Tripwire for Servers V2.4.2

Brief product description

Tripwire is a file integrity product. The software runs on an individual system, usually a server or other system where file integrity assurance is critical. Tripwire works by digitally signing critical files and attributes (user selectable via a policy file), with the first occurrence being called the baseline. Subsequently, when Tripwire is run, a report is generated that outlines "differences" between the current state of files/attributes and the previous state.
Architecture

Tripwire as run on an individual system is a command line capability. To provide better management of a large number of systems installed with Tripwire, a capability called HQManager is available. HQManager is a graphical interface that talks to Tripwire enabled systems via a "connector", which provides an encrypted link for reporting and managing Tripwire on target systems. HQManager is currently a Windows NT facility, but will be available as a Unix capability in Q1 2001. HQManager interacts with up to 250 Tripwire enabled systems.
At what layer of the protocol stack is the product working?
Not applicable, i.e. independent.

Documentation
Full manual set plus on-line help regarding commands. HQManager also has integrated Help.

What are the minimum/recommended console OS and hardware requirements? Is a dedicated machine required/recommended? Will it work on Windows 2000?
No requirements, as it runs on the target system.

What are the minimum/recommended agent OS and hardware requirements? Is a dedicated machine required/recommended? Will it work on Windows 2000?
Tripwire is independent of OS.

What components are installed on a detector?
Tripwire is an application that is independent of any other service. It is scheduled via AT or CRON and does not affect any part of the OS.

Which network types are supported?
Not relevant.

Any specific recommendations for monitoring Gigabit networks with your product?
Not relevant.

Which OS platforms are actively monitored?
Solaris, Windows NT, HP-UX, Linux, AIX, Windows 2000 (Professional now, Server Q1 2001), SGI and Compaq.

Can sensors/detectors be deployed and configured initially from a central console?
No.

Once deployed and configured, can sensors/detectors be managed from a central console?
Yes, by using HQManager.
Authentication between console and engines: is it available? What algorithm/key lengths?
Yes. Each Tripwire installation has a local pass phrase, plus there is a site pass phrase.

Secure logon for policy management?
Physical access is required to either the Tripwire system or HQManager. Security is handled by the local system, e.g. Unix needs root, NT requires Admin privileges.

How are policies distributed to engines?
HQManager sends configuration information via the encrypted link.

How are policy changes handled? Will the central console detect which agents are using a changed policy and redeploy automatically, or does the administrator have to do this manually?
Manual.

How many attack signatures?
Not applicable.

Can the administrator define custom attack signatures?
Not applicable.

How are new attack signatures obtained and deployed?
Not applicable.

Frequency of signature updates? Provide dates of all updates in the last year.
Not applicable.

What infrastructure do you have behind the signature update process (i.e. dedicated team of engineers? How many? Does it have a name?)
Not applicable.

Can one signature update file be downloaded to the local network and used to update all IDS engines from a central location, or is it necessary to initiate a live connection to the Internet download server for each engine?
Not applicable.

Can signature updates be scheduled and fully automated?
Not applicable.

What network protocols are analysed?
Not applicable.

What application-level protocols are analysed?
Not applicable.

Can the product perform protocol decodes?
Not applicable.

Can the product perform session recording on suspect sessions?
Not applicable.

Block/tear down session?
Not applicable.

Ability to monitor user-defined connections (i.e. report on an FTP connection to a specific server?)
Not applicable.

Monitor changes in critical system files?
Tripwire monitors all files; a "Policy File" can be tuned to include/exclude files. It also signs files with a variety of signatures to detect tampering.
Monitor changes in user-defined files?
As above.

Monitor changes in Registry?
Tripwire monitors the Registry for changes/tampering.

Monitor unauthorised access to files?
Tripwire monitors ALL access to files; it is up to the administrator to identify unauthorised access.

Monitor administrator activity (creation of new users, etc)?
Not applicable.

Monitor excessive failed logins?
Not applicable.

List any other resources/locations that are monitored.
N/A

Track successful logins, monitoring subsequent file activity, etc?
Not applicable.

Detect network-level packet based attacks?
Not applicable.

Detect all types of port scans (full connect, SYN stealth, FIN stealth, UDP)?
Not applicable.

Detect and report on nmap OS fingerprinting?
Not applicable.

Perform packet reassembly? Resistance to known IDS evasion techniques?
Not applicable.

Reconfigure firewall? If so, which firewall(s) and how?
Not applicable.

Option to record everything for "forensic" investigation? Where is this data stored? How is it secured from tampering?
Tripwire records the status of the system by snapshotting it at regular intervals; the signatures of files/registry are stored in an encrypted form to protect them from tampering.
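The mechanism described in the product description, the policy-file answer and the forensic answer above, as an added Python illustration that is not Tripwire's own code: a constructed policy selects which files to cover, a baseline records a content hash and file attributes, later runs are compared against it to report additions, removals and attribute changes, and the stored baseline carries an HMAC (a stand-in for Tripwire's encrypted storage, keyed by an assumed site pass phrase) so that tampering with the baseline itself is detected.

```python
import fnmatch, hashlib, hmac, json, stat
from pathlib import Path

# Constructed policy (stand-in for a Tripwire policy file): directories to
# walk under the root, and glob patterns for files to leave out.
POLICY = {"include": ["etc", "bin"], "exclude": ["*.log", "*.tmp"]}

def _signature(path):
    """Content hash plus the attributes a baseline records for each file."""
    st = path.lstat()
    return {"sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
            "size": st.st_size, "mtime": int(st.st_mtime)}

def snapshot(root, policy=POLICY):
    """Walk the policy's include directories, skipping excluded names."""
    root, snap = Path(root), {}
    for inc in policy["include"]:
        for p in sorted((root / inc).rglob("*")):
            rel = p.relative_to(root).as_posix()
            if p.is_file() and not any(fnmatch.fnmatch(rel, g) for g in policy["exclude"]):
                snap[rel] = _signature(p)
    return snap

def write_baseline(path, snap, key):
    """Store the baseline with an HMAC tag so later edits to it are detectable."""
    body = json.dumps(snap, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    Path(path).write_bytes(tag + b"\n" + body)

def read_baseline(path, key):
    """Refuse to trust a baseline whose HMAC no longer matches its contents."""
    tag, body = Path(path).read_bytes().split(b"\n", 1)
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("baseline database failed integrity check")
    return json.loads(body)

def compare(baseline, current):
    """Report added, removed and changed files, naming the attributes that changed."""
    report = {"added": sorted(set(current) - set(baseline)),
              "removed": sorted(set(baseline) - set(current)), "changed": {}}
    for rel in set(baseline) & set(current):
        changed = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
        if changed:
            report["changed"][rel] = changed
    return report
```

Run `snapshot` once to build the baseline, then `compare(read_baseline(...), snapshot(...))` on each scheduled check; the report lists exactly which files and which attributes drifted.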
Reporting from engine to console: range of action/alert options (detail these)
E-mail; SNMP to be added Q1 2001.

What provision is made for temporary communications interruption between detector and console? Where are alerts stored? Is the repository secure?
Not applicable.

Can alerts be reported to the central console in real time without the use of third party software? How easy is it to filter and extract individual events?
Not applicable.

Does the software offer advice on preventative action to ensure the attack does not happen again?
Not applicable.

Integration with other scanning/IDS products?
Other IDS products, such as CyberSafe Centrax, can call Tripwire to perform integrity scans in response to alerts.

Log file maintenance: automatic rotation, archiving, reporting from archived logs, etc.
Basically the only output is the reports; normal archiving is applicable.

Management reporting: range of reports/custom reports/how easy is it to filter and extract detail? Different reports for technicians and management/end users?
Various reports can be scheduled for different times, e.g. a full check can be done daily, but critical database files can be checked hourly. Various policy files can be created.

Report management: can they be scheduled for automatic production? Can they be e-mailed to administrators or published straight to a Web site?
Tripwire operates by scheduling an update; the exact time is determined by the user (AT or Cron). The administrator is notified by e-mail if attention is required.

What are the limitations and restrictions on enterprise-wide alerting and reporting? Can reports consolidate output from every 1) server, 2) detector?
Reports can be consolidated across multiple

Define custom reports?
Reports are generated as a result of the Policy File, thus to get specific information into a report the PF is tuned.

How is it licensed? How is the license enforced?
By platform; currently no enforcement.