Botnets - The killer web applications

www.syngress.com
Botnet Detection: Tools and Techniques • Chapter 5


“Secure” in the context of Tripwire signatures is a comparative term, however. In recent years a number of flaws in MD5 have been discussed that bring into question its continuing fitness for some applications. Although snefru is theoretically vulnerable to differential cryptanalysis, the attack is currently still considered practically infeasible.

If a subsequent snapshot comparison with the stored signature indicates that the file has been altered or replaced, this might give you your first warning of an attack. However, you can also use this facility, in tandem with other measures such as firewall logs and other system logs, to investigate and analyze a known breach or infection.

TIP

Why would you use a commercial product when there’s an open source equivalent? Open-source products don’t usually give you timely professional support (at any rate, not for free); there are plenty of gurus and other users you can ask, but you don’t have 24/7 help desks and service-level agreements to fall back on. Don’t underestimate the importance of a proper contract: In many environments, the inability to transfer risk to a supplier is a deal breaker. Value-adds for a commercial product can include centralized administration, enhanced reporting facilities, and integration with other applications. In this case, the range of platforms and devices that need to be covered might also determine a preference for Tripwire for Servers or Tripwire Enterprise over the open-source versions. On the other hand, if you don’t need all the value-added bits and are able and prepared to do the hands-on geek stuff, an open-source application may do very well.

Clearly, Tripwire detects intrusion. It doesn’t, by itself, prevent it. Its purpose is to alert you to a breach that has already taken place and assist in analyzing the extent of that breach. Irrespective of the version of Tripwire you use, when you initialize the database by taking your first directory snapshot, you need the file system to be intact and clean. If it’s already been compromised, Tripwire is of very little use to you. Ideally, the system should just have been installed (what we used to call a “day-zero” installation, before the term zero-day became popular as a description of something more sinister).
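
The snapshot-and-compare cycle described above, and the reason the first snapshot must come from a clean system, can be seen in a short added example. It is not code from the book or from Tripwire: the function names are hypothetical, the sample files are constructed, and SHA-256 is an assumption used here in place of the MD5 and snefru signatures the text mentions.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file under root (relative path) to its SHA-256 digest."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                db[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return db


def compare(baseline, current):
    """Report files altered, added or removed since the baseline snapshot."""
    common = baseline.keys() & current.keys()
    return {
        "altered": sorted(p for p in common if baseline[p] != current[p]),
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
    }


def write(root, name, data):
    with open(os.path.join(root, name), "wb") as fh:
        fh.write(data)


def demo():
    """Constructed tree; returns (report vs clean baseline, report vs late baseline)."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "login", b"original contents")
        write(root, "motd", b"welcome\n")
        clean = snapshot(root)                      # baseline on a known-clean tree
        write(root, "login", b"changed contents")   # altered after the baseline
        write(root, "extra.sh", b"#!/bin/sh\n")     # not present at baseline time
        os.remove(os.path.join(root, "motd"))
        late = snapshot(root)                       # baseline taken only after the changes
        current = snapshot(root)
        return compare(clean, current), compare(late, current)


if __name__ == "__main__":
    for label, report in zip(("clean baseline", "late baseline"), demo()):
        print(label, report)
```

The comparison against the late baseline comes back empty even though the tree was changed, which is the situation the paragraph above warns about.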
