How to evaluate open source solutions

Posted December 20, 2009 by Ali
Categories: Open Source Firewalls, Open Source IPS, Open Source Load Balancers, Open Source Routers, Open Source Web Application Firewalls

Two advantages of open source are its flexibility and low barrier to entry. These can also become a disadvantage: there are often many similar solutions, and it can be challenging for the user community to select one.

This challenge can be overcome by having a methodology to evaluate and compare different solutions.  I will present to you a practical approach that I have developed and used.  If you choose to use it or adapt it, please let me know how it worked for you and how you adapted it to fit your needs.

There are a few published methods out there:

  1. Cap Gemini:  Open Source maturity model
  2. QSOS.org: Qualification and Selection of Open source Software
  3. OpenBRR: Open Business Readiness Rating

After looking at these and others,  I have customized a model that has worked for me.   I call it a Practical Open Source Maturity Model.

Practical Open Source Maturity Model

Product

  • Age/Maturity – Look at news reports and the project's website for details on when the product was introduced, when it became available as a stable release, etc.
  • Momentum – Look at recent releases, the number of articles in 3rd party news, the number of community members, the release timeline and how well it has been met in the past, etc.
  • Features – Yes, take a look at your technical requirements and how well the particular solution meets your needs.

Usability

  • Install – Read or speak with references about how their installs went. Check the documentation for initial setup, configuration, 3rd party installation consulting services and backup/recovery procedures.
  • Usage – Research experiences with day-to-day operations. Check the availability of documentation for ongoing configuration, security patches, the upgrade path, and how long support/development will continue for the particular product.
  • Support – How do you get support and assistance? Forums, paid subscription, 3rd party commercial support?

Architecture

  • Modularity – Is the technical architecture modular and easily extensible? What examples/references are there for extensions and customizations?
  • Standardized – Does the solution use standard protocols that interoperate with other solutions and all users' systems? Are the standards used public, and do they have multiple participants or a standards body?
  • Development – Is there a strong development community that is responsive to the users? Is there an established process for development, QA and release?

That's the Practical Open Source Maturity Model. Use it wisely, document everything and it will save you a lot of time, frustration and serious downtime!

In the future I will post my evaluations of Firewalls/Security Gateways, Network Monitoring & Management software, etc.

Do you have an evaluation model that you have used? How does it compare with the Practical Open Source Maturity Model? Let us know!

Navigating the ‘crossroads’ with open source firewalls.

Posted November 21, 2009 by Ali
Categories: Open Source Firewalls

Firewalls have been around in some form or another since the early days of networks. A typical firewall protects the ‘trusted’ internal network from those who are on the ‘untrusted’ outside. Things have changed since the early days. Exploits now make it all the way to applications through open ports on the firewall. Requirements to give access to partners, contractors, guests, and customers using self-service portals render the notions of ‘trusted’ and ‘untrusted’ portions of the network useless. Today we stand at a crossroads between installed legacy infrastructure, which does not satisfy even present-day security needs, and emerging technologies. Emerging technologies don’t focus on networks and hosts, but on protecting the ‘data’ and the ‘content’. The wisdom of the day is to let traditional firewalls keep the riff-raff out by allowing traffic in only to the appropriate IP addresses and ports, and to let more application-specific techniques protect the ‘data’ and defend against application-level denial of service attacks.

The cost of the switch from legacy to emerging technology will be large, but the balance is tipping such that the cost of not making the switch will be even larger. Open source can help with the costs by offering the emerging techniques developed by a community of cooperative experts. OpenADC will allow network security experts to write cost-effective traditional firewalls that face the internet, and application developers to write the application-specific firewalls that sit just in front of the application, such that the two work in unison to provide the best protection for the application.

In the rest of the posts in this category, I will survey existing open source firewalls, both the traditional network-level firewalls and the application-specific ones.

What has your experience been with open source firewalls?  Let me know in your comments.

Services anticipated on the Open Source Application Delivery Controller

Posted November 13, 2009 by mudit70
Categories: Application Delivery Controller

When we think of application delivery controllers and what runs on them, traditional services such as those listed below come to mind.

1. Load balancers

2. SSL offload

3. XML offload

4. Asymmetric application acceleration

5. Traffic tracing

The OpenADC platform will allow developers from the user and consultant community to write services as they see fit, and whenever they need them. With this in mind, we look into the crystal ball and come up with this list of services we anticipate. This is just a start, and we will keep adding to the list. Here it is:

1) End to end transaction monitoring, which includes database and other back end transaction monitoring.

2) Data Leakage monitoring and enforcement.

3) Compliance related monitoring and enforcement.

4) Auto-encryption of sensitive information while it is being transmitted.

5) Application usage pattern discovery.

6) Application performance monitoring, proactive degradation sensors and alerts.

7) Web Application Firewalling.

8) Flexible programmable Deep Packet Inspection engine.

Open ADC is good news for service providers.

