Welcome!

Linux Containers Authors: Liz McMillan, James Carlini, Elizabeth White, Vaibhaw Pandey, Pat Romanski

Related Topics: Linux Containers, Containers Expo Blog

Linux Containers: Article

Open Source for Perimeter Security

Two open source projects provide answers

Does the open source community provide world-class security technology? Can organizations stop dealing with commercial vendors for security software?

To avoid any undue suspense, the answers are: "Emphatically yes" and "Maybe, but you probably need to make an investment of some kind." But let's take a look at the evidence - this article references two open source projects: netfilter and Snort.

Escalating Challenges

First, it's clear that the challenges related to security are escalating. Outbreaks of viruses and worms are becoming more virulent and spreading faster. Blended threats and application-specific attacks are becoming more sophisticated and harder to detect. Wireless communications, instant messaging, and peer-to-peer networks are opening new holes in corporate defenses. Top management is taking a sudden and unaccustomed interest in IT security. Yet IT departments are not getting additional resources to meet these growing pressures.

Innovation in Open Source

How can the open source community help? Clearly there is a terrific surge of innovation in the field of IT security coming from open source developers and the supporting infrastructure of Linux- and open source-related organizations, Web sites, and publications.

A search on the word "security" on the freshmeat Web site (http://freshmeat.net) turns up more than 1,200 entries (see Table 1).

Security Advantages of Open Source

There is a lively discussion about the virtues of security applications on Linux versus Windows, and of open source projects versus proprietary software.

There is no doubt that today there are far more worms and exploits on Windows-based systems than on Linux-based products. It is not certain if this is simply because the larger number of Windows systems makes a more inviting target for hackers, or if the architecture of Linux is inherently more resistant to attack.

There is a strong case that Linux does have structural advantages for security. For example, at Astaro we have stripped out elements of Linux that are not needed for our security package. This removes many vulnerabilities that a hacker could use to attack a more complex version of the operating system. Performing this kind of pruning would be far more difficult with Windows.

A more important factor, however, is the fundamental development process used for open source projects.

For major projects, code is rigorously examined and exhaustively tested by hundreds of individuals - far more than even the largest commercial vendor can bring to bear on a single product.

The pace of learning and improvement is also much faster than would be possible in a typical commercial setting. Vulnerabilities are exposed more quickly, and solutions developed and tested more readily.

Perhaps most important, in the open source world it is impossible to hide or downplay security vulnerabilities. The open source development process harnesses human nature to ruthlessly expose and eliminate weaknesses, rather than to deny mistakes or delay remediation.

Myths About Open Source Development

There is a widespread and wholly inaccurate impression that open source development is somehow haphazard and undisciplined, a free-for-all among brilliant but uncoordinated individuals. In fact, most major open source projects are very tightly managed by a small, highly disciplined core team. This team determines the architecture of the software, selects the code to be included, and manages all phases of the development process. It enforces strict source control processes, and establishes detailed coding styles and security guidelines.

Critical mass in the open source world comes from the dozens, hundreds, or even thousands of developers who examine and test existing software and submit new code. These developers provide the quantity of inspiration, innovation, and plain hard work that is impossible to duplicate in a commercial setting. However, the core team is always there to coordinate the work of the masses and select the best work to include in the primary branch of the software.

An Example: The netfilter Project

An excellent example of a cutting-edge open source effort is the netfilter project (www.netfilter.org). This is a Linux-based packet filter that features stateful firewalling, Network Address Translation (NAT), load balancing, and other kinds of packet mangling.

The project was founded in 1999 in Australia and has now grown to more than 100,000 lines of code contributed by over 700 developers. There are currently about 300 active developers submitting about 1,400 postings a month to the development mailing lists.

The netfilter project is managed by a core team of 4 members who winnow down the submissions to an average of 65 code improvements and fixes per month.

This is an excellent illustration of the principles we've been discussing - an effort that utilizes the contributions of hundreds of developers, working on a project they love, managed by a small and disciplined core team.

Limitations of Open Source

Open source projects are an outstanding source of world-class security technology, but they are not a panacea for developers or IT managers who need to deploy reliable, manageable software in a real-world production environment.

