How & Why

A Cheapskate's Guide to Free Security Software

From an IT security guru and his peers across the country, plenty of products you can get your hands on for free, now that you know what to look for.

The following was one of our most popular 2008 articles; it ran online on Aug. 8.

EVERYBODY LIKES FREE. After interviewing a number of my colleagues in higher education, I've put together the following "shopping list" of some of the most popular free security software programs currently in use at colleges and universities across the country.

A Cheapskate's Guide to Free Security SoftwareNessus

Nessus, the world's leading vulnerability scanner, was my respondents' top choice. Here's what it does: Nessus starts by performing a port scan either with internal portscanners or an external scanner such as Nmap to find out which ports are open; then it attempts various attacks on the open ports. Nessus was created by Renaud Deraison in 1998, and until 2005 was open source software. The Nessus 3 engine, now based on proprietary code, is still available to everyone free of charge, but the cost of the plugins is a little more complicated. In 2008, Tenable Network Security, the company that owns the software, divided users into two categories: "home users" and "commercial users." For home users (which include personal and nonprofit users), Nessus launched HomeFeed to provide the plugins at no charge. For individuals and organizations that want to use Tenable's Nessus plugins commercially, the company created ProfessionalFeed, which provides subscribers the latest vulnerability and patch audits, configuration and content audits, and commercial support for an annual fee.

A Cheapskate's Guide to Free Security SoftwareNmap

Nmap, which stands for "Network Mapper," is a port scanner available for free under a GNU General Public License (GPL), and is used for network inventory, managing service upgrade schedules, and monitoring host or service uptime. It looks at raw IP packets to determine which hosts are available, what operating system they are running, which applications they are offering, and what types of packet filters/firewalls are in use-- and lots of other good stuff. Nmap is supported on the following operating systems: Linux, Microsoft Windows, FreeBSD, OpenBSD, Sun Solaris, SGI IRIX, Mac OS X, HP-UX, NetBSD, SunOS, and Amiga. Support for Nmap comes from the user community, which maintains the Nmap-hackers mailing list and the nmap-dev list.

A Cheapskate's Guide to Free Security SoftwareSnort

A perennial favorite, Snort is an open source intrusion prevention and detection system that uses a rule-driven language that combines signature-, protocol-, and anomaly-based inspection methods. Snort is commonly used in three ways: 1) as a packet sniffer similar to tcpdump; 2) as a packet logger; or 3) as a full real-time network intrusion detection and prevention system that can detect a variety of attacks and probes such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and OS fingerprinting attempts.

Snort was written by Martin Roesch in 1998 (the same year as Nessus) to be an open source "lightweight" intrusion detection system, in contrast to the commercially available systems. But that's no longer the case: Snort is now a mature, feature-rich system; it has become a de facto standard in intrusion detection and prevention, and a real "heavyweight."

The availability of plugins is important, since the software uses a modular rule-based architecture. Snort's parent company, Sourcefire, offers a free rules feed; rules are delayed five days from their commercial release. Additional sources of rules include Bleeding Edge Threats.

Yet, Snort wasn't the only free package in this space identified by respondents. OSSEC is an open source host-based intrusion detection system that runs on Linux, OpenBSD, FreeBSD, Mac OS X, Solaris, and Windows, among others. Bro is an open source Unix-based package that runs on commodity PC hardware, and was designed for use by Unix experts to be a research platform for intrusion detection and traffic analysis. It is not for someone looking for an "out of the box" solution. But, if you're looking for a product that is flexible and highly customizable, Bro is worth a look. Some sites run another IDS as their front-line defense and use Bro to verify the results and experiment with new strategies.

After these first three products, picks varied widely with no clear-cut leaders. Following are some of the packages that were in the running.

Antivirus/Malware

  • Adware scans a PC for spyware and adware, as well as removes trojans, dialers, and worms.
  • ClamAV is an open source antivirus software toolkit for Unix and Windows operating systems and is particularly useful for scanning e-mail. It is available from the same folks who own Snort.
  • Secunia Personal Software Inspector protects against Windows-based software vulnerabilities and is a version of Secunia's commercial product, available to private individuals for free.
  • SpyBot Search and Destroy detects and removes spyware from Windows-based systems.
  • Tripwire is one of the original file integrity checkers. Though the software originally was open source, the company now focuses on an enterprise configuration that is not free. However, a free Linux version can still be found at SourceForge, where there is also a free Tripwire replacement, AIDE, which runs on many Unix-based operating systems.
  • VirusTotal is a free online service that uses multiple antivirus engines to analyze submitted files for viruses, worms, trojans, and all kinds of malware. Encryption
  • Gnu Privacy Guard is an open source implementation of the famous PGP (Pretty Good Privacy) encryption program by Phil Zimmerman and runs on GNU/Linux, FreeBSD, Windows XP, and Mac OS X, among others.
  • TrueCrypt offers open source real-time disk encryption for Windows Vista/XP, Mac OS X, and Linux. Web Vulnerability Scanners
  • Nikto is an open source web server scanner which runs on any system that supports a basic PERL installation, including Windows, Mac OS X, and Linux; it performs comprehensive tests against web servers to locate vulnerabilities.
  • Paros Proxy is another program designed to evaluate the security of web applications.
  • OpenSSH provides secure encrypted communications between two untrusted hosts over an insecure network.

Firewalls, Packet Filters, and Other Tools

  • Argus is an open source system and network-monitoring tool with a well-designed web interface.
  • Autoruns reveals which programs are configured to run during system bootup or login on a Windows computer.
  • Iptables is the command line program enabling systems administrators to configure Linux packet filtering rulesets.
  • IPFilter runs on a variety of Unix operating systems and provides network address translation (NAT) or firewall services.
  • Microsoft Baseline Security Analyzer is a standalone security update and vulnerability assessment tool for Windows-based systems; it identifies common security configuration errors.
  • Netflow was originally developed to run on Cisco routers to collect IP traffic information, but is now available from other vendors under different names.
  • NetStumbler is a tool for Windows, allowing users to detect wireless local area networks using 802.11b, 802.11a, and 802.11g. MiniStumbler is the corresponding product for Windows CE.
  • Wireshark is the world's foremost network protocol analyzer. It runs on Windows, Linux, Mac OS X, Solaris, FreeBSD, and NetBSD, among others.
  • ZoneAlarm Firewall provides basic firewall functionality for Windows-based systems.

:: RelatedLinks ::
IT Struggling Over Security, Compliance
Cloud Computing to Bring Security App Shift, Report Says

comments powered by Disqus