Information Security News mailing list archives

Linux snares security tool


From: InfoSec News <isn () c4i org>
Date: Wed, 7 Nov 2001 03:35:07 -0600 (CST)

http://www.zdnet.com/zdnn/stories/news/0,4586,2822782,00.html

By Nicole Bellamy
ZDNet Australia 
November 6, 2001 5:46 PM PT
 
InterSect Alliance says it has developed the first integrated security
auditing and event logging subsystem for the open source Linux
operating system, beating much larger organizations to the punch.
 
Its new tool, Snare (System iNtrusion Analysis and Reporting
Environment) has been developed with a goal of reducing the cost of
entry into system auditing and host-based intrusion detection for
system managers, simplifying the process of configuration, reducing
resource requirements and providing meaningful reporting to end-users.

According to Leigh Purdie, director and principal security consultant,
this is the first release of code for a host-based intrusion detection
system, although there have been inroads made into the development of
source code to address network-based intrusion detection.

The two systems differ in that while a network-based intrusion
detection tool enables the user to determine when an intrusion is
being attempted, the host-based system allows the user to identify
when an intrusion has been successful.

Purdie believes that the lack of the Snare code has hindered the
adoption of Linux into widespread use by organizations in Australia.
By releasing Snare as open-source software, he hopes this will "set
Linux on the path towards acceptance by organizations."

The Snare auditing subsystem is designed to "enhance an organization's
ability to detect suspicious activity by monitoring system and user
actions", as stated in its release report.

Given the current debate surrounding staff-monitoring, Purdie was
quick to point out that InterSect Alliance is not responsible, nor
accountable for, any privacy infringements occurring as a result of
organizations using this system. However, the company does intend to
provide privacy recommendations to organizations as a part of its
training on the product.

"Privacy is critical in a lot of institutions. When we provide
solutions we recommend one of the things they (organizations)
implement is staff contact; to let staff know what is happening, why
it's happening, what data is being used for," said Purdie.

Snare fills Linux security void

The lack of integrated security features--perceived or actual--has
long been a barrier to widespread Linux adoption.

According to an InterSect Alliance report, "the lack of host-based
intrusion detection in the form of an auditing system, has been cited
in the past by organizations as a significant contributor to the
decision to choose alternative operating systems over Linux in
operational roles."

InterSect Alliance decided to pursue the Snare project as a means of
addressing this shortcoming and therefore boost Linux's appeal.

While working on similar tools for other operating systems, such as
Sun's Solaris and Microsoft's Windows NT--all of which contained an
audit collection subsystem--the company realized the lack of this
feature in Linux, and "thought something was missing," according to
Purdie.

What followed was eight months of effort and "not having a life", said
George Cora, director and principal security consultant.

While eight months seems minimal in software development terms, Purdie
maintains that Snare is actually the culmination of ten years' work
into the host-based intrusion detection system, added to a combined
total of more than twenty years' experience in security for the
directors.

The short time to market can also be attributed to three other
factors, according to Cora: "We have the programming skills, we have a
small company that is not bureaucratic, and we put aside the
established OSes (operating systems) and started from scratch."

He also maintains that the presence of the open-source community
allowed them a shorter development time.

InterSect Alliance does not have the infrastructure in place to
distribute Snare commercially, but by using the open-source community,
it was able to release the software quickly, to a widespread audience.

Cora believes that releasing Snare as open source should also lead to
a faster uptake of the product itself.

"If we had tried to commercialize this [rather than releasing as
open-source software], people would be less eager to use it due to the
cost of entry associated with it," Cora said.

This lowered cost of entry is the ingredient that will ensure much of
the product's success. Already InterSect Alliance has received
pre-release queries from local--and global--organizations.
 


-
ISN is currently hosted by Attrition.org
