I’ve found that things that are free of charge are often not a good deal.
TANSTAAFL, or “There ain’t no such thing as a free lunch.” You’re always paying in some way. Maybe the piece of hardware is marked up more to cover the development cost of the “free” software that comes with it. Perhaps it’s the drug dealer model, where the first one is free to get you hooked. Sometimes you’re the product, and the “free” thing is spying on you with the hopes of making more money from ads or sales later. Certainly nearly every “free” web service is structured that way.
Beyond monetary cost, though, you paying for things with your time. “Free” things often fall into the “good enough” category, and “good enough” can be a trap. Best-of-breed products might cost money but you make that back in time saved, services delivered reliably, and higher efficiencies. Things that are merely “good enough” trade on your time, relying on humans to make up the difference. Sometimes they trade on your customers’ time, too, with downtime and complications in delivering services. In not doing the whole job they force you to buy something more, whether it’s more software to fill a gap or more hardware to make up for inefficient operations. Or, if you can escape buying something you often make up the difference with processes. These all cost time, money, and add unwelcome complexity.
Even worse, things that are “free” can have serious negative value. At best, a tool is another application you need to install, support, back up, and keep updated, just like your HR system or a web application. In fact, many “free” tools are built on the same components and need the same amount of effort. It might even need commercial software licenses for the operating system or SQL server. All of this is overhead and doesn’t move you or your organization forward.
The need for licenses is often skirted by delivering the software as a virtual appliance. Ask yourself what incentive the purveyor of a free tool has to patch it, to make sure it can be backed up and restored, and to configure it securely? All those things cut into their margins. I’ve scanned quite a few virtual appliances with security scanners, and the results are scary. If these “free” tools aren’t stealing your data outright they’re making it very easy for bad actors to do it to you.
People in the open source movement, when discussing free software, often have to delineate what kind of freedom they are talking about. “Free as in beer” meaning no charge, but the source code isn’t necessarily open. “Free as in speech” meaning that the source code is open. When it comes to the “free as in beer” tools we’ve been thinking about here I often use the term “free as in puppy.” That cute puppy dog you adopted from a friend is going to cost you thousands of dollars and hundreds of hours of your life, time you will never get back again. Are you sure you want to do that to yourself and your organization?
Your mission, from now until the end of your life, is to treat everything that’s “free” as if it’s a Trojan horse. If you can’t say no to something outright ask some questions:
- Can I call support for this product?
- Does it collect data? What does it collect? Where does it send that data? How does it secure the data in transit? Is the data anonymized? Who can see that data? Can I disable or block that without impacting the functionality?
- How do I patch it? Where is the documentation for patching? There are vulnerabilities discovered in every OS every week. When was the last patch release?
- What operating system does it run on? Do we have expertise in that operating system? Is that operating system still supported by the vendor?
- Does it need licenses of any sort to run? OS? SQL? Java? Remember you can’t run certain Java versions commercially anymore without a license. Are there license levels or limits to the “free-ness” of the product?
- How do I get to it? Web interface? Does it need Flash or Java? Can I install my own SSL certificate? Can it be restricted to TLS 1.2 or newer? What browsers does it support?
- Is the host-based firewall enabled? Is it configurable?
- Is the SSH server key generated at first boot so it is unique? Can we disable SSH?
- What other services run on this appliance?
- Can it send its logs to a SIEM? How? Does it support more than one target? Does this include the application logs?
- How does it do authentication? Are there password complexity guidelines?
- How do I back up the configuration? How do I restore it?
- Can I replicate it to a DR site? Are there latency requirements? Have you tested it across a WAN?
- What security guidelines does the product conform to? Is it PCI compliant? NIST 800-53? Does it implement the Center for Internet Security’s benchmarks?
- Do I have to use it as a virtual appliance, or can I install it on an OS that we installed and secured?
- Are there any other ways to achieve what this tool does? Are there other products or methods on the market? Is there a way to do this with the CLI? Are there Powershell modules? What SDKs are available, and for what languages?
- Will there be ROI for the time and effort invested here? This is a question for yourself and your own team.
“That’s a lot of questions,” you might think. But hey, there might be a lot of bad dudes in the belly of that wooden horse, too. Better find out before you bring them inside the walls.