Click here to close now.

Welcome!

Linux Authors: Pat Romanski, Mike Kavis, Lori MacVittie, VictorOps Blog, Marty Puranik

Related Topics: Linux, Virtualization

Linux: Article

Open Source for Perimeter Security

Two open source projects provide answers

Does the open source community provide world-class security technology? Can organizations stop dealing with commercial vendors for security software?

To avoid any undue suspense, the answers are: "Emphatically yes" and "Maybe, but you probably need to make an investment of some kind." But let's take a look at the evidence - this article references two open source projects: netfilter and Snort.

Escalating Challenges

First, it's clear that the challenges related to security are escalating. Outbreaks of viruses and worms are becoming more virulent and spreading faster. Blended threats and application-specific attacks are becoming more sophisticated and harder to detect. Wireless communications, instant messaging, and peer-to-peer networks are opening new holes in corporate defenses. Top management is taking a sudden and unaccustomed interest in IT security. Yet IT departments are not getting additional resources to meet these growing pressures.

Innovation in Open Source

How can the open source community help? Clearly there is a terrific surge of innovation in the field of IT security coming from open source developers and the supporting infrastructure of Linux- and open source-related organizations, Web sites, and publications.

A search on the word "security" on the freshmeat Web site (http://freshmeat.net) turns up more than 1,200 entries (see Table 1).

Security Advantages of Open Source

There is a lively discussion about the virtues of security applications on Linux versus Windows, and of open source projects versus proprietary software.

There is no doubt that today there are far more worms and exploits on Windows-based systems than on Linux-based products. It is not certain if this is simply because the larger number of Windows systems makes a more inviting target for hackers, or if the architecture of Linux is inherently more resistant to attack.

There is a strong case that Linux does have structural advantages for security. For example, at Astaro we have stripped out elements of Linux that are not needed for our security package. This removes many vulnerabilities that a hacker could use to attack a more complex version of the operating system. Performing this kind of pruning would be far more difficult with Windows.

A more important factor, however, is the fundamental development process used for open source projects.

For major projects, code is rigorously examined and exhaustively tested by hundreds of individuals - far more than even the largest commercial vendor can bring to bear on a single product.

The pace of learning and improvement is also much faster than would be possible in a typical commercial setting. Vulnerabilities are exposed more quickly, and solutions developed and tested more readily.

Perhaps most important, in the open source world it is impossible to hide or downplay security vulnerabilities. The open source development process harnesses human nature to ruthlessly expose and eliminate weaknesses, rather than to deny mistakes or delay remediation.

Myths About Open Source Development

There is a widespread and wholly inaccurate impression that open source development is somehow haphazard and undisciplined, a free-for-all among brilliant but uncoordinated individuals. In fact, most major open source projects are very tightly managed by a small, highly disciplined core team. This team determines the architecture of the software, selects the code to be included, and manages all phases of the development process. It enforces strict source control processes, and establishes detailed coding styles and security guidelines.

Critical mass in the open source world comes from the dozens, hundreds, or even thousands of developers who examine and test existing software and submit new code. These developers provide the quantity of inspiration, innovation, and plain hard work that is impossible to duplicate in a commercial setting. However, the core team is always there to coordinate the work of the masses and select the best work to include in the primary branch of the software.

An Example: The netfilter Project

An excellent example of a cutting-edge open source effort is the netfilter project (www.netfilter.org). This is a Linux-based packet filter that features stateful firewalling, Network Address Translation (NAT), load balancing, and other kinds of packet mangling.

The project was founded in 1999 in Australia and has now grown to more than 100,000 lines of code contributed by over 700 developers. There are currently about 300 active developers submitting about 1,400 postings a month to the development mailing lists.

The netfilter project is managed by a core team of 4 members who winnow down the submissions to an average of 65 code improvements and fixes per month.

This is an excellent illustration of the principles we've been discussing - an effort that utilizes the contributions of hundreds of developers, working on a project they love, managed by a small and disciplined core team.

Limitations of Open Source

Open source projects are an outstanding source of world-class security technology, but they are not a panacea for developers or IT managers who need to deploy reliable, manageable software in a real-world production environment.

The open source community is driven by technical enthusiasm, not commercial needs. While most open source developers understand the requirements of IT departments very well, they cannot reasonably be expected to donate their free time to working on mundane management issues.

As a result, open source projects provide brilliant, innovative solutions to fundamental problems, but ease of use and ease of management are typically afterthoughts.

This tendency can manifest itself in several ways: command-line interfaces or less-than-intuitive GUIs, lack of documentation and help facilities, highly manual methods to update software and threat signatures, and limited reporting capabilities. These shortcomings are minor for the highly skilled developer who enjoys digging into a new piece of technology, but they are fatal for the systems administrator or IT manager who needs to complete a lot of tasks in a short time.

