How to get Microsoft-esque security with Open Source software
I was duly impressed with the recent ComputerWorld article about how Microsoft fends off 100,000 attacks per month. That is a lot of attacks! The article doesn't mention what Microsoft has spent on security, but my guess is: more than your company's revenues. So what is a poor company to do? As with wine, it is easy to find a good $30 bottle; the challenge is finding a good $8 bottle (and we're talking magnum). Luckily, thanks to open source software and the many tools built into Linux, even the stingiest of companies can have good security.
It also occurred to me that we have already configured and tested most of these packages with our two-factor authentication system, which is much, much less expensive than smart cards.
I will take each element of the Microsoft security architecture and try to find a less expensive, often free, replacement. In addition to smart cards, Microsoft uses firewalls, IDS/IPS, Network Access Quarantine Control (NAQC), VPN, strong passwords, webmail and IM, and SharePoint for remote users. There are excellent choices in every area except NAQC. If anyone knows of a product or solution I'm missing, please add it in the comments.
Firewall, IPS, VPN, Antispam.
This was easy: iptables, Snort, Nessus, Tripwire, OpenVPN and SpamAssassin, just for starters. There are a lot of strong network protection tools in the Linux world. The Computerworld article really focused on 'letting the good guys in' in a scalable way, not on 'keeping the bad guys out'. I will note that OpenVPN is fast and easy to configure and supports PAM authentication. That will make your choice of two-factor authentication easier.
Email & IM without VPN
To avoid the VPN getting bogged down, Microsoft remote users can log into Exchange and IM without being on the VPN. It's a little unclear from the article whether or not Microsoft uses two-factor authentication for these services, but I assume they do. So much critical information passes over e-mail these days that it would be silly to expose these services outside the VPN without strong authentication if you require strong authentication for the VPN itself. Luckily for our purposes, we can easily deploy SquirrelMail over HTTPS with two-factor authentication using saslauthd, Cyrus and imapproxy (more details here: http://www.wikidsystems.com/howtos/two_factor_webmail/). It is also surprisingly easy to configure a number of IM servers, such as Wildfire, for PAM authentication.
Extranet sites
The section on setting up extranets was particularly interesting:
Microsoft IT has set up several SharePoint sites as secure password-protected extranets. More accurately, what Microsoft IT did was empower employees to set up their own SharePoint sites as intranets or extranets, depending on the target audience and sensitivity of the material, and post their own content.
So perhaps Microsoft is not using two-factor authentication for their extranets? Perhaps it is prohibitively expensive to deploy smart cards to non-employees? I'm guessing that the policy is that content shared with partners has to be password-protected and internal content must be protected by two-factor authentication. It is tough to do an apples-to-apples comparison, but I think it is safe to assume that you could provide similar functionality with a number of open source solutions, such as Plone, Mambo, Drupal, etc. In particular, Plone has proven itself to be very secure and has a robust, built-in access control system that can be managed per folder. You can also easily allow file sharing via secure copy, using WinSCP for example.
Two-factor authentication
Smart cards are definitely only for the well-off. I could be wrong, but I think they have only been implemented by governments, oil companies and near-monopolies. Microsoft claims (https://www.microsoft.com/technet/itshowcase/content/smartcrd.mspx) a cost of $70 per user for each smart card to start, plus a loss rate of 1.5% per user per month at $26 per re-issuance, or (if my math is correct: 71,000 employees * 1.5% * $26) $27,690 per month, or $332,280 per year, after an upfront investment of $4,970,000. I suspect it takes some scale to get to that number. WiKID's commercial two-factor authentication system starts at only $25 per user per year, and of course the open source version is free.
It is interesting that the article does not mention Microsoft using Terminal Services. I think remote desktop is an excellent solution if done securely, so I will add FreeNX to our solution. It is very fast and is tunneled through SSH for security. It supports PAM, so strong authentication is not a problem. It supports remote X as well as VNC and RDP. You could argue that using remote desktop encrypted with SSH is as secure as using a VPN with quarantine capabilities. It certainly is going to be faster for the end user.
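Both OpenVPN (in the firewall/VPN section above) and FreeNX (which rides on sshd) hand their login decision to PAM, so one PAM stack can front a two-factor server for both. The fragments below are an added example, not configuration from this post or from WiKID: they assume the auth-pam plugin that ships with OpenVPN (its install path differs by distribution), the pam_radius_auth module, and a two-factor server that speaks RADIUS at a placeholder address with a placeholder shared secret.

```conf
# --- /etc/openvpn/server.conf (excerpt) ---
# Pass the username/passcode the client sends to the PAM service "openvpn".
# Client certificates are still required; this adds the second factor.
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn

# --- client.ovpn (excerpt) ---
# Prompt the user for username and one-time passcode at connect time.
auth-user-pass

# --- /etc/pam.d/openvpn ---
# Only the two-factor server (over RADIUS) decides; no local password is
# consulted, so a captured static password by itself is of no use.
auth     required   pam_radius_auth.so
account  required   pam_permit.so

# --- /etc/pam.d/sshd (excerpt) ---
# FreeNX sessions arrive through sshd, so the same module guards them.
# Keep the distribution's account/session lines below this one.
auth     required   pam_radius_auth.so

# --- /etc/ssh/sshd_config (excerpt) ---
# Route the password prompt through PAM (keyboard-interactive) so the
# one-time passcode reaches pam_radius_auth; plain passwords are off.
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication no

# --- /etc/pam_radius_auth.conf (path varies; /etc/raddb/server on some systems) ---
# server[:port]   shared_secret              timeout
# Placeholder values: replace with your two-factor server's address and secret.
192.0.2.10        CHANGE-ME-SHARED-SECRET    3
```

With this in place a VPN login and a FreeNX login both fail closed if the two-factor server is unreachable, which is the behaviour you want at a trust boundary; keep a certificate-only or console break-glass path for administrators so an outage of the RADIUS server does not lock everyone out.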
To sum up, here is an open source configuration comparable to the Microsoft infrastructure:
- Defense: iptables, Nessus, Snort, Tripwire
- VPN: OpenVPN
- Email & IM: SquirrelMail over HTTPS with two-factor authentication through PAM. A Jabber server such as Wildfire or jabberd for IM.
- Extranet sites: A CMS such as Plone. File sharing via WinSCP & PuTTY.
- Remote Desktop: As a bonus we throw in remote desktop access secured by two-factor authentication and SSH encryption.
To be fair, most companies don't need the scalability that Microsoft needs and much of what is impressive about what they have done is based on scale. This post does not address that, but I'm convinced that these open source solutions will scale extremely well.
And point taken. I should have a disclaimer on the blog that these are mostly half-baked thoughts meant to provoke. I think though that in-depth analysis would show that the TCO differences would be driven by the existing administrators' skill sets. If you know Linux, it will be cheaper. If you know MS, it will be cheaper.
Also, most of these packages will run on Windows, right? So it's a question of, say Plone vs Sharepoint.
Trying to compare SquirrelMail to Outlook over RPC/HTTPS is just insane. Hell, SquirrelMail vs Outlook Web Access isn't even close to the same thing. If you are on the Windows stack, Microsoft solutions work just as well for small business as they do at scale.
I know both Linux and Windows. We use both in our network. And I can say without quarrel that a deployment, including TCO, of Small Business Server 2003 is MUCH more effective than a custom built Linux box, ESPECIALLY if you use Microsoft technology in the office such as Outlook, Sharepoint, SQL Server and Exchange together.
I remember using this argument when I was in the grass roots movement for Linux years ago. Why fret about all the insecurities and problems with Windows when there were open source counterparts? But the reality is... there ISN'T a heterogeneous solution like what Microsoft offers. Find a REAL replacement for Exchange. And Sharepoint. And Office. And .NET. All tied together. It doesn't exist. Yes, great technology like Mono, Apache and PostgreSQL exists, but in the greater scope of things, in a business trying to leverage its IT resources as an asset and not a burden... it's much easier AND cheaper to deploy a Windows solution with SBS2003 than Linux. And MUCH easier to maintain.
Adding two-factor authentication (2FA) on either solution makes total sense. And you can indeed deploy strong authentication in small business environments for under $100 a user. The trick is finding the right solution for your needs. If you are going to deploy the solution, you have to weigh the 2FA server against its agents. If you want just a web based strong authentication server (SAS), your choice will be different than a solution that works with Windows logon, IIS/Apache agents and PAM modules. Now I know WiKID is in the business of 2FA, but I don't think it's very balanced to recommend open source blindly without telling the whole story. You still need a SEPARATE 2FA server if you want to leverage your Windows network. Instead... why doesn't WiKID build agents for those Windows networks? Example: Why tunnel over SSH when you can simply use the secure comms in RDP with a strong authentication logon agent? It eliminates the need for another port to be opened through the firewall that's not needed. If you use Microsoft's ISA Server you can even proxy filter the Active Directory logon credentials in a way so an adversary won't even GET to the real resources until authenticating via AD at the firewall. Guess what, you can't do that in an open source environment. Even with Samba, you cannot leverage your AD infrastructure for security policy enforcement at the firewall (be it iptables, ipf or what have you).
It's all about using the right tool for the right job. You typically have interesting and relevant content on your blog. However, I gotta call you on your comparison of the Microsoft infrastructure vs open source. It's not a practical comparison in the REAL world of SMB networks, and it really is inaccurate in the definitions of what the technologies offer the business.
You can indeed use ISA with RADIUS to meet perimeter authentication needs. My point about the second SAS is the fact that if you want to use a logon graphical identification and authentication (GINA) module, you would have to purchase a different solution. That same GINA will work across all workstations and terminal servers, and can offer desktop-level logon protection as required. When controlling a trust boundary (in this case an untrusted remote client accessing the trusted desktop via RDP) it makes sense to force 2FA at that choke point... aka the desktop logon. Although you could (and should) control session access at the firewall, infosec best practices dictate that you should also do it there.
You might be right that we need a post about deploying SBS. Since the premium version of SBS COMES with ISA for free... there is a lot the server has to offer. Maybe over the holidays I will have some time to do just that. Can't make any promises though.
Keep up the good work. And Happy Holidays.
Way to call me out! And I'm glad to hear you are a regular reader. As you probably have inferred from previous posts, I definitely prefer to toss out a half-baked idea for discussion rather than wait for the souffle to rise. Primarily, because I am one slow thinker.
In this case, while I didn't use the words TCO, I used the phrase "what is a poor company to do?". Perhaps I should have said, "what should a company using linux do?".
Not sure I follow this: "You still need a SEPARATE 2FA server if you want to leverage your Windows network. Instead... why doesn't WiKID build agents for those Windows networks?" Why not use ISA and RADIUS? Yes, you have a separate server, but it certainly doesn't need to be a big one. Perhaps we need a post on how to set up an MS-esque security infrastructure using SBS as a basis?
Nick
(cross-posted to Dana's blog here: http://silverstr.ufies.org/blog/archives/000987.html)
In other words, it's not a real world comparison.
Oh, I should have read your last paragraph... I was too eager to comment :-)
Still, I think my point is valid in that it invalidates (ahem) the argument, other than for 5-10 people shops.