Free Open-Source vs. Commercial Security Tools?
sahirh asks: "I work as a penetration tester and recently started writing a whitepaper on the benefits of free, open-source security tools over commercial tools. Through my own experiences, I've found that many free tools such as Nessus and Kismet are more reliable and have better features than expensive commercial alternatives like ISS Internet Scanner or Airopeek. I've also noticed that tools like Ettercap have no commercial alternative. Further, the flexibility offered by the open-source nature of such tools is a great benefit. I'd like to ask for Slashdot's experiences and opinions on why you don't need to spend thousands of dollars on an expensive tool to perform a professional security assessment." Update: 02/07 11:15pm EDT by C : Thanks to all who wrote in to let us know the proper URL to the Kismet site.
Valuable Open Source Security Assessment Tools? (Score:5, Informative)
Huh? (Score:1, Informative)
Go to SANS training. (Score:5, Informative)
We were reviewing several six-figure pieces of equipment and found the same thing - we knew they saw traffic they didn't like, but we didn't know WHY.
Now that everybody uses snort rules, the training is still helpful to show you WHAT you're seeing and IF it's truly bad or just another false positive.
FWIW, why get the snort stuff one vendor removed? Just go straight to the source.
Re:Valuable Open Source Security Assessment Tools? (Score:3, Informative)
OSSTMM (Score:2, Informative)
Visa / MC Compliance (Score:5, Informative)
In order to comply you must have various levels of security testing done and certified by an approved vendor [visa.com].
besides the obvious (Score:5, Informative)
One commercial one that I _really_ like is Languard Network Scanner from GFI.
While it is closed source, it has 30-day full functionality, and has limited functionality after that. Still, even with the 'limited' functionality, it provides the full scanning capabilities; it just doesn't let you use some of the features that I never use anyway (scheduling, etc.).
I'd really recommend giving it a try, it's pretty slick.
It makes more sense to use open source ... (Score:1, Informative)
Use the tools they use... not that commercial products don't have any value to them. Perhaps just use OSS first, then supplement that with some commercial solutions.
www.packetstormsecurity.com is a good place to start also.
Re:Valuable Open Source Security Assessment Tools? (Score:2, Informative)
Re:Snort (Score:2, Informative)
Re:Valuable Open Source Security Assessment Tools? (Score:5, Informative)
Heh, recommending a security tool that OpenBSD removed because the Ethereal team does not care about security [openbsd.org]
Just because something is open source does not imply that it's secure.
Re:Snort (Score:3, Informative)
Actually, we found that Sentarus is a much better snort-based product. We kicked Sourcefire out after 2 weeks; they just don't get the concept of a GUI. Talk about butt ugly and unmanageable.
Re:Snort (Score:4, Informative)
For pen-testing, check out the Metasploit framework [metasploit.com]. It's truly cool.
Also, have a look for scanrand, part of paketto keiretsu (doxpara.com appears to be having trouble right now, so don't go looking right now).
There's always the old standbys, as well, like dsniff.
There is commercial free/open source software (Score:4, Informative)
What if some of the developers of those F/OSS packages are paid money to code free software? MySQL comes to mind when I think of commercial free software, although it isn't related to the software you're looking for. There has always been money to be made in the free software business. Your question should be about free vs. non-free.
Quoting RMS: "Free software" does not mean "non-commercial". A free program must be available for commercial use, commercial development, and commercial distribution. Commercial development of free software is no longer unusual; such free commercial software is very important.
Re:Valuable Open Source Security Assessment Tools? (Score:5, Informative)
I was just thinking about structural ways to work around this in ethereal (like priv sep) -- in the meantime, I would point out that the biggest difference between ethereal and its commercial equivalents is that, with ethereal, you find out about the security problems quickly -- whereas with commercial equivalents, you might not find out for a while (if ever), and you'll probably end up paying for the upgrade to make it secure.
Another point is that it's most often the newer dissectors that contain the holes. If you're worried about security and working in a 'hostile' environment, you're probably best to disable any dissector that you're not intending to use -- in fact, that might be a good idea to do in Ethereal generally: disable all but the most common dissectors and wait for the user to enable them explicitly.
