Security software firm Tripwire plans Linux push

Tripwire is carving out an early leadership position in detection security software, which takes snapshots of critical computer files and sounds the alarm when files change. By noting a change, the software flags the possible presence of an intruder. It's currently available for computers running Windows, Linux and several varieties of Unix.

But this year, the company is embarking on a strategy--to be kicked off next week at the RSA computer security conference--called "Tripwire everywhere," said chief executive Wyatt Starnes. The company will start by spreading its software beyond those operating systems to protect database software, network equipment such as routers and even an entire network.

The company also plans to capitalize on the increasing number of computers running Linux, a rapidly spreading clone of the powerful and network-friendly Unix operating system and a target of some computer attacks.

Next week at the annual RSA security confab, Tripwire will unveil new management software to help companies ease the current headache of monitoring hundreds of computers, Starnes said.

Tripwire is in a good position, said Security Focus analyst Elias Levy. "They are definitely first to market," he said. The company's products are useful, though only one of several tools an administrator needs to protect a system.

Brokerage Charles Schwab and online auction firm eBay both employ Tripwire software for their computer networks, a source familiar with the companies' security said.

Starnes quickly recognizes that detecting when files have been altered is only part of computer security. The first line of defense, "firewall" software to block intruders, is important. But firewalls are still vulnerable, and they don't protect against attacks from inside the company or mistakes from misguided administrators.

Linux is another growth opportunity for Tripwire, he said. Sellers of Linux software are sensitive about the perception that Linux is a good target for computer intrusions. "There is a fear that the perception of this vulnerability could impede their marketplace," Starnes said.

The open-source nature of Linux, in which anyone may scrutinize the operating system's basic instructions, is a "double-edged sword," Starnes said. While it makes it easier for developers to find and fix vulnerabilities without having to wait for a company to do so, it also makes it easier for attackers to analyze the operating system for weaknesses.

Indeed, Linux machines were a particular target for people looking to take over computers to be employed in attacks launched with the Tribe Flood Network and Trinoo software.

"A couple years ago, Linux had more security problems than most other systems," Levy said. "Today, there's a much better job keeping up and patching holes."

The security problem with Linux, and with Unix in general, is that it is designed to be controlled over the network, Levy said. Windows NT, which "ships with very (few) applications that you can use remotely," hasn't been as subject to this problem, though the arrival of more remote administration tools and software such as Back Orifice are changing that situation as well, Levy said.

Adding management software, which lets an administrator monitor computers over a network, reduces the security promise of Tripwire, Levy said. A compromised computer could send a fake all's-well signal, lulling the administrator into thinking a computer was unaltered.

But overall, some security is better than none, and remote administration of Tripwire likely will enable more widespread use, Levy said.

Tripwire, based in Portland, Ore., grew from 17 to 75 employees in 1999, Starnes said. The first version of its product, for Sun Microsystems' machines running the Solaris version of Unix, shipped in October 1998, and versions for Linux, Windows NT and other versions of Unix followed in early 1999.

Ironically, Tripwire's main competition is an earlier incarnation of its own software, Starnes said. The software began as a programming project in 1992 by Gene Kim, a Purdue University graduate student under the tutelage of Gene Spafford and today Tripwire's chief technology officer.

The older software, which still is freely available for Unix machines, is installed on an estimated 150,000 to 350,000 computers, Starnes said. However, that version stores the snapshot of the protected files in open format, and indeed there have been cases where hackers have erased their tracks by creating a new snapshot after compromising a computer.

The commercial version Tripwire, though, encrypts the snapshot, making it much harder to change a system without being detected, Starnes said.

Tripwire's expansion plans begin by extending the software so it runs on special-purpose computers called "routers," which shuttle data across the Internet and smaller networks. A version of Tripwire for Cisco's router product is aimed for a release in the second quarter, Starnes said. Tripwire for other types of network equipment such as proxy servers, firewalls and gateways also are in the works, he said.

Software to protect databases, starting with that from Oracle, will be released in the second half of the year, he said. The actual data stored in databases changes very frequently and is therefore hard to track, but other parts of the database, such as the description of who's allowed to make changes, is relatively unchanging.

Also in the second quarter, there will be a version that will accommodate Windows 2000, he said.

A new edition of the Tripwire management software will debut midway through this year, enabling the Tripwire administration tools to become a module of existing management software such as IBM's Tivoli, Computer Associate's Unicenter or Hewlett-Packard's OpenView, Starnes said.