Best of Open Source Awards 2013

Bossie Awards 2013: The best open source networking and security software

InfoWorld's top picks among open source tools for managing and securing networks, computers, and mobile devices

The best open source networking and security software

Don't trust that Wi-Fi hotspot? Open source has you covered. Don't trust the government? Open source has you covered there too. Our Bossie winners include a number of neat mobile apps that provide secure communications (end-to-end encrypted phone calls and text messaging) and allow you to browse the Web and send email without a trace. You'll also find top tools for managing passwords, creating VPNs, deploying network services, and troubleshooting those services when things go wrong.

Prey

The Prey Project is a device-tracking application that can keep an eye on your PC, tablet, or phone, regardless of where it wanders off to or with whom. Supporting Windows, OS X, Linux, Android, and iOS, this app tracks your device with pinpoint accuracy, using either the device's GPS or an associated Wi-Fi hotspot to zero in on its location.

If your smartphone is lost or stolen, simply send a text message to the device. For tablets or computers, use the Prey Project's cloud-based Control Panel to select the device as missing. The application can then take a screenshot of the active applications, turn on the camera to catch a thief's image, or fully lock down the device.

-- Victor R. Garza

Orbot

You're not paranoid if they're really out to get you. If they are, Orbot for the Android platform is the tool to use. Leveraging the Tor network to encrypt network traffic and bounce it over anonymous servers around the world, Orbot obfuscates your network data so that email, Web surfing (with companion app Orweb), and application traffic such as Twitter, Facebook, and Chat (with Gibberbot) are free from prying eyes. Other apps that are capable of using a proxy can use Orbot. New to the current Version 12 release: the use of Tor 0.2.4.16-rc and display of total data usage and upload/download speeds in the notification bar.

-- Victor R. Garza

FoxyProxy

Got the NSA on your tail? FoxyProxy is a VPN and HTTPS proxy service that can obfuscate your email and online surfing habits. Touting servers in 53 countries, FoxyProxy works with Firefox, Google Chrome, Safari, Opera, Internet Explorer, iOS, and Android, making your online habits a little more anonymous. Setting up an iPhone or an Android to use FoxyProxy is easy, but instead of proxy, it only allows for VPN connections from these devices. FoxyProxy leverages the fact that you'll be buying VPN/proxy server access from them directly.

-- Victor R. Garza

Onion Browser

Whereas FoxyProxy offers an iPhone VPN, Onion Browser kicks it up a notch and offers a true Tor experience from your iOS device, masking your browsing habits by sending your data around the world. Supporting Tor 0.2.4.14-alpha, Onion Browser creates an encrypted tunnel for your browsing session and obfuscates your phone's IP address. The handy New Identity button clears cache, history, and cookies and requests a new IP address in one step. Onion Browser also offers fallback search engines should DuckDuckGo.com (search engine sans tracking) go down. Downsides to surfing the DarkNet? Your surfing may be a bit slower.

-- Victor R. Garza

RedPhone & TextSecure

When I think of RedPhone, I'm reminded of the direct line to the Kremlin from the president's desk. RedPhone for Android establishes secure and encrypted cellular phone calls between you and another RedPhone-equipped device, but you don't have to be the president to use it.

Using RedPhone is straightforward. Just place a call with your phone's dialer or contacts application as you normally do, and if you're calling another RedPhone user, RedPhone will ask if you want to encrypt the call (RedPhone uses a Diffie-Helman key exchange).

TextSecure -- from the same company, WhisperSystems -- is an SMS/MMS client that encrypts text messages between two TextSecure users. TextSecure uses a derivitive of OTR (Off-the-Record) messaging using AES encryption. 

-- Victor R. Garza

KeePass

Just mention password management to users and watch their eyes fog over. While not sexy, password management can be the difference between losing data and keeping it safe. KeePass, a digital safe for passwords, stores all of your passwords in a single, encrypted vault with a master password or key file that unlocks them when you need them.

