Forgot your password?
typodupeerror
Security Software

Free Open-Source vs. Commercial Security Tools? 234

Posted by Cliff
from the don't-buy-into-the-FUD dept.
sahirh asks: "I work as a penetration tester and recently started writing a whitepaper on the benefits of free, open-source security tools over commercial tools. Through my own experiences, I've found that many free tools such as Nessus and Kismet are more reliable and have better features than expensive commercial alternatives like ISS Internet Scanner or Airopeek. I've also noticed that tools like Ettercap have no commercial alternative. Further, the flexibility offered by the open-source nature of such tools is a great benefit. I'd like to ask for Slashdot's experiences and opinions on why you don't need to spend thousands of dollars on an expensive tool to perform a professional security assessment." Update: 02/07 11:15pm EDT by C : Thanks to all who wrote in to let us know the proper URL to the Kismet site.
This discussion has been archived. No new comments can be posted.

Free Open-Source vs. Commercial Security Tools?

Comments Filter:
  • by YankeeInExile (577704) * on Monday February 07, 2005 @03:03PM (#11599196) Homepage Journal

    I have no joke here, I just like saying, I work as a penetration tester ...

  • Snort (Score:4, Interesting)

    by ikewillis (586793) on Monday February 07, 2005 @03:03PM (#11599202) Homepage
    One of the best NIS tools available, the only thing you can get better are... commercial Snort derivatives. Not mentioned, WTF?
    • Re:Snort (Score:2, Informative)

      by SquadBoy (167263)
      Sourcefire. Martin Roesch's company. It gives you, the admin, the goodness of Snort and OSS tools and gives your bosses a contract to feel all warm and fuzzy about. Pretty much a win-win. I love my Sourcefire boxen and they cost less than the other commercial IDSes.
      • Re:Snort (Score:3, Informative)

        by checkitout (546879)
        It gives you, the admin, the goodness of Snort and OSS tools and gives your bosses a contract to feel all warm and fuzzy about.

        Actually we found that Sentarus is a much better snort-based product. We kicked Sourcefire out after 2 weeks, they just don't get the concept of a GUI. Talk about butt ugly and unmanagable.
    • Re:Snort (Score:4, Informative)

      by gclef (96311) on Monday February 07, 2005 @03:38PM (#11599611)
      Snort's not really a pen-test tool, though.

      For pen-testing, check out the Metasploit framework [metasploit.com]. It's truly cool.

      Also, have a look for scanrand, part of paketto keiretsu (doxpara.com appears to be having trouble right now, so don't go looking right now).

      There's always the old standbys, as well, like dsniff.
      • by gclef (96311)
        I know it's bad form to reply to your own posts, but having re-read the Ask Slashdot question (reading comprehension good), it seems he's not looking for a list of good open-source tools. Instead, he's looking for a discussion of "why you don't need to spend thousands of dollars" on expensive tools.

        Ummm...'cause tools with the same functionality are available for free? Seriously, I think part of it's just social...the hackers who write the tools tend to be more the open-source mentality than the corporat
  • by kiwidefunkt (855968) on Monday February 07, 2005 @03:05PM (#11599226) Homepage
    Ethereal [ethereal.com], nmap [insecure.org], and snort [snort.org] always get the job done for me.
    • Agreed. I usually throw in tripwire [tripwire.org] too from the start, it makes things easier later on.
    • by Gyorg_Lavode (520114) on Monday February 07, 2005 @03:14PM (#11599333)
      How do you use Snort and Tripwire (from the child's response) for penetration testing and risk assessment? I understand using them as part of an IDS, but not for the initial risk assessment.
      • The other cool thing you could do with Snort (if you are a consultant conducting a network security assessment) is to deploy Snort on the inside network and then show the customer all of the IIS-based attacks that are making it through their Layer 3 firewall because they have their firewall configured to allow inbound TCP port 80 to their webserver.

        "But I thought my firewall blocked that stuff!!!"

        -Scott

    • Same here. And about the open vs. commercial, I've been using both Ethereal and Network General's Sniffer and in my opinion Ethereal is way much better starting from the simple GUI.
    • Agreed (Score:3, Insightful)

      by paranode (671698)
      Those are great tools to use and the fact that they are free is even better. The only thing I might recommend replacing for a commercial alternative is Nessus. If you can afford it, something like eEye's Retina scanner is a very nice product. It doesn't come cheap, but if you work in a big corporate environment you can probably justify the cost. Not to mention, Nessus is a bit flaky so if you start crashing machines during your testing you will have some angry people to answer to. Don't get me wrong, N
      • Isn't retina scanner a windows app? whereas nessus is a unix app, i do all my testing from unix machines so this isn't appropriate.. Also, i frequently encounter bugs in scanning tools and would like to be able to fix them myself or atleast understand what the problem is..
        Aside from that, last time we tested retina it wasn't very good atall and was especially bad at detecting known vulns in unix machines, it was more windows oriented.
    • by Homology (639438) on Monday February 07, 2005 @03:23PM (#11599438)
      Ethereal, nmap, and snort always get the job done for me.