Beyond the level of the individual open source project, there is no incentive to integrate separate packages into what an IT manager would view as a complete solution.

While all open source code is available for inspection, that does not mean that all of it is inspected with equal thoroughness. Many eyes will view the technically exciting parts, but the environment does not lend itself to saying: Will you please review and test the boring parts?

Finally, support options are limited for most open source software.

Harnessing Open Source Software for Security

How can organizations harness the explosive growth and innovation of the open source community (and its low costs) without suffering from limitations?

There are basically two choices:

  1. Allocate sufficient resources to fill the gaps themselves.
  2. Let a commercial vendor integrate and support a complete solution based on open source components.
In both cases the tasks are basically the same:
  • Somebody needs to create the interfaces and the documentation to make the tech-nology readily accessible to the typical overworked user or administrator (who is being distracted by a constant barrage of competing demands).
  • Somebody needs to set up automated processes to validate settings, patch software, update threat signatures, and back up configurations.
  • Somebody needs to create the reports so that the average administrator (who is still distracted and harried) can troubleshoot problems and track trends.
  • And if the solution involves multiple components (which is typical in security), someone needs to integrate the components and do thorough testing to make sure that the pieces work together under all types of hostile conditions.

An Illustration: Preparing Snort for the Typical Administrator

One of the most successful open source projects is Snort (www.snort.org), a network intrusion detection system. Snort's intrusion detection engine is widely considered to be equal to or better than any vendor-developed alternative, and the project supports a database of more than 2,000 intrusion detection rules.

However, the Snort technology in its raw form is much better suited to a highly trained security specialist than to the average systems administrator. Configuring the system and the large number of rules requires a fairly high level of expertise, not to mention a lot of time. Updating the rule set on a regular basis is also a time-consuming manual process.

About a year ago Astaro decided to utilize the Snort project as the core of a new "Intrusion Protection" module of our Linux perimeter security solution (see Figure 1). However, to fit the software to the needs of a typical administrator, we had to add quite a bit of functionality. For example, we:

  • Created a user interface that made it simple to turn intrusion detection rules on and off either individually or in categories relating to different applications and protocols (so, for example, if a particular application or protocol is not in use at a site all of the related rules could be turned off for better performance)
  • Modified the automated update service so that new intrusion threat patterns could be added with the same process that updates the firewall software and virus signatures
  • Integrated the intrusion detection engine with our firewall so that the firewall could immediately block intrusions (and modified the user interface mentioned above so that the administrator could toggle back and forth between "intrusion detection" and "intrusion prevention" for each rule)
  • Removed some of the functionality from the open source project by eliminating some of the intrusion detection rules that we felt would cause too many false positives or slow down per-formance without providing a measurable benefit to security
If you want to make this comparison yourself, you can download a free version of Astaro Security Linux at https://my.astaro.com/download and download the Snort code from www.snort.org/dl.

A Two-Way Street

Commercial companies who utilize open source projects must make significant contributions back to the community, such as funding projects and developers and making versions of proprietary software available at no cost. It's also important to adhere to the various open source licensing rules, for example, by publishing any changes made to the project code. These activities make commercial companies active contributors to the growth and success of the open source movement.

Open Source: Leverage the Pros, Ditch the Cons

Let's come back to the questions we posed at the beginning of this article:
  • Does the open source community provide world-class security technology?
  • Can organizations stop dealing with commercial vendors for security software?
The answer to the first question is clearly yes. In fact, we would argue that the best security technology in the world today is being created by the open source community. The level of expertise, and the number of contributors to security-related open source projects, is truly incredible. And as we discussed earlier, open source development processes are well organized and disciplined.

The answer to the second question is: maybe, but you probably you need to make an investment of some kind:

  • You can use open source security projects "out of the box" if you have a high skill level, a tolerance for rough edges, and no need to rely on less dedicated coworkers.
  • Your organization can commit resources to adding management features, integrating components, and providing support so that the technology can be utilized by your average administrator.
  • You can work with a vendor who integrates and packages open source projects for a commercial audience.
In all three of these cases you can take advantage of a very dynamic source of sophisticated technology at a total cost that is significantly lower than traditional security packages. This is truly an area where everyone can win.

