How good can free be? Or perhaps a more fitting question is whether free can be good enough for securing one’s enterprise against current and future threats. To answer this, we’ll be comparing the popular open source host-based intrusion detection system (HIDS) OSSEC with commercial offering Tripwire Enterprise to find out if that pretty penny spent can indeed lead to a stronger security posture.
In a previous post, we compared Tripwire Open Source vs. OSSEC. Both are free, open source HIDS solutions—they collect and store information regarding a system’s files, configurations, and other critical data as a reference point for future validation. If changes are detected (malicious or otherwise), the proper IT staff are notified and actions are taken to stop and/or remediate the breach. Tripwire Enterprise shares the same core technology as its open source counterpart, but offers an additional suite of tools to address the needs of large organizations. As we’ll soon find out, this suite—along with some other bells and whistles—are what differentiate Tripwire Enterprise from OSSEC.
OSSEC
As a free, open source HIDS, OSSEC is actively used by many universities, non-profits, and government institutions for securing IT infrastructures. The solution has been implemented in many corporate data centers and over the years has proved itself a competent and cost-effective enterprise HIDS option. Developed by Daniel Cid and made public in 2004, the project has changed hands multiple times over its life: first, when it was acquired in 2008 by Third Brigade, and again when Trend Micro acquired Third Brigade in 2009. Trend Micro discontinued commercial support for OSSEC in 2014; as it stands, paid-for OSSEC support is limited to a few 3rd parties providers. That said, the product continues to be actively maintained and updated by a large user and developer community.
OSSEC runs on all major OS platforms: Linux, Windows (agent only), most Unix flavors, and Mac OS. It can be deployed in standalone mode in addition to the standard server-agent setup—albeit, the latter is necessary to fully tap into the project’s breadth of features. The server and agents communicate securely on UDP port 1514 via messages encrypted using the Blowfish algorithm and compressed using zlib. Check out the OSSEC features page for a full list of OSSEC features.
OSSEC consists of the following components:
- Main Application: the central manager for monitoring and receiving information from agents, syslog, databases and even agentless devices. It also stores the file integrity database and the log and event files. It must be installed on Linux, Solaris, BSD, or MacOS – no Windows support is available.
- OSSEC Agent: small programs installed on the nodes to be monitored. In a server-agent setup it collects and sends real-time information to the OSSEC server about the state of the node on which it’s installed. There is also a special Windows agent that runs only in the server-agent mode.
- Web Interface: the GUI for managing tasks and monitoring functions. Unfortunately, OSSEC's well-developed GUI does work on Windows platforms.
OSSEC also has an advanced log analysis engine that can analyze logs from multiple devices in several different formats such as FTP servers (ftpd, pure-ftpd), databases (PostgreSQL, MySQL), web servers (Apache, IIS, Zeus), mail servers (imapd, Postfix, Sendmail, Exchange, vpopmail), firewalls (iptables, Windows firewall, Cisco PIX, ASA) and even some competing NIDS solutions (Cisco IOS, Snort IDS) and Windows event logs.
Despite its perks, OSSEC has some notable drawbacks. Transitioning to newer versions of the platform can be difficult, as any previously defined rules are overwritten by default values upon upgrading. This means that existing rules must be exported and re-imported after the upgrade, with no telling what may occur while the system is temporarily using default rules. Miscoordination with pre-shared keys can also be problematic-- OSSEC’s client and server communicate via a Blowfish-encrypted channel, and occasionally—key sharing is initiated prior to the creation of said channel, which can make for a frustrating experience.
Tripwire Enterprise
Tripwire has its origins in a 1992 project by Purdue University graduate student Gene Kim and his professor Dr. Eugene Spafford. Since then, many of the techniques pioneered by the duo have become de facto standards for IDPS solutions at large. In addition to its core IDPS functionality, Tripwire Enterprise features multi-platform support, centralized control and reporting, a master-agent configuration mode, advanced automation features, and professional commercial support from parent company Tripwire Inc.
As mentioned previously, Tripwire is available as both an open source offering and a full-fledged enterprise version—check out Tripwire Open Source vs. Tripwire Enterprise to learn more about the differences between the two. The underlying technology shared by both employs agents to monitor systems and detect/report any unauthorized changes to files and directories. It first creates a baseline of all files in an encrypted file (encryption protects it from malware tampering) then monitors the files for changes, including permissions, internal file changes, and timestamp details. Cryptographic hashes are employed to detect changes in a file without storing its entire contents in the database. While useful for detecting intrusions after they’ve occurred, Tripwire can also serve many other purposes, such as integrity assurance, change management and policy compliance.
Tripwire Enterprise is geared towards large organizations with sizeable IT infrastructures in place. To this end, various features and accompanying solutions have been integrated with the platform to offer comprehensive enterprise coverage. For example, Tripwire Manager enables centralized management and reporting of multiple Tripwire installations. Additionally, Tripwire Enterprise comes with various other bells and whistles targeted for corporate customers, such as out-of-the-box compliance policies for adherence to measures such as PCI and NIST. Technical support can be had via phone or email, with professional services is available on-call to assist in custom installations.
Summary
OSSEC and Tripwire Enterprise both offer competent enterprise protection, but require different approaches to bolstering one’s security posture against current and future threats. OSSEC is generally more extensible and can work more easily with other 3rd-party tools (e.g., SIEM, NIDS, malware detection tools), while Tripwire Enterprise exists in its own ecosystem of complementary solutions to address gaps in the security pipeline. For example, Tripwire 360 augments the flagship offering with vulnerability management, while Tripwire WebApp360 provides web application and vulnerability scanning. Of course, these features come at a significant price tag, but for deep-pocketed organizations looking to buy into an ecosystem of solutions with commercial support, Tripwire Enterprise may be a desirable option. On the other hand, OSSEC users— unlike Tripwire customers—are not subject to vendor lock-in. Subsequently, they have more latitude to integrate OSSEC with other packages for creating a comprehensive security toolchain.
References
http://www.iraj.in/journal/journal_file/journal_pdf/3-27-139087836726-32.pdf
https://www.ossec.net/docs/manual/non-technical-overview.html
