Sourcefire White Paper

And Its Role in the Security Model

www.sourcefire.com
June 2002

Sourcefire, Inc.
7095 Samuel Morse Drive
Suite 100
Columbia, MD 21046
410.290.1616 | 410.290.0024

TABLE OF CONTENTS

Open Source Software: OSS
  What is OSS?
  History
  Opinions on OSS
  Arguments in favor of OSS
    Security, Stability, and Cost
    Standards, Immediacy, and Lack of Restrictions
  Arguments Against OSS
    Status Quo and Security
    Poor Packaging and Support
  The Sourcefire Solution
Summary

OPEN SOURCE SOFTWARE: OSS

The current interest in open source software (OSS) is a phenomenon born of the Internet. The Internet allows open source proponents to harness the worldwide expertise of thousands of enthusiasts and bring them together in a single project to provide free, quality software. They do this out of altruism for the open source concept, to demonstrate their skills, and out of a zeal for solving difficult problems.

A few years ago, open source software was considered to be of interest only to low-budget markets (such as education, health, university laboratories). This is no longer true. Some of the more successful open source applications include:

  • Linux, now running on some 20% of the world’s servers
  • Snort, an Intrusion Detection System that outperforms commercial products in independent tests [1]
  • Apache, which runs over 60% of the world's web servers
  • Perl, which is the engine behind most of the ‘live content’ on the World Wide Web
  • BIND, the software that provides the DNS (domain name service) for the entire Internet
  • Sendmail, the most important and widely used email transport software on the Internet

Open source software still generates heated debate. There are those who claim it is insecure, unsupported and threatens the very existence of the legitimate software industry. And there are others who claim that it signifies the way of the future: more secure, more stable, less costly, and more honest software.

This paper seeks to explain the strengths and weaknesses of Open Source Software, and to show how Sourcefire leverages the open source Snort technology to provide superior enterprise intrusion detection systems.

What is OSS?

Open Source Software is software that is supplied with full source code. But it is much more. The key is in the Distribution License – this is what defines whether or not software is open source.
There are many licenses that claim to be ‘open source’ – but it is generally held that conformance to the nine guiding principles defined by the Open Source Initiative (OSI) [2] is the test. These, in brief, are:

1. Free Distribution: anyone can distribute or redistribute the software.
2. Inclusive Of Source Code: the program must include source code, and must allow distribution in source code as well as compiled form.
3. Derived Works: the license must allow modifications and derived works, and must allow them to be distributed under the same terms as the license of the original software.
4. Integrity Of Original Source Code: the integrity of the author’s original code may be maintained by requiring that derived works be distributed as a ‘patch’ and carry a different name or version number from the original software.
5. No Discrimination Against Persons or Groups: the license must not discriminate against any person or group of persons.
6. No Discrimination Against Fields of Endeavor: the license may not restrict the manner in which the software is used.
7. Distribution of License: the rights attached to a program automatically apply to everyone to whom the program is redistributed.
8. License Must Not Be Specific to a Product: the rights attached to the program must not depend on the program's being part of a particular software distribution.
9. The License Must Not Restrict Other Software: the license must not impose restrictions on other software distributed with it.

[1] “Configured correctly, it also turns in a performance every bit the equal of (and often superior to) commercial products costing many thousands of pounds.” Intrusion Detection Systems – Group Test (Edition 2); an NSS Group Report.
[2] http://www.opensource.org/docs/definition.html

White Paper - 3 ©Sourcefire, Inc. 6/2002 All rights reserved.

The basic principle is that users must be provided with, or have easy access to, the source code of the software; and be allowed to modify that code for their own and other people’s use. Of the various licenses available, the most popular is the Free Software Foundation’s (FSF) GNU General Public License [3] (usually just called the GPL), first developed by Richard Stallman.

History

Some people claim that the concept of ‘free’ (‘libre’ rather than ‘gratis’; free speech rather than free beer) software, where users are free to modify the source code for themselves, was developed by Richard Stallman back in the late ’70s. It is probably more accurate to say that Stallman codified the idea of free software in an attempt to prevent it disappearing – it had always been the norm.

Stallman, a ‘hacker’ at MIT, was accustomed to modifying the source code of donated software to better suit the needs of MIT. This was standard practice at MIT and most other institutions. Until, that is, Xerox donated a new laser printer. It was excellent, but had a few problems. Stallman’s usual approach in such circumstances was to modify the code himself – but in this instance he found that there was no source code. And when he asked for it, he was refused.

The story, excellently told by Sam Williams [4], describes the shock felt by Stallman. To him, this was a betrayal of the brotherhood of hackers, where everybody shared code for the good of everybody else. This single event started the chain of events that led Stallman to develop the original GNU General Public License, starting in 1985 and publishing Version 1.0 of the GPL in 1989.

The preamble included:

    “The General Public License is designed to make sure that you have the freedom to give away or sell copies of free software, that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things.”

This was and is the cornerstone of open source software.

The point of this story, and one that needs to be made, is that open source software is not a new concept challenging the hegemony of the mighty software companies, but a bastion of what its supporters would claim to be the old, true path. Historically, it is the proprietary software companies who are the usurpers – not the followers of OSS.

It is only the name, ‘open source’, that is relatively new. This emerged, along with the Open Source Initiative, in early 1998 – largely as a reaction to Netscape’s announcement that it would give away the code to its browser.

Opinions on OSS

Over the years there have been numerous studies, reports and analyses on open source software. The ‘wake up call’ probably came from Eric Raymond’s book, “The Cathedral and the Bazaar” [5]. Raymond was writing about the success of the Bazaar, the anarchic worldwide community of hackers, in developing Linux in the face of the Cathedral (the giant proprietary software companies). His arguments and conclusions brought some of the major computer companies on board with OSS. He wrote:

    Perhaps in the end the open-source culture will triumph not because cooperation is morally right or software “hoarding” is morally wrong (assuming you believe the latter, which neither Linus nor I do), but simply because the closed-source world cannot win an evolutionary arms race with open-source communities that can put orders of magnitude more skilled time into a problem.

One thing can be certain: the giant software companies began to take OSS very, very seriously.

[3] GNU General Public License: http://www.fsf.org/licenses/gpl.html
[4] Free as in Freedom: Richard Stallman's Crusade for Free Software, by Sam Williams, http://www.faifzilla.org/intro.html
[5] Eric Raymond’s The Cathedral and the Bazaar can be found online at http://tuxedo.org/~esr/writings/cathedral-bazaar/cathedral-bazaar/
