The Case for Tripwire® Nick Chodorow Sarah Kronk Jim Moriarty Chris Tartaglia
The DMZ at OurCompany • External, customer-facing websites sit in the DMZ • Includes: DNS, mail, data and application servers
The DMZ and Risk • Internal Risk • Botched migration of software • Patch application gone awry • External Risk • The DMZ is exposed to the Internet • Intruders could modify, remove, or add files on the servers, resulting in a multitude of issues
What is Tripwire? • The most popular host-based IDS for Linux • Also popular on Windows • Change monitoring and analysis tool • Establishes control over both authorized and unauthorized changes on servers • Provides enterprises with … • High availability • Compliance with internal and external policies and regulations • More effective systems security
What can Tripwire do? • Detect • Provides change detection across network servers, routers, switches, firewalls, etc. • Captures all changes (malicious and authorized) • Reconcile • Rapidly determines which files have been changed • Report • Audit logs • Real-time notification (e-mail)
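The detect / reconcile / report cycle on the slide is the whole of what a file integrity checker does: hash and stat every file into a baseline database, take a later snapshot, diff the two, and turn the diff into a report. The following is an added example written for this page, not Tripwire's own code; it implements that cycle in Python with a per-path policy that decides which attributes count for a given path (full check by default, owner/permissions only under a log directory), which is how a deployment keeps expected changes such as log growth out of the report while still catching a chmod on the same file. The sample tree, file names and policy prefixes are constructed for the demo.

```python
"""Minimal host-based change detector in the Tripwire/AIDE/FCheck style.

Added illustration, not Tripwire's own code.  It takes a baseline snapshot
of a directory tree, takes a later snapshot, reconciles the two and reports
added, removed and changed files.  A per-path policy chooses which
attributes are compared, so files that are expected to change (log files)
do not flood the report with false positives while their ownership and
permissions are still watched.
"""
import hashlib
import os
import shutil
import stat
import tempfile

ALL_ATTRS = ("sha256", "size", "mode", "uid", "gid", "mtime")

# Policy: attributes to compare, keyed by relative-path prefix (longest match wins).
# The prefixes and rules here are assumptions chosen for the demo.
DEFAULT_POLICY = {
    "": ALL_ATTRS,                          # default: compare everything
    "var/log/": ("mode", "uid", "gid"),     # logs grow; only watch owner/perms
}


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Return {relative_path: attrs} for every regular file under root."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)          # lstat: never follow symlinks
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            db[rel] = {"sha256": _sha256(full), "size": st.st_size,
                       "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
                       "gid": st.st_gid, "mtime": int(st.st_mtime)}
    return db


def attrs_for(rel, policy):
    """The longest policy prefix matching rel decides which attributes count."""
    best = ""
    for prefix in policy:
        if rel.startswith(prefix) and len(prefix) >= len(best):
            best = prefix
    return policy[best]


def compare(baseline, current, policy=DEFAULT_POLICY):
    """Reconcile two snapshots.  Returns (added, removed, changed) where
    changed maps path -> list of policy-selected attributes that differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(baseline) & set(current)):
        diffs = [a for a in attrs_for(rel, policy)
                 if baseline[rel][a] != current[rel][a]]
        if diffs:
            changed[rel] = diffs
    return added, removed, changed


def report(added, removed, changed):
    """Render the reconciliation as the lines an e-mail report would carry."""
    lines = [f"ADDED   {p}" for p in added]
    lines += [f"REMOVED {p}" for p in removed]
    lines += [f"CHANGED {p} ({', '.join(attrs)})" for p, attrs in changed.items()]
    return lines or ["no changes"]


def demo():
    """Constructed sample: baseline a tiny tree, tamper with it, reconcile."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    try:
        def write(rel, data, mode=0o644):
            p = os.path.join(root, rel)
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as f:
                f.write(data)
            os.chmod(p, mode)
        write("etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        write("usr/sbin/httpd", b"\x7fELF-original", 0o755)
        write("var/log/httpd.log", b"GET / 200\n")
        baseline = snapshot(root)
        # Later state: same-size trojaned binary, new cron job, log appended
        # (expected, ignored by policy) but also made world-writable, passwd gone.
        write("usr/sbin/httpd", b"\x7fELF-trojaned", 0o755)
        with open(os.path.join(root, "var/log/httpd.log"), "ab") as f:
            f.write(b"GET /admin 403\n")
        os.chmod(os.path.join(root, "var/log/httpd.log"), 0o666)
        write("etc/cron.d/backdoor", b"* * * * * root /tmp/.x\n")
        os.remove(os.path.join(root, "etc/passwd"))
        return compare(baseline, snapshot(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print("\n".join(report(*demo())))
```

Two points the demo makes that the slide does not: the trojaned binary has the same size as the original, so a size-only check would miss it and the hash is what catches it; and the appended log line is silent while the chmod on that same log is still reported, which is the difference between a tuned policy and one that merely excludes the directory. In a real deployment the baseline database and the policy file must themselves be protected (read-only media or signed), since an intruder who can rewrite the baseline can hide every change.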
Cost of Implementation (table footnotes) • * $24,000 for 25 servers • ** $120/server and $1,400/management station • *** implementation, familiarization, training, testing
Management Buy-In • Problem • High initial cost and man-hours • Management not concerned with internal risk • What sold Management? • The ability to monitor the DMZ 24/7 for illicit activity … and then be able to recover quickly
Deployment • Initial deployment • One management station • Tripwire client running on 2 web servers and 1 data server • This deployment was a success • Full scale deployment followed
Concerns • Too many false positives • Due to mis-configuration (e.g. a policy that flags attributes expected to change, such as growing log files) • Server group then less likely to promptly address real alerts • Do Tripwire vulnerabilities exist? • 2004: format string vulnerability • When an e-mail report was created, a local user could execute arbitrary code with the rights of the user running the file check (usually root or a sysadmin) • 2001: symbolic link attack • On Linux and Unix, Tripwire opened insecure temporary files with predictable names in publicly-writable directories; using a symbolic link attack, a local intruder could overwrite or create arbitrary files on machines running Tripwire • Others?
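The 2001 issue on the slide is one instance of a general bug class: a privileged process writes to a guessable file name in a directory other users can write to, an attacker plants a symlink at that name first, and the open() follows the link so the privileged write lands on whatever file the attacker chose. The following is an added example written for this page, not Tripwire's code and not its actual file names; it runs the attack in a throwaway directory against a naive open() and then against the hardened form, which creates the file atomically with O_CREAT|O_EXCL|O_NOFOLLOW (tempfile.mkstemp does the same under the hood) and refuses if anything already sits at that path.

```python
"""Predictable temp-file names in shared directories versus atomic creation.

Added illustration of the bug class, not Tripwire's code.  The file names
and the 'victim' config file are constructed for the demonstration.
"""
import os
import tempfile


def naive_write_report(path, data):
    """Vulnerable pattern: open(path, 'w') silently follows an existing symlink
    and truncates whatever the link points to."""
    with open(path, "w") as f:
        f.write(data)


def safe_write_report(path, data):
    """Hardened pattern: create the file atomically with exclusive create.
    O_EXCL fails with EEXIST if anything (including a symlink) is already at
    path; O_NOFOLLOW additionally refuses to traverse a symlink at path."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)      # 0600: report is not world-readable
    with os.fdopen(fd, "w") as f:
        f.write(data)


def simulate(use_safe):
    """Constructed scenario: an attacker pre-plants a symlink where the
    report will be written.  Returns (victim_contents_afterwards, write_ok)."""
    with tempfile.TemporaryDirectory() as shared:
        victim = os.path.join(shared, "victim.conf")    # stands in for a real config
        with open(victim, "w") as f:
            f.write("original config\n")
        guessable = os.path.join(shared, "report.1234")  # predictable name (assumed)
        os.symlink(victim, guessable)                    # attacker's move, before the write
        try:
            if use_safe:
                safe_write_report(guessable, "report contents\n")
            else:
                naive_write_report(guessable, "report contents\n")
            ok = True
        except OSError:                                  # EEXIST / ELOOP from the safe path
            ok = False
        with open(victim) as f:
            return f.read(), ok


if __name__ == "__main__":
    print("naive:", simulate(False))   # victim clobbered, write "succeeds"
    print("safe: ", simulate(True))    # victim intact, write refused
```

The lesson generalises beyond report files: any file a root-owned checker creates in /tmp or another shared directory needs exclusive creation (or a private directory with restrictive permissions), and the check-then-open sequence must be a single system call, since a stat() followed by open() leaves a window the attacker can win.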
Alternative IDS Products • Symantec IDS • “Only true real-time monitoring services in the Managed Security Services industry” • Host-based • Centralized console management • Can view network-based IDS in the same console • Price varies with the level of support purchased • Different levels of service can be purchased • Why was Symantec IDS not chosen? • OurCompany already uses Symantec Anti-Virus … and did not want a single-vendor security solution
Alternative IDS Products (Open Source) • Samhain -- http://www.la-samhna.de/samhain/ • Host-based • Centralized monitoring • Web-based management console • Tamper resistant: PGP-signed database and configuration files • Licensed under the GNU General Public License • FCheck -- http://www.geocities.com/fcheck2000/fcheck.html • Perl script creates a “snapshot” of the system in a known-good state • Monitors machines against the “snapshot” and reports inconsistencies • Licensed under the GNU General Public License
Alternative IDS Products (Open Source) • AIDE -- http://sourceforge.net/projects/aide • Stands for Advanced Intrusion Detection Environment • Similar capabilities to Tripwire • Billed as a free replacement for Tripwire • Licensed under the GNU General Public License • Integrit -- http://sourceforge.net/projects/integrit • Simple, secure alternative to Tripwire and AIDE • Small memory footprint • Licensed under the GNU General Public License • Why was none of these products chosen? • Management at OurCompany does not consider open source an option at this time • No support plan available for these products