[ISN] Top Open-Source Security Applications

InfoSec News isn at c4i.org
Fri Jun 17 01:46:19 EDT 2005

Forwarded from: Marjorie Simmons <lawyer at carpereslegalis.com>


By Mark Long
June 14, 2005 

According to most security professionals, a top-tier, open-source
security tool must have sufficient history to allow a practitioner to
use it with confidence. And it must have a sufficiently large
developer base to ensure that fixes will be available in light of
discovered vulnerabilities.

Those responsible for enterprise security Latest News about Security
are increasingly turning to open-source applications in lieu of
security products based on proprietary code -- and for many good

"Where open-source tools have an advantage in an enterprise is in
their timeliness," said cryptography guru Ed Moyle of Security Curve.
"Since no budget has to be allocated to deploy an open-source tool, it
can often hit the ground faster than a commercial counterpart."

On the other hand, there is the question of accountability, Moyle
noted.  "Since there is no commercial entity overseeing a tool, on
whom can the enterprise place pressure for added features or support?"

According to most security professionals, a top-tier, open-source
security tool must have sufficient history to allow a practitioner to
use it with confidence. And it must have a sufficiently large
developer base to ensure that fixes will be available in light of
discovered vulnerabilities.

Also, it must have a reasonably large user base so that support
questions will already have been answered in a public forum. But there
are many tools that meet these requirements and are in fact deployed
at many large companies.

Tackling Basic Security Issues

Anthony Nadalin, Chief Security Architect for IBM's software group,
recommends Bouncy Castle crypto interfaces and OpenSSL -- an
open-source implementation of the secure sockets layer (SSL) and
transport layer security (TLS) protocols.

"What most customers are looking for are secure, reliable
transactions," Nadalin said. Bouncy Castle and OpenSSL form the basis
for crypto and transport-level security, Nadalin said, which is one of
the base requirements every customer has.

Indeed, OpenSSL is at the top of nearly everyone's list. "I don't
think the impact of OpenSSL can be overstated," said Yankee Group
senior analyst Andrew Jaquith. "It single-handedly democratized
encryption Latest News about encryption by making a very high-quality
implementation available for everyone to use -- and all for free."

OpenSSL is commercial-grade and interoperates with digital
certificates issued by public certificate authorities like VeriSign
Latest News about VeriSign, Thawte and GoDaddy Latest News about
GoDaddy. "Equally important, it includes the ability to generate your
own private certificates for testing purposes," he said.

OpenSSL also includes a library of basic crypto functions essential
for validating the integrity of downloads from third-party sites via
checksum algorithms.

Remote Connectivity

OpenSSH is another software package that comes highly recommended.
This open-source implementation of the Secure SHell (SSH) session
technology is designed to let administrators and users open a command
shell on a remote host.

The impact of OpenSSH has been profound because it enables secure,
safe and easy-to-use communications with remote hosts when used in
tandem with public keys instead of passwords, said Jaquith. "There is
no 'password' to be guessed -- the user either possesses the key (a
physical file) or not."

OpenSSH lets admins use public keys with a "key agent" on the client
side so that communications can be effectively passwordless. "The
upshot is that using OpenSSH with public keys instead of passwords
makes session communications more secure and easier to use," Jaquith

Like OpenSSL, OpenSSH is pretty much everywhere and comes standard on
all commercial Linux Latest News about Linux distributions. "I wish
Microsoft Latest News about Microsoft would just bite the bullet and
include OpenSSH in Windows," Jaquith said. "It's much better than what
they include now for a remote shell."

Jaquith also suggested that every company should use it, in all cases,
instead of telnet or other legacy session protocols. "You can, of
course, compile OpenSSH for Windows yourself, or buy commercial
versions from companies like F-Secure Latest News about F-Secure or
SSH Corporation.

Regulatory and Security Implications

Still, OpenSSH and OpenSSL might not meet the needs of everyone,
especially given that certain companies might be limited by the
regulatory constraints of Federal Information Processing Standard
(FIPS) 140-2, which requires that any cryptographic module be
certified before it can be used for federal data processing.

"While OpenSSL is currently being evaluated against FIPS 140, this
certification is not yet completed," noted Moyle. "It is therefore
inappropriate in a federal government context. The same is true of

Some companies use FIPS 140 as a guideline and require that deployed
cryptographic tools be certified just like would be required in a
government context. In these cases, the tools can't be used because
they would violate policy.

There have certainly been plenty of security flaws found in OpenSSH,
OpenSSL and open-source packages like Apache Tomcat, observed Jaquith.
"But generally speaking, any of the highly used packages have large
user bases and a strong developer community that is motivated to fix
things quickly,"  he said.

"All of these packages have gone through multiple releases -- dozens
of revisions, actually," Jaquith said. "In the long run, the stability
and longevity of the code base is an asset."

Scanning for Vulnerabilities

When it comes down to it, no matter what security system you use,
you'll need to test for security vulnerabilities in your code. Both
Jaquith and Moyle rate Nessus as a top-tier open-source vulnerability

"Every security assessment nerd worth his salt knows what Nessus is,"
said Jaquith. "It's a good open alternative to some of the
vulnerability management services. Companies that don't have active
vulnerability-assessment testing programs in place should start with

Particularly noteworthy is the fact that Nessus incorporates
application-level vulnerability testing for common exploits. What that
means, explained Jaquith, is that it will use a port scanner to
identify the operating system and available services. Once it finds
something, it will start iterating through a series of tests written
in the Nessus Attack Scripting Language.

