Internet.com ISP-Planet
 
Intrusion Detection Systems: Tripwire

Tripwire's commercial product (based on an open source project of the same name) offers a configuration control solution that helps users find and fix problems as they occur.

by Jeff Goldman
[January 14, 2009]
Tripwire, Inc., founded back in 1997, has evolved significantly over the years—the company's first product offering, Tripwire for Servers, was focused on change auditing in the server environment, while Tripwire Enterprise, first released in 2004, is designed to monitor not just servers but also databases, network devices, applications, middleware, and more.

Steve Hall, Tripwire director of products, says Tripwire Enterprise now does much more than simply monitor for changes. "We've added the ability to do configuration assessment—to proactively assess and validate the state of your IT infrastructure and the state of your system, and compare that existing state against a known and trusted state," he says.

That can include benchmarks and standards, Hall says, from a wide range of sources such as CIS, NIST, DISA, and others. "We've essentially built these best practices templates into Tripwire Enterprise to allow customers to very easily compare their systems against these best practices and identify where weaknesses exist," he says.

Tripwire
One Main Place
101 SW Main St., Ste. 1500
Portland, OR 972045
Voice: (800) 874-7947
E-mail (U.S.): sales@tripwire.com

In addition, Hall says, Tripwire Remediation Advisor provides step-by-step instructions on resolving any issues that do appear. "Within the product, we essentially say, 'Here's where the red popped up, and here's the three steps you need to take to fix that problem,' and then we empower the customer to go off and manually do that," he says.

The Tripwire product line is based on the Open Source Tripwire project—but Hall says the functionality of the commercial offering now reaches far beyond that of the open source project. "We are the best of breed solution out there, and we continue to think long term in terms of how else we can add strategic value to our customer base," he says.

Proactive functionality
The idea, Hall says, is to do much more than just tell you when you're sick. "We're proactive in giving you some guidance on how to get yourself feeling better—and then we're going to tell you any time it deviates from that state by identifying what changed, when did it change, who changed it, etc., and giving you visibility not only to the changes, but to those changes that have the most critical aspects to them," he says.

Hall says the reporting functionality that's offered within Tripwire Enterprise is extensive. "We have over 50 out-of-the-box reports now—these are customizable reports and dashboards that customers can use," he says. "You can use them, switch them around, and change the settings: it's a very simple interface."

Still, Hall notes that Tripwire Enterprise's functionality is distinct from that of a standard intrusion detection system: while an IDS looks for vulnerabilities, Tripwire is monitoring for configuration changes on a more basic level. "So a lot of times we see customers that are using this in conjunction with some of the other tools or other solutions that they have in house, such as an IDS technology," he says.

While the company still sells the original Tripwire for Servers product, Hall says it's now offered mostly to meet the certification requirements of the government sector. "We are Common Criteria certified on Tripwire for Servers, and because Tripwire Enterprise itself is not certified yet, Tripwire for Servers ends up being the default standard," he says.

Pricing for Tripwire Enterprise includes one cost for the central console, then additional pricing per agent. "We are agentless within the network device and virtualization platforms, and agents everywhere else. What we see is customers deploying to their most critical systems first, and then exploring ways that they can expand," Hall says.

Virtualization, visibility, and velocity
The latest version of the product is Tripwire Enterprise 7.5V—with the V, Hall says, standing for virtualization, visibility and velocity. "We've made a big push into the virtualization security and compliance space by integrating with VMware's VirtualCenter or vCenter and having auto-discovery of your virtual infrastructure elements within Tripwire Enterprise," he says.

The need for velocity, Hall says, is tied in directly with support for virtualization. "With the dynamic nature of virtualization, things are popping up and down, going off and online constantly, because it's so easy to use, and what used to take two days now takes two minutes to do. So Tripwire added a lot of capabilities and functionality to look at the settings of the VMware infrastructure," he says.

Tripwire Enterprise 7.5V also adds a widget-based home page to the interface. "You have the ability to share up-to-the-minute information: it could be, 'Tell me the PCI status of my Windows 2003 servers,' 'Tell me how my overall security posture has changed from last week to this week,' 'Tell me how I compare to my security policies for NIST compliance'—it's entirely customizable," Hall says.

The idea, Hall says, is to make management of the system as simple as possible. "It makes it much more actionable, and really eliminates the need for daily or weekly reporting," he says. "It gives people access, right up to the minute, of the information that they need to get at in a timely way—it takes out all the extraneous information and makes it more proactive."

And that's really the aim, Hall says, of the Tripwire offering in general. "It's not just about what's changed," he says. "It's also about saying, 'What's wrong in my environment, what is my security and compliance posture—and help me get to the root of making this more manageable and easy and relevant; and then help me fix it.'"
