And Its Role in the Security Model

www.sourcefire.com
June 2002
Sourcefire, Inc.
7095 Samuel Morse Drive, Suite 100
Columbia, MD 21046
410.290.1616 | 410.290.0024

TABLE OF CONTENTS

Table of Contents ...... 2
Open Source Software: OSS ...... 3
What is OSS? ...... 3
History ...... 4
Opinions on OSS ...... 4
Arguments in favor of OSS ...... 5
Security, Stability, and Cost ...... 5
Standards, Immediacy, and Lack of Restrictions ...... 7
Arguments Against OSS ...... 7
Status Quo and Security ...... 8
Poor Packaging and Support ...... 9
The Sourcefire Solution ...... 9
Summary ...... 10

OPEN SOURCE SOFTWARE: OSS

The current interest in open source software (OSS) is a phenomenon born of the Internet. The Internet allows open source proponents to harness the worldwide expertise of thousands of enthusiasts and bring them together in a single project to provide free, quality software. They do this out of altruism for the open source concept, to demonstrate their skills, and out of a zeal for solving difficult problems.

A few years ago, open source software was considered to be of interest to low budget markets (such as education, health, university laboratories) only. This is no longer true. Some of the more successful open source applications include:

- Linux, now running on some 20% of the world’s servers
- Snort, an Intrusion Detection System that outperforms commercial products in independent tests[1]
- Apache, which runs over 60% of the world's web servers
- Perl, which is the engine behind most of the ‘live content’ on the World Wide Web
- BIND, the software that provides the DNS (domain name service) for the entire Internet
- Sendmail, the most important and widely used email transport software on the Internet.

Open source software still generates heated debate. There are those who claim it is insecure, unsupported and threatens the very existence of the legitimate software industry. And there are others who claim that it signifies the way of the future: more secure, more stable, less costly, and more honest software.

This paper seeks to explain the strengths and weaknesses of Open Source Software, and to show how Sourcefire leverages the open source Snort technology to provide superior enterprise intrusion detection systems.

What is OSS?

Open Source Software is software that is supplied with full source code. But it is much more. The key is in the Distribution License – this is what defines whether or not software is open source. There are many licenses that claim to be ‘open source’ – but it is generally held that conformance to the nine guiding principles defined by the Open Source Initiative (OSI)[2] is the test. These, in brief, are:

1. Free Distribution: anyone can distribute or redistribute the software.
2. Inclusive Of Source Code: the program must include source code, and must allow distribution in source code as well as compiled form.
3. Derived Works: the license must allow modifications and derived works, and must allow them to be distributed under the same terms as the license of the original software.
4. Integrity Of Original Source Code: the integrity of the author’s original code may be maintained by requiring that derived works must be distributed as a ‘patch’ and carry a different name or version number from the original software.
5. No Discrimination Against Persons or Groups: the license must not discriminate against any person or group of persons.
6. No Discrimination Against Fields of Endeavor: the license may not restrict the manner in which the software is used.
7. Distribution of License: the rights attached to a program automatically apply to everyone to whom the program is redistributed.
8. License Must Not Be Specific to a Product: the rights attached to the program must not depend on the program's being part of a particular software distribution.
9. The License Must Not Restrict Other Software: the license must not impose restrictions on other software distributed with it.

[1] “Configured correctly, it also turns in a performance every bit the equal of (and often superior to) commercial products costing many thousands of pounds.” Intrusion Detection Systems – Group Test (Edition 2); an NSS Group Report.
[2] http://www.opensource.org/docs/definition.html

White Paper - 3 ©Sourcefire, Inc. 6/2002 All rights reserved.

The principle is that users must be provided with, or have easy access to, the source code of the software; and be allowed to modify that code for their own and other people’s use. Of the various licenses available, the most popular is the Free Software Foundation’s (FSF) GNU General Public License[3] (usually just called the GPL), first developed by Richard Stallman.

History

Some people claim that the concept of ‘free’ (‘libre’ rather than ‘gratis’; free speech rather than free beer) software, where users are free to modify the source code for themselves, was developed by Richard Stallman back in the late ‘70s. It is probably more accurate to say that Stallman codified the idea of free software in an attempt to prevent it from disappearing – it had always been the norm.

