Managing Security in a Free/Open Source Environment Jay Beale, Intelguardians, LLC; Information Security Magazine; Bastille Linux
Outline 1. FOSS security tools success stories 2. FOSS security issues
Success Stories: Snort (Intrusion Detection System); Nessus (Vulnerability Assessment); Nmap (Host/application Enumeration); Bastille (Config lockdown / Firewall); Ethereal (Network Analysis / Sniffer); iptables (Firewall); FreeS/WAN (Virtual Private Network)
Snort Network-based Intrusion Detection System Captures every packet on its network link Checks packets against rules that define attacks Checks packets against protocol definitions, or at least norms Largest install base in the world
Reason: Ability to create content In a signature-based IDS, the speed at which new signature rules can be written is a major success factor. The community of IDS analysts creates and shares Snort signatures as they respond to a new type of attack. Being able to create your own rules is a powerful capability for organizations with capable staff.
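To make concrete what "creating your own rules" involves, here is an added example, written for this page and not taken from Snort or from the talk: a Python matcher for a small subset of the Snort rule language, run against constructed packets. It parses the rule header (action, protocol, source and destination addresses and ports, direction) and the msg, content (including the |hex| byte notation), nocase and sid options; other options such as flow and classtype are accepted and ignored, $VARIABLE addresses match anything, and backslash escapes inside content strings are not handled. The three rules and four packets are constructed for the demonstration, with sids in the 1000000+ range reserved for local rules.

```python
"""Evaluate a small subset of the Snort rule language against constructed packets.
Added example for this page, not Snort's code: handles the rule header plus the
msg, content (with |hex| notation), nocase and sid options; other options are ignored."""
import re
from collections import namedtuple
from dataclasses import dataclass, field

Packet = namedtuple("Packet", "proto src sport dst dport payload")

@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str = ""
    sid: int = 0
    contents: list = field(default_factory=list)  # [pattern_bytes, nocase] pairs, in rule order

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")

def decode_content(text):
    """Content string to bytes: text between | | is hex (e.g. |90 90|), the rest literal."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return bytes(out)

def parse_rule(text):
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable rule header: " + text)
    rule = Rule(m["action"], m["proto"].lower(), m["src"], m["sport"], m["dst"], m["dport"])
    for opt in m["opts"].split(";"):                 # options are 'key:value' or bare 'key'
        key, _, value = (s.strip() for s in opt.partition(":"))
        if key == "msg":
            rule.msg = value.strip('"')
        elif key == "sid":
            rule.sid = int(value)
        elif key == "content":
            rule.contents.append([decode_content(value.strip('"')), False])
        elif key == "nocase" and rule.contents:      # modifier applies to the preceding content
            rule.contents[-1][1] = True
        # flow, classtype, rev and any other option are accepted but not evaluated here
    return rule

def port_matches(spec, port):
    if spec == "any":
        return True
    if ":" in spec:                                  # range, e.g. 1024: or 6000:6010
        lo, _, hi = spec.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port

def addr_matches(spec, addr):
    # 'any' and $VARIABLES such as $HOME_NET match everything here; a literal must match exactly
    return spec == "any" or spec.startswith("$") or spec == addr

def rule_matches(rule, pkt):
    if rule.proto != pkt.proto.lower():
        return False
    if not (addr_matches(rule.src, pkt.src) and port_matches(rule.sport, pkt.sport)):
        return False
    if not (addr_matches(rule.dst, pkt.dst) and port_matches(rule.dport, pkt.dport)):
        return False
    for pattern, nocase in rule.contents:            # every content must occur somewhere in the payload
        hay = pkt.payload
        if nocase:
            pattern, hay = pattern.lower(), hay.lower()
        if pattern not in hay:
            return False
    return True

def alerts(rules, packets):
    """(sid, msg) for every alert rule that fires, in packet order then rule order."""
    return [(r.sid, r.msg) for p in packets for r in rules
            if r.action == "alert" and rule_matches(r, p)]

# Constructed rules; sids 1000000 and up are the range reserved for locally written rules
RULE_TEXT = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed cmd.exe request"; '
    'flow:to_server,established; content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1000001;)',
    'alert tcp any any -> any 21 (msg:"constructed FTP SITE EXEC"; content:"SITE"; nocase; '
    'content:"EXEC"; nocase; sid:1000002;)',
    'alert tcp any any -> any 80 (msg:"constructed NOP sled over HTTP"; content:"|90 90 90 90 90 90 90 90|"; sid:1000003;)',
]
RULES = [parse_rule(r) for r in RULE_TEXT]

# Constructed packets with made-up payloads and RFC 1918 addresses
PACKETS = [
    Packet("tcp", "10.1.1.5", 40000, "192.168.1.10", 80, b"GET /scripts/..%255c../winnt/system32/CMD.EXE?/c+dir HTTP/1.0\r\n"),
    Packet("tcp", "10.1.1.5", 40001, "192.168.1.10", 80, b"GET /index.html HTTP/1.0\r\n"),
    Packet("tcp", "10.1.1.7", 40002, "192.168.1.20", 21, b"site exec %p%p%p%p\r\n"),
    Packet("tcp", "10.1.1.9", 40003, "192.168.1.10", 80, b"POST /x HTTP/1.0\r\n\r\n" + b"\x90" * 64),
]

if __name__ == "__main__":
    for sid, msg in alerts(RULES, PACKETS):
        print(f"[1:{sid}] {msg}")
```

The first packet fires only the cmd.exe rule (nocase makes CMD.EXE match), the plain index.html request fires nothing, the FTP packet fires the two-content rule, and the NOP-filled POST fires only the hex-content rule. Writing a new rule is a one-line change to RULE_TEXT, which is exactly the turnaround the slide is describing; what real Snort adds on top of this toy is flow tracking, protocol decoding and a fast multi-pattern matcher.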
Commercial products supporting Snort rules: ISS RealSecure; Symantec's ManHunt; Enterasys Dragon; Intrusion Inc.'s SecureNet
Snort: a Standard? The SANS Institute, which probably trains more IDS analysts than any other org, teaches a day on Snort in their IDS certification. Snort rules have become the standard method for communicating an IDS rule.
Snort: Performance Snort almost always places in the Top 3 in tests of IDSs, placing above commercial solutions.
Snort: Support Author, Martin Roesch, started Sourcefire Inc to support and productize Snort. Managed Security Service Providers have used Snort to provide an outsourced IDS deployment and monitoring service.
Nessus Vulnerability Assessment software Extremely popular Many organizations have built their internal VA practice around Nessus. Author, Renaud Deraison, helped to start Tenable Security, productizing Nessus. Project servers are hosted by US Government departments.
Support for Nessus Primary web and FTP servers hosted by: US Department of Commerce, National Technical Information Service. CVS and mail servers hosted by: US Treasury Inspector General for Tax Administration, Strategic Enforcement Division.
Nmap Host and application enumeration Industry-leading host and application enumeration technology. Author has licensed code to commercial companies.
Bastille Lockdown tool and firewall. Dramatically reduces out-of-the-box vulnerabilities through Best Practices. Hewlett Packard contributes actively toward both HP-UX support and software at large. IBM contributes for SuSE support.
Ethereal Network sniffer and protocol parser. Gathers packets, reconstructs streams and parses protocols to help in analysis. Comparable to the best commercial products in its space.
iptables Linux built-in firewall code Comparable capabilities to Check Point FireWall-1, but no GUI Ex: USI Application Service Provider
FreeS/WAN Virtual private network capability for Linux Allows an administrator to quickly build point-to-point encryption tunnels or entire private networks. Ex: well-authenticated, private wireless networks
Part II Free / Open Source Software Issues to Consider
Code Integrity: Install-time How do I make sure I got the right program code and prevent tampering? Programs are generally PGP-signed. To do it yourself, check the PGP signature against a key obtained out of band (keyservers, the project mailing list, the project web site) rather than one fetched from the same place as the download. We usually offload this task onto a vendor like Red Hat or one specific to this code.
Code Audit: Advantage Open Source code allows for code audit. In reality, few organizations audit their code. It's too time-intensive. At the same time, the code is available. Some organizations pay consultants to audit code they're using or considering. This is especially true for commercial companies building solutions on open source programs.
Code Contributors If a program is Open Source and anyone can work on it, how do I make sure a hostile party hasn't inserted malicious code? Open Source programs are maintained by a project lead (PL), who vets code submissions. Once programmers show quality in their code and designs, the PL may give them submission rights. Is this same standard held in commercial companies?
Patch Management How do I know when I need to patch? How do I acquire patches? What if the program maintainer decides not to issue a patch? How do I confirm that a patch is authentic? Generally, we offload all of these questions onto our vendor, like Red Hat.
When to Patch? Each project maintains a web site listing vulnerabilities and patches. If we use a distribution vendor (like Red Hat), they maintain a central repository for patches and announce both vulnerabilities and patches. Many vendors make patching easy: Red Hat includes a tool called up2date which downloads necessary patches and can, optionally, install them automatically.
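"How do I know when I need to patch?" comes down to comparing what is installed against the fixed version an advisory names, and package version strings do not compare as plain text. The following is an added example, written for this page and not code from Red Hat, rpm or up2date: a Python re-implementation of the ordering rules of rpm's rpmvercmp() (alphabetic versus numeric segments, leading zeros, the ~ pre-release marker, leftover segments) plus epoch:version-release comparison, applied to a constructed advisory and a constructed list of installed packages. The package names and versions are made up; the advisory is not a real one. The INSTALLED shape assumes output from rpm -qa with the query format shown in the comment.

```python
"""Decide which installed RPM packages are older than an advisory's fixed versions.
Added example for this page, not Red Hat's or rpm's code: rpmvercmp() below follows the
rules of rpm's rpmvercmp(), and the advisory and installed-package data are constructed."""

def _take(s, i, pred):
    """Return the run of characters from s[i] satisfying pred, and the index after it."""
    j = i
    while j < len(s) and pred(s[j]):
        j += 1
    return s[i:j], j

def rpmvercmp(a, b):
    """-1, 0 or 1 as version string a is older than, equal to or newer than b."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # skip separator characters ('.', '-', '_', ...), but stop at '~'
        while i < len(a) and not a[i].isalnum() and a[i] != "~":
            i += 1
        while j < len(b) and not b[j].isalnum() and b[j] != "~":
            j += 1
        # '~' sorts before anything, even the end of the string, so 1.0~rc1 < 1.0
        a_tilde = i < len(a) and a[i] == "~"
        b_tilde = j < len(b) and b[j] == "~"
        if a_tilde or b_tilde:
            if not a_tilde:
                return 1
            if not b_tilde:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        isnum = a[i].isdigit()
        pred = str.isdigit if isnum else str.isalpha
        seg_a, i = _take(a, i, pred)
        seg_b, j = _take(b, j, pred)
        if not seg_b:                   # one side numeric, the other alphabetic
            return 1 if isnum else -1   # a numeric segment is always newer
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):            # more digits means a bigger number
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return 1 if i < len(a) else -1      # whichever string still has characters left wins

def parse_evr(evr):
    """Split 'epoch:version-release' into (int epoch, version, release).
    Epoch defaults to 0; rpm prints '(none)' for an unset epoch."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    if epoch == "(none)":
        epoch = "0"
    version, dash, release = rest.rpartition("-")
    if not dash:
        version, release = rest, ""
    return int(epoch), version, release

def evrcmp(a, b):
    """Compare two EVR strings: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    c = rpmvercmp(va, vb)
    return c if c else rpmvercmp(ra, rb)

# Constructed advisory: package -> first fixed EVR. Not a real advisory or real packages.
ADVISORY_FIXED = {"widgetd": "0:2.4.1-3", "libfrob": "1:1.0-1", "netmon": "0:4.2~rc2-1"}

# Constructed installed set, in the shape of:  rpm -qa --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n'
INSTALLED = {"widgetd": "(none):2.4.1-2", "libfrob": "(none):1.2-5",
             "netmon": "(none):4.2~rc2-1", "unrelated": "(none):9.9-1"}

def packages_needing_patch(installed, fixed):
    """Names of installed packages whose EVR is older than the advisory's fixed EVR."""
    return sorted(name for name, evr in installed.items()
                  if name in fixed and evrcmp(evr, fixed[name]) < 0)

if __name__ == "__main__":
    print("needs patch:", ", ".join(packages_needing_patch(INSTALLED, ADVISORY_FIXED)))
```

Two of the constructed cases are the ones that trip up ad hoc scripts: widgetd differs only in the release field, and libfrob looks newer by version number (1.2 versus 1.0) but is older because the advisory's package carries epoch 1. Tools such as up2date perform this comparison for you; the value of knowing the rules is being able to check a vendor's or the community's claim that a given build is "already fixed".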
How do I acquire patches? The program maintainer releases patches. Occasionally, the community releases a patch before the maintainer, who still releases the official patch. We can create our own patch if we have the staff, as many vulnerabilities require only one to five lines of code to correct. Normally, we offload packaging these patches and alerting to our distribution vendor.
Patch Abandonment What if the program maintainer abandons the version of the software we run? Our distribution vendor often creates their own independent patches. If the community creates a patch, we can vet it ourselves, wait for our distribution vendor to do the same, or find a service that does the same for us. Ex: Progeny's patching service
Patch Authenticity Patches to a program are generally PGP-signed, just like the software. You can read the patch, if you have staff. Generally, we offload checking both the authenticity of the patch and reading the code to our distribution or patch-services vendor.
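Both the install-time integrity slide and this one reduce to the same mechanical check once the signature question is settled: the project publishes a signed list of digests, you verify the signature on that list with gpg against a key obtained out of band, and then every downloaded file (tarball or patch) must match its listed digest. The following is an added example for this page, not code from any project or from the talk, covering the second half of that procedure: it parses a sha256sum-style manifest and reports each file as ok, mismatch, missing or unlisted. The gpg --verify step is not modelled here. The file contents, the manifest and the "tampered in transit" patch are all constructed inside the block.

```python
"""Check downloaded files against a SHA256SUMS-style manifest.
Added example for this page (not from the talk or any project). The signature step
is not modelled: in practice you first run gpg --verify on the signed manifest with a
key fetched out of band, then apply this check to the files the manifest lists."""
import hashlib

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def parse_manifest(text):
    """Parse sha256sum(1) output lines, '<64 hex digits>  <name>'; a leading '*' on name marks binary mode."""
    expected = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64 or set(parts[0].lower()) - set("0123456789abcdef"):
            raise ValueError(f"manifest line {lineno} is malformed: {raw!r}")
        expected[parts[1].lstrip("*")] = parts[0].lower()
    return expected

def verify(downloaded, manifest_text):
    """Map each file name to 'ok', 'mismatch', 'missing' (listed but absent) or 'unlisted'."""
    expected = parse_manifest(manifest_text)
    report = {}
    for name, digest in expected.items():
        if name not in downloaded:
            report[name] = "missing"
        else:
            report[name] = "ok" if sha256_hex(downloaded[name]) == digest else "mismatch"
    for name in downloaded:
        if name not in expected:
            report[name] = "unlisted"   # nothing vouches for this file; do not install it
    return report

def all_verified(downloaded, manifest_text):
    """True only when every downloaded file is listed in the manifest and matches it."""
    return all(status == "ok" for status in verify(downloaded, manifest_text).values())

# Constructed data: the files the project published ...
PUBLISHED = {
    "tool-1.2.tar.gz": b"pretend tarball contents\n",
    "tool-1.2-to-1.2.1.patch": (b"--- a/util.c\n+++ b/util.c\n@@ -10 +10 @@\n"
                                b"-  strcpy(buf, arg);\n+  strlcpy(buf, arg, sizeof buf);\n"),
}
# ... and the manifest they would sign and publish alongside them
MANIFEST = "".join(f"{sha256_hex(data)}  {name}\n" for name, data in PUBLISHED.items())

# Constructed download: the tarball is intact, the patch was altered on the way, and a mirror added a file
DOWNLOADED = {
    "tool-1.2.tar.gz": PUBLISHED["tool-1.2.tar.gz"],
    "tool-1.2-to-1.2.1.patch": PUBLISHED["tool-1.2-to-1.2.1.patch"].replace(b"sizeof buf", b"9999"),
    "README.mirror": b"mirror added this\n",
}

if __name__ == "__main__":
    for name, status in verify(DOWNLOADED, MANIFEST).items():
        print(f"{status:9} {name}")
    print("install allowed:", all_verified(DOWNLOADED, MANIFEST))
```

The caveat a practitioner wants stated plainly: a digest file sitting next to the download on the same server proves only that the download was not corrupted, because whoever can replace the tarball can replace the digests. Authenticity comes from the signature over the manifest, checked against the key from the keyserver, mailing list or project web site, which is why that check precedes this one.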
Expertise Free / Open Source Software seems to require greater expertise to configure and maintain. Test new hires' expertise by having existing skilled staff conduct the interviews. Consider looking into these certifications: Red Hat Certified Engineer; SANS GIAC certification GCUX. Obviously, comparable certifications will do.
Small Organizations 1/2 Is FOSS possible in a small organization, like a tiny community bank with little IT expertise? Increased expertise is almost always necessary with FOSS. System administration requires a more solid understanding of the operating system and TCP/IP networking. Programming experience is also very useful, especially in C. In a small organization with no IT staff, some FOSS solutions are difficult to maintain. Vendors and/or consultants make this easier. Look for productized solutions built on FOSS technology instead.
Small Organizations 2/2 On the other hand, small organizations with no IT staff rarely have the money for security-enhancing solutions. In this case, FOSS's price may allow for better security, depending on how much maintenance is required after initial installation. Low maintenance solutions: Firewalls; Virtual Private Networks; Configuration Lockdown. High maintenance solutions: Intrusion Detection Systems; Vulnerability assessment?
Hardening Taking hardening steps eliminates or mitigates 90 percent or more of vulnerabilities. The Center for Internet Security creates hardening procedures for operating systems and applications, covering both Open Source and commercial software.
Choosing a Vendor Much of what we're doing becomes easier or possible simply by tapping a vendor to help. Distribution vendor: Red Hat. Consulting companies: IBM, PwC. Support vendor: Progeny.
Questions / Discussion Let's talk about your experiences and worries.
Bio Jay Beale is a consultant with DC-based Intelguardians, LLC where he performs architecture reviews, penetration tests and generalized security consulting. Columnist: Information Security Magazine. Lead Developer: Bastille Linux. Linux Lead: Center for Internet Security. Senior Research Scientist, GWU CSPRI. Member, Honeynet Project. jay@intelguardians.com