• No results found

Open Source Security: Opportunity or Oxymoron?

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Open Source Security: Opportunity or Oxymoron?"

Copied!
16
0
0

Loading.... (view fulltext now)

Download now ( 16 Page )

Full text

(1)

Open Source Security:

Opportunity or Oxymoron?

by George Lawton

Presented by Eduard Kuziner

(2)

Outline

1. What is Open Source ?

2. Open Source Pros and Cons

3. Current Projects

4. Concerns and Challenges

5. Conclusions

(3)

What is Open Source ?

“Open Source” and “Free” software

http://www.opensource.org

http://www.fsf.org/philosophy/free-sw.html

``Free software'' is a matter of liberty, not price. To understand the concept, you should think of ``free'' as in ``free speech,'' not as in ``free

beer'‘ - Free Software

Foundation

The freedom to:

1. run the program for any purpose

2. study how the program works, and adapt it to your needs (Access to the source code is a precondition)

3. redistribute copies

(4)

Open Source Security’s Pros And Cons

Cost

<<<

Quality

<=

(

h

Support

==<

s

Other issues

<<=

(5)

Current Open Source Projects

ü Kerberos

ü Snort

ü Snare

ü Tripwire

ü Nessus

ü Saint

ü Netfilter and iptables

ü T.Rex

(6)

Kerberos

Kerberos is a

network authentication protocol

.

It is designed to provide strong authentication for client/server applications by using secret-key cryptography. After a client and server has used Kerberos to prove their identity, they can also encrypt all of their communications to assure privacy and data integrity.

Kerberos was developed by the MIT and released in 1987. It has since matured into a standard managed by the Internet Engineering Task Force’s Common Authentication Technology Working Group.

(7)

Snort

Snort is a lightweight network-intrusion-detection system, capable of performing real-time traffic analysis and packet logging on IP networks.

Released in 1998, it helps detect potential intrusions by performing protocol analysis of packets, as well as content searching and matching and can detect various intrusions and probes, such as buffer overflows, stealth port scans, and common-gateway-interface attacks.

It can be used as a straight packet sniffer, a packet logger, or as a full blown network intrusion detection system.

(8)

Snare

Snare is a host-based intrusion-detection system for

Linux systems.

It uses dynamically loadable modular technology to interact with the Linux kernel at

runtime.

By using only the modules

necessary for a task, Snare reduces the

burden on the host system.

(9)

Tripwire

Tripwire is an

intrusion-detection system

. The

program monitors key attributes of files that should not

change, including binary signature, size, expected

change of size, etc.

Tripwire Academic Source version developed by Gene

Kim has been downloaded more than a million times

since its 1992 release.

Tripwire Inc. later reengineered Tripwire from scratch as

a commercial closed source program.

(Free Linux version is available)

(10)

Nessus

2. NASL (Nessus Attack Scripting Language) a language for security tests (security checks can also be written in C)

3. Complete and exportable reports (ASCII text, LaTeX, HTML)

4. Up-to-date security vulnerability database (updated on a daily basis)

5. Smart service recognition (does not blindly believe that the target respects the assigned port numbers)

6. Full SSL support

7. Non-destructive (optional)

http://www.nessus.org

Nessus is a

vulnerability scanner

for remotely auditing a Web site’s security.

1. Plug-in architecture (allows easily add your own tests)

(11)

Saint

The Security Administrators Integrated Network Tool (Saint) is a

vulnerability scanner

(Unix/Linux)

Based on a specific configuration, the policy engine determines whether and to what

extent Saint can scan a set of hosts. The target acquisition subsystem creates a list of probing test attacks to run on hosts. The data acquisition subsystem collects facts about the probe’s results.

Using a rule base, the inference engine processes the facts while data is being collected and generates new target hosts, probes, and facts. The results subsystem takes the collected data and displays it as a hyperspace that users can work with via a browser.

The Saint Corp. gives away older versions of the scanner, but sells the latest release.

(12)

Netfilter and iptables

The netfilter/iptables project is the Linux 2.4.x / 2.5.x firewalling subsystem. It delivers the functionality of packet filtering (stateless or stateful), all different kinds of NAT (Network Address Translation) and packet

mangling.

Netfilter lets users track callback functions associated with a network intrusion, thereby recognizing that an attack is occurring. The iptables system lets users define actions the system should take when it detects an attack.

http://www.netfilter.org

or

(13)

T.Rex

T.Rex is an open source firewall that Freemont Avenue Software released in 2000. Main features include:

ü Access Control and Authentication ü Network Address Translation (NAT) ü Fault Tolerant High Availability (99.999%)

ü Hardware assisted VPN ü Content Filtering

ü GUI Administration tool supporting multiple firewalls ü Granular access control

ü Integrated Web Caching

(14)

PGP

PGP® or Pretty Good Privacy® is a powerful cryptographic product family that allows secure exchange of messages, and to secure files, disk volumes and network connections with both privacy and strong authentication. It also includes PGPnet - a VPN client for secure peer-to-peer IP-based network connections and Self-Decrypting Archives (SDAs).

MIT distributes PGP Freeware without cost for personal use in cooperation with Philip Zimmermann, the original author of PGP, Network Associates, and with RSA Security.

http://web.mit.edu/network/pgp.html

GnuPG is a complete and free replacement for PGP.

http://www.gnupg.org

The PGPi project is a non-profit initiative, whose purpose is to make PGP freely and legally available worldwide.

(15)

Concerns and Challenges

ü Fear of open source

ü Fear of backdoors

ü Performance certifications

ü Ease of use and management

(16)

Conclusions

ü Open source security software is expected to become more

common due to changing situation of the Internet and security, but its commercial and government use will probably remain limited (projected sales growth from 1% of all security products revenue in 2002 to 2% 2007)

ü The question about pros and cons of open source is still open ü A promising application of source security software is its use in dedicated hardware, such as security appliances for securing fast network connections

ü The paper provides informative overview of available open

source security software and discusses related issues and trends, but does not attempt to analyze them in depth

References

Download now ( PDF - 16 Page - 671.66 KB )

Related documents

Growth of organic dye crystals : morphology and polymorphism

The molecular structure is shown in Figure 2.1, the bulk crystal structures of the rhombic and needle-shaped polymorphs at room temperature were determined based on single crystal

PRAIA DO FORTE. Market Research report UK Market

Franklin Oliveira, comes over to Britain in February 1998, he will have the opportunity to discuss business terms with senior figures within British Tour Operators with a view

Encountering Urban Space Live at The Floating Cinema

Events like those held by The Floating Cinema extend the spectacular elements of film exhibition beyond the screen and in doing so bring cinema’s ways of seeing to bear on

Servant Leadership and Affective Commitment to Change in Manufacturing Organizations

The significance of this study was the potential to improve business practices by providing information manufacturing leaders might use regarding how employee- perceived FLM

Chapter 13 Section 3

5.5 The contractor shall refer to DHA cases determined on review to support allegations of fraud/ abuse that meet the threshold as stated in Section C of the contract or cases with

White Rose Research Online URL for this paper: Version: Accepted Version

While in-depth exploration of the secondary tools identified was beyond the scope of the current review, further exploration of the properties of the tools used to capture

Abstract. Basics of FRAME. Introduction. Fundamentals of FRAME: A Tutorial for Building Applications

If, at any time, the user types in their name in the Input Field (and presses either the button or the RETURN key), the text in the Extended Text Entry changes to add their

A new motivation and perspective on teaching simulation and design:

The motivation for teaching this course was to introduce students to some of the practical aspects of plant operation, to familiarize students with operator training simulators, and