Stallman, a ‘hacker’ at MIT, was accustomed to modifying the source code of donated software to better suit the needs of MIT. This was standard practice at MIT and most other institutions. Until, that is, Xerox donated a new laser printer. It was excellent, but had a few problems. Stallman’s usual approach in such circumstances was to modify the code himself – but in this instance he found that there was no source code. And when he asked for it, he was refused.

The story, excellently told by Sam Williams[4], describes the shock felt by Stallman. To him, this was a betrayal of the brotherhood of hackers, where everybody shared code for the good of everybody else. This single event started the chain of events that led Stallman to develop the original GNU General Public License, starting in 1985 and publishing Version 1.0 of the GPL in 1989. The preamble included: “The General Public License is designed to make sure that you have the freedom to give away or sell copies of free software, that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things.” This was and is the cornerstone of open source software.

The point of this story, and one that needs to be made, is that open source software is not a new concept challenging the hegemony of the mighty software companies, but a bastion of what its supporters would claim to be the old, true path. Historically, it is the proprietary software companies who are the usurpers – not the followers of OSS. It is only the name ‘open source’ that is relatively new. This emerged, along with the Open Source Initiative, in early 1998 – largely as a reaction to Netscape’s announcement that it would give away the code to its browser.

Opinions on OSS

Over the years there have been numerous studies, reports and analyses on open source software. The ‘wake up call’ probably came from Eric Raymond’s book, “The Cathedral and the Bazaar”[5]. Raymond was writing about the success of the Bazaar, the anarchic worldwide community of hackers, in developing Linux in the face of the Cathedral (the giant proprietary software companies). His arguments and conclusions brought some of the major computer companies on board with OSS. He wrote:

“Perhaps in the end the open-source culture will triumph not because cooperation is morally right or software “hoarding” is morally wrong (assuming you believe the latter, which neither Linus nor I do), but simply because the closed-source world cannot win an evolutionary arms race with open-source communities that can put orders of magnitude more skilled time into a problem.”

[3] GNU General Public License: http://www.fsf.org/licenses/gpl.html
[4] Free as in Freedom: Richard Stallman's Crusade for Free Software, by Sam Williams, http://www.faifzilla.org/intro.html
[5] Eric Raymond’s The Cathedral and the Bazaar can be found online at http://tuxedo.org/~esr/writings/cathedral-bazaar/cathedral-bazaar/

One thing can be certain: the giant software companies began to take OSS very, very seriously. Just how seriously can be seen in the ‘Halloween documents’. These are documents (originally leaked on October 31, 1998) from an internal study conducted in August 1998 examining open source software in general and Linux in particular.

- “OSS poses a direct, short-term revenue and platform threat to Microsoft, particularly in server space. Additionally, the intrinsic parallelism and free idea exchange in OSS has benefits that are not replicable with our current licensing model and therefore present a long term developer mindshare threat.”
- “Recent case studies (the Internet) provide very dramatic evidence ... that commercial quality can be achieved / exceeded by OSS projects”
- “...to understand how to compete against OSS, we must target a process rather than a company.”
- “OSS is long-term credible ... FUD [Fear, Uncertainty and Doubt] tactics can not be used to combat it.”
- “Linux and other OSS advocates are making a progressively more credible argument that OSS software is at least as robust – if not more – than commercial alternatives. The Internet provides an ideal, high-visibility showcase for the OSS world.”
- “Linux has been deployed in mission critical, commercial environments with an excellent pool of public testimonials. ... Linux outperforms many other UNIXes ... Linux is on track to eventually own the x86 UNIX market.”

Microsoft has agreed that the documents are genuine, but denied that they indicate any form of policy. What they do show, however, is just how seriously parts of the Redmond giant take the OSS paradigm.

It wasn’t just companies that had begun to take OSS seriously. The European Council held in Lisbon on March 23-24, 2000 set the ambitious objective for Europe to become the most competitive and dynamic economy in the world. An Action Plan[6] was published at the Feira European Council, June 19-20, 2000. One of the difficulties in establishing widespread e-commerce in Europe was recognized to be security concerns. The Action Plan recommends a number of steps to take, including the need to “Promote the development and deployment of open source software security platforms for effective plug and play.” And again, where the Action Plan recognizes the need to develop ‘Government Online’, the recommendation is to “Promote the use of open source software in the public sector and e-government best practice through exchange of experiences across the Union.” Open source software lies at the heart of official EU software policy.

