Click here to close now.


Linux Containers Authors: Pat Romanski, JP Morgenthal, PagerDuty Blog, Liz McMillan, Derek Weeks

Related Topics: Linux Containers, Containers Expo Blog

Linux Containers: Article

Open Source for Perimeter Security

Two open source projects provide answers

Does the open source community provide world-class security technology? Can organizations stop dealing with commercial vendors for security software?

To avoid any undue suspense, the answers are: "Emphatically yes" and "Maybe, but you probably need to make an investment of some kind." But let's take a look at the evidence - this article references two open source projects: netfilter and Snort.

Escalating Challenges

First, it's clear that the challenges related to security are escalating. Outbreaks of viruses and worms are becoming more virulent and spreading faster. Blended threats and application-specific attacks are becoming more sophisticated and harder to detect. Wireless communications, instant messaging, and peer-to-peer networks are opening new holes in corporate defenses. Top management is taking a sudden and unaccustomed interest in IT security. Yet IT departments are not getting additional resources to meet these growing pressures.

Innovation in Open Source

How can the open source community help? Clearly there is a terrific surge of innovation in the field of IT security coming from open source developers and the supporting infrastructure of Linux- and open source-related organizations, Web sites, and publications.

A search on the word "security" on the freshmeat Web site ( turns up more than 1,200 entries (see Table 1).

Security Advantages of Open Source

There is a lively discussion about the virtues of security applications on Linux versus Windows, and of open source projects versus proprietary software.

There is no doubt that today there are far more worms and exploits on Windows-based systems than on Linux-based products. It is not certain if this is simply because the larger number of Windows systems makes a more inviting target for hackers, or if the architecture of Linux is inherently more resistant to attack.

There is a strong case that Linux does have structural advantages for security. For example, at Astaro we have stripped out elements of Linux that are not needed for our security package. This removes many vulnerabilities that a hacker could use to attack a more complex version of the operating system. Performing this kind of pruning would be far more difficult with Windows.

A more important factor, however, is the fundamental development process used for open source projects.

For major projects, code is rigorously examined and exhaustively tested by hundreds of individuals - far more than even the largest commercial vendor can bring to bear on a single product.

The pace of learning and improvement is also much faster than would be possible in a typical commercial setting. Vulnerabilities are exposed more quickly, and solutions developed and tested more readily.

Perhaps most important, in the open source world it is impossible to hide or downplay security vulnerabilities. The open source development process harnesses human nature to ruthlessly expose and eliminate weaknesses, rather than to deny mistakes or delay remediation.

Myths About Open Source Development

There is a widespread and wholly inaccurate impression that open source development is somehow haphazard and undisciplined, a free-for-all among brilliant but uncoordinated individuals. In fact, most major open source projects are very tightly managed by a small, highly disciplined core team. This team determines the architecture of the software, selects the code to be included, and manages all phases of the development process. It enforces strict source control processes, and establishes detailed coding styles and security guidelines.

Critical mass in the open source world comes from the dozens, hundreds, or even thousands of developers who examine and test existing software and submit new code. These developers provide the quantity of inspiration, innovation, and plain hard work that is impossible to duplicate in a commercial setting. However, the core team is always there to coordinate the work of the masses and select the best work to include in the primary branch of the software.

An Example: The netfilter Project

An excellent example of a cutting-edge open source effort is the netfilter project ( This is a Linux-based packet filter that features stateful firewalling, Network Address Translation (NAT), load balancing, and other kinds of packet mangling.

The project was founded in 1999 in Australia and has now grown to more than 100,000 lines of code contributed by over 700 developers. There are currently about 300 active developers submitting about 1,400 postings a month to the development mailing lists.

The netfilter project is managed by a core team of 4 members who winnow down the submissions to an average of 65 code improvements and fixes per month.

This is an excellent illustration of the principles we've been discussing - an effort that utilizes the contributions of hundreds of developers, working on a project they love, managed by a small and disciplined core team.

Limitations of Open Source

Open source projects are an outstanding source of world-class security technology, but they are not a panacea for developers or IT managers who need to deploy reliable, manageable software in a real-world production environment.

The open source community is driven by technical enthusiasm, not commercial needs. While most open source developers understand the requirements of IT departments very well, they cannot reasonably be expected to donate their free time to working on mundane management issues.

As a result, open source projects provide brilliant, innovative solutions to fundamental problems, but ease of use and ease of management are typically afterthoughts.

