
Mix-and-match open source for corporate networks

May 01, 2006

Approach raises key question: Is it appropriate for enterprise use?


Some say open source software is not worth using. Some say it infringes on patents. Some say it will save the world.

Setting aside the religious hype, open source software raises a serious technical question: Is it appropriate for enterprise use?

The OSS InteropLabs Initiative explores this query. During InteropLabs' HotStage event in early April, the team assembled a group of components to show how a substantial enterprise could use open source software to run its IT infrastructure.

The scenario is this: A large corporation with its purely open source network acquires a smaller company, which then has to migrate from being a pure Microsoft shop to interoperating with the open source network of its new parent. This fictitious enterprise requires the network services of any growing company: departmental communications, file storage, e-mail, VoIP telephony and a network infrastructure to support users.

Four racks of HP Proliant DL320 1U servers and assorted appliances were configured to represent a typical network topology. A server farm of Red Hat Fedora Core 4 servers and a mix of other Linux platforms, including several IBM/Lenovo laptop clients and network appliances based on open source software from Vyatta and Force10, supported the applications and services running across the network.

Those services included OpenXchange (from for e-mail and calendaring, Samba (from for file and print sharing, Asterisk for VoIP telephony, and Apache for Web-based services.

Also in the network were OpenLDAP ( for directory services, Bind and DHCPD (from the Internet Systems Consortium, for naming and IP address management, FreeRADIUS ( for authentication, Cerebrum ( for identity management and Xorp (, Bird ( and Quagga ( for routing.

For media streaming, the team tapped Icecast ( and VideoLAN ( open source wares. Implementation was not without its hard-fought glitches, but this was a fully functional corporate network, right down to its YUM server ( used for managing patches and updates.

Overall, anyone observing this network being built from the ground up and tested for demonstration purposes would see it has the same protocols and services a commercially based equivalent would. The functionality is similar. The reliability is acceptable, as long as care is taken about what features and performance parameters are set up.

The price is reasonable (assuming money is spent on commercial releases and service, because the software is free), and the security is comparable to that of commercial products.

When people compare open source with proprietary software for enterprise use, the question usually boils down to, “Is OSS good enough?” Historically, this is a fair question. For example, Samba 4 is on the verge of achieving the level of functionality that Active Directory has, in terms of managing users, accessing post-NT authentication capabilities and functioning in an Active Directory-based infrastructure.

Open source software can be considered a viable alternative to closed source only if products are under active development, picking up new features at a reasonable rate and being regularly maintained to address security and interoperability. In last year’s InteropLabs demonstration, there were issues with , authentication and Active Directory integration.

In general, our testing shows that this year’s open source products are better – in terms of reliability and sophistication – than the wares we demonstrated last year. Many of the components selected this year, including OpenXchange, Fedora, PAM for assisting in -based client authentication, OpenLDAP and the software routers have been upgraded to offer better interoperability.

As an example of where open source very well may be ahead of the commercial curve, we can point to the Cerebrum identity-management project. Developed mainly in Norway, this code lets you centrally control Active Directory users while maintaining consistency with PAM-based Linux user access, LDAP and RADIUS-based authentication. Cerebrum uses a Postgres or Oracle database as the central identity store.

The software is extensible in that it can deploy information to LDAP and Active Directory (via a Win32-native bridge) and to conventional Linux/Unix infrastructure components, such as /etc/passwd and /etc/sudoers. It includes a security strategy – the various Cerebrum components communicate over a secure Remote Procedure Call mechanism, and there are guidelines for using keys and passwords in a secure manner.

For now Cerebrum is useful in supporting groups of users. Because it can be used to deploy policy information, it’s also the sort of tool you’ll need when you upgrade your switch fabric to and you suddenly need a virtual LAN destination and policy for each user.
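Cerebrum's value, as described above, is that one central identity store stays consistent with every consumer it deploys to. The following is an added example (not Cerebrum's or any project's own code) of the kind of drift check an operator could run against two of those consumers, /etc/passwd and /etc/sudoers; the central records, the file snapshots and the assumption that root is locally owned are all constructed.

```python
# Added example, not Cerebrum's own code: a drift check for the consistency the
# article describes. The central store is the source of truth; /etc/passwd and
# /etc/sudoers are consumers it deploys to, and anything they carry that the
# central store did not issue is reported. All data below is constructed.

CENTRAL = {            # login -> (uidNumber, sudo granted by central policy)
    "alice": (1001, True),
    "bob":   (1002, False),
}
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1003:1003:Bob:/home/bob:/bin/bash
carol:x:1004:1004:Carol:/home/carol:/bin/bash
"""
SUDOERS = """\
# constructed sample sudoers
Defaults env_reset
root  ALL=(ALL) ALL
bob   ALL=(ALL) ALL
"""
SYSTEM_ACCOUNTS = {"root"}  # owned locally, never managed by the central store

def parse_passwd(text):
    """login -> uid from passwd lines (login:x:uid:gid:gecos:home:shell)."""
    return {f[0]: int(f[2]) for f in (ln.split(":") for ln in text.splitlines())
            if len(f) >= 3 and f[0]}

def parse_sudoers(text):
    """Logins with a user rule; comments, Defaults and %group rules are skipped."""
    return {ln.split()[0] for ln in map(str.strip, text.splitlines())
            if ln and not ln.startswith(("#", "Defaults", "%"))}

def find_drift(central, passwd_text, sudoers_text, system=SYSTEM_ACCOUNTS):
    """Sorted findings where a consumer disagrees with the central store."""
    findings = []
    for login, uid in parse_passwd(passwd_text).items():
        if login in system:
            continue
        if login not in central:
            findings.append(f"orphan: {login} in passwd but not in central store")
        elif central[login][0] != uid:
            findings.append(f"uid mismatch: {login} passwd={uid} central={central[login][0]}")
    for login in parse_sudoers(sudoers_text) - system:
        if not central.get(login, (0, False))[1]:
            findings.append(f"sudo not authorised centrally: {login}")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(find_drift(CENTRAL, PASSWD, SUDOERS)))
```

It reports only what the consumers carry beyond what the store issued; a grant present centrally but missing locally (alice's sudo here) is the other direction of drift and is left to a separate check.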

Open source software continues to show improvement, and there continue to be examples of its practical application. In some areas it might lag behind in quality or features, compared with a commercial equivalent, but there are many examples where it’s at least good enough when compared for reliability, maintenance or features. And there are some areas, such as identity management, where advanced tools offer insight into what future commercial offerings might provide.

The InteropLabs initiative shows that open source software security, reliability and features are at or near the level needed to make it enterprise-ready.

Rodney Thayer is a private network security consultant in Mountain View, California. His practice includes exploit analysis, architecting secure networks, and cryptography. His background is in the development and deployment of network security devices, having participated in the development of various implementations of IPsec, SSL (TLS), and digital certificate systems. He has also worked in the area of security network management. He can be reached at
