An eye opener on open source Internet security
"Although the IST programme-funded project ended in December 2002, the results of the evaluations still apply today", according to technical coordinator Ross Velentzas at Motorola. SECRETS looked at the open source toolkit for implementing the Secure Sockets Layer (SSL) provided by OpenSSL, and at the Free Secure Wide Area Network (FreeS/WAN) provided by IPSec over the Linux operating system. The results of both evaluations were mixed, highlighting the complications facing businesses and governments as they seek more cost-effective and efficient ways to ensure Internet security by turning to open source software instead of commercial systems. The pros and cons of open source security,"There are advantages and disadvantages with open source", notes project coordinator Antonis Ramfos at Intrasoft International. "Nonetheless, the SECRETS evaluations have served to convince us of its possibilities for providing Internet security." According to Ramfos, one of the key problems with open source software in general is that the organisations that develop the protocols often do not support them sufficiently afterwards. In addition there are compatibility issues due to a lack of standardisation. These were among the major problems SECRETS discovered with FreeS/WAN, which the project described as having insufficient support from its organisation and which had compatibility problems with other open source software. It also noted that the documentation provided by the organisation was incomplete and unorganised. IPSec ceased developing FreeS/WAN in March this year, although it expects the protocol to remain in use for some time and to continue to be adapted by users, much as the SECRETS project did for its trials. "We took the two protocols and customised them for four different scenarios, which we could then compare to commercial software", Velentzas explains. Protocols on trial,The trials tested the functionality of the protocols in four areas: secure e-commerce in the form of an e-tender application using OpenSSL; secure mobile communications over GPRS employing FreeS/WAN; network monitoring using OpenSSL; and a secure intelligent network infrastructure also using OpenSSL. Although the trials highlighted problems with the protocols that, as Velentzas says, would require a big breakthrough to solve, the project nonetheless concluded that their implementation is worth considering by commercial organisations and governments for integration into the software products they develop or use. The functionality offered, with respect to the underlying standards, is at an acceptable level to be used by commercial applications, the project states in its evaluation report. Notably, OpenSSL was pinpointed as a well-supported protocol that also has complete documentation from its organisation, making its employment by others considerably easier. It is clear that the commercial sector, and governments, should invest in using OpenSSL for implementing SSL functionality in the products that need it, the project states. Open source in action,The e-tender application using OpenSSL that was employed in the trials has been kept on the product portfolio of coordinating partner Intrasoft, Ramfos notes, while Motorola is continuing to support open source software in its applications as is Alcatel, another SECRETS partner. The other project participant was Solinet. All the partners are continuing to work with open source protocols for Internet security, which both Ramfos and Valentzas agree will be used more extensively in the future by the private and public sectors. Open source is picking up as a software system for secure applications, Ramfos explains. This is most noticeable in government because without open source software you do not know whats in your system. He notes that being able to look at the source code of programs, as open source allows users to do, is crucial to ensuring security. With commercial software that code is locked and kept secret. During the Cold War, for example, the Soviet Union bought a lot of commercial software from the United States. US intelligence, however, had put spies in the software so they could track what the Soviets were doing and Moscow knew nothing about it, the coordinator says. The same problem exists today for governments and corporations around the world, and that is why the use of open source is starting to become more widespread. In addition to the key security question more important now than ever with the use of the Internet open source also presents financial and operational benefits. Firstly, it is free to acquire and customise, and, secondly, it does not tie users down to a single provider. Governments especially do not want to be bound to a single company, Ramfos stresses. Contact:,Project coordinator ,Antonis Ramfos ,INTRASOFT International SA,,R&D Section Manager.,Tel: +30-210-6876482,Fax: +30-210-6876478,E-mail: antonis.ramfos@intrasoft-intl.com Technical coordinator ,Ross Velentzas,Applied Technology & Knowledge Engineering Group,Motorola - Global Telecommunications Solutions Sector,Thamesdown Drive ,Groundwell ,Swindon SN25 4XY ,United Kingdom ,Tel: +44-1793-565364,E-mail: s.velentzas@motorola.com Source: Based on information from SECRETSPublished by the IST Results service which gives you online news and analysis on the emerging results from Information Society Technologies research. The service reports on prototype products and services ready for commercialisation as well as work in progress and interim results with significant potential for exploitation,
Countries
Greece, United Kingdom