
Tuesday, February 15, 2005

Be open -- be secure

[ By David Gabel, Contributor ]

It may seem like a paradox, but companies can use open source software (OSS) to secure the whole enterprise. The contradiction comes in this observation: Information that is secure is normally not open. Can you imagine some sort of classified government information that was open to view? Now, we know that some of that type of information does become public, but not to the delight of the people who want it to remain under wraps.

It's the same for sensitive personal information: It's not open. So why can OSS, whose source code a company can download and modify to suit its particular situation, secure the enterprise? If everyone can see it, then how secure can it be?

The solution to the paradox is in the nature of the information and the software. The information companies want to secure needs to stay private, but the tool for accomplishing that task is available for study, download and modification. That is the nature of OSS and, many people argue, that is the primary benefit of such software.

"Open source software is sometimes more secure than proprietary software, sometimes it isn't," said David A. Wheeler, author of the reports "Why Open Source Software/Free Software (OSS/FS, FLOSS or FOSS)? Look at the Numbers!" and "Secure Programming for Linux and Unix HOW-TO." "In fact," he added, "a lot of enterprises would be in trouble were they not using OSS." But, he added, companies have to first determine their security requirements. Then, they need to examine and compare their options.

It's much like everything else in life, or at least in information technology. You have to suit the tool to the requirement, after determining which tools are available to take care of that need and then compare the tools against one another to see which is the best fit.

But what can OSS tools do for companies? For one thing, there is a whole list of OSS that performs various security functions, from Snort, which is a very well-known and widely used intrusion-detection solution, to firewalls, to software that will lock down a PC and stop intrusion.

"You can just about create your whole security infrastructure [with OSS] and be very well served," said Bernard Golden, president of Navica Inc., a systems integrator that uses open source software in many of its applications.

He added that he has several clients who have used OSS, either alone or in combination with proprietary software, to build their security setup. Wheeler reinforced this point as well, noting, "OSS is already important to computer security." He also said the U.S. Department of Defense has been using free and OSS for computer security purposes for years.

Golden explains that security software is often like a burglar alarm: People put one in after an intrusion. In IT, it's too often an afterthought in system planning, and when IT managers get to thinking about it, there's no budget left. So the lower cost of OSS (for most OSS, there isn't a license fee) makes it a good choice.

So, if a company decides to use OSS for its security requirements, then is there a good method for determining how to do it? Of course. It turns out that it's a lot like the method a company would use for any similar kind of choice.

For example, Wheeler said, the most important task is that companies need to first figure out what their requirements are. "That's a step too many people forget," he added. "What are your threats? What are you trying to accomplish?"

He noted that it might be that once a company analyzes its situation thoroughly, it will find it may not need software for at least some of the requirements. "Maybe buying a separate un-networked machine will meet your requirements, for example," he said.

Once a company has determined what its needs are, it will have to answer more questions: Should it create an information fortress into which no one can penetrate? Or does it just need firewalls? If there are specific machines that need to be locked down, then Golden recommends a multi-step process for going about it. "First, harden the machine, then protect the machine, then harden the network and then, finally, manage the whole thing," he said.

By hardening, he means putting policies in place that will keep the machine secure. And protecting, he said, is putting something (a firewall, perhaps) in front of the machine to keep people from getting to it.

Once the company has identified the tasks and the steps to follow, it is in the selection stage. Said Wheeler: "Once you get down to the point of starting to evaluate specific software products, you need to evaluate them on the basis of a whole host of important attributes." He proposed four basic steps for selection: identify candidates, read existing reviews, briefly compare the leading programs' attributes to the company's needs and then perform an in-depth analysis of the top candidates.

Golden explained that once the software is in place, managing a company's security situation is critical. That's because there will be so much security information generated by the company's security solutions that it will be difficult making sense out of it all.

"How can you use that real-time information?" he asked rhetorically. Well, there are various open source tools for this management task. Golden mentioned Analysis Console for Intrusion Databases (ACID) in particular, noting that companies can hook ACID up to a database and to Snort, and "ACID will let you make sense out of mountains of data."
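To show what the "making sense out of mountains of data" step actually involves, here is a small added example (written for this page, not code from the article, from ACID or from Snort) that reduces raw intrusion-detection alerts to the counts an analyst would look at first: which signatures fire most, which sources and targets are involved, and which sources have triggered priority-1 alerts. It assumes Snort's single-line alert_fast output format; the sample alert lines, the hosts and the signature IDs below are constructed for the example and do not describe any real traffic or real ruleset.

```python
import re
from collections import Counter, defaultdict

# Constructed sample alert lines in Snort's alert_fast layout. Hosts are from
# documentation ranges, signature IDs are in the local (1000000+) range, and the
# last line is deliberately malformed to show how unparsable input is handled.
SAMPLE_ALERTS = """\
02/15-10:01:12.000001  [**] [1:1000001:1] LOCAL web request with suspicious path [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:51234 -> 192.0.2.10:80
02/15-10:01:13.000002  [**] [1:1000001:1] LOCAL web request with suspicious path [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:51235 -> 192.0.2.10:80
02/15-10:02:40.000003  [**] [1:1000002:1] LOCAL ICMP sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 198.51.100.22 -> 192.0.2.10
02/15-10:03:05.000004  [**] [1:1000001:1] LOCAL web request with suspicious path [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:51240 -> 192.0.2.11:80
02/15-10:04:00.000005  [**] [1:1000003:1] LOCAL DNS policy violation [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.0.2.50:3333 -> 192.0.2.10:53
02/15-10:05:00.000006  [**] truncated line with no structure
"""

# One alert_fast line: timestamp, [gid:sid:rev], message, optional
# classification, priority, protocol, source[:port] -> destination[:port].
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


def parse_alert(line):
    """Parse one alert_fast line into a dict, or return None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["prio"] = int(rec["prio"])
    return rec


def summarize(text):
    """Aggregate raw alert lines into the counts an analyst would look at first."""
    by_signature = Counter()          # (sid, message) -> number of alerts
    by_source = Counter()             # source address -> number of alerts
    by_target = Counter()             # destination address -> number of alerts
    high_priority = defaultdict(set)  # source -> messages of its priority-1 alerts
    unparsed = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_alert(line)
        if rec is None:
            unparsed += 1             # counted, not silently dropped
            continue
        by_signature[(rec["sid"], rec["msg"])] += 1
        by_source[rec["src"]] += 1
        by_target[rec["dst"]] += 1
        if rec["prio"] == 1:
            high_priority[rec["src"]].add(rec["msg"])
    return {
        "total": sum(by_signature.values()),
        "unparsed": unparsed,
        "by_signature": by_signature,
        "by_source": by_source,
        "by_target": by_target,
        "high_priority_sources": dict(high_priority),
    }


def report(summary, top=5):
    """Render the summary as a short text report."""
    lines = [f"{summary['total']} alerts parsed, {summary['unparsed']} unparsable line(s)"]
    lines.append("Top signatures:")
    for (sid, msg), n in summary["by_signature"].most_common(top):
        lines.append(f"  {n:4d}  sid {sid}  {msg}")
    lines.append("Top sources:")
    for src, n in summary["by_source"].most_common(top):
        lines.append(f"  {n:4d}  {src}")
    lines.append("Sources with priority-1 alerts:")
    for src, msgs in sorted(summary["high_priority_sources"].items()):
        lines.append(f"  {src}: {', '.join(sorted(msgs))}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarize(SAMPLE_ALERTS)))
```

The point of counting unparsable lines rather than discarding them is the same one Golden makes about management: an alert store that quietly loses records is worse than one that reports how much it could not read. A real deployment would read from Snort's alert file or the database ACID sits on instead of an embedded string.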

So it's a sure thing that companies can secure their enterprise with OSS. If they do, there will be two distinct advantages: lower cost than proprietary software, and the fact that OSS is, well, open. If a company gets attacked, it may be able to change its security infrastructure quickly. And there's a huge community of developers that can help companies and get patches ready much faster than a proprietary vendor typically does. In some ways, this makes the open source solution better than the alternatives.

ABOUT THE AUTHOR:
David Gabel has been testing and writing about computer and information technology for 25 years.