Lock down your servers

Aug 22, 2003

Change detection products for your network do what they promise, but that doesn’t mean it’s easy

Keeping tabs on who’s doing what to the enterprise network is a crucial part of an IT manager’s job. The reason is obvious: In addition to threats posed by ill-behaved applications, there are problems with employees installing pirated software, worms getting in, rogue employees trying to break into files they shouldn’t see, and the occasional hacker trying to create havoc.

While intrusion-detection products promise to keep an eye on the network assets, their capabilities are limited. And, for the most part, they aren’t designed to protect against random acts of dumbness carried out by your employees.

The two change-detection applications reviewed here are designed to notice when something important changes on a system you’re monitoring. Both will alert the network manager to additions, deletions, or changes to files on the system; produce reports explaining what happened and by whom it was done; and if set up appropriately, reverse a change as soon as it’s made. The manner in which the Tripwire and Pedestal Software solutions perform these tasks varies somewhat, but when you get right down to it, they perform nearly identical functions. The major differences are the cost, the platforms they support, and how well they work.

Resisting Change

The Tripwire solution consists of two separate products. Tripwire for Servers is the product that actually installs on the servers and monitors them for changes. The changes are reported to the Tripwire Manager, which displays them to the network manager. Tripwire points out that you really only need Tripwire for Servers if you already have an SNMP management application that you’re using to keep tabs on your network. The company also has plug-ins for the Hewlett-Packard OpenView and IBM Tivoli management frameworks.

Installing Tripwire for Servers is straightforward, but it requires inserting the CD into each server — a tedious process if you have hundreds or even dozens of servers to monitor. For major installations, you can create an installation template that will make the process easier.

Once it’s up and running, Tripwire for Servers makes periodic integrity checks of the machine on which it’s installed. You can set the frequency of these checks, but be aware that each one takes a minute or so, and during that time, the machine shares its CPU cycles between Tripwire and whatever else it’s supposed to be doing. So it might not be a good idea to run Tripwire during the busiest part of your day.

The first time it runs, Tripwire creates a baseline configuration for each server, which it can update as needed. It uses this baseline to compare against later checks of each server to see what changed. The changes are reported in both graphical and text form on the Tripwire Manager screen. The graphical display makes it easy to see whether there are changes to the machines you’re monitoring, and the details are flagged by icons that indicate the type of change and the severity.

I tested Tripwire’s ability to pick up on changes I made by creating new folders and files in Windows’ Program Files and System32 directories. I also ran Windows Update and installed a couple of new programs. Tripwire picked up the changes when the next integrity check was run, and flagged them. Adding the changes to the baseline required a couple of clicks.
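As an added illustration of the baseline-and-compare mechanism behind a scheduled integrity check (this is example code, not Tripwire’s or Pedestal’s own), the Python below hashes every file under a directory into a baseline, then reports additions, deletions and modifications against it, flagging severity by path; the directory names, the severity rule and the exclusion of the monitor’s own state files are constructed assumptions for the demo.

```python
import hashlib, os, tempfile
HIGH_SEVERITY_PREFIXES = ("system32/", "program files/")  # constructed severity rule
def snapshot(root, exclude=()):
    """Hash every regular file under root; keys are forward-slash relative paths."""
    state = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel.startswith(exclude):
                continue  # skip the monitor's own state so its churn never floods the report
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            state[rel] = (digest, os.path.getsize(full))
    return state
def compare(baseline, current):
    """Return (kind, path, severity) tuples for files added, removed or modified since baseline."""
    changes = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            kind = "added"
        elif rel not in current:
            kind = "removed"
        elif baseline[rel] != current[rel]:
            kind = "modified"
        else:
            continue  # unchanged file
        severity = "high" if rel.lower().startswith(HIGH_SEVERITY_PREFIXES) else "low"
        changes.append((kind, rel, severity))
    return changes
def demo():
    """Constructed scenario: baseline a fake server tree, then make the kinds of changes the review tested."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        write("System32/kernel32.dll", b"original")
        write("Program Files/app/app.exe", b"v1")
        write("temp/notes.txt", b"scratch")
        write("monitor/db/state.bin", b"x")
        baseline = snapshot(root, exclude=("monitor/",))
        write("System32/unknown.exe", b"new")            # new file in a sensitive directory
        write("Program Files/app/app.exe", b"v2")        # installed binary changed
        os.remove(os.path.join(root, "temp/notes.txt"))  # file deleted
        write("monitor/db/state.bin", b"xy")             # monitor's own churn, excluded
        return compare(baseline, snapshot(root, exclude=("monitor/",)))
```

Adding a flagged change to the baseline, as the review describes, is just replacing the stored entry with the current snapshot’s value for that path.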

Because of the graphical nature of the interface, it’s possible to monitor Tripwire without spending your time staring at the screen. In addition, Tripwire can send out SNMP alerts and e-mail alerts, and you can even be notified on your cell phone or pager. You can choose whether to have a very terse summary (great for pagers), or a longer description (good for e-mail).

Tripwire was a solid performer in my tests. It found every change I made and reported it accurately. Management was reasonably easy, although the process isn’t the most user-friendly on the planet. The installation is inconvenient, although it functions as advertised, and it is possible to automate some facets of the installation for large enterprises.

Real-Time Reality

Pedestal Software makes a lot of fuss about its product’s ability to operate in real time. The idea is that you’re alerted to events in your enterprise as they’re happening, rather than having to wait for a scheduled check. Otherwise, Pedestal’s Intact performs basically the same functions as Tripwire but supports fewer platforms.

Intact promises easier setup (important in large enterprises with hundreds of servers), but that only proves true in limited situations. If you happen to have a network that’s still running NetBIOS (unlikely in today’s security-conscious organizations), then you can use Intact’s management console to remotely install the agents on your servers. Of course, if you are using an IP-only network, remote installation won’t work. Sadly, the Intact installer isn’t smart enough to know whether or not you’re running NetBIOS, so it offers the remote installation regardless. You’re required to know that you shouldn’t say yes when asked.

Similar glitches showed up throughout my testing of Intact. The product ships with MySQL, but the documentation makes no mention that it’s not the preferred database. Intact also lets you create invalid database names and setting changes when administering MySQL, even though you’ve told it that the database you’re using is the one provided. I also found no mention of the required settings for Microsoft SQL Server when I moved to that database. Consequently, SQL Server would not function properly with Intact.

Overall, Intact’s documentation is incomplete and inaccurate in many places, making it impossible to run and administer the package without recourse to tech support.

Once I got Intact running, I put the much-hyped real-time operation to the test. It turns out that what’s monitored in real time is the event log on the remote machine, and because the event log doesn’t record most changes, such as creating new directories or adding programs, most of the risks aren’t actually reported in real time. The only notification you get on the console is a list of events of all classifications. There’s no evaluation of the severity of the event, so the only way you can tell whether something important has happened is to read every entry. And with the real-time monitoring, lots of minor events show up, which will keep you busy but provide little value in terms of keeping an eye on your system.

Because the real-time operation depends on the Windows event log, any number of things can happen that you won’t know about. The folders and files I created in the Program Files and System32 directories, for example, never showed up until I ran a scheduled check. This means that I could have placed just about anything in those directories, including a worm, a virus, or spyware, and it wouldn’t have shown up on the real-time reports unless it triggered an event.

The result is an application that provides lots of not very useful information but manages to overlook potentially important items. Worse, even when it does alert you, you still have to know where to look. Fortunately, Intact does allow you to use SNMP alerts and e-mail alerts. In addition, it works with SNMP management frameworks, so you don’t have to depend on the included manager.

Intact’s periodic updates (which are similar to Tripwire’s integrity checks) did find the changes I made. Unfortunately, the vast majority of changes found by Intact seemed to be changes it generated itself, meaning that I had to search through a flood of items to find four changes that could have been significant.

Probably more serious are Intact’s difficulties with Microsoft SQL Server. I installed the product according to instructions (I had a company engineer on hand to help), and initially it worked fine. However, by the next day, I had received a flood of SQL errors on the console screen alerting me to the fact that the database could not be reached. A call to tech support revealed that I would have to shut down and restart the machine that contained the console and SQL Server. The reason? Apparently SQL Server had timed out and closed the database connection because I hadn’t adjusted its time-out setting. Why Pedestal Software didn’t either configure Intact’s timing to work with the default settings of SQL Server or at least reveal the need to make changes in the documentation remains a mystery.

Neither of these products is an example of the finest software available, but at least Tripwire’s product works as advertised. Unless you need Tripwire Manager, Tripwire isn’t much more expensive than Intact, and you get a more mature, more reliable product with documentation that reflects reality and tools that work as they should.

InfoWorld Scorecard

                              Implementation  Platform support  Value   Ease of use  Reliability  Overall Score
                              (10.0%)         (20.0%)           (7.0%)  (25.0%)      (35.0%)      (100%)
Tripwire for Servers 4.0      6.0             8.0               10.0    8.0          8.0          7.7
Pedestal Software Intact 3.5  6.0             7.0               7.0     6.0          6.0          6.3