This tendency can manifest itself in several ways: command-line interfaces or less-than-intuitive GUIs, lack of documentation and help facilities, highly manual methods to update software and threat signatures, and limited reporting capabilities. These shortcomings are minor for the highly skilled developer who enjoys digging into a new piece of technology, but they are fatal for the systems administrator or IT manager who needs to complete a lot of tasks in a short time.

Beyond the level of the individual open source project, there is no incentive to integrate separate packages into what an IT manager would view as a complete solution.

While all open source code is available for inspection, that does not mean that all of it is inspected with equal thoroughness. Many eyes will view the technically exciting parts, but the environment does not lend itself to saying: Will you please review and test the boring parts?

Finally, support options are limited for most open source software.

Harnessing Open Source Software for Security

How can organizations harness the explosive growth and innovation of the open source community (and its low costs) without suffering from limitations?

There are basically two choices:

  1. Allocate sufficient resources to fill the gaps themselves.
  2. Let a commercial vendor integrate and support a complete solution based on open source components.
In both cases the tasks are basically the same:
  • Somebody needs to create the interfaces and the documentation to make the tech-nology readily accessible to the typical overworked user or administrator (who is being distracted by a constant barrage of competing demands).
  • Somebody needs to set up automated processes to validate settings, patch software, update threat signatures, and back up configurations.
  • Somebody needs to create the reports so that the average administrator (who is still distracted and harried) can troubleshoot problems and track trends.
  • And if the solution involves multiple components (which is typical in security), someone needs to integrate the components and do thorough testing to make sure that the pieces work together under all types of hostile conditions.

An Illustration: Preparing Snort for the Typical Administrator

One of the most successful open source projects is Snort (, a network intrusion detection system. Snort's intrusion detection engine is widely considered to be equal to or better than any vendor-developed alternative, and the project supports a database of more than 2,000 intrusion detection rules.

However, the Snort technology in its raw form is much better suited to a highly trained security specialist than to the average systems administrator. Configuring the system and the large number of rules requires a fairly high level of expertise, not to mention a lot of time. Updating the rule set on a regular basis is also a time-consuming manual process.

About a year ago Astaro decided to utilize the Snort project as the core of a new "Intrusion Protection" module of our Linux perimeter security solution (see Figure 1). However, to fit the software to the needs of a typical administrator, we had to add quite a bit of functionality. For example, we:

  • Created a user interface that made it simple to turn intrusion detection rules on and off either individually or in categories relating to different applications and protocols (so, for example, if a particular application or protocol is not in use at a site all of the related rules could be turned off for better performance)
  • Modified the automated update service so that new intrusion threat patterns could be added with the same process that updates the firewall software and virus signatures
  • Integrated the intrusion detection engine with our firewall so that the firewall could immediately block intrusions (and modified the user interface mentioned above so that the administrator could toggle back and forth between "intrusion detection" and "intrusion prevention" for each rule)
  • Removed some of the functionality from the open source project by eliminating some of the intrusion detection rules that we felt would cause too many false positives or slow down per-formance without providing a measurable benefit to security
If you want to make this comparison yourself, you can download a free version of Astaro Security Linux at and download the Snort code from

A Two-Way Street

Commercial companies who utilize open source projects must make significant contributions back to the community, such as funding projects and developers and making versions of proprietary software available at no cost. It's also important to adhere to the various open source licensing rules, for example, by publishing any changes made to the project code. These activities make commercial companies active contributors to the growth and success of the open source movement.

Open Source: Leverage the Pros, Ditch the Cons

Let's come back to the questions we posed at the beginning of this article:
  • Does the open source community provide world-class security technology?
  • Can organizations stop dealing with commercial vendors for security software?
The answer to the first question is clearly yes. In fact, we would argue that the best security technology in the world today is being created by the open source community. The level of expertise, and the number of contributors to security-related open source projects, is truly incredible. And as we discussed earlier, open source development processes are well organized and disciplined.

The answer to the second question is: maybe, but you probably you need to make an investment of some kind:

  • You can use open source security projects "out of the box" if you have a high skill level, a tolerance for rough edges, and no need to rely on less dedicated coworkers.
  • Your organization can commit resources to adding management features, integrating components, and providing support so that the technology can be utilized by your average administrator.
  • You can work with a vendor who integrates and packages open source projects for a commercial audience.
In all three of these cases you can take advantage of a very dynamic source of sophisticated technology at a total cost that is significantly lower than traditional security packages. This is truly an area where everyone can win.