      Heh, recommending a security tool that OpenBSD removed because the Ethereal team does not care about security [openbsd.org]

      Mark it as BROKEN:

      Right during 3.5, it had more than
      a dozen remote holes being fixed, that we shipped with. Weeks later
      things have not improved, and there continue to be problems reported
      to bugtraq, and respective band-aids - but it is clear the ethereal
      team does not care about security, as new protocols get added, and
      nothing gets done about the many more holes that exist.

      Just because something is open source does not imply that it's secure.

      • Heh, recommending a security tool that OpenBSD removed because the Ethereal team does not care about security

        I was just thinking about structural ways to work around this in ethereal (like priv sep) -- in the meantime, I would point out that the biggest difference between ethereal and it's commercial equivalents is is that, with ethereal, you find out about the security problems quickly -- whereas with commercial equivalents, you might not find out for a while (if ever), and you'll probably end up paying for the upgrade to make it secure.

        Another point is that it's most often the newer disectors that contain the holes. If you're worried about security and working in a 'hostile' environment, you're probably best to disable any disector that you're not intending to use. -- in fact, that might be a good idea to do in Ethereal, generally: Disable all but the most common dissectors and wait for the user to enable them explicitly.

      • Right during 3.5, it had more than a dozen remote holes being fixed

        Part of the nature of ethereal is that just about any hole is going to be a remot hole, since it is pretty much only dealing with remote (network) data. This is made worse by the fact that it's usually run as root and has no privelege separation (that I know of). OBSD, on the other hand has the luxury of separating remote holes from local holes when they carp about OpenBSD's security.

        This, however, does not excuse the ethereal community

  • Accountability (Score:3, Insightful)

    by JaxWeb (715417) on Monday February 07, 2005 @03:06PM (#11599236) Homepage Journal
    If I were to choose software protecting my company, I would use commercial software. Why? Because if something does go wrong, it is the vendors fault and not yours. With free software, it is your fault.

    However, for protecting yourself, I think there are ethical reasons to use Free Software - Stallman argues that you should choose software for those reasons alone, and not technical reasons. If you listen to Linus, however, he tells us that technical reasons are valid reasons to choose to software. Your decision on this issue is the first step to your overall decision.
    • Re:Accountability (Score:4, Interesting)

      by Nothinman (22765) on Monday February 07, 2005 @03:11PM (#11599309)
      Right, because pointing a finger at someone you can't really hold accountable or make a lawsuit against is worthwhile. Telling your CEO "but the tool didn't see that problem" potentially makes you look just as dumb as the tool you paid for.

      I'm on our network security team and when doing audits we do have a few commercial tools, but we also use OSS tools like Nessus because IME they're better overall.
      • Re:Accountability (Score:4, Insightful)

        by fm6 (162816) on Monday February 07, 2005 @03:22PM (#11599431) Homepage Journal
        Telling your CEO "but the tool didn't see that problem" potentially makes you look just as dumb as the tool you paid for.
        Why? It's not your job to see the problem. By hiding the implentation of the security software, its designers assumed responsibility for making it reliable.

        Passing the buck is standard corporate politics. It's true that this leads to a lot of dysfunctional organizations and bad decisions. But if you choose to fight this trend, you better be very good at what you do. And at covering your ass.

      • Re:Accountability (Score:3, Interesting)

        by ifwm (687373)
        "you can't really hold accountable or make a lawsuit against is worthwhile"

        Why can't you? The law on this is untested in many areas. What makes you so sure you couldn't make a case against them?
    • by Foofoobar (318279) on Monday February 07, 2005 @03:13PM (#11599326)
      So if something goes wrong with your setup, a commercial company will quickly take credit? Riiiiight.

      I know Microsoft readily accepts monetary responsibility for their products being crap and causing crashes, viruses and trojans in my system.

