1 W H I T E P A P E R Open Source Software for Cyber Operations: Delivering Network Security, Flexibility and Interoperability
2 Introduction For the last decade, the use of open source software (OSS) in corporate and government environments has steadily increased, a fact not only due to the significant number of available applications but also to the widespread acknowledgement of the technological and business advantages that are realized with OSS deployments. Beyond the business applications, OSS also has a strong presence in the network security and cyber intelligence world, as innovative and feature-rich cyber tools available as open source distributions are a mainstay in many NOCs, SOCs, and enterprise IT security groups. Network and cyber security professionals, whether managing networks for enterprises or complex federal government agencies, face a constantly evolving world of cyber attacks and threats by criminals and hackers that remain relentless in their determination to compromise targets and access high-value data. However, tight budgets are forcing these companies and agencies to look for ways to meet their information assurance and network security objectives while also containing spending. The result is an increasing demand for economically viable cyber intelligence and network defense capabilities to insure secure information delivery and assurance in this volatile networking environment. Fortunately, some of the most innovative cyber security and network traffic analysis solutions are available to companies and government agencies as open source software applications. Adoption of OSS has soared in recent years across a variety of industries and at all levels of government, as corporate executives, agency leaders and key stakeholders increasingly embrace the advantages these applications present over proprietary solutions and selffunded initiatives. By deploying open source cyber applications, companies and agencies can implement the best solutions for their needs without many of the security, interoperability and cost challenges associated with proprietary or in-house developed tools. This white paper explores some key benefits to companies and agencies when open source applications are deployed to enhance cyber security and network awareness. In addition to offering a list of commonly deployed applications, the paper also discusses the improvements in flexibility, agility, solution stability, as well as the potential reduction in the total cost of ownership that comes with open source solutions. 1
3 5 Key Values of Open Source Software 1. Breadth and Depth of Open Source Cyber Security Solutions Given the complex, bandwidth-intensive, and typically sensitive nature of many enterprise and government agency networks, cyber teams are especially eager to deploy open source applications that provide greater visibility, security, and control over network traffic. Several leading edge open source cyber applications are available to and are being deployed by corporate and government IT and security managers today, particularly to address network security, flow analysis, and traffic monitoring requirements. Key Open Source IDS/IPS Applications: Application Purpose Description Bro Passive Intrusion Detection Active Inline Prevention Network IDS/IPS application using event-oriented analysis for network traffic analysis and network security monitoring SNORT Passive Intrusion Detection Active Inline Prevention Network IDS/IPS application that combines the benefits of signature, protocol, and anomaly-based inspection methods Suricata Passive Intrusion Detection Active Inline Prevention High performance Network IDS/IPS and Network Security Monitoring engine, developed by the Open Information Security Foundation (OISF) Key Open Source Flow Monitoring Applications: Application Purpose Description Argus System & Network Monitoring Audit data to support network operations, performance, and security management, including network forensics, non-repudiation, network asset and service inventory SiLK Flow Analysis Engine Delivers historic and real-time analysis of network traffic YAF Flow Analysis Sensor Network flow recording program that processes packet flows into IPFIX format for later analysis Key Open Source Utility Applications: Application Purpose Description Barnyard2 Spooler for SNORT Binary Output Files Offloads the processing of the SNORT unified2 binary output into textual or database type formats nprobe NetFlow Collector Scalable network monitoring architecture that passively monitors and collects netflow information on high-speed network links ntop GUI for Network Metrics Network traffic probe that displays network usage TCPdump Packet Capture Open source tool for capturing and analyzing packets 2
4 Location #1 Location #2 Network Characteristics Classified and Unclassified (or Public) Networks Single and/or Multiple Locations Legitimate and Malicious Users Internal & External Threats Unclassified or Public Network INTERNET Open Source Cyber Security Applications Argus Barnyard2 Bro nprobe ntop Classified or Private Network SiLK SNORT Suricata TCPdump YAF Location #3 Protection Tools for Government and Company Networks A high-performance networking device capable of aggregating multiple cyber applications on a single platform: Intrusion Detection & Prevention Network Flow Analysis Monitoring & Surveillance For example, open source network flow recording and analysis tools, like YAF and SiLK, can provide network security and cyber analysts with comprehensive visibility into network protocols and data traversing the network, presenting an all-inclusive view of the network environment, network users, and bandwidth trends. By recording and analyzing network flows, YAF and SiLK can help identify and report policy violations as well as viruses, worms, botnets, malware and other vulnerabilities. As seen above, open source software for cyber operations is widely available for corporate and government use. However, companies and agencies must carefully select the appropriate host processing platform(s) to meet network security and bandwidth requirements; usually these applications function best when integrated with a high-performance platform that is optimized for packet processing applications. 2. Empowering Cyber Operations with Flexibility and Agility Given the continually changing landscape of cyber threats, cyber teams need flexibility, control and oftentimes scalability over the form, fit and function of network security solutions. However, rather than enabling teams with customized solutions that are best-suited for their objectives, proprietary products can create vendor dependency, locking the group into costly products with pricey licensing agreements. Unfortunately, once locked-in to a single vendor solution, the switching costs to more flexible, value-add solutions may be high. Open source software based solutions eliminate vendor lock-in and dependency. Instead of relying on one specific vendor, cyber security professionals have access to a wide range of best of breed technologies and are freed from dependency (and risk) on a single vendor for upgrades, security patches and other enhancements. Similarly, government-off-the-shelf (GOTS) solutions afford agencies a high level of direct control over product specifications and can be freely shared among agencies, however these applications require dedicated software programmers and can be costly to modify and maintain. Modular open source systems allow programmers and cyber analysts to adapt key features or add new capabilities when needed, rapidly developing and deploying customized applications to address their specific challenges. Open source allows these cyber professionals to tailor existing open source code, minimizing the time and money needed to create a custom solution. 3
