Fee versus free, how do the two compare when it comes to intrusion detection? Specifically, how does the open source Advanced Intrusion Detection Environment (AIDE)—commonly referred to as the free Tripwire replacement—stack up against Tripwire Enterprise, the longstanding leader in this category?
Portland-based Tripwire also offers an open source version of its flagship intrusion detection/protection (IDPS) and security configuration management (SCM) platform named—appropriately enough—Tripwire Open Source. For this comparison we'll be comparing the flagship IDPS/SCM platform with its enterprise bells and whistles (and enterprise price tag to boot) to the minimalist, highly popular AIDE offering.
Tripwire Enterprise shares much of its basic IDPS functionality with Tripwire Open Source—different users/group alerts based on detected change type, compromised file/directory severity assessment, and syslog reporting, among others. However, the platform is geared for large organizations with sizeable IT infrastructures; this is manifest in advanced features and capabilities such as support for Windows and a variety of *nix flavors, centralized management and reporting of multiple Tripwire installations, and out-of-the-box policies for adherence to compliance measures such as PCI and NIST, among others. Vulnerability management (Tripwire IP360) and log intelligence (Tripwire Log Center) add-ons round out the the platform's capabilities, at a cost.
The Tripwire Enterprise UI. Source: softwareasia.com.
AIDE was created in 2010 as a Tripwire replacement for baseline control, change detection, and rootkit detection. Using regular expression (regex) rules detailed in configuration files, it creates a database for validating the integrity of files. The tool is strictly command-line (CLI) driven and scheduled/triggered via cron to run system scans for detecting changes in directories and files to be monitored.
The AIDE interface. Source: theurbanpenguin / YouTube.com.
Side-by-Side Scoring: Tripwire vs. AIDE
1. Capability Set
Under the hood, both offerings create cryptographic hashes of critical system files, store the values in a database, and reference the data store for reporting and other purposes. Overall, Tripwire posseses more robust monitoring and compliance features as well as advanced capabilities at a cost (e.g., cloud-based scanning, compliance assessment, and more). Simple yet powerful, AIDE is certainly the more barebones of the two offerings.
2. Ease of Use
Tripwire offers an enterprise GUI console for visual management while AIDE is strictly CLI-based. That said, Tripwire is notoriously difficult to configure/tune and maintain—especially when it comes to managing policies and customizations. Aside from its lack of a visual interface, AIDE's plain-text configuration files and database make it fairly straightfoward to manage for those with a decent grasp of the command line and regex.
3. Community Support
Tripwire doesn't provide/host any product forums or community portals—only white papers and case studies off its corporate website. Enterprise users are therefore relegated to Reddit or StackExchange for answers. In contrast, AIDE users have several community support resources at their disposal: Aid-devel (current/future AIDE development), the AIDE mailing list, and more. Check out its full range of community support resources on its SourceForge page.
4. Release Rate
Tripwire's release rate is difficult to ascertain from its website—Enterprise is currently on version 8.5, while its open source version hasn't been updated since 2013. Despite being less opaque when it comes to releases, AIDE is at version 0.16 with a 6-year delta between the current and previous stable release (0.15.1 / September 10, 2010).
5. Pricing and Support
Tripwire Enterprise's pricing is even less opaque than its release rate—notwithstanding, the solution is by any measure prohibitively expensive for non-enteprise shops and SMBs. Additionally, opting for components and add-ons such as cloud-based monitoring and compliance management will make deploying the platform a costly endeavor. Paid-for support options and professional services are available from the vendor. AIDE is a free, open-source offering with support options available from the project's SourceForge page.
6. API and Extensibility
As stated on the Tripwire website, “scripts and third-party software can use Tripwire Enterprise's SOAP API or command line interface to invoke functionality, including integrity checks, change reconciliation, version promotion, and report generation.” AIDE offers no API out-of-the-box, though—as an open source solution—it can be extended by modifying the source code directly
7. 3rd Party Integrations
Tripwire integrates with various third-party systems, from change and incident management systems to SIEM solutions (e.g., ServiceNow, Splunk, and Lastline, to name a few). Unfortunately, AIDE offers no third-party integrations out-of-the-box.
8. Companies that Use It
As a longstanding leader in enterprise IDPS/SCM solutions, Tripwire boasts a long and illustrious customer list that includes many of the world's most recognizable brands and Fortune 500s. As a Linux-only tool, AIDE is a popular free option for small/single deployments—that said, it's unknown how many or which prominent organizations are using it for intrusion detection.
9. Learning Curve
Both solutions have a steep learning curve in store for non-advanced users; in the case of Tripwire, proper set up/configuration, tuning, and policy refinement is not for the technologically faint-of-heart. Similarly, AIDE requires moderate proficiency with Linux, the CLI, and other shell-based tools.
Tripwire scores an average 694 CSTAR score—similarly, AIDE's SourceForge page also nets a mediocre 608 CSTAR score. Lack of HTTP strict transport Security, disabled DNSSEC, and server header information leakage are ailments that plague both websites' perimeter security.
Scoreboard and Summary
|Ease of Use|
|Pricing and Support|
|API and Extensibility|
|3rd Party Integrations|
|Companies that Use It|
|Total||3.2 out of 5||3 out of 5|
While its true that traditional cybersecurity solutions like endpoint protection tools and IDPS platforms cannot provide comprehensive protection in and of themselves, they nonetheless comprise a critical layer of an enterprise's layered continuous security framework. UpGuard's resilience platform gives organizations the ability to validate that all IT assets in their environments—Tripwire/AIDE deployments, security devices, switches, IoT devices, web apps, and more—are configured optimally and free from vulnerabilities. Try UpGuard today, it's free for the first 10 nodes.
Monitoring tools have come a long way since the early days of Big Brother. Today's solutions have evolved into powerful software troubleshooting and performance analytics platforms capable of deconstructing and analyzing the entire application stack—infrastructure up—for bugs and issues.
As perimeter-based cyber protection falls to the wayside, a new breed of continuous security solutions are emerging that combine traditional endpoint protection with newer technologies like security information and event management (SIEM) and crowdsourced threat intelligence.