Bossie Awards 2012: The best open source networking and security software

Few will be surprised at the wealth of open source networking and security tools available. But you might be surprised at the range -- and at some of the new projects that are taking their place among the old favorites. While scores of established projects are still going strong, new networking and security challenges are spawning new projects with new approaches.

Open source firmware has become a staple of late-model routers, and DD-WRT is one of the most significant due to its inclusion at the factory in various commercial routers. Built for the Broadcom and Atheros chip sets, DD-WRT includes most of the functionality you'd expect from a router: wireless encryption, QoS, IPv6, port forwarding, UPNP, and so on. But it also bakes in functionalities like OpenVPN support, a hotspot portal, and AnchorFree anonymization that are normally available as cost-plus add-ons in other products.
-- Serdar Yegulalp

An extension for Mozilla Firefox and Google Chrome from the Electronic Frontier Foundation, HTTPS Everywhere creates a secure, encrypted tunnel between the Web browser and websites that support HTTPS but don't reliably establish HTTPS sessions. HTTPS Everywhere rewrites the URL requests (switching from HTTP to HTTPS) for about 3,500 of these sites, reducing the risk to drive-by wireless, man-in-the-middle, and other types of hijacking attacks. Why not promote good VPN whenever possible? Install this on your users' laptops, and boost your organization's security posture by proxy (pun intended).
-- Victor R. Garza

Full-disk encryption is a plug-and-play endeavor with TrueCrypt, which lets you scramble the contents of whole drives and entire operating systems, although the latter is for Windows only right now. Files can be made into containers for encrypted file systems, and it's even possible to nest encrypted volumes for greater security. Various encryption and hash algorithms are supported, as are security tokens and smart cards, along with hardware-accelerated AES encryption on systems where it's available. If you encrypt a whole system, TrueCrypt will generate a rescue disk for you -- be sure to keep that safe as well.
-- Serdar Yegulalp

An alternative to TrueCrypt, FreeOTFE provides many of the same features: encryption for whole drives or files that serve as virtual volume containers, security token and smart card support, and even obfuscated (nested) volumes. FreeOTFE has a broader range of encryption and hash options than TrueCrypt, and it can run in a portable mode that's more genuinely portable than TrueCrypt's portable version (although it requires disabling driver-signing in 64-bit Windows to be useful). FreeOTFE doesn't share TrueCrypt's ability to encrypt system volumes, though.
-- Serdar Yegulalp

Eraser is one of the best-known and most widely used tools for data erasure within Windows. Point it at a file or directory, and it will completely remove all traces of same -- not just the contents of the files themselves, but their directory entries and metadata. For files stored in NTFS, alternate data streams are also scrubbed. Free space on a given volume can be erased separately of the files on it; likewise, you can scrub the contents of the Recycle Bin without touching other files. Erasure actions can also be set up to run automatically via a scheduler. For total system wipedowns, use Darik's Boot and Nuke, which is included with recent versions of Eraser.
-- Serdar Yegulalp

Darik's Boot and Nuke, aka DBAN, is a self-contained solution for system wide data destruction -- a good thing when you want to ensure that a computer being retired from service doesn't have any sensitive data lingering on its disks. When booted, DBAN attempts to find all mountable drives in the system, then lets you wipe one or more via one of a number of wipe algorithms. The erasure methods range from a simple one-pass zeroing-out to the industrial-strength, 35-pass Gutmann wipe, with a few less stringent methods in between. DBAN can even erase multiple drives concurrently for those times when you have an eight-disk RAID array that needs scrubbing down.
-- Serdar Yegulalp

This Linux-based router and firewall system is designed to replace existing proprietary network devices -- such as Cisco's routers, for which the creators have even supplied detailed migration instructions -- with industry-standard x86/x64 hardware. The open source, noncommercial version of Vyatta is a minimal command-line edition; the commercial version adds a handy Web-based management GUI and dashboard. Those confident in their network skills can always stick with the open source version, which has a top-notch reputation as a building block for one's internal or external networks.
-- Serdar Yegulalp

An open source distributed virtual switch that stands shoulder to shoulder with those in vSphere 5 and Hyper-V 2012, Open vSwitch is used in Citrix XenServer and the Xen Cloud Platform, and it supports Xen, KVM, and VirtualBox. With advanced flow monitoring, vprobes, spans, QoS, and the ability to deploy as a virtual or physical appliance, Open vSwitch's features list is more impressive than some hardware switches! You'll find NetFlow, sFlow, 802.1ag, LACP, SPAN and RSPAN, QoS, several tunnel protocols, 802.1q VLAN tagging, OpenFlow support, and traffic control on a per-virtual-interface basis.
-- Brian Chee and High Mobley

