Open source software for perimeter defense - Security

Computer Technology Review, August, 2003 by Elizabeth M. Ferrarini

Hard Parameters

Security

* Proprietary: Security products based on Microsoft's Windows have earned a reputation for weak security. Nothing compels a vendor to announce vulnerabilities in its software, unless a virus epidemic breaks out.

* Open Source: Since bugs and fixes get posted on a mailing list, project development teams can't hide any security vulnerabilities in the software. Developers respond quickly to bugs with quick fixes; however, there's nothing to stop a contributing developer from becoming hostile and writing damaging code.

The U.S. federal government has given open source security software a boost. Top programmers at the National Security Agency have made public a security-enhanced version of the core Linux OS. The U.S. Dept. of Defense is funding a number of projects aimed at making open source software more secure. Since this research rapidly enters the public domain, it amounts to free research and development for commercial open source security companies.

Features

* Proprietary: These vendors develop features along strict marketing lines based on customers' demands. Failure to do so could result in sales lost to another vendor.

* Open Source: These developers like the challenge of developing highly advanced technical products. As innovators, they concentrate on new tools no one has thought of yet, or improved versions of existing ones. Their products can be loaded with neat features not found in proprietary products.

Acquisition Price

* Proprietary: Products from these vendors tend to be expensive.

* Open Source: These products are usually free. A product from a commercial open source vendor might cost less than a comparable product from a proprietary vendor.

Performance

* Proprietary: If you want really good performance, you can expect to pay for it, especially if it's a Windows-based product.

* Open Source: Given the speed of Linux and developers' attention to technical details, you'll get good performance from these products.

Certifications

* Proprietary: These vendors like to have their products certified by recognized security organizations, such as the U.S. National Institute of Standards and Technology under its Federal Information Processing Standards.

* Open Source: Typically, these products don't come with certification credentials from industry-recognized sources. However, since thousands of developers can test a particular product for months, you might consider this activity an unofficial form of certification.

Conclusion

You can simplify your job of selecting security software by sticking to the four basics, considering the six technologies for good perimeter security, and weighing the differences between proprietary products and open source products.

Elizabeth M. Ferrarini is an IT consultant from Boston, Mass. Reach her at iswve@aol.com.

COPYRIGHT 2003 West World Productions, Inc.
COPYRIGHT 2003 Gale Group

 