Arguments in favor of OSS

There are many, many arguments in favor of the use of open source software. A few of the more important ones include:

- OSS is more secure
- OSS is more stable
- OSS is less costly
- OSS is more likely to conform to standards
- There is an immediacy to the use and modification of OSS
- There are few, if any, restrictions on the use of OSS

Security, Stability, and Cost

A study undertaken for the EU and published in June 2001[7] concluded that OSS is likely to be more rather than less secure than proprietary software:

[6] http://europa.eu.int/information_society/eeurope/action_plan/pdf/actionplan_en.pdf. This document also provides eight ‘OSS myths / Dissipating some of the FUD effect’, six OSS risks, and 11 facts (reasons for using OSS in the Public Sector). It is a document worth reading.
[7] Study into the use of Open Source Software in the Public Sector; Part 3, The Open Source Market Structure, for the EU, June 2001

“The availability of the source code and the right to modify is also a very important factor. This is not only because of a real intention to modify the software, but also because OSS contains less “black boxes”. Understanding how the system works is a cornerstone of public sector requirements in terms of transparency. No software (OSS or other) will probably ever be 100% secure, but at least with OSS you will have no (or less) backdoor(s), no electronic spy that may be totally hidden somewhere in the software.”

This is an interesting comment, and is probably a reference to Microsoft. At the end of August '99, Andrew Fernandes, a Canadian cryptographer with a small consultancy called Cryptonym Corporation, was debugging one of his own programs following the release of NT4 Service Pack 5. It had long been known that Windows has two crypto keys. The one obviously belongs to Microsoft itself, and is there to ensure Windows can load CryptoAPI services in conformance with US export laws. But what of the second?

Well, Fernandes found, by accident, that an MS programmer had forgotten to remove the symbolic label identifying the second key. And the name of this second key? NSAKEY.

Microsoft has vehemently denied that this second key has anything to do with the US – but the problem is this: is the NSAKEY a secret NSA key for 'covert' purposes? This is hard to believe; yet the key exists. There will forever be the hint of suspicion that back doors are hidden deep within the code of proprietary software.

The EU report is making the point that it is much harder to hide a backdoor within open source code than it is for some nameless, faceless programmer to do so, with or without the company’s knowledge, in proprietary compiled software. Microsoft has, of course, had more than its fair share of criticisms over security. It was possibly to try and counter the bad press that the famous security memorandum of mid-January 2002 was issued. Addressing Microsoft employees, its author declared, “When we face a choice between adding features and resolving security issues, we need to choose security. Our products should emphasize security right out of the box.”

Most security experts did not take it too seriously. Bruce Schneier commented in his February CRYPTO-GRAM: “In addition to making its protocols and interfaces public, we suggest that Microsoft consider making its entire source code public. We're not advocating that Microsoft make its products open source, but if they really want to impress everyone about their newfound security religion, they will make their code available for inspection.” Schneier clearly believes that source code open for inspection will be more secure than closed source code. This is perhaps not surprising since Schneier is a cryptographer, and the entire cryptographic community is united in the need for cryptographic algorithms to be fully published and tested by peers over time. The view is that you cannot trust what you cannot see.

Stability is another concern - bugs happen. That’s life. They’re inevitable and exist in all software – and they cause systems to crash. The only solution is to find the bugs and fix them.

In the proprietary software world, there is little incentive to find and fix – most programmers have already moved on to the next project. And even where there are programmers still working on the code, fixes come according to their supervisors’ priorities – not yours. But in the OSS world, thousands of competent programmers with a genuine interest in the software vie with each other to be the first to find and fix bugs in new releases. The result is software that is simply more stable than closed source software.

The community of users helps drive the cost of maintenance down as well. It has been said many times that the ‘free’ in free software is free as in ‘free speech’, not ‘free beer’. There is no guarantee that there is no charge for OSS – indeed, there often is a fee for third party packaged and presented OSS. Nevertheless, OSS is invariably less expensive than its closed source competitors; and is often, at least in its ‘vanilla’ version, free of all cost other than that of downloading it from the Internet.

Standards, Immediacy, and Lack of Restrictions

OSS almost always conforms more closely to international standards than does proprietary software. Proprietary software companies have a need to maximize their profits – and an easy way to do this is to lock customers in to their own products. PKI is a perfect example. All the major megalithic PKI vendors wanted to dominate the market. So, instead of developing universal standards and ensuring compatibility between different suppliers from the outset, they developed their own standards and competed. As a result, PKI has simply stagnated, and has possibly even died, over the last five years.