In addition to being a full-featured Asterisk PBX server, Elastix provides basic UC capabilities, such as support for LDAP, follow-me, an integrated calendar, Web conferencing, a click-to-dial phone book, integration with CRM services (SugarCRM and vTiger), and the Openfire IM server, which supports groups and common protocols like Jabber, MSN, Yahoo Messenger, GTalk, and ICQ. Elastix started life as a call reporting interface for Asterisk, so it's no surprise that it provides call detail reporting, billing and consumption data, channel usage, and IM server usage. The Elastix project has also added support for A2Billing, making it suitable for use in a VoIP provider network or in enterprises where IT must show each department's use of IT resources.
-- High Mobley

The ASSP (Anti-Spam SMTP Proxy Server) is what Barracuda antispam firewalls want to be when they grow up. ASSP includes implementations of such popular spam prevention methods as whitelisting, graylisting, SPF, DNS blacklists, and integration with ClamAV and FileScan. ASSP also adds weighted regular expression filtering, damping, word stemming in the Bayesian filtering analysis, and support for SenderBase, transparent proxying, and plug-ins to tap OCR of attachments for filtering. The integration of all these features into one SMTP proxy server makes the job of the mail server admin much easier than trying to glue a bunch of individual tools together on top of a standard SMTP server.
-- High Mobley

An open source video camera monitoring system, iSpy is designed to work with smaller installations -- it's suitable for use in homes and remote offices. iSpy can perform motion detection to trigger alerts and save recordings for evidence. Conversely, iSpy can also detect a lack of motion. You could have it watch an automated piece of equipment in a factory or an electricity-generating windmill, and alert you whenever the machine stops working. Because iSpy also monitors audio, you can configure it to alert based on noise detection in addition to motion detection. One of the newest plug-ins for iSpy performs license plate recognition, alerting you based on a preconfigured list of license plate numbers.
-- High Mobley

OpenNMS is the network monitoring and management software you use if you have a lot of stuff and need something highly customizable. More flexible, more customizable, and more enterprise-ready than most of its competitors, it is also the most open source. The only downside is that it's more difficult to install on average. However, if you need to monitor and manage everything and anything on the network, this is probably the best tool under the sun, open source or not.
-- Andrew Oliver

WhatsUp Gold seems to be everywhere these days -- including in many places where I should be seeing Cacti instead. Yes, the venerable front end to the RRDtool data logging system is still running strong. Presenting the familiar MRTG-like interface, Cacti can tell you whether your links are up or down, display your network's throughput, and alert on any problems. Don't get me wrong, WhatsUp Gold is a fine tool with in-depth monitoring capabilities, but if all you want is a picture of your network in broad strokes, save yourself a few grand and download Cacti instead. And be sure to check out CactiPhone, a free Web GUI to Cacti for the iPhone and Android.
-- Victor R. Garza

Any serious network troubleshooter has a good network protocol analyzer in his toolkit. Wireshark is a network traffic sniffer and analyzer that rivals even the best commercial analyzers. Traffic can be captured, logged, filtered, and analyzed down to the contents of individual packets, with detailed information about each protocol and network device. There's even an entire submenu of stats and analysis just for telephony protocols. Our favorite feature is the ability to follow a network conversation between two hosts, allowing you to troubleshoot one issue buried in all the captured traffic of an entire network.
-- High Mobley and Serdar Yegulalp

If you've been in InfoSec for more than a week, you know Snort is still the best open source intrusion detection and prevention system out there. Using rules to detect both signature and anomaly-based attacks, Snort is deployed worldwide as a first line of defense. There are tons of add-ons for Snort to manage rule sets, generate reports, and produce graphs. While Snort is available for Windows platforms, deploying on Linux keeps Snort running fast, like a greased pig.
-- Victor R. Garza

Akin to a Security Information and Event Management system, Sagan is a log monitoring system that can write back to a Snort database and correlate log events flagged by Sagan rules with Snort events. Sagan also works with other network and security devices that generate SNMP traps, output syslog, or other log formats. If you're familiar with the rule language from Snort or Suricata, you'll feel at home with Sagan. While Sagan doesn't need Snort to run effectively, Sagan was designed with Snort in mind. They make good security monitoring partners, displaying security events of concern in a single console.
-- Victor R. Garza