More Stories By Jon Friedman

Jon Friedman is vice president of product marketing at Astaro Corporation. He has 20 years of experience with technology companies in marketing, business planning, market analysis, and sales. He was worked with both start-ups and Fortune 500 companies, including Systems Engineering, ePresence (formerly Banyan Systems), Nortel Networks, EPiCON, Wang Software, and Unisys.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.

@ThingsExpo Stories
Today air travel is a minefield of delays, hassles and customer disappointment. Airlines struggle to revitalize the experience. GE and M2Mi will demonstrate practical examples of how IoT solutions are helping airlines bring back personalization, reduce trip time and improve reliability. In their session at @ThingsExpo, Shyam Varan Nath, Principal Architect with GE, and Dr. Sarah Cooper, M2Mi’s VP Business Development and Engineering, explored the IoT cloud-based platform technologies driving this change including privacy controls, data transparency and integration of real time context with p...
The Internet of Things (IoT) is growing rapidly by extending current technologies, products and networks. By 2020, Cisco estimates there will be 50 billion connected devices. Gartner has forecast revenues of over $300 billion, just to IoT suppliers. Now is the time to figure out how you’ll make money – not just create innovative products. With hundreds of new products and companies jumping into the IoT fray every month, there’s no shortage of innovation. Despite this, McKinsey/VisionMobile data shows "less than 10 percent of IoT developers are making enough to support a reasonably sized team....
Just over a week ago I received a long and loud sustained applause for a presentation I delivered at this year’s Cloud Expo in Santa Clara. I was extremely pleased with the turnout and had some very good conversations with many of the attendees. Over the next few days I had many more meaningful conversations and was not only happy with the results but also learned a few new things. Here is everything I learned in those three days distilled into three short points.
DevOps is about increasing efficiency, but nothing is more inefficient than building the same application twice. However, this is a routine occurrence with enterprise applications that need both a rich desktop web interface and strong mobile support. With recent technological advances from Isomorphic Software and others, rich desktop and tuned mobile experiences can now be created with a single codebase – without compromising functionality, performance or usability. In his session at DevOps Summit, Charles Kendrick, CTO and Chief Architect at Isomorphic Software, demonstrated examples of com...
As organizations realize the scope of the Internet of Things, gaining key insights from Big Data, through the use of advanced analytics, becomes crucial. However, IoT also creates the need for petabyte scale storage of data from millions of devices. A new type of Storage is required which seamlessly integrates robust data analytics with massive scale. These storage systems will act as “smart systems” provide in-place analytics that speed discovery and enable businesses to quickly derive meaningful and actionable insights. In his session at @ThingsExpo, Paul Turner, Chief Marketing Officer at...
In his keynote at @ThingsExpo, Chris Matthieu, Director of IoT Engineering at Citrix and co-founder and CTO of Octoblu, focused on building an IoT platform and company. He provided a behind-the-scenes look at Octoblu’s platform, business, and pivots along the way (including the Citrix acquisition of Octoblu).
In his General Session at 17th Cloud Expo, Bruce Swann, Senior Product Marketing Manager for Adobe Campaign, explored the key ingredients of cross-channel marketing in a digital world. Learn how the Adobe Marketing Cloud can help marketers embrace opportunities for personalized, relevant and real-time customer engagement across offline (direct mail, point of sale, call center) and digital (email, website, SMS, mobile apps, social networks, connected objects).
The Internet of Everything is re-shaping technology trends–moving away from “request/response” architecture to an “always-on” Streaming Web where data is in constant motion and secure, reliable communication is an absolute necessity. As more and more THINGS go online, the challenges that developers will need to address will only increase exponentially. In his session at @ThingsExpo, Todd Greene, Founder & CEO of PubNub, exploreed the current state of IoT connectivity and review key trends and technology requirements that will drive the Internet of Things from hype to reality.
Two weeks ago (November 3-5), I attended the Cloud Expo Silicon Valley as a speaker, where I presented on the security and privacy due diligence requirements for cloud solutions. Cloud security is a topical issue for every CIO, CISO, and technology buyer. Decision-makers are always looking for insights on how to mitigate the security risks of implementing and using cloud solutions. Based on the presentation topics covered at the conference, as well as the general discussions heard between sessions, I wanted to share some of my observations on emerging trends. As cyber security serves as a fou...
We all know that data growth is exploding and storage budgets are shrinking. Instead of showing you charts on about how much data there is, in his General Session at 17th Cloud Expo, Scott Cleland, Senior Director of Product Marketing at HGST, showed how to capture all of your data in one place. After you have your data under control, you can then analyze it in one place, saving time and resources.
