Forwarded from: Marjorie Simmons <lawyer@private>

http://www.newsfactor.com//story.xhtml?story_id=100000024QCG

By Mark Long
June 14, 2005

According to most security professionals, a top-tier, open-source security tool must have sufficient history to allow a practitioner to use it with confidence. And it must have a sufficiently large developer base to ensure that fixes will be available in light of discovered vulnerabilities.

Those responsible for enterprise security are increasingly turning to open-source applications in lieu of security products based on proprietary code -- and for many good reasons.

"Where open-source tools have an advantage in an enterprise is in their timeliness," said cryptography guru Ed Moyle of Security Curve. "Since no budget has to be allocated to deploy an open-source tool, it can often hit the ground faster than a commercial counterpart."

On the other hand, there is the question of accountability, Moyle noted. "Since there is no commercial entity overseeing a tool, on whom can the enterprise place pressure for added features or support?"

Beyond that history and developer base, a top-tier tool must also have a reasonably large user base, so that support questions will already have been answered in a public forum. There are many tools that meet these requirements, and they are in fact deployed at many large companies.

Tackling Basic Security Issues

Anthony Nadalin, Chief Security Architect for IBM's software group, recommends the Bouncy Castle cryptography APIs (a Java crypto library) and OpenSSL -- an open-source implementation of the secure sockets layer (SSL) and transport layer security (TLS) protocols. "What most customers are looking for are secure, reliable transactions," Nadalin said.
Bouncy Castle and OpenSSL form the basis for crypto and transport-level security, Nadalin said, which is one of the base requirements every customer has.

Indeed, OpenSSL is at the top of nearly everyone's list. "I don't think the impact of OpenSSL can be overstated," said Yankee Group senior analyst Andrew Jaquith. "It single-handedly democratized encryption by making a very high-quality implementation available for everyone to use -- and all for free."

OpenSSL is commercial-grade and interoperates with digital certificates issued by public certificate authorities like VeriSign, Thawte and GoDaddy. "Equally important, it includes the ability to generate your own private certificates for testing purposes," he said.

OpenSSL also includes a library of basic crypto functions, among them the message-digest (hash) algorithms used to validate the integrity of downloads from third-party sites: the digest of the downloaded file is computed locally and compared with the value the publisher lists.

Remote Connectivity

OpenSSH is another software package that comes highly recommended. This open-source implementation of the Secure Shell (SSH) protocol is designed to let administrators and users open a command shell on a remote host over an encrypted, authenticated channel.

The impact of OpenSSH has been profound because it enables secure, safe and easy-to-use communications with remote hosts when used in tandem with public keys instead of passwords, said Jaquith. "There is no 'password' to be guessed -- the user either possesses the key (a physical file) or not."

OpenSSH lets admins use public keys with a "key agent" on the client side: the agent holds the unlocked private key in memory, so the key's passphrase is entered once per session and subsequent logins are effectively passwordless. The server side can then be configured to refuse password authentication altogether. "The upshot is that using OpenSSH with public keys instead of passwords makes session communications more secure and easier to use," Jaquith said.

Like OpenSSL, OpenSSH is pretty much everywhere and comes standard on all commercial Linux distributions.
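The download-integrity check described in the OpenSSL section above, written out as an added example that is not part of the original article. It reads the two manifest layouts a practitioner meets (the `sha256sum` style that most projects publish and the `SHA256(file)= hex` style that `openssl dgst` prints), recomputes each digest and compares in constant time. Python's hashlib stands in for the OpenSSL digest library; the file names, manifests and "downloads" are constructed for illustration, and the digests are the well-known SHA-256 values of the string "abc" and of the empty string.

```python
import hashlib
import hmac
import re

# Two manifest layouts a practitioner meets: GNU coreutils "sha256sum" output
# ("<hex>  <name>", with "*" before the name for binary mode) and
# "openssl dgst" output ("SHA256(<name>)= <hex>").
_COREUTILS = re.compile(r"^(?P<hex>[0-9a-fA-F]{32,128})\s+\*?(?P<name>\S.*)$")
_OPENSSL = re.compile(r"^(?P<alg>[A-Za-z0-9-]+)\((?P<name>.+)\)=\s*(?P<hex>[0-9a-fA-F]+)$")
# Digest length in hex characters -> hashlib name, for manifests that do not say.
_BY_LENGTH = {32: "md5", 40: "sha1", 56: "sha224", 64: "sha256", 96: "sha384", 128: "sha512"}

# Constructed manifests and stand-in "downloads" so the example runs offline.
# The digests are the well-known SHA-256 values of b"abc" and of the empty string.
SHA256SUMS = """\
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  tool-1.0.tar.gz
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 *tool-1.0-README
"""
OPENSSL_MANIFEST = (
    "SHA256(tool-1.0.tar.gz)= "
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad\n"
)
DOWNLOADS = {
    "tool-1.0.tar.gz": b"abc",       # intact
    "tool-1.0-README": b"",          # intact, empty file
    "tool-1.0.tar.gz.sig": b"\x00",  # fetched, but the manifest says nothing about it
}
TAMPERED = {"tool-1.0.tar.gz": b"abd"}  # a single changed byte


def parse_digest_manifest(text):
    """Map file name -> (hashlib algorithm name, lowercase hex digest)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _OPENSSL.match(line)
        if m:
            alg = m.group("alg").lower().replace("-", "")  # "SHA-256" -> "sha256"
            entries[m.group("name")] = (alg, m.group("hex").lower())
            continue
        m = _COREUTILS.match(line)
        if m:
            alg = _BY_LENGTH.get(len(m.group("hex")))
            if alg:
                entries[m.group("name")] = (alg, m.group("hex").lower())
    return entries


def verify_download(data, expected_hex, algorithm="sha256"):
    """True iff data hashes to expected_hex.  A digest of the wrong length (wrong
    algorithm, truncated copy-paste) is a plain mismatch, never an exception, and
    the comparison is constant-time so it cannot serve as a timing oracle."""
    if algorithm not in hashlib.algorithms_available:
        raise ValueError(f"unsupported digest algorithm: {algorithm}")
    actual = hashlib.new(algorithm, data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.lower())


def verify_against_manifest(manifest_text, downloads):
    """Map each downloaded file name -> verified?  A file the manifest does not
    list is reported as unverified rather than silently skipped."""
    manifest = parse_digest_manifest(manifest_text)
    results = {}
    for name, data in downloads.items():
        if name not in manifest:
            results[name] = False
            continue
        algorithm, expected_hex = manifest[name]
        results[name] = verify_download(data, expected_hex, algorithm)
    return results


if __name__ == "__main__":
    for name, ok in verify_against_manifest(SHA256SUMS, DOWNLOADS).items():
        print(f"{'OK    ' if ok else 'FAILED'} {name}")
    print(verify_against_manifest(OPENSSL_MANIFEST, TAMPERED))
```

One caveat the article's sentence leaves implicit: a digest manifest fetched from the same site as the file only proves that the two agree. Whoever can replace the tarball can replace the manifest too, so the digest should come from a second channel (a signed release announcement, a detached signature, the project's own mirror) before the check means anything.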
"I wish Microsoft would just bite the bullet and include OpenSSH in Windows," Jaquith said. "It's much better than what they include now for a remote shell." Jaquith also suggested that every company should use it, in all cases, instead of telnet or other legacy session protocols. "You can, of course, compile OpenSSH for Windows yourself, or buy commercial versions from companies like F-Secure or SSH Corporation."

Regulatory and Security Implications

Still, OpenSSH and OpenSSL might not meet the needs of everyone, especially given that certain companies might be limited by the regulatory constraints of Federal Information Processing Standard (FIPS) 140-2, which requires that a cryptographic module be validated (under NIST's Cryptographic Module Validation Program) before it can be used to protect sensitive federal data.

"While OpenSSL is currently being evaluated against FIPS 140, this certification is not yet completed," noted Moyle. "It is therefore inappropriate in a federal government context. The same is true of OpenSSH."

Some companies use FIPS 140 as a guideline and require that deployed cryptographic tools be certified, just as would be required in a government context. In these cases, the tools can't be used because they would violate policy.

There have certainly been plenty of security flaws found in OpenSSH, OpenSSL and open-source packages like Apache Tomcat, observed Jaquith. "But generally speaking, any of the highly used packages have large user bases and a strong developer community that is motivated to fix things quickly," he said.

"All of these packages have gone through multiple releases -- dozens of revisions, actually," Jaquith said. "In the long run, the stability and longevity of the code base is an asset."

Scanning for Vulnerabilities

When it comes down to it, no matter what security products you deploy, you still need to test the hosts and services on your network for known vulnerabilities. Both Jaquith and Moyle rate Nessus as a top-tier open-source vulnerability scanner.
"Every security assessment nerd worth his salt knows what Nessus is," said Jaquith. "It's a good open alternative to some of the vulnerability management services. Companies that don't have active vulnerability-assessment testing programs in place should start with Nessus."

Particularly noteworthy is the fact that Nessus incorporates application-level vulnerability testing for common exploits. What that means, explained Jaquith, is that it will use a port scanner to identify the operating system and available services. Once it finds something, it will start iterating through a series of tests written in the Nessus Attack Scripting Language (NASL). The scanner then generates a report telling the administrator what it found -- evidence of missing patches, outdated software versions, susceptibility to buffer overflows and the like.

Network Monitoring Applications

Beyond tapping OpenSSH, OpenSSL and Nessus as their top-tier picks, security experts see considerable merit in the use of open-source applications for network monitoring, host-based firewalls and Java 2 Enterprise Edition (J2EE) authentication and authorization.

In particular, Moyle and Jaquith recommend the Nmap port scanner, which is designed to interrogate remote hosts to see what services they are running. It usually can identify the operating system correctly as well, by fingerprinting the behavior of the host's TCP/IP stack.

"Nmap is one of those basic security-assessment tools that has a lot of uses," noted Jaquith. "For example, many companies use it to 'sweep' their networks to see what hosts are there, and to see if any of them are running services that would violate policy." Jaquith himself uses Nmap to scan his production server from time to time to verify that only certain services are running.

Barracuda Networks vice president of engineering Zach Levow points to Nagios as one of the most widely used open-source, network-monitoring applications.
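The policy sweep Jaquith describes, automated over Nmap's own output, as an added example that is not from the article: Nmap's grepable format (`-oG`) is parsed and every open port is compared with a per-host list of approved services, so a telnet daemon, an unapproved database listener or a host nobody registered shows up as a violation. The scan output, addresses, host names and the policy below are constructed for illustration, not taken from a real network.

```python
import re

# Constructed sample in Nmap's grepable (-oG) format; not output of a real scan.
# Each "Ports:" entry reads port/state/protocol/owner/service/rpc-info/version/.
SCAN = """\
# Nmap 3.81 scan initiated Tue Jun 14 09:00:00 2005 as: nmap -sV -oG sweep.gnmap 10.0.0.0/29
Host: 10.0.0.1 (gw.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 3.9p1/\tIgnored State: closed (1662)
Host: 10.0.0.2 (web01.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 3.9p1/, 23/open/tcp//telnet//Linux telnetd/, 80/open/tcp//http//Apache httpd 2.0.54/, 443/open/tcp//ssl|http//Apache httpd 2.0.54/\tIgnored State: closed (1659)
Host: 10.0.0.3 (db01.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 3.9p1/, 111/filtered/tcp//rpcbind///, 3306/open/tcp//mysql//MySQL 4.1.12/\tIgnored State: closed (1660)
Host: 10.0.0.4 ()\tStatus: Down
Host: 10.0.0.5 ()\tPorts: 8080/open/tcp//http-proxy///\tIgnored State: closed (1662)
# Nmap done at Tue Jun 14 09:03:12 2005 -- 8 IP addresses (4 hosts up) scanned in 192.44 seconds
"""

# Constructed policy: the (protocol, port) pairs each host is approved to expose.
POLICY = {
    "10.0.0.1": {("tcp", 22)},
    "10.0.0.2": {("tcp", 22), ("tcp", 80), ("tcp", 443)},
    "10.0.0.3": {("tcp", 22)},  # MySQL is supposed to listen on the internal interface only
}
# Legacy cleartext session services that policy bans on every host.
BANNED_SERVICES = {"telnet", "rlogin", "rsh", "rexec"}

_HOST = re.compile(r"^Host:\s+(?P<ip>\S+)\s+\((?P<name>[^)]*)\)\t(?P<rest>.*)$")


def parse_grepable(text):
    """Map ip -> {"name": hostname, "ports": [(port, proto, state, service, version)]}."""
    hosts = {}
    for line in text.splitlines():
        m = _HOST.match(line)
        if not m:
            continue  # comment lines and anything else
        entry = hosts.setdefault(m.group("ip"), {"name": m.group("name"), "ports": []})
        for field in m.group("rest").split("\t"):
            if not field.startswith("Ports:"):
                continue
            for spec in field[len("Ports:"):].split(","):
                parts = spec.strip().split("/")
                if len(parts) < 7:
                    continue
                port, state, proto, _owner, service, _rpc, version = parts[:7]
                entry["ports"].append((int(port), proto, state, service, version))
    return hosts


def find_violations(hosts, policy, banned=BANNED_SERVICES):
    """List (ip, port, proto, service, reason) for every open port policy does not permit.
    Hosts missing from the policy are unknown assets, so everything open on them is flagged."""
    violations = []
    for ip, entry in sorted(hosts.items()):
        allowed = policy.get(ip)
        for port, proto, state, service, _version in entry["ports"]:
            if state != "open":
                continue  # closed or filtered ports are not exposure
            if service.split("|")[-1] in banned:  # "ssl|http" -> "http"
                violations.append((ip, port, proto, service, "banned legacy service"))
            elif allowed is None:
                violations.append((ip, port, proto, service, "host not in policy"))
            elif (proto, port) not in allowed:
                violations.append((ip, port, proto, service, "service not approved for host"))
    return violations


if __name__ == "__main__":
    for ip, port, proto, service, reason in find_violations(parse_grepable(SCAN), POLICY):
        print(f"{ip:<12} {port}/{proto:<4} {service:<10} {reason}")
```

In practice the `SCAN` text is the file written by `nmap -sV -oG sweep.gnmap <range>`; service names come from Nmap's version detection, so a daemon moved to a non-standard port is still caught by name rather than by port number alone.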
"Utilizing a modular-based 'polling' system, administrators can monitor hardware appliances, network equipment, server equipment and various other electronic devices to check the health of the device," Levow noted.

"In cases where machines are often being exploited or hacked, certain aspects of those devices will change very rapidly, thus triggering a monitoring alarm in Nagios, which can send an alert so the issue can be investigated," he added.

Host-Based Firewalls

IPTables and IPFW are host-based packet filters for Linux and for FreeBSD-derived systems, respectively. Both of them do the same thing: they block access to particular server ports using a flexible rule-based language. "If you've got Mac OS X, for instance, you've got IPFW under the covers -- with an absolutely fantastic and intuitive GUI, I might add," said Jaquith.

The firewall software can be configured to reject connections -- typically the default, answering with a TCP reset or an ICMP unreachable message -- or to drop the packets silently and not respond at all. The latter is often called "stealth mode": because the blocked ports never answer, a scanner like Nmap reports them as "filtered" rather than "closed" and must wait out a timeout on each one, which slows the scan considerably. It does not make the host invisible, though; any port that does accept connections is still found, and the silence itself tells the scanner a filter is in place.

The firewall also can redirect traffic, serve as a gateway host for network address translation, or "shape" traffic for applications like VoIP. Finally, both packages can log suspicious packets, where they can be analyzed by an intrusion-detection system.

"All major Linux distributions have IPTables, and all major BSDs have IPFW," Jaquith noted. "Companies should use them to block access to all ports other than those in use; running it in 'stealth' mode is also a good idea, in my view."

J2EE Authentication and Authorization

Many companies building serious Web-based applications now use commercial Java 2 Enterprise Edition servers like BEA, IBM WebSphere and Oracle Application Server, as well as open-source products that implement the J2EE specification, including JBoss and the servlet containers Tomcat and Jetty.
To pass the J2EE compatibility test, all of these servers must support a particular set of authentication and authorization standards. The authentication part enables companies to plug in whatever method they choose -- looking up a password in a Lightweight Directory Access Protocol (LDAP) directory or a database, or demanding a digital certificate or a SecurID token. The authorization part maps the user to a set of named roles: customer, manager, administrator, auditor and so forth. The Web application can then allow or deny access to particular pages or program functions by role, declared in its deployment descriptor rather than coded into each page.

What this means is that the Java world has been able to develop a highly standardized way of thinking about role-based access control.

"If you're building a Web-based application, you should be using J2EE security," Jaquith said. "Tomcat, in particular, is pervasive in enterprises for testing purposes, and increasingly for production applications. And there are plenty of do-it-yourselfers like me who use it in production."

Every Bit as Good?

Barracuda Networks' Levow sees considerable merit in the use of open-source antivirus and antispam tools, and specifically points to ClamAV as the largest and also most widely used open-source antivirus technology.

"With a well-built team of contributors helping improve the accuracy and virus definitions as they enter the digital age, ClamAV is a highly respected and very accurate antivirus engine," said Levow.

SpamAssassin, another widely used tool and one worth mentioning here, relies on a feature-rich code base that rates particular characteristics of an e-mail on a point system. Administrators set a threshold on the resulting score and control how messages above it are treated -- tagged, quarantined or rejected.

"With respect to the tools I've mentioned, I don't think there is any question that they are every bit as good as their commercial equivalents," Jaquith said.
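Returning to the J2EE authentication and authorization section above: the declarative role-based access control it describes lives in the application's web.xml, and the following added example (not code from the article or from any of the servers it names) shows a constructed descriptor together with a simplified reproduction of the container's authorization decision: pick the best-matching url-pattern, take the union of roles across constraints on that pattern, let an empty auth-constraint deny everyone. The second constraint deliberately lists only GET, a classic pitfall in J2EE 1.4-era descriptors: every other method on that path is left unconstrained, so a POST from an unprivileged user slips through. The paths and role names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment, not from any real application.  The /reports/*
# constraint deliberately lists only GET, a common misconfiguration that leaves
# every other method (POST, HEAD, ...) on that path unconstrained.
WEB_XML = """\
<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin console</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>administrator</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports (WEAK: only GET is constrained)</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Customer pages</web-resource-name>
      <url-pattern>/account/*</url-pattern>
      <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>customer</role-name><role-name>manager</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>FORM</auth-method></login-config>
</web-app>
"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the XML namespace

def _matches(pattern, path):
    # Servlet url-pattern rules: exact, path prefix "/x/*", extension "*.ext", default "/".
    if pattern == path or pattern == "/":
        return True
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    return pattern.startswith("*.") and path.endswith(pattern[1:])

def _specificity(pattern):
    # Containers rank exact > longest path prefix > extension > default.
    if pattern == "/":
        return (0, 0)
    if pattern.startswith("*."):
        return (1, 0)
    return (2 if pattern.endswith("/*") else 3, len(pattern))

def load_constraints(web_xml):
    """Return [(url_patterns, http_methods, roles)].  roles is None when the constraint
    has no <auth-constraint> (open) and an empty set for <auth-constraint/> (deny all)."""
    constraints = []
    for sc in ET.fromstring(web_xml):
        if _local(sc.tag) != "security-constraint":
            continue
        patterns, methods, roles = set(), set(), None
        for child in sc:
            if _local(child.tag) == "web-resource-collection":
                for c in child:
                    if _local(c.tag) == "url-pattern":
                        patterns.add(c.text.strip())
                    elif _local(c.tag) == "http-method":
                        methods.add(c.text.strip().upper())
            elif _local(child.tag) == "auth-constraint":
                roles = {r.text.strip() for r in child if _local(r.tag) == "role-name"}
        constraints.append((patterns, methods, roles))
    return constraints

def authorize(constraints, path, method, user_roles):
    """Decide (allowed, reason) for a principal holding user_roles (empty = unauthenticated),
    following the spec's combination rules for constraints on the best-matching pattern."""
    method = method.upper()
    hits = [p for pats, _, _ in constraints for p in pats if _matches(p, path)]
    if not hits:
        return True, "no security-constraint covers this path"
    best = max(hits, key=_specificity)
    applicable = [roles for pats, methods, roles in constraints
                  if best in pats and (not methods or method in methods)]
    if not applicable:
        return True, f"constraints on {best} do not cover {method}"  # the GET-only hole
    if any(roles is not None and not roles for roles in applicable):
        return False, "empty auth-constraint denies everyone"
    if any(roles is None for roles in applicable):
        return True, "a constraint without auth-constraint opens the resource"
    allowed = set().union(*applicable)
    granted = allowed & user_roles
    if "*" in allowed and user_roles:
        granted = granted or {"*"}
    if granted:
        return True, "permitted via role " + ",".join(sorted(granted))
    return False, "requires one of " + ",".join(sorted(allowed))

CONSTRAINTS = load_constraints(WEB_XML)
```

The fix for the weak constraint is simply to omit `<http-method>` so the rule covers every method; later servlet versions (3.1 onward) also offer `<deny-uncovered-http-methods/>` to close the gap globally, but containers of the article's era had no such switch, which is why this check is worth running against a descriptor before deployment.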
From the eyes of an attacker, said Jaquith, it certainly helps to have the source code. "But remember that most of the successful attacks are remote buffer overflows," he said. "You don't need access to the source to tell you how to mount a successful attack; either the server falls over when you throw voodoo packets at it, or it doesn't."

Bottom Line on Coding

"My view is that it is hard to compare both [open-source and proprietary security applications] on an equal footing," said CEO Mary Kirwan of international security consultancy Headfry, Inc. Kirwan is not convinced that quality code is invariably found in open-source applications, although she would like to be persuaded otherwise.

"I suspect that the real issue is the extent to which anyone -- especially in the commercial sector -- is motivated to write decent code, with a continued emphasis on feature-rich environments and speed to market," Kirwan said. "If good coding habits and skills are taught in school, they are quickly abandoned in the real world, as promotions are rarely based on ability to spit out quality code."

By contrast, Moyle believes that the support obtained from reading an archive of an open-source tool's user list often is more accurate and timely than the support paid for in the context of a commercial purchase. The actual delivery of the tool also is timely -- "usually just minutes for a download to complete rather than weeks or months waiting for the procurement cycle," he said. "From an audit perspective, it is beneficial that the source code is exposed."

As a caveat, Moyle noted, the open-source community typically espouses the philosophy of release early, release often. "What this means in practice is that enterprises using a given tool need to keep abreast of patches and updates for the tools."
This archive was generated by hypermail 2.1.3 : Thu Jun 16 2005 - 23:11:36 PDT