Open Source & Free Software At The 451 Group

When we talk about the model of open source and free software in the enterprise not being a zero-sum or all-or-nothing endeavor, we’re pointing not just to knowledge gained through our regular discussions with vendors, but also to our own experience. The 451 Group is not a large enterprise, but we share some of the same pain points as large enterprises: we have forward-facing servers, a complex intranet, geographically disparate offices and a highly mobile workforce.

In the interest of furthering the conversation about open source and free software, we thought we would share our experiences with a hybrid of open source, free and proprietary software. We don’t think we’re doing anything cutting edge, and that’s precisely the point: as an organization, The 451 Group has determined that the open source and free software it uses is stable, predictable, tested, supported, documented, updatable, secure and, if not enterprise class, certainly by any objective measure, business class software.

The 60 or so employees of 451 work at our offices in New York, London, Boston and San Francisco, plus telecommuters from around the country. Those employees almost exclusively run Windows, but there are some exceptions. I run Ubuntu (Breezy and Dapper) Linux on the desktop and maintain Gentoo and Engarde servers; Open Source Practice head Raven Zachary runs Mac OS X on an Intel dual core machine and Ubuntu, Fedora Core, and Windows under Parallels; Editorial Director Lee Bruno uses a Mac OS X Powerbook and our IT support staff run SUSE Linux on one of his two desktops – the other, his main work machine, runs Windows.

As an organization, 451 does not support the use of anything on the desktop other than Windows. That’s not to say that it’s not permitted (all those non-Windows users mentioned above are running company-owned machines), or that IT won’t offer unofficial help. But it does require that employees wishing to use a non-Windows OS are capable of doing it without hand-holding. Basically, we’ll let you run what you want so long as you don’t go crying to IT every time you want to type a letter or check your email.

On the desktops, most employees run Microsoft Office, and most also run Mozilla Firefox as the main browser. Gaim is used as a chat client, and several analysts use Thunderbird on Windows. Very few run Openoffice.org on Windows.

My desktop is the traditional Ubuntu Gnome environment; I run Sun Java 1.5 and use Jedit as my main text editor, plus Openoffice.org, Thunderbird mail, Firefox, Gaim and other typical Gnome apps.

Servers
Our servers run Red Hat Enterprise server and CentOS. Our main servers run LAMP stacks to run the 451 Group’s content management system. One of the most important the benefits of running LAMP on our systems is the fact that we are not stuck with any vendors to modify the code of our content management system.

The 451 Group’s in-house programmers develop and expand our site using PHP and store our content using the Open Source db servers MySQL and PostgreSQL. We’ve found that the configuration is very efficient, and runs without a hitch - our public website has been up and running for almost a year without a reboot on that machine. Our internal and forward-facing blogs are run on Wordpress, which was fast and easy to set up. Similarly our Calendaring system for internal scheduling runs on Plans, an open source application which runs on Windows and Linux.

We use PHP based H2desk help desk trouble-ticketing software from Heathco Software (Heathco also makes a seriously excellent PHP-based website search engine which I have used on several sites).

Email and Open Source
Our email server comprises Qmail, Courier-IMAP, Clamav and SpamAssassin. Prior to the migration to that platform, we used POP and sendmail for mail delivery, but that afforded us no central mail storage or management. We chose Qmail because it is reasonably secure, and fast compared to Sendmail. Support of maildir folders was a very important consideration in our selection of Qmail and Courier-IMAP (if you’re curious about some of the advantages of IMAP over POP, have a look at this).

Spam
When spam messages spiked at 120 per day per user, we selected spamassassin. While the out-of-the-box spamassassin configuration is okay, it was insufficient to stop the amount of spam we were receiving. We tweaked the SpamAssassin configuration, adding Vipul’s Razor, Distributed Checksum Clearinghouse and special spamassassin rules imported from Rules Emporium. The resulting combination cut our spam by 98%. The small amount of spam that still gets through gets manually added into a special mail folder, where Spam Assassin’s Bayesian analysis feature indexes and adds it to its database for future recognition. It is worth mentioning that, to date, no employee has reported a false positive, and we haven’t had to upgrade our existing setup which was installed a year ago.

Email virus scanning
All inbound email is scanned using a copy of Clam-AV which was compiled from source and configured for fast scanning. Contaminated messages are inoculated, labeled as having contained a virus, and users can delete or ignore them. Automatic updates are run hourly against the ClamAV servers for new virus definitions (Evgenny Kaspersky poked fun at me for this: ‘Ah, Clam,” he said. ‘We’ve been clean for a year,’ I said. ‘That you know about‘ he said.).

Some of this is hard to set up, but any business of this size simply must have someone capable of doing this. The cost of my not running MS Office, Adobe Acrobat and Photoshop alone could pay for someone to configure everything I’ve mentioned above, provided I installed everything myself and don’t ask for support. And the good part about this setup is that once it’s installed, it needn’t be touched, sometimes for years – except for patches and upgrades.

Security
With a highly mobile workforce, browsing the web and checking email from unsecured public networks necessitates either a VPN or, for us, tunneled connections and a Squid proxy. Freely available tools, like dsniff, tcp dump, ethereal and other network sniffers are routinely used by malicious folks of all skill levels to collect data like user names and passwords, URLs, text messages etc for fun or profit. To protect against this eavesdropping, we provide the capacity for remote users to create multiple tunnels for email - allowing analysts to connect to our servers from public wireless networks without sending passwords or messages in clear text. A connection is made to one of our servers where our OpenSSH server authenticates the user and allows them to login. On Windows machines we use Putty to create tcp tunnels to our mail server. Users don’t have shell privileges on the servers, which reduces the risk of maintaining this service.

Our mobile workers also need to enter important data into our content management system, via SSL. For other web traffic, we maintain a Squid open source proxy server to tunnel HTTP traffic and browse the web securely.

Remote Support
With such far-flung offices, remote tech support is a necessity. Open source applications and free software tools like Tight VNC tunneled through SSH have allowed The 451 Group to provide this.

Backup
We’ve tried to find open source methods to allow us to perform backups of laptop computers, but it’s been a challenge. Linux backup utilities can be complicated, but to be fair, Windows backup products come with challenges of their own. Eventually our programmers devised a fairly basic batch backup script which has effectively backed up machines without user intervention. Our NAS box runs a Linux kernel and SAMBA for NETBIOS.

PDF creation
In order to create Adobe Acrobat-formatted documents, we standardized on the open source PDF creator, a great tool that helps us print word documents or webpages and save the output to a PDF file. I use the standard *nix utility ps2pdf as well.

–Many thanks to 451’s Systems and IT Support Engineer Marco Maldonado for his extensive contribution to this post