[ISN] Linux snares security tool

From: InfoSec News (isnat_private)
Date: Wed Nov 07 2001 - 01:35:07 PST

  • Next message: InfoSec News: "[ISN] Compendium of *nix lpd vulnerabilities"

    By Nicole Bellamy
    ZDNet Australia 
    November 6, 2001 5:46 PM PT
    InterSect Alliance says it has developed the first integrated security
    auditing and event logging subsystem for the open source Linux
    operating system, beating much larger organizations to the punch.
    Its new tool, Snare (System iNtrusion Analysis and Reporting
    Environment) has been developed with a goal of reducing the cost of
    entry into system auditing and host-based intrusion detection for
    system managers, simplifying the process of configuration, reducing
    resource requirements and providing meaningful reporting to end-users.
    According to Leigh Purdie, director and principal security consultant,
    this is the first release of code for a host-based intrusion detection
    system, although there have been inroads made into the development of
    source code to address network-based intrusion detection.
    The two systems differ in that while a network-based intrusion
    detection tool enables the user to determine when an intrusion is
    being attempted, the host-based system allows the user to identify
    when an intrusion has been successful.
    Purdie believes that the lack of the Snare code has hindered the
    adoption of Linux into widespread use by organizations in Australia.
    By releasing Snare as open-source software, he hopes this will "set
    Linux on the path towards acceptance by organizations."
    The Snare auditing subsystem is designed to "enhance an organizations
    ability to detect suspicious activity by monitoring system and user
    actions", as stated in its release report.
    Given the current debate surrounding staff-monitoring, Purdie was
    quick to point out that InterSect Alliance is not responsible, nor
    accountable for, any privacy infringements occuring as a result of
    organizations using this system. However, the company does intend to
    provide privacy recommendations to organizations as a part of its
    training on the product.
    "Privacy is critical in a lot of institutions. When we provide
    solutions we recommend one of the things they (organizations)
    implement is staff contact; to let staff know what is happening, why
    it's happening, what data is being used for," said Purdie.
    Snare fills Linux security void
    The lack of integrated security features--perceived or actual--has
    long been a barrier to widespread Linux adoption.
    According to an InterSect Alliance report, "the lack of host-based
    intrusion detection in the form of an auditing system, has been cited
    in the past by organizations as a significant contributor to the
    decision to choose alternative operating systems over Linux in
    operational roles."
    InterSect Alliance decided to pursue the Snare project as a means of
    addressing this shortcoming and therefore boost Linux' appeal.
    While working on similar tools for other operating systems, such as
    Sun's Solaris and Microsoft's Windows NT--all of which contained an
    audit collection subsystem--the company realized the lack of this
    feature in Linux, and "thought something was missing," according to
    What followed was eight months of effort and "not having a life", said
    George Cora, director and principal security consultant.
    While eight months seems minimal in software development terms, Purdie
    maintains that Snare is actually the culmination of ten year's work
    into the host-based intrusion detection system, added to a combined
    total of more than twenty year's experience in security for the
    The short time to market can also be attributed to three other
    factors, according to Cora: "We have the programming skills, we have a
    small company that is not bureaucratic, and we put aside the
    established OSes (operating systems) and started from scratch."
    He also maintains that the presence of the open-source community
    allowed them a shorter development time.
    InterSect Alliance does not have the infrastructure in place to
    distribute Snare commercially, but by using the open-source community,
    it was able to release the software quickly, to a widespread audience.
    Cora believes that releasing Snare as open source should also lead to
    a faster uptake of the product itself.
    "If we had tried to commercialize this [rather than releasing as
    open-source software], people would be less eager to use it due to the
    cost of entry associated with it," Cora said.
    This lowered cost of entry is the ingredient that will ensure much of
    the product's success. Already InterSect Alliance has received
    pre-release queries from local--and global--organizations.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Wed Nov 07 2001 - 03:26:01 PST