Open-source security tools that can be used on both Linux and Windows platforms could see a spike in popularity,...
thanks to Microsoft's recent license price increases and security fears about Windows platforms.
Analysts say that the high cost of the new Windows licensing, coupled with concerns that Windows is more exploitable than other operating systems, is driving IT administrators to take a hard look at Linux and the prospect of using open-source.
"They say: 'Our bills are going up X per year because of this [licensing] change -- let's look at switching even some of our systems,'" said Charles King, an analyst at The Sageza Group Inc. in Mountain View, Calif.
The downside of using open-source tools, of course, is that you need to be literate with Linux. King said that Linux tools are not as easy to use as commercial tools, "but people who are using these [Linux] tools don't expect them to be."
At Casey Family Program, a Seattle-based social services agency, senior LAN/WAN engineer Jeremiah Cruit-Salzberg said that most of his applications run on the Windows operating system, and that all of his security tools are open-source. All provide professional-class power and flexibility, and they are free, whereas a proprietary vulnerability scanner can cost up to $40,000.
The three most widely-known open-source security tools are Snort, the Nessus Security Scanner and Nmap, although there are many others. They all detect vulnerabilities on heterogeneous platforms. Cruit-Salzberg says that Snort, an open-source intrusion detection, sniffing and packet logging utility, is as good as or better than any commercial intrusion detection system on the market.
With Snort, which is command-line driven, some of the configuration files must be edited by hand, he said. If this presents a problem, then there is an enterprise-class intrusion detection system made by Sourcefire Inc., the Columbia, Md., open-source vendor that bases its technology on Snort. Sourcefire adds a GUI to eliminate some of the complexity.
IT administrators also like the Nessus Security Scanner, which is produced by the Nessus Project and is commonly known simply as "Nessus." An open-source vulnerability scanner, Nessus audits a network remotely and looks for cracks that can be exploited. The software is a little tricky to set up, but there are some good how-to documents out there, users said. Once Nessus is up and running, it does a great job, said Corey Shields, a Unix system specialist at Indiana University in Bloomington.
Nmap, which is sometimes referred to by its full name, Network Mapper, rapidly scans large networks, although it can also scan single hosts.
"It's a powerful tool that doesn't have a good Windows equivalent," Shields said.
There are system log utilities that will watch a system for unusual changes and e-mail the administrator when something out of the ordinary happens. Tripwire Inc. of Portland, Ore., makes a tool that falls into this category. The company makes a free version of its product for Linux and a commercial one for Windows.
"If one file that is not expected to change changes, it fires off an alert," Shields said. "Depending on how you set it up, it can contact you. This is important if a hacker gets in and changes a system file."
There is a variety of products that map to each of these open-source utilities. Some vendors that are leaders in this category are Internet Security Systems Inc. (ISS), Enterasys Networks Inc., Symantec Corp. and Secure Computing Corp.
The choice of whether to use an open-source security tool or a vendor- supported security tool might also hinge on a customer's comfort zone. Open-source tools may not have avenues of support -- like a hotline to call when there are problems.
"Community-supported software has a tight feedback loop, and it tends to converge on a more correct solution than the proprietary [solutions]," said Martin Roesch, founder and chief technology officer at Sourcefire Inc. Roesch was also the author and lead developer of Snort.
A proprietary tool will usually have an integrated GUI, whereas open-source tools may not, Roesch said. Software written for Windows also takes advantage of Windows better than an open-source tool, which can be a double-edged sword when an application is built on top of an underlying library.
An integrated GUI can offer a lot. Market leader ISS, for example, makes a security tool that ties sensors from a multitude of security functions -- from vulnerability assessment to intrusion detection -- into one interface so that customers have a universal platform from which to monitor their platforms.
"It's like a single burglar alarm for the entire enterprise," said Christopher Klaus, ISS founder and chief technology officer. Open-source tools monitor each problem separately.
Klaus said his company chooses to keep its own source code proprietary because with the idea that doing so makes it harder for hackers to penetrate a system.
ISS also lets administrators add Snort security logic to ISS tools, so they can get the additional protection that comes from the ability to write their own rules. In other words, ISS logic is a superset that can include Snort logic if the user wishes.
"Users get the best of both worlds," Klaus said.