Manage your security openly

Firms often avoid security tools because of the cost. Open source software (OSS) may be what they've been waiting for.

Open security. Sounds like an oxymoron, doesn't it? Security is truly a secret business, so how can it be managed openly?

When it's managed with open source software (OSS), that's when.

Managing security with OSS may be just the ticket for you. For one thing, OSS will save you quite a bit in license fees, although the savings won't be so great in such areas as maintenance, training and the like. Then again, there are some pretty hefty license fees out there for enterprise software; saving those fees could be a real boon.

"Open source is a good bet for security management, just because of the cost factors," said Bernard Golden, CEO of Navica Inc., a systems integrator based in San Carlos, Calif. "Often security is the last thing people think of and, when they do, there's just no budget left."

Open source tools can be used for a variety of problems, including security management, and they can be just as good, or even better, than their proprietary counterparts. "Organizations are using a variety of open source tools, which often rank among the best-of-breed," said Jay Beale, a senior security consultant at Intelguardians and lead developer of the Bastille Linux project, which makes a hardening script for Linux, HP-UX and OS X. "Snort is by far the most popular network intrusion detection system in existence."

Snort's IDS is taught at SANS to every IDS analyst, and its rules language is the de facto standard used by that community to describe new attacks, Beale said.

Of course, security management is about processes as much as software. Managing security involves a whole host of things, such as personnel reliability, access control, authorization levels, human factors, hardware and software setup, detection of hostile intrusions on your computer networks and infrastructure, and much more. Fortunately, there are open source security management programs that will help you with some of these things. For instance, there are tools that help you make sure your infrastructure is set up and configured the way it should be, including permissions and access levels, and tools that help you deal with the plethora of information that other security software, such as hardening or intrusion-detection software, will provide for you.

Making sure that all your infrastructure is properly set up and configured is the first step to securing your network, according to Golden. These two chores are not as simple as they sound, so finding tools that automate the process is a good idea.

How about the first step: setting up and configuring properly? It's one thing to have some program like General Hardware Oriented System Transfer (Symantec Ghost) that will automatically write a system image to new desktops in your company. But do you want all of the desktops to have the same image? Surely, you don't. From a security standpoint, you want some of them to have higher access than others. So you need to customize those system images depending on where the person who will be using the system will be working, what his/her level in the corporation is and more.

To set up access permissions, you can use an open source tool called Cfengine to get the appropriate access levels and permissions onto the proper workstations. Cfengine can be thought of as a simple holder for many different scripts that you use to manage your security infrastructure. One of those scripts can let you define access levels and permissions, and you can define more than one, so that you can customize what you provide to whom, so to speak.

Once your system is set up the way you think it should be, you have to evaluate your security situation. Managing anything means you have to know what it is you're managing. Sounds elementary, but it's amazing, according to experts, how many IT managers don't really know what exactly is hanging onto their network. So you need some sort of analyzer.

Two good open source analytical tools come in handy in security evaluations. Nessus, Beale said, is one of the best and most widely used vulnerability assessment tools. This open source program is so well trusted, he said, that its main download mirror was once hosted at the U.S. Department of the Treasury. Also, Network Mapper (Nmap) is used for network inventory more than probably any other port scanner, Beale added.

With Nmap, a utility for network exploration or security auditing, you can figure out which hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems and versions they are running and what type of packet filters or firewalls are in use, according to Insecure.org. This program will give you a great deal of information on what is really out there on the network, where it is and what it's doing. You should run something like this frequently, because your infrastructure isn't static. People will bring new things into the organization and connect them, and you may not even know about it. With something like Nmap, you will know.
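As an added example (not from the article or the Nmap project), here is the "you will know" step in code: parse the XML that Nmap writes with `-oX`, keep only live hosts and their open services, and compare the result against the inventory you believe is correct. The Nmap output and the inventory are constructed samples for the 192.0.2.0/28 range.

```python
import xml.etree.ElementTree as ET

# Constructed, abridged sample of Nmap's -oX output (not a real scan).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX - 192.0.2.0/28">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="3.9p1"/></port>
    </ports>
    <os><osmatch name="Linux 2.6.X" accuracy="95"/></os>
  </host>
  <host><status state="up"/><address addr="192.0.2.23" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd" version="1.3.33"/></port>
      <port protocol="tcp" portid="139"><state state="filtered"/>
        <service name="netbios-ssn"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows XP" accuracy="90"/></os>
  </host>
</nmaprun>"""

# What the IT group believes is on that subnet (constructed inventory).
KNOWN_HOSTS = {"192.0.2.10": "build server"}


def parse_nmap_xml(xml_text):
    """Return {ip: {"os": str, "services": [(port, name, banner), ...]}} for live hosts."""
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        if host.find("status").get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        services = []
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports are not exposed services
            svc = port.find("service")
            banner = " ".join(filter(None, [svc.get("product"), svc.get("version")]))
            services.append((int(port.get("portid")), svc.get("name"), banner))
        osmatch = host.find("os/osmatch")
        hosts[addr] = {"os": osmatch.get("name") if osmatch is not None else "unknown",
                       "services": services}
    return hosts


def unknown_hosts(scan, inventory):
    """Live hosts missing from the inventory: the ones nobody told you about."""
    return {ip: info for ip, info in scan.items() if ip not in inventory}
```

Run it against yesterday's and today's reports and the diff of `unknown_hosts` is the list of things people connected without telling you.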

Now, we come to the question of information. You need information about your security to manage that security. Try to glean important information from an event log, and there will be so much of it that you won't be able to separate the wheat from the chaff. Now add in an intrusion detection system, like Snort, and the problem gets worse. You need some way to make sure that you can get to the information you need quickly and efficiently.

Analysis Console for Intrusion Databases (ACID) is an open source tool that enables you to cut to the chase, so to speak. "ACID provides you a sort of data warehouse environment that lets you find events that are of interest," Golden said. "It's like a power tool for your purposes."

You could run ACID once a day, for instance, to find out what kinds of intrusions were attempted the day before. In essence, ACID lets you get to the information that Snort provides and writes to an SQL database, like MySQL, without having to write SQL queries (and wonder why the query didn't work).
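To show what that once-a-day query looks like underneath a console like ACID, here is an added example (not the article's or ACID's own code): a daily roll-up of Snort alerts by signature and source address. The tables are modelled loosely on Snort's database output (`event`, `signature`, `iphdr`) but simplified, and the alert rows are constructed; it uses SQLite in memory in place of MySQL.

```python
import sqlite3

# Tables modelled on Snort's database output (event, signature, iphdr), simplified:
# real Snort stores addresses as integers and has many more columns. Constructed schema.
SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT, sig_priority INTEGER);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
                    PRIMARY KEY (sid, cid));
CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src TEXT, ip_dst TEXT,
                    PRIMARY KEY (sid, cid));
"""

SIGNATURES = [(1, "WEB-IIS cmd.exe access", 1), (2, "ICMP PING NMAP", 3)]
# (sensor id, event id, signature, timestamp, source, destination): constructed sample alerts
EVENTS = [
    (1, 1, 1, "2005-03-14 02:15:00", "198.51.100.7", "192.0.2.23"),
    (1, 2, 1, "2005-03-14 02:15:03", "198.51.100.7", "192.0.2.23"),
    (1, 3, 1, "2005-03-14 02:15:09", "198.51.100.7", "192.0.2.23"),
    (1, 4, 2, "2005-03-14 11:40:00", "203.0.113.5", "192.0.2.10"),
    (1, 5, 2, "2005-03-13 23:59:59", "203.0.113.5", "192.0.2.10"),
]


def load_sample_db():
    """Build an in-memory database holding the constructed alerts."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO signature VALUES (?, ?, ?)", SIGNATURES)
    for sid, cid, sig, ts, src, dst in EVENTS:
        conn.execute("INSERT INTO event VALUES (?, ?, ?, ?)", (sid, cid, sig, ts))
        conn.execute("INSERT INTO iphdr VALUES (?, ?, ?, ?)", (sid, cid, src, dst))
    return conn


def daily_summary(conn, day):
    """Alerts seen on `day` (YYYY-MM-DD), grouped by signature and source, busiest first.

    Returns rows of (sig_name, sig_priority, ip_src, hits); priority 1 is the most severe."""
    return conn.execute("""
        SELECT s.sig_name, s.sig_priority, i.ip_src, COUNT(*) AS hits
        FROM event e
        JOIN signature s ON s.sig_id = e.signature
        JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
        WHERE date(e.timestamp) = ?
        GROUP BY s.sig_name, s.sig_priority, i.ip_src
        ORDER BY hits DESC, s.sig_priority ASC""", (day,)).fetchall()
```

The two joins on `(sid, cid)` are the part that ACID hides from you: every Snort alert is split across the event, signature and packet-header tables, so even "who tripped what yesterday" takes a three-table query.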

OSS is not going to take all of the labor out of securing your enterprise. You're going to have to be vigilant and use some people skills, too. You're going to have to read and interpret reports. You're going to have to act quickly when the bad guys have a good day. Fortunately, however, you have some very inexpensive best-of-breed tools -- Snort, Bastille Linux, Nessus, Nmap, Cfengine and ACID -- to help you. Even better, these are only a few of the possibilities. You can find out a lot more by visiting SourceForge. Take the time to investigate thoroughly, and you're pretty sure to find an open source project that will do most, if not all, of what you need.

The bottom line: If your IT budget is bottoming out, and you don't have a fortune to invest in much-needed security management software, then OSS can save the day. Or if you have lots of money left in your budget, why not save some of it by using OSS and make yourself look good to the boss?


About the author: David Gabel has been testing and writing about computers for more than 25 years.

This was first published in March 2005