Posted October 21, 2009 by mudit70
Categories: Application Delivery Controller

Service providers have been locked in to the feature set offered by vendors as they try to satisfy the varied needs of different customers. With an open source application delivery platform, they are able to monetize their knowledge of specific customer needs by easily writing services that will run on the multi-service and multi-tenant platform. For starters, offering the same services that are offered by current ADC product vendors becomes much easier on the Open ADC platform, for the following reasons:

1. Capital expense goes through the roof as service providers deploy standalone ADCs, from current vendors, for each customer. The Open ADC platform allows them to deploy a soft ADC per customer, or deploy multiple customers on Open ADC running on specialized hardware with total isolation amongst customers. This cuts the cost of running the environment tremendously, increasing the service provider’s margins.

2. Service providers are able to sell ‘On Demand services’ with Open ADC. For example, if a customer needs SSL encryption offload during peak selling time for an e-commerce application, and not at other times, this need can be easily met with Soft Open ADC. Meeting this need with current ADC products is not possible, as the service provider has to buy physical hardware for offering services.

3. Service providers can easily upsell new services. If a customer’s services are deployed on an Open ADC platform, adding another service in the ‘service chain’ for that customer does not cost much. Therefore, service providers can offer services on a trial basis as they look for new revenue streams.

4. Service providers will have more services to offer as independent developers will write niche services for specific customer segments.

Why do we need an Open Source Application Delivery Controller?

Posted October 18, 2009 by mudit70
Categories: Application Delivery Controller

Organizations of all sizes that deploy ‘applications’ allowing their members to complete business workflows are spending a lot of money on network services. They face several challenges as they depend on network services solutions from established vendors in the space. Many of these challenges are addressed by an Open ADC platform, as discussed below.

1. Vendors cannot produce special features for the disparate specific needs of all organizations.

Many organizations have very specific needs, but it is not profitable for vendors to consider their features, as vendors try to address the needs of the general market. Nobody is at fault here, as vendors have to weigh the cost of developing a feature against its revenue potential. A niche portion of the market cannot yield enough revenue to justify developing the feature. However, the organizations do have a real need. Where do they go to get their needs met? Open ADC comes to the rescue! Smaller independent teams will emerge and will write services on the Open ADC platform to serve the niche market.

2. Users end up paying for what they don’t need.

Several users end up paying for features they don’t use, since network services products are delivered as a bundle. Many pay for performance they don’t need, as vendors supply fixed form factors. Once again, Open ADC comes to the rescue, as users will be able to deploy only the services they want on the platform. Furthermore, the Open ADC platform will give them the choice to deploy their services in a virtual machine, on a standalone system, or on an ATCA chassis with acceleration technology.

What is an Open Source Application Delivery Controller Platform?

Posted October 18, 2009 by mudit70
Categories: Application Delivery Controller

Tags: , , , , , , ,
OpenADC will provide an open source multi-service, multi-tenant application delivery controller platform. Community of developers can write cool services that the user community needs, with a much lower barrier to entry, thus monetizing their niche knowledge. Developers don’t have to worry about the low level packet processing, but can focus on the logic of their services.  The Open ADC platform will take care of the low level packet processing and optimizations.  The platform will be able to host services from independent developers and optimally apply logic of each service to packets of every session.
User community, responsible for application delivery, can deploy the OpenADC platform, and with mouse clicks deploy only services they need. User community no longer needs to pay high premiums for features they don’t use or performance they don’t need.

Introducing the concept of an Application Delivery Controller

Posted October 15, 2009 by mudit70
Categories: Application Delivery Controller

Every IT professional knows that all the work they do is focused on keeping business applications running well, such that users are able to perform business workflows. If revenue-generating applications malfunction, the enterprise loses customers to its competition. How many times have you gone on to purchase an item from a different vendor because the initial vendor’s web-based ordering site was responding too slowly? Backend applications must also work well in order for the enterprise to be competitive. So, the brave new world of IT is all about ‘application delivery’.

In order to keep applications running smoothly, IT teams use various tools to perform several important functions. These include network services that help to secure applications and optimize their performance, as well as monitoring systems that help with proactive alerts or reactive debugging activity. Examples of some of the popular network services related to security are ‘firewall’, ‘web application firewall’, ‘intrusion detection and prevention system’, ‘encryption and decryption system’ etc. For performance optimization, the well-known examples are ‘load balancer’, ‘web cache’, ‘compression’ etc. Examples of emerging services that help secure, optimize and visualize applications include the use of deep packet inspection across multiple packets to mitigate data leakage, defend against application semantic based attacks, offer quality of service based on application communication characteristics etc.

An application delivery controller is a system that can host many of the services required by an application.  This system can be implemented as software that runs on any general purpose hardware, or as a device specially built to run the services software.

In the posts that follow, I will discuss several aspects of ‘application delivery controllers (ADC)’, including the ever-changing definition that the vendor community imposes. I will define an ‘ADC’ from the user or the customer’s point of view. My hope is that the discussion that follows will clarify the concept of an ADC, allow the user community to state what services they would like to see implemented, and charge the vendor community to deliver relevant and appropriate features.