The open-source vulnerability scanner then generates a report telling
the administrator what it found -- evidence of missing patches,
outdated software versions, susceptibility to buffer overflows and the

Network Monitoring Applications

Beyond tapping OpenSSH, OpenSSL and Nessus as their top-tier picks,
security experts see considerable merit in the use of open-source
applications for network monitoring, host-based firewalls and Java
Latest News about Java 2 Enterprise Edition authentication and

In particular, Moyle and Jaquith recommend the Nmap port scanner,
which is designed to interrogate remote hosts to see what services
they are running.  The open-source application usually can detect the
operating system correctly as well.

"Nmap is one of those basic security-assessment tools that has a lot
of uses," noted Jaquith. "For example, many companies use it to
'sweep' their networks to see what hosts are there, and to see if any
of them are running services that would violate policy." Jaquith
himself uses Nmap to scan his production server from time to time to
verify that only certain services are running.

Barracuda Networks vice president of engineering Zach Levow points to
Nagios as one of the most widely used open-source, network-monitoring

"Utilizing a modular-based 'polling' system, administrators can
monitor hardware appliances, network equipment, server equipment and
various other electronic devices to check the health of the device,"
Levow noted.

"In cases where machines are often being exploited or hacked, certain
aspects of those devices will change very rapidly, thus triggering a
monitoring alarm in Nagios, which can send an alert so the issue can
be investigated," he added.

Host-Based Firewalls

IPTables and IPFW are host-based firewalls for Linux and BSD,
respectively.  Both of them do the same thing: They block access to
particular server ports using a flexible rule-based-language.

"If you've got Mac OS X Latest News about OS X, for instance, you've
got IPFW under the covers -- with an absolutely fantastic and
intuitive GUI, I might add," said Jaquith. The firewall software can
be configured to reject connections -- typically the default -- or not
respond at all. This is often called "stealth mode" because it makes
the ports invisible, which frustrates scanners like Nmap.

The firewall also can redirect traffic, serve as a gateway host for
network address translation, or "shape" traffic for applications
likeVoIP Latest News about VoIP. Finally, both packages can log
suspicious packets, where they can be analyzed by an
intrusion-detection system.

"All major Linux distributions have IPTables, and all major BSDs have
IPFW," Jaquith noted. "Companies should use them to block access to
all ports other than those in use; running it in 'stealth' mode is
also a good idea, in my view."

J2EE Authentication and Authorization

Many companies building serious Web-based applications now use
commercial Java 2 Enterprise Edition servers like BEA Latest News
about BEA Systems, IBM WebSphere Latest News about WebSphere and
Oracle Latest News about Oracle Application Server, as well as
open-source products that implement the J2EE specification, including
Tomcat, JBoss and Jetty.

To pass the compatibility test, all of these servers must support a
particular set of authentication and authorization standards. The
authentication part enables companies to plug in whatever method they
choose -- looking up a password in a Lightweight Directory Access
Protocol (LDAP) directory or database Latest News about database or
demanding a digital certificate or a SecureID token.

The authorization part maps the user to a set of named roles:
customer, manager, administrator, auditor and so forth. This can be
used by the Web application to allow or deny access to particular
pages or program functions. All J2EE servers must have this capability
to be considered J2EE-compliant. What this means is that the Java
world has been able to develop a highly standardized way of thinking
about role-based access control.

"If you're building a Web-based application, you should be using J2EE
security," Jaquith said. "Tomcat, in particular, is pervasive in
enterprises for testing purposes, and increasingly for production
applications. And there are plenty of do-it-yourselfers like me who
use it in production."

Every Bit as Good?

Barracuda Networks' Levow sees considerable merit in the use of
open-source antivirus and antispam tools, and specifically points to
ClamAV as the largest and also most widely used open-source antivirus
technology. "With a well-built team of contributors helping improve
the accuracy and virus definitions as they enter the digital age,
ClamAV is a highly respected and very accurate antivirus engine," said

SpamAssasin, another widely used tool and one worth mentioning here,
relies on a feature-rich code-base that is used to rate particular
characteristics of e-mail on a point system. The administrators can
then control how those e-mails will be treated, based on their point

"With respect to the tools I've mentioned, I don't think there is any
question that they are every bit as good as their commercial
equivalents,"  Jaquith said.

 From the eyes of an attacker, said Jaquith, it certainly helps to
have the source code. "But remember that most of the successful
attacks are remote buffer overflows," he said. "You don't need access
to the source to tell you how to mount a successful attack; either the
server falls over when you throw voodoo packets at it, or it doesn't."

Bottom Line on Coding

"My view is that it is hard to compare both [open-source and
proprietary security applications] on an equal footing," said CEO Mary
Kirwan of international security consultancy Headfry, Inc. Kirwan is
not convinced that quality code is invariably found in open-source
applications, although she would like to be persuaded otherwise.

"I suspect that the real issue is the extent to which anyone --
especially in the commercial sector -- is motivated to write decent
code, with a continued emphasis on feature-rich environments and speed
to market,"  Kirwan said. "If good coding habits and skills are taught
in school, they are quickly abandoned in the real world, as promotions
are rarely based on ability to spit out quality code."

By contrast, Moyle believes that the support obtained from reading an
archive of an open-source tool's user list often is more accurate and
timely than the support paid for in the context of a commercial
purchase.  The actual delivery of the tool also is timely -- "usually
just minutes for a download to complete rather than weeks or months
waiting for the procurement cycle," he said. "From an audit
perspective, it is beneficial that the source code is exposed."

As a caveat, Moyle noted, the open-source community typically espouses
the philosophy of release early, release often. "What this means in
practice is that enterprises using a given tool need to keep abreast
of patches and updates for the tools."

More information about the ISN mailing list