In Depth
Intrusion Detection: Ain't No Flyswatter Big Enough
What do you do when somebody breaks into one of your organization's servers? When waving your hands wildly doesn't help, you'll need an intrusion detection plan.
By Simson Garfinkel
The Tripwire of today bears little resemblance to the program developed at Purdue. For starters, the program runs on both Windows and Unix. It has a management console that allows many systems under Tripwire to be centrally administered. It has a policy language that allows you to specify which files can be changed and which need to remain the same. There is even a reporting engine and an automatic alert notification system. In many ways, these changes mirror the changes that the whole computing industry has undergone during the same time period.
But the basic premise of Tripwire is still strong: It's impossible to run a reliable computing system when you don't know which software (and other configuration) files are being changed.
Curbing Unauthorized Access
On the other hand, as Kim told me in a recent interview, he and Spafford didn't understand the extent of what's now called the "change management" problem when they invented Tripwire back in the 1980s. Although the primary motivation for creating Tripwire was to detect intrusions, the real value in the business world, Kim says, has been in detecting unauthorized changes from authorized personnel. Although at times these might be from malicious employees bent on harming the company, more often they are well-intentioned or accidental changes from employees who were simply trying to do their jobs.
I have to agree with Kim. I've seen mission-critical servers shut down because a file was accidentally created in a critical directory or because an undocumented configuration file got overwritten by what was supposed to be a "minor" upgrade. And change management is only made harder by the inability of most operating systems to track precisely what happens when a patch or upgrade is applied.
These are some of the reasons that Tripwire's new marketing focus isn't security against hackers as much as the general problem of operational continuity and change management. Tripwire is increasingly being positioned as a tool both to detect unauthorized changes to configuration files and programs and to verify that proposed or required changes actually get made.
For these reasons, most Tripwire users have stopped storing their databases on removable floppy disks or CD-ROMs. These days you can get nearly the same security by storing the database over a LAN on another computer. It isn't quite as good, because there is always a chance that the bad guys will break into the computer that stores your Tripwire database. Nevertheless, many system administrators are happy to make this compromise in the interest of convenience.
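To make the mechanism concrete, here is a small file-integrity checker written for this article as an added example; it is not Tripwire's code and its policy format (an `immutable` / `volatile` / `watched_dirs` dictionary) is an assumption, not Tripwire's policy language. It snapshots the hash and permission bits of policy-listed files, re-checks them later, flags a file that appears unexpectedly in a watched directory (the "file accidentally created in a critical directory" case above), and seals the baseline with an HMAC so that a copy kept on another host over the LAN cannot be quietly rewritten without the key, which is the risk noted in the previous paragraph. All file contents and the key are constructed for the demo.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Constructed policy for this example (not Tripwire's policy language): files that must
# never change, files expected to change (logs), and directories in which the
# appearance of any file absent from the baseline is itself a finding.
POLICY = {
    "immutable": ["bin/login", "etc/passwd"],
    "volatile": ["var/log/messages"],
    "watched_dirs": ["etc"],
}


def file_digest(path: Path) -> str:
    """SHA-256 of the file contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, policy: dict) -> dict:
    """Snapshot digest, size and permission bits of every file the policy names."""
    baseline = {}
    for category in ("immutable", "volatile"):
        for rel in policy[category]:
            st = (root / rel).stat()
            baseline[rel] = {
                "category": category,
                "sha256": file_digest(root / rel),
                "size": st.st_size,
                "mode": st.st_mode & 0o7777,
            }
    return baseline


def check_integrity(root: Path, baseline: dict, policy: dict) -> list:
    """Compare the live tree against the baseline; return (path, finding) pairs."""
    findings = []
    for rel, entry in baseline.items():
        p = root / rel
        if not p.exists():
            findings.append((rel, "missing"))
            continue
        changed = (file_digest(p) != entry["sha256"]
                   or (p.stat().st_mode & 0o7777) != entry["mode"])
        # Volatile files (logs) are tracked, but a content change there is expected.
        if changed and entry["category"] == "immutable":
            findings.append((rel, "modified"))
    for d in policy["watched_dirs"]:
        for p in (root / d).rglob("*"):
            rel = p.relative_to(root).as_posix()
            if p.is_file() and rel not in baseline:
                findings.append((rel, "added"))
    return findings


def seal_baseline(baseline: dict, key: bytes) -> dict:
    """Serialise the baseline and attach an HMAC. The key lives with whoever runs
    the checks, not on the host that stores the database, so an intruder on that
    host cannot rewrite the baseline to match their changes without detection."""
    body = json.dumps(baseline, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "hmac": tag}


def load_sealed_baseline(sealed: dict, key: bytes) -> dict:
    """Recompute the HMAC and refuse a baseline whose tag does not match."""
    expected = hmac.new(key, sealed["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["hmac"]):
        raise ValueError("baseline tag mismatch: tampered database or wrong key")
    return json.loads(sealed["body"])


def demo() -> list:
    """Build a constructed file tree, baseline it, apply three changes, and report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {  # constructed sample contents
            "bin/login": b"login-binary-v1",
            "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
            "var/log/messages": b"boot ok\n",
        }
        for rel, content in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(content)
        key = b"constructed-demo-key"
        sealed = seal_baseline(build_baseline(root, POLICY), key)
        # Three changes: one unauthorised, one routine, one accidental stray file.
        (root / "bin/login").write_bytes(b"login-binary-v1-patched")
        (root / "var/log/messages").write_bytes(b"boot ok\nlogin ok\n")
        (root / "etc/stray.conf").write_bytes(b"left here by mistake\n")
        baseline = load_sealed_baseline(sealed, key)
        return sorted(check_integrity(root, baseline, POLICY))


if __name__ == "__main__":
    for path, what in demo():
        print(f"{what:8s} {path}")
```

Running the script reports `bin/login` as modified and `etc/stray.conf` as added, while the grown log file produces no finding because the policy marks it volatile. If the sealed database is edited on the storage host, `load_sealed_baseline` raises before any comparison is made, which is the property that makes keeping the database off the monitored machine worthwhile.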