

Tripwire for Servers V2.4.2

Unlike other host-based IDS systems we have tested, Tripwire for Servers is very specifically a File Integrity Assessment (FIA) product.

Tripwire for Servers works by first creating a database of important system files - a "snapshot" of a computer system in a known secure state. The administrator can specify the directories and files that should be monitored, and the properties (last write time, file size, access permissions) for each of these that should be stored in the Tripwire database file.

Once this "baseline" database is created, Tripwire can be used at regular intervals to compare the current state of the system with the information stored in the database. Any changes to the system outside of specified boundaries will be detected and reported. If these changes are valid, the administrator can update the baseline database with the new information. If malicious changes are found, appropriate steps can be taken.

The Tripwire product line continues to expand, with the company now introducing Tripwire for Routers and Switches. More of a central management and configuration tool than a security product, this product is designed to reduce network downtime through immediate detection and notification of changes to Cisco routers and switches.

The final product in the range is Tripwire for Web Pages, which extends Tripwire data and network integrity protection to Web pages hosted on Apache Web servers. It enables immediate remediation by automatically replacing altered Web page content with a customised notification page, instantly notifying the administrator, and logging all instances. Tripwire for Web Pages' data integrity features provide knowledge of exactly which Web pages were altered or modified on an organisation's Web site.

Architecture

The early versions of Tripwire consisted purely of a stand-alone program that ran on individual hosts, making centralised control of multiple hosts extremely difficult and time consuming.

Now, although Tripwire for Servers can still be run in a similar standalone mode, the company has introduced central management software that provides distributed agents and a central console to manage and report on multiple Tripwire clients.

The distributed Tripwire architecture is made up of the following components:

Tripwire for Servers

Tripwire for Servers software monitors file changes, verifies integrity, and notifies the administrator of any violations of stated security policy on network servers. Tripwire for Servers monitors all changes to file systems and registry settings, regardless of whether they originated inside or outside of the organisation. Tripwire for Servers also identifies changes to system attributes including file size, access flags, write time, and so on.

Tripwire for Servers monitors file content integrity together with 24 attributes on Windows NT:

  • File adds, deletes, modifications
  • Flags - archive, read-only, hidden, offline, temporary, system, directory
  • Last access time
  • Last write time
  • Create time
  • File size
  • MS-DOS 8.3 name
  • NTFS Compressed flag, NTFS Owner SID, NTFS Group SID, NTFS DACL, NTFS SACL
  • Security descriptor control and size of security descriptor for this object
  • Number of alternate data streams
  • Hash checking - CRC-32, MD5, SHA, HAVAL

It also monitors 14 attributes on UNIX systems:

  • File adds, deletes, modifications
  • File permissions and properties - ignore, record and check
  • Inode number, number of links
  • User id of owner, group id of owner
  • File type, file size
  • Device number of the disk on which the inode associated with the file is stored
  • Device number of the device to which the inode points
  • Number of blocks allocated
  • Modification timestamp
  • Inode creation/modification timestamp
  • Growing files - indicates that the file is expected to grow
  • Shrinking files
  • Access timestamp
  • Hash checking - CRC-32, MD5, SHA, HAVAL

The following registry attributes can also be monitored:

  • Registry type: key or value
  • Owner Security ID
  • Group Security ID
  • Distributed Access Control List (DACL)
  • Security Access Control List (SACL)
  • Name of class
  • Number of subkeys
  • Maximum length of subkey name
  • Maximum length of classname
  • Number of values
  • Maximum length of the value name
  • Maximum length of data for any value in the key
  • Security descriptor control
  • Size of security descriptor
  • Last write time
  • Registry type: key or value
  • Type of value data
  • Length of value data
  • CRC-32 hash of the value data
  • MD5 hash of the value data
  • SHA hash of the value data
  • HAVAL hash of the value data

The Tripwire for Servers software engine conducts subsequent file checks, automatically comparing the state of the system with the baseline database. Any inconsistencies are reported to Tripwire Manager and to the host system's log file. Reports can also be emailed to an administrator or written to the console, and SNMP traps are also supported.

If a violation is actually an authorised change (such as installing an upgrade or new application), a user can update the database so changes no longer show up as violations.

Tripwire for Servers uses a number of files to assess system security:

Policy file - specifies how Tripwire software monitors the system. The policy file consists of a list of rules which specify system objects (directories, files, or registry objects) to monitor, and describe which changes to the objects should be reported and which ones can be ignored.

Database file - When Tripwire software is first installed, it uses the rules in the policy file to create a snapshot of the computer system in a known secure state. During an integrity check, the software compares this baseline database file against the current state of the system to determine if any changes have occurred.

Report files - These record those changes detected during an integrity check that violate the rules in the policy file. Tripwire can be configured to e-mail all or part of a report file to administrators after an integrity check.

Configuration file - Stores system-specific information that controls Tripwire operation, including the location of Tripwire files, and the parameters used for e-mail notification.

Key file - The site and local key files store public and private keys used to sign Tripwire files cryptographically. To modify signed Tripwire files, it is necessary to provide the correct site or local pass phrase.

Agent configuration file - Stores information that each machine uses to communicate with the Tripwire Manager.

Tripwire Manager

Tripwire Manager is a cross-platform, Java-based management console that allows the administrator to manage all installations of Tripwire for Servers across an enterprise network from a single point.

Tripwire Manager eliminates the need to monitor multiple discrete network platforms and point solutions manually, providing a seamless, secure way to remotely manage Tripwire for Servers functionality across an enterprise - even with multiple operating systems. From a central management console, Tripwire Manager enables the administrator to generate detailed reports, update the Tripwire database, create and distribute policy files, and schedule integrity checks. Any and all integrity violations are identified and communicated based on their level of severity.

All communication between Tripwire for Server hosts and the central Tripwire Manager console is secured using Secure Sockets Layer (OpenSSL) technology with 168-bit Triple-DES encryption.

To protect against unauthorised modification, important files on each Tripwire for Server host are stored in a binary-encoded and signed form. Tripwire database, policy, configuration, and (optionally) report files are protected with El Gamal asymmetric cryptography with a 1024-bit signature.

The El Gamal signature process uses a paired set of keys - one public and one private - which are generated and stored together in a key file. Two of these sets of keys, the site key file and the local key file, are used to protect important files. The site key is used to protect the policy and configuration files, which can be used across an entire site. The local key is used to protect database and (optionally) report files, which are specific to a particular system.

To edit or replace a signed Tripwire file, it is necessary to provide the pass phrase (chosen during installation) for the key file used to sign the file. Tripwire software uses cryptographic signatures to prevent unauthorised writing of files, rather than reading of files. Only the public key is required to read files, and since the public key is available to all users, anyone can view these files.

Installation

Installation is very straightforward, following the usual InstallShield route on Windows platforms. Unix installation is performed via script files.

Now that it has been re-written as a Java application, Tripwire Manager is available on a wider range of platforms. It has been tested and approved on Windows NT4, Windows 2000, Solaris 7 and 8, and Red Hat Linux 7.0 and 7.1.

Tripwire for Servers software is supported on Windows NT4, Windows 2000 Professional/Server/Advanced Server, Solaris (SPARC) 2.6, 7 and 8, IBM AIX 4.3, HP-UX 10.2 and 11.0, Linux (various distributions), Tru64 UNIX 4.0, and FreeBSD 4.2 and 4.3. For this test, we used Windows 2000 Advanced Server running on a Pentium III 800MHz processor with 256MB RAM for both the Tripwire Manager and each of the Tripwire for Servers installations.

During installation the administrator is prompted for several important configuration parameters such as the mail protocol for e-mail reports, SNMP settings, and how to communicate with the Tripwire Manager console.

The administrator must then provide site and local pass phrases, which are used to generate 1024-bit keys to encrypt and sign various Tripwire files. The site pass phrase protects the site key, which is used to cryptographically sign the main configuration, agent configuration and policy files. The local pass phrase protects the local key, which is used to sign database and, optionally, report files.

Documentation is very good and is provided in both hard-copy and electronic (PDF) formats. The Installation Guide and Reference Guide are common to both the Tripwire Manager and Tripwire for Servers packages, whilst a product-specific User Guide is also included with each one. Tripwire for Servers also includes a couple of handy Quick Reference Cards (one each for Unix and Windows environments) which provide useful reference to common commands.

Configuration

For anyone used to the original command-line version of Tripwire, very little has changed. The software can still be driven from the command line if required (making it ideal for incorporation into batch file or shell script programs), and it is not difficult to do. Most, however, will prefer to control it via the Java-based GUI console provided by Tripwire Manager.

The power behind Tripwire technology lies in its highly configurable policy language. Not only is it possible to define which files or directories to monitor, the administrator can also define the attributes of each object monitored. For example, it makes sense to monitor data integrity of a system binary file. It does not, however, make sense to monitor the contents of a log file - although it may be desirable to ensure that certain aspects of a log file (such as permissions or ownerships) are never altered. It is therefore possible to configure Tripwire for Servers to monitor only those things that should not change.

The Tripwire policy language also allows objects to be grouped around easy-to-understand rule names and then prioritised based on relative "severity". Grouping and prioritisation enables the administrator to focus on the most important changes first.

The latest 2.4 release sees the policy language extended to provide object rule grouping with scoped blocks, enhanced Alternate Data Stream monitoring, and support for up to four cryptographic checksums (CRC-32, MD5, SHA1, HAVAL).


Figure 1 - Tripwire Policy Centre - a Web based policy creation tool

Other improvements in 2.4 not directly related to policy files include the ability for Tripwire integrity checks to cross mount points on Unix systems, support for remote hosts for Event Log reporting on Windows systems, global e-mail notification, scanning of "in use" files, updating of policy file "snippets" instead of having to download the entire policy file for a minor change, and support for SNMP traps during integrity checks.

Tripwire for Servers includes a pre-defined policy file for the platform on which it will run, enabling the administrator to quickly install and deploy a Tripwire solution.

It is recommended, however, that this default policy file be replaced with a custom version as quickly as possible. Creating the policy file is the most time consuming part of Tripwire configuration and with the use of variables, rule arguments, stop points and conditional directives it can almost begin to resemble a programming language. There is no simple GUI interface within the Tripwire product to aid in creating policy files - it's just you and the text editor - but the Reference Guide does include extensive material to guide you through the process.

There is also a Web-based policy creation tool on the Tripwire Web site (see Figure 1) that guides the administrator through the various stages of generating a policy file that is customised for his or her own environment. The wizard-like interface prompts the administrator for important information such as the OS platform, which service packs are installed, which major software packages are installed, and so on.

Figure 2 - Editing the Policy file from Tripwire Manager

At the end of the process, the policy file is downloaded and can be deployed to all Tripwire for Server hosts via the Tripwire Manager console. Whilst this goes a long way towards simplifying the process, there is still quite a bit of work involved in fine tuning the policy file to eliminate a lot of the "noise" generated by the default settings.

The database file is at the centre of the integrity assessment strategy. When the Tripwire software is first installed, the rules in the policy file are used to create a "snapshot" of a computer system in a known secure state. Then, during subsequent integrity checks, this "baseline" database is compared against the current state of the system to determine what, if any, changes have occurred.

Considering the amount of work that is being performed, Tripwire turns in an impressive performance during integrity checks, taking 4-5 minutes to perform the database initialisation and around 6-8 minutes to perform subsequent integrity checks using the default policies out of the box. During these operations, it should be noted that CPU utilisation peaked at 100 per cent for minutes at a time (hovering around 60-70 per cent for the bulk of the operation).

However, since Tripwire is not intended to be a real-time monitoring product, the CPU utilisation and speed of integrity checks and baseline generation is not often an issue, and is obviously always going to be dependent on the host machine on which the software is installed.

If a policy violation is detected during the integrity checks, it is identified and described in a violation report, which is sent via e-mail or syslog to an administrator (SNMP traps can also be raised), or viewed on-screen in a text editor.

If the violation is actually an authorised change (such as the installation of a new application or a software upgrade), the administrator can instruct Tripwire to update the database with the change so it no longer triggers a violation. Such updates are performed incrementally and do not necessitate a regeneration of the baseline database.

Figure 3 - Updating the database with authorised changes

This cycle of policy definition - integrity check - evaluate - update can be repeated as often as is required to refine the policy file to suit a particular environment. This is a nice feature of Tripwire - it is not necessary to get the policy file 100 per cent correct at the first try, and it is always preferable to include too much in there and remove unwanted "violations" during the update phase than to include too little and risk missing something.
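The baseline / integrity-check / update cycle described in the Architecture section, combined with the per-object attribute masks discussed under Configuration, as an added Python illustration; this is not Tripwire code, and the rule layout, mask names, severity values and sample files are assumptions constructed for the example:

```python
import hashlib
import stat
import tempfile
from pathlib import Path

# Attribute masks in the spirit of Tripwire's property masks (names assumed):
# everything for binaries; only ownership/permissions for files expected to grow.
CRITICAL = frozenset({"size", "mode", "uid", "gid", "sha1"})
GROWING = frozenset({"mode", "uid", "gid"})


def snapshot(path):
    """Record the attributes a baseline stores for one regular file."""
    st = Path(path).lstat()
    return {"size": st.st_size, "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
            "gid": st.st_gid, "sha1": hashlib.sha1(Path(path).read_bytes()).hexdigest()}


def init_database(policy):
    """Baseline: one record per file under each rule's directory.
    policy is {rule_name: {"path": dir, "mask": attrs, "severity": int}}."""
    db = {}
    for name, rule in policy.items():
        for p in sorted(Path(rule["path"]).rglob("*")):
            if p.is_file():
                db[str(p)] = {"rule": name, "attrs": snapshot(p)}
    return db


def integrity_check(policy, db):
    """Compare current state with the baseline; return violations, highest
    severity first, each carrying both records for side-by-side review."""
    current, violations = init_database(policy), []
    for path in sorted(set(db) | set(current)):
        rule_name = (db.get(path) or current[path])["rule"]
        old = db.get(path, {}).get("attrs")
        new = current.get(path, {}).get("attrs")
        changed = set()
        if old is None:
            kind = "added"
        elif new is None:
            kind = "deleted"
        else:
            changed = {a for a in policy[rule_name]["mask"] if old[a] != new[a]}
            if not changed:      # e.g. a log grew but its mode/owner held
                continue
            kind = "changed"
        violations.append({"rule": rule_name, "severity": policy[rule_name]["severity"],
                           "kind": kind, "path": path, "baseline": old,
                           "current": new, "changed": sorted(changed)})
    return sorted(violations, key=lambda v: -v["severity"])


def update_database(db, violations, authorised):
    """Incremental update: fold authorised violations into the baseline without
    regenerating it; anything not authorised will be reported again."""
    for v in violations:
        if v["path"] in authorised:
            if v["kind"] == "deleted":
                db.pop(v["path"], None)
            else:
                db[v["path"]] = {"rule": v["rule"], "attrs": v["current"]}
    return db


def demo():
    """Constructed scenario: one authorised upgrade, one tampered binary and
    one growing log. Returns the violations from two successive checks."""
    root = Path(tempfile.mkdtemp())
    for d in ("bin", "log"):
        (root / d).mkdir()
    (root / "bin" / "ls").write_bytes(b"ls v1")
    (root / "bin" / "login").write_bytes(b"original binary")
    (root / "log" / "messages").write_text("boot ok\n")
    policy = {"System binaries": {"path": str(root / "bin"), "mask": CRITICAL, "severity": 100},
              "Log files": {"path": str(root / "log"), "mask": GROWING, "severity": 33}}
    db = init_database(policy)                                # known-good baseline
    (root / "bin" / "ls").write_bytes(b"ls v2")               # vendor upgrade
    (root / "bin" / "login").write_bytes(b"trojaned binary")  # same size, new hash
    with open(root / "log" / "messages", "a") as fh:
        fh.write("login ok\n")                                # expected growth
    first = integrity_check(policy, db)
    update_database(db, first, {str(root / "bin" / "ls")})   # accept only the upgrade
    return first, integrity_check(policy, db)
```

The second check reports only the tampered binary: the growing log never violates its mask, and the accepted upgrade has become part of the baseline.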

Various other command line utilities are also available, enabling the administrator to print signed and encrypted database and report files, edit the various configuration files, and so on.

What is difficult with the command-line-only version of Tripwire is ensuring that all machines across the network have a consistent security policy applied, and consolidating and assessing multiple reports from different machines.

These issues have been addressed via the Tripwire Manager software, and for the latest release, this has been completely redeveloped in Java. As well as offering the same capabilities as the previous Windows-based application, the new Java console provides enhanced scalability features through support for multiple consoles, and different console "roles" (such as management or monitoring only).

All of the files used for integrity assessment are located on the individual Tripwire for Servers hosts, each machine storing a customised copy of each of the main Tripwire files. These files can be edited from the Tripwire Manager, or from the individual host machines.

In stark contrast to the stand-alone command-line-only Tripwire, the Tripwire Manager console provides an intuitive, easy-to-use, Java-based graphical interface for controlling a distributed Tripwire implementation.

In addition to the standard Toolbar and Status bars, the console contains a number of specialised windows that can be hidden, moved, or resized to customise the appearance of the Tripwire Manager console and make the information easier to digest.

Figure 4 - Scheduling an Integrity Check from Tripwire Manager

Remote Tripwire for Server hosts are registered with Tripwire Manager in the Machine List window. Details of registered machines are shown there along with information such as current status (connected, busy, idle, etc.), latest task accomplished, operating systems, and so on.

An icon against each machine in the list also reflects its current state:

  • Red - the latest report file for this machine contains one or more high severity violations.
  • Yellow - the latest report file for this machine contains one or more medium severity violations.
  • Blue - the latest report file for this machine contains one or more low severity violations.
  • Green - the latest report file for this machine contains no violations.
  • Unavailable - this machine cannot be contacted by the Tripwire Manager console because of network or configuration problems.
  • Unknown - this machine has not yet been polled for status, or has no current report file.

The Quick Status window displays pie charts summarising the states of the registered machines, and the Output window displays various messages generated by Tripwire operations, including information about current jobs, the beginning and completion of tasks, and any errors that are encountered during normal operation. The contents of this window are also recorded in a log file for later reference.

The Action Bar is an iconised menu bar that provides easy access to commonly-performed operations (all of which can also be accessed through the Action menu, or by right-clicking the Machine List). Typical of the available tasks on the Action Bar are the Edit Configuration File and Edit Policy File options. The latter retrieves the policy file from a registered host and presents it in the main console window for editing. Integrity checks can be triggered from this menu, and it is also possible to create a schedule for regular unattended runs (scheduled operation is much more flexible in the latest release).

Once created, configuration, policy and schedule files can be distributed to all machines under the control of Tripwire Manager, to ensure that integrity checks are run regularly and corporate policies are enforced right across an enterprise network. Once files have been distributed, all integrity checks and other tasks are run transparently on the remote machines in the background via the Tripwire for Servers service or daemon.

Following a successful run, violations can be viewed immediately at the console (text-based reports can also be e-mailed to the administrator direct from each machine as the integrity check is completed) and remote databases can be updated to remove false alarms from future runs.

Reporting and Analysis

Once an integrity check has been completed on a remote machine, the Report Viewer can be used to retrieve the Tripwire report and display it at the console.

Four tabs are available within the Report Viewer window: Report, Objects, Violations and Summary. On selecting the Report tab, a tri-pane display appears (Main Window, Objects Window and Details Window) with the left hand pane (the Main Window) containing a root node for each report file, with a list of the violations and errors encountered during an integrity check.

Selecting an item in the Report tree displays all of the child items in the Objects Window. By double-clicking an item in the Objects Window, it is possible to "drill down" to see more details. Selecting an individual violation brings up further information in the Detail Window.

Two records are displayed for comparison for each violation. The first record is the original "baseline" of the network object (file, directory, or registry setting) from the Tripwire database, and the second shows the new values with a warning icon to highlight the fields that have changed.

The Objects tab displays all open reports by the object (directory, file or registry object) that was violated, and is useful for detecting patterns of violations across a network of machines. The Summary tab displays a chart of the number and severity of violations in all open reports.

Selecting the Violations tab displays rule violations for all reports that are open in the Report Tree window. Each entry lists:

  • An icon showing the type of violation (add, delete, or change)
  • The name of the object causing the violation
  • The report containing the violation
  • The rule name associated with the violated rule, if applicable
  • The severity level of the violated rule, if applicable
  • The write time of the object causing the violation, expressed in the time zone of the Tripwire Manager console.

Reports can be sorted on any of the column headings, and can also be searched or filtered to home in on violations that are of particular interest. Summary results can also be displayed graphically if required.

Figure 5 - Viewing reports in HQ Reporter

New features for version 2.4 include the aforementioned Objects and Summary tabs in the Report Viewer, report exporting to XML, CSV, or text, improved syslog support (now up to three levels of reporting), and support for SNMP traps.

Verdict

Tripwire is the only product we have tested in our labs that concentrates totally on File Integrity Assessment (FIA) as an approach to intrusion detection. Whereas this might not be the most proactive means of detecting intruders, it does provide a level of protection against previously unknown attacks that most IDSs cannot offer.

Because there is little point in gaining unauthorised access to a computer system without adding, removing or changing files, Tripwire will generally be able to provide notification and evidence that some form of intrusion has taken place, no matter how new or "stealthy" the initial exploit used to gain access.

Tripwire can also be used in a wide range of applications outside of the field of intrusion detection. For example:

System and Policy Compliance - Ensure that systems meet corporate IT standards by monitoring system files for any changes. By comparing machines to a baseline database generated from an ideal system, it is possible to detect potential security holes or configuration problems.

System Lockdown - Verify that no new, unauthorised software has been installed on a system. Once a machine has been "locked down", Tripwire software can monitor that system for unauthorised software or applications.

Damage Assessment and Recovery - Tripwire can be used to assist in assessing the damage in the event of a successful attack. An administrator can use the reported violations as a list of files to repair or replace.

Forensics - Tripwire reports can be used to establish a chain of evidence necessary to prosecute offenders after an attack has occurred.

Previous releases of the product took it out of the realms of the "hard-to-use Unix-based product" and provided broad cross-platform support and an extremely useful, graphical, central console making distributed management very much easier. The latest release has built on this with the redevelopment of the Tripwire Manager console as a Java applet, providing a much broader range of cross-platform support for the console itself. It should also be noted that, unlike many Java applications we have evaluated, Tripwire Manager remains as fast and usable as the original Windows application.

Policy creation and fine tuning are still unlikely to be undertaken by the novice, but the new Web-based policy creation tool is a huge step in the right direction. Hopefully, future versions will see this tool actually integrated into the Tripwire Manager interface. In general, however, Tripwire proved itself to be easy to deploy, easy to configure (apart from the policy files) and easy to manage on a day-to-day basis. Well worth considering if you require the ultimate in FIA technology.

Whilst Tripwire might not serve as your only intrusion detection product, it should be considered an essential element of any comprehensive intrusion detection implementation.

Contact Details

Company name: Tripwire Inc.
E-mail: [email protected]
Internet: http://www.tripwire.com
Address:
326 SW Broadway, 3rd Floor
Portland
OR 97204, USA
Tel: +1 503 223 0280
Fax: +1 503 223 0182

UK Distribution:
Peapod UK
The Harlequin Centre
Southall Lane
Southall
Middlesex
UB2 5NH
Tel: +44 (0)208 606 9990


Copyright © 1991-2002 The NSS Group.
All rights reserved.