Open Source Science Journal Vol. 2, No. 2, 2010

Open Source Security Tools

Mihai DOINEA
Academy of Economic Studies, Bucharest, Romania
mihai.doinea@ie.ase.ro

Abstract: This paper aims to provide a better understanding of how the open source
community has enriched the field of information systems and even developed the Internet
as it is today. The paper gradually presents the main aspects of open source software and
highlights the security issues that are part of this major concept. After identifying the main
categories of tools for security implementation, some conclusive examples and how they are
used in practice are presented.

Keywords: security, open source tools, implementation examples, network, sniffers.

1. Security in Open Source

Open Source Software is a major part of the information systems community, and it
can be said that, without this area, the Internet would not even exist today in the form we
know. Open source programs are found in every area of computer software, from
entertainment applications to the business domain.
The security field is also enriched by open source applications, which address all of
its possible aspects. Some of the categories in which open source security tools have been
developed are:
• networking, such as network analyzers;
• intrusion detection systems;
• software development tools;
• databases and data protection.
The open source market even has programs that are comparable in performance and
efficiency with commercial products.
Open source began together with the development of the UNIX platform, which was
invented by Bell Labs, a research division of AT&T. Ever since, open source software has
spread into every corner of information systems and to every kind of operating system,
not only UNIX or Linux.
The area in which open source is growing most efficiently is the academic world, with
thousands of researchers and students who are willing to further explore the potential of IT
under the most common and protective software license, the General Public License (GPL),
developed by the Free Software Foundation. Two of the benefits of these licenses are:
• users can develop existing software without the fear of legal woes;
• software developed by users is safe under the GPL, and no one else can appropriate it
for their own benefit.
After this software revolution, as it can be called, the open source concept grew little
by little in the arms of academia and research institutions until the Internet put its hands to
work. When the Internet exploded in the early 1990s, open source followed because of the
creation of a much easier means of sharing information: the World Wide Web, the three Ws.
Security, like other aspects of IS, came as a necessity [1] of confidentiality, integrity
and availability, followed by the other characteristics that some applications need. The CIA
triangle can also be constructed from open source tools that cover much of the security
area known today to malicious users.
Whether we are speaking of international organizations or home users, we can
conclude that the main goals of information security can be achieved by means of open source
security tools, with some exceptions regarding the legal effects these open source tools create
with respect to the organization’s outcomes. But if we are talking only about individuals who
are not concerned with making profit, existing open source security tools can very well satisfy
all their needs in terms of CIA:
• confidentiality – the characteristic that allows data to be read only by authorized
personnel;
• integrity – the characteristic that helps detect possible unwanted attempts at data
alteration;
• availability – the characteristic of making the software available whenever it is needed
for processing.
These goals of information security cover all the risks and vulnerabilities that are
tested by malicious users in their fight for:
• accessing undeserved resources for personal advantage;
• destroying or altering data;
• blocking access to other information systems.
When adventuring into this realm full of threats, here is how the FBI [2] classifies the
nature of these unwanted events:
• Fraud and Related Activity in Connection with Access Devices;
• Fraud and Related Activity in Connection with Computers;
• Communication Lines, Stations, or Systems;
• Wire and Electronic Communications Interception and Interception of Oral
Communications;
• Stored Wire and Electronic Communications and Transactional Records Access;
• Recording of Dialing, Routing, Addressing, and Signaling Information.
The chart in figure 1 depicts the figures which reveal the trend of cyber-crime
events experienced by Australian business organizations, as a percentage of the survey.

Fig. 1. Cyber-crimes incidents by type [3]



The following picture illustrates how Australian business corporations are using
security tools for preventing unwanted cyber-crimes. This study was made on 3658
respondents by the Australian Businesses Assessment of Computer User Security, ABACUS.

Fig. 2. Security Tools Classification [4]

From the previous studies it can be observed that the tools are synchronized with the
threats: for the first category of threats, infections with viruses, trojans and worms, the main
tool used is antivirus software, and so on.
Although in the recent period a drop in the number of victims of cyber-crime
attacks has been recorded, from 66% in 2007 to 60% in the period between August 2008 and
July 2009, the number of attacks has increased significantly compared with the previous year,
as shown in a complex study made by [5]. In the top ten cybercrimes committed on the net in
this survey we find the following data:

Table 1. Cybercrimes (net) figures

Cybercrime                                      Occurrences
Virus, trojans, worms                           53%
Spyware                                         41%
Phishing                                        38%
Unauthorized access                             35%
Unintentional exposure of sensitive information 34%
Illegal generation of spam mail                 32%
Denial of Service (DoS) attacks                 27%
Financial Fraud                                 26%
Theft of Intellectual Property                  22%
Theft of Personal Identity                      20%


Note that all of the cybercrimes presented above, and others, may not have been
reported in any way, even if they caused large operational or financial losses, because of
their negative impact on the image of the organization.

2. Tools for Security Implementation

To achieve a trusted level of security, both organizations and stand-alone users
must have all the security pieces assembled in perfect synchronization in order to obtain the
most efficient and secure level for their systems. The tools with which such a level of security
can be achieved are:
• operating system;
• security software;
• security hardware;
• policy procedures.
In what follows, we will discuss what are called open source security tools: basically
software programs developed by the open source community to help users and
organizations win the fight against existing threats.
An open source configuration of the above can be built from scratch using an open
source operating system like Linux, configured to satisfy the expected security needs,
together with other open source security software for all of the following categories:
• open source tools for security analysis and management;
• open source intrusion detection systems for monitoring the security layer;
• open source tools for security assessment: vulnerability scanners for databases,
authentication protocols, firewall weaknesses and others;
• open source security diagnosis software;
• open source tools for networking: firewalls, port scanners, network sniffers, network
communication and remote access;
• open source software for wireless communication;
• open source security software for e-mail and spam;
• open source cryptographic software for files and data.
Open source tools for managing the network communication flow are an essential part
of the process of strengthening the security layer. Network connections are the main entry
point of undesired threats against our systems. For establishing network connections one may
use different protocols, which define how network packets should be exchanged between
hosts, basically the manner in which connections are implemented. There are several
protocols used by several types of topologies which define the network structure. All the
tools for restricting network communication access work on the basis of protocols and
analyze the inbound and outbound data in order to decide who is allowed and who is not.
Firewalls commonly intercept the network packets addressed to the system on which
they are installed and, based on the protocols from the different connection layers and some
predefined rules, filter the data, in this way protecting the entire system.
The following picture presents how the TCP/IP protocol initializes a connection
between two computers.


Fig. 3. Three way handshake protocol

If any of these three steps is not completed, the connection is not established. In
this example a firewall program installed on B will check whether or not the first packet
received complies with its predefined rules, thus restricting the outbound communication by
not responding to the SYN packets. In this way the firewall can block all the packets of a
specified protocol, but deeper rules can be applied even further, at port level. By using
specialized port scanner software, vulnerable ports in the system can be identified and blocked.
Security assessment by scanning for vulnerabilities [6] inside the system is another
important aspect that should be treated carefully. Vulnerability scanning software is useful
when trying to understand the integrity of an application by taking into account its security
holes. For this purpose, the vulnerabilities are identified starting from the application layer of
the implemented network protocol. Here is a list of what possible attacks can exploit in a
system if it is improperly secured:
• weaknesses of routers, firewalls, web servers, mail servers and other dedicated
servers;
• buffer overflow attacks for gaining access to the system;
• the database level, by exploiting the weaknesses of programs when communicating
with databases: SQL injection, URL impersonation.
Intrusion detection systems are meant to add another plus to the security level after the
system has been reinforced with firewalls and scanned for possibly open ports. These kinds of
systems act at a much lower level than the other protective tools, and their role is to analyze
the packets received from the network and search for patterns that may correspond to
malicious code like worms, trojans or viruses, or to check the integrity bit, if there is such a
bit, error correction codes, or another form of integrity check on the transmitted data, to see
whether there were any changes across the network channel, revealing in this way a possible
attack.
Open source tools for security analysis and management work on the output of all the
security tools that gather data about security events. All the data gathered cannot be
analyzed as it is; specialized software for interpreting and managing it must be used for
efficient results.
Another important aspect is given by the confidentiality characteristic, which must
exist as a security measure for vital information. This is also achieved by a wide range of
open source encryption software, which allows information to travel freely outside the
boundaries of a secured network without the worry that it can be intercepted and viewed.
Encryption methods have grown in number and strength, providing utility for every kind
of task that an application can demand.


We can conclude that open source security tools have been developed for some layers
of the OSI model. The OSI model has its own OSI security model, defined and analyzed in
detail in [7]. Below is presented a diagram with all the possible security tools that can be used
for each layer of the OSI model.

3. Application examples

Of the types of open source security tools presented in the previous chapter, network
sniffers are the tools that do their job right in the middle of the battle, as they are permanent
watchers listening to the network for packets with suspicious behavior. Sniffers act on the
lower levels of the OSI Reference Model, which are the physical and data link layers, as
depicted in figure 5. For each layer of the OSI model a set of functionalities for implementing
security is presented in [7].

Fig. 4. OSI Model [8]


Fig. 5. OSI Level [8]

Because they work at a low level, sniffers are designed for a particular type of
network. The Ethernet network is the most common, since the Internet has developed on its
back. For this reason the open source sniffer presented in what follows is developed to work
only on Ethernet networks. What needs to be known when using sniffer software is:
• check whether the sniffer used can capture the network traffic which is intended to
be monitored;
• if used in organizations, a security policy must declare how, when and where it should
be used;
• use filters for narrowing the captured packets, making the analysis more
efficient;
• another important aspect is to have an image of the analyzed network as a basis for
further comparisons.
Before effectively starting to capture the network stream, we must first understand
exactly how the packets are constructed in the TCP/IP based protocol, whose performance is
measured closely in [9]. Figure 6 depicts the TCP and IP headers of a packet received from
the network.


Fig. 6. IP and TCP header datagram [10]

Now that these headers have been presented, the Wireshark open source network
analyzer is used to give some examples of how this kind of tool can be useful.
First, it must be checked whether it is legal to listen on the network given by the
installed adapters. Corporate policies or applicable law might prevent this from being
possible. In this case a home network is used for the example.
If the sniffer can be used, then all that can prevent it from actually listening are the
access privileges of the operating system. So, in order to be able to capture packets, the user
should have an account with the necessary access privileges or administrator privileges.
We start by choosing the network interface from which we want to capture packets,
found in the menu Capture/Interfaces (CTRL+I shortcut). This network interface is given by
each network board in the system and is identified by a unique identifier which contains the
manufacturer specification and a unique id.

Fig. 7. Wireshark interfaces

After choosing the interface we must then establish what kind of capture we want to
do, depending on the packets’ destination field:
• inbound and outbound traffic for the computer on which Wireshark is installed;
• inbound and outbound traffic destined for other machines, by switching on
promiscuous mode.


The first scenario is just several clicks away from the moment the program is
started, and it does not matter where the computer is situated in the network.
The second one must take into consideration the network topology: whether there are
switches or hubs installed. If there is a shared network then the position does not matter, since
all the information reaches each computer in the network, so Wireshark could capture all
the traffic across it. If switches are present then the packets cannot be seen even if the program
is in promiscuous mode. Here comes the Man In The Middle attack [11], in which the
listening computer impersonates the one from which it wants to capture the packets by
modifying the ARP cache of the router or switch.
For an easy analysis of the data captured from the network, filters can be used to
minimize the information size. For example, a filter for capturing only TCP and UDP HTTP
traffic on port 80 looks like the one in figure 8.

Fig. 8. TCP or UDP HTTP filter

For the filter presented in figure 8, the traffic generated by an HTTP request to load the
Google web page is depicted in the following picture.

Fig. 9. Google webpage load

In figure 10, packet number 14 is presented with the IP header selected, and the TCP
header following it. Packet 14 is a received packet.


Fig. 10. HTTP packet

The presented packet contains the following data for the IP datagram, as presented in
figure 6:
• IP version: 4 – the first byte of the selection, value 4;
• Header Length, IHL – the following value, 5;
• Type of Service – followed by 0x00;
• Total Length – two bytes with value 00 28, meaning 40;
• Identification – 2 bytes, value 70 ff;
• Flags – 1 byte, value 40;
• Fragment offset: 2 bytes;
• Time to live: 1 byte, value 80;
• Protocol: 1 byte, value 06, meaning TCP;
• Header checksum: 2 bytes, value 35b0;
• Source: 4 bytes, value 917403c3, the IP address of the receiver;
• Destination: the last 4 bytes, colored in black, the sender’s IP.
The TCP datagram of packet number 14 contains the following information:
• Source port: the first two bytes, value 0667;
• Destination port: 2 bytes long, value 0050, meaning HTTP port 80;
• Sequence number: 4 bytes long;
• Acknowledgement number: 4 bytes long;
• Header length, flags and window size: a total of 4 bytes;
• Checksum: 2 bytes, value da81;
• Padding: 2 bytes of padding left to complete the checksum if the segment contains an
odd number of headers.
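To make the header layout above concrete, the following Python dissector is an added example (not code from the paper, nor from Wireshark): it decodes the IP and TCP header fields listed for packet 14 from raw bytes and verifies the IP header checksum, which is the check a defender runs when a sniffer reports "checksum error". The destination address, sequence and acknowledgement numbers, TCP flags and window are constructed assumptions, because the figure does not show them; the destination was chosen so that the listed checksum 35b0 verifies, and the final two TCP bytes are decoded as the urgent pointer field of RFC 793.

```python
import struct
from ipaddress import IPv4Address

# Constructed sample (not the paper's capture). The IP fields are the values the
# paper lists for packet 14; the destination address (blacked out in the paper),
# TCP sequence/acknowledgement numbers, flags and window are assumptions. The
# destination 192.168.254.64 was chosen so the paper's checksum 0x35b0 verifies.
PACKET_14 = bytes.fromhex(
    "45 00 00 28 70 ff 40 00 80 06 35 b0 91 74 03 c3 c0 a8 fe 40"  # IPv4 header
    "06 67 00 50 00 00 10 00 00 00 20 00 50 10 fa f0 da 81 00 00"  # TCP header
)
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]


def ones_complement_sum(data: bytes) -> int:
    # 16-bit one's complement sum from RFC 791; carries are folded back in.
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ip_checksum_ok(ip_header: bytes) -> bool:
    # An intact header, checksum field included, sums to 0xFFFF.
    return ones_complement_sum(ip_header) == 0xFFFF


def parse_ipv4(packet: bytes) -> dict:
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum = struct.unpack(
        "!BBHHHBBH", packet[:12])
    ihl = (ver_ihl & 0x0F) * 4            # IHL counts 32-bit words: 5 -> 20 bytes
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(packet) < total_len:
        raise ValueError("malformed IPv4 header")
    return {
        "version": ver_ihl >> 4, "ihl_bytes": ihl, "tos": tos,
        "total_length": total_len, "identification": ident,
        "dont_fragment": bool(flags_frag & 0x4000),   # bytes 40 00 -> DF flag set
        "fragment_offset": flags_frag & 0x1FFF,       # low 13 bits of that 2-byte field
        "ttl": ttl, "protocol": proto,                # 6 = TCP, 17 = UDP
        "checksum": csum, "checksum_ok": ip_checksum_ok(packet[:ihl]),
        "src": str(IPv4Address(packet[12:16])),
        "dst": str(IPv4Address(packet[16:20])),
    }


def parse_tcp(segment: bytes) -> dict:
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    header_len = (off_flags >> 12) * 4   # data offset, in 32-bit words
    flag_bits = off_flags & 0x00FF
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "header_bytes": header_len,
        "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if flag_bits & (1 << i)],
        "window": window, "checksum": csum,
        "urgent_pointer": urg,            # last 2 bytes; the paper calls them padding
        "payload_len": len(segment) - header_len,
    }


def dissect(packet: bytes) -> dict:
    # IP first; the TCP header starts at IHL*4 and the segment ends at total length.
    ip = parse_ipv4(packet)
    layers = {"ip": ip}
    if ip["protocol"] == 6:
        layers["tcp"] = parse_tcp(packet[ip["ihl_bytes"]:ip["total_length"]])
    return layers
```

Flipping any header byte (for example the TTL) makes `checksum_ok` false, which is exactly the condition behind the checksum errors counted in section 4.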
This was a brief example of using an open source sniffer to capture a live stream from
the network. The possibilities are endless, and a wide range of filter combinations can be
created, allowing us to scan the whole range of forms in which malicious content could
enter our system.

4. Application analysis

With the open source sniffer software, an analysis was made of network
traffic data captured in a time frame of more than 100 seconds, exactly 104.602 seconds,
capturing more than 50 thousand packets with a throughput larger than 40 MB,
as presented in figure 11.


Fig. 11. Captured Traffic Information

During the communication process, a number of errors occurred, such as the ones listed
below and shown in figure 12, altering the overall quality of the network communication:
• packets lost – error caused by packets that have not reached the destination;
• more than two packets – error suggesting that more than two identical packets have
been found and the received order of packets has not been respected;
• checksum error – error providing information about a possible mismatch between the
data sent and the data received, meaning that the data has been altered during the
communication process.

Fig. 12. Statistics about the quality of the communication process

The evaluation of the data revealed more than one network peak over the TCP and
UDP protocols, as presented in figure 13. The red line represents the UDP traffic
against the black one, which is the TCP traffic, presented at a larger granularity and
whose largest network peak is underlined in yellow.

Fig. 13. UDP and TCP bytes/second chart

To determine the cause of such a peak in the UDP traffic, all the IP headers of
the received packets are visualized in a timeline. The period when the network peak
starts, around second 50, is found to have a significant amount of traffic which
determined the overall low level of network bandwidth. As can be seen in the table
illustrated in figure 14, the records marked in yellow show high
communication traffic starting exactly when the UDP histogram from figure 13 showed the
network peak and ending approximately 28 seconds later, just when the peak in the UDP
histogram goes down, around second 80.

Fig. 14. IP datagram showing the network fluctuation

A more detailed analysis can be done on those packets if the network traffic is
filtered for UDP packets, revealing exactly who was doing what, and when, in that
moment, as can be seen in figure 15.

Fig. 15. UDP traffic around the network pick

This kind of behavior could be caused by viruses which make connections and
send lots of packets over the network containing personal data from the computer, or which
are just trying to reach other destinations and affect other systems.
A deep understanding of the network premises and of how such a tool works at
different levels could help users easily identify and act in different situations which can be
caused by security breaches in the systems.
Fortunately, this time it was just a simulation, and the UDP connection peak was due to
a transfer of data between multiple users.
Besides the UDP network fluctuation, the TCP traffic also recorded a high point in
the interval in which the open source sniffer recorded the data. Around second 45, a high
value of TCP traffic can also be seen in figure 13. Following the TCP stream, a
communication link was found with one of YouTube’s servers, playing multimedia
content, which explained the high TCP traffic in that period, as illustrated in figure 16.


Fig. 16. Followed TCP stream

Open source sniffers have the role of capturing huge amounts of network traffic, but
are not able to also analyze it. For this reason other tools can be used for interpreting, in a
more profound manner, what the sniffers have recorded.
Deeper analyses can be done on the traffic with such tools, because among
millions of recorded packets not even an experienced user can see and search for the causes
which are affecting the network and, implicitly, the system.

5. Conclusions

The open source area is full of software developed by official communities or even
anonymous developers who are trying to promote their thinking and induce users to make use
of these tools. Security is an important aspect, and for this reason developers have focused on
developing a wide range of tools to help users cope with all the threats outside their
systems.
Unfortunately, not all security problems can be solved by means of open source tools,
even though software programs have been written for all the known security fields. The one
important impediment is the legal implications: if the security policy of certain organizations
comes into contradiction with this kind of action, then for this reason the tools cannot be used.

Acknowledgements

This article is a result of the project “Doctoral Programme and PhD Students in the
education research and innovation triangle”. This project is co-funded by the European Social
Fund through the Sectorial Operational Program for Human Resources Development 2007-
2013, coordinated by the Bucharest Academy of Economic Studies (project no. 7832,
“Doctoral Programme and PhD Students in the education research and innovation triangle,
DOCECI”).

References

[1] V. V. Patriciu and I. Bica, Semnaturi electronice si securitate informatica, All Printing
House, Bucharest, 2006.


[2] FBI Computer Crime Frauds, Computer Crime Legal Resources, [Online]:
http://www.justice.gov/criminal/cybercrime/cclaws.html

[3] Ohio Super Computer Center, Network Forensics, [Online]:
http://www.osc.edu/education/si/projects/forensics/index.shtml

[4] K. Richards, The Australian business assessment of computer user security: a national
survey, 2009, Research and public policy series no. 102. Canberra: Australian Institute of
Criminology, [Online]: http://www.aic.gov.au/publications/rpp/102/index.html

[5] CSO magazine in cooperation with the U.S. Secret Service, Software Engineering Institute
CERT Program at Carnegie Mellon University and Deloitte, 2010 Cybersecurity watch
survey: cybercrime increasing faster than some company defenses, 2010, [Online]:
http://www.csoonline.com/documents/pdfs/2010CyberSecurityResults.pdf

[6] I. Ivan and M. Doinea, “Vulnerability optimization in distributed applications,” Economic
Growth and E.U. extension process International Conference, ASE, Bucharest, 2008.

[7] T. Stergiou, M. S. Leeson and R. J. Green, “An alternative architectural framework to the
OSI security model,” Computers & Security Journal, Vol. 23, No. 2, 2004, pp. 137-153.

[8] Wikipedia Source, OSI Model, [Online], http://en.wikipedia.org/wiki/OSI

[9] X. Y. Wu, S. Kumar and S. J. Park, “Measurement and performance issues of transport
protocols over 10 Gbps high-speed optical networks,” Computer Networks Journal, Vol. 54,
No. 3, 2010, pp. 475-488.

[10] RFC Editor, TCP/IP Protocol, [Online], http://www.rfc-editor.org

[11] V. V. Patriciu and I. Bica, Securitatea comerțului electronic, All Printing House,
Bucharest, 2001.

[12] I. Ivan and C. Boja, Practica optimizării aplicațiilor informatice, ASE Printing House,
Bucharest, 2007, 483 pg.

Author

Mihai DOINEA received a PhD scholarship from the Academy of Economic Studies,
Bucharest, Romania in Economic Informatics at the UvA Research Center. He has a master’s
diploma in Informatics Security (2006). He is also an assistant lecturer and teaches data
structures and advanced programming languages at the Academy of Economic Studies. He has
published more than 20 articles in collaboration or as single author and co-published two
books in his area of interest. His research interests are: informatics security, distributed
applications, optimization criteria, databases, artificial intelligence, information management,
security policies, mobile devices, networking and wireless communication.
