Archive for the ‘Open Source Firewalls’ category

How to evaluate open source solutions

December 20, 2009

Two of the advantages of open source are its flexibility and low barrier to entry. These can also become a disadvantage: there are often many similar solutions, and it can be challenging for the user community to select one.

This challenge can be overcome by having a methodology to evaluate and compare different solutions.  I will present to you a practical approach that I have developed and used.  If you choose to use it or adapt it, please let me know how it worked for you and how you adapted it to fit your needs.

There are a few published methods out there:

  1. Cap Gemini:  Open Source maturity model
  2. QSOS.org: Qualification and Selection of Open source Software
  3. OpenBRR: Open Business Readiness Rating

After looking at these and others,  I have customized a model that has worked for me.   I call it a Practical Open Source Maturity Model.

Practical Open Source Maturity Model

Product

  • Age/Maturity – Look at news reports and the project's website for details on when the product was introduced, when it was available as a stable release, etc.
  • Momentum – Look at recent releases, number of articles in 3rd party news, number of community members, the timeline for releases and how well it's been met in the past, etc.
  • Features – Yes, take a look at your technical requirements and how well the particular solution meets your needs.

Usability

  • Install – Read or speak with references on how their installs went. Check documentation for initial setup, config, 3rd party installation consulting services and backup/recovery procedures.
  • Usage – Research experiences with day-to-day operations. Check documentation availability for ongoing configuration, security patches, the upgrade path, and the timeline for how long support/development will continue for the particular product.
  • Support – How do you get support and assistance? Forums, paid subscription, 3rd party commercial support?

Architecture

  • Modularity – Is the technical architecture modular and easily extensible? What examples/references are there for extensions and customizations?
  • Standardized – Does the solution use standard protocols that interoperate with other solutions and all users' systems? Are the standards used public, with multiple participants or a standards body behind them?
  • Development – Is there a strong development community that is responsive to the users? Is there an established process for development, QA and release?

That's the Practical Open Source Maturity Model. Use it wisely, document everything, and it will save you a lot of time, frustration and serious downtime!

In the future I will post my evaluations of Firewalls/Security Gateways, Network Monitoring & Management software, etc.

Do you have an evaluation model that you have used? How does it compare with the Practical Open Source Maturity Model? Let us know!

Navigating the ‘crossroads’ with open source firewalls.

November 21, 2009

Firewalls have been around in some form or another since the early days of networks. A typical firewall protects the ‘trusted’ internal network from those who are on the ‘untrusted’ outside. Things have changed since the early days. Exploits now make it all the way to applications through open ports on the firewall. Requirements to give access to partners, contractors, guests, and customers using self-service portals render the notions of ‘trusted’ and ‘untrusted’ portions of the network useless. Today we stand at a crossroads between installed legacy infrastructure, which does not satisfy even present-day security needs, and emerging technologies. Emerging technologies don’t focus on networks and hosts, but on protecting the ‘data’ and the ‘content’. The wisdom of the day is to let the traditional firewalls keep the riff-raff out by only allowing in traffic to appropriate IP addresses and ports, and to let the more application-specific techniques protect the ‘data’ and defend against application-level denial of service attacks.

The cost of the switch from legacy to emerging technology will be large, but the balance is tipping such that the cost of not making the switch will be even larger. Open source can help with the costs by offering the emerging techniques developed by a community of cooperative experts. OpenADC will allow network security experts to write cost-effective traditional firewalls that face the internet, and application developers to write the application-specific firewalls that sit just in front of the application, such that the two work in unison to provide the best protection for the application.

In the rest of the posts in this category, I will survey existing open source firewalls, both the traditional network-level firewalls and the application-specific ones.

What has your experience been with open source firewalls?  Let me know in your comments.