The Case for Tripwire® Nick Chodorow Sarah Kronk Jim Moriarty Chris Tartaglia

The DMZ at OurCompany  External, customer-facing websites sit in the DMZ Includes: DNS, mail, data and application servers

The DMZ and Risk  Internal Risk Botched migration of software Patch application gone awry  External Risk DMZ is exposed to the Internet Intruders could modify, remove, or add files to the servers resulting in a multitude of issues

Is the solution?

What is ?  The most popular host-based IDS for Linux Also popular with Windows  Change monitoring and analysis tool Establishes control over both authorized and unauthorized changes on servers  Provides enterprises with … High availability Compliance with regulations from internal and external policies More effective systems security

What can do?  Detect Provides change detection across network servers, routers, switchers, firewalls, ect. Captures all changes (malicious and authorized)  Reconcile Rapidly determines which files have been changed  Report Audit Logs Real-Time notification ( )

cost of implementation * $24,000 for 25 servers ** $120/server and $1400/management station *** implementation, familiarization, training, testing Year 1Year 2Year 3 Fixed Costs*$24,000$ 0 Maintenance Costs** $ 4,400 Labor Time*** 375 hours50 hours

Management Buy-In  Problem High initial cost and man-hours Management not concerned with internal risk  What sold Management? The ability to monitor the DMZ 24/7 from illicit activity … and then be able to recover quickly

Deployment  Initial deployment One management station Tripwire client running on 2 web servers and 1 data server This deployment was a success Full scale deployment followed

concerns  Too many false positives Due to mis-configuration Server group less likely to promptly address real issues  Do Tripwire vulnerabilities exist? 2004 – Format String Vulnerability  When an report was created, a local user could execute arbitrary code that runs as the same rights as the user running the file check (usually root or sys admin) 2001 – Symbolic link attack  On Linux and Unix, Tripwire opens insecure temporary files with predictable names in publicly-writable directories. Using a symbolic link attack, a local intruder may overwrite or create arbitrary files on machines running tripwire. Others ?????

Alternative IDS Products  Symantec IDS “Only true real-time monitoring services in the Managed Security Services industry “ Host-Based Centralized Console Management  Can view Network-Based IDS in same console Price varies upon support  Different levels of service can be purchased  Why was Symantec IDS not chosen? OurCompany already uses Symantec Anti-Virus … did not want a single vendor security solution

Alternative IDS Products (Open Source)  Samhain Host-Based Centralized-Monitoring Web-Based Management Console Tamper Resistant  PGP-Signed database and configuration files Terms under GNU General Public License  FCheck PERL script creates “snapshot” of system in known state Monitors machines against “snapshot” and reports inconsistencies Terms under GNU General Public License

Alternative IDS Products (Open Source)  AIDE Stands for Advanced Intrusion Detection Environment Similar capabilities as Tripwire Billed as a free replacement for Tripwire Terms under GNU General Public License  Integrit Simple, secure alternative to Tripwire and AIDE Small memory footprint Terms under GNU General Public License  Why NONE of these products were chosen? Management at OurCompany does not consider Open Source an option at this time No support plan available on these products

Questions ???