KeePass keeps passwords encrypted while it is running so they are never in the clear. Lightweight and able to run off a USB stick without leaving any traces on the host machine, KeePass will run on Windows (and OS X, Linux, and BSD systems running Mono). KeePass can also generate strong passwords for you when you just can't think of Uj11@%5563Wnts_/sw23!

-- Victor R. Garza

OpenVPN

One of the simplest ways to secure private or personal information is simply not to use open Wi-Fi hotspots. If you must, then use a VPN. OpenVPN can create secure point-to-point or site-to-site connections for users and remote access locations; it works though proxy servers, NAT, and firewalls as well. OpenVPN clients are available for the major operating systems including iOS and Android.

OpenVPN can use either TCP or UDP, bypassing some common VPN roadblocks, and it supports hardware-based acceleration to improve performance. Authentication can be handled via preshared keys, certificates, or user name and password combination. SQL and LDAP database authentication can be accomplished with third-party plug-ins. Best of all, it's easy to roll your own OpenVPN VPN.

-- Victor R. Garza

@SSP

The Anti-Spam SMTP Proxy (@SSP) works in tandem with your SMTP server to provide encrypted transport, antispam measures, and virus scanning with almost no configuration required on your primary mail server. Although @SSP supports almost every form of spam filtering, it can be configured to use only the filtering methods you want. 

@SSP automatically whitelists addresses to which you send emails, so your contacts do not get accidentally blocked. It uses a "redlist" to prevent certain addresses from being added to the whitelist. Special addresses can be used as spam honeypots to help add to your spam database. You can use custom regular expressions to identify spam, and you can alter message headers or subject lines based on spam rating.

-- High Mobley

Scrollout F1

Essentially an email firewall, Scrollout F1 sits between the Internet and your email server, and it handles all the heavy lifting. It can be installed (as a complete Ubuntu or Debian ISO) and be running in a basic configuration in less than five minutes. Just give Scrollout the basic network info, the domain, and your email server address and you're good to go.

You can specify the countries that you work with and the aggressiveness of various filters (attachments, geography, URLs). You can block attachments with specific keywords and phrases in the body or attachment, and of course Scrollout will monitor message logs and graph message statistics. Scrollout also provides videos and excellent documentation to get you up and running fast.

-- Victor R. Garza

Zentyal Server

Zentyal Server is a Linux distribution with a helpful configuration interface that makes it easy to set up a full-featured small-business server. Zentyal is the glue that holds together a wide variety of open source software and makes it all manageable.

The distro includes server software for email; IM; VoIP; LDAP and RADIUS; file and print sharing; Active Directory; backups; Web and FTP; and shared calendar, tasks, and contacts. It can also sync with mobile devices. For networking services, Zentyal provides NAT routing, firewalling, QoS, DNS, DHCP, NTP (Network Time Protocol), VPN, intrusion detection, caching, Web proxying, and a captive portal system.

-- High Mobley

Elastix

Elastix is a CentOS-based distro with Asterisk and associated PBX and UC (Unified Communication) software preinstalled and well integrated. It includes a Web GUI for easy configuration of the Asterisk server and all of its extensions and components.

Elastix adds support for faxing, video phones, follow-me, UC integration of mobile phones and headsets via Bluetooth, extensive IM features, calendar and address book, LDAP integration, call recording, and pre-canned PBX reporting.

An additional module can help run a call center, including support for callback. Need high availability? The Elastix wiki has a how-to for setting up clustered Elastix servers to provide fail-over support.

-- High Mobley

ForgeRock

The ForgeRock Open Identity Stack is a Java-based identity and access management solution that combines centralized single sign-on, directory services, and workflow-driven provisioning. Founded by a group out of Sun Microsystems, ForgeRock's light footprint and data model differentiate it from the bloat of Oracle Identity Management.

ForgeRock's OSGI (Open Services Gateway Initiative) modularity means that components such as the reporting engine or Activiti process manager can be swapped out. The forward-looking stack also boasts RESTful underpinnings, support for OAuth2, quick starts for common patterns (like creating a SAML2 provider), and a reverse proxy gateway that extends policy enforcement to both legacy and Web apps.