The open source community is driven by technical enthusiasm, not commercial needs. While most open source developers understand the requirements of IT departments very well, they cannot reasonably be expected to donate their free time to working on mundane management issues.

As a result, open source projects provide brilliant, innovative solutions to fundamental problems, but ease of use and ease of management are typically afterthoughts.

This tendency can manifest itself in several ways: command-line interfaces or less-than-intuitive GUIs, lack of documentation and help facilities, highly manual methods to update software and threat signatures, and limited reporting capabilities. These shortcomings are minor for the highly skilled developer who enjoys digging into a new piece of technology, but they are fatal for the systems administrator or IT manager who needs to complete a lot of tasks in a short time.

Beyond the level of the individual open source project, there is no incentive to integrate separate packages into what an IT manager would view as a complete solution.

While all open source code is available for inspection, that does not mean that all of it is inspected with equal thoroughness. Many eyes will view the technically exciting parts, but the environment does not lend itself to saying: Will you please review and test the boring parts?

Finally, support options are limited for most open source software.

Harnessing Open Source Software for Security

How can organizations harness the explosive growth and innovation of the open source community (and its low costs) without suffering from limitations?

There are basically two choices:

  1. Allocate sufficient resources to fill the gaps themselves.
  2. Let a commercial vendor integrate and support a complete solution based on open source components.
In both cases the tasks are basically the same:
  • Somebody needs to create the interfaces and the documentation to make the tech-nology readily accessible to the typical overworked user or administrator (who is being distracted by a constant barrage of competing demands).
  • Somebody needs to set up automated processes to validate settings, patch software, update threat signatures, and back up configurations.
  • Somebody needs to create the reports so that the average administrator (who is still distracted and harried) can troubleshoot problems and track trends.
  • And if the solution involves multiple components (which is typical in security), someone needs to integrate the components and do thorough testing to make sure that the pieces work together under all types of hostile conditions.

An Illustration: Preparing Snort for the Typical Administrator

One of the most successful open source projects is Snort (www.snort.org), a network intrusion detection system. Snort's intrusion detection engine is widely considered to be equal to or better than any vendor-developed alternative, and the project supports a database of more than 2,000 intrusion detection rules.

However, the Snort technology in its raw form is much better suited to a highly trained security specialist than to the average systems administrator. Configuring the system and the large number of rules requires a fairly high level of expertise, not to mention a lot of time. Updating the rule set on a regular basis is also a time-consuming manual process.

About a year ago Astaro decided to utilize the Snort project as the core of a new "Intrusion Protection" module of our Linux perimeter security solution (see Figure 1). However, to fit the software to the needs of a typical administrator, we had to add quite a bit of functionality. For example, we:

  • Created a user interface that made it simple to turn intrusion detection rules on and off either individually or in categories relating to different applications and protocols (so, for example, if a particular application or protocol is not in use at a site all of the related rules could be turned off for better performance)
  • Modified the automated update service so that new intrusion threat patterns could be added with the same process that updates the firewall software and virus signatures
  • Integrated the intrusion detection engine with our firewall so that the firewall could immediately block intrusions (and modified the user interface mentioned above so that the administrator could toggle back and forth between "intrusion detection" and "intrusion prevention" for each rule)
  • Removed some of the functionality from the open source project by eliminating some of the intrusion detection rules that we felt would cause too many false positives or slow down per-formance without providing a measurable benefit to security
If you want to make this comparison yourself, you can download a free version of Astaro Security Linux at https://my.astaro.com/download and download the Snort code from www.snort.org/dl.

A Two-Way Street

Commercial companies who utilize open source projects must make significant contributions back to the community, such as funding projects and developers and making versions of proprietary software available at no cost. It's also important to adhere to the various open source licensing rules, for example, by publishing any changes made to the project code. These activities make commercial companies active contributors to the growth and success of the open source movement.

Open Source: Leverage the Pros, Ditch the Cons

Let's come back to the questions we posed at the beginning of this article:
  • Does the open source community provide world-class security technology?
  • Can organizations stop dealing with commercial vendors for security software?
The answer to the first question is clearly yes. In fact, we would argue that the best security technology in the world today is being created by the open source community. The level of expertise, and the number of contributors to security-related open source projects, is truly incredible. And as we discussed earlier, open source development processes are well organized and disciplined.

