As the threat landscape evolved, Network Intrusion Detection and Prevention Systems (NIDS / NIPS) became an enterprise best practice to spot and automatically block network-borne attacks. In this edition of Enterprise Networking Planet’s NIPS buyer’s guide, we examine capabilities and features offered by Sourcefire, the company behind the popular open source Snort engine.
Starting with Snort
Snort was one of the first systems to focus on network intrusion detection. Released in 1998 by Sourcefire founder Martin Roesch, Snort has evolved into a mature NIPS with an extensive community-generated and tested rule set. Sourcefire claims that Snort–downloaded over 4 million times–is the most widely-deployed IPS in the world. The principle behind Snort’s open source approach: Many eyeballs can help to detect and respond more effectively to a wide variety of threats experienced by organizations across the globe.
Sourcefire not only distributes and supports Snort–it builds on this foundation to deliver extremely successful commercial NIPS products. But why do customers that prefer a commercial NIPS choose a product based on Snort? According to Sourcefire Director of Marketing Steve Piper, “What’s different about us is that our rules are open–Snort is its own ecosystem, with more than 400,000 registered users. Snort is used by more organizations on planet earth than any other IPS technology, so it is easier to hire Snort talent.”
In addition, Piper said Sourcefire’s Vulnerability Research Team (VRT) has taken the spot vacated by ISS X-Force. By monitoring over 150 public and private threat feeds, Snort and ClamAV community posts, industry disclosure advanced notifications, and over 20K malware samples per day, VRT works to continuously improve Sourcefire’s coverage and effectiveness. “We have dozens of researchers who consider it their mission in life to provide timely coverage and best in class protection against zero-day threats,” he said.
Deploying Sourcefire 3D Sensors
Sourcefire engineers have parlayed the Snort engine and VRT threat intelligence into a portfolio of commercial products which the company refers to as “Next Generation IPS.”
Every Sourcefire NIPS installation starts by deploying 3D Sensors in desired locations throughout the network to be protected. