Dailydave mailing list archives

RE: Sourcefire Acquired by Check Point Software


From: "Kyle Quest" <Kyle.Quest () networkengines com>
Date: Fri, 7 Oct 2005 22:13:32 -0400


This is really good news for Checkpoint competitors
[ because Checkpoint now will never be more than just "kinda pretty
good" ]
...
Could we please stop the bullshit fear mongering and competitors
mud-slinging?

If anything, competitors should be afraid of the marriage of great
technology (Snort) with an established, solid, and ubiquitous company.
Snort will breeze some fresh wind into CP and raise the geek factor
within CP back to a pre-1996 level.

As somebody who knows about architecting inline network security systems
(that don't suffer from the traditional limitations),
I based the previous statement on my experience and on solid understanding
of technical requirements to make a system that's not just good enough,
but something that can escape the inevitability of false positives and
inability to handle various evasion techniques (Dave A. has some great 
evasion examples with Snort :-] ) that traditional IDSes 
like Snort drag along with them. 

Now let's imagine for a second that Checkpoint tries to build a system
using the technology they use now and Snort. How would it work? Would they
put together parts of Snort (and other stuff SourceFire has) with Application
Intelligence CP has? Would the Snort engine exist after a transformation
like that? Either way, I personally don't care if the Snort engine is open source
or closed.

According to the press releases that SourceFire and CheckPoint have
(especially CheckPoint), they plan to put the existing CheckPoint
technology alongside the SourceFire/Snort technology and
expect to get greater results than either of those technologies
can produce separately (oversimplified math: 1+1=3). Unfortunately,
it doesn't work that way. If you run protocol anomaly checks and then
signature checks, you won't get a better result... you won't get fewer
false positives, etc. To get those expected results, those technologies
must be melted together and not simply put next to each other.

And the bullshit about Snort being closed is just that... bullshit. 

I never made that statement and my gut feeling is that the Snort engine
will be open source for a long time... maybe even forever.

There's a possibility that the Snort engine could be made more modular,
so that preprocessors could be plugged in as binary modules. That way,
a lot of "special" functionality developed by CheckPoint now can
be kept closed.

There's also a good chance that new things are going to happen to the rules.
I don't know what it would be and I don't want to guess actually. But it
seems logical to expect something. An empty engine without anything to power
it is not very useful. It's especially true with vulnerability information.
That's one of the areas where most IDS/IPS vendors had their competitive advantage
(ISS is a good example here). I'm sure that there will be forces within CP
that will be pushing for that. 

What should be of more concern to the community is that the Nessus
source is being closed. 

It's amazing how Nessus and SourceFire [to a certain degree] (I'm talking 
about the Snort rules here) are complaining
about how unfair it is that somebody just takes their work and does
whatever they want with it... including repackaging and selling it.
Well, this is what GPL is all about! It's about providing source code
along with the product to the customers, so they have freedom
to enhance it and do whatever they want as long as they provide
the source code to their customers as well. GPL is not a good
license when you are trying to go commercial. It's that simple.
You can't just take the good things about it (from your perspective)
where you get a whole bunch of people contributing to your product
by introducing new functionality and debugging old features.

Nessus going closed source is only logical. There's nothing wrong
with it. It's a valid business decision. The "Open Source" marketing
machine took them as far as it could and now it's hurting them more
than it's benefiting them. A very logical move.

In the business world, giving things for free has always been a marketing
tool... to attract attention and new users... to make a name for itself...
to build a brand name. The open source model is just an extreme version
of it. It's not very well executed though by many companies... mostly
because those companies start from a community effort where they end up
providing the source code to the entire public even though they are not
really considered to be customers. Look at MontaVista Linux... to get ideas...

Kyle
