Network IPS Buyer's Guide: Sourcefire
Sourcefire 3D Sensors and Defense Center build on the Snort engine to deliver next-generation IPS.
As the threat landscape evolved, Network Intrusion Detection and Prevention Systems (NIDS / NIPS) became an enterprise best practice to spot and automatically block network-borne attacks. In this edition of Enterprise Networking Planet's NIPS buyer's guide, we examine capabilities and features offered by Sourcefire, the company behind the popular open source Snort engine.
Starting with Snort
Snort was one of the first systems to focus on network intrusion detection. Released in 1998 by Sourcefire founder Martin Roesch, Snort has evolved into a mature NIPS with an extensive community-generated and tested rule set. Sourcefire claims that Snort--downloaded over 4 million times--is the most widely-deployed IPS in the world. The principle behind Snort's open source approach: Many eyeballs can help to detect and respond more effectively to a wide variety of threats experienced by organizations across the globe.
Sourcefire not only distributes and supports Snort--it builds on this foundation to deliver extremely successful commercial NIPS products. But why do customers that prefer a commercial NIPS choose a product based on Snort? According to Sourcefire Director of Marketing Steve Piper, "What's different about us is that our rules are open--Snort is its own ecosystem, with more than 400,000 registered users. Snort is used by more organizations on planet earth than any other IPS technology, so it is easier to hire Snort talent."
In addition, Piper said Sourcefire's Vulnerability Research Team (VRT) has taken the spot vacated by ISS X-Force. By monitoring over 150 public and private threat feeds, Snort and ClamAV community posts, industry disclosure advanced notifications, and over 20K malware samples per day, VRT works to continuously improve Sourcefire's coverage and effectiveness. "We have dozens of researchers who consider it their mission in life to provide timely coverage and best in class protection against zero-day threats," he said.
Deploying Sourcefire 3D Sensors
Sourcefire engineers have parlayed the Snort engine and VRT threat intelligence into a portfolio of commercial products which the company refers to as "Next Generation IPS."
Every Sourcefire NIPS installation starts by deploying 3D Sensors in desired locations throughout the network to be protected. Sourcefire sells a range of ICSA-certified 3D Sensor appliances which run identical software on purpose-built platforms sized to meet varied needs. At the low end, the 3D500 inspects traffic at speeds up to 5 Mbps. At the high end, the 3D9900 delivers 10 Gbps of line-speed inspection. A Virtual 3D Appliance can also handle up to 500 Mbps, running on VMware or Xen. According to Senior Field Marketing Manager Jason Wright, Sourcefire's sweet spot is around 1-2Gbps--delivered by 3D3500 and 3D4500 Sensors.
"Most customers deploy 3D Sensors at the perimeter, behind the firewall," said Wright. "The firewall should block everything except the good stuff, while IPS detects any bad stuff that gets through. Customers used to deploy Sensors off span ports, but these days are more likely to deploy Sensors in-line. We offer fail open ports on all 3D models for fault-tolerance, so we can never bring down the network."
When deployed at the perimeter, 3D Sensors inspect traffic passing into the DMZ and network interior. In PCI deployments, 3D Sensors have been installed at the edge of cardholder data environments. "We have also seen customers deploy Sourcefire at the network core, inside the data center, typically in a passive out of band mode," said Wright. Customers can cluster a pair of 10 Gbps 3D9900 Sensors, or run the Virtual 3D Appliance on up to 8 Crossbeam blades, delivering up to 40 GB of protection.
Traffic inspection can be hampered by encryption. To avoid blind spots more efficiently, Sourcefire also sells an SSL Appliance. "We offer on-box decryption, but if you have lots of Sensors, that can be labor intensive and drastically decrease IPS performance," said Wright. "Alternatively, you can use our SSL Appliance to decrypt traffic to be inspected by our Sensors and other security devices--for example, Data Leak Prevention or secure email gateways. We can decrypt traffic, route it through those bumps-in-the-wire, and then re-encrypt results, with lower latency."