-- James R. Borck

Maltego

Like a cyber cop on a cyber stakeout, Maltego monitors the comings and goings on your network, determines the relationships among people and resources, and displays a visual representation of these interconnections. Maltego Teeth takes Maltego a step further, from passive data collector to active data gathering tool (especially when fully leveraging Metasploit Integration).

Maltego Teeth can leverage vulnerable servers, crack passwords, and utilize SQL injection to determine possible injection points into a server. Note that the community version of Maltego has a number of restrictions including being limited to noncommercial use. It's well worth springing for the commercial version, for all the information you'll receive in the end.

-- Victor R. Garza

WURFL

With the prevalence of BYOD in the enterprise, detecting which devices are connecting to your internal and external networks is a must. WURFL (Wireless Universal Resource FiLe) is a device description repository that maps HTTP request headers to a specific HTTP client, be it a desktop computer, smartphone, or even a SmartTV. WURFL's device detection provides analytics of Web device access and a simple API to create mobile sites and applications tailored to the needs of the HTTP client. These same capabilities can be leveraged to help you prevent certain sorts of devices from straying where they don't belong.

-- Victor R. Garza

Kali Linux

Spawned from the trusty BackTrack Live CD, Kali Linux is a Linux distro built-from the ground up to be an all-in-one attack and penetration toolkit. Kali Linux has more than 300 penetration-testing and security-auditing programs wrapped in a hard-candy Linux. All the tools in BackTrack were reviewed for functionality and overlap and pared down to the best and most useful.

Kali continues BackTrack's extensive wireless hardware and USB device support; it supports ARM hardware as well. Kali is completely customizable all the way down to the kernel, so you can tweak it to your specific attack and penetration needs. Beware though, this toolkit was not designed to be used by those unfamiliar with Linux.

-- Victor R. Garza

Angry IP Scanner

As much as network admins are reticent to admit it, ping is the most commonly used tool in anyone's network management toolkit. Next on that list might be Angry IP Scanner (aka ipscan). A very lightweight tool supporting Linux, OS X, and Windows, ipscan leverages Java to run without an installer, and it's multithreaded for snappy performance.

ipscan first pings a host to see if it's available. Then it can resolve a host name, determine the MAC address, check open ports, see if a Web service is running, and display Windows NetBIOS information. Scan results can be saved in TXT, CSV, or XML formats. If you know Java, you can customize ipscan by writing a plug-in.

-- Victor R. Garza

Wireshark

Wireshark is the standard application for capturing and displaying Ethernet packets. The Windows version comes with WinPcap, a low-level packet capture library capable of grabbing Ethernet data from a wide range of wired and wireless network devices. Wireshark works in both a real-time mode, which displays packets as seen on the selected interface, or in a playback mode for data previously captured.

Version 1.10 arrived this year with many enhancement along with support for the latest operating systems. Packet views are faster, USB and Bluetooth support has been improved, Tshark (Terminal-based Wireshark) has been enhanced, and the Bitcoin protocol is now supported. Lots of security and other bug fixes make this invaluable network troubleshooting tool even more priceless.

-- Paul Ferrill

OpenWrt & DD-WRT

When Linksys released its firmware as open source in 2003 for the WRT54G-series router/wireless access point, numerous open source projects followed. Ten years later, OpenWrt and DD-WRT offer improved firmware that can supercharge old wireless gateways (Linksys, Netgear, Belkin) or turn a $50 consumer access point into an enterprise device.

These upgrades come with command-line interface, Web GUI, VPN, many wireless versions, and features such as mesh, WDS, OLSR, 802.11s, and BATMAN (Better Approach to Mobile Adhoc Networking). You can download bandwidth monitoring options, captive portal options, IDSes, QoS, Samba, Telnet, SSH, IPv6, and so on. OpenWrt has been the more active project, with more frequent updates and more add-ons, but both are quite excellent and have strong followings.

-- Joseph Roth