5 Tripwire Enterprise Misconfigurations to Avoid
Configuration management is vitally important as part of a sound cybersecurity strategy. We have previously published how patching alone is not enough, as that does not alter a system’s customized configuration. Misconfigurations can be as damaging to security as a deliberate attack on a system. As the manufacturer of Tripwire Enterprise (TE), we thought that it would be prudent to help our readers learn about some of the more important configuration pitfalls to avoid in order to get the most value out of the TE product.
Open ports on a firewall
With many products that use agents to communicate, various ports must be open to make sure that the traffic flows freely. Of course, many system administrators may want to seal off all unnecessary ports. This is generally a good practice to prevent an attacker from exploiting those open avenues. However, the TE designers have made great efforts to make sure that the ports they use do not correspond to known exploit avenues. Not only do these specific ports need to be open on the network firewall to allow free communications between TE and the Axon agents, but the same ports must also be open on the local host firewalls, such as the Linux and Windows firewalls, in order to ensure smooth communications.
Incorrect hardware parameters
Prior to virtualized environments, hardware specifications were fairly easy to manage. For example, early versions of TE required 8 GB of RAM in order to install and run. It also required a specific CPU configuration. Virtualization has introduced magnificent flexibility with hardware requirements; however, that can also introduce a problem when an administrator assigns a dynamic RAM configuration. If the product requires a specific RAM configuration in order to run, this dynamic setup can create problems. This is not unique to TE. Most product installation and operation configurations need to meet specifications in order to operate efficiently.
Back-end database maintenance
TE supports Oracle, MS SQL, and MySQL. The TE manual is very specific about database creation. If some parameters are not enabled or are set incorrectly, then the application will malfunction. Along with that, if the recommended maintenance is not configured correctly, a database can grow too large and exhaust the available disk space. The TE installation guide has recently been revised to spell out exactly what maintenance is expected.
Rule sets must be specific
When we cybersecurity professionals install a new system, it is very natural to turn on every feature. We do this as if we are test-driving a new car. We want to see what the system is capable of. Unlike test-driving an automobile, turning on everything in a security system is similar to turning on every vacuum cleaner in an appliance store; they will suck in everything, and they will also produce more noise than value.
We at Tripwire fully understand this urge to test out the system in this way, and we know that the TE system can certainly handle the load. However, we also recognize that it is not the best way to derive the information that can improve security. With millions of pieces of information being ingested into the system, the database can grow unwieldy in a very short time, and it is impossible to find useful information in all of that data. To better serve our customers, we offer services such as Professional Services and Resident Engineer Engagements to help our customers set the appropriate configuration for their environment, creating more signal and less noise.
Importing SSL certificates
When we speak about secure communications, most folks would assume that we are referring to conversations between people. To cybersecurity professionals, secure communications also covers communication between devices. Much like secure traffic over the internet, device security relies on the Secure Sockets Layer (SSL) protocol, and the trust relationships it depends on are controlled by digital certificates. With TE, importing the correct certificate is the key to the correct functioning of the product.
The problem of getting the right SSL certificate is more of an administrative challenge than a technical one. In most organizations, the team that generates the internal SSL certificates will create a general-purpose certificate for a given application, but this will not work well with TE. Since TE is an enterprise system, it needs a root certificate in order for the system to function to its full ability in the environment. This is an important point that should be emphasized in the pre-deployment meetings in an organization. For the smoothest implementation, advance planning can make TE work perfectly from the start.
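As an added illustration (not part of the original post and not Tripwire's own tooling): a small shell check that tells you whether the PEM file the certificate team handed over is a root CA certificate or a general-purpose leaf certificate, so the mismatch is caught before the import. It assumes the openssl CLI is on PATH; the certificates it generates are throwaway samples constructed for the demo.

```shell
# Hypothetical helper: classify a PEM certificate as root-ca, intermediate-ca
# or leaf. A root CA cert is self-signed (subject == issuer) and carries
# basicConstraints CA:TRUE; a leaf cert lacks the CA flag.
cert_kind() {
    pem="$1"
    subj=$(openssl x509 -in "$pem" -noout -subject 2>/dev/null | sed 's/^subject=//')
    iss=$(openssl x509 -in "$pem" -noout -issuer 2>/dev/null | sed 's/^issuer=//')
    if openssl x509 -in "$pem" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
        if [ "$subj" = "$iss" ]; then echo root-ca; else echo intermediate-ca; fi
    else
        echo leaf
    fi
}

# Constructed sample material (throwaway keys, 1-day validity) for the demo:
# a self-signed root CA and a leaf certificate issued by it.
WORK=$(mktemp -d)
ROOT_PEM="$WORK/root.pem"
LEAF_PEM="$WORK/leaf.pem"
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Root CA" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -keyout "$WORK/root.key" -out "$ROOT_PEM" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=te-console.example" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$ROOT_PEM" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1 -out "$LEAF_PEM" 2>/dev/null

# Usage: the root reports root-ca, the application cert reports leaf.
echo "root.pem is: $(cert_kind "$ROOT_PEM")"
echo "leaf.pem is: $(cert_kind "$LEAF_PEM")"
```

Run it against the file you were actually given; if it reports leaf, go back to the certificate team for the root certificate before proceeding with the TE setup.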
All systems rely on good configurations to run efficiently. Just as no enterprise system is plug-and-play, no system will work at its best if it is run at full capacity. It will serve neither its purpose nor its consumer. Tripwire Enterprise can bring an exceptional level of security to an organization, but to derive the most benefits, it needs to be configured for optimal performance. We are here to help you get the most out of your TE implementation.