Click here to close now.

Welcome!

Linux Authors: Esmeralda Swartz, Pat Romanski, Jason Bloomberg, Elizabeth White, Liz McMillan

Related Topics: Linux, Virtualization

Linux: Article

Open Source for Perimeter Security

Two open source projects provide answers

Does the open source community provide world-class security technology? Can organizations stop dealing with commercial vendors for security software?

To avoid any undue suspense, the answers are: "Emphatically yes" and "Maybe, but you probably need to make an investment of some kind." But let's take a look at the evidence - this article references two open source projects: netfilter and Snort.

Escalating Challenges

First, it's clear that the challenges related to security are escalating. Outbreaks of viruses and worms are becoming more virulent and spreading faster. Blended threats and application-specific attacks are becoming more sophisticated and harder to detect. Wireless communications, instant messaging, and peer-to-peer networks are opening new holes in corporate defenses. Top management is taking a sudden and unaccustomed interest in IT security. Yet IT departments are not getting additional resources to meet these growing pressures.

Innovation in Open Source

How can the open source community help? Clearly there is a terrific surge of innovation in the field of IT security coming from open source developers and the supporting infrastructure of Linux- and open source-related organizations, Web sites, and publications.

A search on the word "security" on the freshmeat Web site (http://freshmeat.net) turns up more than 1,200 entries (see Table 1).

Security Advantages of Open Source

There is a lively discussion about the virtues of security applications on Linux versus Windows, and of open source projects versus proprietary software.

There is no doubt that today there are far more worms and exploits on Windows-based systems than on Linux-based products. It is not certain if this is simply because the larger number of Windows systems makes a more inviting target for hackers, or if the architecture of Linux is inherently more resistant to attack.

There is a strong case that Linux does have structural advantages for security. For example, at Astaro we have stripped out elements of Linux that are not needed for our security package. This removes many vulnerabilities that a hacker could use to attack a more complex version of the operating system. Performing this kind of pruning would be far more difficult with Windows.

A more important factor, however, is the fundamental development process used for open source projects.

For major projects, code is rigorously examined and exhaustively tested by hundreds of individuals - far more than even the largest commercial vendor can bring to bear on a single product.

The pace of learning and improvement is also much faster than would be possible in a typical commercial setting. Vulnerabilities are exposed more quickly, and solutions developed and tested more readily.

Perhaps most important, in the open source world it is impossible to hide or downplay security vulnerabilities. The open source development process harnesses human nature to ruthlessly expose and eliminate weaknesses, rather than to deny mistakes or delay remediation.

Myths About Open Source Development

There is a widespread and wholly inaccurate impression that open source development is somehow haphazard and undisciplined, a free-for-all among brilliant but uncoordinated individuals. In fact, most major open source projects are very tightly managed by a small, highly disciplined core team. This team determines the architecture of the software, selects the code to be included, and manages all phases of the development process. It enforces strict source control processes, and establishes detailed coding styles and security guidelines.

Critical mass in the open source world comes from the dozens, hundreds, or even thousands of developers who examine and test existing software and submit new code. These developers provide the quantity of inspiration, innovation, and plain hard work that is impossible to duplicate in a commercial setting. However, the core team is always there to coordinate the work of the masses and select the best work to include in the primary branch of the software.

An Example: The netfilter Project

An excellent example of a cutting-edge open source effort is the netfilter project (www.netfilter.org). This is a Linux-based packet filter that features stateful firewalling, Network Address Translation (NAT), load balancing, and other kinds of packet mangling.

The project was founded in 1999 in Australia and has now grown to more than 100,000 lines of code contributed by over 700 developers. There are currently about 300 active developers submitting about 1,400 postings a month to the development mailing lists.

The netfilter project is managed by a core team of 4 members who winnow down the submissions to an average of 65 code improvements and fixes per month.

This is an excellent illustration of the principles we've been discussing - an effort that utilizes the contributions of hundreds of developers, working on a project they love, managed by a small and disciplined core team.

Limitations of Open Source

Open source projects are an outstanding source of world-class security technology, but they are not a panacea for developers or IT managers who need to deploy reliable, manageable software in a real-world production environment.

The open source community is driven by technical enthusiasm, not commercial needs. While most open source developers understand the requirements of IT departments very well, they cannot reasonably be expected to donate their free time to working on mundane management issues.

As a result, open source projects provide brilliant, innovative solutions to fundamental problems, but ease of use and ease of management are typically afterthoughts.