With all the incredible momentum behind the Internet of Things (IoT) industry, it is easy to forget that not a single CEO wakes up and wonders if “my IoT is broken.” What they wonder is if they are making the right decisions to do all they can to increase revenue, decrease costs, and improve customer experience – effectively the same challenges they have always had in growing their business. The exciting thing about the IoT industry is now these decisions can be better, faster, and smarter. Now all corporate assets – people, objects, and spaces – can share information about themselves and thei...
The cloud. Like a comic book superhero, there seems to be no problem it can’t fix or cost it can’t slash. Yet making the transition is not always easy and production environments are still largely on premise. Taking some practical and sensible steps to reduce risk can also help provide a basis for a successful cloud transition. A plethora of surveys from the likes of IDG and Gartner show that more than 70 percent of enterprises have deployed at least one or more cloud application or workload. Yet a closer inspection at the data reveals less than half of these cloud projects involve production...
Continuous processes around the development and deployment of applications are both impacted by -- and a benefit to -- the Internet of Things trend. To help better understand the relationship between DevOps and a plethora of new end-devices and data please welcome Gary Gruver, consultant, author and a former IT executive who has led many large-scale IT transformation projects, and John Jeremiah, Technology Evangelist at Hewlett Packard Enterprise (HPE), on Twitter at @j_jeremiah. The discussion is moderated by me, Dana Gardner, Principal Analyst at Interarbor Solutions.
Discussions of cloud computing have evolved in recent years from a focus on specific types of cloud, to a world of hybrid cloud, and to a world dominated by the APIs that make today's multi-cloud environments and hybrid clouds possible. In this Power Panel at 17th Cloud Expo, moderated by Conference Chair Roger Strukhoff, panelists addressed the importance of customers being able to use the specific technologies they need, through environments and ecosystems that expose their APIs to make true change and transformation possible.
Too often with compelling new technologies market participants become overly enamored with that attractiveness of the technology and neglect underlying business drivers. This tendency, what some call the “newest shiny object syndrome” is understandable given that virtually all of us are heavily engaged in technology. But it is also mistaken. Without concrete business cases driving its deployment, IoT, like many other technologies before it, will fade into obscurity.
Microservices are a very exciting architectural approach that many organizations are looking to as a way to accelerate innovation. Microservices promise to allow teams to move away from monolithic "ball of mud" systems, but the reality is that, in the vast majority of organizations, different projects and technologies will continue to be developed at different speeds. How to handle the dependencies between these disparate systems with different iteration cycles? Consider the "canoncial problem" in this scenario: microservice A (releases daily) depends on a couple of additions to backend B (re...
The Internet of Things is clearly many things: data collection and analytics, wearables, Smart Grids and Smart Cities, the Industrial Internet, and more. Cool platforms like Arduino, Raspberry Pi, Intel's Galileo and Edison, and a diverse world of sensors are making the IoT a great toy box for developers in all these areas. In this Power Panel at @ThingsExpo, moderated by Conference Chair Roger Strukhoff, panelists discussed what things are the most important, which will have the most profound effect on the world, and what should we expect to see over the next couple of years.
Container technology is shaping the future of DevOps and it’s also changing the way organizations think about application development. With the rise of mobile applications in the enterprise, businesses are abandoning year-long development cycles and embracing technologies that enable rapid development and continuous deployment of apps. In his session at DevOps Summit, Kurt Collins, Developer Evangelist at, examined how Docker has evolved into a highly effective tool for application delivery by allowing increasingly popular Mobile Backend-as-a-Service (mBaaS) platforms to quickly crea...
Growth hacking is common for startups to make unheard-of progress in building their business. Career Hacks can help Geek Girls and those who support them (yes, that's you too, Dad!) to excel in this typically male-dominated world. Get ready to learn the facts: Is there a bias against women in the tech / developer communities? Why are women 50% of the workforce, but hold only 24% of the STEM or IT positions? Some beginnings of what to do about it! In her Day 2 Keynote at 17th Cloud Expo, Sandy Carter, IBM General Manager Cloud Ecosystem and Developers, and a Social Business Evangelist, wil...
PubNub has announced the release of BLOCKS, a set of customizable microservices that give developers a simple way to add code and deploy features for realtime apps.PubNub BLOCKS executes business logic directly on the data streaming through PubNub’s network without splitting it off to an intermediary server controlled by the customer. This revolutionary approach streamlines app development, reduces endpoint-to-endpoint latency, and allows apps to better leverage the enormous scalability of PubNub’s Data Stream Network.