Armed with open source

By Joel Snyder
Computer World, March, 2007

Original Article on Network World Web Site

Open source technologies already permeate most data centres, and their influence is spreading. However, data centre managers who wouldn't think twice about dropping a new Linux server into a rack feel very differently about building an open source firewall as the main barrier between their own network and the great unwashed. Security remains outside the open-source comfort zone.

Still, there are four primary arguments in favour of open-source security tools: agility in the face of changing threats, control of one's own destiny with full source code, customization to one's own requirements, and lower cost. With that in mind, good examples of freely available security products abound.

Greater agility in mail security

The e-mail security gateway is a perfect example of how open source products can answer the need for agility. The function of this gateway has changed from interoperability between disparate mail systems to security, with protection against spam and viruses - and now phishing protection and compliance requirements - at the top of the list. The gateway landscape continues to change quickly, with commercial products entering or leaving the market rapidly, and requirements changing just as fast. If companies opt for an open source solution - in which they build their own gateway from multiple components - they gain a high degree of agility, even though they also take on a substantial integration effort.

Antispam tool SpamAssassin, probably the poster child for open source security, is powerful enough to be at the core of several commercial products, including the popular Barracuda mail gateway. SpamAssassin is far from data centre-ready, however. Companies using it probably will have to create (or adapt existing open source) Web front-end applications and find a framework for scaling across multiple systems. There also is the need for user quarantines for suspect mail, tools to deliver mail, periodic quarantine management, reporting and alerting, and system management. Companies also will have to wrap a message transport agent, such as Postfix, around SpamAssassin to send, queue and receive e-mail. While some open source projects, such as the MailWasher server and Maia Mailguard, have integrated an antispam engine with management tools and quarantine, none has the active and lively development and huge user community that SpamAssassin does.

SpamAssassin by itself is no longer the state of the art in spam identification. Reputation-based filtering has been demonstrated to be very effective when combined with a good content filter; and new protocols, such as Sender ID and DomainKeys, help fight phishing attacks. Integrating freely available reputation-based services, such as SpamHaus or SpamCop, with other antispam tools isn't impossible, but requires expertise in mail-gateway design and the open source applications. Antivirus capabilities also belong in any mail security gateway. The only credible open source option is ClamAV, although a company choosing a Linux base for its e-mail gateway also has the option of several commercial engines that run on Unix.

Other antispam engines, such as CRM114, DSPAM and Bogofilter, are not as popular in large-scale environments because they rely on user training to achieve very high spam catch-rates. However, those building their own custom gateways can experiment with any filtering tool to see if it fits into the enterprise.
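The combination of reputation lookups and a content filter described above can be shown in a few lines. This is an added example, not code from the article or from any of the projects it names; the zone names, the point value per listing and the threshold of 5.0 are assumptions, and the DNS answers are constructed so the block runs offline.

```python
import ipaddress
import socket

# Assumed DNS zones for the two reputation services the article names.
DNSBL_ZONES = ("zen.spamhaus.org", "bl.spamcop.net")

def dnsbl_query_name(ip, zone):
    """A DNSBL is queried by reversing the IPv4 octets and appending the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this sketch handles IPv4 senders only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def system_resolver(name):
    """Live lookup: an A record means 'listed', a failed lookup means 'not listed'."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def listed_zones(ip, resolver=system_resolver, zones=DNSBL_ZONES):
    hits = []
    for zone in zones:
        answer = resolver(dnsbl_query_name(ip, zone))
        # Listings come back inside 127.0.0.0/8. Spamhaus uses 127.255.255.x
        # for error answers (such as a refused query), so those are not hits.
        if answer and answer.startswith("127.") and not answer.startswith("127.255.255."):
            hits.append(zone)
    return hits

def verdict(content_score, ip, resolver=system_resolver,
            threshold=5.0, points_per_listing=2.5):
    """Add reputation points to the content filter's score, then decide."""
    hits = listed_zones(ip, resolver)
    total = content_score + points_per_listing * len(hits)
    return ("quarantine" if total >= threshold else "deliver", total, hits)

# Constructed answers (documentation address ranges) so the demo needs no network.
FAKE_ANSWERS = {
    "10.2.0.192.zen.spamhaus.org": "127.0.0.2",          # listed
    "5.113.0.203.zen.spamhaus.org": "127.255.255.254",   # error answer, not a listing
}

def fake_resolver(name):
    return FAKE_ANSWERS.get(name)

if __name__ == "__main__":
    # Same borderline content score (3.0) for three different senders.
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(ip, verdict(3.0, ip, fake_resolver))
```

A message that the content filter alone would deliver is quarantined only when the sending address is also listed, which is the effect the article attributes to pairing reputation with content filtering.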

In control with intrusion-detection systems

An intrusion-detection system (IDS) doesn't just detect attacks. It also is useful for forensics, detecting network misuse and misconfiguration, and even network performance profiling.

To meet such varied needs, the IDS requires a way to collect and store events from sensors deployed throughout a network, as well as to search, collate and analyze events as they come in, archive and retrieve IDS events, generate instant alerts from some sets of events, manage all these components, and report on long-term trends. In more advanced deployments, IDS data is fed to a correlation engine that looks for trends across events.

The Snort team (most of whom work for Sourcefire, selling a commercial IDS and intrusion-prevention system [IPS] based on the open source Snort engine) has taken care of the first half of this picture with its powerful IDS detection engine. As with SpamAssassin, Snort alone is almost completely useless. Yet it is easily layered on top of operating systems such as Linux or BSD (Berkeley Software Distribution or Berkeley Unix) to build an IDS sensor that detects traffic and generates events. Still, without an infrastructure to manage Snort and the events, companies might as well not bother.

Data center managers who want to build a 100 percent open source IDS they fully control might consider starting with Snort-based IDS sensors that typically run on Linux and then using a dozen or more other open source components to manage the sensors.

Managing the sensors can require home-grown scripts or applications, although there are specific tools, such as Oinkmaster and IDS Policy Manager, for keeping Snort rule sets updated properly. To log events, the common approach is to use Barnyard, a Snort add-on, along with the MySQL database. Once events are logged, tools such as Analysis Console for Intrusion Databases or the newer Basic Analysis and Security Engine - combined with a Web server and various scripting and graphics tools - can be used for trending and forensics.

But because the most difficult part of creating an enterprise IDS is turning the sensor's data into useful information, rather than building from scratch, a better solution may be to use open-source IDS sensors and a commercial IDS "super console" to handle events, alerts, archiving and forensics. This approach still minimizes the risk of being stuck with a network of IDS sensors from a commercial vendor that goes out of business, a significant concern considering that 40 percent of the IDS and IPS vendors in Network World's 2003 test (and 50 percent in our 2002 test) have gone under or left the IDS/IPS market.

Most of the security information management products from such vendors as ArcSight, NetIQ, Network Intelligence and Tenable Network Security, for example, will work perfectly well with Snort-based sensors. For an additional license fee, Sourcefire's 3D Defense Centre will accept events from open source Snort as easily as from Sourcefire's packaged offerings.

Custom code for vulnerability analysis

Knowing what's on the network and what services are in use is an important part of security. Unfortunately, application programmers and system operators don't always keep the security team in the loop as systems are brought online, updated, patched and reconfigured. A referee, in the form of a vulnerability-analysis tool, can be a valuable adjunct in keeping abreast of services and servers automatically.

Tenable's Nessus, a popular tool for service discovery and vulnerability management, is pushing the limits of what open source means in the data center. Originally it was a fully open source tool; last year, the primary developers of Nessus made it free, but also proprietary, when they released Version 3 of the scanning engine. Changing the license was unpopular with the always-volatile open source community, but the number of enthusiastic users doesn't seem to have diminished. Nessus Version 2 is maintained as an open source project.

With a client/server architecture and several GUI interfaces available, Nessus needs less additional software to make a fully functional package than does SpamAssassin or Snort, depending on how the information Nessus provides will be used. Other vulnerability-analysis scanners and network discovery tool vendors offer more tools for managing scan results, linking to patch-management systems and handling the vulnerability life cycle, but the Nessus team has focused more on making a highly configurable engine.

To gain closer parity with commercial products, Nessus users can buy Tenable's Security Centre. This is a centralized management tool for Nessus scan data that contributes reporting functions, asset and vulnerability management, and a correlation engine that links IDS engine events with detected vulnerabilities to give security managers a better idea of what's important. In addition, most commercial security information management products can digest and correlate Nessus scan data.
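The idea of linking IDS events with detected vulnerabilities can be sketched as follows. This is an added example, not code from the article, Tenable or Sourcefire; the record layouts, priority names and `VULN-EXAMPLE-…` references are hypothetical, and all alerts and findings are constructed sample data.

```python
from collections import namedtuple

# Hypothetical, simplified records: real sensors and scanners export far more fields.
Alert = namedtuple("Alert", "dst_ip dst_port vuln_ref signature")
Finding = namedtuple("Finding", "host port vuln_ref")

ORDER = {"critical": 0, "unscanned": 1, "medium": 2, "low": 3}

def correlate(alerts, findings, scanned_hosts):
    """Rank IDS alerts by whether the scanner found the target vulnerable."""
    by_service = {}
    for f in findings:
        by_service.setdefault((f.host, f.port), set()).add(f.vuln_ref)

    ranked = []
    for a in alerts:
        refs = by_service.get((a.dst_ip, a.dst_port), set())
        if a.dst_ip not in scanned_hosts:
            # No scan data is not the same as "not vulnerable": keep it visible.
            priority = "unscanned"
        elif a.vuln_ref is not None and a.vuln_ref in refs:
            priority = "critical"   # attack matches a weakness found on that service
        elif refs:
            priority = "medium"     # service has findings, but not the one targeted
        else:
            priority = "low"        # scanned, nothing found on that service
        ranked.append((priority, a))
    ranked.sort(key=lambda pair: ORDER[pair[0]])  # stable: ties keep arrival order
    return ranked

# Constructed scanner output and sensor alerts (placeholder vulnerability references).
SCANNED = {"10.0.0.5", "10.0.0.7", "10.0.0.9"}
FINDINGS = [
    Finding("10.0.0.5", 80, "VULN-EXAMPLE-0001"),
    Finding("10.0.0.9", 22, "VULN-EXAMPLE-0002"),
]
ALERTS = [
    Alert("10.0.0.7", 80, "VULN-EXAMPLE-0001", "web exploit attempt"),
    Alert("10.0.0.9", 22, "VULN-EXAMPLE-0003", "ssh exploit attempt"),
    Alert("10.0.0.20", 80, "VULN-EXAMPLE-0001", "web exploit attempt"),
    Alert("10.0.0.5", 80, "VULN-EXAMPLE-0001", "web exploit attempt"),
]

if __name__ == "__main__":
    for priority, alert in correlate(ALERTS, FINDINGS, SCANNED):
        print(f"{priority:9} {alert.dst_ip}:{alert.dst_port} {alert.signature}")
```

The same signature fires three times in the sample data, but only the alert aimed at the host the scanner found vulnerable rises to the top, and the alert for an unscanned host is ranked next rather than being treated as harmless.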

Nessus is an active vulnerability scanner, which means it probes systems to discover services, operating systems and vulnerabilities. At many organizations, however, active scanning is unacceptable. The bad reputation active scanners have for crashing or slowing systems, along with other political issues, has spawned a market for passive scanners.

Some limited types of passive scanning (such as operating system fingerprinting) are available from the open source community, but network managers interested in a more comprehensive approach should stick to commercial scanners available from Sourcefire (Realtime Network Awareness) and Tenable (Passive Vulnerability Scanner). (See our Clear Choice Test on these products.)

Containing costs in VPNs

As inexpensive as centrally managed firewall-VPN devices are, the cost to build a large-scale, site-to-site VPN can be high. Sometimes the problem is the vendor mix, because vendor-supplied firewall management tools can't handle multiple vendors. Other times, it's a question of a company being stuck with perfectly good branch-office firewalls that don't do VPN very well.

The best open source alternative is OpenVPN, an SSL-based VPN tool that easily and quickly links broadband-connected remote sites to a central data center. As a technology, OpenVPN has advantages, even over some commercial VPN products based on the more efficient and better-behaved IPSec protocols. Because most broadband ISPs use network address translation (NAT), businesses using low-cost connections without statically assigned IP addresses have found that the complex IPSec protocols don't always work reliably through NAT devices. Encapsulating traffic inside a single TCP connection is a good way to get around the problem, and SSL-based VPNs such as OpenVPN have always done this.

From the point of view of cost, OpenVPN is even more attractive. If there's a remote server running Windows, almost any flavor of Unix, or Mac OS X, the server can be used as a VPN gateway to connect the remote site securely using OpenVPN. Because the software works with the servers already deployed at remote sites, it can be retrofitted easily into existing networks without requiring new hardware.

OpenVPN isn't the answer to all ills. High-speed connections work better over IPSec, and the idea of running VPN traffic through a server won't go over well in many environments. In addition, OpenVPN is not suitable for large, meshed VPNs because it lacks a large-scale management system.

Like many open source tools, the OpenVPN management interface is a command line. Because of the popularity of the product and the well-documented API in OpenVPN, a number of open source, GUI-based tools are available to help in configuration and system monitoring.

In hub-and-spoke VPN configurations of small branch offices - broadband connections coming into a central data center - OpenVPN works well and has high availability and scalability features that wouldn't normally be expected in open source products.

You're already using open source security

Open source security is already in data centres, even if network executives think it isn't. One common example is OpenSSL, an open source-library implementation of the SSL encryption standard with an accompanying set of tools and utilities. Any commercial product that uses SSL for such features as Web-based management or client/server control channels almost certainly is using OpenSSL. With no reason to believe that they could write better or more bug-free code, commercial developers naturally gravitate to reusable, open source components wherever possible.

In the security world, open source has had its greatest success at the component level, rather than as full-fledged stand-alone products. These well-tested and well-accepted security components are incorporated into complete products by the ever-growing corps of security product vendors. The Nmap and Nessus network and vulnerability scanners, the Snort intrusion-detection system (IDS), and the iptables firewall often are found - sometimes carefully hidden, sometimes openly promoted - inside the newest security products. In addition, some open-source security products have been taken commercial by their own development teams: Sourcefire's Snort IDS and Tenable's Nessus vulnerability-management scanner are well-known examples.

A consistent trend in security products has been the creation of appliances, packaging familiar open source basics, such as Linux, Apache and MySQL, as a base, then adding a combination of open source security tools and value-added software for management to make a complete product. Most of the packaged security appliances for everything from firewalls to security information management are built on the same BSD Unix and Linux distributions as the application servers you build yourself.

Is it free or isn't it?

The most popular open-source security products - virus scanners, spam filters, intrusion-detection and -prevention (IDS/IPS) engines, and vulnerability management tools - require a fairly constant stream of updates to their internal rules databases to stay useful and abreast of the latest threats.

These rules updates have different names depending on the products, but they're very distinct from software updates. Rules updates for ClamAV and SpamAssassin are still free, at least for now. Indeed, one of the astonishing things about the ClamAV project - certainly the most frequent updater of rules - is how long the team has been able to keep updates free (although contributions are solicited). Because these updates consume a lot of time, many enterprise network managers have shied away from ClamAV in the fear that the updates will slow down or, one day, simply stop.

Sourcefire (maintainer of the Snort IDS) and Tenable Network Security (maintainer of the Nessus vulnerability-management scanner) have opted for a mixed commercial and freeware approach to releasing their rules. Recognizing that a major part of the value of these applications is in their frequent rules updates, both companies have made timely updates subject to a modest subscription fee. If a company is willing to wait, it can have the updates at a later date for free.

A subscription fee caters to enterprise-class customers who are willing to pay for security products and need current updates, but prefer open source. Those fees can go into paying people to maintain the rules databases, a fairly thankless job where remuneration is the key to consistency and currency.

Agility, control, customization, affordability

With a healthy, vigorous market in security appliances based on open source components, why would anyone in a data center go to the trouble of assembling their own? The arguments boil down to agility, control, customization and affordability.

In the world of security, agility means being able to respond quickly to threats and to change policy and products to maintain a secure network. With a packaged solution, responding to a new threat may mean installing a new box. If a company builds its own appliance based on existing tools, it can vary the components and configuration quickly. This may be true even if the company isn't using open source tools. For example, an e-mail security gateway typically has a virus scanner, and while there is a good open source option in ClamAV, a corporate license might make products from Trend Micro, McAfee or Sophos just as good choices. Changing the antivirus engine is easy if a company controls the appliance, but not as easy if it has a packaged solution.

In the data centre, control can mean many things, but often control means knowing that if push came to shove, a company could always fix the open source tools itself. In addition, control means knowing that the product will be around for as long as a company wants to use it: Although the security marketplace is active, it has a high churn rate, and today's great product from a small start-up can be tomorrow's dot-com scrap. Also, success can weigh on new products: Vendors are bought; products go on hiatus for a year or are cancelled entirely. Open source code is insurance against that happening, even though developer organizations are just as likely to disappear as commercial vendors.

Customization long has been a benefit of open source, and it's just as important in security. If a company's unique security requirements can't be met by off-the-shelf products, it probably can put together what it wants out of open source components. Sometimes customization is more important on the control plane, especially in large data centers. For example, if the data center has a provisioning system that needs to interact with parts of the network's security infrastructure, it's more likely that an open source tool built by the company can be controlled with configuration files and command lines - unlike a commercial product that requires a Java-based GUI for configuration.

Finally, cost is the eternal and obvious argument in favor of open source. A single appliance in a data center may not be much of a budget item, but costs do add up. E-mail security appliances, for example, typically are licensed per user, per function (spam, antivirus and so on), per year. A thousand users multiplied by US$30 or so per user, per year: That's a powerful incentive for a company to build its own gateway of open source components. One intrusion-detection system sensor is not worth worrying about, but if a company wants to deploy 100 of them, it can realize significant savings with open source.