The answer to the second question is: maybe, but you probably you need to make an investment of some kind:

  • You can use open source security projects "out of the box" if you have a high skill level, a tolerance for rough edges, and no need to rely on less dedicated coworkers.
  • Your organization can commit resources to adding management features, integrating components, and providing support so that the technology can be utilized by your average administrator.
  • You can work with a vendor who integrates and packages open source projects for a commercial audience.
In all three of these cases you can take advantage of a very dynamic source of sophisticated technology at a total cost that is significantly lower than traditional security packages. This is truly an area where everyone can win.

More Stories By Jon Friedman

Jon Friedman is vice president of product marketing at Astaro Corporation. He has 20 years of experience with technology companies in marketing, business planning, market analysis, and sales. He was worked with both start-ups and Fortune 500 companies, including Systems Engineering, ePresence (formerly Banyan Systems), Nortel Networks, EPiCON, Wang Software, and Unisys.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@ThingsExpo Stories
Gemini is Yahoo’s native and search advertising platform. To ensure the quality of a complex distributed system that spans multiple products and components and across various desktop websites and mobile app and web experiences – both Yahoo owned and operated and third-party syndication (supply), with complex interaction with more than a billion users and numerous advertisers globally (demand) – it becomes imperative to automate a set of end-to-end tests 24x7 to detect bugs and regression. In th...
"Cloud Academy is an enterprise training platform for the cloud, specifically public clouds. We offer guided learning experiences on AWS, Azure, Google Cloud and all the surrounding methodologies and technologies that you need to know and your teams need to know in order to leverage the full benefits of the cloud," explained Alex Brower, VP of Marketing at Cloud Academy, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clar...
In his session at 21st Cloud Expo, Carl J. Levine, Senior Technical Evangelist for NS1, will objectively discuss how DNS is used to solve Digital Transformation challenges in large SaaS applications, CDNs, AdTech platforms, and other demanding use cases. Carl J. Levine is the Senior Technical Evangelist for NS1. A veteran of the Internet Infrastructure space, he has over a decade of experience with startups, networking protocols and Internet infrastructure, combined with the unique ability to it...
"There's plenty of bandwidth out there but it's never in the right place. So what Cedexis does is uses data to work out the best pathways to get data from the origin to the person who wants to get it," explained Simon Jones, Evangelist and Head of Marketing at Cedexis, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
Large industrial manufacturing organizations are adopting the agile principles of cloud software companies. The industrial manufacturing development process has not scaled over time. Now that design CAD teams are geographically distributed, centralizing their work is key. With large multi-gigabyte projects, outdated tools have stifled industrial team agility, time-to-market milestones, and impacted P&L stakeholders.
"Akvelon is a software development company and we also provide consultancy services to folks who are looking to scale or accelerate their engineering roadmaps," explained Jeremiah Mothersell, Marketing Manager at Akvelon, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
"MobiDev is a software development company and we do complex, custom software development for everybody from entrepreneurs to large enterprises," explained Alan Winters, U.S. Head of Business Development at MobiDev, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
SYS-CON Events announced today that CrowdReviews.com has been named “Media Sponsor” of SYS-CON's 22nd International Cloud Expo, which will take place on June 5–7, 2018, at the Javits Center in New York City, NY. CrowdReviews.com is a transparent online platform for determining which products and services are the best based on the opinion of the crowd. The crowd consists of Internet users that have experienced products and services first-hand and have an interest in letting other potential buye...
"IBM is really all in on blockchain. We take a look at sort of the history of blockchain ledger technologies. It started out with bitcoin, Ethereum, and IBM evaluated these particular blockchain technologies and found they were anonymous and permissionless and that many companies were looking for permissioned blockchain," stated René Bostic, Technical VP of the IBM Cloud Unit in North America, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Conventi...
