Managing Security and System Integrity

Upload: rose-veronica-barber

Post on 17-Dec-2015


TRANSCRIPT

Page 1: Managing Security and System Integrity. Value Proposition  Need for high reliability and integrity of information networks  Need for security at multiple

Managing Security and System Integrity

Page 2

Value Proposition

- Need for high reliability and integrity of information networks
- Need for security at multiple levels: operating systems, applications, network components, etc.
- Increased risk and frequency of DDoS attacks, worms, insider attacks, and outages from accidental IT issues

Page 3

Elevator Pitch

Tripwire is the data integrity assurance company. Our software assures the integrity of data by:

- Establishing a baseline of data in its desired state,
- Detecting and reporting any changes to the baseline, and
- Enabling rapid discovery and remediation when an undesired change occurs.

In this way, Tripwire establishes the foundation for data security and ensures a safe, productive, and stable IT environment.

Page 4

Situation Today

- All servers are vulnerable to data integrity threats
  - By both internal and external sources.
  - Configuration errors by new or inexperienced administrators
  - New service packs, application updates, patches, etc.
- Notification only initiates the process
  - Determination or assessment accounts for most of the effort in repairing a problem. Pinpointing your efforts is critical to getting back to a known good state quickly.
- Perimeter defenses only solve part of the problem
  - Can only tell you that you’ve been compromised.
  - Doesn’t tell what data has changed.

Page 5

Tripwire in layered security

[Diagram labels: Internet; Firewall/network; Authentication/Authorization/Administration; Log Analyzer/Anti-virus; Encryption; Data Integrity]

Page 6

Causes of System and Network Downtime

[Pie chart. Segments: downtime due to inside malicious acts; downtime due to outside malicious acts; downtime due to non-malicious events. Values shown: 20%, 5%, 75%.]

Source: Tripwire Industry Research

Page 7

Network Downtime: Causal Factors

Network and application downtime can result from a variety of factors. Based on IDC research, the chart below provides an analysis of network downtime (i.e., complete failure, significant latency, or only partial availability) causal factors for organizations with greater than 1,000 employees. On average, the LAN experienced downtime between 2 – 3 hours per month, while the WAN experienced downtime of similar length. Causal factors include: (1) Environmental, (2) Operator Error, (3) Application Failures, and (4) Malicious Events. IDC analysis indicates fully 97% of network downtime is due to non-malicious events.

[Chart: Causal Factors of Network Downtime. Values shown: 19%, 39%, 39%, 3%. Categories: Environmental Failures; Operator Errors; Application Failures; Malicious Events.]

Page 8

Benefits of Data Integrity Assurance

Data Integrity Assurance benefits your company by:

- Establishing a Foundation for Data Security
- Lowering Costs
- Maximizing System Uptime
- Providing Increased Control and Stability

In a rapidly changing, highly unpredictable environment, Tripwire is the only way of knowing, for certain, that your data is safe and your systems remain uncompromised.

Page 9

Who Recommends Tripwire?

- The NSA 60 Minute Network Security Guide, published by the National Security Agency
- The CERT® Guide to System and Network Security Practices, written by Julia H. Allen
- State of the Practice of Intrusion Detection Technologies, by CERT Coordination
- Computer Security Handbook
- Windows 2000 Security Handbook
- System Administration, Networking and Security (SANS) Institute
- Practical Unix and Internet Security
- Handbook for Computer Security Incident Response Teams

Page 10

What is Data Integrity?

- Assuring that objects (files, system registry) and infrastructure items (server data, Web page content, router configurations, etc.) remain in a desired good state.
- Deviations from the desired state are identified via an integrity check.
- Alerts will be generated and routed to the appropriate parties, and other software systems, enabling rapid recovery.

Page 11

Maximizing IT Security and Reliability

Goal: Maximize ROI

- Challenge: Security
  - "My job is on the line due to data security issues"
  - Tripwire sets the foundation for an effective security strategy
- Challenge: Discovery
  - "Something’s wrong. And, we don’t know what or where to start"
  - Tripwire pinpoints exact changes, allowing for rapid remediation
- Challenge: Audit
  - "I have to comply with internal and external requirements and regulations"
  - Tripwire provides a tamper-proof record of system status, with audit trail of changes
- Challenge: Control
  - "I have to be able to document and explain everything I do to my systems"
  - Tripwire detects all changes to systems and provides a framework for documentation
- Challenge: Resources
  - "I’m expected to scale capacity and maintain service levels with fewer people & a lower budget"
  - Tripwire increases staff productivity and leverages existing IT investment
- Challenge: Confidence
  - "I need to know that my systems can be trusted and demonstrate that to others"
  - Tripwire ensures trust by verifying and confirming that systems are in a known good state

jcrema
This slide seems way too busy. It is difficult to know where to start reading. Overwhelming.

Page 12

Where will you deploy Tripwire?

Enterprise integrity at each and every point…

- Web/E-commerce Servers
- DNS Servers
- Application Servers
- Firewalls
- File and Print Servers
- Database Servers
- Email Servers

Page 13

How Does Tripwire Work?

1. Take digital snapshot of existing files
2. Take a second digital snapshot later in time to compare
3. Any integrity violations are reported in various formats

[Diagram labels: SSL; Tripwire Manager; Email; Syslog; SNMP]

Page 14

Supported Platforms

Tripwire Manager

- Solaris 7 & 8
- Microsoft Windows NT 4.0 - Workstation, Server, Enterprise Server
- Windows 2000 - Professional, Server and Advanced Server

Tripwire for Servers

- Solaris (Sparc) 2.6-7, 8
- Microsoft Windows NT 4.0 - Workstation, Server, Enterprise Server
- Windows 2000 - Professional, Server and Advanced Server
- Windows XP
- HP-UX 10.2, 11.0, 11i
- Compaq Tru64 UNIX 4.0F, 4.0G, 5.0A, 5.1 and 5.1A
- IBM AIX 4.3, 4.3.3
- FreeBSD 4.3
- Linux – Various distributions, kernel 2.2 and 2.4

Page 15

Built On Strong Security Technology

- Tripwire Protects Itself
  - El Gamal 1024-bit asymmetric cryptography
- Four message-digest algorithms used to ensure data integrity
  - MD5
  - Haval
  - SHA/SHS
  - CRC 32
- Authentication and Encryption Between Manager and Server
  - All data transmission uses SSL (Secure Socket Layer)
  - 168 Triple DES Encryption

Page 16

What does Tripwire Monitor?

Unix File System

- Permissions
- Inode number
- Number of links (i.e. inode reference count)
- User ID of owner
- Group ID of owner
- File type
- File size
- File is expected to grow
- Device number of the disk on which the inode is stored
- Device number of the device to which the inode points
- Number of blocks allocated
- Access timestamp
- Modification timestamp
- Inode creation / modification timestamp
- CRC-32 hash of the data
- MD5 hash of the data
- SHA hash of the data
- HAVAL hash of the data
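
The snapshot, compare and report cycle from the "How Does Tripwire Work?" slide, applied to a subset of the Unix File System attributes, as an added Python example; it is not Tripwire's code and not part of the original deck. SHA-256 stands in for the digest algorithms the deck names, and the file names in `demo()` are constructed sample data.

```python
import hashlib
import os
import stat
import tempfile

# Subset of the slide's Unix attributes. Access time is left out on purpose:
# hashing a file reads it, which can itself move that timestamp.
TRACKED = ("mode", "inode", "nlink", "uid", "gid", "size", "mtime", "ctime", "sha256")

def snapshot_file(path):
    """Record metadata (and a content hash for regular files) for one path."""
    st = os.lstat(path)  # lstat: describe a symlink itself, not its target
    entry = {"mode": stat.filemode(st.st_mode),  # file type + permission bits
             "inode": st.st_ino, "nlink": st.st_nlink,
             "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size,
             "mtime": st.st_mtime_ns, "ctime": st.st_ctime_ns, "sha256": None}
    if stat.S_ISREG(st.st_mode):
        digest = hashlib.sha256()  # swapped in for the deck's MD5/SHA/HAVAL/CRC-32
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        entry["sha256"] = digest.hexdigest()
    return entry

def take_snapshot(root):
    """Steps 1 and 2: walk the tree and snapshot every file and directory."""
    snap = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            snap[os.path.relpath(full, root)] = snapshot_file(full)
    return snap

def compare(baseline, current):
    """Step 3: report added, removed and changed paths with the differing attributes."""
    report = {"added": sorted(set(current) - set(baseline)),
              "removed": sorted(set(baseline) - set(current)),
              "changed": {}}
    for path in sorted(set(baseline) & set(current)):
        diff = [a for a in TRACKED if baseline[path][a] != current[path][a]]
        if diff:
            report["changed"][path] = diff
    return report

def demo():
    """Constructed sample tree: one same-size edit, one chmod, one delete, one new file."""
    with tempfile.TemporaryDirectory() as root:
        files = {"app.conf": "debug=0\n", "motd": "welcome\n", "old.log": "x\n"}
        for name, text in files.items():
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write(text)
            os.chmod(path, 0o644)
        baseline = take_snapshot(root)
        with open(os.path.join(root, "app.conf"), "w") as fh:
            fh.write("debug=1\n")                      # same size, new content
        os.chmod(os.path.join(root, "motd"), 0o666)    # permission change only
        os.remove(os.path.join(root, "old.log"))
        with open(os.path.join(root, "new.sh"), "w") as fh:
            fh.write("#!/bin/sh\n")
        return compare(baseline, take_snapshot(root))

if __name__ == "__main__":
    for kind, detail in demo().items():
        print(kind, detail)
```

A baseline stored on the monitored host is only as trustworthy as that host; the deck's answer is to sign it ("Tripwire Protects Itself"), which this example does not do.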

Page 17

What does Tripwire Monitor?

Windows NT/2000 File System

- Archive flag
- Read only flag
- Hidden flag
- Offline flag
- Temporary flag
- System flag
- Directory flag
- Last access time
- Last write time
- Create time
- File size
- MS-DOS 8.3 name
- NTFS Compressed flag
- NTFS Owner SID
- NTFS Group SID
- NTFS DACL
- NTFS SACL
- Security descriptor control
- Size of security descriptor for this object
- 0 to 4 hashes of the default data stream
- Number of NTFS data streams
- 0 to 4 hashes of non-default data streams

Page 18

What does Tripwire Monitor?

Windows NT/2000 Registry

- Registry type: key or value
- Owner SID
- Group SID
- DACL
- SACL
- Name of class
- Number of subkeys
- Maximum length of subkey name
- Maximum length of classname
- Number of values
- Maximum length of the value name
- Maximum length of data for any value in the key
- Security descriptor control
- Size of security descriptor
- Last write time
- Registry type: key or value
- Type of value data
- Length of value data
- CRC-32 hash of the value data
- MD5 hash of the value data
- SHA hash of the value data
- HAVAL hash of the value data

Page 19

Tripwire Manager

- Powerful, easy-to-use software for managing up to 2500 Tripwire for Servers installations
- Centralized management and easy distribution of policies
- See changes over your entire enterprise by object, violation type or group
- Centralized analysis allows you to:
  - Quickly assess which systems have been changed
  - Correlate changes across multiple systems

jcrema
Capitalize sub points in last bullet

Page 20

Tripwire Manager 3.0

Tripwire Manager Features:

- Centralized reporting
- Centralized policy management
- Edit & distribute configuration file
- Edit & distribute policy file
- Execute manual integrity checks
- Update Tripwire database
- Centralized scheduling

[Diagram: Tripwire Manager Architecture. Labels: Tripwire Manager; NT or UNIX; Tripwire for Servers NT/2000 (two); Tripwire for Servers UNIX (two); SSL; Commands; Reports; Data]

Page 21

Active vs. Passive Tripwire Managers

- Multiple Tripwire Managers monitoring the same set of Tripwire for Servers
- Active Tripwire Manager has complete management control
- Passive Tripwire Manager has view only control
- Active control is passed when Tripwire Manager is shut down
- Can have only one active connection for each TFS

[Diagram labels: Tripwire Manager Active; Tripwire Manager Passive; Tripwire for Servers (several)]

Page 22

Key Benefits of Tripwire

- Faster discovery and diagnosis of problems
  - Results in faster remediation and less down time
- Augments other security and systems management
  - Helps you maximize the effectiveness of your IT investments
- Identifies changes, regardless of source or intent
  - Doesn’t rely on known patterns or signatures
  - Detects accidental and malicious changes
- Peace of mind
  - Helps you know which systems you can trust, and which ones you can’t

Page 23

In Summary

Tripwire…

- Is the foundation for an effective security strategy and assures the integrity of data wherever it resides across your network.
- Gives you control over your IT infrastructure by quickly pinpointing areas of change to enable fast, effective remediation.
- Is the standard for data integrity assurance and the trusted choice in 92 countries around the world.

jcrema
dashes in sub-points not consistent
XX countries