Intrusion Detection Systems: Like the name implies, Tripwire alerts you when changes are made to key data. It's a basic tool that has a lot of applications, both for security and for network maintenance.

Dwayne Melancon is Tripwire, Inc.'s Vice President for Marketing, Customer Support, and Services. As he explains it, the idea behind the company's offering is pretty simple. Start with a baseline of the data on a particular server or device, then monitor it. "From there, we can let you know where things have changed, in as much detail as you want," Melancon said.

Melancon is quick to explain that, while Tripwire for Servers can perform some functions of intrusion detection, it wasn't designed as an IDS. "From the beginning, we've looked at data as an asset that needs to be monitored to understand how it changes," he said. "The bulk of our customers use us for a combination of security, configuration management, and change control."
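
The baseline-then-monitor idea described above can be sketched in a few lines. This is an added example, not Tripwire's code and not its database or policy format; the function names, the `exclude` parameter and the sample tree are assumptions made for illustration. The exclusion list reflects the point that monitoring data expected to change constantly only produces alarms.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

FIELDS = ("sha256", "size", "mode")

def snapshot(root, exclude=()):
    """Baseline: hash, size and permission bits of each regular file under root."""
    root, records = Path(root), {}
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        if any(rel == e or rel.startswith(e + "/") for e in exclude):
            continue  # data expected to change constantly only produces noise
        st = path.lstat()
        if stat.S_ISREG(st.st_mode):  # skip directories, symlinks, devices
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            records[rel] = (digest, st.st_size, stat.S_IMODE(st.st_mode))
    return records

def compare(baseline, current):
    """Report what was added, removed, or changed (and which attribute)."""
    changed = {}
    for rel in sorted(baseline.keys() & current.keys()):
        diff = [f for f, old, new in zip(FIELDS, baseline[rel], current[rel]) if old != new]
        if diff:
            changed[rel] = diff
    return {"added": sorted(current.keys() - baseline.keys()),
            "removed": sorted(baseline.keys() - current.keys()),
            "changed": changed}

def demo():
    """Constructed sample tree: baseline it, tamper with it, then re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "log").mkdir()
        (root / "etc/fw.conf").write_text("policy=deny\n")
        (root / "etc/hosts").write_text("127.0.0.1 localhost\n")
        (root / "log/app.log").write_text("start\n")
        os.chmod(root / "etc/hosts", 0o644)
        baseline = snapshot(root, exclude=("log",))
        (root / "etc/fw.conf").write_text("policy=open\n")   # same size, new content
        os.chmod(root / "etc/hosts", 0o666)                  # permissions loosened
        (root / "etc/dropped.bin").write_bytes(b"\x00")      # unexpected new file
        (root / "log/app.log").write_text("start\nmore\n")   # excluded, so ignored
        return compare(baseline, snapshot(root, exclude=("log",)))

if __name__ == "__main__":
    print(demo())
```

The rewritten `fw.conf` keeps its size, so only the hash comparison catches it. A real deployment would also store the baseline where the monitored host cannot rewrite it.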

As an example, Melancon notes, one Tripwire customer is a large wireless service provider. In the case of an outage, Tripwire lets them act more quickly than they otherwise could. "The first thing they'll do is see if there's a scheduled downtime event that would account for this," he said. "If not, the next thing they do is run a remote Tripwire scan on all the systems that service that area." If a system turns up red on the Tripwire scan, they can quickly drill down to assess the situation in more detail. "We're step zero in their diagnosis process," Melancon said. "Once they drill down into a system, they can tell very quickly what's changed."

Checking up on intruders

In 1997, realizing that the product just might be commercially viable, Kim joined with Wyatt Starnes, now the company's chief executive officer, to found Tripwire, Inc. The first commercial release was made available in early 1998, and the company now boasts over 2,200 enterprise customers worldwide. The original version remains available for free as the Academic Source Release.

Melancon explains that many customers deploy Tripwire for Servers alongside traditional IDS products. "One of the limitations of a lot of intrusion detection systems is that, if they miss something, you can't tell what the impact was," he said. "We don't really care what the attack vector was: we just look at the results, at the changes to the data, and see what actual damage took place."

Tripwire can also be used to keep an eye on other security products to make sure they aren't compromised. Commands can be tied to specific violations (for example, the firewall can be shut down if a certain file changes), or the software can simply provide an alert. "If somebody comes in and puts something suspicious in an ISS system directory, then we'll notice it and be able to tell you," Melancon said.

For a data center, Melancon notes, this kind of protection can be a great asset. "Let's say they're managing a box, and customers have access to the box as well," he said. "They'll say, 'We'll only honor our SLA if you don't change files in certain areas.' Then they can tell if the customer's done that and say, 'This was down because you did something prohibited by your SLA, so we don't owe you for the downtime.'"

Similarly, a web hosting company could monitor for specific undesirable files, or file types, being hosted on their servers. "We actually have a case study of an ISP in Europe where somebody had hacked into their system and used it to put up a pirated warez site, and they didn't realize it for quite some time," Melancon said.

Red light, green light

Pricing starts at $6,995 per license for Tripwire Manager, and $595 per license for Tripwire for Servers, with volume discounts available. A Check Point Edition is also available, with the ability to send alerts directly into the Check Point Log Viewer, for $695 per license.

Aberdeen Group research director Eric Hemmendinger says Tripwire for Servers offers a unique value proposition. "I'm not sure that I've ever heard of another product that performs the same function, and certainly not in the same way," he said. "These guys are often lumped into intrusion detection, but the technology approach is entirely different."

Unlike intrusion detection systems, he notes, Tripwire won't create a flood of false positives. "If you use it to monitor information that's expected to change on an ongoing basis, it's going to be awfully busy triggering alarms, but that's not what it's intended for," he said. "If you choose your targeted information appropriately, you can be reasonably sure that when Tripwire tells you something's going on, it's for real."

Like Melancon, Hemmendinger notes that Tripwire can provide information that most intrusion detection systems can't. "This isn't going to tell you if somebody has gotten into your server: it's only going to tell you whether they've changed things," he said. "The worst scenario that a company can have is they've been breached and they can't figure out whether anything's been changed, which an IDS will not necessarily tell them. This will."