This tendency can manifest itself in several ways: command-line interfaces or less-than-intuitive GUIs, lack of documentation and help facilities, highly manual methods to update software and threat signatures, and limited reporting capabilities. These shortcomings are minor for the highly skilled developer who enjoys digging into a new piece of technology, but they are fatal for the systems administrator or IT manager who needs to complete a lot of tasks in a short time.

Beyond the level of the individual open source project, there is no incentive to integrate separate packages into what an IT manager would view as a complete solution.

While all open source code is available for inspection, that does not mean that all of it is inspected with equal thoroughness. Many eyes will view the technically exciting parts, but the environment does not lend itself to saying: Will you please review and test the boring parts?

Finally, support options are limited for most open source software.

Harnessing Open Source Software for Security

How can organizations harness the explosive growth and innovation of the open source community (and its low costs) without suffering from limitations?

There are basically two choices:

  1. Allocate sufficient resources to fill the gaps themselves.
  2. Let a commercial vendor integrate and support a complete solution based on open source components.
In both cases the tasks are basically the same:
  • Somebody needs to create the interfaces and the documentation to make the tech-nology readily accessible to the typical overworked user or administrator (who is being distracted by a constant barrage of competing demands).
  • Somebody needs to set up automated processes to validate settings, patch software, update threat signatures, and back up configurations.
  • Somebody needs to create the reports so that the average administrator (who is still distracted and harried) can troubleshoot problems and track trends.
  • And if the solution involves multiple components (which is typical in security), someone needs to integrate the components and do thorough testing to make sure that the pieces work together under all types of hostile conditions.

An Illustration: Preparing Snort for the Typical Administrator

One of the most successful open source projects is Snort (www.snort.org), a network intrusion detection system. Snort's intrusion detection engine is widely considered to be equal to or better than any vendor-developed alternative, and the project supports a database of more than 2,000 intrusion detection rules.

However, the Snort technology in its raw form is much better suited to a highly trained security specialist than to the average systems administrator. Configuring the system and the large number of rules requires a fairly high level of expertise, not to mention a lot of time. Updating the rule set on a regular basis is also a time-consuming manual process.

About a year ago Astaro decided to utilize the Snort project as the core of a new "Intrusion Protection" module of our Linux perimeter security solution (see Figure 1). However, to fit the software to the needs of a typical administrator, we had to add quite a bit of functionality. For example, we:

  • Created a user interface that made it simple to turn intrusion detection rules on and off either individually or in categories relating to different applications and protocols (so, for example, if a particular application or protocol is not in use at a site all of the related rules could be turned off for better performance)
  • Modified the automated update service so that new intrusion threat patterns could be added with the same process that updates the firewall software and virus signatures
  • Integrated the intrusion detection engine with our firewall so that the firewall could immediately block intrusions (and modified the user interface mentioned above so that the administrator could toggle back and forth between "intrusion detection" and "intrusion prevention" for each rule)
  • Removed some of the functionality from the open source project by eliminating some of the intrusion detection rules that we felt would cause too many false positives or slow down per-formance without providing a measurable benefit to security
If you want to make this comparison yourself, you can download a free version of Astaro Security Linux at https://my.astaro.com/download and download the Snort code from www.snort.org/dl.

A Two-Way Street

Commercial companies who utilize open source projects must make significant contributions back to the community, such as funding projects and developers and making versions of proprietary software available at no cost. It's also important to adhere to the various open source licensing rules, for example, by publishing any changes made to the project code. These activities make commercial companies active contributors to the growth and success of the open source movement.

Open Source: Leverage the Pros, Ditch the Cons

Let's come back to the questions we posed at the beginning of this article:
  • Does the open source community provide world-class security technology?
  • Can organizations stop dealing with commercial vendors for security software?
The answer to the first question is clearly yes. In fact, we would argue that the best security technology in the world today is being created by the open source community. The level of expertise, and the number of contributors to security-related open source projects, is truly incredible. And as we discussed earlier, open source development processes are well organized and disciplined.

The answer to the second question is: maybe, but you probably you need to make an investment of some kind:

  • You can use open source security projects "out of the box" if you have a high skill level, a tolerance for rough edges, and no need to rely on less dedicated coworkers.
  • Your organization can commit resources to adding management features, integrating components, and providing support so that the technology can be utilized by your average administrator.
  • You can work with a vendor who integrates and packages open source projects for a commercial audience.
In all three of these cases you can take advantage of a very dynamic source of sophisticated technology at a total cost that is significantly lower than traditional security packages. This is truly an area where everyone can win.

