Spotlight

A Cheapskate's Guide to Free Security Software

• By Doug Gale
• 08/08/08

Okay, lets admit it: Everybody likes free (well almost everybody, since there is a history of "free" products evolving into for-profit companies). To find out what products were popular in the higher education market place, I conducted a "scientific" survey asking a random selection (a handful of security officers in my address book) to identify their five favorite free security software packages. Based on five responses, here are the results. (In the interest of full disclosure, five responses cannot be represented as a "higher education" response.) Drum Roll. "May I have the envelope, please?"

1. Nessus
Nessus, the world's leading vulnerability scanner, was my respondents' top choice. What does it do? Nessus starts by doing a port scan either with internal portscanners or an external scanner such as NMAP to find out which ports are open and then tries various attacks on the open ports. Quoting from their product literature, Nessus features "high speed discovery, configuration auditing, asset profiling, sensitive data discovery and vulnerability analysis of your security posture. Nessus scanners can be distributed throughout an entire enterprise, inside DMZs, and across physically separate networks."

Nessus was created by Renaun Deraison in 1998 and until 2005 was open source software. The Nessus 3 engine, now based on proprietary code, is still available to everyone free of charge, but the cost of the plugins is a little more complicated.

In 2008, Tenable Network Security, the company that owns the software, divided users into two categories, "home users" and "commercial users." For home users, which includes personal and non-profit users, Nessus launched "Homefeed" to provide the plugins at no charge. For individuals and organizations that want to use Tenable's Nessus plugins commercially, they created "ProfessionalFeed" that provides subscribers the latest vulnerability and patch audits, configuration and content audits, and commercial support for an annual fee.

2. NMAP
NMAP, a port scanner, was up there with Nessus on my respondents' most popular list. NMAP, which stands for "Network Mapper," is available for free under a GNU General Public License (GPL) and is used for network inventory, managing service upgrade schedules, and monitoring host or service uptime. It looks at raw IP packets to determine what hosts are available, what operating system they are running, what applications they are offering, and what type of packet filters/firewalls are in use--and lots of other good stuff.

NMAP is supported on the Linux, Microsoft Windows, FreeBSD, OpenBSD, Solaris, IRIX, Mac OS X, HP-UX, NetBSD, Sun OS, and Amiga operating systems. Support for NMAP comes from the user community, which maintains the Nmap-hackers mailing list and the nmap-dev list.

3. SNORT
SNORT, an intrusion detection system, is a perennial favorite. (If nothing else, you have to love their logo.) SNORT is an open source intrusion prevention and detection system that uses a rule-driven language that combines signature-, protocol-, and anomaly-based inspection methods. SNORT is commonly used in three ways:

1. A packet sniffer similar to tcpdump;
2. A packet logger; or
3. A full rea-time network intrusion detection and prevention system that can detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and OS fingerprinting attempts.

SNORT was written in 1998 (the same year as Nessus) by Martin Roesch to be an open source "lightweight" intrusion detection system in contrast to the commercially available systems. That's no longer the case. SNORT is now a mature, feature-rich system that has become a de facto standard in intrusion detection and prevention and a real "heavy weight."

The availability of plugins is important, since the software uses a modular rule-based architecture. SNORT's parent company, SourceFire, offers a free rules feed, which are delayed five days from their commercial release. Additional sources of rules include BleedingEdge Threats.

SNORT wasn't the only free package identified by respondents. OSSEC is an open source host-based intrusion detection that runs on Linux, OpenBSD, FreeBSD, Mac OS X, Solaris, and Windows, among others. BRO is an open source, Unix-based package that runs on commodity PC hardware and was designed for use by Unix experts to be a research platform for intrusion detection and traffic analysis. It is not for someone looking for an "out of the box" solution. But, if you're looking for a product that is flexible and highly customizable, this is worth a look. Some sites run another IDS as their front-line defense and use BRO to verify the results and experiment with new strategies.

Worthy of a Closer Look
After the first three, picks varied widely, with no clear-cut leaders. So here are some of the packages that were in the running.

Antivirus/Malware

• Adware scans a PC for spyware and adware as well as removing Trojans, dialers and worms.
• ClamAV is an open source antivirus software toolkit for Unix and Windows operating systems and is particularly useful for scanning email. It is available from the same folks that own SNORT.
• Secunia Personal Software Inspector protects against Windows-based software vulnerabilities and is a version of Secunia's commercial product that is available to private individuals for free.
• SpyBot Search and Destroy detects and removes spyware from Window's based systems.
• Tripwire is one of the original file integrity checkers. Originally open source software, the company now focuses on an enterprise configuration that is not free. A free Linux version can still be found at SourceForge where there is also a free Tripwire replacement, AIDE that runs on many Unix-based operating systems.
• VirusTotal is a free online service that uses multiple antivirus engines to analyze submitted files for viruses, worms, Trojans, and all kinds of malware.

Encryption

• TrueCrypt offers open source real time disk encryption for Windows Vista/XP, Mac OS X, and Linux.
• GnuPrivacyGuard is an open source implementation of the famous PGP (Pretty Good Privacy) encryption program by Phil Zimmerman and runs on GNU/Linux, Free BSD, Windows XP, and Mac OS X among others.

Web Vulnerability Scanners

• Nikto is an open source Web server scanner, which runs on any system that supports a basic PERL installation including Windows, Mac OS X, and Linux, performs comprehensive tests against Web servers to locate vulnerabilities.
• Paros Proxy is another program to evaluate the security of Web applications.
• OpenSSH (Open Secure Shell) provides secure encrypted communications between two untrusted hosts over an insecure network.

Firewalls, Packet Filters, and other Useful Tools

• Argus is an open source system and network-monitoring tool with a nice Web interface.
• Autoruns shows what programs are configured to run during system bootup or login on a Windows computer.
• iptables is the command line program for system administrators to configure Linux packet filtering rulesets.
• IPFilter runs on a variety of Unix operating systems and provides network address translation (NAT) or firewall services.
• Microsoft Baseline Security Analyzer is a standalone security update and vulnerability assessment tool for Windows-based systems that identifies common security configuration errors.
• Netflow was originally developed to run on Cisco routers for collecting IP traffic information but is now available from other vendors under different names.
• NetStumbler is a tool for Windows that allows you to detect Wireless Local Area Networks (WLANs) using 802.11b, 802.11a, and 802.11g. MiniStumbler is the corresponding product for Windows CE.
• Wire Shark is the world's foremost network protocol analyzer and runs on Windows, Linux, Mac OS X, Solaris, FreeBSD, and NetBSD, among others.
• ZoneAlarm Free Firewall provides basic firewall functionality for Windows-based systems.