Technology Exploration Project – M591
TO BUY OR NOT TO BUY
R-Guard and OSSIM
Introduction
Data security is as important to every system as privacy is to people. A secure system is one that is protected from potential loss of data (by accidental deletion or overwriting) and from corruption of data (by unauthorised access, accidental system failure or faulty drives on the system). This also applies to theft of data, as it poses a threat to the system.
Organisations take many measures to ensure that the data stored on their systems is as secure as it can be (e.g. use of anti-virus software, use of a firewall, etc.). These measures are taken because they not only protect sensitive/private data; they also build trust amongst users/clients of the organisation’s system.
R-Guard version 2.2 and Open Source Security Information Management (OSSIM) are the two data security systems that shall be compared and carefully analysed in this article. For ease of reading, the names R-Guard and OSSIM shall be used throughout this article.
R-Guard uses a commercial licence, while OSSIM, as the name suggests, uses an open source licence.
As the name suggests, open source refers to software (in the context of this article) whose source code is freely/openly available for members of the general public to edit without ‘restrictions’ (Wikipedia, Open Source, 2007). OSSIM makes use of this and is available to download free of charge.
The R-Guard software, on the other hand, although it is available to download free of charge for a 30-day trial period, requires users to pay a fee ($39.99 USD) (R-Tools technology, 2007a) after the 30-day trial period has expired.
This free-of-charge model versus the paid model will be analysed later in this article, to see whether it is cost effective to pay for data security software when one is freely available.
Although the cost effectiveness of both products will be analysed, this article will also compare the technology used to implement both systems, and will provide an analysis of the ease of use of both systems.
This breakdown of both systems should provide the reader with more details about both products (to further the reader’s knowledge), i.e. act as a guide to help the user understand how data is protected and secured with the use of these two systems.
The R-Guard software allows the user to use access right control as a form of securing data. The user is not only given the right to control who has access to files and programs; R-Guard also allows the user to grant access rights/control to programs and applications on the system as well.
According to the OSSIM site (OSSIM, 2007a), the main goal of the software is correlation, i.e. being able to see every event happening in every system at once in the same form, thereby providing the opportunity to monitor processes, prioritize events according to their occurrence, detect any threat to the system and finally monitor any security events within the network (OSSIM, 2007a).
OSSIM’s general architecture is somewhat different to the R-Guard software, as it is an integration of open source products for security monitoring of a system. A generalised conclusion would be to say that OSSIM is a wide range of security measures combined to work as part of a fully functional system.
Technology used to implement each system
As mentioned earlier, R-Guard allows access rights to be issued not only to users of a system, but also to applications and processes. R-Guard uses a series of measures to implement its data security software. It provides an extension to the basic security measures already provided by Windows.
R-Guard makes use of a data encryption system that keeps the files encrypted on the hard disk. It also gives the user of the system the ability to trace and monitor files on the system, i.e. to know which application or process was started by another user or system process, and what actions were taken on the file or application accessed. The algorithm used is the AES (Advanced Encryption Standard) encryption algorithm with a 256-bit key in cipher block chaining mode (R-Tools technology, 2007a).
There are four stages in a round of AES, which are:
1. The SubBytes step
2. The ShiftRows step
3. The MixColumns step
4. The AddRoundKey step
These steps are explained by the figures given below (Wikipedia, Advanced Encryption Standard, 2007). The figures are self-explanatory.
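To make the four round steps concrete, the following is an added example written for this article; it is not R-Guard’s code (R-Tools technology has not published its implementation) and is not taken from the Wikipedia figures. It implements AES as specified in FIPS-197 in plain Python, with the four steps as separate functions, a key schedule that accepts 128-, 192- and 256-bit keys, and the cipher block chaining mode the article mentions. The expected outputs are the FIPS-197 and NIST SP 800-38A test vectors. Because the S-box is a table lookup, this code is deliberately not constant-time, which is exactly the class of implementation weakness the cache-timing attack discussed later in the article exploits; it is for study, not for protecting real data.

```python
# Pure-Python AES (FIPS-197) showing the four round steps and CBC chaining.
# Educational only: not R-Guard's code, and the table lookups are not constant-time.

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return r

def build_sbox():
    """S-box: multiplicative inverse in GF(2^8) (0 maps to 0), then the affine map."""
    sbox = []
    for x in range(256):
        inv, base, e = (1 if x else 0), x, 254      # x^254 == x^-1 in GF(2^8)
        while e and x:
            if e & 1:
                inv = gf_mul(inv, base)
            base = gf_mul(base, base)
            e >>= 1
        s, v = inv ^ 0x63, inv                       # s = inv ^ rotl(inv,1..4) ^ 0x63
        for _ in range(4):
            v = ((v << 1) | (v >> 7)) & 0xFF
            s ^= v
        sbox.append(s)
    return sbox

SBOX = build_sbox()

# The 16-byte state is kept in column-major order, index 4*col + row, as in FIPS-197.
def sub_bytes(state):
    return [SBOX[b] for b in state]

def shift_rows(state):
    """Row r is rotated left by r positions."""
    return [state[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]

def mix_columns(state):
    """Each column is multiplied by the fixed matrix [2 3 1 1; 1 2 3 1; 1 1 2 3; 3 1 1 2]."""
    out = []
    for c in range(4):
        a0, a1, a2, a3 = state[4 * c:4 * c + 4]
        out += [gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3,
                a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3,
                a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3),
                gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2)]
    return out

def add_round_key(state, round_key):
    return [s ^ k for s, k in zip(state, round_key)]

def expand_key(key):
    """FIPS-197 key schedule: Nk words in, Nr+1 round keys of 16 bytes out (Nr = Nk+6)."""
    nk = len(key) // 4
    assert nk in (4, 6, 8), "AES keys are 128, 192 or 256 bits"
    words = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 1
    for i in range(nk, 4 * (nk + 7)):
        t = list(words[i - 1])
        if i % nk == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]     # RotWord, then SubWord
            t[0] ^= rcon
            rcon = gf_mul(rcon, 2)                   # next round constant
        elif nk > 6 and i % nk == 4:                 # extra SubWord for AES-256
            t = [SBOX[b] for b in t]
        words.append([a ^ b for a, b in zip(words[i - nk], t)])
    flat = [b for w in words for b in w]
    return [flat[16 * r:16 * r + 16] for r in range(nk + 7)]

def encrypt_block(key, block):
    """One block: AddRoundKey, Nr-1 full rounds, then a last round without MixColumns."""
    rks = expand_key(key)
    state = add_round_key(list(block), rks[0])
    for rk in rks[1:-1]:
        state = add_round_key(mix_columns(shift_rows(sub_bytes(state))), rk)
    state = add_round_key(shift_rows(sub_bytes(state)), rks[-1])
    return bytes(state)

def cbc_encrypt(key, iv, plaintext):
    """Cipher block chaining: each block is XORed with the previous ciphertext block
    (the IV for the first) before encryption, so equal plaintext blocks do not repeat."""
    assert len(plaintext) % 16 == 0, "caller must pad to a multiple of 16 bytes"
    prev, out = iv, b""
    for i in range(0, len(plaintext), 16):
        prev = encrypt_block(key, bytes(p ^ q for p, q in zip(plaintext[i:i + 16], prev)))
        out += prev
    return out

if __name__ == "__main__":
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    print(encrypt_block(bytes(range(32)), pt).hex())  # FIPS-197 C.3: 8ea2b7ca516745bfeafc49904b496089
```

The last round omits MixColumns, as the standard specifies, and AES-256 differs from AES-128 only in the key schedule (14 rounds instead of 10, and an extra SubWord every fourth word), so the same four step functions serve both key sizes.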
The encryption key is generated from the user’s password using the MD5 (Message-Digest algorithm 5) algorithm. The MD5 algorithm is commonly used for verifying data integrity, although in the case of R-Guard it is used as a mechanism for storing the user’s password, with a form of reverse lookup database, thereby creating the key used in decrypting data (MD5 Security, n.d.).
When files are transferred, they leave the remote storage in encrypted form and are not decrypted until they reach the host. Thereby, if any form of attack were to occur on the way to the host, no harm or leakage of data would occur, as the data is still encrypted.
There is also an audit system (which uses a binary audit format to save disk space) and a self-protecting system that eliminates any chance of a user or process removing traces of unauthorised or dangerous access.
OSSIM consists mainly of a database host; a server hosting the correlation, qualification and risk assessment engine; N agent hosts that collect all the required information from the different devices on the system; and a control daemon for tying some parts together and for general maintenance. The frontend is web based, thereby providing the opportunity to control and monitor different parts of the system (OSSIM, 2007a).
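The key derivation just described is worth looking at more closely, because deriving an encryption key as a plain MD5 of the password is the property that makes a “reverse lookup database” possible. The following is an added illustration, not R-Guard’s code: it contrasts an unsalted MD5-derived key with a salted, iterated derivation (PBKDF2-HMAC-SHA256) using only Python’s standard library. The wordlist is constructed for the demonstration, and how R-Guard stretches MD5’s 128-bit digest to a 256-bit AES key is not stated in the article, so that step is not modelled.

```python
import hashlib
import os

def md5_key(password: str) -> bytes:
    """Key derived the way the article describes R-Guard doing it: a plain MD5 of the
    password. No salt, no iteration count, and only 16 bytes (128 bits) of output;
    how the product stretches that to a 256-bit AES key is not stated, so it is not
    modelled here."""
    return hashlib.md5(password.encode("utf-8")).digest()

def pbkdf2_key(password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """A password-based key derivation a defender would prefer: PBKDF2-HMAC-SHA256 with
    a random per-user salt and a work factor, yielding a full 32-byte (256-bit) key.
    600,000 iterations follows current OWASP guidance for PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)

# Constructed sample wordlist for the demonstration; a real precomputed table would
# cover many millions of common passwords.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "welcome1"]
REVERSE_LOOKUP = {md5_key(p): p for p in COMMON_PASSWORDS}

def recover_password_from_md5_key(key: bytes):
    """What a 'reverse lookup database' means: because the key is a fixed function of
    the password alone, any key found on disk or in memory is a direct index into a
    table built once for all users. Returns None if the password is not in the table."""
    return REVERSE_LOOKUP.get(key)

def salted_keys_differ(password: str, iterations: int = 10_000) -> bool:
    """With a per-user random salt, two users with the same password get different keys,
    so a precomputed table cannot be shared between them."""
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    return pbkdf2_key(password, salt_a, iterations) != pbkdf2_key(password, salt_b, iterations)

if __name__ == "__main__":
    print(len(md5_key("welcome1")) * 8, "bits from MD5 vs",
          len(pbkdf2_key("welcome1", b"demo-salt")) * 8, "bits from PBKDF2")
    print(recover_password_from_md5_key(md5_key("welcome1")))  # welcome1: found by table lookup
    print(salted_keys_differ("welcome1"))                       # True
```

The point for a buyer is that with an unsalted, single-pass hash the strength of the 256-bit AES key collapses to the strength of the password, whereas a salt forces any table to be rebuilt per user and the iteration count makes each guess expensive.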
OSSIM integrates network monitoring, security, correlation and qualification (Source Forge, OSSIM, 2007). With the integration of these units, the user is given the ability to have control over every part of their system. The software makes use of the integration of Snort, Acid/Base, MRTG, NTOP, Nagios, NMAP, Nessus and RRDTool.
Snort is intrusion detection and prevention software, which can be used to detect attacks on a network, sniff packets (for anything suspicious), analyse traffic and a lot more (Snort, About Snort, 2007). Snort is also used for cross correlation.
Nessus is a vulnerability scanner that can be used for checking sensitive data and for detecting just how vulnerable a system is to attacks (Tenable Network Security, Nessus, 2007). The Nessus software is also used for cross correlation, which is an important part of the OSSIM system.
NTOP is used for network monitoring and profiling. It works by building a network information database which can then be used for anomaly detection.
Anomaly detection is performed using Spade, RRD aberrant-behaviour detection, arpwatch, PADS and p0f.
Two host IDSs (host-based intrusion detection systems) are also included in the OSSIM suite for detecting and fortifying different operating systems. They help to collect real-time data on file operations using digital checksums, port operations, user operations and program operations (OSSIM, 2007b). The two host IDSs are:
1. Snare (to monitor Windows machines)
2. Osiris (to monitor UNIX and Windows machines).
Each event happening in the system is sent to the OSSIM management server and stored in a database.
As mentioned earlier, correlation is an important objective of the OSSIM software, as it helps to fight false positives. The objectives of correlation in the OSSIM software are to develop patterns for detecting known and unknown parts of the system, to provide a configurable inference machine which can be used to describe complex patterns and, in general, to provide wider visibility of the system (OSSIM, 2007a).
There are three correlation types used in the OSSIM software:
1. Logical correlation
2. Cross correlation
3. Inventory correlation
Logical correlation allows the user/administrator to create a set of rules to join events to match a new pattern (OSSIM, 2007b).
Cross correlation allows the crossing of information from the vulnerability scanner (with the use of Nessus) for prioritization of events to check whether there is a vulnerability to an attack or not (OSSIM, 2007b).
Inventory correlation checks if an attack affects a certain operating system, and if the operating system is not active during this attack, the event is discarded (OSSIM, 2007b).
A known method used for correlation is a heuristic algorithm in which accumulated events are used to check the overall security state of the system.
OSSIM also makes use of a risk assessment technique that is performed on every single event happening in the system. There are three parameters used in the risk assessment:
1. The value of the asset
2. Level of threat
3. The reliability or probability of the event occurring
A risk metrics dashboard displays all the known risks for each object on the network that poses a risk.
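The three correlation types and the three-parameter risk assessment described above fit together into one pipeline, and a small worked model makes the interplay clearer than the prose alone. The following is an added example written for this article, not OSSIM’s code: a logical directive that joins repeated events into one pattern, an inventory check that discards events aimed at an operating system the target does not run, a cross-correlation step that raises reliability when the scanner has confirmed the vulnerability, and the risk score feeding a per-host dashboard. The events, inventory and scan results are constructed sample data. The risk scaling (asset 0–5, priority 0–5, reliability 0–10, divided by 25) is the formula OSSIM’s own documentation used at the time, but since the article does not state it, treat it as an assumption here; the reliability cap applied when a scanned host lacks the vulnerability is likewise an assumed tunable.

```python
from dataclasses import dataclass

@dataclass
class Event:
    """One normalised event as an OSSIM agent would forward it to the server."""
    src: str
    dst: str
    signature: str        # detector rule name (e.g. a Snort or host-IDS rule)
    affects_os: str       # OS family the signature's exploit targets ("any" if not OS-specific)
    priority: int         # 0-5 threat level assigned to the signature
    reliability: int      # 0-10 confidence that the event is a real attack
    vuln_id: str = ""     # vulnerability the signature exploits, if known

# Constructed sample data, not from OSSIM: the inventory the agents built and the
# last vulnerability scan (host -> vulnerabilities found open).
INVENTORY = {"10.0.0.5": {"os": "linux", "asset": 4},
             "10.0.0.9": {"os": "windows", "asset": 5}}
SCAN_RESULTS = {"10.0.0.9": {"VULN-SMB-001"}}

SAMPLE_EVENTS = [  # constructed
    Event("203.0.113.7", "10.0.0.5", "SMB exploit attempt", "windows", 4, 6, "VULN-SMB-001"),
    Event("203.0.113.7", "10.0.0.9", "SMB exploit attempt", "windows", 4, 6, "VULN-SMB-001"),
    Event("198.51.100.3", "10.0.0.5", "ssh failed login", "any", 1, 3),
    Event("198.51.100.3", "10.0.0.5", "ssh failed login", "any", 1, 3),
    Event("198.51.100.3", "10.0.0.5", "ssh failed login", "any", 1, 3),
]

def logical_correlation(events, signature, threshold, new_signature, new_priority):
    """A minimal directive: when one source repeats `signature` at least `threshold`
    times, the repeats are replaced by a single `new_signature` event (the pattern the
    rule describes) whose reliability grows with the count; other events pass through."""
    groups, out = {}, []
    for ev in events:
        if ev.signature == signature:
            groups.setdefault(ev.src, []).append(ev)
        else:
            out.append(ev)
    for src, group in groups.items():
        if len(group) < threshold:
            out.extend(group)
            continue
        first = group[0]
        out.append(Event(src, first.dst, new_signature, first.affects_os, new_priority,
                         min(10, first.reliability + len(group)), first.vuln_id))
    return out

def inventory_correlation(ev):
    """Keep the event only if the destination runs the OS the exploit targets."""
    host = INVENTORY.get(ev.dst)
    return host is not None and ev.affects_os in ("any", host["os"])

def cross_correlation(ev):
    """Adjust reliability with scanner knowledge: a confirmed-open vulnerability makes
    the event as reliable as it gets; a scanned host without it caps reliability low.
    (The cap of 2 is an assumed tunable, not an OSSIM constant.)"""
    if not ev.vuln_id or ev.dst not in SCAN_RESULTS:
        return ev.reliability
    return 10 if ev.vuln_id in SCAN_RESULTS[ev.dst] else min(ev.reliability, 2)

def risk(asset, priority, reliability):
    """Risk = asset (0-5) * priority (0-5) * reliability (0-10) / 25, giving 0-10.
    This is the scaling OSSIM's documentation used; treat it as assumed here."""
    return asset * priority * reliability / 25

def assess(events):
    """Inventory and cross correlation, then risk scoring. Returns the scored events and
    a per-host dashboard holding the highest risk seen for each asset."""
    scored, dashboard = [], {}
    for ev in events:
        if not inventory_correlation(ev):
            continue
        r = risk(INVENTORY[ev.dst]["asset"], ev.priority, cross_correlation(ev))
        scored.append((ev, r))
        dashboard[ev.dst] = max(dashboard.get(ev.dst, 0), r)
    return scored, dashboard

def run_pipeline(events=SAMPLE_EVENTS):
    joined = logical_correlation(events, "ssh failed login", 3, "ssh brute force", 3)
    return assess(joined)

if __name__ == "__main__":
    scored, dashboard = run_pipeline()
    for ev, r in scored:
        print(f"{ev.src} -> {ev.dst}: {ev.signature} risk={r}")
    print(dashboard)
```

On the sample data the first SMB event is dropped by inventory correlation (the target runs Linux), the second is confirmed by the scan and scores the maximum reliability, and the three failed logins collapse into one brute-force event; this is the false-positive reduction the article attributes to correlation.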
A more generalised architecture of OSSIM is shown below (OSSIM, 2007a)
From the general overview of the different components making up each piece of software, OSSIM seems to be made up of complex units. R-Guard seems to be a more ‘straightforward’ system, and does not appear to be as complex as OSSIM.
The reason why OSSIM could appear more complex is that it is made up of different software integrated into one system. Although R-Guard may appear to have different processes making it up as well, it is more a case of carefully broken-down processes of one system, while OSSIM is more a case of different applications/systems trying to act as one system.
This integration of several open source products by OSSIM could be seen as an advantage as it allows a variety of different components and security measures to be taken from several inventors (incorporating the phrase “two heads are better than one”), thereby providing the system with the ability to perform more operations (which means it can be used for a wider variety of functions) and increasing the chances of improvement to the system.
However, this incorporation of different products and services into one suite for OSSIM could also be seen as a disadvantage (“too many cooks spoil the soup”), as it appears that the suite is trying to perform too many operations at once, thereby losing its main objective. R-Guard gains an advantage from this factor, as it only focuses on one major aspect of data security, which means that it can continue with that and improve it, while with OSSIM certain aspects of the system may suffer due to concentration on other parts of the system.
The technologies used for data security in both systems are very different. R-Guard uses a form of encryption algorithm to protect information in the system. With the form of security used on both systems, R-Guard looks to be more focused on protecting the actual folders and files in a network, while OSSIM appears to be more about protecting the network itself from intrusion and attacks. Metaphorically, it could be said that R-Guard is protecting the contents of a building, while OSSIM is protecting the building itself.
Cost
As already discussed earlier in the article, OSSIM is free of charge to install; however, for certain parts of the system (e.g. Nessus), although the software itself is free of charge, users are required to pay a subscription fee of $1200 per year for support and updated vulnerability checks.
R-Guard requires a payment of $39.99 for the license; this includes any renewals or support for the system.
At first glance it may appear that the OSSIM system is the cheaper option, but this is only true if no support for the system is considered. In terms of the price of purchasing and installing both systems, OSSIM is clearly the better option; however, in terms of the cost of maintenance, R-Guard is the better option.
A user or organisation considering both systems might be misled by the price tag of OSSIM, only to later discover the true cost of maintaining and keeping the system up to date. However, this is just a general cost overview; a more detailed breakdown follows.
According to the Volume Licensing section on the R-Tools technology site (R-Tools technology, 2007b), the purchase of the R-Guard corporate licence allows the installation of the software on one workstation or server and can only be used by one user; the software may be transferred to another user’s PC together with the licence, but it may not be installed on more than one PC at the same time.
This statement raises a question for large organisations with more than one server in their network: does it mean that multiple licences must be purchased in order for the R-Guard software to be used within the organisation?
Also, another requirement of the R-Guard software is that it should only be installed and used by an advanced Windows user, which means that training might be required for staff in an organisation to fully utilise the software, thereby adding to the maintenance cost of the software.
With the OSSIM software, as it is a variety of open source products integrated together, it becomes quite complex. For example, a user with limited knowledge of some of the software integrated into OSSIM might not be able to use it; therefore, as with the R-Guard software, training is also required.
However, the sort of training required for the OSSIM software might be quite complex, as the user not only needs to be trained in using one piece of software (as with R-Guard) but will need to gain considerable knowledge of the different aspects of the OSSIM software (e.g. network traffic, packet analysis, etc.).
In terms of the cost of maintenance of both systems, an advanced programmer might be employed by an organisation to ensure that the system is in good working condition and to monitor the system. As with any employee of an organisation, this programmer (or programmers, depending on the size of the system) will be paid a certain amount. The cost of a programmer to maintain the R-Guard software should be less than that for the OSSIM software. This is because, with the R-Guard software, the programmer only needs to be an expert in the software itself, whereas with the OSSIM software the programmer might need to be familiar with the variety of other software components that make up the suite (or the organisation might need to employ more programmers who are knowledgeable about each software component).
In conclusion, it can be said that the R-Guard software is easier to maintain than the OSSIM software.
The known and potential weakness of each system
An obvious weakness of the R-Guard software is the fact that the licence has to be paid for. However, as explained earlier in the article on cost, it has been shown that this could be an advantage over the OSSIM software.
A major weakness in a system that is meant primarily for data security is when secured data starts to become insecure and prone to threats due to the security instability of a system (or network).
The encryption method used by R-Guard is AES (Advanced Encryption Standard); the attacks on it have been side-channel attacks that target the implementation of the cipher on the system, leading to leakage of data. A known attack on AES is the cache-timing attack (Bernstein, D. J., 2005, Cache-timing attacks on AES). Although this was a quite simple timing attack, it is believed that a more complex version of this attack will allow the retrieval of AES keys from data.
Also, the R-Guard encryption system allows the user to enter the password only once, at Windows logon (R-Tools technology, 2007a). Although this might be seen as an advantage for TOTFE (True On-The-Fly Encryption), it could be a potential weakness for the system, as continuous verification is not being carried out on the system.
Another potential weakness of the R-Guard software is that, as encrypted files are stored on the hard disk, if there is any damage to the hard disk, the encrypted files become useless bits of data.
As R-Guard is an extension of the Windows security system, use of the software is restricted to the Windows platform only. This is a major disadvantage, as some organisations are now employing Linux- or Mac-based systems.
The strength of the OSSIM system might be its potential downfall, i.e. the integration of different open source products. As it is made up of different products, the malfunction of one of the products might affect the general function of the system.
The use of open source products also means that support for the product is limited. For example, if an organisation were to employ OSSIM and a fault occurred with attack detection (using Snort), the main source of support would be online, which means searching through numerous web pages (e.g. FAQs, forum discussions, etc.) to find a solution to the problem. In the case of the R-Guard software, however, there is a contact phone line and e-mail for enquiries and technical issues regarding the product. This problem could be resolved by employing an experienced programmer or technician with considerable knowledge of the OSSIM software (but the cost needs to be considered).
Another disadvantage of the integration of the products is the difficulty of detecting faults in the system; i.e. if a fault occurs in the system, it might prove quite difficult to detect which part of the system is causing the problem. This problem can also be resolved by having periodic checks and maintenance of the system.
Another problem with the use of these two systems is that they have both been designed for use by large organisations (this can be seen from the complexity of both systems, the amount for the licence, and the amount for regular support of the system in the case of OSSIM). This means that they will not be cost effective for individual use (for example a student, except for research purposes), and most of the features provided by both systems might seem irrelevant for single/individual use.
According to an interview with a group of students (Personal communication, November 12, 2007), a more complex system appears to be a safer mechanism for data security. Although the OSSIM software was not tested against the R-Guard software (due to time constraints, and the complexity of both systems), it was perceived that the OSSIM software would be a better option for data security.
Conclusion
Both systems have their similarities and differences. They are both solutions to the problem of data security. However, both systems have gone about achieving their objectives by different routes.
Although they are both designed for use in large organisations, R-Guard seems more suited to smaller organisations than the OSSIM software. As the OSSIM software can perform a wider variety of operations (i.e. network analysis, packet analysis, network security, etc.), larger organisations can benefit more and make fuller/complete use of the system.
It is quite unusual to discover that the more complex system, OSSIM, is the software that is freely available to use, while a licence has to be purchased for the simpler software, R-Guard.
The choice of data security software could depend on what the purpose of the organisation’s network is to be. The R-Guard software deals directly with system security and protecting data across the network, while OSSIM deals with the general security infrastructure of the network, i.e. dealing with network traffic, packet analysis, data security, etc.
References
Bernstein, Daniel J. (2005). Cache-timing attacks on AES. [Electronic version]. Retrieved 12th November 2007 from http://cr.yp.to/antiforgery/cachetiming-20050414.pdf
MD5 Security. (n.d.). Everything You Need To Know About MD5 Cryptography. Retrieved 11th November 2007 from http://www.md5security.com/
OSSIM. (2007a). General System Description. Retrieved 8th November 2007 from http://www.ossim.net/whatis.php
OSSIM. (2007b). Retrieved 11th November 2007 from http://www.ossim.com/home.php
R-Tools technology. (2005). R-Guard Data security software User Manual. Retrieved 9th November 2007 from http://www.r-tt.com/downloads/rguard.pdf
R-Tools technology. (2007a). R-Guard Data security software. Retrieved 8th November 2007 from http://www.data-security-software.com/
R-Tools technology. (2007b). Volume Licensing. Retrieved 12th November 2007 from http://www.r-tt.com/VolumeLicensing.shtml
Shareup. (2007). R-Guard Download. Retrieved 9th November 2007 from http://www.shareup.com/R-Guard-download-20851.html
Snort. (2007). About Snort. Retrieved 11th November 2007 from http://www.snort.org/about_snort/
Source Forge. (2007). OSSIM. Retrieved 11th November 2007 from http://sourceforge.net/projects/os-sim/
Wikipedia. (2007). Advanced Encryption Standard. Retrieved 11th November 2007 from http://en.wikipedia.org/wiki/Advanced_Encryption_Standard
Wikipedia. (2007). Data Corruption. Retrieved 8th November 2007 from http://en.wikipedia.org/wiki/Data_corruption
Wikipedia. (2007). Open source. Retrieved 8th November 2007 from http://en.wikipedia.org/wiki/Open_source