More Stories By Jon Friedman

Jon Friedman is vice president of product marketing at Astaro Corporation. He has 20 years of experience with technology companies in marketing, business planning, market analysis, and sales. He was worked with both start-ups and Fortune 500 companies, including Systems Engineering, ePresence (formerly Banyan Systems), Nortel Networks, EPiCON, Wang Software, and Unisys.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@ThingsExpo Stories
GENBAND has announced that SageNet is leveraging the Nuvia platform to deliver Unified Communications as a Service (UCaaS) to its large base of retail and enterprise customers. Nuvia’s cloud-based solution provides SageNet’s customers with a full suite of business communications and collaboration tools. Two large national SageNet retail customers have recently signed up to deploy the Nuvia platform and the company will continue to sell the service to new and existing customers. Nuvia’s capabilities include HD voice, video, multimedia messaging, mobility, conferencing, Web collaboration, deskt...
The Open Compute Project is a collective effort by Facebook and a number of players in the datacenter industry to bring lessons learned from the social media giant's giant IT deployment to the rest of the world. Datacenters account for 3% of global electricity consumption – about the same as all of Switzerland or the Czech Republic -- according to people I met at the recent Open Compute Summit in San Jose. With increasing mobility at the edge of the cloud and vast new dataflows being predicted with the growth of the Internet of Things (and The Coming Age of Many Zettabytes) in the near...
Wearable technology was dominant at this year’s International Consumer Electronics Show (CES) , and MWC was no exception to this trend. New versions of favorites, such as the Samsung Gear (three new products were released: the Gear 2, the Gear 2 Neo and the Gear Fit), shared the limelight with new wearables like Pebble Time Steel (the new premium version of the company’s previously released smartwatch) and the LG Watch Urbane. The most dramatic difference at MWC was an emphasis on presenting wearables as fashion accessories and moving away from the original clunky technology associated with t...
The WebRTC Summit 2014 New York, to be held June 9-11, 2015, at the Javits Center in New York, NY, announces that its Call for Papers is open. Topics include all aspects of improving IT delivery by eliminating waste through automated business models leveraging cloud technologies. WebRTC Summit is co-located with 16th International Cloud Expo, @ThingsExpo, Big Data Expo, and DevOps Summit.
SYS-CON Events announced today that Cisco, the worldwide leader in IT that transforms how people connect, communicate and collaborate, has been named “Gold Sponsor” of SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. Cisco makes amazing things happen by connecting the unconnected. Cisco has shaped the future of the Internet by becoming the worldwide leader in transforming how people connect, communicate and collaborate. Cisco and our partners are building the platform for the Internet of Everything by connecting the...
15th Cloud Expo, which took place Nov. 4-6, 2014, at the Santa Clara Convention Center in Santa Clara, CA, expanded the conference content of @ThingsExpo, Big Data Expo, and DevOps Summit to include two developer events. IBM held a Bluemix Developer Playground on November 5 and ElasticBox held a Hackathon on November 6. Both events took place on the expo floor. The Bluemix Developer Playground, for developers of all levels, highlighted the ease of use of Bluemix, its services and functionality and provide short-term introductory projects that developers can complete between sessions.
Temasys has announced senior management additions to its team. Joining are David Holloway as Vice President of Commercial and Nadine Yap as Vice President of Product. Over the past 12 months Temasys has doubled in size as it adds new customers and expands the development of its Skylink platform. Skylink leads the charge to move WebRTC, traditionally seen as a desktop, browser based technology, to become a ubiquitous web communications technology on web and mobile, as well as Internet of Things compatible devices.
SYS-CON Events announced today that robomq.io will exhibit at SYS-CON's @ThingsExpo, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. robomq.io is an interoperable and composable platform that connects any device to any application. It helps systems integrators and the solution providers build new and innovative products and service for industries requiring monitoring or intelligence from devices and sensors.
The list of ‘new paradigm’ technologies that now surrounds us appears to be at an all time high. From cloud computing and Big Data analytics to Bring Your Own Device (BYOD) and the Internet of Things (IoT), today we have to deal with what the industry likes to call ‘paradigm shifts’ at every level of IT. This is disruption; of course, we understand that – change is almost always disruptive.
WebRTC is an up-and-coming standard that enables real-time voice and video to be directly embedded into browsers making the browser a primary user interface for communications and collaboration. WebRTC runs in a number of browsers today and is currently supported in over a billion installed browsers globally, across a range of platform OS and devices. Today, organizations that choose to deploy WebRTC applications and use a host machine that supports audio through USB or Bluetooth can use Plantronics products to connect and transit or receive the audio associated with the WebRTC session.
