The Case for Tripwire®
Nick Chodorow, Sarah Kronk, Jim Moriarty, Chris Tartaglia
The DMZ at OurCompany
- External, customer-facing websites sit in the DMZ
- Includes: DNS, mail, data and application servers

The DMZ and Risk
- Internal risk
  - Botched migration of software
  - Patch application gone awry
- External risk
  - The DMZ is exposed to the Internet
  - Intruders could modify, remove, or add files on the servers, resulting in a multitude of issues
Is Tripwire the solution?

What is Tripwire?
- The most popular host-based IDS for Linux; also popular on Windows
- A change monitoring and analysis tool
- Establishes control over both authorized and unauthorized changes on servers
- Provides enterprises with …
  - High availability
  - Compliance with regulations and with internal and external policies
  - More effective systems security

What can Tripwire do?
- Detect
  - Provides change detection across network servers, routers, switches, firewalls, etc.
  - Captures all changes (malicious and authorized)
- Reconcile
  - Rapidly determines which files have been changed
- Report
  - Audit logs
  - Real-time notification (email)
Tripwire cost of implementation

Item                  Year 1     Year 2     Year 3
Fixed costs*          $24,000    $0
Maintenance costs**   $4,400
Labor time***         375 hours  50 hours

* $24,000 for 25 servers
** $120/server and $1,400/management station (25 x $120 + $1,400 = $4,400 per year)
*** implementation, familiarization, training, testing
Management Buy-In
- Problem
  - High initial cost and man-hours
  - Management not concerned with internal risk
- What sold management?
  - The ability to monitor the DMZ 24/7 for illicit activity … and then be able to recover quickly

Deployment
- Initial deployment
  - One management station
  - Tripwire client running on 2 web servers and 1 data server
- This deployment was a success
- Full-scale deployment followed
Tripwire concerns
- Too many false positives
  - Due to misconfiguration (monitoring files that are expected to change)
  - The server group becomes less likely to promptly address real issues
- Do Tripwire vulnerabilities exist?
  - 2004 – Format string vulnerability: when an email report was created, a local user could execute arbitrary code with the same rights as the user running the file check (usually root or the sysadmin)
  - 2001 – Symbolic link attack: on Linux and Unix, Tripwire opened insecure temporary files with predictable names in publicly writable directories; using a symbolic link attack, a local intruder could overwrite or create arbitrary files on machines running Tripwire
  - Others?
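The "detect / reconcile / report" loop described on the "What can Tripwire do?" slide, and the two concerns above (false positives from monitoring volatile files, and predictable temporary-file names), are easiest to see in a stripped-down checker. The script below is an added example written for this page; it is not Tripwire's code and does not use Tripwire's policy or database formats. It records a SHA-256 baseline of a directory tree, skips paths matched by an exclusion regex (the hypothetical TW_EXCLUDE variable stands in for a real policy's ignore rules), and reports what was added, removed or changed. All file names are constructed by the demo.

```shell
#!/usr/bin/env bash
# Minimal Tripwire-style integrity checker (added example, not Tripwire code):
# snapshot file hashes into a baseline, then report ADDED / REMOVED / CHANGED.

# Volatile paths to leave out of the baseline. Monitoring these is the classic
# source of false positives. Extended regex matched against "./relative/path".
# (Hypothetical variable; a real Tripwire policy uses its own rule syntax.)
TW_EXCLUDE='^\./(log|tmp|var/log|var/run)(/|$)'

# sha256sum on GNU systems, shasum -a 256 on BSD/macOS.
tw_hash() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# tw_snapshot ROOT -> "<hash>  ./path" for every regular file under ROOT
# (minus TW_EXCLUDE), sorted so two snapshots line up for comparison.
# Paths containing spaces or newlines are not handled by this example.
tw_snapshot() {
  ( cd "$1" || exit 1
    find . -type f | LC_ALL=C sort | grep -Ev "$TW_EXCLUDE" |
      while IFS= read -r f; do tw_hash "$f"; done )
}

# tw_baseline ROOT DB -> write the trusted snapshot. Run this only from a
# known-good state (fresh install, right after a reviewed change).
tw_baseline() { tw_snapshot "$1" > "$2"; }

# tw_check ROOT DB -> print one line per difference; return 0 if clean, 1 if not.
tw_check() {
  local root=$1 db=$2 cur report
  # mktemp yields an unpredictable name, so an attacker cannot pre-plant a
  # symlink where the checker will write (the 2001-style /tmp bug).
  cur=$(mktemp) || return 2
  tw_snapshot "$root" > "$cur"
  report=$(awk -v dbfile="$db" '
    FILENAME == dbfile { base[$2] = $1; next }   # pass 1: load baseline
    {                                            # pass 2: current tree
      if (!($2 in base))        print "ADDED   " $2
      else if (base[$2] != $1)  print "CHANGED " $2
      delete base[$2]
    }
    END { for (p in base) print "REMOVED " p }   # left over = deleted
  ' "$db" "$cur" | LC_ALL=C sort)
  rm -f "$cur"
  [ -z "$report" ] && return 0
  printf '%s\n' "$report"
  return 1
}

# Demo on a constructed tree: a patched binary, a dropped file, and log noise.
demo() {
  local root db
  root=$(mktemp -d); db=$(mktemp)
  mkdir -p "$root/bin" "$root/log"
  printf 'v1\n' > "$root/bin/app"; printf 'GET /\n' > "$root/log/access.log"
  tw_baseline "$root" "$db"
  printf 'v2\n' > "$root/bin/app"                 # patch, or tampering
  printf 'x\n'  > "$root/bin/dropped"             # new file in a system dir
  printf 'GET /a\n' >> "$root/log/access.log"     # excluded: no false positive
  tw_check "$root" "$db" || echo "(exit $?) changes detected"
  rm -rf "$root" "$db"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it with `bash tw_check.sh demo`. Two things the slides take for granted are visible here: the baseline is only as trustworthy as the moment it was taken, and it must itself be protected (Tripwire signs its database; Samhain's PGP-signed database, mentioned later, addresses the same problem), and the exclusion list is where the false-positive problem is solved, not by ignoring the report.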
Alternative IDS Products
- Symantec IDS
  - "Only true real-time monitoring services in the Managed Security Services industry"
  - Host-based
  - Centralized console management; can view network-based IDS in the same console
  - Price varies with the support level; different levels of service can be purchased
- Why was Symantec IDS not chosen?
  - OurCompany already uses Symantec Anti-Virus … and did not want a single-vendor security solution

Alternative IDS Products (Open Source)
- Samhain
  - Host-based, centralized monitoring
  - Web-based management console
  - Tamper resistant: PGP-signed database and configuration files
  - Licensed under the GNU General Public License
- FCheck
  - Perl script that creates a "snapshot" of the system in a known state
  - Monitors machines against the "snapshot" and reports inconsistencies
  - Licensed under the GNU General Public License

Alternative IDS Products (Open Source)
- AIDE
  - Stands for Advanced Intrusion Detection Environment
  - Similar capabilities to Tripwire; billed as a free replacement for it
  - Licensed under the GNU General Public License
- Integrit
  - Simple, secure alternative to Tripwire and AIDE
  - Small memory footprint
  - Licensed under the GNU General Public License
- Why was none of these products chosen?
  - Management at OurCompany does not consider open source an option at this time
  - No support plan is available for these products