Mention 'open source security tools' and the first words that come to mind are Nmap and Nessus. Of course, Nessus is no longer open source, and its open source offshoot, OpenVAS, has failed to acquire the same level of popularity. Apart from Nmap and Nessus, Metasploit is probably one of the more popular offerings available on the open source security block.
Among enterprise security solutions, Snort might just lay claim to being the most successful Intrusion Detection/Prevention System on the market. Snort not only competes with the best commercial products (those placed in the visionary and leader quadrants by Gartner), but also serves as the inspiration for many of these commercial competitors.
Other open source security solutions that compete against commercial products are SWATCH (for log analysis), the antivirus software ClamAV and the anti-spam software SpamAssassin. The latter is not only used extensively by e-mail hosting providers, but is also rumoured to be the engine powering some commercial products.
Another popular open source tool, often deployed to help meet PCI DSS requirements, is the ModSecurity firewall. Recent releases include new features such as parallel text matching, credit card number detection, support for content injection, automated rule updates and scripting.
In addition to such established open source players, there are also some interesting open source products gaining ground. The Open Source SIM (OSSIM) is a fairly effective security event and incident management solution that combines a host of other open source tools, such as Snort, Nagios and Arpwatch, as well as Nessus. Another interesting open source solution is OpenDLP, which has just been announced. The OpenDLP website describes it as a free, open source, agent-based, centrally managed and massively distributable DLP tool released under the GPL.
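Both ModSecurity's credit card number detection and the content scanning a DLP tool performs rest on the same idea: find digit runs of plausible card length and keep only those that pass the Luhn mod-10 check, which discards most timestamps and order IDs that merely look like card numbers. The following Python is an added illustration of that technique, not code from ModSecurity or OpenDLP; the regular expression, the masking format and the sample request lines are my own assumptions.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
# The lookarounds stop a 20-digit run from being read as a 19-digit card number.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right, subtract 9 if > 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return digit-only PANs found in text that pass the Luhn check."""
    found = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the usual form for alerts and logs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed sample request lines (not real traffic; the valid PANs are public test numbers).
SAMPLE_LINES = [
    "POST /checkout card=4111 1111 1111 1111&exp=12/26",  # Luhn-valid, should alert
    "POST /checkout card=4111-1111-1111-1112",            # 16 digits but fails Luhn
    "GET /orders?id=1700000000000",                       # 13-digit timestamp, fails Luhn
    "POST /pay pan=55000000000000041",                    # 17-digit junk, fails Luhn
]


def scan_lines(lines):
    """Map each line to the masked PANs detected in it; an empty list means no hit."""
    return {line: [mask_pan(p) for p in find_card_numbers(line)] for line in lines}


if __name__ == "__main__":
    for line, hits in scan_lines(SAMPLE_LINES).items():
        print("ALERT" if hits else "clean", hits, line)
```

Only the first sample line produces an alert; the other three contain digit runs of card length that the Luhn check rejects, which is exactly the false-positive class a pure digit-count rule would flag.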
| Category | Security Solution |
|---|---|
| Intrusion Detection/Prevention System | Snort |
| Log Analysis | SWATCH |
| Antivirus | ClamAV |
| Anti-spam | SpamAssassin |
| Incident Management Solution | Open Source SIM |
| Firewall | ModSecurity |
| Data Loss Prevention (DLP) | OpenDLP |
Pros and Cons
- Reduced cost: Remember that free software refers to 'free' as in 'free speech', not as in 'free CD'. Open source products may not incur an immediate cost in terms of procurement (downloading). However, there are installation, configuration and maintenance costs involved. These costs also apply to commercial security products, but open source products are significantly cheaper.
- More eyes: The more popular open source products benefit from the contributions of the open source community and become more robust with time. This becomes a positive feedback cycle: fuelled by the popularity of the product, there is more input from coders and testers around the world, and the number of security bugs is reduced. On the other hand, an increasingly dangerous trend is that companies that once produced open source products might close them down. Nessus is an infamous example here. The recent purchase of Metasploit by Rapid7 has ominous portents for penetration testers.
- Support: With open source, there is rarely a channel partner or value-added reseller (VAR) community present. For support, you are largely dependent on hiring your own resources, on local system/network integrators, or on software development companies that understand open source. This is arguably the biggest downside of open source products: you are largely on your own. If your administrator happens to be an open source aficionado, you're lucky. If not, you will face strong resistance leading to eventual failure.
- Product upgrades: Most open source products do not come with well-defined product roadmaps. If they do, the next significant release could either take a long time or may never come through. With their R&D budgets, most commercial products bring out significant upgrades sooner than open source products. That said, products such as Snort have come up with upgrades and vulnerability detection signature releases much faster than their commercial competitors. This is also true for Nmap and Metasploit: the vibrancy of the developer community ensures that the product moves along very well.
Adopting open source security solutions
Open source is an excellent option where the following factors exist:
- Where the product is fairly well-established. Snort, Nmap, Metasploit, Wireshark, ClamAV, SpamAssassin and Nagios come to mind as products with a long history of reliability and sizable user, developer and support communities.
- Where the product largely fulfils regulatory requirements. ModSecurity and OSSIM could be excellent alternatives to expensive commercial solutions.
- Where support is reliable. If your team of administrators is fairly well-versed in open source and possesses a reasonable level of passion, they will work doubly hard to make sure that the open source alternative succeeds.
So the next time you're evaluating the next new shiny appliance to introduce into your security architecture, it just might make sense to give the open source alternative a fair evaluation as well!
As told to Srikanth RP