Using Snort, Nessus and Tripwire for network security

Why pay a proprietary vendor a ton of money for a security application you can get for little or no money?

Maybe you think open source doesn't have the chops for network security. Sure, you're using Apache, Tomcat, MySQL and other open source applications in mission-critical situations. You're using open source network management tools, like Nagios or OpenNMS, the latter of which is a complete enterprise network management solution. None of this worries you, but you don't feel comfortable using open source tools for IT security.

Wake up and smell the coffee!

Even better, wake up and look at the applications. In this tip, I will discuss the pros and cons of the open source security tools that work on the Red Hat Enterprise Linux 4.0 (RHEL4) platform. These include Snort (intrusion detection), Nessus (security scanning software) and Tripwire (host-based operating system intrusion detection).

Tripwire

My favorite tool is Tripwire, which is used for your Linux (or Unix) hosts to monitor changes that might be made on your system. Everyone knows the old hacking trick regarding copying over phony versions of commands, like passwd or ls, in an effort to hijack your system. Trojan Horses, look out, because Tripwire will not allow this!

Not all changes are done for devious purposes, and Tripwire will even help pinpoint accidental changes. The way Tripwire works is that it compares files and directories against a database of file locations, dates they were modified and other types of data. This database will contain your baseline, which is a snapshot of your directory structure at a given point in time. You need to run this baseline snapshot, before the system is at risk, for it to really work. Essentially, it will always compare your system to a baseline and report back any modifications, additions or deletions.

There is a commercial version of the product and also the open source product, and I have used the latter for years. The open source version is really meant for monitoring a small number of servers where centralized control and reporting is not needed really necessary. The two commercial versions, Tripwire for Servers and Tripwire Enterprise, have centralized management tools, with detailed reporting.

Tripwire Enterprise can respond to audit changes across Linux, Unix and Windows and even your desktops. The company has more than 4,500 commercial customers and its solutions are recognized by many of the leading security, auditing and compliance certification organizations.

While Tripwire is not officially supported by Red Hat, it does run on RHEL4, and the Tripwire Web site lists RHEL4 as a supported commercial platform. Red Hat acknowledges that Tripwire as the most popular host-based IDS for Linux, but took out support in 2001 because of inactivity in the upstream development. I don't see this as a problem with Tripwire, because it works.

Snort

SNORT is an awesome open source network intrusion prevention and detection system. It combines the benefits of signature-, protocol- and anomaly-based inspection methods.

Snort is probably the most widely-deployed intrusion detection and prevention technology in existence. It has developed through the years into a mature, feature-rich technology which has essentially become a standard in intrusion detection and prevention.

Unfortunately, the Sourcefire-provided RPMs do not install on RHEL4 systems without using third-party tools. You can build your own RPMs. The procedure works fine, though it is not for the gun-shy. Alternatively, you can also download some RPM packages here.

Nessus

No open source security article can be written without talking about Nessus. It is in use in more than 75,000 unique organizations worldwide. Its scanners can be distributed throughout an entire enterprise, inside DMZs and across physically separate networks, and includes more then 9,000 types of vulnerability checks. They can also be made available for ad-hoc scanning, daily scans and quick-response audits.

What's great about Nessus is that, unlike traditional network security scanners which focus more on the services listening on the network, Nessus also focuses on the local hosts. It can even determine whether there are missing patches, whether they are running Windows, Unix or RHEL4. And yes, it will run on RHEL4.

These are just a few of the great open source security products available. (Don't forget the granddaddy of them all, Bastille Linux.) Don't ever rule out open source, even for security. Especially for security!

About the author:
Ken Milberg is the founder of Unix-Linux Solutions. He is also a board member of Unigroup of NY, the oldest Unix users group in NYC. Ken regularly answers user questions on Unix and Linux interoperability issues as a site expert on SearchOpenSource.com.