Developed by the Department of Homeland Security's Directorate for Science and Technology HOST program (Homeland Open Security Technology) and by the Navy's Space and Naval Warfare Systems Command, among others, Suricata is an IDS/IPS designed with modern threats and modern hardware in mind. You'll find a multithreaded flow engine, high-speed IP address matching, Layer 7 protocol detection on any port, and the ability to detect file types in an HTTP stream regardless of extension. Also based on rulesets (like Snort), Suricata now has TLS support and is working with hardware supporting 10Gb Ethernet (10GbE) for fast packet capture and network monitoring and surveillance.
-- Victor R. Garza

What were you expecting -- complicated? Simplicity is always better, a philosophy pushed forward with the Snorby charting interface for Snort, Suricata, and Sagan. This crisp and clean Ruby on Rails application makes vast amounts of data clear and concise with an uncomplicated dashboard for monitoring, searching, and classifying security events on your network.
-- Victor R. Garza

Nmap belongs in the toolbox of every network administrator. The popular network security scanner can run a number of different analyses on a remote host and produce detailed reports about open ports, running services, and even educated guesses about the OS in use. The command-line version of the program can be used as-is or in conjunction with a graphics front end. Newly released Nmap 6 brings an expanded scripting engine for automation, full IPv6 support, faster scanning performance, and a new ping-on-steroids Nping tool.
-- Serdar Yegulalp

The granddaddy of all tools for attack and penetration testing, Metasploit provides a comprehensive environment for finding vulnerabilities on your network, creating attacks that exploit those vulnerabilities, and automating launches of those attacks against virtually any host and port on your network. Think of it as an IDE and test suite for criminal masterminds. You can use Metasploit to write Trojan horses and rootkits, crack networks, and even exploit live user sessions. The honest goal: finding vulnerable machines to fix and shoring up your network against threats.
-- Victor R. Garza

Still the best single toolkit in all of information security, BackTrack -- a Linux distro you can boot in its entirety from a Live DVD or thumb drive -- includes a ton of security tools. Whether you need a wireless hacking toolkit, utilities for digital forensics, or an on-the-go pen-testing suite, you need look no further than BackTrack.
-- Victor R. Garza

A collection of tools for Web application security testing, the free Burp Suite bundles a spider to crawl your site and identify dead links and submission forms, a proxy to facilitate man-in-the-middle attacks and watch traffic as it flows from your browser to the target site, and a penetration tool that can perform customized attacks based on vulnerabilities found with the spider and proxy. It's a tightly integrated and extremely useful set of tools for discovering security weaknesses in websites.
-- Victor R. Garza

Developed for the Department of Defense Cyber Crime Center for use in forensics investigation, dc3dd is a straightforward disk imaging utility run from the command line. Nice features of this very lightweight and spartan tool include a job progress display and the ability to split output files into chunks. Just be careful when typing in those commands -- one slip could result in wiping out all the data on the original source disk. Once your disk image is created, working with the image in a virtual environment like VirtualBox or VMware Workstation is a logical next step.
-- Victor R. Garza

When you need a good password cracker, you really need it, and you need it now. That's why you need Ophcrack in your toolkit. Based on rainbow tables (precomputed hash tables), Ophcrack cracks Windows LM or NTLM hashes and spits out passwords 14 alphanumeric characters or smaller. (The company behind the project, Objectif Sécurité, sells Rainbow Tables for longer hashes.) When I need a single Windows hash cracked, I just paste it into Objectif's online demo, which then spits the decrypted password back to me. Instant gratification!
-- Victor R. Garza

Back in the day, when hapless users locked themselves out of their machines, I'd pull out my trusty John the Ripper CD and go to work. While there are a number of other password crackers available, every network admin has used John the Ripper at one time or another. JTR is supported by the venerable Rapid7 (of Metasploit fame), and it has more recently been updated with a performance increase in cracking DES-based hashes. The "community enhanced" version can crack ZIP, RAR, PDF, and Microsoft Office passwords, among others.
-- Victor R. Garza

For those who want to establish secure communications with third parties, the PGP standard has long been a popular way to do it. GnuPG provides a whole suite of PGP tools for encryption, decryption, key management, and message signing. Support is included for a whole bevy of common and uncommon encryption algorithms, and a plug-in architecture allows future algorithms to be added transparently. The Windows build of the suite includes integration for Microsoft Outlook and even a tiny email client (Claws Mail) with native GnuPG support.
-- Serdar Yegulalp

Java runs on more than three billion devices worldwide -- yes, that's billion with a "b" -- so by statistics alone, insecure Java code must be everywhere. FindBugs uses static analysis (sans code execution) to check compiled Java (class or JAR) for bugs (patterns in bytecode that are consistent with coding errors), including bugs that can be used to exploit Java applications for malicious intent. FindBugs also has a nice plug-in architecture that can be used to extend bug detection and integrate with bug tracking systems.
-- Victor R. Garza