SYS-CON Events announced today that Telecom Reseller has been named “Media Sponsor” of SYS-CON's 22nd International Cloud Expo, which will take place on June 5-7, 2018, at the Javits Center in New York, NY. Telecom Reseller reports on Unified Communications, UCaaS, BPaaS for enterprise and SMBs. They report extensively on both customer premises based solutions such as IP-PBX as well as cloud based and hosted platforms.
"Space Monkey by Vivent Smart Home is a product that is a distributed cloud-based edge storage network. Vivent Smart Home, our parent company, is a smart home provider that places a lot of hard drives across homes in North America," explained JT Olds, Director of Engineering, and Brandon Crowfeather, Product Manager, at Vivint Smart Home, in this SYS-CON.tv interview at @ThingsExpo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
Coca-Cola’s Google powered digital signage system lays the groundwork for a more valuable connection between Coke and its customers. Digital signs pair software with high-resolution displays so that a message can be changed instantly based on what the operator wants to communicate or sell. In their Day 3 Keynote at 21st Cloud Expo, Greg Chambers, Global Group Director, Digital Innovation, Coca-Cola, and Vidya Nagarajan, a Senior Product Manager at Google, discussed how from store operations and ...
It is of utmost importance for the future success of WebRTC to ensure that interoperability is operational between web browsers and any WebRTC-compliant client. To be guaranteed as operational and effective, interoperability must be tested extensively by establishing WebRTC data and media connections between different web browsers running on different devices and operating systems. In his session at WebRTC Summit at @ThingsExpo, Dr. Alex Gouaillard, CEO and Founder of CoSMo Software, presented ...
WebRTC is great technology to build your own communication tools. It will be even more exciting experience it with advanced devices, such as a 360 Camera, 360 microphone, and a depth sensor camera. In his session at @ThingsExpo, Masashi Ganeko, a manager at INFOCOM Corporation, introduced two experimental projects from his team and what they learned from them. "Shotoku Tamago" uses the robot audition software HARK to track speakers in 360 video of a remote party. "Virtual Teleport" uses a multip...
A strange thing is happening along the way to the Internet of Things, namely far too many devices to work with and manage. It has become clear that we'll need much higher efficiency user experiences that can allow us to more easily and scalably work with the thousands of devices that will soon be in each of our lives. Enter the conversational interface revolution, combining bots we can literally talk with, gesture to, and even direct with our thoughts, with embedded artificial intelligence, whic...
SYS-CON Events announced today that Evatronix will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Evatronix SA offers comprehensive solutions in the design and implementation of electronic systems, in CAD / CAM deployment, and also is a designer and manufacturer of advanced 3D scanners for professional applications.
Leading companies, from the Global Fortune 500 to the smallest companies, are adopting hybrid cloud as the path to business advantage. Hybrid cloud depends on cloud services and on-premises infrastructure working in unison. Successful implementations require new levels of data mobility, enabled by an automated and seamless flow across on-premises and cloud resources. In his general session at 21st Cloud Expo, Greg Tevis, an IBM Storage Software Technical Strategist and Customer Solution Architec...
To get the most out of their data, successful companies are not focusing on queries and data lakes, they are actively integrating analytics into their operations with a data-first application development approach. Real-time adjustments to improve revenues, reduce costs, or mitigate risk rely on applications that minimize latency on a variety of data sources. In his session at @BigDataExpo, Jack Norris, Senior Vice President, Data and Applications at MapR Technologies, reviewed best practices to ...
An increasing number of companies are creating products that combine data with analytical capabilities. Running interactive queries on Big Data requires complex architectures to store and query data effectively, typically involving data streams, an choosing efficient file format/database and multiple independent systems that are tied together through custom-engineered pipelines. In his session at @BigDataExpo at @ThingsExpo, Tomer Levi, a senior software engineer at Intel’s Advanced Analytics gr...
When talking IoT we often focus on the devices, the sensors, the hardware itself. The new smart appliances, the new smart or self-driving cars (which are amalgamations of many ‘things’). When we are looking at the world of IoT, we should take a step back, look at the big picture. What value are these devices providing? IoT is not about the devices, it’s about the data consumed and generated. The devices are tools, mechanisms, conduits. In his session at Internet of Things at Cloud Expo | DXWor...