October 1, 2002

Guardian Digital succeeding with Open Source security products

Author: JT Smith

- By Daniel P. Dern -

One ongoing question for the Open Source community remains: can companies
make a business go of Open Source-based products and services?

One company able to answer yes is Guardian Digital, Inc., which, according to
its Web site, is a "full-service Open Source security company ...
focused on the intelligent growth of Open Source security solutions
for Linux, including the Guardian Digital Linux Lockbox, a secure turnkey
e-business server and the secure Linux distribution EnGarde."

EnGarde includes an Open Source Web management system, a built-in gateway firewall,
integrated intrusion detection, and the ability to create and manage Web, DNS, and
mail domains for an entire organization. According to Guardian CEO Dave Wreski,
once EnGarde Linux has been installed, "within 15 to 20 minutes,
you can configure a Web site or server to provide standard, secure web functions like
SSL, port 80 functions, route email, DNS and the raw foundation for an ID device."

Guardian offers both a free version -- EnGarde Secure Linux, Community Edition -- and a purchased version --
EnGarde Secure Professional -- of
its Linux distribution. The Professional version includes more support, including enhanced hardware support, and the option to subscribe to the Guardian Digital
Secure Network service, which provides point-and-click updates.
The free version has fewer features and less support.

Guardian Digital also owns and maintains LinuxSecurity.com, a security
news and information resource for the Linux and Open Source communities. Formed
in early 1999, the company has fewer than 20 employees at present.

To find out more about this Open Source success, I recently interviewed
CEO Wreski. (Note: Wreski was profiled in NewsForge about a year ago, by
Dan Berkes, in "Battening down the hatches with Guardian Digital's Dave Wreski.")
What follows is a mix-down from two phone interviews and some email.

NewsForge: Since Guardian is privately held, you don't have to state revenues.
What can you say in terms of the business?

Wreski: We are earning a living. A lot is due to the Open Source model --
the services we're able to provide are in conjunction with the software
we've developed in association with the work of thousands of programmers
across the world.

Much of our revenue is based on services surrounding our
software. More and more of our customers want us to help them with
modifications to the software. These customers acknowledge that as the
architects, we are best positioned to accomplish customizations.

Another example of a service that we offer is the Guardian Digital Secure Network.
Guardian Digital regularly monitors a wide array of security
sources, trends in hacker activity, and vulnerabilities that potentially
may infiltrate the EnGarde system. When possible compromises are detected,
Guardian Digital alerts our customers to download system updates. They are
then able to apply the updates with a few clicks in their Web browser.

However, while Guardian Digital is making a living, up-front software
sales are not the answer to profitability. Guardian Digital continues to look for ways
to create longer-term value in the market through deeper relationships
with our customers and more extensive packaging of services.

NewsForge: Where are your customers?

Wreski: We have a distributor in every corner of the world, and
have sold our software to every country with a PC in it.
We have probably close to 30 resellers or distributors.

NewsForge: Who is EnGarde meant for?

Wreski: It's good for organizations with more than five to seven people,
due to the price point, or for companies who want to publish their own Web site,
versus going to an ISP and sacrificing functionality. We can provide a
pre-configured server, or just the shrink-wrapped box.

Our software also is suitable for use in small and medium enterprises, as
well as larger organizations with more demanding security and performance needs.

NewsForge: What do you see as the marketplace for EnGarde?

Wreski: EnGarde is a solution for two particular problems --
a) for people/companies looking to get on the 'Net quickly and securely,
without the concern that it's Linux -- they don't necessarily care what's
under the hood, they just care that it works -- and
b) for companies who want to use this as the basis for secure products.

NewsForge: Any particular larger/big-name customers you can tell us about?

Wreski: There's Piedmont Natural Gas, the second largest natural gas company on the United States East Coast -- we have worked closely with Piedmont to provide them with servers, software, and services to support their 670,000 customers.

And Implex Corporation. They make and sell orthopedic implant devices. They
asked us to propose, develop, and implement a complete secure Internet
presence for their corporate office and multiple branch offices. We were able to
implement the system using entirely Open Source tools, working within tight budget
considerations. We also did a network intrusion detection system designed specifically
for their environment, and also did DNS and email services for their corporate users,
corporate firewalling, and internal protection using proxy services ... and
we do network monitoring for suspicious activity.

Other users ... Sony Electronics Group's travel planning group is using it to get a
segment of their network securely on the 'Net, so they can do travel arrangements.
This happened after having been called in to recover from a network compromise
they experienced.

We're also used at universities and colleges, and at many large organizations
throughout the world.

