Originally published in Security Pipeline, reprinted courtesy of CMP Technology.
Security Freeware: More or Less than you paid for?
Visit the security tools section at SecurityFocus, SourceForge, SecurityWizardry, or any of two million Google results returned for a search of "security freeware" and you'll find everything from scanners, LAN analyzers, network mapping and network forensic tools to firewalls, vulnerability assessment software, IDS, and log analysis tools. The price is right and everyone needs more security. What's the catch?
I download, install, evaluate, and critique security freeware fairly often. I recommend and use a number of these routinely, and I'm amazed at how complete, well maintained and stable some of the applications are. The phrase security freeware, however, is too often abused and, like the entire freeware space, is in danger of becoming an oxymoron. Security software should be secure software. Folks who write it should be familiar with and practice secure coding. They should be accessible and accountable for the product they provide: in security-speak, they should be readily identifiable, non-repudiable origins. Folks who make security software available should have competent, security-savvy staff to support and maintain it. And the term "free" should be used without encumbrance. Trial-ware is not the same as free-ware. Adware should never be advertised as security freeware. Spyware advertised as security software is evil incarnate.
If these controls were scrupulously applied, Google searches would return considerably fewer than two million results. Such controls are absent, so if you are considering security freeware, remember the five Ws.
Who wrote the software? Can you identify and trust the developer? Has the software undergone sufficient testing to determine it is both functional and stable? Is the work original (or has the author ignored copyrights and incorporated open source into his work)? Can you trust the download site? Does the download site have the right to (re)distribute the freeware? Open source or freeware may have been copied onto other sites without permission or license to distribute.
Open source and community projects do a commendable job here. The names and contact information for SourceForge project administrators and developers are publicly available. The same is true for the many contributors to Ethereal, a brilliant LAN analyzer, and the enormously popular Nmap and Nessus scanners, and the Snort intrusion detection system. A signature file often accompanies source and executables, to confirm that the version is authentic. With commercial security software, we typically consider the company's reputation and public record with regard to vulnerabilities reported, accountability, willingness and timeliness to provide hot fixes and patches. With freeware, you should consider the reputation and pedigree of the authors, the commitment of the authors and community to test, maintain and improve freeware. The organizations I mentioned above all score well here.
What does the software do? Do some homework. Identify the security function or service you need. Hunt down candidates and compare. Is the software what it claims to be? What else does the software really do? Does the software do all that it claims to do? Is it really freeware? Is it "free" of advertising and tracking technology? Is it fully functional or trial ware disguised as freeware for the sake of increasing popularity on search engines? A final and important consideration for commercial organizations is whether the software is free for non-commercial use only.
When should you use security freeware? There's more to consider than cost when investigating freeware. Freeware often performs functions that are not available from commercial products. Many commercial security products began as research projects, open source and freeware, including popular intrusion detection systems (ISS, Cisco, SourceFire), firewalls (Gauntlet), patch management (Shavlik), and more. Other security freeware fills gaps that commercial products aren't addressing. Freeware web and firewall log analysis tools, for example, are often log record format agnostic and help administrators parse and analyze log records collected from security systems in multi-vendor shops. Freeware forensic toolkits - CD-bootable operating systems with a veritable arsenal of analysis and recovery utilities - are good examples of solutions that have few commercial counterparts. Even if commercial forensic toolkits were available, the license enabling you to distribute them across your entire operation motivates even large organizations to investigate freeware.
Why are you choosing freeware over commercial ware? Often, freeware is adopted by organizations that believe they can invest time rather than money. IT staff time costs, but in too many companies, it's perceived as money already spent, and not easily measured, whereas commercial software is a budget line item. Before your organization scratches that $5000 commercial software package off the budget, be certain you won't be sacrificing more operations and development time than you can afford.
Generally, organizations should weigh operational complexity, ability to scale, and completeness of product against cost of purchase when choosing freeware over commercial ware. Freeware generally comes with no warranty, no service, and no guarantee of continued availability, updates, patches, and enhancements. Free antivirus software may be fine for home users and even small businesses, but imagine the issues an organization might encounter if it were to deploy antivirus freeware on a large scale, only to find that no new antivirus definitions are forthcoming. While exceptions exist, freeware systems do not scale to large populations, large networks, etc. They may use flat files instead of database software. They don't typically include administration hierarchies (levels of accessibility based on authentication). Logging and reporting functions are generally less robust than commercial security products (unless this is the purpose of the security freeware, of course). Especially for "core business" security applications - firewalls, antivirus, authentication servers, and VPN - there's a lot to distinguish even really well conceived freeware from conceived-for-enterprise security software.
Where do you intend to use security freeware? One of the most practical ways to apply security freeware is to perform auditing and forensics. A wealth of freeware is available for these purposes. Many of these evolved from attacker tools. Some are absolutely dreadful hacks, while others have been scrubbed, polished and hammered into highly useful tools. Look again to legitimate sources, including security companies like @stake, Foundstone and others, who offer free versions of software they have developed and acquired over time in the course of building their portfolio of managed and consulting security services. Some security freeware - file system integrity checkers, IDS/IPS, log and network analysis - can also serve growing organizations. In general, the security freeware I've found most useful is "for individual use": auditing tools, manual or easily scripted analysis tools, and monitoring tools where "eyeballing" can be factored into an operational practice.
When you download calendar, screensaver, calculator, or HTML editing freeware, you're wise to set your expectations low, and be pleasantly surprised if they are exceeded. With security freeware, you must set your expectations high. Be careful how and what you compromise when choosing security freeware. You'll get more than you paid for, and hopefully will avoid getting more than you bargained for.