Thoughts on the Week's Security News
This was a busy week for me; I spent all week teaching (and all last week preparing) a private Network Security Operations class in California. I just flew back from LAX to Dulles this morning and I get on another plane tomorrow afternoon. I'm speaking in San Jose at a Cisco event, and then teaching a second private NSO class again next week.
I've been tracking all of the week's security news. Thank you to those who thought I may have missed something. I didn't want to commit any thoughts to the blog without taking some time to ponder various events. Obviously the biggest news of the week was Checkpoint's $225 million acquisition of Sourcefire.
In short, I didn't see that coming. I have doubts about the future of Snort being a free product, let alone open source. I don't see anyone making the case to the board of a publicly traded company that part of that company's work is going to be given away for free, especially after spending $225 million for it.
You may have seen how Checkpoint is treating users of the free version of Zonealarm, which was purchased by Checkpoint two years ago for $225 million. Sure, the basic Zonealarm firewall is still free, but Checkpoint will not provide a patch for a new security problem. Checkpoint claims the problem has low severity even though proof-of-concept code exists. To quote John LaCour, director of security services: "It is a theoretical attack that we don't see used in the real world." Great. That rationale has certainly stood the test of time (not).
However, I do not fault Sourcefire at all for being purchased. I never faulted them for the way they handled the new rules licensing, either. The amount of manpower and resources they devote to Snort is incredible, so I am happy to see them be rewarded. I am just not sure Checkpoint is the right fit, at least from where I stand. What are your thoughts?
Comments
Would it be possible to fork the Snort codebase at this moment?
Of course, since IANAL, I may be misinterpreting it...
Anyway, I guess the best thing for everyone to do is wait and see; my intentions have been stated publicly, and unless things change drastically, that's the way it's going to work.
As far as the GPL is concerned, as with Nessus, people are free to fork the last public release and carry it forward under a GPL license if they don't like the direction of the project at any time.
I could see a Snort fork from the last GPL release take a very active life of its own.
I for one do not question the Sourcefire team's stance on this issue; I do share concern over Checkpoint's. While the CEO says one thing, Checkpoint seems to be a company that has no problem trampling the stakeholders to appease the shareholders. A perfect example of this is with Zonealarm. Post-Checkpoint acquisition, the "free" Zonealarm went to crap, even though Checkpoint did keep it free. Another issue that concerns me with public companies: all it takes is one person with an agenda to sway the stockholders into trying to maximize profit. If we are lucky, Checkpoint will go the road of a socially responsible company and go beyond the requirements of their shareholders to continue Sourcefire's practice of contributing to the community.
As stated, we will just have to wait and see. I personally don't believe that now is the time to cry that the sky is falling. If Checkpoint's commitment to Snort and the security community as a whole is strong, then this will be a good thing in the long run, and a good example that FOSS and the companies that embrace it are a viable business model. Otherwise, as has been pointed out, the beauty of FOSS is that it can be forked, and assuming no ridiculous patent suits come up, the parties involved can go their separate ways.
I've got an internal 12-node FOSS Snort deployment, and it's great and all, but it is used as another tool in the arsenal. I've not employed any of Richard's methodologies because I've just been too busy, but it's a great book, by the way!
Check Point's current push is management/logging consolidation. They've got their Connectra, Intraspect, EDGE, and Firewall modules now all writing to a common log database. They've built Eventia, which is a correlation engine that sifts through this ginormous database looking for anomalies.
I've had discussions with our local CHKP SE, and we have theorized about a version of SPLAT (Secure Platform, Check Point's Linux appliance distro) that will load Snort and centralize logging to the same common database... which would be cool.
I would LOVE to see Check Point integrate snort rules in Smart Defense, so I could grab an open source sig off of BleedingSnort.com and deploy it to our firewalls for real-time blocking of new threats. For the unaware, SmartDefense is sold as a subscription service with dynamic rule updates that blocks things like P2P applications, IM, worms, malformed http requests, CIFS vulnerabilities, web server host masking, etc... It's basically a signature engine for the application level of the firewall. The problem is, today is October 10th, and the last time an update was offered for SmartDefense was September 27, and I think updates equate to roughly once a month. So, I'm paying 10K/year for monthly updates? WTF?
Anyway, I'm pretty stoked about the future possibilities...
-john
However, I'm not thrilled about this for a different reason. I'm currently in the market for commercial gigabit sensors and am currently evaluating SourceFire, ISS, and others. I don't like Checkpoint as a company. Besides the reasons Richard lists, I have a problem with the nickel-and-dime-you-to-death pricing and licensing model of Checkpoint products. I won't buy anything from Checkpoint, period. This is unfortunate as I really liked the SourceFire sensors.
I do not foresee good things.
I have started contemplating Sourcefire products after having personally used Snort for years, especially in conjunction with SANS certs and in small projects, but I totally agree with a paid approach when it comes to large-scale projects, where one needs professional services and/or support.
Having said all of the above, Sourcefire products "inside" Checkpoint will only increase the costs, so an alternative IDS will probably be my target. In any case - Snort is a great product, Marty is a genius, and he deserves financial rewarding in appreciation for his work. I am pretty sure they will find people capable of putting their money where their blog is (like john, the earlier poster) ;)