Cha-Cha-Cha-Changes with Tripwire Enterprise 7

Auditing software can help IT get a handle on unwanted modifications to server and network infrastructure.

October 19, 2007

Network Computing

The Upshot
Tripwire combines change auditing with configuration assessment to help IT maintain operational, regulatory and security compliance as well as reduce management costs and improve efficiency. Tripwire provides configuration assessment tests that map to defined industry standards, such as PCI, Center for Internet Security, Sarbanes-Oxley, COBIT and others.
Tripwire complements CMDBs because it can help keep the information stored in CMDBs relevant, especially in the data center. Tripwire both competes and integrates with systems from AlterPoint, BladeLogic, Opsware, Voyence and others. Midsize organizations may use Tripwire as a general-purpose change and configuration management system; in large enterprises it will play a more complementary role for change audits.
Tripwire provides significant configuration and compliance capabilities to organizations to help them manage and monitor infrastructure changes. The application is extremely flexible—meaning it could become complex if not managed correctly. Tripwire integrates with other CMDB systems and can be a valuable front-line data analysis tool for most any IT shop.
Tripwire Enterprise 7

Any good IT manager knows that unplanned change is a leading cause of network downtime, not to mention security and compliance problems. Tripwire Enterprise 7 is the most recent addition to the host of tools available to help IT drive change management—not the other way around. Tripwire 7 detects all change across the network and server infrastructure. Unlike many rivals, it detects and analyzes changes to countless elements in both network and server environments. Examples we tested include registry settings, application configuration files on servers, database table structures, and Cisco IOS changes.

Tripwire allows for the development of acceptance workflow and criteria and provides the ability to alert and take action if a change is detected. The product also has a number of prebuilt policy templates available for download that are a great way to jumpstart installation.

In addition to monitoring for changes, Tripwire can resolve potential issues by reconciling changes within its own application or calling external processes from other change- or patch-management tools. If the change was expected, you can promote the associated change version to the baseline. If an unexpected change is detected in a configuration file, you may be able to restore the configuration from the baseline, or opt to use your existing element manager, such as CiscoWorks, to update the device.

On the downside, Tripwire doesn't provide much guidance for IT to assess the severity of a change, which could mean a considerable amount of upfront work when configuring alarms. Tripwire may also duplicate some functions of other server and network management tools.

Don't Fear Change

Tripwire monitors four device categories: Network nodes include routers, switches, firewalls or load balancers. File server devices represent servers and desktops running Windows, Unix or Linux. Directory server nodes represent LDAP or directory servers such as Microsoft Active Directory. A database device represents a single Oracle or MS SQL installation on a database server.

File server nodes require Tripwire's Enterprise Agent; other categories are scanned remotely. Some organizations won't be thrilled about running another agent on their applications—our own test server already had several running. That said, it's a relatively quiet piece of software, communicating with the Enterprise Server only if it detects a change.

Once your systems are monitored, you specify one or more rules that identify the monitored objects to be scanned, and assign a severity level. The severity level is a numeric value that indicates the importance of a detected change. The level assigned will completely depend on your organization. You can classify severity to indicate that something is out of regulatory compliance, or apply it to operational issues such as a missing security patch or poorly configured firewall or router.

On the one hand, this flexibility lets you customize the product to meet your operational concerns. On the other, it requires you to have a clear understanding of how the changes could impact your organization and what, specifically, you want to monitor. This may be daunting in a large environment. While Tripwire provides the tools to manage change severity, you need to determine your own processes and then use Tripwire to implement those policies. Be prepared to invest some time.

RSVP

Tripwire also allows you to define responses to changes, such as a configuration roll-back if an error is detected. You can run any action as part of a version check that might include an e-mail or notification into an external system.

Tripwire records a monitored object's state at a specific point in time, which Tripwire calls an element version. For our testing, we created a baseline as an authoritative version of a monitored object. As we made changes, Tripwire Enterprise compared the baseline with the current state of the monitored object.

When Tripwire found a change, it stored a change version of the element. While this capability is great if you don't have any other change-control product, a better approach is to use a CMDB or inventory management system to store authoritative versions and configurations. While Tripwire can store versions, it is best suited for notifying operations of changes and exceptions to approved configurations.
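The baseline-and-compare model described above, together with the severity rules and the promotion of expected changes covered earlier, as an added example. It is not Tripwire code and does not use Tripwire's API; the rule patterns, severity numbers and function names are assumptions made for illustration.

```python
import fnmatch, hashlib, os, tempfile

# Assumed rules (not Tripwire's): basename glob -> numeric severity; first match wins.
RULES = [("sshd_config", 100), ("*.conf", 50), ("*", 10)]

def snapshot(root):
    """Record an element version (SHA-256 digest) for each file under root."""
    versions = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                versions[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return versions

def severity(path):
    return next(s for glob, s in RULES if fnmatch.fnmatchcase(os.path.basename(path), glob))

def compare(baseline, current):
    """Return (path, kind, severity) for each difference, most severe first."""
    changes = []
    for path in sorted(set(baseline) | set(current)):
        if baseline.get(path) == current.get(path):
            continue
        kind = "added" if path not in baseline else "removed" if path not in current else "modified"
        changes.append((path, kind, severity(path)))
    return sorted(changes, key=lambda change: -change[2])

def promote(baseline, current, path):
    """Accept an expected change: the current version becomes the baseline."""
    updated = {p: v for p, v in baseline.items() if p != path}
    if path in current:
        updated[path] = current[path]
    return updated

def demo():
    """Constructed sample tree: baseline it, change two files, compare, promote one."""
    with tempfile.TemporaryDirectory() as root:
        def write(name, text):
            with open(os.path.join(root, name), "w") as fh:
                fh.write(text)
        write("sshd_config", "PermitRootLogin no\n")
        write("app.conf", "workers=4\n")
        baseline = snapshot(root)
        write("sshd_config", "PermitRootLogin yes\n")  # unexpected change
        write("app.conf", "workers=8\n")               # approved change
        current = snapshot(root)
        return compare(baseline, current), compare(promote(baseline, current, "app.conf"), current)
```

`demo()` returns the change list before and after the approved `app.conf` change is promoted; the unexpected `sshd_config` change stays flagged until it is either promoted or the file is restored.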

The reporting capability is functional but could use more pizzazz. When you run a report, the application displays output in tables and graphs, but it would be great to use the reporting engine to pull in other policy-based information and create flashier reports. IT does have a lot of control over what will be displayed in reports, which it can customize to suit the organization. You can also create a permanent record of reports and archive them in the Tripwire database or export output as an XML or PDF file, as well as scheduling reports and e-mailing them to specified recipients.

If that's not enough, you can combine as many as eight reports in a dashboard. We were a little disappointed that the dashboard merely consolidated reports as opposed to slicing and dicing the information in different ways. Only report types with graphic output can be added.

Have A Good Trip

Tripwire has added a lot of new features to version 7. The Configuration Assessment feature proactively assesses configuration settings and correlates them against internal or external policies. This assessment analyzes the state of your data center, correlating it against industry benchmarks and best practices or internal policies and standards. These out-of-the-box templates include mappings for PCI and Center for Internet Security (CIS) assessments, which are useful for all organizations.

Tripwire also integrates with leading CMDBs, including BMC Atrium, CA's CMDB, and HP's Universal CMDB, and supports CA Service Desk and the BMC Remedy AR System. Also added is support for virtualization, as Tripwire Enterprise 7 can run in VMware ESX partitions. Additional new features include more out-of-the-box reporting and coverage of multiple Linux platforms.

The enterprise server and reports license starts at $6,995—not a budget-buster for medium and large organizations. Desktop, database, network device and directory service monitoring licenses range from $95 to $1,295 per device. While these costs will add up quickly in large environments, unlike many policy and configuration management systems that require a hefty upfront investment, Tripwire allows you to start small and grow the product as you see value.

In extremely large environments, you will need some people power to get your arms around Tripwire, but the ability to manage your IT infrastructure will increase dramatically. If you have other CMDB or configuration and change management products in house, you may find overlapping functions with Tripwire, so take a close look. That said, most any IT operations group will benefit from Tripwire's capabilities to manage policies across the entire infrastructure.