Re:Accountability (Score:2, Informative)
Um, check the EULA. Unless you've written a change into your contract, it's unlikely that the vendor actually is responsible.
Free software relieves you of the burden of believing the vendor's got your back. For the most part, they don't.
Re:Go to SANS training. (Score:4, Informative)
I dig Snort, been using it a while. The SANS training made it USEFUL. The course filled in gaps in my knowledge at a rapid rate, and I usually HATE computer training courses precisely because the bandwidth is too low.
Richard Bejtlich wrote "Tao of Network Security Monitoring", which is a really, really good next step. (http://www.bookpool.com/.x/kzaxqc7ob1/sm/03
It covers the use of a variety of different types of intrusion indicators to quickly get to the meat of the matter. He's critical of the SANS course as too bit-addled. I can see what he means - you do spend 2 days (of 6) on tcpdump, vs. just one on Snort per se, but that gives you a great background to use tons of other tools. Once you have that, the other tools are easy.
SANS also has security auditing, incident handling, firewall + VPN, and some PHB type classes.
I'm a fanboy.
Re:Go to SANS training. (Score:3, Informative)
I took the IDIC course a while back (i.e. my analyst number is less than 100) and noticed the same thing. The layout was a bit different then, but I caught myself thinking "why are we spending a day and a half reviewing TCP/IP?" After listening to the questions that some people asked, I realized that no matter how much you warn them, people just aren't prepared for the class. Having realized this themselves, the instructors adjusted the curriculum so they can drag as many people through to some level of competency.
I did enjoy my SANS training and I wish I could find another employer that would pay for it. But if you are the kind of student that already knows the first three days of material, you may want to stay away from the track-based courses and do a mix-and-match if possible. Finally, taking a SANS course should be the beginning of your studies in an area, not the end. I see the training as a good broad base in a particular area. You must become an expert on your own.
Nessus new (weird) plugin licensing terms (Score:3, Informative)
I just received e-mail from Fyodor and had this bad bad news [nessus.org].
Nobody mentioned that here.
(and probably nobody will read that since I'm stuck at 0
Nessus is not quite free anymore (Score:4, Informative)
Check it out for yourselves, there are three feeds now. The main feed which used to be free is now on a seven day delay. While this doesn't affect a lot of the scanning efforts it is nice to know about the vulnerability that just came out.
Often when a new serious vulnerability makes news, a company would like to know how they are affected right away. Now they will have to wait 7 days!
I don't think that there is anything wrong with this; I mean, the developers at nessus (tenable lightning) have to eat too. But calling it free just seems sort of inaccurate now. Scanners without updated signatures work about as well as razors without the blades.
A 'Direct Feed' is commercially available which entitles subscribers to the latest vulnerability checks. Customers who purchase a Lightning Console or NeWT Pro scanner receive access to this feed with their annual product maintenance.
A 'Registered Feed' is available for free to the general public, but new plugins are added seven days after they are added to the 'Direct Feed'. To obtain access to the 'Registered Feed', users are required to enter contact information for tracking and also agree to Tenable's license agreement for the plugins.
The 'GPL Feed' does not require registration, and includes plugins written by the user community. As manager of the Nessus project, Tenable continues to accept plugins written from the Nessus and NeWT user communities. Plugins accepted with a copyright under the GNU Public License will be distributed to the Direct, Registered and Public feeds at the same time.
Pricing
The access to the GPL feed and to the Registered Feed is free. Pricing for the 'Direct Feed' is based upon the number of Nessus or complimentary copies of NeWT in use within your organization, consultancy or service. The cost is $1200 per scanner per year. For more information, please contact Tenable's sales staff.
Re:Valuable Open Source Security Assessment Tools? (Score:1, Informative)
http://www.liveammo.com/LiveAmmo_Security_Tools_D
Mostly open-source tools for pentesting, although they list some commercial tools as well.
Good penetration testing resource (Score:2, Informative)
http://www.liveammo.com/LiveAmmo_Security_Tools_D