Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×

Open Source For Perimeter Security 56

An anonymous reader writes "IT Observer has a look at some of the perceived problems with an OpenSource approach to security and what could be done to improve the situation. From the article: 'There is a widespread and wholly inaccurate impression that open source development is somehow haphazard and undisciplined, a free-for-all among brilliant but uncoordinated individuals. In fact, most major open source projects are very tightly managed highly disciplined teams. This article gives examples of very successful Open Source security projects -- netfilter and Snort -- and also describes some weaknesses that need to be addressed by IT organizations or vendors.'"
This discussion has been archived. No new comments can be posted.

Open Source For Perimeter Security

Comments Filter:
  • by neoshroom ( 324937 ) on Monday April 03, 2006 @12:54PM (#15051891)
    When it comes to Linux versus Windows it is almost a matter of philosophy.

    "The unexamined [code] is not worth [coding]." -- Socrates (Apology 38a [philosophypages.com])

    __
    Elephant Essays [elephantessays.com] - Custom-created essays and research papers.
  • Since I've been dabbling in some home automation stuff a bit recently, I was hoping for a good article on some wireless home security to secure my house - open source stuff. The title was not what I had hoped...anyone know of some good "Open Source Perimeter" hardware and software that works with misterhouse http://misterhouse.sourceforge.net/ [sourceforge.net], or other open source projects.
  • by xxxJonBoyxxx ( 565205 ) on Monday April 03, 2006 @12:56PM (#15051907)
    "An excellent example of a cutting-edge open source effort is the netfilter project (www.netfilter.org), a Linux-based packet filter that features stateful firewalling, Network Address Translation (NAT), load balancing, and other kinds of packet mangling. The project was founded in 1999 in Australia and has now grown to more than 100,000 lines of code contributed by over 700 developers. There are currently about 300 active developers submitting about 1,400 postings a month to the development mailing lists. The core team consists of 4 members who winnow down the submissions to an average of 65 code improvements and fixes per month. "

    "By Walter Schumann, VP Sales and Marketing, Astaro"

    You Slashdotters may make fun of marketing people, but I think Walter just showed you how YOU need to make your pitch for your favorite open source project at your company.

    • You Slashdotters may make fun of marketing people, but I think Walter just showed you how YOU need to make your pitch for your favorite open source project at your company.

      Like spinning netfilter (over 100 000 lines of code) as something great when there is a much better packet filter, like pf [openbsd.org]?

      • "Like spinning X as something great when there is a much better Y?"

        Well...yes. That's kind of the whole point behind a specific pitch. Once you've decided to get X, you need to turn around and make an audience that may know a little something about both X and Y feel that X is clearly better. It's the very definition of spin...

    • "The project was founded in 1999 in Australia and has now grown to more than 100,000 lines of code contributed by over 700 developers."

      And therein lies a large chunk of "the problem" for OSS projects if you ask me. It's much easier to manage 20 developers who each have to write 5,000 lines of code than to manage 700 developers who each write (I'm sure it doesn't work out like this) 143 lines of code. I'd love to have 700 people reviewing the code written by the 20, but 700 cooks in the kitchen it's extrem
    • You need to look at who he's making the pitch to. For a technically inclined management, which some are, the first question they're going to ask is, "So?"

      Having a large development footprint is great for quantity, but how is the product's quality? No amount of marketing will tell you the true measure of of something's worth to a business. Sure you can make it sound like the best thing since sliced bread, but the reality is if it doesn't live up to expectations (something bad if you marketed it to your own m
  • > Finally, support options are limited for most open source software.

    But if the author has written a book about the product - or even anything vaguely related - then buy it! For example, DenyHosts [sourceforge.net] is an excellent tool, and the online documentation is good enough that I can use it without any more docs. But if the author were to put together a book, I would certainly pick it up in appreciation for his time spent in developing and supporting that fine utility. In the meantime, I PayPal'd him a few bucks
  • Snort is a libpcap-based packet sniffer/logger which can be used as a lightweight network intrusion detection system. It features rules based logging and can perform content searching/matching in addition to being used to detect a variety of other attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and much more. Snort has a real-time alerting capability, with alerts being sent to syslog, a separate "alert" file, or even to a Windows computer via Samba.

    With ne

  • by shmlco ( 594907 ) on Monday April 03, 2006 @01:03PM (#15051956) Homepage
    "In fact, most major open source projects are very tightly managed highly disciplined teams."

    Which is one of the reasons they became major open source projects in the first place. Of course, that tightly managed highly disciplined team ALSO needs to be working on something we all want, and the end result needs to do the job, and do it well.

  • by digitaldc ( 879047 ) * on Monday April 03, 2006 @01:08PM (#15052012)
    perceived problems with an OpenSource approach to security and what could be done to improve the situation.

    Could it possibly have something to do with the fact that some people just don't like having the words 'Open Source' attached to their computer security? Maybe rename it to something like 'Closed Fortress OS' or 'Locked Down OS' to give a more positive ring to it?
    Maybe I am just thinking about it too much.
  • my 2 cents (Score:4, Interesting)

    by Jaqui ( 905797 ) on Monday April 03, 2006 @01:09PM (#15052028) Homepage Journal
    I'm sorry, but I find the constant argument that open source is less secure because everyone can see the source to be a silly waste of effort, usually promoted by the commercial security software vendors.