Docker is an excellent platform for organizations interested in running microservices. It offers portability and consistency between development and production environments, quick provisioning times, and a simple way to isolate services. In his session at DevOps Summit at 16th Cloud Expo, Shannon Williams, co-founder of Rancher Labs, will walk through these and other benefits of using Docker to run microservices, and provide an overview of RancherOS, a minimalist distribution of Linux designed expressly to run Docker. He will also discuss Rancher, an orchestration and service discovery platf...
Sonus Networks introduced the Sonus WebRTC Services Solution, a virtualized Web Real-Time Communications (WebRTC) offer, purpose-built for the Cloud. The WebRTC Services Solution provides signaling from WebRTC-to-WebRTC applications and interworking from WebRTC-to-Session Initiation Protocol (SIP), delivering advanced real-time communications capabilities on mobile applications and on websites, which are accessible via a browser.
SYS-CON Events announced today that Aria Systems, the leading innovator in recurring revenue, has been named “Bronze Sponsor” of SYS-CON's @ThingsExpo, which will take place on June 9–11, 2015, at the Javits Center in New York, NY. Proven by the world’s most demanding enterprises, including AAA NCNU, Constant Contact, Falck, Hootsuite, Pitney Bowes, Telekom Denmark, and VMware, Aria helps enterprises grow their recurring revenue businesses. With Aria’s end-to-end active monetization platform, global brands can get to market faster with a wider variety of products and services, while maximizin...
SYS-CON Media announced today that @WebRTCSummit Blog, the largest WebRTC resource in the world, has been launched. @WebRTCSummit Blog offers top articles, news stories, and blog posts from the world's well-known experts and guarantees better exposure for its authors than any other publication. @WebRTCSummit Blog can be bookmarked ▸ Here @WebRTCSummit conference site can be bookmarked ▸ Here
SYS-CON Events announced today that Alert Logic, the leading provider of Security-as-a-Service solutions for the cloud, has been named “Bronze Sponsor” of SYS-CON's 16th International Cloud Expo® and DevOps Summit 2015 New York, which will take place June 9-11, 2015, at the Javits Center in New York City, NY, and the 17th International Cloud Expo® and DevOps Summit 2015 Silicon Valley, which will take place November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA.
SYS-CON Events announced today that Vitria Technology, Inc. will exhibit at SYS-CON’s @ThingsExpo, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. Vitria will showcase the company’s new IoT Analytics Platform through live demonstrations at booth #330. Vitria’s IoT Analytics Platform, fully integrated and powered by an operational intelligence engine, enables customers to rapidly build and operationalize advanced analytics to deliver timely business outcomes for use cases across the industrial, enterprise, and consumer segments.
SYS-CON Events announced today that Solgenia will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY, and the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. Solgenia is the global market leader in Cloud Collaboration and Cloud Infrastructure software solutions. Designed to “Bridge the Gap” between Personal and Professional Social, Mobile and Cloud user experiences, our solutions help large and medium-sized organizations dr...
SYS-CON Events announced today that Liaison Technologies, a leading provider of data management and integration cloud services and solutions, has been named "Silver Sponsor" of SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York, NY. Liaison Technologies is a recognized market leader in providing cloud-enabled data integration and data management solutions to break down complex information barriers, enabling enterprises to make smarter decisions, faster.
Connected devices and the Internet of Things are getting significant momentum in 2014. In his session at Internet of @ThingsExpo, Jim Hunter, Chief Scientist & Technology Evangelist at Greenwave Systems, examined three key elements that together will drive mass adoption of the IoT before the end of 2015. The first element is the recent advent of robust open source protocols (like AllJoyn and WebRTC) that facilitate M2M communication. The second is broad availability of flexible, cost-effective storage designed to handle the massive surge in back-end data in a world where timely analytics is e...
SYS-CON Events announced today that Akana, formerly SOA Software, has been named “Bronze Sponsor” of SYS-CON's 16th International Cloud Expo® New York, which will take place June 9-11, 2015, at the Javits Center in New York City, NY. Akana’s comprehensive suite of API Management, API Security, Integrated SOA Governance, and Cloud Integration solutions helps businesses accelerate digital transformation by securely extending their reach across multiple channels – mobile, cloud and Internet of Things. Akana enables enterprises to share data as APIs, connect and integrate applications, drive part...