Keeping system configurations intact and free from unauthorised modifications can be a tedious task at best but is essential to ensure the integrity of critical servers. Tripwire is devoted to this job and Tripwire for Network Devices (TND) does a fine job of keeping switch and router configuration files safe from wandering fingers, malicious minds or just plain meddling users. Servers get the same high levels of protection, as Tripwire for Servers (TS) monitors each system for changes. It takes a backup of key files allowing them to be swiftly restored to their original condition if required.

TS uses the same procedures as TND by taking a snapshot of system files and storing them in a local database. You can specify which files, folders and registry keys TS is to monitor. You aren't limited to system data either, as you can include any filename or directory in the scanning process. TS then uses the snapshot as a baseline to determine if any changes have been made. If it spots anything untoward it can alert administrators and advise them on what changes were made and also who made them. For the latter, TS can report on the user name of the offender, give details of their IP address, hostname and even the program used to make the changes.

Snapshot

TS uses policy files that contain information about the files and keys to be monitored and the responses it should make if changes are found. It provides a report on its findings. If you don't like the changes made you can swiftly restore a file, or key, back to its original state using this snapshot. If the modifications are acceptable you can ask TS to create a new baseline with these changes included.

Not just anyone can play with TS. It offers some impressive security features by encrypting policy, configuration, database and report files - so you'll need to know multiple passphrases to use the software. TS can be run as a standalone application on each system. However, this will swiftly become tedious for larger sites as all configuration and monitoring is via the command prompt. Even the policy files start out as text files that must be manually edited.

We strongly recommend stumping up the extra cash for the Tripwire Manager component as this will make your life a lot easier. Each monitored server will require an extra TS agent installed to be accessed by the Manager but it will allow you to keep an eye on all systems and deploy policies from a central location.

Smart feature

The graphical interface makes policy creation far more pleasant as you can remotely view each server's file system and pick and choose which items you want to monitor. Each instance is added to a policy as a rule. A smart feature is the option to assign various actions to each rule, such as e-mailing a member of the support staff if a particular file has been changed. Once you're happy with your policy you then distribute it to selected systems. When this is completed you will need to update the local database, although all this can be carried out easily from the Manager console.

Once completed you can run integrity checks on each server. The Manager provides a clear indication of the action with a large pie chart showing which systems are currently being checked, those that are receiving new policies or having their database updated, and those that are idle. A chart below also offers a bar graph showing if any violations have been detected. If there are, you can select a system, choose the Report option and see what triggered the Tripwire alert. Checks can be run manually at any time but the Manager provides scheduling tools so you can run these daily, weekly or monthly, or at any interval you choose.

We were impressed with Tripwire for Network Devices and the same applies to Tripwire for Servers. Change management is normally viewed as a luxury only enterprises can afford. While this software doesn't come cheap, it brings these tools to the smaller business that needs to ensure critical systems aren't tampered with.
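
The snapshot, integrity-check and re-baseline cycle the review describes, as an added Python sketch that is not Tripwire's code or file format. The SHA-256 digests, the passphrase-derived HMAC seal (a simpler stand-in for the encrypted database the review mentions), the function names and the sample files are all assumptions made for this example.

```python
import hashlib, hmac, json, os, tempfile

def snapshot(root):
    """Map each file under root (relative path) to its SHA-256 digest."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                db[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return db

def seal(db, passphrase, salt):
    """Tag the baseline with a passphrase-derived HMAC so edits to it are detectable."""
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)
    body = json.dumps(db, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def check(root, baseline, tag, passphrase, salt):
    """Verify the baseline seal, then report drift against the live tree."""
    if not hmac.compare_digest(seal(baseline, passphrase, salt), tag):
        raise ValueError("baseline database failed its integrity seal")
    current = snapshot(root)
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": sorted(p for p in current.keys() & baseline.keys() if current[p] != baseline[p]),
    }

def demo():
    """Constructed tree: baseline it, modify it, check, then accept by re-baselining."""
    salt, phrase = b"constructed-salt", "constructed passphrase"
    with tempfile.TemporaryDirectory() as root:
        for name, text in (("hosts", "127.0.0.1 localhost\n"), ("motd", "welcome\n")):
            with open(os.path.join(root, name), "w") as fh:
                fh.write(text)
        baseline = snapshot(root)
        tag = seal(baseline, phrase, salt)
        with open(os.path.join(root, "hosts"), "a") as fh:
            fh.write("203.0.113.9 updates.example\n")
        os.remove(os.path.join(root, "motd"))
        with open(os.path.join(root, "new.conf"), "w") as fh:
            fh.write("x=1\n")
        report = check(root, baseline, tag, phrase, salt)
        accepted = snapshot(root)
        clean = check(root, accepted, seal(accepted, phrase, salt), phrase, salt)
        return report, clean

if __name__ == "__main__":
    print(demo())
```

The seal check runs before any comparison, so a baseline edited to hide a change is rejected rather than trusted.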

OUR VERDICT

Tripwire for Servers is in the enviable position of having little, if any, competition, as few network management products offer this type of protection for servers. Deployment will be a problem on large networks and administrators may be tempted (as we were) to use the same passphrase for every system to reduce the workload.