Tripwire Agents for IOS/PIX/CatOS?

Answered Question

My client is installing Tripwire, and they've got the Solaris agents done and are now looking at my network devices.


Does anyone have any experience with this? I can't find any useful information on the web about how these "agents" work. I'm almost expecting an agent that lives on a server and logs in to get the latest configuration, rather than a process running on the box itself. However, if this IS a process that runs on the hardware platform, is it supported by Cisco, or will the first thing I hear from tech support be "De-install that Tripwire agent and see if the problem goes away"?


Farrukh Haroon Fri, 08/08/2008 - 05:58

No, I'm sure nothing runs on the Cisco box itself.


Regards


Farrukh

Correct Answer
chris.glanville Tue, 08/12/2008 - 21:29

I'm assuming you mean Tripwire Enterprise.


Tripwire supports an "agent-less" node. This is how they handle most network devices I believe. The TE (frontend) server has an agent installed on it and it initiates the connections and sends commands.


Tripwire calls them COVR rules (Command Output Validation Rule). Essentially an SSH session is opened and then a "sh run" is sent and then parsed using a regex. You can also use the regex to do search and replace of certain config lines (like uptime). Something I've seen when implementing MARS is that there is a maximum login banner size. I haven't run into this with Tripwire, but if your connections are failing, try shrinking your login banner.


I would highly recommend using SSH and SCP. You can set it up to use TFTP too, but if you have SSH enabled on the device, it's just cleaner. Also, make sure you use variables for the login credentials. Tripwire really got that one right (unlike MARS). You can create global username and password variables and then pull them in for the credentials when creating the node. That means you set (or reset) the username/password in 1 place instead of 500.


Make sure your client has licenses for network nodes. You can't interchange network and server nodes. Also, make sure you get the network device rules from Tripwire.
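
The COVR-style flow described above (pull "show running-config", mask the lines that change on their own such as uptime, then compare against a baseline) as an added example. This is illustrative code, not Tripwire's own rules or API: it assumes the SSH pull has already happened and works on constructed sample configs; the masking patterns are my assumptions modeled on common IOS output lines, and the hostname, addresses and timestamps are made up.

```python
"""Added example (not Tripwire's code): agentless config-drift check in the
style of a COVR rule. The collector is assumed to have already run
"show running-config" over SSH; the configs below are constructed samples."""
import difflib
import hashlib
import re

# Lines that differ between pulls without any operator change. A COVR-style
# search-and-replace masks them so they do not raise false alerts.
# (Patterns are assumptions based on IOS output formats, not Tripwire's rules.)
NORMALIZERS = [
    (re.compile(r"^! Last configuration change at .*$", re.MULTILINE),
     "! Last configuration change at <masked>"),
    (re.compile(r"^! NVRAM config last updated at .*$", re.MULTILINE),
     "! NVRAM config last updated at <masked>"),
    (re.compile(r"^ntp clock-period \d+$", re.MULTILINE),
     "ntp clock-period <masked>"),
]


def normalize(config: str) -> str:
    """Mask volatile lines and canonicalize line endings and trailing blanks."""
    text = config.replace("\r\n", "\n")
    for pattern, replacement in NORMALIZERS:
        text = pattern.sub(replacement, text)
    return "\n".join(line.rstrip() for line in text.strip().split("\n")) + "\n"


def raw_fingerprint(config: str) -> str:
    """SHA-256 over the config exactly as pulled (changes on every pull)."""
    return hashlib.sha256(config.encode("utf-8")).hexdigest()


def fingerprint(config: str) -> str:
    """SHA-256 over the normalized config; equal digests mean no real change."""
    return hashlib.sha256(normalize(config).encode("utf-8")).hexdigest()


def check_drift(baseline: str, current: str) -> dict:
    """Compare a freshly pulled config against its baseline.

    Returns both fingerprints, whether they differ, and the exact added and
    removed lines (after masking) so that an alert is actionable.
    """
    base_lines = normalize(baseline).splitlines()
    cur_lines = normalize(current).splitlines()
    added, removed = [], []
    for line in difflib.unified_diff(base_lines, cur_lines, n=0, lineterm=""):
        if line.startswith(("+++", "---", "@@")):
            continue  # diff headers, not config lines
        if line.startswith("+"):
            added.append(line[1:])
        elif line.startswith("-"):
            removed.append(line[1:])
    return {
        "baseline_sha256": fingerprint(baseline),
        "current_sha256": fingerprint(current),
        "changed": fingerprint(baseline) != fingerprint(current),
        "added": added,
        "removed": removed,
    }


# Constructed sample: the approved baseline for a hypothetical router.
BASELINE = """\
! Last configuration change at 10:41:03 UTC Fri Aug 8 2008
! NVRAM config last updated at 10:41:10 UTC Fri Aug 8 2008
!
hostname edge-rtr1
!
ntp clock-period 17179868
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no shutdown
!
line vty 0 4
 transport input ssh
!
end
"""

# Constructed sample: the same config pulled later; only volatile lines moved.
VOLATILE_ONLY = (BASELINE
                 .replace("10:41:03 UTC Fri Aug 8 2008", "09:02:15 UTC Wed Aug 13 2008")
                 .replace("10:41:10 UTC Fri Aug 8 2008", "09:02:20 UTC Wed Aug 13 2008")
                 .replace("17179868", "17179870"))

# Constructed sample: a pull where telnet was enabled on the vty lines and the
# HTTP server was turned on. This is the drift the check should surface.
DRIFTED = (VOLATILE_ONLY
           .replace(" transport input ssh", " transport input telnet ssh")
           .replace("line vty 0 4", "ip http server\n!\nline vty 0 4"))


if __name__ == "__main__":
    report = check_drift(BASELINE, DRIFTED)
    print("changed:", report["changed"])
    for line in report["removed"]:
        print("-", line)
    for line in report["added"]:
        print("+", line)
```

The point of the masking step is the same one made above about uptime: without it every pull looks different and the integrity check degrades into noise. Running the script reports the vty transport change and the added `ip http server` line while the timestamp and `ntp clock-period` drift are ignored.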

matt_nels Wed, 08/13/2008 - 08:12

Chris's description is spot on. All the real work is done on the Tripwire server itself, not on the router/device. It yanks the configuration and audits it for changes.
