TRIP WIRE INTRUSION DETECTION SYSYTEM
CONTENT Basically this presentation contains, • What is TripWire? • How does TripWire work? • Where is TripWire used? • Tripwire for network devices.+ • Tripwire for servers • How do you install and use TripWire? • What is the benefit of TripWire? • What are the chances of TripWire? • Final word on TripWire.
What is TripWire? • Reliable intrusion detection system. • Tool that checks to see what changes have been made in your system. • Pinpoints, notifies, determines the nature, and provides information on the changes on how to manage the change. • Mainly monitors the key attributes(like binary signature, size and other related data) of your files. • Changes are compared to the established good baseline. • Security is compromised, if there is no control over the various operations taking place. • Security not only means protecting your system against various attacks but also means taking quick and decisive actions when your system is attacked.
Elements of tripwire • A tripwire database • A policy file
First, a baseline database is created storing the original attributes like binary values in registry. • If the host computer is intruded, the intruder changes these values to go undetected. • The TripWire software constantly checks the system logs to check if any unauthorized changes were made. • If so, then it reports to the user. • User can then undo those changes to revert the system back to the original state.
Where is TripWire used? • Tripwire for Servers(TS) is software used by servers. • Can be installed on any server that needs to be monitored for any changes. • Typical servers include mail servers, web servers, firewalls, transaction server, development server. • It is also used for Host Based Intrusion Detection System(HIDS) and also for Network Intrusion Detection System(NIDS). • It is used for network devices like routers, switches, firewall, etc. • If any of these devices are tampered with, it can lead to huge losses for the Organization that supports the network.
TRIPWIRE FOR NETWORK DEVICES • Tripwire for network devices maintains a log of all significant actions including adding and deleting nodes, rules, tasks and user accounts. • Automatic notification of changes to your routers, switches and firewalls. • Automatic restoration of critical network devices. • Heterogeneous support for today’s most commonly used network devices.
User authentication levels • “Monitors” are allowed only to monitor the application. They cannot make changes to Tripwire for Network Devices or to the devices that the software monitors. • “Users” can make changes to Tripwire for Network Devices, such as add routers, switches. Groups, tasks, etc., but they cannot make changes to the devices it monitors. • “Powerusers” can make changes to the software and to the devices it monitors. • “Administrator” can perform all actions, plus delete violations and log messages as well as add, delete, or modify user accounts
Tripwire for servers • For the tripwire for server’s software to work two important things should be present –the policy file and the database. • The Tripwire for server’s software conducts subsequent file checks automatically comparing the state of system with the baseline database. • Any inconsistencies are reported to the Tripwire manger and to the host system log file. • Reports can also be emailed to an administrator.
There are two types of Tripwire Manager • Active Tripwire Manager • Passive Tripwire Manager • This active Tripwire Manager gives a user the ability to update the database, schedule integrity checks, update and distribute policy and configuration files and view integrity reports. • The passive mode only allows to view the status of the machines and integrity reports.
How do you install and use TripWire? • Install Tripwire and customize the policy file. • Initialize the Tripwire database. • Run a Tripwire integrity check. • Examine the Tripwire report file. • Take appropriate security measures. • Update the Tripwire database file. • Update the Tripwire policy file.
What is the benefit of TripWire? • Increase security Immediately detects and pinpoints unauthorized change. • Instill Accountability Tripwire identifies and reports the sources of change. • Gain Visibility Tripwire software provides a centralized view of changes across the enterprise infrastructure and supports multiple devices from multiple vendors. • Ensure Availability Tripwire software reduces troubleshooting time, enabling rapid discovery and recovery. Enables the fastest possible restoration back to a desired, good state.
What are the chances of TripWire? • The main attractive feature of this system is that the software generates a report about which file has been violated, when the file has been violated and also what information in the files have been changed. • If properly used it also helps to detect who made the changes. • Proper implementation of the system must be done with a full time manager and crisis management department.
Where did I get this Information? • www.tripwire.com • www.iec.com • www.itpaper.com • www.google.com (Search for Tripwire)
ADVANTAGES • Increase security Immediately detects and pinpoints unauthorized change. • Instill Accountability Tripwire identifies and reports the sources of change. • Gain Visibility Tripwire software provides a centralized view of changes across the enterprise infrastructure and supports multiple devices from multiple vendors. • Ensure Availability Tripwire software reduces troubleshooting time, enabling rapid discovery and recovery. Enables the fastest possible restoration back to a desired, good state.
DRAWBACKS • Ineffective when applied to frequently changing files. • higher learning curve to install, edit, and maintain the software • Cost Effective
APPLICATIONS • Tripwire for Servers(used as software). • Tripwire for Host Based Intrusion Detection System (HIDS) and also for Network Based Intrusion Detection System (NIDS). • Tripwire for Network Devices like Routers, Switches etc.