Saturday, October 08, 2005

Thoughts on the Week's Security News

This was a busy week for me; I spent all week teaching (and all last week preparing) a private Network Security Operations class in California. I just flew back from LAX to Dulles this morning and I get on another plane tomorrow afternoon. I'm speaking in San Jose at a Cisco event, and then teaching a second private NSO class again next week.

I've been tracking all of the week's security news. Thank you to those who thought I may have missed something. I didn't want to commit any thoughts to the blog without taking some time to ponder various events. Obviously the biggest news of the week was Checkpoint's $225 million acquisition of Sourcefire.

In short, I didn't see that coming. I have doubts about the future of Snort being a free product, let alone open source. I don't see anyone making the case to the board of a publicly traded company that part of that company's work is going to be given away for free, especially after spending $225 million for it.

You may have seen how Checkpoint is treating users of the free version of Zonealarm, which was purchased by Checkpoint two years ago for $225 million. Sure, the basic Zonealarm firewall is still free, but Checkpoint will not provide a patch for a new security problem. Checkpoint claims the problem has low severity even though proof of concept code exists. To quote John LaCour, director of security services: "It is a theoretical attack that we don't see used in the real world." Great. That rationale has certainly stood the test of time (not).

However, I do not fault Sourcefire at all for being purchased. I never faulted them for the way they handled the new rules licensing, either. The amount of manpower and resources they devote to Snort is incredible, so I am happy to see them be rewarded. I am just not sure Checkpoint is the right fit, at least from where I stand. What are your thoughts?


Anonymous said...

There's a thing I don't understand: if the Snort engine is GPL, is it possible for Sourcefire to revert this and turn Snort into a non-GPL product?

Would it be possible to fork the Snort codebase at this moment?

John Ward said...

IANAL, but my understanding of this (limited, since most of this came from /. gripes about the Nessus change) is that if the license for future versions of Snort changes, developers can go back to a previous GPL version and fork from there. However, it is very unlikely that they will close-source it, due to any contributions made from outside developers having to close-source their portion, or something like that.

Of course, since IANAL, I may be misinterpreting it...

Martin Roesch said...

As I've said in other places, the intent is to keep Snort open and free, and it's been expressed by both Gil Shwed (Check Point CEO) and myself. I continue to believe that developing the engine in an open manner is beneficial to both the users and the company for reasons that extend beyond IP. It may be relatively expensive to develop with the resources that we put into it, but the goodwill that it generates more than offsets those costs in my opinion.

Anyway, I guess the best thing for everyone to do is wait and see; my intentions have been stated publicly, and unless things change drastically, that's the way it's going to work.

As far as the GPL is concerned, as with Nessus, people are free to fork the last public release and carry it forward under a GPL license if they don't like the direction of the project at any time.

esteban said...

If snort does eventually get closed it would be the start of an interesting trend. Nessus just closed out. It's definitely wait and see. Checkpoint could do some very interesting things now.

I could see a Snort fork from the last GPL release take on a very active life of its own.

Anonymous said...

Snort - R.I.P.

Anonymous said...

bye snort. thanks for the memories.

John Ward said...

I am glad that Marty has reinforced his stance. It is good to know that he is standing by the project team's commitment, and most of us never questioned his commitment to the project that he brought to life. Without the hard work that the Snort team has put into Snort, the community would not be where it is. Since Snort is a model FOSS project, the community is just a little worried it will lose a valuable tool.

I for one do not question the Sourcefire team's stance on this issue, but I do share concern over Checkpoint's. While the CEO says one thing, Checkpoint seems to be a company that has no problem trampling the stakeholders to appease the shareholders. A perfect example of this is Zonealarm. Post-Checkpoint acquisition, the "free" Zonealarm went to crap, even though Checkpoint did keep it free. Another issue that concerns me with public companies is that all it takes is one person with an agenda to sway the stockholders into trying to maximize profit. If we are lucky, Checkpoint will go the road of a socially responsible company and go beyond the requirements of their shareholders to continue Sourcefire's practice of contributing to the community.