More Stories By Jon Friedman

Jon Friedman is vice president of product marketing at Astaro Corporation. He has 20 years of experience with technology companies in marketing, business planning, market analysis, and sales. He was worked with both start-ups and Fortune 500 companies, including Systems Engineering, ePresence (formerly Banyan Systems), Nortel Networks, EPiCON, Wang Software, and Unisys.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@ThingsExpo Stories
One of the biggest impacts of the Internet of Things is and will continue to be on data; specifically data volume, management and usage. Companies are scrambling to adapt to this new and unpredictable data reality with legacy infrastructure that cannot handle the speed and volume of data. In his session at @ThingsExpo, Don DeLoach, CEO and president of Infobright, will discuss how companies need to rethink their data infrastructure to participate in the IoT, including: Data storage: Understanding the kinds of data: structured, unstructured, big/small? Analytics: What kinds and how responsiv...
Since 2008 and for the first time in history, more than half of humans live in urban areas, urging cities to become “smart.” Today, cities can leverage the wide availability of smartphones combined with new technologies such as Beacons or NFC to connect their urban furniture and environment to create citizen-first services that improve transportation, way-finding and information delivery. In her session at @ThingsExpo, Laetitia Gazel-Anthoine, CEO of Connecthings, will focus on successful use cases.
The Workspace-as-a-Service (WaaS) market will grow to $6.4B by 2018. In his session at 16th Cloud Expo, Seth Bostock, CEO of IndependenceIT, will begin by walking the audience through the evolution of Workspace as-a-Service, where it is now vs. where it going. To look beyond the desktop we must understand exactly what WaaS is, who the users are, and where it is going in the future. IT departments, ISVs and service providers must look to workflow and automation capabilities to adapt to growing demand and the rapidly changing workspace model.
Sensor-enabled things are becoming more commonplace, precursors to a larger and more complex framework that most consider the ultimate promise of the IoT: things connecting, interacting, sharing, storing, and over time perhaps learning and predicting based on habits, behaviors, location, preferences, purchases and more. In his session at @ThingsExpo, Tom Wesselman, Director of Communications Ecosystem Architecture at Plantronics, will examine the still nascent IoT as it is coalescing, including what it is today, what it might ultimately be, the role of wearable tech, and technology gaps stil...
Almost everyone sees the potential of Internet of Things but how can businesses truly unlock that potential. The key will be in the ability to discover business insight in the midst of an ocean of Big Data generated from billions of embedded devices via Systems of Discover. Businesses will also need to ensure that they can sustain that insight by leveraging the cloud for global reach, scale and elasticity.
The Internet of Things (IoT) promises to evolve the way the world does business; however, understanding how to apply it to your company can be a mystery. Most people struggle with understanding the potential business uses or tend to get caught up in the technology, resulting in solutions that fail to meet even minimum business goals. In his session at @ThingsExpo, Jesse Shiah, CEO / President / Co-Founder of AgilePoint Inc., showed what is needed to leverage the IoT to transform your business. He discussed opportunities and challenges ahead for the IoT from a market and technical point of vie...
IoT is still a vague buzzword for many people. In his session at @ThingsExpo, Mike Kavis, Vice President & Principal Cloud Architect at Cloud Technology Partners, discussed the business value of IoT that goes far beyond the general public's perception that IoT is all about wearables and home consumer services. He also discussed how IoT is perceived by investors and how venture capitalist access this space. Other topics discussed were barriers to success, what is new, what is old, and what the future may hold. Mike Kavis is Vice President & Principal Cloud Architect at Cloud Technology Pa...
Hadoop as a Service (as offered by handful of niche vendors now) is a cloud computing solution that makes medium and large-scale data processing accessible, easy, fast and inexpensive. In his session at Big Data Expo, Kumar Ramamurthy, Vice President and Chief Technologist, EIM & Big Data, at Virtusa, will discuss how this is achieved by eliminating the operational challenges of running Hadoop, so one can focus on business growth. The fragmented Hadoop distribution world and various PaaS solutions that provide a Hadoop flavor either make choices for customers very flexible in the name of opti...
The true value of the Internet of Things (IoT) lies not just in the data, but through the services that protect the data, perform the analysis and present findings in a usable way. With many IoT elements rooted in traditional IT components, Big Data and IoT isn’t just a play for enterprise. In fact, the IoT presents SMBs with the prospect of launching entirely new activities and exploring innovative areas. CompTIA research identifies several areas where IoT is expected to have the greatest impact.
The Internet of Things (IoT) is rapidly in the process of breaking from its heretofore relatively obscure enterprise applications (such as plant floor control and supply chain management) and going mainstream into the consumer space. More and more creative folks are interconnecting everyday products such as household items, mobile devices, appliances and cars, and unleashing new and imaginative scenarios. We are seeing a lot of excitement around applications in home automation, personal fitness, and in-car entertainment and this excitement will bleed into other areas. On the commercial side, m...