Conformance to standards is liberating. It means that you can choose other software on the basis that it is the best rather than because it works with what you’ve already got. OSS will usually give you this option.

The right to receive the source code, and the right to modify that code, is key to the success of the OSS paradigm. Let’s say that you have purchased software from a closed source supplier. It’s good, but it would be even better if it would only…

Well, you can tell the developer. And then you have to wait. Eventually you may get what you want – but more likely, unless you are a major international corporation or it’s a small vendor very dependent on sales to your company, nothing will ever happen.

In the OSS paradigm you get to make the changes yourself. And if you don’t have the resources to do so, you can suggest it on one of the support mailing lists. If it’s a good idea, it’s quite likely that someone else will do it for you – sooner rather than later.

It’s not strictly true to say that there are no restrictions on the use of open source software – but the restrictions are there to prevent the introduction of new restrictions. For example, an open source license would probably allow you to modify the source code, but then prevent you from distributing the modified code with new restrictions. The intention of the open source license is to define ‘open source’ and to maintain ‘open source’.

Compare this to what can happen in the proprietary software paradigm. Microsoft not only has a very restrictive license, it is able to, and does, change those conditions after they have been accepted. “The quarterly Product Use Rights (PUR[8]) provides the latest use rights for Microsoft products under the volume licensing programs,” it says on its site.

In February 2002 InfoWorld published an article by Ed Foster that illustrated the subtle ways in which the use of the PUR can alter retrogressively the terms of the license[9]. In this instance, the article points out that a user “found the Internet-Based Services Components paragraph that said in part, ‘You acknowledge and agree that Microsoft may automatically check the version of the Product and/or its components that you are utilizing and may provide upgrades or fixes to the Product that will be automatically downloaded to your Workstation Computer.’”

The implications of this are worth considering. After purchasing the software, the terms have been altered without your agreement to the effect that you have agreed that the vendor may access your computers at will.

This behavior would be impossible with genuine open source software.

Arguments Against OSS

There are three main arguments against the use of OSS software:

- It can upset the status quo and market equilibrium, and threatens intellectual-property rights
- Open source is open to tampering, and is therefore not secure
- It is neither well packaged nor well supported

[8] http://www.microsoft.com/licensing/downloads/PUR.pdf
[9] http://www.infoworld.com/articles/op/xml/02/02/11/020211opfoster.xml

Status Quo and Security

This is a strange argument; but it has been used. On May 22, 2002, the Washington Post reported that Microsoft “is aggressively lobbying the Pentagon to squelch its growing use of freely distributed computer software and switch to proprietary systems…”[10] Although Microsoft denied urging a ban on OSS, it did admit that there had been discussions with the Pentagon. “Our goal is to resolve difficult issues that are driving a wedge between the commercial and free software models,” said Microsoft. Apparently the arguments are not likely to be accepted: a report prepared by Mitre Corporation for the DoD in early May concluded, according to the Washington Post, “that open source often results in more secure, less expensive applications and that, if anything, its use should be expanded.”

The strongest argument here against OSS is that its use in conjunction with proprietary software could impinge on the intellectual rights of the proprietary software developer. This takes the concept of intellectual property a step too far – it implies that if you own application code, then you also own the output of that application. If this were true, then that fact should be made absolutely clear to all users before they purchase the software – in which case we would see a mass migration away from Windows and into Linux.

This argument does not bear scrutiny.

Security has already been discussed under the section that demonstrates that OSS is more secure than proprietary software. The same Washington Post article comments: “Microsoft also said open-source software is inherently less secure because the code is available for the world to examine for flaws, making it possible for hackers or criminals to exploit them. Proprietary software, the company argued, is more secure because of its closed nature.” This flies in the face of the Mitre report, and virtually every other independent analysis.

Furthermore, the NSA itself seems to have embraced the OSS concept – it is working to add additional security to Linux:

“Currently, we can only support the x86 architecture and have only been able to test it on Red Hat distributions. Nonetheless, we feel we have presented a good starting point to bring valuable security features to Linux. We are looking forward to building upon this work with the Linux community.

