Open source security software can allow value-added resellers (VARs) to solve a customer's problem with little or no upfront cost for the software. However, there are some very important questions that need to be asked and answered honestly before any open source security solution deployment is considered.
First, keep in mind that "open source" does not necessarily indicate a lack of commercial or community support. Some open source security software developers offer free support while others offer fee-based support – some are flat-fee based and others charge on a per-incident basis.
It is important to thoroughly explore the options available to the customer, as there are companies that provide installation and support for open source security software. In fact, this represents a great opportunity for VARs that have the right expertise.
Second, consider the criticality of the service being provided by the solution. Should an issue arise, there is a big difference in business impact of an in-line firewall or IPS product versus an out-of-band IDS or vulnerability assessment product.
Third, what will the customer do if the licensing model changes and the product is no longer available free of charge, or support/development is halted?
Lastly, consider the platform upon which the open source security solution will be deployed. With the advent of virtualization, the availability of complete virtual appliances and the ability to re-use older hardware are additional compelling reasons to consider open source security software.
Investing in the right portfolio of open source products can be a fantastic way to manage security investments and focus dwindling budget allocations on things that matter most.
For VARs, it's all about managing expectations, risk and budget -- open source or otherwise.
This was first published in December 2007