingsExpo, Arvind Radhakrishnen discussed how IoT offers new business models in banking and financial services organizations with the capability to revolutionize products, payments, channels, business processes and asset management built on strong architectural foundation. The following topics were covered: How IoT stands to impact various business parameters including customer experience, cost and risk management within BFS organizations.
Internet of @ThingsExpo, taking place October 31 - November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 21st Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The Internet of Things (IoT) is the most profound change in personal and enterprise IT since the creation of the Worldwide Web more than 20 years ago. All major researchers estimate there will be tens of billions devic...
SYS-CON Events announced today that Elastifile will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Elastifile Cloud File System (ECFS) is software-defined data infrastructure designed for seamless and efficient management of dynamic workloads across heterogeneous environments. Elastifile provides the architecture needed to optimize your hybrid cloud environment, by facilitating efficient...
There is only one world-class Cloud event on earth, and that is Cloud Expo – which returns to Silicon Valley for the 21st Cloud Expo at the Santa Clara Convention Center, October 31 - November 2, 2017. Every Global 2000 enterprise in the world is now integrating cloud computing in some form into its IT development and operations. Midsize and small businesses are also migrating to the cloud in increasing numbers. Companies are each developing their unique mix of cloud technologies and service...
SYS-CON Events announced today that Golden Gate University will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Since 1901, non-profit Golden Gate University (GGU) has been helping adults achieve their professional goals by providing high quality, practice-based undergraduate and graduate educational programs in law, taxation, business and related professions. Many of its courses are taug...