Tripwire's Enterprise 5.0
Price: Server, $3,999; $595 per agent; $125 per agentless device
Poor change management and operator error leave systems vulnerable to attack—and can bring them down as surely as any hacker. Effective change control is also critical to the increasingly stringent demands of secu-rity audits and regulatory compliance.
Tripwire Enterprise 5.0 helps organizations take control of their networks, improving compliance, availability and security, and constantly monitoring servers and network devices (firewalls, routers and switches) through a combination of agent and agentless detection. Information is fed back to the Tripwire Enterprise Server and displayed in near real-time on a Web-based dashboard, and can also be used to generate reports on changes to monitored nodes.
Detected changes, whether by operators, applications (such as patch management tools) or attackers, may be modifications to files and their content, configuration settings or system status. Notably, Tripwire Enterprise 5.0 doesn't monitor Windows registry changes or SQL databases, but the company says it's adding those checks shortly.
Changes can be correlated to who was logged in at the time the change was made, making use of information from AAA servers (such as RADIUS and TACACS+) and audit logs. Tripwire Enterprise comes with generic LDAP support and works with Active Directory.
The bulk of tasks performed with Tripwire Enterprise are baselining (recording the known good state of any given node) and reconciliation. Any changes are flagged and processed according to configurable rules, typically related to alerting (on the console, e-mailing a security manager or sending an SNMP trap). Tripwire Enterprise can also take action, such as automated reconciliation, including working with the Remedy AR system to manage change control. In the case of manual reconciliation, changes are reviewed in the console and can be accepted as part of the new baseline; denials force devices, OSes and apps to revert to their most recent trusted baselines.
Users familiar with Outlook will feel right at home, with a sidebar for quick access to common tasks, a tree view showing the nodes under management, and a main window to view, modify and delete data. Nodes are objects in the enterprise, typically routers, switches, firewalls, load balancers, and Unix and Windows systems, and are grouped by function, geography or business requirements.
The latest version of Tripwire Enterprise goes beyond its predecessors, Tripwire for Servers and Tripwire for Network Devices. It's now able to monitor and manage 10,000 servers and 100,000 network devices simultaneously through a single console. (Tripwire for Servers is still available as a separate product.)
Tripwire Enterprise provides robust reporting with 13 different standard reports and a dashboard that presents up-to-the-minute graphical indicators of system compliance.
Organizations have no choice but to enforce rigorous change control, for their own security and for audits and regulatory compliance. The costs can add up quickly, but Tripwire Enterprise is designed for large organizations that need to monitor thousands of devices. Those that have tried to accomplish this with combinations of manual processes and free tools will quickly see the value of this robust and easy-to-implement product.
This product review originally appeared in the July 2005 issue of Information Security magazine.