Our software also supports a vast number of hardware devices, including
IBM eServers, Dell rack servers, as well as on our pre-configured server
appliances for customers that want an immediate Web presence. We provide
educational and non-profit discount pricing, and many institutions across
the world have taken advantage of our secure software platform to conduct
research experiments, or to build their Internet presence.

We also work with partners like Rainbow eSecurity -- we support their hardware accelerator for SSL operations,
so organizations can, on lower-end hardware, meet the demand of
a large-scale ecommerce site or Web server.

And since we introduced the free Community version, which has less
support, services or enterprise features, we've recorded tens of thousands
of downloads -- plus free availability we can't track.

NewsForge: Are you seeing an increase of downloads of the Professional
versus the free version?

Wreski: Yes. As we introduce additional products and services, even the type of audience we have has changed. A lot of people migrate
from Microsoft due to their new licensing program, [Licensing 6.0]
or because they don't have the time and knowledge to do the security effort
required to be on the 'Net today.

Initially our product was geared towards Linux people who had
the knowledge to put together a Web server. Now, the management
tools we offer, and improved security -- and press
visibility -- gave us more audience.

[PR guy chimes in]: So this is no longer seen as just a Linux thing.

Wreski: It's a solution to a particular problem -- people that need to get on
the Internet securely and don't otherwise have the resources to
do that. For defense in depth, you need to be both proactive and reactive,
consistently. With downsizing, and people not having single purpose
roles, nobody has the time to learn all the individual vulnerabilities
for Windows, Linux, applications, etc. They just want to get on line, securely.

NewsForge: What's Guardian's revenue split between products and services?

Wreski: About 35% product, 65% services.

NewsForge: How much of the services revenue comes from customers for your own products, versus consulting, education, policy review, monitoring, etc.?

Wreski: The vast majority is surrounding our own software. We do some managed security in our own data center, for people looking for a secure
place to call home, and for customers who need to get on the 'Net
but don't have any IT staff. For example, we have organizations
who have purchased, say, three, four or five servers,
we manage and provide support for.

NewsForge: Do Linux and the Open Source aspects make "making a living" easier, harder, different?

Wreski: Easier, definitely. If it wasn't for the Open Source nature of
everything we do, if we had to tackle this using proprietary software, it
would be cost-prohibitive.

NewsForge: Is any of your stuff proprietary/closed?

Wreski: Anything we do is completely Open Source under GPL or other qualified Open Source, but we also resell closed-source products such as anti-virus packages.

NewsForge: Does Guardian sell non-Open Source software? Do you have
in-house tools you don't make available as Open Source?

Wreski: We have a suite of security tools we've put together that help organizations verify that their security policy is being upheld, and a number of tools we maintain internally for troubleshooting, performance tuning, primarily for development and for security testing.

We believe wholeheartedly in the Open Source model.
Our engineers use development tools from existing Open Source projects and
will continue to submit changes to their origins for inclusion in future
versions.

Everything we develop is released under an Open Source license.
However, we do have some proprietary tools that we have created to assist us
in development, customization and troubleshooting.

NewsForge: Are your customers usually already using Linux/Open Source, or are you often having to also make the concept pitch for Open Source?

Wreski: About 17% of the people that download our Community version
have no Linux experience.

For corporate customers, a good portion of them get the product installed and
get online, but have one question or more about issues that someone with
Linux experience would have understood or known how to handle.
So I suspect a lot of our professional user base does not have Linux experience.

And that sector appears to be growing -- partly due to the Microsoft licensing change,
and the imperative to maintain a secure presence on the 'Net today.
People understand that security is a prime concern. And though Microsoft is
making an effort to be secure, organizations need to make a decision now.

NewsForge: What's the cost-comparison between EnGarde and a Microsoft solution?

Wreski: Our software is $549 to start, for the professional version,
with support, etc. And the EnGarde WorkGroup suite (Windows file and print
sharing, VPN, web mail and other intranet), is $50 total. Plus $219 a year
for the Guardian Digital Secure Network for updates [Per CPU/"box" -- cheaper
as a customer has more boxes, or through resellers]. So that comes to
about $800 for corporate email, file and print services.

For a Microsoft solution, you'd need the server operating system (2000 or NT),
plus user licenses for each user to get on the net, share files, etc.
That's probably about $800 plus $30 per user, just for the core file and print
capabilities -- that doesn't include corporate mail (Microsoft Exchange), Web mail,
or firewalling.

We include basic gateway firewalling, what you'd expect for a cable modem.
It's not a replacement for a full firewall like a Checkpoint server
or Nokia firewall.