      In fact, Bill and Steve cut me a check weekly.
    • Re:Accountability (Score:5, Interesting)

      by yamla (136560) <chris@@@hypocrite...org> on Monday February 07, 2005 @03:14PM (#11599338)
      So, you believe that EULAs are completely unenforceable?
    • Yeah, and if it were up to Stallman, we'd be using HURD.
      • You know that he uses Linux as his kernel, don't you?
        • There's a difference between idealism and realism, and even Stallman recognizes this. Just because he wishes HURD could be used widely, he also needs to get his work done, and Linux is the closest free software alternative to what HURD is going for.
    • If I were to choose software protecting my company, I would use commercial software. Why? Because if something does go wrong, it is the vendors fault and not yours. With free software, it is your fault.

      How does this work in the real world, exactly?

      IME, it's always your fault, as it should be, mostly.
    • by A nonymous Coward (7548) * on Monday February 07, 2005 @03:18PM (#11599386)
      How do you know you can get any resolution from the people who sold you the software, or developed it? Have you checked the contracts or EULAs? Most EULAs I've seen explicitly disclaim any responsibilty.

      Your responsibility is to protect your company AND get it back on its feet after a breakin. You can't rely on a lawsuit to do that in any timely fashion, only after the company has gone out of business and everyone has long since gotten new jobs. Even then, you'd be lucky to get pennies on teh dollar in restitution. So what good does it to sue the developer or seller?

      You have to get the company going again as quickly as possible. It just might be helpful to have sources to what failed to see how it failed and how the breakin occurred. Proprietary software is useless there.
      • Other's have made the same point. EULA's may protect the company against libility if you get screwed, but they may not. The law is unclear, and generally untetested.

        I'll wait until the law is clearer, but the idea that EULA's absolve a company of guilt simply is not correct (yet).
      • Personal liability is far different than saying it is the fault of your vendor.

        If there is a vendor that provides open source solutions then they should be able to support them just as a proprietary vendor would.

        The issue isn't a point of how you can legally screw them over, its how you can speak to your boss in terms that he understands. If your boss knows you screwed up or didn't know something you were supposed to then its harder for him to pass that up through management than if you used a canned app
        • The issue isn't a point of how you can legally screw them over, its how you can speak to your boss in terms that he understands. If your boss knows you screwed up or didn't know something you were supposed to then its harder for him to pass that up through management than if you used a canned app that failed and you were doing you job in sustaining that app.

          While you are right in PHB terms, this does you no good whatsoever if your business relies on the Internet and you suffer a major security breakin.

          I'
    • I would use commercial software. Why? Because if something does go wrong, it is the vendors fault and not yours.

      grunt: Admiral! There's a missile comming our way, and the defence systems have just blue screened!

      admiral: Thank god I can blame Microsoft for this!
      missile: BOOM!
      So you'd use inferior software just because you can point the finger at someone else when the software fails??? Wouldn't you rather use the best software for the job (even if it's cheaper)??

      I mean, it's not like most commercial vendors take any responsibility for their software, anyways -- have you read your EULA's recently?

      At least with open source software, you have the option of fixing any bugs yourself if the vendor refuses to. With Proprietary code, your only choice is to grin, bend over and wait for your bill.

    • Re:Accountability (Score:2, Informative)

      by Daedala (819156)
      "Because if something does go wrong, it is the vendors fault and not yours. With free software, it is your fault."

      Um, check the EULA. Unless you've written a change into your contract, it's unlikely that the vendor actually is responsible.

      Free software relieves you of the burden of believing the vendor's got your back. For the most part, they don't.
    • if i were hiring people to protect my company, i certainly wouldn't hire a snivling gimp like yourself, why? because i want someone to be doign the best job they can, not spending all day dreaming up ways to cover their arsehole.
  • by bigtallmofo (695287) on Monday February 07, 2005 @03:07PM (#11599246)
    My job duties sound similar to the story poster... My job description is "Penetration Preventer". My business card title just says, "Cockblocker".

  • by AtariAmarok (451306) on Monday February 07, 2005 @03:07PM (#11599255)
    "Penetration tester" is your day job, but tell me, do you solve crimes in the evening as a "private dick" ?
  • Hmmm (Score:3, Interesting)

    by spiffy_dude (762559) on Monday February 07, 2005 @03:08PM (#11599261)
    It seems like there is an implicit bias in the question. I would like to see a fair assesment of commercial vs open source tools over a biased statement about how open source tools are better. I'm sure there are worthwhile products in both categories.
    • Re:Hmmm (Score:2, Funny)

      by YrWrstNtmr (564987)
      I would like to see a fair assesment of commercial vs open source tools over a biased statement about how open source tools are better.

