Managing Security and System Integrity
Value Proposition
• Need for high reliability and integrity of information networks
• Need for security at multiple levels
  • Operating systems, applications, network components, etc.
• Increased risk and frequency of
  • DDoS attacks, worms, insider attacks, and outages from accidental IT issues
Elevator Pitch
Tripwire is the data integrity assurance company. Our software assures the integrity of data by:
• Establishing a baseline of data in its desired state,
• Detecting and reporting any changes to the baseline, and
• Enabling rapid discovery and remediation when an undesired change occurs.
In this way, Tripwire establishes the foundation for data security and ensures a safe, productive, and stable IT environment.
Situation Today
• All servers are vulnerable to data integrity threats
  • From both internal and external sources
  • Configuration errors by new or inexperienced administrators
  • New service packs, application updates, patches, etc.
• Notification only initiates the process
  • Determination and assessment account for most of the effort in repairing a problem. Pinpointing your efforts is critical to getting back to a known good state quickly.
• Perimeter defenses only solve part of the problem
  • They can only tell you that you’ve been compromised.
  • They don’t tell you what data has changed.
Tripwire in layered security
(Diagram of security layers between the Internet and the data: Firewall/network, Encryption, Log Analyzer/Anti-virus, Authentication/Authorization/Administration, Data Integrity)
Causes of System and Network Downtime
(Pie chart)
• Downtime due to non-malicious events: 75%
• Downtime due to inside malicious acts and downtime due to outside malicious acts: the remaining 20% and 5% slices
Source: Tripwire Industry Research
Network Downtime: Causal Factors
• Network and application downtime can result from a variety of factors. Based on IDC research, the chart below provides an analysis of the causal factors of network downtime (i.e., complete failure, significant latency, or only partial availability) for organizations with more than 1,000 employees. On average, the LAN experienced downtime of 2 – 3 hours per month, while the WAN experienced downtime of similar length.
• Causal factors include: (1) Environmental, (2) Operator Error, (3) Application Failures, and (4) Malicious Events.
• IDC analysis indicates that fully 97% of network downtime is due to non-malicious events.
Benefits of Data Integrity Assurance
Data Integrity Assurance benefits your company by:
• Establishing a Foundation for Data Security
• Lowering Costs
• Maximizing System Uptime
• Providing Increased Control and Stability
In a rapidly changing, highly unpredictable environment, Tripwire is the only way of knowing, for certain, that your data is safe and your systems remain uncompromised.
Who Recommends Tripwire?
• The NSA 60 Minute Network Security Guide, published by the National Security Agency
• The CERT® Guide to System and Network Security Practices, written by Julia H. Allen
• State of the Practice of Intrusion Detection Technologies, by the CERT Coordination Center
• Computer Security Handbook
• Windows 2000 Security Handbook
• System Administration, Networking and Security (SANS) Institute
• Practical Unix and Internet Security
• Handbook for Computer Security Incident Response Teams
What is Data Integrity?
• Assuring that objects (files, the system registry) and infrastructure items (server data, Web page content, router configurations, etc.) remain in a desired good state.
• Deviations from the desired state are identified via an integrity check.
• Alerts are generated and routed to the appropriate parties and to other software systems, enabling rapid recovery.
Maximizing IT Security and Reliability
(Slide matrix: each challenge, the customer’s own words, and Tripwire’s response)
Challenge: Security
  Customer: “My job is on the line due to data security issues”
  Tripwire sets the foundation for an effective security strategy
Challenge: Confidence
  Customer: “I need to know that my systems can be trusted and demonstrate that to others”
  Tripwire ensures trust by verifying and confirming that systems are in a known good state
Challenge: Resources (Goal: Maximize ROI)
  Customer: “I’m expected to scale capacity and maintain service levels with fewer people & a lower budget”
  Tripwire increases staff productivity and leverages existing IT investment
Challenge: Discovery
  Customer: “Something’s wrong. And, we don’t know what or where to start”
  Tripwire pinpoints exact changes, allowing for rapid remediation
Challenge: Control
  Customer: “I have to be able to document and explain everything I do to my systems”
  Tripwire detects all changes to systems and provides a framework for documentation
Challenge: Audit
  Customer: “I have to comply with internal and external requirements and regulations”
  Tripwire provides a tamper-proof record of system status, with an audit trail of changes
Where will you deploy Tripwire?
• Enterprise integrity at each and every point…
  • Web/E-commerce Servers
  • DNS Servers
  • Application Servers
  • Firewalls
  • File and Print Servers
  • Database Servers
  • Email Servers
How Does Tripwire Work?
(Diagram labels: Tripwire Manager, SSL, Email, Syslog, SNMP)
1. Take a digital snapshot of existing files
2. Take a second digital snapshot later in time to compare
3. Any integrity violations are reported in various formats
Supported Platforms
Tripwire Manager
• Solaris 7 & 8
• Microsoft Windows NT 4.0 - Workstation, Server, Enterprise Server
• Windows 2000 - Professional, Server and Advanced Server
Tripwire for Servers
• Solaris (Sparc) 2.6-7, 8
• Microsoft Windows NT 4.0 - Workstation, Server, Enterprise Server
• Windows 2000 - Professional, Server and Advanced Server
• Windows XP
• HP-UX 10.2, 11.0, 11i
• Compaq Tru64 UNIX 4.0F, 4.0G, 5.0A, 5.1 and 5.1A
• IBM AIX 4.3, 4.3.3
• FreeBSD 4.3
• Linux – various distributions, kernel 2.2 and 2.4
Built On Strong Security Technology
• Tripwire Protects Itself
  • ElGamal 1024-bit asymmetric cryptography
  • Four message-digest algorithms used to ensure data integrity
    • MD5
    • HAVAL
    • SHA/SHS
    • CRC-32
• Authentication and Encryption Between Manager and Server
  • All data transmission uses SSL (Secure Socket Layer)
  • 168-bit Triple DES encryption
What does Tripwire Monitor? Unix File System
• Permissions
• Inode number
• Number of links (i.e. inode reference count)
• User ID of owner
• Group ID of owner
• File type
• File size
• File is expected to grow
• Device number of the disk on which the inode is stored
• Device number of the device to which the inode points
• Number of blocks allocated
• Access timestamp
• Modification timestamp
• Inode creation / modification timestamp
• CRC-32 hash of the data
• MD5 hash of the data
• SHA hash of the data
• HAVAL hash of the data
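The three-step cycle on the “How Does Tripwire Work?” slide (baseline snapshot, later snapshot, violation report), the self-protection point on the “Built On Strong Security Technology” slide, and the Unix attribute list above can be shown together in one small checker. The Python below is an added example written for this page, not Tripwire’s code. It records the subset of the listed attributes that `os.stat` exposes portably plus CRC-32, MD5 and SHA-1 (HAVAL is not in Python’s standard library, so it is omitted), honours the “file is expected to grow” attribute for log files, and seals the baseline with an HMAC-SHA256 as a stand-in for the ElGamal signatures the deck mentions; the sample files, key and directory layout are constructed for the demo.

```python
# Added example (not Tripwire's code): a minimal integrity checker in the
# shape the deck describes: baseline snapshot, later snapshot, report of
# violations, with a sealed baseline so the checker's own database is
# tamper-evident. Assumptions are marked inline.
import hashlib
import hmac
import json
import os
import stat
import tempfile
import zlib


# Attributes from the "Unix File System" slide that os.stat exposes portably.
# HAVAL is not in hashlib, so this example records CRC-32, MD5 and SHA-1 only.
def file_properties(path):
    st = os.lstat(path)
    with open(path, "rb") as f:
        data = f.read()
    return {
        "permissions": stat.S_IMODE(st.st_mode),
        "file_type": stat.S_IFMT(st.st_mode),
        "inode": st.st_ino,
        "links": st.st_nlink,
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
        "mtime": int(st.st_mtime),
        "crc32": "%08x" % (zlib.crc32(data) & 0xFFFFFFFF),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def snapshot(root):
    """Steps 1 and 2 of the slide: record every regular file below root."""
    props = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            props[os.path.relpath(full, root)] = file_properties(full)
    return props


# Properties that legitimately change when a file is "expected to grow":
# a log that only got longer is not a violation, but one that shrank or
# changed owner or permissions still is.
GROW_OK = {"size", "mtime", "crc32", "md5", "sha1"}


def compare(baseline, current, growing=()):
    """Step 3 of the slide: report added, removed and changed objects."""
    report = {"added": sorted(set(current) - set(baseline)),
              "removed": sorted(set(baseline) - set(current)),
              "changed": {}}
    for path in sorted(set(baseline) & set(current)):
        old, new = baseline[path], current[path]
        diffs = [k for k in old if old[k] != new[k]]
        if path in growing and new["size"] >= old["size"]:
            diffs = [k for k in diffs if k not in GROW_OK]
        if diffs:
            report["changed"][path] = diffs
    return report


# The deck says Tripwire protects its own database with ElGamal signatures;
# an HMAC-SHA256 over the serialized baseline stands in for that here
# (assumption: a symmetric key kept off the monitored host is acceptable).
def seal(baseline, key):
    body = json.dumps(baseline, sort_keys=True)
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


def is_intact(sealed, key):
    expected = hmac.new(key, sealed["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["mac"])


def unseal(sealed, key):
    if not is_intact(sealed, key):
        raise ValueError("baseline database fails its integrity check; do not trust it")
    return json.loads(sealed["body"])


def _write(root, rel, data, mode="wb"):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, mode) as f:
        f.write(data)


def demo():
    """Constructed scenario in a temporary directory: one edited config file,
    one log that grew, one new file and one deleted file."""
    key = b"constructed-demo-key"  # constructed; never hard-code a real key
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/hosts", b"127.0.0.1 localhost\n")
        _write(root, "var/log/app.log", b"started\n")
        _write(root, "tmp/stale.txt", b"old\n")
        sealed = seal(snapshot(root), key)  # the baseline, taken once
        _write(root, "etc/hosts", b"127.0.0.1 localhost\n10.0.0.5 mirror\n")
        _write(root, "var/log/app.log", b"request handled\n", mode="ab")
        _write(root, "etc/extra.conf", b"new setting\n")
        os.remove(os.path.join(root, "tmp/stale.txt"))
        return compare(unseal(sealed, key), snapshot(root),
                       growing={"var/log/app.log"})


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script prints a report in which `etc/extra.conf` is added, `tmp/stale.txt` is removed, `etc/hosts` is changed in its size and all three digests, and the grown log is silent. The sealing step is what makes the baseline worth trusting: if the serialized database is altered, `unseal` refuses it before any comparison runs, which is the property the deck’s “Tripwire Protects Itself” bullet is about.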
What does Tripwire Monitor? Windows NT/2000 File System
• Archive flag
• Read only flag
• Hidden flag
• Offline flag
• Temporary flag
• System flag
• Directory flag
• Last access time
• Last write time
• Create time
• File size
• MS-DOS 8.3 name
• NTFS Compressed flag
• NTFS Owner SID
• NTFS Group SID
• NTFS DACL
• NTFS SACL
• Security descriptor control
• Size of security descriptor for this object
• 0 to 4 hashes of the default data stream
• Number of NTFS data streams
• 0 to 4 hashes of non-default data streams
What does Tripwire Monitor? Windows NT/2000 Registry
Registry keys:
• Registry type: key or value
• Owner SID
• Group SID
• DACL
• SACL
• Name of class
• Number of subkeys
• Maximum length of subkey name
• Maximum length of class name
• Number of values
• Maximum length of the value name
• Maximum length of data for any value in the key
• Security descriptor control
• Size of security descriptor
• Last write time
Registry values:
• Registry type: key or value
• Type of value data
• Length of value data
• CRC-32 hash of the value data
• MD5 hash of the value data
• SHA hash of the value data
• HAVAL hash of the value data
Tripwire Manager
• Powerful, easy-to-use software for managing up to 2500 Tripwire for Servers installations
• Centralized management and easy distribution of policies
• See changes over your entire enterprise by object, violation type or group
• Centralized analysis allows you to:
  • Quickly assess which systems have been changed
  • Correlate changes across multiple systems
Tripwire Manager Architecture
(Diagram: Tripwire Manager 3.0, on NT or UNIX, exchanges commands, reports and data over SSL with Tripwire for Servers installations on UNIX and NT/2000)
Tripwire Manager Features:
• Centralized reporting
• Centralized policy management
• Edit & distribute configuration file
• Edit & distribute policy file
• Execute manual integrity checks
• Update Tripwire database
• Centralized scheduling
Active vs. Passive Tripwire Managers
(Diagram: an active and a passive Tripwire Manager connected to the same four Tripwire for Servers installations)
• Multiple Tripwire Managers can monitor the same set of Tripwire for Servers installations
• The active Tripwire Manager has complete management control
• A passive Tripwire Manager has view-only control
• Active control is passed when the active Tripwire Manager is shut down
• Each TFS can have only one active connection
Key Benefits of Tripwire
• Faster discovery and diagnosis of problems
  • Results in faster remediation and less downtime
• Augments other security and systems management tools
  • Helps you maximize the effectiveness of your IT investments
• Identifies changes, regardless of source or intent
  • Doesn’t rely on known patterns or signatures
  • Detects accidental and malicious changes
• Peace of mind
  • Helps you know which systems you can trust, and which ones you can’t
In Summary
• Tripwire…
  • Is the foundation for an effective security strategy and assures the integrity of data wherever it resides across your network.
  • Gives you control over your IT infrastructure by quickly pinpointing areas of change to enable fast, effective remediation.
  • Is the standard for data integrity assurance and the trusted choice in 92 countries around the world.