

The Case for Tripwire®

Nick Chodorow

Sarah Kronk

Jim Moriarty

Chris Tartaglia

The DMZ at OurCompany
  • External, customer-facing websites sit in the DMZ
    • Includes: DNS, mail, data and application servers
The DMZ and Risk
  • Internal Risk
    • Botched migration of software
    • Patch application gone awry
  • External Risk
    • DMZ is exposed to the Internet
    • Intruders could modify, remove, or add files to the servers resulting in a multitude of issues
What is Tripwire?
  • The most popular host-based IDS for Linux
    • Also popular with Windows
  • Change monitoring and analysis tool
    • Establishes control over both authorized and unauthorized changes on servers
  • Provides enterprises with …
    • High availability
    • Compliance with regulations from internal and external policies
    • More effective systems security
What can Tripwire do?
  • Detect
    • Provides change detection across network servers, routers, switches, firewalls, etc.
    • Captures all changes (malicious and authorized)
  • Reconcile
    • Rapidly determines which files have been changed
  • Report
    • Audit Logs
    • Real-Time notification (e-mail)
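Added illustration, not Tripwire's own code: a minimal file-integrity checker in Python that models the Detect / Reconcile / Report cycle above (and the "snapshot of a known state" approach the later FCheck slide describes). It baselines a directory tree, rescans it, and reports added, removed and modified files; the function names and the set of recorded attributes are my own choices.

```python
import hashlib
import os
import stat
from pathlib import Path

HASH = "sha256"

def _fingerprint(path: Path) -> dict:
    """Hash plus metadata for one regular file, the attributes a policy rule records."""
    h = hashlib.new(HASH)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    st = path.stat()
    return {HASH: h.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}

def snapshot(root) -> dict:
    """Baseline: fingerprint every regular file under root (symlinks are skipped)."""
    root = Path(root)
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            db[p.relative_to(root).as_posix()] = _fingerprint(p)
    return db

def compare(baseline: dict, current: dict) -> dict:
    """Reconcile: files added, removed or changed since the baseline was taken."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for rel in sorted(set(baseline) & set(current)):
        diff = {k: (baseline[rel][k], current[rel][k])
                for k in baseline[rel] if baseline[rel][k] != current[rel][k]}
        if diff:
            modified[rel] = diff
    return {"added": added, "removed": removed, "modified": modified}

def report(result: dict) -> str:
    """Report: one line per finding, the text an e-mail notification would carry."""
    lines = [f"ADDED    {rel}" for rel in result["added"]]
    lines += [f"REMOVED  {rel}" for rel in result["removed"]]
    for rel, diff in result["modified"].items():
        what = ", ".join(f"{k} {old!r} -> {new!r}" for k, (old, new) in diff.items())
        lines.append(f"MODIFIED {rel} ({what})")
    return "\n".join(lines) if lines else "No changes detected."
```

The baseline only has value if it is kept where an intruder on the monitored host cannot rewrite it (read-only media or a separate management station, as in the deployment described later); a baseline the intruder can regenerate detects nothing.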
Cost of Implementation

* $24,000 for 25 servers

** $120/server and $1400/management station

*** implementation, familiarization, training, testing

Management Buy-In
  • Problem
    • High initial cost and man-hours
    • Management not concerned with internal risk
  • What sold Management?
    • The ability to monitor the DMZ 24/7 for illicit activity … and then be able to recover quickly
Deployment
  • Initial deployment
    • One management station
    • Tripwire client running on 2 web servers and 1 data server
    • This deployment was a success
    • Full scale deployment followed
Concerns
  • Too many false positives
    • Due to misconfiguration
    • Server group less likely to promptly address real issues
  • Do Tripwire vulnerabilities exist?
    • 2004 – Format String Vulnerability
      • When an e-mail report was created, a local user could execute arbitrary code with the same rights as the user running the file check (usually root or a sysadmin)
    • 2001 – Symbolic link attack
      • On Linux and Unix, Tripwire opens insecure temporary files with predictable names in publicly writable directories. Using a symbolic link attack, a local intruder may overwrite or create arbitrary files on machines running Tripwire.
    • Others?
Alternative IDS Products
  • Symantec IDS
    • “Only true real-time monitoring services in the Managed Security Services industry”
    • Host-Based
    • Centralized Console Management
      • Can view Network-Based IDS in same console
    • Price varies upon support
      • Different levels of service can be purchased
  • Why was Symantec IDS not chosen?
    • OurCompany already uses Symantec Anti-Virus … did not want a single-vendor security solution
Alternative IDS Products (Open Source)
  • Samhain -- http://www.la-samhna.de/samhain/
    • Host-Based
    • Centralized-Monitoring
    • Web-Based Management Console
    • Tamper Resistant
      • PGP-Signed database and configuration files
    • Terms under GNU General Public License
  • FCheck -- http://www.geocities.com/fcheck2000/fcheck.html
    • PERL script creates “snapshot” of system in known state
    • Monitors machines against “snapshot” and reports inconsistencies
    • Terms under GNU General Public License
Alternative IDS Products (Open Source)
  • AIDE -- http://sourceforge.net/projects/aide
    • Stands for Advanced Intrusion Detection Environment
    • Similar capabilities as Tripwire
    • Billed as a free replacement for Tripwire
    • Terms under GNU General Public License
  • Integrit -- http://sourceforge.net/projects/integrit
    • Simple, secure alternative to Tripwire and AIDE
    • Small memory footprint
    • Terms under GNU General Public License
  • Why were none of these products chosen?
    • Management at OurCompany does not consider Open Source an option at this time
    • No support plan available on these products