      You're new here, right?

  • Go to SANS training. (Score:5, Informative)

    by Matey-O (518004) <michaeljohnmiller@mSPAMsSPAMnSPAM.com> on Monday February 07, 2005 @03:08PM (#11599269) Homepage Journal
    $3200 spent in a snort bootcamp made the need to buy a $120,000 IDS box moot.

    We were reviewing everal six-figure pieces of equipment and found the same thing - we knew they saw traffic they didn't like, but we didn't know WHY.

    Now that everybody uses snort rules, the training is still helpful to show you WHAT you're seeing and IF it's truly bad or just another false positive.

    FWIW, why get the snort stuff one vendor removed? Just go straight to the source.
    • by JimmytheGeek (180805) <jamesaffeld@nOSpAM.yahoo.com> on Monday February 07, 2005 @05:04PM (#11600478) Journal
      Amen! Go if you can.

      I dig Snort, been using it a while. The SANS training made it USEFUL. The course filled in gaps in my knowledge at a rapid rate, and I usually HATE computer training courses precisely because the bandwidth is too low.

      Richard Beijtlich wrote "Tao of Network Security Monitoring" which is a really, really good next step.(http://www.bookpool.com/.x/kzaxqc7ob1/sm/032 1246772)
      It covers the use of a variety of different types of intrusion indicators to quickly get to the meat of the matter. He's critical of the SANS course as too bit-addled. I can see what he means - you do spend 2 days (of 6) on tcpdump, vs. just one on Snort per se, but that gives you a great background to use tons of other tools. Once you have that, the other tools are easy.

      SANS also has security auditing, incident handling, firewall + VPN, and some PHB type classes.

      I'm a fanboy.
      • He's critical of the SANS course as too bit-addled. I can see what he means - you do spend 2 days (of 6) on tcpdump, vs. just one on Snort per se, but that gives you a great background to use tons of other tools. Once you have that, the other tools are easy.

        I took the IDIC course a while back (i.e. my analyst number is less than 100) and noticed the same thing. The layout was a bit different then, but I caught myself thinking "why are we spending a day and a half reviewing TCP/IP?" After listening to

      • Northcutt et. al. have a seriousness assessment that is completely broken. Their model rates an incident by a formula that does not make sense:

        S = (C + L) - (HCM + NCM)

        Where:
        S = severity
        C = Criticality (how important the target host is)
        L = Lethality of attack
        HCM = Host-based countermeasures
        NCM = network-based countermeasures

        They use different variable names, I think.

        Assign a value from 1-5 for C,L,HCM, and NCM

        Remember ordinal numbers? You can't multiply them (or do other operations on them) and get a
    • by fm6 (162816)
      In other words, you guys rely on the intelligence of well-trained employees, rather than expensive security (no pun intended) blankets.

      Wild idea. It'll never catch on.

  • Penetration Tester (Score:3, Insightful)

    by RasendeRutje (829555) on Monday February 07, 2005 @03:08PM (#11599272)
    Penetration Tester?? Not only looking for the obvious (security) holes, but also the tricky ones? Those you don't normally see? Damn where do you learn that
  • OSSTMM (Score:2, Informative)

    by randori82 (797156)
    Even a great methodology is open source [osstmm]
  • VIsa / MC Compliance (Score:5, Informative)

    by jfroot (455025) <darmok@tanagra.ca> on Monday February 07, 2005 @03:11PM (#11599306) Homepage
    One reason that many companies need to use a commercial security tool is because of Visa and Mastercard CISP [visa.com] and SDP [mastercardintl.com]compliance.

    In order to comply you must have various levels of security testing done and certified by an approved vendor [visa.com].
  • Don't Forget (Score:3, Insightful)

    by iammrjvo (597745) on Monday February 07, 2005 @03:12PM (#11599310) Homepage Journal

    There is security implied simply by the fact that the product is open source. That is to say that its failings and potential security weaknesses have been evaluated by a community beyond the original developers and is always open to scrutiny.
    • Nope. Security has more to do with architecture than bugs. If the architecture is secure, then bugs will be unlikely to be severe.

      That being said, security is more *knowable* in open source software. Sendmail vs. Postfix etc. is a good case in point. Someday I am going to get around to patching that local exploit in Qmail... Until then, that security issue can be blocked by not giving anyone local interactive access to the mailserver...
  • besides the obvious (Score:5, Informative)

    by JeanBaptiste (537955) on Monday February 07, 2005 @03:13PM (#11599328)
    snort, ethereal, nmap, etc

    one commercial one that I _really_ like is Languard Network Scanner from GFI.

