Security

Guardent To Sell Snort And Nessus

Cally writes: "An interesting article appeared on the Info-Sec News list the other day about Guardent's new security appliance. Based on Snort, Nessus and IPTables, Guardent are taking the unusual step of trying to sell a product based on Free software into the highly resistant corporate security market. Although Free/Open security software is widely acknowledged to be better than commercial alternatives, it's rarely been trusted in the enterprise - the article points out that, although the NSA use Free software, the need for an expensive government audit prevents the government from saving money and improving security."
  • What about the FreeBSD network stack that is now in Win2k and XP? Microsoft is using it in "supposed" enterprise apps.
    • by Jeremiah Cornelius ( 137 ) on Friday December 14, 2001 @05:00AM (#2703347) Homepage Journal
      It's not quite right to refer to the Windows IP stack as FreeBSD.

      Like almost every IP implementation, the one in Win32 is heavily based on the Berkeley Net4 code. This is hardly surprising. The Berkeley implementation was TCP/IP - long before there were others. Large blocks of the original Berkeley Net code appear to be copied unmodified in the NT/2000/XP system. This is probably true of AIX, Solaris, etc...

      This is a feature of the Berkeley licence.

    • It is, is it? When did you look at the source code for Win2K and XP and figure this out? While I'm sure every implementation of TCP/IP is loosely based on some BSD code, this is hardly proof that MS ripped off FreeBSD's network stack.
      • Hi, I'm the story submitter.

        >> What about the FreeBSD network stack that is now in Win2k
        >> and XP? Microsoft is using it in "supposed" enterprise apps.

        > It is, is it? When did you look at the source code
        > for Win2K and XP and figure this out? While I'm sure
        > ever implementation of TCP/IP is loosely based on some
        > BSD code, this is hardly proof that MS ripped off
        > FreeBSD's network stack.

        19:41:43:~
        cally@INEGO% uname -a
        CYGWIN_NT-4.0 INEGO 1.3.6(0.47/3/2) 2001-12-08 17:02 i686 unknown
        18:47:47:~
        cally@INEGO% cd $SYSTEMROOT; grep -ri regents *
        Binary file Profiles/cally/Desktop/sectools/windump/windump.exe matches
        Binary file system32/dns/bin/host.exe matches

        [ BIND stuff snipped ]

        Binary file system32/FINGER.EXE matches
        Binary file system32/FTP.EXE matches
        Binary file system32/host.exe matches
        Binary file system32/named-xfer.exe matches
        Binary file system32/nslookup.exe matches
        Binary file system32/Nslookup.ms-original.exe matches
        Binary file system32/PGPsdkNL.dll matches
        Binary file system32/RCP.EXE matches
        Binary file system32/RSH.EXE matches
        Binary file system32/scp.exe matches




        I think it's widely acknowledged that there's a fair bit of BSD code
        in the win32 IP. No source code required to know that, so long as they're
        abiding by the minimalist advertising clause in the BSD license.
        • If you expect me to believe that because MS uses Berkeley code in FTP.exe that's proof of the "FreeBSD network stack that is now in Win2k and XP" you're putting up an extremely weak argument. I've run find in my system32 directory before, I'm well aware that MS uses Berkeley code, but the fact that MS is using the standard Berkeley implementations of finger, ftp, and nslookup proves absolutely nothing. None of the files you've mentioned have anything to do with the internals of the TCP/IP stack in Win2K or XP.
  • by Anonymous Coward
    The company should be called GNUardent.
  • by Yakman ( 22964 ) on Friday December 14, 2001 @04:51AM (#2703333) Homepage Journal
    Based on previous security issues in open source it has pretty much become obvious that a major security problem in an open source product is fixed much faster than an equivalent closed source product.

    Also, due to the number of people looking at the code of the open source product there's more chance of those hairy bugs being weeded out, or in the case of the software being used here probably has been given the maturity of the software and the caliber of the kind of people who use it.

    With closed source or hardware based security solutions you might end up getting hacked because the hacker found a hole the vendor didn't know about and you can't even look at the source to try and work out how they did it.

    I'd say the advantages of open source security outweigh the disadvantages, and it's been said time and time again. I doubt it will make a difference with enterprise customers though, they're all in bed with the big companies anyway.

    The major issue for them is probably support, even though I'm sure this company will support their hardware there's still the "stigma" that with OSS you've got no central reliable resource to turn to for support.

    Anyway, enough rantage :)
    • by Anonymous Coward
      Microsoft only has to start offering money prizes for security holes. Then more white hats will get interested in disassembling Microsoft's binaries (MS would have to permit it in its EULA I guess). It's much harder for open source people to offer $10,000 per security hole found. So in the long run closed source has the advantage, they're just not capitalizing on it yet.
      • I've got a better idea: MS should find some people that know about programming and pay them money to make sure Microsoft software is secure and bug free!

        Wait a minute, isn't that what Microsoft programmers should be doing already?! :)

        Seriously, with the cash reserves MS has (enough to buy half of Africa I think.. hmm, maybe that's the plan?) they could easily hire 100 good programmers and do a full line-by-line security audit of all their code for their major products.

        Then again, "good programmers" usually have scruples and wouldn't work for MS anyway ;)
        • by Anonymous Coward
          Only 100 good programmers would take years to do a line-by-line audit of all MS's major products, and, of course, by the time that they're done, all of the products they've audited are already obsolete.

          Equivalently, where are you going to find 100 programmers good enough to do the job in a reasonable amount of time? Although a lot of people have overinflated valuations of their skills, most would probably weigh in as marginal at best.
    • Yes, but the main issue with open source for mission critical applications / services is the lack of a legally binding contract.

      At least with a faceless corporation you have a piece of paper saying what both parties are legally obliged to do - you know for a fact that their definitions are supposed to be updated with X frequency etc. You also get a guaranteed level of support, someone to blame when it goes wrong and a company with deep pockets to sue if they are negligent!

      Now with open source, aside from the contract problem you get another issue - if it all goes horribly wrong the blame can't be passed external to the company, the person that allowed this software to be deployed gets the blame!

      Once it comes down to "spend all the money I requested and have my ass covered" or "save the company money but risk being the scapegoat if it fails" which option would you choose, bearing in mind that it's not your money and you doubtlessly have enough to cover the cost of a proper installation...

      In situations like this the free open source will not prevail because there are no safety nets such as someone external to blame, no support contract, no guarantees, and no faceless entity with deep pockets to sue.

      The thing about big business and critical applications is that it's less about cost of ownership than it is about being able to shift the blame if it all goes wrong...
  • Contributions?

    by illusion_2K ( 187951 ) <slashdot@nosPAm.dissolve.ca> on Friday December 14, 2001 @05:06AM (#2703356) Homepage

    It would be nice to know that Guardent is contributing to the respective projects that are being implemented on this device (IPTables, Snort, Nessus), but I haven't been able to find any acknowledgement of it on either Nessus's thanks page [nessus.org] or in the credits [snort.org] for Snort.

    Certainly they've got people working for them who have the know-how to add substantial features to the projects and it would be nice to know that they're not just freeriding on the software for the managed services platform that this device really is.

  • by Anonymous Coward on Friday December 14, 2001 @05:19AM (#2703381)

    OpenBSD has several advantages over Linux for this application:

    • More cohesive codebase, tighter integrated security audits. (==more secure foundation to work from)
    • Better firewall and nat features, syntax.
    • BSD-licensed foundation, so no hassles if you're using it in a product.
    • Cooler logo. ;-)
    And of course, since the OpenBSD community has a lot of paranoid ... oops, er ... "security aware" people in it, all the security tools you could ever want are either native or seamlessly ported.

    Quite frankly, seeing someone selling a security solution based on open source software and finding out the OS isn't OpenBSD is like finding your cousin Larry using an egg beater to polish his car's paint... You know they must have some reason, but damn if it has any obvious logic to it...

    (Linux has its own place. I use it a lot for developing and deploying java applications, also it's a better DB platform than obsd because it has SMP support. Right tool, right job. For security, obsd is the right tool.)

    • by Zapman ( 2662 ) on Friday December 14, 2001 @10:29AM (#2703962)
      OpenBSD has a fantastic reputation for security. However, there are several side notes that probably pushed linux over the top.

      1) LIDS. If they're using a 2.4 kernel, they can do LOTS of nice security things, like stripping root of lots of its dangerous abilities. Less danger if root is cracked. I don't know if LIDS is in use, but it probably should be.

      2) Your 'better firewall and nat features, syntax' is highly debatable. As someone else pointed out, IPTables stateful inspection is far ahead of either ipfilter or pf. And your syntax comment is nothing more than a personal preference.

      3) I don't like this reason much, but 'Linux' is much more widely recognised in the business world than 'OpenBSD'. When you come down to it, you have to be able to market this thing. Is this the way it should be? No. But it is, and we have to deal with it.
  • by kcbrown ( 7426 ) <slashdot@sysexperts.com> on Friday December 14, 2001 @05:21AM (#2703384)
    ...though the open source roots of many products are not likely to be widely known.

    There are probably countless "hardware" boxes that use FreeBSD or some other BSD derivative as a base. The company takes that base and adds their own code to do whatever it is that would be unique to the box, then sells the result as a hardware solution. The box itself might have a lot of proprietary hardware in it, or it might not. That'll just depend on the box.

    But either way, open source probably powers a lot more of the hardware (routers, proxies, firewalls, etc.) than the average PHB would expect.

  • Not to rehash, but what the hell is up with the guy submitting the post referring to free software. Not even the article this was linked to talked about free.
  • Spouting

    by 1984 ( 56406 ) on Friday December 14, 2001 @05:28AM (#2703393)
    "Although Free/Open security software is widely acknowledged to be better than commercial alternatives..."

    I'm sure this point will rapidly become a chorus in this thread, but that sentence is pointless fluff.

    Open source means you could inspect the source. Iff you choose to expertly inspect the source you may come to understand the security parameters of the application. You'll know how it works, and a lot of what it depends on in terms of libraries, OS calls etc. And you can evaluate on those terms whether it provides an adequate level of security for the environment in which you intend to use it.

    If you haven't audited the code, all you know is that the code is auditable. You know nothing about the security of the system.

    Most of us here haven't performed any of these steps on systems like OpenSSH, for instance. Instead we rely on two things: that someone else has performed a competent, honest audit; that so many people use it that if it had problems we'd all know (surely). Both of those are flimsy, when you come right down to it.

    Open source only means you could audit it if you wanted to. It doesn't make it any more or less secure than anything else.
    • What it really means is, it has already been audited by more people than a closed source product would have been.

      Besides, if you can show anyone all the plans to your most secure lock in the world, and they still can't break it, I'd say that's amazing.
      • "...if you can show anyone, all the plans to your most secure lock in the world, and they still can't break it, i'd say that's amazing."

        It is amazing. If, on the other hand, everyone assumes your lock cannot be broken *because* you are willing to share the plans with them, it's just stupid.
    • hi, I'm the story submitter BTW.

      "Although Free/Open security software is widely acknowledged to be better than commercial alternatives..."

      > I'm sure this point will rapidly become a chorus in
      > this thread, but that sentence is pointless fluff.

      Well, I don't see anyone else saying so... in fact YOU don't say why
      this is fluff. I was trying to refer to the Slashdot story a couple of
      weeks ago - IIRC it was the IDS comparison done by one of the ZDN / CNET
      type sites, posted by Hemos, but when I was writing the submission I
      couldn't find the story I was thinking of (I thought it was about
      sec software in general, rather than just IDS.)


      The fact is that real in-the-trenches infosec people know that Open
      and Free security software is an essential part of the toolkit. If
      you're running an IDS, snort is definitely better than the
      commercial IDS out there. If you're properly paranoid and have the
      budget, of course, it's nice to run two or more for comparison.


      • tcpdump is the canonical packetsniffer.
      • bastille is an excellent Linux hardening tool.
      • netcat, nmap and OpenSSH are category killers.
      • Nessus, Tripwire*, Coroner's Toolkit, OpenBSD, IPTables, GPG, Perl, ntop, Argus, Firewalk, dp, Corkscrew, chkrootkit, rubberhose...

      *OK, OK, Tripwire's not free, but there are several Free clones.

      This is just off the top of my bookmarks file, you understand, and these programs are all at the very least amongst the best of breed in their categories. And of course what self-respecting network security person uses exclusively GUI apps? A crap one. Bash (or your favourite shell) and the GNU utils are pretty indispensable even if you're only looking after Windows boxes. I'd find my work pretty damn difficult if I couldn't use any of the above tools [*1].


      There are plenty of reasons why this is so, but that's a detail. But I've always found it interesting that this is one area where Free software is the furthest ahead, technically, and simultaneously one of the most backward areas in the corporate world.

      As many other posters have pointed out, there's a lot more Free/open stuff in use than the survey-responders typically know about - as someone suggested, perhaps because there are no P.O.s == no budget == no big meetings, minutes, memos etc, so it just doesn't show up on the managerial radar. And there are certainly SOME corporates happy to use such tools. (Indeed, most security consultancies that aren't owned by a software vendor - bad conflict of interest IMHO...)
      I just find it interesting that many of the most successful companies are the most perverse in such an important area of policy.

      I haven't audited ssh or GPG either, but I trust those who have done (and wrote it in the first place) a damn site more than a random large proprietary software company.


      <shameless>
      [1] Or rather, it would do if I had a job at present... anyone looking for info-sec people in London, drop me a mail :-)
      </shameless>

  • by alphaque ( 51831 ) <dinesh&alphaque,com> on Friday December 14, 2001 @05:29AM (#2703394) Homepage
    although the NSA use Free software, the need for an expensive government audit prevents the government from saving money and improving security.

    I find this statement terribly interesting. This implies that opensource software is more heavily audited by the US government than closed source software.

    Does anyone else find this ludicrous ?

    One of the basic tenets of opensource software is that its bugs/vulnerabilities are presented for worldwide review. Any holes, trojans or vulnerabilities are caught faster and fixed almost immediately. Eric Raymond's find-fix-release cycle has been pretty much implemented in all active opensource projects. I find it interesting that the government, even if it is the NSA, is suspicious of opensource software, yet will trust the closed source products they buy. Isn't this placing your bets in the wrong basket?

    I won't go into the benefit of using opensource in detail, for it is bound to be flogged like a dead horse in the ensuing /. discussion below, but surely to suggest increased audit spending on opensource is FUD.

    Additionally, it peeves me a little when every time opensource is mentioned, the immediate line is drawn to Linux. I think the existence of other top notch operating systems such as FreeBSD, NetBSD and OpenBSD should also play a role in government procurement. The mindshare which Linux has managed to garner in this space is eclipsing decision makers away from proper evaluation and just jumping on to the Linux bandwagon.

    After all, one of the basic tenets of opensource is choice. We don't want the lack of choice we have replaced with another lack of choice in operating systems, Linux only.

    • by TeeWee ( 98278 ) on Friday December 14, 2001 @05:45AM (#2703407) Journal
      I find this statement terribly interesting. This implies that opensource software is more heavily audited by the US government than closed source software.

      Does anyone else find this ludicrous ?


      This is actually quite sensible. Someone has to pay for the audits. In commercial applications, it will be the vendor.

      But with OSS, it isn't clear who is the one responsible for the audits. And it isn't clear which version will be audited (with a theoretically possible fix made every minute). So, it will probably have to be the version to be implemented. Since there is no clear responsible party who can fund the audit, it will have to be the customer.

      So in that sense, it is the customer who winds up for the cost of the audit directly, while with commercial products, it will be the vendor who winds up for the cost (and calculates that back into the price of the product).

      In one sense, the customer paying for it is preferable, since they can now see how the money is being spent, on the other hand, having the customer pay for it prevents the spreading of the cost. In commercial products, every customer pays for a part of the costs, in OSS, every customer has to pay for the complete audit again unless the results are frozen.
      • In every company I have worked for we paid for software audits, not the software company.

        Remember, who ever pays for the audit is who the auditor works for. I agree with Spunk's comments that free software does skew the ratio of cost of software to the cost of audit making the audit look expensive. However the audit would be done anyway.

        It is possible that these agencies are paying for the learning curve for the auditors to learn the "new" software so they can audit it. This just means that the "approved" auditors are somewhat remiss in knowing their business.

        Yes, it is really ludicrous. Isn't it nice to know that even with the expensive audits, the free software passes.
    • I find it interesting that the government, even if it is the NSA, is suspicious of opensource software, yet will trust the closed source products they buy. Isn't this placing your bets in the wrong basket?

      I believe they would do this for the same reason that some businesses don't like open source alternatives: they have nobody to blame if something goes wrong.

    • The audit the poster is referring to is the one required to get a device certified at a certain government security level. The most talked about one is "C2" but the levels go all the way up to "A1".

      IIRC, WinNT was C2 certified at one point, but it got yanked..
    • although the NSA use Free software, the need for an expensive government audit prevents the government from saving money and improving security.

      I find this statement terribly interesting. This implies that opensource software is more heavily audited by the US government than closed source software.


      I'm not sure where the quote is from, so I can't put it in context, but the NSA certainly does audit closed-source software. I think it's more likely the statement is saying that it is irrelevant whether they go with a $500 product or a $0 product; the audit costs far outweigh either.

      Change "Free Software" above to "new product" and it makes more sense. Anything new has to be sufficiently better to justify the audit cost.
  • This is good news for the Open Source community. It's great to see a company making OSS the core of its business. However, the article also points out some of the traditional weak points of OSS.

    One is that OSS focusses much more on technical prowess than on anything resembling a workable UI. For the true geek, no more than a command line is necessary for a UI. However, in the "real world" a user will not even consider touching the best software around if his only UI is a command line or a bad looking bunch of poorly designed widgets. It matters. Perhaps more than it should, but it is the reality. If functionality is (for the user) more or less comparable, the sleeker look will win.

    Another point is of course the traditional lack of a single support channel. There is simply no guarantee for support for most OSS and face it, the actual software is at most half of the total cost, support being one of the largest money sinks. To a true company, the guarantees of support are much more important. And saying that they can do their own support (it's Open Source, right?) is simply no alternative, and neither is waiting for the whim of the masses to get round to their bug (yes, I know, they are now dependent on the whim of the supplier. But at least there's a binding support contract there).

    Finally, for more critical applications, there are certain audits and certificates. I've rarely considered that with respect to OSS, but it does raise an interesting point. Especially with government applications and more critical applications, there will be a need for certain certificates. The Open Source community just hasn't got the money to fund such audits.

    So, what can a company like Guardent do to repel these fears?

    First off, as commercial suppliers, they can actually sign the support contracts and be held responsible for timely updates and fixes. Also, fixes now will be gathered and maintained by a single body, which is much preferable from a customer's point of view than scanning the Nets blindly every day for new updates.

    Second, as suppliers, Guardent can create the UI necessary when packaging and integrating the separate applications. This makes the package accessible to the users. Again, I cannot stress how important this is!

    And finally, as a commercial company, they may be able to raise the cash necessary to get the necessary certificates and maintain them. Without these, a whole market segment will be closed to them no matter how well the software performs.
    • One is that OSS focusses much more on technical prowess than on anything resembling a workable UI.

      http://www.fwbuilder.org/ is GUI which should work
      with this product nicely.
    • One is that OSS focusses much more on technical prowess than on anything resembling a workable UI. For the true geek, no more than a command line is necessary for a UI. However, in the "real world" a user will not even consider touching the best software around if his only UI is a command line or a bad looking bunch of poorly designed widgets. It matters. Perhaps more than it should, but it is the reality. If functionality is (for the user) more or less comparable, the sleeker look will win.

      this is true for the flighty home user. this is not true by any means for business or corporate.

      all of my users have 5 vertical apps that are ugly as sin and are harder to use than a command prompt. (Imagine clicking in the password field to type your name and then having to backspace to erase the spaces that are there from the idiot programmer. or a UI that constantly scrambles data display or crashes the system.)

      why? because we HAVE NO CHOICE. there are 2 vendors for this type of app, they both suck. One still tries to use an access database for 300 people to access, and the one we use at least uses SQL for the database.

      these aren't crap apps, they are mission critical, if the app goes away we die a horrible miserable death called "the money stopped flowing".

      so companies put up with super horrible UI's all the time. I installed a Linux box for their web-surfing in the sales land for on the cable modem (to save on bandwidth to corporate and then to the internet) and I have had at least 50 comments that KDE looks and feels so much nicer than windows does, and our apps do.

      so your argument is true for the 10% that buys the high dollar apps for home. the other 90% don't care at all how it looks, just how it works.
    • Ummm..

      I really don't think end-users have any need to configure a network security product. People who do need to set these up judge them based on their maintainability, configurability, and suitability to task.

      Believe it or not, in many cases a CLI interface is MUCH easier to deal with than a GUI. In addition, most GUI's for security products are simply pretty interfaces to the text-based back ends, and may or may not be up to date with all of the capabilities of the CLI tools (always developed first). The GUI can, and will, screw things up (trust me on this...I used to test and certify commercial firewall/vpn products for a living, and have seen every interface under the sun and can name some very big well-known companies whose GUI would totally hose the firewall/VPN config under certain conditions, but the CLI tools would work just fine)

      The GUI adds tons of complexity to the programmer's job, just for an INTERFACE! This time can be much better spent on writing and improving the tool itself. Why do you think so many linux GUI tools are simply interfaces to existing text tools? The guys writing the actual TOOL spend their time on that, and somebody else decides to write a different interface to it. No problems there.

  • by Radium_ ( 150865 ) on Friday December 14, 2001 @05:38AM (#2703402)
    I hope that, if they make profit using this free software, they give some money back to the developers. I know that Renaud Deraison, one of the Nessus core developers, is tired of seeing derivatives of his product sold by many companies which *never* give anything (bug reports, patches, plugins, money) back.

    Hell, free software needs financial *and* technical support from those who use it. Or you won't be able to use it very long.
    • by Anonymous Coward on Friday December 14, 2001 @06:13AM (#2703426)
      This may be crazy, but if you don't want people doing bad thing X with the code you produce, don't use a license that explicitly permits them to do X.
    • I work for MontaVista Software, a vendor providing a Linux distribution tailored for embedded system use and development. We do a lot of patches both to the kernel and included software, and push back every one we can. Why? Because the development costs of maintaining our own tree separate from the primary tree for each application we include are just way too high. Folks who don't contribute back, thus, are just shooting themselves in the foot by failing to take full advantage of the open source model.

      Having commercial users, then, lends itself to having patches, bug reports and the like provided; monetary donations, while nice, hardly strike me as so necessary. Most heavy commercial users of open source also hire at least one heavy developer to the projects they use; paying these folks' salaries certainly should count as financial contribution towards the project.

      What I'm saying here is that just as a result of use, any commercial user of open source savvy enough to take full advantage of the development model (by having the community maintain a unified tree, having their own paid developers contribute so their customers get the features they need, &c) is providing all the benefit to the community they should be obligated to provide. There certainly should be no guilt trip for them to give back even more. Any vendor not savvy enough to take advantage of the model is just shooting themselves in the foot and should be urged to contribute to the community for reasons of self-interest rather than goodwill -- this sort of reasoning is much more likely to succeed.
      • Hear, hear!

        time = money

        I have often seen people make the comment about Linux companies not giving back, but by SELLING Linux, they are evangelizing. They are also legitimatizing (is that a word?) the use of Linux in the corporate world. One does not have to be a code monkey to give back to the community.
  • While the deployment and cost savings are attractive, it seems to me to be adding to the security risk to include vulnerability and penetration testing tools on a firewall.

    Based on the current description, Guardent also seem to be missing a trick: combining IDS and firewall allows the creation of an IPS (Intrusion Prevention System) where detection of selected IDS signatures would cause the connection to be dropped.

    Comments?
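The IDS-to-firewall coupling the poster sketches (a selected signature fires, the offending connection or source is dropped) is easy to demonstrate. The script below is an added example, not Guardent's appliance code and not part of Snort or iptables: it parses Snort-style fast-alert lines, applies a small blocking policy (chosen SIDs, a minimum priority, and a never-block range so a spoofed or false-positive alert cannot lock out the management network, which is the self-inflicted risk the poster worries about), and emits the iptables DROP commands rather than executing them. The SIDs, the 192.0.2.0/24 management range and the alert lines are all constructed for this example.

```python
"""
Added example (not Guardent's, Snort's or iptables' own code): turn selected
Snort fast-alert lines into iptables DROP rules, i.e. a minimal IDS -> firewall
"prevention" bridge. Nothing here executes a command; the rules are returned
as strings for an operator (or a supervised cron job) to review and apply.
"""
import re
from ipaddress import ip_address, ip_network

# Snort fast-alert line, IPv4 only (IPv6 and port-less lines are out of scope here):
#   <ts> [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {proto} src:port -> dst:port
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
FAST_ALERT = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    rf"(?P<src>{IPV4})(?::(?P<sport>\d+))?\s+->\s+"
    rf"(?P<dst>{IPV4})(?::(?P<dport>\d+))?$"
)

# Blocking policy (constructed values): only these signature IDs may trigger a
# block, only at Snort priority 1 or 2 (1 is the most severe), and sources in
# the never-block range are exempt so a spoofed alert cannot cut off the
# management network. This exemption is the safeguard against the "IPS
# becomes a self-DoS" failure mode.
BLOCK_SIDS = {1000001}
MAX_PRIORITY = 2
NEVER_BLOCK = [ip_network("192.0.2.0/24")]  # assumed internal/management range


def parse_alert(line):
    """Return a dict for one fast-alert line, or None if it does not parse."""
    m = FAST_ALERT.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    try:
        src, dst = ip_address(d["src"]), ip_address(d["dst"])
    except ValueError:  # e.g. an octet above 255
        return None
    return {
        "sid": int(d["sid"]),
        "priority": int(d["prio"]),
        "proto": d["proto"],
        "src": src,
        "dst": dst,
        "dport": int(d["dport"]) if d["dport"] else None,
        "msg": d["msg"],
    }


def should_block(alert):
    """Apply the policy: selected SID, severe enough, and source not exempt."""
    if alert["sid"] not in BLOCK_SIDS or alert["priority"] > MAX_PRIORITY:
        return False
    return not any(alert["src"] in net for net in NEVER_BLOCK)


def drop_rule(src, chain="FORWARD"):
    """iptables command that drops further traffic from src passing through the firewall."""
    return f"iptables -I {chain} -s {src} -j DROP"


def alerts_to_rules(text):
    """One DROP rule per offending source, in first-seen order; unparsable lines are skipped."""
    seen = set()
    rules = []
    for line in text.splitlines():
        alert = parse_alert(line)
        if alert is None or not should_block(alert) or alert["src"] in seen:
            continue
        seen.add(alert["src"])
        rules.append(drop_rule(alert["src"]))
    return rules


# Constructed sample alerts (not captured from a real sensor). Two hits from the
# same external source, one low-priority alert on a non-selected SID, one hit
# whose source sits in the never-block range, and one line of junk.
SAMPLE_ALERTS = """\
12/14-05:19:01.123456  [**] [1:1000001:1] CONSTRUCTED example probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.23:51234 -> 192.0.2.10:80
12/14-05:19:02.000001  [**] [1:1000002:1] CONSTRUCTED low-priority noise [**] [Priority: 3] {UDP} 198.51.100.77:5353 -> 192.0.2.10:5353
12/14-05:19:03.000002  [**] [1:1000001:1] CONSTRUCTED example probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.23:51240 -> 192.0.2.10:443
12/14-05:19:04.000003  [**] [1:1000001:1] CONSTRUCTED example probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.5:40000 -> 192.0.2.10:22
this line is not an alert and is ignored
"""

if __name__ == "__main__":
    for rule in alerts_to_rules(SAMPLE_ALERTS):
        print(rule)
```

Run against the sample, it yields a single rule for 198.51.100.23: the duplicate hit is collapsed, the priority-3 alert on an unselected SID is ignored, and the internal 192.0.2.5 source is left alone. A production bridge would additionally expire rules after a timeout and log every block it issues, since an auto-block is only as trustworthy as the signature that triggered it.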
  • I've been up and down the path of trying to get open source to replace some costing apps. Sometimes I've succeeded, sometimes I failed.

    I've noticed one thing though, in all this endeavor : the more "touchy" the system was, the greater the resistance to change to a better and more reliable open source alternative.
    Then I started asking why?
    Let me point out some reasons behind this, which of course most of you already know:
    • Open source projects don't send out nice brochures telling how great the product is
    • Since there is almost no advertising (what ?! do you expect square headed managers to read slashdot ?! they barely can read ! :), there's little info about what a product can and cannot do. Of course, you can always ask that geek down the hall that seems to know them all, but how much can you trust a guy without social life ?
    • We don't know if the new open source app will preserve/convert the data from the old app. I wanna be honest and say most of the time open source apps regard themselves as being the only apps out there (scratching someone's itch - ESR might say) and provide little feature to import existing data
    • But the number one reason behind not accepting open source replacement of sensitive software is the fact that there is no one to blame
    The latest reason applies to both managers and sysadmins or whomever is in charge of getting things done.
    Pointing fingers is big business when things go wrong. Commercial app means that you have someone to call almost 24-7, someone to swear at and still be nice (you paid them a shitload of money to do so). If things break, sysadmins can always say: it was that creepy product's fault.
    But that is one thing you cannot do to open source. First of all, you paid nothing. The creator lets you use the software because he's a nice guy. If the system crashes, the managers will point fingers at the sysadmin: you're the one going with this solution - you fix it!.

    Now security is probably one of the most sensitive and touchy parts of an organization. Yes, open source security software works better; yes, it provides you more options; no, it won't send your secret data to the NSA or the FBI; no, it's not hard to set up or to maintain; and no, Microsoft didn't invent it. But sometimes it may screw things up. And when that happens, the first question on everybody's mind is:
    Whom do we point fingers at?
    • I'm sorry - but this is rubbish.

      If you buy commercial software you (unless support is bundled) have no right to blame anyone for anything - it is the associated SUPPORT CONTRACT that gives you the SLA/availability guarantee/etc. Even if support is included, after the year/number of incidents runs out, what do you have to do to get more?

      That is why most software is relatively cheap, the manufacturer makes most of their money selling support (and associated services), why do you think Sun give away Solaris?

      As you know, proper enterprise support is not cheap, and there are many consultancies out there tapping into this market offering

      Alex
    • and that is because the sysadmins don't have the balls to take responsibility.

      The company will gladly use OSS tools if the sysadmin stands behind them.

      There are very few of us, but we are out there. Sysadmins that are man enough to take responsibility. How many of you will run into your boss's office and say "I just crashed the server, I know, I'm an idiot for installing a service pack at 3pm instead of waiting until 5pm, it'll be back up in 50 minutes." instead of "that damned Microsoft service pack crashed the server upon install."

      My boss respects me and I have gotten up the ladder to the sysadmin job (I took that job away from the previous pinhead) by being honest and taking responsibility.

      Any sysadmin that won't stand behind their own decision needs to get the hell out of the business.

      We use OSS tools exclusively, because I stand behind them. I am the one to blame, and I am very proud of that.
      • My personal horror story was a time when the boss at a car dealership I do some work for thought that our spare drives for the RAID5 array had been stolen. He asked to see what the existing drives looked like; I popped one out of the array, showed it to him, put it back in and ran raidhotadd. The system reconstructed the drive's contents and all was well -- until about 1:00 am or so, when a cron job tried to access the /boot partition and OOPS'd the box.

        I'd raidhotadded the whole drive (which happened to be the one containing the /boot partition), rather than just the partition in the array. Not so bad -- a boot partition ain't so hard to reproduce. But then in recovery, I screwed over another one of the drives (don't ask). The dealership spent five hours without any data entry, form printing, nada (everything was run off this one server) until I finally got the system restored off of backup (and then the last day's data needed to be reentered).

        The funny thing is that when I explained what had happened, The Boss wasn't half as upset with me as I was with myself -- indeed, he seemed to accept the occasional mishap as a cost of doing business. Thus, I can certainly vouch for honesty as the best policy.

        Any place where management cares more about finger-pointing than getting the system back up is somewhere I don't want to work.
  • Akamai Technologies uses Linux in a BIG way across its network of over 11,000 servers. NASA uses it, JPL, Lawrence Livermore (sp?), and the list goes on. With Linux comes free apps like NetSaint, Snort, iptraf, etc., etc. How does one track the usage of free software when there is no registration/licensing required? One can't, so one may never know to what extent free software has consumed the enterprise unless the companies using it give out real numbers. Many companies don't, and some can't because they just don't keep track of it.

    Rohan
  • by Anonymous Coward
    The article mentioned that Guardent will sell their appliance for "$1,500 a pop" and that their solution "relies solely on open-source programs to protect customers".

    Although the Guardent site specifies:
    - "For a low MONTHLY FEE of $1,500, organizations get complete 24x7 managed security protection for any Internet-facing network segment."
    - "...with Guardent's PROPRIETARY event correlation, reporting and alerting capabilities"
  • by Lumpy ( 12016 ) on Friday December 14, 2001 @08:01AM (#2703538) Homepage
    I loves "experts" that don't know what they are talking about.

    Many of the biggest corporations regularly trust open source tools, especially Snort and the others for security.

    They don't run around screaming "we use snort! we use snort!"

    I know at the corporation that owns my soul we have a clause in the new computer and security policy that free tools are to be sought out and used before money is spent on software.

    Yes, they don't have a "linux and oss is evil" clause.... even with Microsoft being one of our major "investors".
    • I loves "experts" that don't know what they are talking about.

      Many of the biggest corporations regularly trust open source tools, especially Snort and the others for security.

      Most of those corporations' management don't trust Open Source, and either aren't aware they're using it, or tell themselves "we're not treating it like Open Source" because they bought it from a company as part of a product.

      I guarantee you there will be companies that will buy this product that would absolutely prohibit using Snort in any other way, even if configured 100% identically.

      The Fortune 500 company I work for had an incident where a member of upper management sent out an email saying no Open Source would be used in this company. His email was distributed around the company through sendmail servers, which had been configured using vi, running under Bourne and Korn shells. DNS resolution for the distribution happened using BIND. Everybody ignored him and failed to remove those applications from production, of course.

      Recently they made the decision to investigate the use of Linux as a production OS. I was present in a meeting where a technical person asked "what does this imply about our stance on Open Source?" The PHB's response was "we're not using it as Open Source, we're buying it from Red Hat."

      We didn't bother to try to make him explain what the hell "we're not using it as Open Source" meant, we knew the answer would be silly bullshit.
      • It's probably worthwhile to correct this guy, if only because some other dumb manager is going to come by later, read the policy, look at your infrastructure (and figure out that it's Open Source), and force you to replace everything at great expense. There are tons of managers who blindly follow stupid rules.

        You can probably sell it by figuring what he really means when he forbids Open Source. Chances are he really means "we don't install unsupported software". That's probably a policy everybody could live with much more easily.

  • Although Free/Open security software is widely acknowledged to be better than commercial alternatives, it's rarely been trusted in the enterprise - the article points out that, although the NSA use Free software, the need for an expensive government audit prevents the government from saving money and improving security."

    While it is expensive to audit code, I'd really doubt that Microsoft or a few other closed source platforms would even be willing to give up the code to the government for auditing in the first place. Secondly, while it may be expensive for the audit, we could look at the expense differently and think of how much we are saving by preventing problems and hacks before they happen. Repairing a compromised system, I would guess, is no small job at that level, and think of all the money lost because of compromised information.
  • Nothing new (Score:3, Informative)

    by klaun ( 236494 ) on Friday December 14, 2001 @08:32AM (#2703573)
    SecureWorks [secureworks.com] has been selling their iSensor product for some time now. It is also based on OpenSource Software using Snort and IPChains. The product comes with monitoring and constant signature updates for the IDS functionality, so that could be seen as the "value-add" for buying what is basically a bunch of free software in a PC box.
  • I find it intriguing that many of the people here, most of whom are probably systems administrators or other technology-centric people in their respective corporations, are willing to unquestionably trust the security of open source software, even though, for the vast majority of them, the extent of their interaction with the code is

    ./configure
    make
    make install

    with few, if any of them, actually auditing the code for security holes before installing it to protect their mission-critical data.

    In my 20 years of experience as a systems programmer, I am well-versed in the idea that it is much easier to throw out the existing code base and start from scratch rather than wasting time on trying to fix horribly flawed or poorly documented code that can be millions of lines long. Therefore, it should not come as much of a surprise that the security-conscious agencies in the federal government (CIA, NSA, DIA, Dept. of Commerce, etc.) largely write their own software in-house rather than rely on fixing up something like Linux and hoping that they caught all the bugs. I mean, really folks, let's face it: Linux was designed by many people in a chaotic manner, and rarely were the features implemented with security at the top of their priorities.

    So while it is all well and good that Guardent is trying to sell free software to enterprise customers, I can certainly see why major corporations would be hesitant to trust their security to messy open source software. Besides the fact that most of the biggest customers of closed source software vendors get to see the sourcecode for review anyway, because they are paying so much money for support, etc.

    • But I typically poke around at least a little bit in any application I run to see if it's doing what it says. That's also why I run Microsoft products behind restrictive ACLs -- I can't see what they're trying to pull by looking at the code, so I am forced to explicitly restrict those bastards.

      What can I say, I like to make sure my installation works before I hang my job security on it. I'm astounded that more people don't. Then again, I worked with grumpy old bastards like you and discovered that they were the ones whose installations stayed up and didn't get hacked. Must have made an impression...

      At IBM, long before the Linux jihad started, I was told to use free software but audit the code and license first. That's what I've been doing ever since, although I don't work at IBM anymore, and haven't for years.
    • "...with few, if any of them, actually auditing the code for security holes before installing it to protect their mission-critical data."

      While I agree with your post, you bring up an interesting point here. The huge benefit of open source (being able to read/audit/modify the code) is almost completely untapped by nearly all of the people who actually use it day-to-day.

      BUT, I can audit code by proxy. I know that there are people auditing and rewriting the code, and by following the newsgroups (etc.), I can see if they've come up with anything crucial. It's not perfect, but it _is_ a form of code audit.

      Of course, this isn't going to stand up to a complex conspiracy, but I just don't see that being too big of a concern.
    • Therefore, it should not come as much of a surprise that the security-conscious agencies in the federal government (CIA, NSA, DIA, Dept. of Commerce, etc.) largely write their own software inhouse rather than rely on fixing up something like Linux and hoping that they caught all the bugs.

      Wow. What world do you live in? The government uses quite a bit of Open Source software - you're just not in a position to realize it.

      Speaking of Nessus - I just got done doing a lot of work on it, adapting it to the government's platform so that they can use it. They didn't write their own security scanner - they hired my company to evaluate which one was best and then make it work on their systems. This happens all the time. And we're not talking for sissy little shit places in the government like the Department of Transportation - our work is for DISA [disa.mil], the Defense Information Systems Agency. I'll let you visit the link to figure out what they do. Look at that - they're trusting open source programs to some of their most important computers.
    • ...to the NSA Secure Linux project.

      Bob-

      (Yes, it's been written up on /., yes it's open source, yes you can read about it on www.nsa.gov)
  • I've been working on a similar box for my employer. We're a small shop (3 developers, 3 techs) and we leverage Free software to help us compete with the big boys.

    I'd be surprised if a lot of smaller, clued shops aren't doing the same thing. How else can you compete with big guys like IBM who can throw a billion people at a problem? And before you ask, yes we have given code to the community, and yes we provide source code to our customers...

  • by Anonymous Coward
    Guardent's choice to go with this open source solution has nothing to do with some epiphany that open source is better or more secure. It's about "the bottom line". Guardent's main marketing focus is MSS (managed security services). Because their standard bill rates are higher than most InfoSec consulting firms, the only way to compete in the market was to lower the cost of their managed IDS/firewall offering by using open source products.
    Using the IDS portion of this for corporate networks is fine. But IPTables is NOT a firewall I would recommend to any major corporation.
    An earlier post suggested Guardent should contribute to the development efforts, since they plan to make some profit off of it. That won't happen, because it cuts into "the bottom line". I have inside info on this, so I know.
  • "Although Free/Open security software is widely acknowledged to be better than commercial alternatives, it's rarely been trusted in the enterprise - the article points out that, although the NSA use Free software, the need for an expensive government audit prevents the government from saving money and improving security."

    I tend to agree that Free/Open security software is better. But one thing you should remember is that its freeness is just the problem preventing the government from using it.

    If the government spends money on software from company x, should it get hacked, etc., company x can be held responsible. It's "their" software.

    If the government use free alternatives, granted they are probably more secure, but if they get hacked too, who's gonna take the blame? Certainly not the people who wrote/contributed to the software. After all, you get what you pay for right?

    Taking on free/open software makes it the government's responsibility to check/maintain its security and if anything goes wrong, they take the rap themselves instead of company x.

    Besides financial implications, it's a whole lot of work to take on so I can see the logic in their choice.
  • NetWolves' FoxBox/WolfPac is really a rackmount PC running FreeBSD. The front end and "glue" is proprietary and there's licensed software in it, but most of the heavy lifting in the services it provides--firewall, VPN, file sharing, etc.--is done by free software. And it offers intrusion detection being run by Snort.

    I'm sure there are other little companies doing similar things--this is just leveraging open source IDS software in "turnkey appliances" the same way it's been leveraged for other services. eSoft's Instagate Firewall/VPN product is Linux-based, and every Slashdot reader knows Sun Cobalt....
    • Regarding Esoft, unless they changed, they use bsdi. We actually used the Interceptor line for a few years until they decided to discontinue our product WITHOUT telling us.

      They also have an inane incompetence in the sales/marketing department that thought it would be a good idea to spam the entire customer list with an unrestricted majordomo setup.

      I'd avoid these guys if you can help it.

      Then again, I'm just a dissatisfied customer.
  • Another company that uses a very similar if not nearly identical solution is Secureworks [secureworks.com]. They've been around longer than Guardent, though obviously their marketing isn't great as I've only seen them a few places...
  • There are many commercial firewall appliances that do this, and I've seen a few that are definitely linux based.

    I had even toyed with the idea of writing my own web interface, pretty blinky lights on the box itself, etc. and selling these things myself.

  • Snort is really nice, but I've had problems with it. First of all, if you have it listening on a dial-up and the dial-up goes down, so does snort. Now that's not a big problem, but it makes me wonder about the internal design. An IDS shouldn't quit on its own, for any reason.

    Second, on an RH7.0 machine, snort quits randomly for no apparent reason, and with no diagnostic message. I don't know if that's my fault, or what, it must be since nobody else seems to complain about it. But an IDS shouldn't quit on its own.

    Third, I was making some changes to the code and noticed some sloppy coding, including diagnostic messages not terminated by nulls, and convoluted string-matching code that would match some bytes twice. Again not a big deal, but when you see something like that, you start to wonder what else might be flaky. Will it miss something in a string someplace else?

    Fourth, I sent patches for some of this to the authors, for instance rewriting the string matching code down to a few clear lines, and was ignored. After a few new versions came and went I gave up on my patches.

    So hopefully this new commercial support will help get Snort cleaned up. But I for one will be very suspicious of using Snort for more than a home LAN. Probably what it needs is a ground-up re-write along the lines of BIND9.

    I hate to criticize open-source software, especially something as useful as Snort (I do use it regularly). But when it comes to security stuff, code should be bulletproof and clean.

    • You probably shouldn't run snort on RedHat anyway - they specifically mention in the docs that snort is limited on linux - specifically, it can't tell if it's dropping packets or not at the interface.

      It runs beautifully on FreeBSD.
      • What are you people smoking?

        See: www.snort.org/docs/faq.html [snort.org]

        • Q: Why does snort report "Packet loss statistics are unavailable under Linux"?

          A: The Linux IP stack doesn't report lost packet stats. This may be changing in version 2.4 of Linux, but for now you just don't get them. Try one of the BSDs, they work just fine. This also has been recently fixed with the 2.4 kernel in the new version of libpcap... upgrade kernels and libpcap and it should now work.

        That's packet loss ***statistics***, not a statement about packet loss.

        This is in the context of Linux generally, not RedHat specifically...

        There is *no* other mention of "packet loss" and "Linux" together anywhere in the FAQ.

        The *only* reference to "RedHat" itself, anywhere in the FAQ, is the very long-standing advice to upgrade to the current version of libpcap. This advice itself has become pretty much irrelevant for anyone running one of the more recent distros, anyway.

        Honestly!

        People running their little agendas!

        Ya'd think they'd try to put a little more substance in 'em...

        ...of course, maybe they assume that no one who knows any better will be reading /. these days.

        t_t_b

      • "First of all, if you have it listening on a dial-up and the dial-up goes down, so does snort. Now that's not a big problem, but it makes me wonder about the internal design."

      What the hell are you talking about?

      snort is listening to the interface.

      On a dialup, you're using ppp; when ppp0 goes down, what interface is snort supposed to be listening to?

      If the link is down there's nothing for snort to listen to (completely aside from the fact that you're offline and there's no threat of any sort anyway...)

      • "Second, on an RH7.0 machine, snort quits randomly for no apparant reason, and with no diagnostic message. I don't know if that's my fault, or what, it must be since nobody else seems to complain about it."

      Try checking out the snort list. Wouldn't be running in -D daemon mode by any chance? There's a frequently recurring thread about this sort of thing...

      Speaking of the snort list:

      • "Third, I was making some changes to the code and noticed some sloppy coding, including diagnostic messages not terminated by nulls, and convoluted string-matching code that would match some bytes twice. Again not a big deal, but when you see something like that, you start to wonder what else might be flakey."

      Ever bother posting anything about this?

      *I* sure don't recall reading anything about this topic.

      • "But I for one will be very suspicious of using Snort for more than a home LAN."

      Using snort should be limited to a home LAN?

      Yeah, right...

      You don't have a clue.

      t_t_b

  • Guardent are taking the unusual step of trying to sell a product

    I'm sorry, but Guardent are only one single company. However, the employees of Guardent is all individuals.

    The use of plural verbs with collective nouns when talking about the actions of the whole group ranks right up there with using the word virii [dictionary.com] as the most pretentious grammatical annoyance one can find. It's not a matter of national importance or anything, just a pet peeve.

    -B

    • I'm sorry, but Guardent are only one single company. However, the employees of Guardent is all individuals. The use of plural verbs with collective nouns when talking about the actions of the whole group ranks right up there with using the word virii [dictionary.com] as the most pretentious grammatical annoyance one can find. It's not a matter of national importance or anything, just a pet peeve. You're annoyed by people using proper English? Very strange. As to your main complaint, I suggest you stay out of the U.K., as all of the inhabitants speak like that. I suggest you slink back to your trailer and slug back another Bud Light.
      • I suggest you stay out of the U.K., as all of the inhabitants speak like that. I suggest you slink back to your trailer and slug back another Bud Light.

        I have to say that yours was one of the funniest replies I've ever had. Thanks!

        (BTW, it's not a "trailer"... it's a Double Wide.)

        -B

    • Thank you for pointing this out! This misuse of plural verbs has annoyed me for some time now. I believe this error results from an improper transfer of British English to American English. I have noticed that British speakers use plural verbs with nouns that refer to groups, such as company names. So I infer from this observation that this is correct in British English. However, this is not correct in American English. Ironically, most Americans who adopt this misuse probably do so in an attempt to improve their own use of the language and sound more intelligent, but it has the opposite effect to an informed ear.

      Having said this, it is quite understandable that Americans would adopt this incorrect usage in their own speech after hearing it from British speakers, because the average Brit is far better spoken than the average American. Whenever I travel to the U.K. I enjoy the eloquence of the British people, but the fact remains that British English and American English are not the same.

      • How fascinating... For the record I (the story submitter) am a British English speaker. I have a friend who went to the kind of school where correct grammar is taught (and who has a number of books on the subject: believe me, this is unknown in the state sector where I was mostly educated) - I'll ask him who's right.
  • by MattW ( 97290 ) <matt@ender.com> on Friday December 14, 2001 @01:36PM (#2705003) Homepage
    I was a longtime sr. security architect at an NSP with security services ranked highly by Gartner. One thing I know from interaction with hundreds of customers is that they are interested in your assurances far more than the products you use. We had occasion from time to time to shift vendors, and the customers did follow. There are plus and minus points to everything. The real market isn't for an appliance, but for services sold month-to-month or year-by-year which implement traditional security methods (firewalling, vuln. analysis, IDS, etc) using free software. Instead of saying, "trust this software", you simply say, "We use best-of-breed tools" and you use YOUR reputation to back them.

    This isn't all that common yet, although nessus is making a lot of headway being used commercially. It will be more common, though, if the OSS alternatives remain ahead of the curve in development (and eventually probably get funding).
  • Slashdot's gonna be getting an email from the government saying that Carnivore has picked up a headline that they think links Slashdot with coke dealers:
    "Guardent to Sell Snort"...

    Warning...

    heh heh ~~ Cruz2001
