The Case for Tripwire - PowerPoint PPT Presentation

Slides: 15
Provided by: CHRI126
Transcript and Presenter's Notes

1
The Case for Tripwire
  • Nick Chodorow
  • Sarah Kronk
  • Jim Moriarty
  • Chris Tartaglia

2
The DMZ at OurCompany
  • External, customer-facing websites sit in the DMZ
  • Includes DNS, mail, data and application servers

3
The DMZ and Risk
  • Internal Risk
    • Botched migration of software
    • Patch application gone awry
  • External Risk
    • DMZ is exposed to the Internet
    • Intruders could modify, remove, or add files to
      the servers, resulting in a multitude of issues

4
Is Tripwire the solution?
5
What is Tripwire?
  • The most popular host-based IDS for Linux
  • Also popular with Windows
  • Change monitoring and analysis tool
  • Establishes control over both authorized and
    unauthorized changes on servers
  • Provides enterprises with
    • High availability
    • Compliance with regulations from internal and
      external policies
    • More effective systems security

6
What can Tripwire do?
  • Detect
    • Provides change detection across network servers,
      routers, switches, firewalls, etc.
    • Captures all changes (malicious and authorized)
  • Reconcile
    • Rapidly determines which files have been changed
  • Report
    • Audit logs
    • Real-time notification (e-mail)
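The detect/reconcile/report cycle above is the core of any host-based integrity checker. The following is an added example, not code from the slides or from Tripwire: a minimal baseline-and-compare checker in Python that hashes file contents, records the metadata that matters (mode, owner, size), and reports what was added, removed or changed. The exclusion list for directories with legitimate churn (logs here) is the knob that keeps false positives down; the sample tree and the changes made to it are constructed for the demo.

```python
import hashlib
import os
import stat
import tempfile

def file_record(path):
    """Content hash plus the metadata an integrity checker keys on."""
    st = os.lstat(path)
    h = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):  # symlinks and devices: metadata only, no content hash
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "size": st.st_size}

def snapshot(root, exclude=()):
    """Baseline: record every file under root, skipping excluded relative prefixes."""
    db = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if any(rel.startswith(p) for p in exclude):
                continue  # paths that change legitimately (logs, spool): the knob against false positives
            db[rel] = file_record(path)
    return db

def compare(baseline, current):
    """Reconcile: which files were added, removed or changed, and which attributes changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in set(baseline) & set(current):
        diffs = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
        if diffs:
            changed[rel] = diffs
    return {"added": added, "removed": removed, "changed": changed}

def demo():
    """Constructed sample tree: take a baseline, make changes, run the check again."""
    with tempfile.TemporaryDirectory() as root:
        def put(rel, text, mode="w"):
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), mode) as f:
                f.write(text)
        put("htdocs/index.html", "<h1>OurCompany</h1>")
        put("logs/access.log", "GET / 200\n")
        base = snapshot(root, exclude=("logs",))
        put("logs/access.log", "GET /x 404\n", "a")      # expected churn, excluded from the baseline
        put("htdocs/index.html", "<!-- defaced -->", "a")  # unauthorized edit of a web file
        put("htdocs/unexpected.html", "")                 # unauthorized new file
        return compare(base, snapshot(root, exclude=("logs",)))
```

In a real deployment the baseline database would be stored read-only or off-host, since a checker that trusts a writable baseline can be silenced by rewriting it.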

7
Cost of Implementation
                    Year 1      Year 2     Year 3
Fixed Costs         24,000      0          0
Maintenance Costs   4,400       4,400      4,400
Labor Time          375 hours   50 hours   50 hours
  • 24,000 for 25 servers
  • 120/server and 1400/management station
  • implementation, familiarization, training,
    testing

8
Management Buy-In
  • Problem
    • High initial cost and man-hours
    • Management not concerned with internal risk
  • What sold Management?
    • The ability to monitor the DMZ 24/7 for illicit
      activity and then be able to recover quickly

9
Deployment
  • Initial deployment
    • One management station
    • Tripwire client running on 2 web servers and 1
      data server
  • This deployment was a success
  • Full-scale deployment followed

10
Concerns
  • Too many false positives
    • Due to misconfiguration
    • Server group less likely to promptly address
      real issues
  • Do Tripwire vulnerabilities exist?
    • 2004 format string vulnerability
      • When an e-mail report was created, a local user
        could execute arbitrary code with the same
        rights as the user running the file check
        (usually root or the sysadmin)
    • 2001 symbolic link attack
      • On Linux and Unix, Tripwire opens insecure
        temporary files with predictable names in
        publicly writable directories. Using a symbolic
        link attack, a local intruder may overwrite or
        create arbitrary files on machines running
        Tripwire.
    • Others ?????

11
Alternative IDS Products
  • Symantec IDS
    • Only true real-time monitoring service in the
      Managed Security Services industry
    • Host-based
    • Centralized console management
    • Can view network-based IDS in the same console
    • Price varies with support
    • Different levels of service can be purchased
  • Why was Symantec IDS not chosen?
    • OurCompany already uses Symantec Anti-Virus and did
      not want a single-vendor security solution

12
Alternative IDS Products (Open Source)
  • Samhain -- http://www.la-samhna.de/samhain/
    • Host-based
    • Centralized monitoring
    • Web-based management console
    • Tamper resistant
    • PGP-signed database and configuration files
    • Terms under GNU General Public License
  • FCheck -- http://www.geocities.com/fcheck2000/fcheck.html
    • Perl script creates a snapshot of the system in a
      known state
    • Monitors machines against the snapshot and reports
      inconsistencies
    • Terms under GNU General Public License

13
Alternative IDS Products (Open Source)
  • AIDE -- http://sourceforge.net/projects/aide
    • Stands for Advanced Intrusion Detection
      Environment
    • Similar capabilities to Tripwire
    • Billed as a free replacement for Tripwire
    • Terms under GNU General Public License
  • Integrit -- http://sourceforge.net/projects/integrit
    • Simple, secure alternative to Tripwire and AIDE
    • Small memory footprint
    • Terms under GNU General Public License
  • Why were none of these products chosen?
    • Management at OurCompany does not consider open
      source an option at this time
    • No support plan available for these products

14
Questions ???