When Purdue student Gene Kim and professor Gene Spafford teamed up to build the initial version of Tripwire back in 1992, little did they know their intrusion detection techniques would become industry standards for a $2.71 billion market in 2014, with growth estimates of $5.04 billion by 2019. Clearly the ever-rising threat of sophisticated cyber attacks and security breaches will only broaden the landscape for security solutions over time. Hackers are becoming increasingly clever; on top of this, vulnerabilities will keep surfacing and resurfacing in critical software components.
Take, for instance, the recently announced Ghost vulnerability. Previously fixed in 2013, the bug made a grand reappearance last month, sending linux administrators everywhere in a mad scramble to patch their GNU C Libraries (glibc). Security professionals must be vigilant and proactive in hardening their systems, but in many cases have only quick response time on their side for mitigating potential security breaches. To this end, intrusion detection and protection systems (IDPS) like Tripwire play a crucial role in providing requisite security awareness to IT staff for decreasing time-to-resolution during a crisis.
Tripwire and IDPS: The Basics
An IDPS serves three primary functions: it detects a potential intrusion, alerts IT staff of the event, and in many cases attempts to block or inoculate the attack. IDPS solutions come primarily in two forms: network-based and host-based systems. A network-based IDPS is usually a hardware appliance or device that monitors traffic and analyzes data packets for suspicious activity, while a host-based IDPS is software installed on a host machine that monitors local configuration information and application activity for irregularities.
Tripwire is a host-based IDPS. It runs data integrity checks on the host machine’s state and reports its findings to the user. To perform a diff between the two states, Tripwire first scans and stores initial information on each file as cryptographic hashes in a database (thereby eliminating the need to load the actual file contents). A security breach would ostensibly result in local files changing in size and contents--so if a difference in the stored hash value is detected upon scanning the files, an intrusion flag is raised and the user is notified.
This basic, underlying method for intrusion detection is common across all of Tripwire’s offerings, and indeed-- most competing IDPS offerings follow the same or similar approach. For this discussion, we will be comparing Tripwire Enterprise with the open-source version of Tripwire based on code originally contributed by the company back in 2000.
Tripwire Enterprise vs. Tripwire Open Source
Despite the eventual formation of Tripwire, Inc. as a for-profit venture in 1997, the free open source version of the IDPS is still alive and faring well today. Available for download on SourceForge, Open Source Tripwire is targeted at Linux distributions and must be compiled from source tarballs prior to installation. This, along with installation and configuration, obviously require some level of Linux administration skill. Tripwire currently doesn’t offer a free version of their IDPS for Windows platforms, so non-Unix/Linux users are out of luck in this regard.
In terms of features, Open Source Tripwire shares much of the basic IDPS functionality contained in its enterprise counterpart, like the ability to alert different users/groups based on the nature of the detected changes, assessing the level of seriousness of compromised file/directories, and syslog reporting, among others. Technical support and assistance is community-driven, as is expected with most free, open source offerings. Tripwire Open Source is an ideal security solution for small-scale use cases such monitoring a single Linux server or small Linux farm.
Tripwire Enterprise is geared towards large organizations with sizeable IT infrastructures in place. Unlike the free version, the enterprise offering is available for Windows, Linux, as well as other Unix variants such as Solaris and AIX. Technical support can be had via phone or email, and professional services is available on-call to assist in custom installations. Various other features abound in the enterprise version; for example, Tripwire Manager enables centralized management and reporting of multiple Tripwire installations.
In general, the IDPS requirements of larger corporate firms differ in that they need features such as multi-platform support, centralized control/reporting, advanced automation features, and professional support-- all which come standard with enterprise, but are noticeably absent in the open source version. Additionally, Tripwire Enterprise comes with bells and whistles targeted for corporate customers, such as out-of-the-box compliance policies for adherence to measures such as PCI and NIST.
$8K+ (1 server license)
Skill Required (install/use)
Basic admin/varies by OS
Intermediate Linux admin
Centralized control, reporting, automation, out-of-the-box compliance policies, and more
Basic monitoring capabilities
Standard phone/email support during business hours; Premier Support Customers can access support 24 hours/7 days a week
So for single or smaller Linux installations that require basic IDPS protection, Open Source Tripwire is a viable option-- especially for those with basic Linux administration skills that require minimal hand-holding in setup and configuration. For more advanced use cases that require multi-platform support, a direct line to technical assistance, centralized reporting, and other compliance and automation features, Tripwire Enterprise is the way to go.