    While it is closed source, it has 30-day full functionality, and has limited functionality after that. Still even with the 'limited' functionality, it provides the full scanning capabilities, it just doesn't let you use some of the features that I never use anyways (scheduling, etc).

    I'd really recommend giving it a try, its pretty slick.
  • by tod_miller (792541) on Monday February 07, 2005 @03:14PM (#11599339) Journal
    a) it does the job
    b) see a.

    I do not see the need to stick to ideals in a world of security, use the best tool for the job, and stay vigilant (if OS is the best tool, then only merit it on this, not the fact that it is OS)
  • "I work as a penetration tester and recently started writing a whitepaper on the benefits of free, open-source security tools over commercial tools."

    Excellent the porn industry is on our side, there is no way we can lose now!
  • Assumed a thief (Score:5, Interesting)

    by rtkluttz (244325) on Monday February 07, 2005 @03:17PM (#11599373) Homepage
    I work for a company that has an EtherpeekNX license. When they started with the NX line, they now have activation. One time per license. I had to call and threaten a move to open source alternatives with a forced refund due to their policy.

    They provide a remote collection agent that can be monitored with the licensed full version. That was not good enough in our instance due to the layout of our network and needing to install our licensed copy, at the work site, fix the problem and then uninstall the software. After much desk pounding they finally gave in and let us have unlimited installs of the same number. But only after threatening a move to open source.

    Our take on the issue is, we need to install the product how we see fit. We payed for it. It doesn't matter to us if we aren't using the software how they "envision" it should be used. We were due a refund if they refused to let us use a product we payed for.
    • That's pretty common, sadly.

      Quark is a classic for that. The app *scans* *the* *network* for other instances with the same license key. I bought 6 licenses, why the heck can't I deploy with disk images?

      In Quark's case, the answer is "you can if you buy a site license and run a license server". Of course, in exchange for the ability to use your software more practically, what do you get? The same prices, and a new requirement to upgrade all licenses to a new version at once. That's right - less flexibility
  • by hellfire (86129) <`moc.liamg' `ta' `vdalived'> on Monday February 07, 2005 @03:19PM (#11599398) Homepage
    IANASS (...Security Specialist) but to me, logic seems to state that having an open source system has an advantage in that the code is there for everyone to see, and that you can add your own code.

    Take physical security as a metaphor. You want to secure your physical plant, so you hire a security specialist. You hire his services and he peruses your building. He suggests locks here, cameras there, and a whole plan on making your business less prone to break-ins and the like.

    However, what's so great about this? Two things. One, everything is transparent. It's not like joe security officer is selling you a security package and not telling you where he's going to put that $50,000 you just paid for. He has to give you a full plan (the code!) that you approve of. Plus, the plan is customized for you. It's your plan, not someone elses. It's based on your requirements and your specifications. If a security company comes to you and says they'll put a camera in every room and be done with it, is that really enough for you?

    Tie that back to open source. The code for open source security solutions are that plan you need. You can provide input on it and change it as much as you want to match your individual needs. And the code will be more unique than a commercial security program, which is the same from site to site.

    I can't say that open source is necessarily for everyone. Maybe a camera in every room is all you need. Maybe you just need a security guard out front. The advantages I see here are businesses where security is an important part of business, and where companies don't want control of their own data in the hands of anyone but themselves.
  • by RyoShin (610051) <tukaro@@@gmail...com> on Monday February 07, 2005 @03:20PM (#11599405) Homepage Journal
    I don't have a lot of experience with free software, but I can tell you why people prefer to pay for it: Security in spending.

    Basically, most people (including CEOs and the like) think that the more something costs, the better it must be. After all, if Product A costs you $100 and Product B costs you $5, then there must be a lot more features and hard work put into Product A to make it cost more than Product B.

    Plus, when people hear 'open source', they think of crackers/evil people getting their hands on the source code and exploiting all sorts of 'holes'. Since they can find out how it works, it must be really easy for them to exploit it.

