The deployment of IIML's information security infrastructure was completed, and the project completion was signed off with Bangalore Labs on November 5, 2001. Problems started surfacing at the end of December 2001. Performance of the firewall deteriorated, and there were frequent network disconnects with the firewall server. Since all the internal and external traffic was being routed through the firewall, the users started noticing an increase in the Web traffic response time. Some users who used services such as remote login (Telnet) to outside computer systems were not able to do so, because of the policies incorporated in the firewall. Complaints started pouring in at the help desk of the Computer Center. Even though the consultants at Bangalore Labs were in constant touch with the IIML Computer Center and were coming up with some solutions, the problems persisted. At this stage, there were the following three issues regarding the security infrastructure project that raised alarms for IIML:
Would the OSS components withstand the rigor of the operational environment? Would OSS really reduce the total cost of ownership?
Does outsourcing security management lead to compromises?
Has the deployment of the security infrastructure reduced the functionality of the services?
Repeated attempts by the security consultants at Bangalore Labs and the support team at Astero, Germany, could not provide a permanent solution to the decreasing performance and throughput of the Firewall. In early January 2002, Astero released the new version of its Firewall, which had bug fixes for some of the problems, including the high swap usage problem experienced at the IIML site.
The open-source software movement believes in producing a product that can be tested by millions around the world. There are user forums such as those available at http://www.snort.org, where the worldwide user community shares its experiences and problems. Solutions for troubleshooting or enabling a new feature that is not mentioned in the documentation can be found through these forums almost instantaneously. However, since these are technology intensive, it is normally impossible for non-experts to fix problems, as pointed out in Gill (2002). Having the source code did not really help IIML, as the Computer Center staff was unable to make changes to the code and patch up the bugs. They had to depend on the SSP, who in turn depended on the vendor and the user community to solve the problems. It took time to find a solution, in contrast to what the advocates of OSS point out.
Even though Bangalore Labs sent the new version of the firewall to IIML under the contract agreement without any additional fees, the trend in the freeware market throws up uncertainties for IIML. The ideological purity of the open-source software business is being diluted as start-ups build proprietary products on top of an open-source solution. For example, Sistina, which developed an open-source file system that multiple computers can share, changed course in August 2001 and switched to a closed-source license for the newer versions of its Global File System (Shankland, 2001). Shankland (2001) also points out that many other companies have followed a similar path, becoming increasingly protective of their intellectual property. Astero, which started improving the security features of Linux when it started the product development on Astero Firewall, has also developed additional components that are integrated into the firewall. The firewall code is supported under the GNU public license. However, the Web interface for managing the firewall and other components, such as the "Up2Date" services, which provide updates on bug fixes and new releases, are not provided as part of the licensing agreement. Astero charges about $4,000 for commercial use of its Firewall software and an annual renewal fee of $1,000 for 500 active Internet Protocol (IP) addresses. The migration of freeware software to commercial proprietary software will affect the total cost of ownership of the security infrastructure of organizations, especially those in developing countries that have limited budgets for security management.
Since the maintenance of the security infrastructure had been outsourced, IIML had to depend on the SSP for solving any problem that cropped up. The consultants at Bangalore Labs and even in some cases the vendor of the firewall were given access permission to log in to the Firewall through the VPN connection to look at the trouble spots and analyze the system logs. Does this not leave the security infrastructure of IIML completely exposed to SSPs and the vendors?
Some are of the opinion that since open-source software does not hide the source code, it is inherently vulnerable. But Swift (2001) says, "Security through obscurity is a common misconception" (p. 30). In practice, attackers do not need to know the source code to find vulnerabilities. Hence, the "security through transparency" movement gained attention, along with the widespread deployment of open-source software. Security experts tend to agree that computers are less prone to hacking and viruses when running open-source software like Linux and the Apache Web server. However, once the security management is outsourced, even though an open-source software solution is implemented, it opens up vulnerabilities and "back doors" for the SSPs who install and configure the security components. While for an educational institution such as IIML, security threats from SSPs may be minimal, for a business organization it is certainly a matter of utmost concern.
Mr. Mohapatra, manager of the Computer Center at IIML, is exploring whether the security and email administrators can be sent for security training programs to develop in-house expertise so that some of the common problems can be internally solved, instead of being referred to the SSP. High-profile hacking incidents last year are serving to spur the focus on security training initiatives by organizations. For example, USAA plans to spend 10% of its IT training budget to enhance its security policy training (Dash, 2002). While it is possible for USAA to spend a sizable budget for security training, small and medium-sized organizations with limited budgets for security will have to think twice before embarking on such an expensive exercise.
Even though the IIML security policy developed by the security team was circulated among the user community for comments and suggestions, some services that have multiple vulnerabilities such as video and audio chats (ISS, 2002) had to be stopped. This proved to be a deterrent for some faculty who do collaborative teaching and research with other institutions around the world. Also, IIML students were not able to participate fully in some global virtual team projects because of the non-usability of certain technologies. Thus, the comprehensive information security infrastructure, while protecting IIML, restricts the flexibility of service offerings.