    They ignore that the driving principle in open source development is quality software, so everyone who works with it is always looking to find the flaws and remove them.

    Neither is inherently more secure, open source has the benefit of more people actively working to improve the code base than any commercial software company can afford to pay. That includes Microsoft. Yes, Microsoft cannot afford to pay the same number of programmers as are actively donating code improvements to open source software solutions.

    Those of us that use open source software are more likely to learn the code to improve software we like than those using proprietary products are likely to do anything to help improve the software, including submitting the automatic crash reports that most software has implemented.
    [ I personally don't use that even with open source software, running gdb against the core, then seeing what caused the crash and submitting a patch is more usefull. ]
    • Re:my 2 cents (Score:4, Interesting)

      by Homology ( 639438 ) on Monday April 03, 2006 @01:23PM (#15052137)
      They ignore that the driving principle in open source development is quality software, so everyone who works with it is always looking to find the flaws and remove them.

      We would like to think so, however, the driving principle of many open source projects is more features [openbsd.org]:

      Revision 1.75.2.1 / (download) - annotate - [select for diffs] , Wed Jul 21 16:20:07 2004 UTC (20 months, 1 week ago) by robert
      Branch: OPENBSD_3_4
      Changes since 1.75: +2 -1 lines
      Diff to previous 1.75 (colored) next main 1.76 (colored)

      Mark it as BROKEN:

      Right during 3.5, it had more than
      a dozen remote holes being fixed, that we shipped with. Weeks later
      things have not improved, and there continue to be problems reported
      to bugtraq, and respective band-aids - but it is clear the ethereal
      team does not care about security, as new protocols get added, and
      nothing gets done about the many more holes that exist.

      requested and ok'd by brad@
      • I actually think, that security must be geared towards use...

        For example, ethereal is a tool to analize packages, I really dont care much about it's security, is a analisis tool, not a preventive or perimetral tool...

        Im much more concerned about linux kernel security, apache, dns, squid, sendmail, snort and all other tools used to provide a service, which have 24x7 hours open ports...

        And for example, OpenOffice, Konqueror security should be biased to avoid unauthorized contact between the application and th
      • Okay, the team developing ethereal are more interested in features.
        Most other projects do pay more attention to code quality, and fixing bugs is a priority for them.
        A good example was the Critical exploit for linux based Firefox, patched within 24 hours of the exploit being found.
        [ from Secunia's reports. This was at the beginning of Feb, when the WMF exploit caused MS to release a patch early for the first time. ]
    • open source has the benefit of more people actively working to improve the code base than any commercial software company can afford to pay.

      Why is it then, that flagship projects like OpenOffice.org and Firefox are organized. led, staffed and funded by a single corporate entity like IBM, Sun or the Moz Foundation? That many open source projects do not attract an army of volunteers and are in fact starving for manpower and resources?

      • The number of people donating time to an open source prject is directly porportional to the popularity of the project.

        no-one wants to use it, no-one offers help.

        Mozilla was actually started by Netscape, to get the faster develpoment of open source into the code base behind Netscape Communicator. They still use the NPL, rewritten to be the MPL, for a lot of the code in all the Mozilla tools.

        the successful open source projects do wind up starting a company, which has control / ownership of the code base, this
  • For real (tm) security, try a (true) layer-7 firewall (in case anyone knows a product that matches up to this, cisco's pix does NOT, pf does not, and checkpoint does not either, they just have some checks that can be easily fucked up by playing with tcp window size (setting it very low for example))

    http://www.balabit.com/products/zorp/ [balabit.com]

    Check it out.
    • Level 7? That's like a hungarian guy standing next to every user and pounding them on head with a mallet every time they are about to do something stupid?

      The "layers" have been switching around in OSI model so many times, I can't even figure out anymore how many there are supposed to be...
      • When have you EVER seen a layer change in the OSI model ? Please give a web reference.

        (There are multiple models, of course, but OSI layer 7 is quite an accurate description of something)
  • Partial quote: There is a widespread...impression that open source development is...a free-for-all among brilliant...individuals

    I don't think it's that widespread, except amongst Open Source fans. :-)

    The impression I usually see is that Open Source projects are done by guys who were laid off and need something to fill in the time between gaming sessions.

  • OSS is real software for people who know what they are doing. If you don't know anything about security and you want some, hire a professional (who may implement OSS for you) or buy a commercial closed product. The commercial product is likely to be more secure than an OSS product selected and implemented by someone who doesn't know anything about security. It's too easy to make a secure program very vulnerable by doing something stupid.
  • Haphazard? (Score:2, Insightful)

    by Beefslaya ( 832030 )
    Ever since I've discovered the magic of Open Source (Linux, BSD) I have implemented the rule with every network I've run...No Windows box will ever talk to the Internet without going through a Unix/Linux box.

    Since then (7 years now) I have had ZERO worms, ZERO security breaches, have cut the Windows server reboots by 80%.

    These 2 projects have saved me countless hours of time...

    <li>http://www.squid-cache.org/<li/>
    and
    <li>http://vlsi.cornell.edu/~rajit/fbsd/bridge.htm l<li/>

God help those who do not help themselves. -- Wilson Mizner

Working...