5 3. Bolstering Security and Innovation Open source users can count on a large and active community that offers best practices in network security, cyber intelligence and information assurance. This community presents a significant pool of knowledge and resources cyber operations managers can tap for fresh ideas, a variety of opinions and reliable insight, as opposed to relying on a single vendor source. The open source user community is particularly beneficial when it comes to one of the most pressing concerns for large corporations and government agencies: cyber security. For these mission-critical and often highly sensitive networks, security vulnerabilities are not an option. Fortunately, access to open source program blueprints enhances security while also promoting continuous product improvement. User communities are constantly testing and validating open source software. When security patches are required, the open source community responds rapidly to fix the bugs, developing fixes for security vulnerabilities, sharing code patches and continually refining and refreshing software, ensuring that open source solutions continuously evolve and improve. This open source community approach enhances security, since vulnerabilities are quickly identified and remedied before they can be exploited. In other words, cyber security vulnerabilities are minimized when thousands of experienced programmers have the opportunity to independently view, modify and validate the blueprint. 4. Doing More with Less A perennial challenge for cyber operations and IT managers is making the most of tight budgets in networking environments where they lack the necessary human and financial resources required to keep up with software changes, equipment upgrades, licensing fees and maintenance costs that come with closed or proprietary technologies. Open source software has lower total cost of ownership (TCO) than closed solutions, and enables companies and government agencies to develop and deploy scalable applications at a fraction of the time and cost of proprietary software. Often, open source solutions are available for free with technical support in terms of ongoing patches and upgrades provided by the community at large. In additional, further reductions in operating expenditures can be realized by utilizing a highperformance cyber application platform that allows multiple open source applications to run simultaneously on common data streams without impacting performance. 5. Supporting Collaboration and Interoperability With open source, IT managers and cyber operations teams can share critical information among and within peer divisions and agencies. Open source makes it easier for groups to collaborate among themselves and with commercial solutions providers, and to provide any necessary external access to resources and information. For example, companies and government agencies can configure some open source cyber security applications to import real-time threat intelligence or policy updates from commercial data feeds, thereby implementing a continuously updated network security solution. 4
6 Bivio Networks: Optimizing Open Source Applications with High-Performance Infrastructure To optimally support open source network security applications with minimal porting effort, large companies and government agencies need a robust and reliable network infrastructure that can process the deep packet inspection and analysis functions of cyber applications at network speeds from multi-gigabit to over 40 Gbps on a single platform. To this end, Bivio Networks cyber security application platforms have many flexible and agile configuration options that allow the system to be scaled for throughput and performance across a wide range of packet processing workloads. This architecture is uniquely suited to support the deep packet processing capabilities of a variety of open source applications and services. Leveraging Bivio s carrier-grade platforms, companies and government agencies achieve dramatic increases in the performance of open source applications. The Bivio platform is specifically designed to host and manage multiple open source applications on a tightly-integrated system. This capability enables network managers and cyber analysts to simultaneously run multiple security applications in parallel on a shared platform to improve network security posture without compromising the system throughput and performance. For example, a single platform could host Suricata along with Argus to deploy both a high-speed network IDS/IPS and bi-directional flow analysis engine as a consolidated cyber solution. The consolidation of multiple applications on the platform also simplifies and eases system management through a single, efficient, Linux-based interface. This simplified management can reduce the learning curve for users and help reduce system downtime, human error or data loss so that analysts can focus on the core network and cyber monitoring tasks. This same architecture further enables the platform to deliver unprecedented performance in a single system for processor-intensive open source applications such as the Bro Network Security Monitor. Rather than using a cluster of separate servers, the Bivio platform effectively integrates the equivalent processing performance into a less complex, more compact, and simpler to manage cyber security system. Get Ahead with Open Source Budget and security considerations often keep companies and government agencies from getting ahead of the curve when it comes to advancing their networks in support of unique objectives. But with open source software, cyber teams can more readily implement the applications that are best-suited to mitigate network security threats, facilitate collaboration and adapt to evolving network requirements without the restrictions of proprietary or self-funded initiatives. Corporations, government agencies, and educational institutions are increasingly recognizing that, when deployed on high-performance cyber application platforms like Bivio s, the benefits of open source are many and are moving forward to deploy open source applications to lower costs, promote and encourage innovation and safeguard their networks. For more information on how your cyber team can get ahead with open source applications and Bivio platform solutions, please visit 5
7 About Bivio Networks Founded in 2000, Bivio Networks is dedicated to providing leading networking products that enable government agencies and service providers to control, monitor and secure critical network infrastructure. A leader in cyber intelligence, cyber security and network control solutions, Bivio has deployed its products in a wide range of environments. Bivio s global customer base includes leading defense department and intelligence agencies, service providers and enterprises. Bivio is privately-held and is headquartered in the San Francisco Bay Area. More information is available at Bivio Networks, Inc Willow Road, Suite 240 Pleasanton, California Phone: Fax: Bivio Networks, Inc. All rights reserved. The Bivio logo, BiviOS, Bivio 7000 Series, and Bivio 8000 Series are trademarks or registered trademarks of Bivio Networks, Inc. All other company and product names may be trademarks of their respective owners. Bivio Networks may make changes to specifications and product descriptions at any time, without notice.