The real differentiator is the preparation and installation to
get configured and online -- you can be up, and transferring user accounts
and sharing files with Windows clients within an hour or two.
Versus with Windows, to get online, it's a six-hour time
differential to apply the system updates, make it secure,
begin configuring it.

NewsForge: What kind of difference does using Linux/Open Source seem to
make in the products you sell?

Wreski: Consistency and reliability are some of our most important functions.

Configuring off-the-shelf Linux or Windows, it's important to note
that you have to start with a secure foundation, which requires a
significant effort and often isn't possible. You then have to go
through configuring files, by hand, and maintain that level of security
throughout the server's life cycle.

Ours is engineered to be secure, so there isn't that initial configuration
that needs to be done.

E.g., if you build a Web server today from an off-the-shelf Linux distro,
you would go through the whole administrative process and have to remember,
months later, when you want to do another Web site, what you'd done. With EnGarde,
you can use our web management tools and know it'll generate a secure
site for you.

NewsForge: What Linux is EnGarde built on?

Wreski: We have in fact engineered EnGarde from the ground up using
best-of-breed tools from numerous sources. It's compatible with Red Hat
in that we use RPM. We use some of the networking from Debian. Even
the kernel has been specially configured to enhance security. We've made
changes to improve security all the way from the kernel up. We've done
auditing on some of the tools, so we've skirted many of the security
vulnerabilities that have afflicted other Linux distros. The principle
of "least privilege" is pervasive throughout its entire design.

NewsForge: Do you feel you have competition from BSDs and other Linuxes?

Wreski: We have a great deal of respect for the level of security
that OpenBSD has acquired through their auditing and community participation,
but we've added corporate support and ease of management and enterprise
services on top of our Linux.

Microsoft is a competitor, in Internet and connectivity space.
And for web services, Red Hat. I'm not sure there's any competition
from the security and ease of management space.

NewsForge: Does Open Source make it easier to spot and fix bugs?

Wreski: Yes. If it wasn't for the Open Source nature of our business model,
I don't believe we'd be doing as well. We're in constant communication with
our customers, many who applied for our beta tester work with the development team.

NewsForge: Do you see culture shock from some customers?

Wreski: It's an interesting paradigm shift for [many of] them, when
they call somebody looking for support, they know they're speaking to the people who
architected the code and have the answers ... and they can walk through
the code together, e.g., "when I went through this object I was able to
trace it back to here."

A lot of organizations simply don't care what's under the
hood. Even organizations that are very security conscious, they know
it's Linux at the core, and that the source is available, and the differences that
makes, but they also understand it solves their particular problem,
and the other solutions don't -- and that's what matters most.

NewsForge: What kind of security problems are we talking about, for example?

Wreski: EnGarde prevents a number of DoS (Denial of Service) attacks,
prevents privilege escalation, information leaks. For example,
the average user can't discover information about the system that they
don't know to do their job, e.g., a Web admin doesn't need to know how
the DNS server is configured.

We've removed or not added or found alternatives to programs that have a
poor security history, such as in SNMP -- think back to the March/April 2002
CERT advisory
on problems with the SNMP daemon. We have our own routines, so we avoided
that whole problem, which had rippled through the industry.

We've addressed buffer overflows, we beat HP and other organizations
with their secure Linux offerings. Regarding problems like Klez, we'll be announcing
things for corporate mail security, virus scanning, unauthorized mail.

We're dealing with repelling hacker attacks. We're working on
reducing the threat, mitigating risk. To restrict unauthorized
connections, and give better control, we'll be introducing a proxy and
IDS (Intrusion Detection System), to monitor traffic as it goes in and out,
act as a choke, and act as a central point for administrators
to concentrate their efforts on.

NewsForge: Are you seeing increasing demands for security such as
Guardian provides? Any sense of how much that is due to increased
use of the 'Net, increased level of (or awareness of)
"cyberthreats" (DDoS, viruses, etc.)?

Wreski: Over the past several months we have seen the economy downturn
affect organizations, as administrators no longer serve single roles
within, but are required to perform functions they may not necessarily
have the time to allocate to them that they deserve. EnGarde allows
these administrators to build a secure site and know that it will remain
as secure as possible with little effort.

NewsForge: Where do new sales come from? New sites, or conversions?

Wreski: It's tough to say. Many have been using Linux and were hacked.
They're ready to let us secure it. Maybe thirty per cent are Microsoft shops
ready to try something else.

Daniel P. Dern is a freelance technology writer.
Most recently he was executive editor of Byte.com. His Web site
is www.dern.com.