Advanced Persistent Threats (APTs) are increasing at an unprecedented rate. The threat landscape of today is drastically different than just a few years ago. Attacks are much more organized and sophisticated. They are harder to detect and even harder to anticipate. In the foreseeable future it's going to get a whole lot harder. Everything you know today will change. Keeping up with this changing landscape is already a daunting task. Your organization needs to use the latest tools, methods and expertise to guard against those threats. But will that be enough? In the foreseeable future attacks w...
Disruptive macro trends in technology are impacting and dramatically changing the "art of the possible" relative to supply chain management practices through the innovative use of IoT, cloud, machine learning and Big Data to enable connected ecosystems of engagement. Enterprise informatics can now move beyond point solutions that merely monitor the past and implement integrated enterprise fabrics that enable end-to-end supply chain visibility to improve customer service delivery and optimize supplier management. Learn about enterprise architecture strategies for designing connected systems tha...
Dale Kim is the Director of Industry Solutions at MapR. His background includes a variety of technical and management roles at information technology companies. While his experience includes work with relational databases, much of his career pertains to non-relational data in the areas of search, content management, and NoSQL, and includes senior roles in technical marketing, sales engineering, and support engineering. Dale holds an MBA from Santa Clara University, and a BA in Computer Science from the University of California, Berkeley.
Wearable devices have come of age. The primary applications of wearables so far have been "the Quantified Self" or the tracking of one's fitness and health status. We propose the evolution of wearables into social and emotional communication devices. Our BE(tm) sensor uses light to visualize the skin conductance response. Our sensors are very inexpensive and can be massively distributed to audiences or groups of any size, in order to gauge reactions to performances, video, or any kind of presentation. In her session at @ThingsExpo, Jocelyn Scheirer, CEO & Founder of Bionolux, will discuss ho...
The cloud is now a fact of life but generating recurring revenues that are driven by solutions and services on a consumption model have been hard to implement, until now. In their session at 16th Cloud Expo, Ermanno Bonifazi, CEO & Founder of Solgenia, and Ian Khan, Global Strategic Positioning & Brand Manager at Solgenia, will discuss how a top European telco has leveraged the innovative recurring revenue generating capability of the consumption cloud to enable a unique cloud monetization model to drive results.
As organizations shift toward IT-as-a-service models, the need for managing and protecting data residing across physical, virtual, and now cloud environments grows with it. CommVault can ensure protection &E-Discovery of your data – whether in a private cloud, a Service Provider delivered public cloud, or a hybrid cloud environment – across the heterogeneous enterprise. In his session at 16th Cloud Expo, Randy De Meno, Chief Technologist - Windows Products and Microsoft Partnerships, will discuss how to cut costs, scale easily, and unleash insight with CommVault Simpana software, the only si...
Docker is an excellent platform for organizations interested in running microservices. It offers portability and consistency between development and production environments, quick provisioning times, and a simple way to isolate services. In his session at DevOps Summit at 16th Cloud Expo, Shannon Williams, co-founder of Rancher Labs, will walk through these and other benefits of using Docker to run microservices, and provide an overview of RancherOS, a minimalist distribution of Linux designed expressly to run Docker. He will also discuss Rancher, an orchestration and service discovery platf...
Analytics is the foundation of smart data and now, with the ability to run Hadoop directly on smart storage systems like Cloudian HyperStore, enterprises will gain huge business advantages in terms of scalability, efficiency and cost savings as they move closer to realizing the potential of the Internet of Things. In his session at 16th Cloud Expo, Paul Turner, technology evangelist and CMO at Cloudian, Inc., will discuss the revolutionary notion that the storage world is transitioning from mere Big Data to smart data. He will argue that today’s hybrid cloud storage solutions, with commodity...
Cloud data governance was previously an avoided function when cloud deployments were relatively small. With the rapid adoption in public cloud – both rogue and sanctioned, it’s not uncommon to find regulated data dumped into public cloud and unprotected. This is why enterprises and cloud providers alike need to embrace a cloud data governance function and map policies, processes and technology controls accordingly. In her session at 15th Cloud Expo, Evelyn de Souza, Data Privacy and Compliance Strategy Leader at Cisco Systems, will focus on how to set up a cloud data governance program and s...
Roberto Medrano, Executive Vice President at SOA Software, had reached 30,000 page views on his home page - http://RobertoMedrano.SYS-CON.com/ - on the SYS-CON family of online magazines, which includes Cloud Computing Journal, Internet of Things Journal, Big Data Journal, and SOA World Magazine. He is a recognized executive in the information technology fields of SOA, internet security, governance, and compliance. He has extensive experience with both start-ups and large companies, having been involved at the beginning of four IT industries: EDA, Open Systems, Computer Security and now SOA.