[ISN] Is Open-Source Security Software Safe?

R. A. Hettinga rahettinga at earthlink.net
Wed Dec 12 18:08:21 EST 2001

--- begin forwarded text

Status:  U
Date: Tue, 11 Dec 2001 23:55:21 -0600 (CST)
From: InfoSec News <isn at c4i.org>
To: <isn at attrition.org>
Subject: [ISN] Is Open-Source Security Software Safe?
Sender: owner-isn at attrition.org
Reply-To: InfoSec News <isn at c4i.org>


DECEMBER 11, 2001
By Alex Salkever

Will the average bank care if the hacking underground can examine the
basic source code of the security software protecting its networks?
That's what information-security company Guardent is about to find

On Dec. 11, the Waltham (Mass.)-based company rolled out a hardware
security appliance that relies solely on open-source programs to
protect customers. Guardent will use these appliances, priced at
$1,500 a pop, to monitor and guard corporate networks. That's a
fraction of the cost of most integrated security appliances.

One small step for Guardent, one giant leap for open-source security.
Corporations are loath to take a chance on a piece of security
software they don't completely trust. But Guardent doesn't seem to be
worried. Open-source proponents have long argued that their software
is more secure due to the exposure of the raw code to thousands of
eyeballs, and to the ability of anyone using the software to incorporate
code changes to quickly patch vulnerabilities. What's more, Guardent
will emphasize top-quality service first, good software second. "The
thing that has the value is the service, rather than the software
itself," says Guardent co-founder Daniel R. McCall.

CHEAPER PACKAGE.  A quick look under the hood of Guardent's new box
reveals no surprises. The device incorporates a handful of customized
versions of well-known open-source security software tools including
the Snort intrusion-detection package, the Nessus vulnerability
scanner, and the IPTables firewall program. Guardent will manage the
devices using specialized software backed by a Postgres database,
another open-source system.

"By combining these things, you get something that transcends what
straight firewalls and straight intrusion-detection system [IDS] can
offer," says Guardent Chief Technology Officer Gerard Brady. "You can
put the thing together at a cost where the hardware, the software, and
the service for a year come in around the same cost of a traditional
IDS system with just the hardware to run it."

Guardent isn't alone. Other vendors are starting to incorporate
open-source programs as part of their security solutions. Big systems
integrator EDS markets a package of open-source security programs to
credit unions from German company Astaro. Security company Silicon
Defense offers commercial support contracts for Snort. Web-server
specialist Covalent sells and supports a secure version of the popular
open-source program Apache that wraps intrusion detection and
antivirus capabilities in the same package. IBM, too, uses open-source
security products in its consulting and technology-management

UNLIMITED ACCESS.  Although no one tallies the number of corporations
using open-source security software, something must be going on in the
market. "It could be there are more people out there who use the
open-source security and firewall tools, but it never gets reported
because no one executed a purchase order for it," speculates Brian
Behlendorf, the CTO of Collabnet, which has done a lot of work on
open-source products.

Open-source proponents argue that, by making the code visible to all,
possible security holes will likely have been spotted. They also say
the ability to make quick changes in the code is a boon, as is the
fact that the user wields ultimate control. "With open-source
software, we are assured that we will have access to the software for
as long as we desire," says Grant Wagner, the technical director of
the Secure Systems Research Office at the National Security Agency.

Most important, removing the cost of software licenses makes a huge
difference in the competitive field of managed security services,
where Guardent hopes to make a big splash. Co-founder McCall thinks he
can maintain profit margins in the 60% to 70% range with the
open-source appliance. All of this might sound familiar to those who
have watched Red Hat's struggle to create a workable model, one in
which software is free and service revenues generate the profit. If
that effort is any guide, driving open-source security software into
the mainstream will doubtless prove a very difficult task.

SEALS OF APPROVAL.  The open-source movement rarely puts a premium on
nifty interfaces that can make it easier to manage and configure
software. But that's precisely what network engineers need to give
them easier tools for operating firewalls and IDS systems on large
corporate networks. "The people who are really good at building
open-source things are happy with a less sophisticated interface,"
explains Gary McGraw, CTO of Cigital and an expert in building secure
software. "Part of being a good firewall is the quality of the code,
but don't forget that someone has to manage the firewall."

Open-source security products will struggle down the road unless they
can obtain seals of approval such as the Federal Information
Processing Standard audit, as administered by the National Institute
of Standards & Technology. Those audits are mandatory before the
federal government signs certain types of contracts. But open-source
projects rarely can raise the cash to pay for and maintain these
audits. That's not even considering how an audit could be conducted on
a constantly changing body of code.

Another potential problem: As open source pushes into more complex
pieces of software, such as firewalls and IDS, frequent code-patching
can spawn its own difficulties. "If there is a problem, somebody
patches it. People like that about open source," explains Mary Ann
Davidson, the chief security officer at Oracle, who adds: "But if you
are a company with a large code base, these alterations ripple through
all the products that depend on it. So patching every week
destabilizes your code base."

CRUNCH TIME.  Davidson is quick to point out that she's not opposed to
open-source code in principle. In fact, Oracle considered using
open-source libraries of cryptographic algorithms a few months ago, but
it rejected that approach in part due to a belief that product support
would be superior from an established proprietary-code vendor.

Now comes the moment of truth: How many companies are willing to put
everything on the line with open-source software as their bulwark
against malicious hackers and other intruders? While the algorithms
themselves are very public, "I have never seen anyone using
open-source cryptography software in really heavy duty,
mission-critical applications," says Davidson.

Guardent says it counts one of the 10 largest financial institutions
in the country among the beta customers for its open-source appliance.
True, that unnamed outfit isn't using the device to protect
bond-trading systems or anything else quite so sensitive. But if
Guardent can show that management and service are more important than
the code itself, that could mark a huge opportunity for open source to
pile into a market where high software costs still hurt.

Salkever covers computer security issues twice a month in his Security
Net column, only on BusinessWeek Online. Edited by Douglas Harbrecht

ISN is currently hosted by Attrition.org

To unsubscribe email majordomo at attrition.org with 'unsubscribe isn' in the BODY
of the mail.

--- end forwarded text

R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com