    I wouldn't be surprised if many people, on first look, would rather pay $10 for a Linux distro rather than get it for free because 'free' has all sorts of bad connotations locked in with it this day and age. They assume it's the difference between going to a 12-year old's lemonade stand and going to starbucks for a smoothie. "You get what you pay for."
  • Deploying Software (Score:5, Interesting)

    by markmcb (855750) on Monday February 07, 2005 @03:21PM (#11599422) Homepage
    I work for DoD. We tend to go with commercial software for several reasons:

    1. Personnel changeover. DoD loves to move people around between departments and installations. It's hard to find people savvy enough to run open-source software and keep them in one spot. It's much easier to give whoever is holding the position a phone number and tell them to call tech support with problems.
    2. Personnel skills. DoD is huge. Because of this, the chances of getting skilled and motivated people at all of your sites is slim. Again, the phone call seems to make everything better.
    3. Contracts. Things are usually purchased in bundles and as part of a big plan. It's much easier to brief to a non-tech boss that you have the support of another company and not that "I'm sure we can figure it out."
    4. Uncle Sam's pockets are deep.

    I agree that open source software is often better. But it doesn't give the non-tech group that warm fuzzy it needs to. In the end, the boss doesn't want to up a creek without a paddle. Having that phone number to call adds a much wanted security blanket, even if it's only a facade.
    • by Stinking Pig (45860) on Monday February 07, 2005 @03:28PM (#11599506) Homepage
      Bingo -- same attitude exists in most of the American corporate market, in spades. Maybe rightly so, maybe not, but take note of Red Hat and IBM's successes... this is not about source code or product licensing, it's about that tech support phone number.

      Linuxcare and the like flamed out for poor core business practices and poor market targeting (do not ever, I repeat do not EVER, try to make money directly supporting end users). MySQL AB, Best Practical, Trolltech, &c seem to be doing pretty well though....
    • by Locke2005 (849178)
      4. Uncle Sam's pockets are deep.

      Thank you very much for wasting my tax dollars, cretin! Seriously, I think this attitude that the "government has lots of money!" is going to be the downfall of the US... here's a subtle reminder: all the money is taken from hardworking citizens, at gunpoint if need be. Or borrowed against future taking from citizens...

      Read your contract with your vendor. Fact is, most commercial software contracts don't protect against anything more than refunding the purchase price, even i

    • Having that phone number to call adds a much wanted security blanket, even if it's only a facade.

      My first though on reading this was, "well their must be dozens of security firms that will offer support for such popular tools." I mean surely IBM if no on else will be happy to take your money and answer calls about nmap or snort or ethereal? So I did what anyone would do, and googled a bit. I could not find anyone in 2 minutes of searching. Perhaps my google-fu is weak. Is this really an untapped mark

    • I also work for the DoD, and our program DOES use open source tools for the most part. The reason though, (I think as I wasn't here when the decision was made), is that the contractor who's doing it had OS advicates and is also cheap.
  • by Eternally optimistic (822953) on Monday February 07, 2005 @03:22PM (#11599435)
    For security applications, how can you say with any confidence that a closed source product does an adequate job? You are not allowed to examine what it does, instead you have to rely on what the vendor says. Maybe some tool is certified by some "trusted" entity in your industry, but you don't have any control yourself. With open source, you can look, or hire someone to look who works for you.
  • Right Question? (Score:3, Interesting)

    by Comatose51 (687974) on Monday February 07, 2005 @03:27PM (#11599492) Homepage
    Is that the right question to ask?

    "I'd like to ask for Slashdot's experiences and opinions on why you don't need to spend thousands of dollars on an expensive tool to perform a professional security assessment."

    It sounds like you're already set in your opinion and just asking for justifications. That doesn't usually develop any new insights or make good comparisons. If you really want to sell people on Open Source, do a fair and un-biased comparison. An obviously biased comparison is easily detectable and loses credibility. I really don't think Open Source needs biased comparisons to look good.
    • Just because most of his tools are open source doesn't mean that he's not willing to use commercial products... He just doesn't seem to have found many of them that are better than the open source equivalents.

      Asking for comments on what's out there that's better than Open Source is one way to broaden your horizon. (and what better place to ask than SlashDot, where you'll probably get comments from people who work for, and/or use, much of the proprietary competition).

  • by CKnight (92200) on Monday February 07, 2005 @03:29PM (#11599516) Homepage
    I'm thinking of writing a how-to for "penetration testers". It'll be titled "Locating Unprotected Backdoor Entrances" or more aptly, "Lube"
    • I'm thinking of writing a how-to for "penetration testers". It'll be titled "Locating Unprotected Backdoor Entrances" or more aptly, "Lube"

      Don't forget a section on avoiding Trojans. Although they sometimes help with L.U.B.E., they can often get in the way of a successful test.

