Watch Out For Security Freeware Gotchas

Bad security freeware can cause expensive problems. Before you install security freeware, ask yourself who, what, when, why and where.

information Staff, Contributor

October 20, 2004


Do a search on Google for "security freeware," and you'll get two million results. Security freeware is pretty popular. The price is right and everyone needs more security. What's the catch?

I download, install, evaluate, and critique security freeware fairly often. I recommend and use free tools routinely, and I'm amazed at how complete, well maintained and stable some of them are.

But just because software is free doesn't exempt it from the requirements of paid software. Folks who write security tools should practice secure coding. Authors of security freeware should be accessible and accountable for the product they provide; in security-speak, the software should have readily identifiable, non-repudiable origins. Folks who make security software available should have competent, security-savvy staff to support and maintain it.

And the term "free" should be used without encumbrance. Trialware is not the same as freeware, and adware should never be advertised as security freeware. Spyware advertised as security software is evil incarnate.

If these controls were scrupulously applied, Google searches would return considerably fewer than two million results. But those controls aren't always applied, so if you are considering security freeware, remember the five Ws.

Who wrote the software? Can you identify and trust the developer? Has the software undergone sufficient testing to determine it is both functional and stable? Is the work original, or has the author ignored copyrights and incorporated other people's code into his work? Can you trust the download site? Does the download site have the right to distribute the freeware?

Open source code is particularly problematic. Open source is great—if the person distributing the code does, in fact, have the intellectual property rights to distribute it. Code that's labelled as "open source" might contain proprietary code that the distributor does not have the rights to. Using that code can create trouble down the road for organizations.

To protect themselves, users should only download open source code from the major open source distribution sites, such as SourceForge. The names and contact information for SourceForge project administrators and developers are publicly available. The same is true for the many contributors to a brilliant LAN analyzer, Ethereal; the enormously popular Nmap and Nessus scanners; and the Snort intrusion detection system. A signature file often accompanies source and executables, to confirm that the version is authentic.
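The authenticity check mentioned above, as an added example that is not part of the original article: a small verifier for the common sha256sum-style manifest ("<hexdigest>  <filename>") that ships beside a download, with constructed sample files and one deliberately corrupted entry. A checksum manifest only proves the file you fetched matches the manifest; the manifest itself still needs a trusted origin, which is what a detached PGP/GPG signature from the project provides.

```python
import hashlib
import hmac

# Constructed sample files standing in for a downloaded tarball and binary.
SAMPLE_FILES = {
    "scanner-1.0.tar.gz": b"pretend this is the source tarball\n",
    "scanner-1.0-win32.exe": b"pretend this is the binary\n",
}
# Constructed manifest in sha256sum layout: one good entry, one wrong digest,
# and one entry for a file that was never downloaded.
SAMPLE_MANIFEST = (
    hashlib.sha256(SAMPLE_FILES["scanner-1.0.tar.gz"]).hexdigest()
    + "  scanner-1.0.tar.gz\n"
    + "0" * 64 + "  scanner-1.0-win32.exe\n"
    + hashlib.sha256(b"x").hexdigest() + "  README.txt\n"
)

def parse_manifest(text):
    """Return {filename: expected_hex} from a sha256sum-style manifest."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        # sha256sum writes "  name" (text mode) or " *name" (binary mode)
        name = name.lstrip(" *")
        if len(digest) != 64 or not all(c in "0123456789abcdef" for c in digest.lower()):
            raise ValueError("malformed manifest line: %r" % line)
        expected[name] = digest.lower()
    return expected

def verify_downloads(manifest_text, files):
    """Check every listed file; returns {filename: 'ok' | 'MISMATCH' | 'MISSING'}."""
    results = {}
    for name, expected_hex in parse_manifest(manifest_text).items():
        data = files.get(name)
        if data is None:
            results[name] = "MISSING"
            continue
        actual_hex = hashlib.sha256(data).hexdigest()
        # compare_digest avoids leaking the position of the first differing byte
        ok = hmac.compare_digest(actual_hex, expected_hex)
        results[name] = "ok" if ok else "MISMATCH"
    return results

if __name__ == "__main__":
    for name, status in verify_downloads(SAMPLE_MANIFEST, SAMPLE_FILES).items():
        print("%-24s %s" % (name, status))
```

Treat any MISMATCH as a reason to discard the download rather than a curiosity; a MISSING entry is harmless only if you did not intend to install that component.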

With commercial security software, we typically consider the company's reputation and public record with regard to vulnerabilities reported, accountability, willingness and timeliness to provide hot fixes and patches. With freeware, we should consider the reputation and pedigree of the authors, the commitment of the authors and community to test, maintain and improve freeware. The organizations I mentioned above all score well here.

What does the software do? Do some homework. Identify the security function or service you need. Hunt down candidates and compare. Is the software what it claims to be? What else does the software really do? Does the software do all that it claims to do?

Another "W": What does the software cost—really? Is it really freeware? Is it free of advertising and tracking technology? Is it fully functional, or is it trialware disguised as freeware for the sake of increasing popularity on search engines?

Some freeware is only free for non-commercial use; that's obviously going to be a problem for for-profit business users.

When should you use security freeware? There's more to consider than cost when investigating freeware. Freeware often performs functions that are not available from commercial products. Many commercial security products began as open source, freeware and research projects. These include popular intrusion detection systems (ISS, Cisco, SourceFire), firewalls (Gauntlet), patch management technology (Shavlik), and more.

Other security freeware fills gaps that commercial products aren't addressing. Freeware web and firewall log analysis tools, for example, are often agnostic as to log record formats. They can help administrators parse and analyze log records collected from security systems in multi-vendor shops. Freeware forensic toolkits—CD-bootable operating systems with a veritable arsenal of analysis and recovery utilities—are good examples of solutions that have few commercial counterparts. The licensing on these forensic toolkits, which enable users to distribute them across the entire operation, motivates even large organizations to investigate freeware.

Why are you choosing freeware over commercial ware? Often, freeware is adopted by organizations that believe they can invest time rather than money. IT staff time is expensive, but in too many companies, it's perceived as money already spent, and not easily measured. Before your organization scratches that $5,000 commercial software package off the budget, be certain you won't be sacrificing more operations and development time than you can afford.

Generally, organizations should weigh operational complexity, ability to scale, and completeness of product against cost of purchase when choosing freeware over commercial ware. Freeware generally comes with no warranty, service, and no guarantee of continued availability, updates, patches, and enhancements. Free antivirus software may be fine for home users and even small business, but imagine the issues a large organization might encounter if it were to deploy antivirus freeware on a large scale, only to find that no new antivirus definitions are forthcoming.

Freeware systems often do not scale to large populations, large networks, etc. They may use flat files instead of database software. They don't typically include administration hierarchies (levels of accessibility based on authentication). Logging and reporting functions are generally less robust than commercial security products (unless, of course, the freeware is specifically designed for logging and reporting).

Where do you intend to use security freeware? One of the most practical ways to apply security freeware is to perform auditing and forensics. A wealth of freeware is available for these purposes. Many of these evolved from attacker tools. Some are absolutely dreadful hacks, while others have been scrubbed, polished and hammered into highly useful tools.

Look to legitimate sources, including security companies like @stake, Foundstone and others, who offer free versions of software they have developed and acquired over time in the course of building their portfolio of managed and consulting security services. Some security freeware—file system integrity checkers, IDS/IPS, log and network analysis—can also serve growing organizations. In general, the security freeware I've found most useful is for individual use: vulnerability scanners, web auditing tools, LAN analyzers (sniffers) and monitoring tools. The best of breed among these tools can be configured to run in batch mode or as a scheduled process and can thus run as complementary security services to commercial security software.

When you download calendar, screensaver, calculator, or HTML editing freeware, you're wise to set your expectations low, and be pleasantly surprised if they are exceeded. With security freeware, you must set your expectations high. Be careful how and what you compromise when choosing security freeware. You'll get more than you paid for, and hopefully will avoid getting more than you bargained for.

Dave Piscitello is founder of Core Competence, and advises and consults on security and broadband access for service providers and big business. He is an advisory board member of Foundstone, Watchguard Technologies and CoRadiant, and has authored books and numerous articles on internetworking and security. Contact Dave at [email protected].