“Security-enhanced Linux is being released under the same terms and conditions as the original sources. The release includes documentation and source code for both the system and some system utilities that were modified to make use of the new features. Participation with comments, constructive criticism, and/or improvements is welcome.”[11]

In a 2001 report for Red Hat, TruSecure described OSS security as the security of ‘many eyeballs’: “The principle is simple, yet powerful – the more people who have access to the source code and can employ their expertise to examine it, the fewer secrets are embedded in the code and the harder it is to compromise that code by hiding backdoors, bugs or other security-threatening code in it.”

Closed source, conversely, relies more on the concept of ‘security by obscurity’ – a concept that is largely discredited by security experts on the simple basis that you cannot know if something has already been compromised. Remember that the programmers had hidden a back door in MS FrontPage, and that this went unnoticed for four years – unnoticed, that is, except by the cracker world who discovered and used it. “Had the source code been open to all users, this vulnerability would most likely have been discovered quickly and a fix distributed before any damage was caused,” concluded TruSecure.

Again, the suggestion that open source software is less secure than proprietary software simply does not bear scrutiny.

[10] http://www.washingtonpost.com/wp-dyn/articles/A60050-2002May22.html
[11] http://www.nsa.gov/selinux/index.html

Poor Packaging and Support

Like the curate’s egg, this argument is good in parts. When software is developed by hundreds of the world’s best programmers from all round the world – who do you turn to when you need support?

Consider the main open source applications we have mentioned: Linux, Snort, Sendmail, Perl, BIND and Apache.

Sendmail, Perl, BIND and Apache are not what one would normally describe as ‘business applications’. They are specialist applications more generally used by specialists. But nevertheless, they are well supported. Support comes from the user community itself. Internet mailing lists and newsgroups allow both users and developers to discuss new ideas and solve existing problems in an ongoing manner. And unlike support for proprietary software, this is free.

Linux is a bit different. It is now mainstream business software. The route from ‘darling of the geeks’ to a preferred OS of businessmen could not have been achieved without the more visible support of companies like Red Hat, Caldera, and the other major Linux distributors. These companies provide the visible point of understandable reference that businessmen require.

Snort is worth considering in more detail. It is an open source Intrusion Detection System with an excellent reputation and excellent performance. In an independent test[12], the authors commented that “Snort is such a fine product – and make no mistake, it is a fine product.” But they also point out the anomaly inherent in open source software: even if the capital cost is little or nothing, the running costs can be expensive. “On its own,” says the report, “Snort is a fairly raw tool, and requires quite a supporting cast… It is essentially a ‘roll your own’ solution which is likely to be beyond the capabilities of those organizations which do not have a reasonable level of in-house expertise in the black arts (of the operating system).

“But,” it continues, “for anyone who has that expertise – or who is happy to pay to acquire it from someone else – the overall Snort experience is likely to be a positive one.” This is the one big problem with the basic open source paradigm: it produces the finest possible software, but the average businessman will have difficulty running it. We have an open source product that, in these tests, “astounded us by demonstrating 100 percent detection rates across the board in our ‘real world’ tests,” while at the same time it is denied to the general commercial market because it is so ‘raw’.

The Sourcefire Solution

It is to solve this anomaly that Marty Roesch, the original and lead developer of Snort, founded the company Sourcefire. Sourcefire is taking Snort to the business masses. It is turning vanilla roll-your-own Snort into an easy-to-use (cue the new GUI), out-of-the-box, ready-to-run appliance, with pre-optimized and hardened hardware and OS. It provides full documentation, customer support and training, guaranteed updates and pre-written rules; and a new proprietary and scalable database that has been described as ‘fast as hell!’

Sourcefire combines the very best of the open source paradigm (the best possible code) with the best of the commercial world (presentation and packaging in its widest sense). And it is taking Snort into new territories – the larger enterprise market.

[12] Intrusion Detection Systems – Group Test (Edition 2); an NSS Group Report.

SUMMARY

It is important to remember that the open source software debate/war is not a war between free software and Microsoft. It is a battle between two contradictory software paradigms: open source and closed source. Microsoft figures extensively in this report not because it is ‘the enemy’ (it isn’t), but because it is the single largest exemplar of the closed source paradigm.

Which paradigm will win? Well, there is room for both. The main problem is that proprietary software companies often have shareholders – and shareholders demand ever-increasing profits. Proprietary software companies fight to increase their market share – and this is under threat from open source software. The arguments in favor of open source are undeniable, irrefutable and inexorable. There is little doubt that OSS will alter the balance of software terms over the next decade, regardless of what the proprietary suppliers do.