  • I work for a government client who's invested a sizeable chunk of change in Harris Stat Scanner [harris.com] They evaluated a number of products, including some leading open source tools like nessus. Their bottom line is that Stat makes the job relatively easy for a largely Windows shop (that is, if you have admin rights to all the boxes, turn on remote registry editing, kill all firewalls/IDSes, etc. - leaving you wide open for the duration of the testing!) to perform a multitude of tests and to install patches on the
  • I agree - opensource tools are often at least equally good. However in some industries, specific tools are mandated, by either government or other overseeing institutions. In our case we are required to be compliant with VISA's Cardholder Information Security Program, and that is very precise as to what tools should be used and how often (and by whom)
    Likewise on the other end of the same thing, while I think I could configure iptables/snort etc. to be equally if not more secure than commercial packages -

  • Sure, obviously nmap, tcpdump, and snort, (plus ethereal and etherape if you like pretty pictures). Another I don't see mentioned here is SING [sourceforge.net] (which stands for "send ICMP nasty garbage").

    It's a command line tool (sort of like netcat) for fabricating ICMP packets.

    Talk to Dug Song or the phenoelit guys about m-i-t-m attacks, and ARP or ICMP level hacking, and you might find some uses for SING. ;^)
  • Different markets (Score:3, Insightful)

    by ectoraige (123390) on Monday February 07, 2005 @03:33PM (#11599555) Homepage
    The market for commercial security tools is quite different. To begin with, it's smaller than the market for OSS tools. While security professionals may use either, any crackers worth their (or somebody elses) salt are won't be caught using commercial products. Thus, there're probably more 'feature requests' and feedback for the OSS developers to respond to.

    Also, a number of commercial products are not written with just the user in mind - the larger ones also involve things like generating pretty reports for use in the CTO's bonus negotiations and suchlike.

    Finally, lots of the commercial products try to be competitive by doing everything at once, whereas the OSS tools tend to be more focused on specific functionality, following the traditional unix approach.

    Of course, all these points are generalisations and there are exceptions to them all, but that's what you get for asking such a general question.
  • by BigZaphod (12942) on Monday February 07, 2005 @03:38PM (#11599603) Homepage
    If I would have been drinking something when I read that, my screen would be soaked right now...
  • by latroM (652152) on Monday February 07, 2005 @03:39PM (#11599618) Homepage Journal
    I work as a penetration tester and recently started writing a whitepaper on the benefits of free, open-source security tools over commercial tools.

    What if some of the developers of those F/OSS packages are paid money to code free software? MySQL comes to mind when I think commercial free software, although it isn't related to the software you search. There has been always money to be made in free software business. Your question should be about free vs. non-free.

    Quoting RMS:``Free software'' does not mean ``non-commercial''. A free program must be available for commercial use, commercial development, and commercial distribution. Commercial development of free software is no longer unusual; such free commercial software is very important.
  • Yeah like you'd need to buy a man-in-the-middle software for your private company network.
  • by gelfling (6534) on Monday February 07, 2005 @04:07PM (#11599935) Homepage Journal
    If I recally the openSSH license had some really weird language in it that amounted to "There is a lot of code in this tool. I'm not sure of everything and there may very well be something in here that belongs to someone else. So if they come after you Mr. MegaCorp, don't ask me. It's not my problem."

    And that is a bigger problem for our lawyers then the efficacy of the tool itself.

    Otherwise, why must it be an either/or decision? Why can't you have a mix of open and commercial and achieve a balance of cost and effectiveness?

    Also consider the total lifecycle costs. A $30,000 appliance out of the box may be cheaper than an open source tool running on an 'extra' server you have laying around plus 250 hours/year of your time fucking with it. Sometime the best security is the security that makes the most rational sense for you to afford.
  • ... you're using tools you've developed yourself, as well as open source and commercial tools, all where they're appropriate.
  • Kismet is at www.kismetwireless.net [kismetwireless.net] not .org as the poster linked to.
  • I am a fan of opensource software, and would agree that in many places it is better then, or of equal quality to, commercial closed source software.

    The one place I do not agree is with wireless security monitoring. I have not seen any open source offering, or combination of offerings, that can hold a candle to Airmagnet [airmagnet.com]. I test various open source offerings as I hear about them, and to date have seen nothing with the power and flexibility Airmagnet provides. It was worth every penny we paid for it.

