Using Snort, Nessus and Tripwire for network security


Ken Milberg
03.15.2006


Why pay a proprietary vendor a ton of money for a security application you can get for little or no money?

Maybe you think open source doesn't have the chops for network security. Sure, you're using Apache, Tomcat, MySQL and other open source applications in mission-critical situations. You're using open source network management tools, like Nagios or OpenNMS, the latter of which is a complete enterprise network management solution. None of this worries you, but you don't feel comfortable using open source tools for IT security.

Wake up and smell the coffee!

Even better, wake up and look at the applications. In this tip, I will discuss the pros and cons of the open source security tools that work on the Red Hat Enterprise Linux 4.0 (RHEL4) platform. These include Snort (intrusion detection), Nessus (security scanning software) and Tripwire (host-based operating system intrusion detection).

Tripwire

My favorite tool is Tripwire, which is used for your Linux (or Unix) hosts to monitor changes that might be made on your system. Everyone knows the old hacking trick regarding copying over phony versions of commands, like passwd or ls, in an effort to hijack your system. Trojan Horses, look out, because Tripwire will not allow this!

Not all changes are done for devious purposes, and Tripwire will even help pinpoint accidental changes. The way Tripwire works is that it compares files and directories against a database of file locations, dates they were modified and other types of data. This database will contain your baseline, which is a snapshot of your directory structure at a given point in time. You need to run this baseline snapshot, before the system is at risk, for it to really work. Essentially, it will always compare your system to a baseline and report back any modifications, additions or deletions.
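The mechanism just described, a baseline snapshot compared against the live filesystem, is small enough to show end to end. The following is an added example written for this page, not Tripwire's own code: it records the attributes a Tripwire-style policy typically tracks (size, permissions, owner, modification time and a SHA-256 of the contents) for every file under a directory, stores them as a baseline, and on a later run reports additions, deletions and modifications. Function names, the JSON store and the chunk size are assumptions of this example.

```python
"""Minimal Tripwire-style file-integrity checker (illustrative, not Tripwire's code)."""
import hashlib
import json
import os
import stat
from pathlib import Path

HASH_CHUNK = 65536  # assumed read size; hashing in chunks keeps large binaries out of memory


def sha256_of(path: Path) -> str:
    """Content hash of one regular file."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(HASH_CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def file_record(path: Path) -> dict:
    """Attributes recorded for one file: the fields a baseline entry compares on."""
    st = path.lstat()
    rec = {
        "size": st.st_size,
        "mode": stat.filemode(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "mtime": int(st.st_mtime),
    }
    # A symlink is recorded by its target instead of hashing what it points at,
    # so a retargeted link shows up as a change in its own right.
    if stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)
    else:
        rec["sha256"] = sha256_of(path)
    return rec


def snapshot(root: str) -> dict:
    """Build the baseline: relative path -> attribute record for every file under root."""
    root_path = Path(root)
    baseline = {}
    for dirpath, _dirs, files in os.walk(root_path):
        for name in files:
            p = Path(dirpath) / name
            baseline[str(p.relative_to(root_path))] = file_record(p)
    return baseline


def save_baseline(baseline: dict, db_path: str) -> None:
    # Tripwire signs its database; this toy store is plain JSON (assumption), so in
    # real use it would have to live off the monitored host or on read-only media.
    Path(db_path).write_text(json.dumps(baseline, sort_keys=True, indent=1))


def load_baseline(db_path: str) -> dict:
    return json.loads(Path(db_path).read_text())


def compare(baseline: dict, current: dict, ignore=("mtime",)) -> dict:
    """Diff two snapshots into added, deleted and modified paths.

    Attributes named in `ignore` never raise an alert on their own: mtime changes
    are noisy, while a changed hash, mode or owner is what the baseline exists to catch.
    """
    report = {"added": [], "deleted": [], "modified": {}}
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            report["added"].append(path)
        elif path not in current:
            report["deleted"].append(path)
        else:
            old, new = baseline[path], current[path]
            changed = [k for k in set(old) | set(new)
                       if k not in ignore and old.get(k) != new.get(k)]
            if changed:
                report["modified"][path] = sorted(changed)
    return report


def check(root: str, db_path: str) -> dict:
    """One integrity run: rescan the tree and diff it against the stored baseline."""
    return compare(load_baseline(db_path), snapshot(root))


if __name__ == "__main__":
    import sys
    # Usage: python integrity.py init <dir> <baseline.json>   (take the baseline)
    #        python integrity.py check <dir> <baseline.json>  (report changes)
    action, root, db = sys.argv[1:4]
    if action == "init":
        save_baseline(snapshot(root), db)
    else:
        print(json.dumps(check(root, db), indent=1))
```

The point the text makes about timing applies unchanged here: `init` has to run on a known-good system, because whatever state the baseline captures is what every later `check` treats as normal.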

There is a commercial version of the product and also the open source product, and I have used the latter for years. The open source version is really meant for monitoring a small number of servers where centralized control and reporting are not really necessary. The two commercial versions, Tripwire for Servers and Tripwire Enterprise, have centralized management tools with detailed reporting.

Tripwire Enterprise can respond to audit changes across Linux, Unix and Windows and even your desktops. The company has more than 4,500 commercial customers and its solutions are recognized by many of the leading security, auditing and compliance certification organizations.

While Tripwire is not officially supported by Red Hat, it does run on RHEL4, and the Tripwire Web site lists RHEL4 as a supported commercial platform. Red Hat acknowledges Tripwire as the most popular host-based IDS for Linux, but dropped support in 2001 because of inactivity in the upstream development. I don't see this as a problem with Tripwire, because it works.

Snort

Snort is an awesome open source network intrusion prevention and detection system. It combines the benefits of signature-, protocol- and anomaly-based inspection methods.

Snort is probably the most widely-deployed intrusion detection and prevention technology in existence. It has developed through the years into a mature, feature-rich technology which has essentially become a standard in intrusion detection and prevention.

Unfortunately, the Sourcefire-provided RPMs do not install on RHEL4 systems without using third-party tools. You can build your own RPMs. The procedure works fine, though it is not for the gun-shy. Alternatively, you can also download some RPM packages here.

Nessus

No open source security article can be written without talking about Nessus. It is in use in more than 75,000 unique organizations worldwide. Its scanners can be distributed throughout an entire enterprise, inside DMZs and across physically separate networks, and it includes more than 9,000 types of vulnerability checks. They can also be made available for ad-hoc scanning, daily scans and quick-response audits.

What's great about Nessus is that, unlike traditional network security scanners which focus more on the services listening on the network, Nessus also focuses on the local hosts. It can even determine whether there are missing patches, whether they are running Windows, Unix or RHEL4. And yes, it will run on RHEL4.

These are just a few of the great open source security products available. (Don't forget the granddaddy of them all, Bastille Linux.) Don't ever rule out open source, even for security. Especially for security!


This tip originally appeared on SearchOpenSource.com.

About the author:
Ken Milberg is the founder of Unix-Linux Solutions. He is also a board member of Unigroup of NY, the oldest Unix users group in NYC. Ken regularly answers user questions on Unix and Linux interoperability issues as a site expert on SearchOpenSource.com.


