Dailydave mailing list archives
RE: Sourcefire Acquired by Check Point Software
From: "Kyle Quest" <Kyle.Quest () networkengines com>
Date: Fri, 7 Oct 2005 22:13:32 -0400
This is really good news for Checkpoint competitors [ because Checkpoint now will never be more than just "kinda pretty good" ]
...
Could we please stop the bullshit fear mongering and competitors mud-slinging? If anything, competitors should be afraid of the marriage of great technology (Snort) with an established, solid, and ubiquitous company. Snort will breeze some fresh wind into CP and raise the geek factor within CP back to a pre-1996 level.
As somebody who knows about architecting inline network security systems (that don't suffer from the traditional limitations), I based the previous statement on my experience and on solid understanding of technical requirements to make a system that's not just good enough, but something that can escape the inevitability of false positives and inability to handle various evasion techniques (Dave A. has some great evasion examples with Snort :-] ) that traditional IDSes like Snort drag along with them. Now let's imagine for a second that Checkpoint tries to build a system using the technology they use now and Snort. How would it work? Would they put together parts of Snort (and other stuff SourceFire has) with Application Intelligence CP has? Would the Snort engine exist after a transformation like that? Either way, I personally don't care if the Snort engine is open source or closed. According to the press releases that SourceFire and CheckPoint have (especially CheckPoint), they plan to put the existing CheckPoint technology alongside the SourceFire/Snort technology and expect to get greater results than either of those technologies can produce separately (oversimplified math: 1+1=3). Unfortunately, it doesn't work that way. If you run protocol anomaly checks and then signature checks, you won't get a better result... you won't get fewer false positives, etc. To get those expected results, those technologies must be melted together and not simply put next to each other.
And the bullshit about Snort being closed is just that... bullshit.
I never made that statement and my gut feeling is that the Snort engine will be open source for a long time... maybe even forever. There's a possibility that the Snort engine could be made more modular, so that preprocessors could be plugged in as binary modules. That way, a lot of "special" functionality developed by CheckPoint now can be kept closed. There's also a good chance that new things are going to happen to the rules. I don't know what it would be and I don't want to guess actually. But it seems logical to expect something. An empty engine without anything to power it is not very useful. It's especially true with vulnerability information. That's one of the areas where most IDS/IPS vendors had their competitive advantage (ISS is a good example here). I'm sure that there will be forces within CP that will be pushing for that.
What should be of more concern to the community is that the Nessus source is being closed.
It's amazing how Nessus and SourceFire [to a certain degree] (I'm talking about the Snort rules here) are complaining about how unfair it is that somebody just takes their work and does whatever they want with it... including repackaging and selling it. Well, this is what GPL is all about! It's about providing source code along with the product to the customers, so they have freedom to enhance it and do whatever they want as long as they provide the source code to their customers as well. GPL is not a good license when you are trying to go commercial. It's that simple. You can't just take the good things about it (from your perspective) where you get a whole bunch of people contributing to your product by introducing new functionality and debugging old features. Nessus going closed source is only logical. There's nothing wrong with it. It's a valid business decision. The "Open Source" marketing machine took them as far as it could and now it's hurting them more than it's benefiting them. A very logical move. In the business world, giving things for free has always been a marketing tool... to attract attention and new users... to make a name for itself... to build a brand name. The open source model is just an extreme version of it. It's not very well executed though by many companies... mostly because those companies start from a community effort where they end up providing the source code to the entire public even though they are not really considered to be customers. Look at MontaVista Linux... to get ideas...
Kyle