As stated, we will just have to wait and see. I personally don't believe that now is the time to cry that the sky is falling. If Checkpoint's commitment to Snort and the security community as a whole is strong, then this will be a good thing in the long run, and a good example that FOSS and the companies that embrace it are a viable business model. Otherwise, as has been pointed out, the beauty of FOSS is that it can be forked, and assuming no ridiculous patent suits come up, the parties involved can go their separate ways.

Anonymous said...

I for one believe this is a Good Thing(tm) for us, the Sourcefire/Check Point customer... We've been a Sourcefire customer for about 3 years and a Check Point customer since our company's inception, so about 6 years... Marty's been to our site, and I've had dinner in the past with Jerry Ungerman (CHKP Chairman) as well as met with several techs from Israel. OK, I'm done name dropping, but I wanted to set the stage for how heavily we are into both companies.

I've got an internal 12-node FOSS SNORT deployment, and it's great and all, but it is used as another tool in the arsenal. I've not employed any of Richard's methodologies because I've just been too busy, but it's a great book, by the way!

Check Point's current push is management/logging consolidation. They've got their Connectra, Intraspect, EDGE, and Firewall modules now all writing to a common log database. They've built Eventia, which is a correlation engine that sifts through this ginormous database looking for anomalies.

I've had discussions with our local CHKP SE, and we have theorized about a version of SPLAT (Secure Platform, Check Point's Linux appliance distro) that will load SNORT and centralize logging to the same common database, which would be cool.

I would LOVE to see Check Point integrate Snort rules in SmartDefense, so I could grab an open source sig off of and deploy it to our firewalls for real-time blocking of new threats. For the unaware, SmartDefense is sold as a subscription service with dynamic rule updates that blocks things like P2P applications, IM, worms, malformed HTTP requests, CIFS vulnerabilities, web server host masking, etc. It's basically a signature engine for the application level of the firewall. The problem is, today is October 10th, and the last time an update was offered for SmartDefense was September 27, and I think updates equate to roughly once a month. So, I'm paying 10K/year for monthly updates? WTF?

Anyway, I'm pretty stoked about the future possibilities...


Joe said...

I recommend we not be hasty and jump overboard over the unsubstantiated fear of the demise of open source Snort. This was a business decision for the Sourcefire business. I don't believe it will affect the open-source version of Snort as some fear. Snort is a success because of the development team that created Snort. From what I hear, they are not going away.

However, I'm not thrilled about this for a different reason. I'm currently in the market for commercial gigabit sensors and am currently evaluating SourceFire, ISS, and others. I don't like Checkpoint as a company. Besides the reasons Richard lists, I have a problem with the nickel-and-dime-you-to-death pricing and licensing model of Checkpoint products. I won't buy anything from Checkpoint, period. This is unfortunate as I really liked the SourceFire sensors.

Anonymous said...

When I was consulting w/ a small consulting company a few years back, we were a reseller and implementer for Checkpoint, as well as other companies, including Cisco. Checkpoint was the only company that did not provide us w/ a free copy of their product (FW-1 & NG) for testing purposes. They wanted us to pay for it, on top of the fees we were already paying.

I do not foresee good things.

Anonymous said...

We have had Checkpoint products deployed throughout the world, including the US. Due to pricing issues, we started removing them a year ago and replacing them with Netscreen (now Juniper) products, and we have been very happy with those.

I have started contemplating Sourcefire products after having personally used Snort for years, especially in conjunction with SANS certs and in small projects, but I totally agree with a paid approach when it comes to large-scale projects, where one needs professional services and/or support.

Having said all of the above, Sourcefire products "inside" Checkpoint will only increase the costs, so an alternative IDS will probably be my target. In any case, Snort is a great product, Marty is a genius, and he deserves financial reward in appreciation for his work. I am pretty sure they will find people capable of putting their money where their blog is (like John, the earlier poster) ;)