June 2008

Q. I can understand how small businesses and startups can benefit from the no-licensing costs associated with open source software (OSS). Can you provide an example of a business reason for using OSS other than the licensing cost of the software?

A. Here is an example from the time when worm outbreaks were just starting to hit organizations hard. Some organizations were already receiving feedback in the form of networks failing under the traffic generated by computer worms, and failing is the worst form of feedback.

At Bell Canada, our large internal network was running well. Being a carrier, the internal network was very well connected. Having many experts within the company to design and build the network, it was configured to withstand very heavy usage and to handle some types of failure modes gracefully. Considering the many worms of the time, the network did very well at isolating the mischievous traffic to the periphery of the network.

Bell has systems to monitor many different aspects of the network and its attached computers. With such a robust network and high degree of network isolation, however, there was not enough information to track worm propagation in detail, at least not in the detail expected by the executives, who wished to identify and track the extent of worm propagation and the effectiveness of incident management using metrics and reporting that business people could understand.

There were vendors with monitoring solutions that could provide the metrics, but they would be expensive. In a large organization like Bell Canada, the expense itself was not an issue, and the procurement process started almost immediately. In a large organization, however, the procurement process does not get completed overnight. The investment needed for the additional monitoring was going to be significant, as this large network has tens of thousands of nodes and hundreds of physical locations. Accordingly, procedures had to be followed, including technology studies for specifications, assessments, a proper bidding process, and architecture, design and operational reviews.

Enter open source software (OSS), an old computer, a motivated systems administrator, and some teamwork. A plan was developed to build a darknet. The Bell incident response process had already been initiated because the industry recognized this particular worm outbreak, even though Bell had no indications of problems internally. A subcommittee was established, network configuration changes were made, operational processes were outlined, and a single server was configured with some OSS.

Within a day, statistically significant reporting was available on a near-real-time basis, meeting the immediate incident management metric and reporting needs. The executives and incident management groups were confident that the magnitude of the impact was now understood and that the effectiveness of the remediation efforts could be tracked.

The darknet was successful at the general reporting required, and it actually became the primary source of the detailed information the remediation team needed to identify and correct the individual network nodes. Further, the darknet's detailed reporting produced the information needed to identify that, in some instances, the vendor-provided patch was unsuccessful in removing the vulnerabilities. In some situations Bell has significant influence, so when Bell discovers a failed patch, it can expedite a proper solution for a much larger community.

The OSS had the functionality necessary to meet 90% of the immediate goals "out of the box". The open logging formats and well-documented utilities allowed quick adaptation to the business need. Its secure-by-default, transparent and understandable configuration, together with its ecological diversity from the devices being monitored, gave confidence that the monitoring system would not itself be affected by the malware traffic it was observing.

For the technical reader, the tracking server was set up using OpenBSD for collecting network information, the native tcpdump and Perl for extracting and reporting on logs, native syslog's ability to launch programs, and nbtstat to collect near-real-time information about hostnames and user IDs. O'Reilly's Perl Cookbook facilitated the creation of much of the glue. These tools, plus coordination with the network operations group, were all that was needed to set up the darknet: a black hole where packets go in but nothing leaves except information.
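As an added illustration of the tcpdump-plus-script pattern described above (this is not the Bell setup, which used Perl; it is a Python rendering over a constructed sample of tcpdump output, with a fictional 10.99.0.0/24 block standing in for the darknet), the following extracts the per-source fan-out and per-port hit counts that drive the propagation metrics and flags any sender that has probed at least three darknet addresses:

```python
import re
from collections import defaultdict

# Constructed sample of tcpdump output as a darknet sensor would log it.
# Addresses are fictional; 10.99.0.0/24 plays the unallocated (darknet) block.
SAMPLE_LOG = """\
12:01:03.100000 IP 10.1.2.3.4521 > 10.99.0.7.445: Flags [S], seq 1, win 65535, length 0
12:01:03.100500 IP 10.1.2.3.4522 > 10.99.0.8.445: Flags [S], seq 1, win 65535, length 0
12:01:03.101000 IP 10.1.2.3.4523 > 10.99.0.9.445: Flags [S], seq 1, win 65535, length 0
12:01:04.200000 IP 10.7.7.7.1034 > 10.99.0.12.1434: UDP, length 376
12:01:04.200400 IP 10.7.7.7.1034 > 10.99.0.13.1434: UDP, length 376
12:01:05.300000 IP 10.3.3.3.51000 > 10.99.0.7.135: Flags [S], seq 9, win 8192, length 0
12:01:06.000000 IP 10.1.2.3.4524 > 10.99.0.10.445: Flags [S], seq 1, win 65535, length 0
garbage line that does not parse
"""

# One tcpdump IPv4 summary line: timestamp, "IP", src.port > dst.port: rest
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\.\d+ IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)

def parse_line(line):
    """Return (src, dst, dport, proto) for one tcpdump line, or None if it is not an IP summary."""
    m = LINE_RE.match(line)
    if not m:
        return None
    proto = "udp" if m.group("rest").startswith("UDP") else "tcp"
    return m.group("src"), m.group("dst"), int(m.group("dport")), proto

def summarize(text, fanout_threshold=3):
    """Darknet metrics: distinct darknet targets per source, hits per (proto, port),
    and the sources whose fan-out reaches the threshold (the propagation indicator).
    Nothing legitimate should ever reach the darknet, so every sender is suspect;
    fan-out ranks them so the remediation team can work the worst hosts first."""
    targets = defaultdict(set)
    port_hits = defaultdict(int)
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # tcpdump banner, truncated line, non-IP frame, etc.
        src, dst, dport, proto = parsed
        targets[src].add(dst)
        port_hits[(proto, dport)] += 1
    fanout = {src: len(dsts) for src, dsts in targets.items()}
    suspects = sorted(s for s, n in fanout.items() if n >= fanout_threshold)
    return {"fanout": fanout, "port_hits": dict(port_hits), "suspects": suspects}

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for src in report["suspects"]:
        print(f"{src} probed {report['fanout'][src]} darknet addresses")
```

In the original setup the same counts, keyed by hostname and user ID from nbtstat, were what the executive reports and the remediation worklist were built from.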