  • by catdevnull (531283) on Monday February 07, 2005 @04:49PM (#11600337)
    I was just wondering about that title "Penetration Tester [imdb.com]." Somehow, it seems to garner immediate respect.
  • Bad link (Score:3, Interesting)

    by parkrrrr (30782) on Monday February 07, 2005 @04:54PM (#11600375)
    Kismet can be found at http://www.kismetwireless.net/ ; the link above redirects to the no doubt appropriately-named wirelesscon.com.
  • There is a single commercial app that not only costs us a LOT of money, but is the single reason i keep a copy of windows installed on vmware.. This is webinspect, from spi dynamics.. An incredibly buggy app, also very bloated, slow, and very prone to false positives. Unfortunately, there is no opensource equivalent. I would very much like to get rid of this huge festering pile of crap, the developers of which tell me i must configure IE as the default browser in order to use the product (outrageous, how ca
  • Sure, some foreign government or well-funded industrial spy may use a $10,000 or $100,000 tool. Ditto for someone who has a cracked version of a commercial tool.

    It seems much more likely that the black-hat types are either going to use freely available tools, or will write their own custom jobs before they will submit to using some fancy point-and-click GUI that attempts to hide complexity from them (even if their employer provides it). It's dangerous to assume that no one will attack you with commercial t
  • by andrew71 (134546) on Monday February 07, 2005 @08:29PM (#11602582) Homepage

    I just received e-mail from Fyodor and had this bad bad news [nessus.org].

    Nobody mentioned that here.

    (and probably nobody will read that since I'm stuck at 0 :)
  • by neoThoth (125081) on Monday February 07, 2005 @09:37PM (#11602852) Homepage
    While the tool itself *is* still free Lightning has made a change in their pricing model regarding the plugins. [nessus.org]
    Check it out for yourselves, there are three feeds now. The main feed which used to be free is now on a seven day delay. While this doesn't affect a lot of the scanning efforts it is nice to know about the vulnerability that just came out.
    Often when a new serious vulnerabilty makes news a company would like to know how they are affected right away. Now they will have to wait 7 days!
    I don't think that there is anything wrong with this, I mean the developers at nessus (tenable lightning) have to eat too. But calling it free just seems sort of inaccurate now. Scanners without updated signatures work about as well as razors without the blades.
    A 'Direct Feed' is commercially available which entitles subscribers to the latest vulnerability checks. Customers who purchase a Lightning Console or NeWT Pro scanner receive access to this feed with their annual product maintenance.
    A 'Registered Feed' is available for free to the general public, but new plugins are added seven days after they are added to the 'Direct Feed'. To obtain access to the 'Registered Feed', users are required to enter contact information for tracking and also agree to Tenable's license agreement for the plugins.
    The 'GPL Feed' does not require registration, and includes plugins written by the user community. As manager of the Nessus project, Tenable continues to accept plugins written from the Nessus and NeWT user communities. Plugins accepted with a copyright under the GNU Public License will be distributed to the Direct, Registered and Public feeds at the same time.
    Pricing
    The access to the GPL feed and to the Registered Feed is free. Pricing for the 'Direct Feed' is based upon the number of Nessus or complimentary copies of NeWT in use within your organization, consultancy or service. The cost is $1200 per scanner per year. For more information, please contact Tenable's sales staff.
  • vuln scanners (Score:4, Interesting)

    by neoThoth (125081) on Monday February 07, 2005 @09:58PM (#11602976) Homepage
    With vulnerability scanning there are a few different aspects to consider. the most important feature of a scanner (aside from speed and accuracy) is the level of updates. An out of date scanner is only mildly better then no scanner at all. In this regard commercial software has some advantage for the consumers (IT organizations). It's not that they can blame anyone (as was mentioned in several posts) but there is someone to yell "hey! where the hell is my signature for Vuln XYZ?" With open source there isn't a guarentee that the signature will be made quickly enough. Even nessus (as I pointed out in another post here somewhere) has moved to a pay model for plugins because of the cost of keeping those signatures up to date.
    Now one can also take the Open Source approach here and write their OWN signatures but many companies just don't have the staff for that type of thing. The vulnerabilty details are so sparse these days (not so open disclosure rules) that recreating the actual exploit never mind finding a way to detect it remotely is beyond the skill of most teams in the limited timeframe that it's of vital importance. A team will have around 24-48 hours after a patch is released until some evil doer[s] have reverse engineered the patch and created an exploit out of it, slipped in a pre packaged payload and owned 3 out of your 7 class B segments. Sometimes less. I think the ISS worm last year was the record, something like > 20 hours from patch to worm [witty worm i think].
    Some intersting article [zdnet.com] on scanning here [64.233.161.104] and here [nwc.com]

    Just one other side note about the articles, Foundstone was purchased by McAfee last year so disregard those.

UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things. -- Doug Gwyn

Working...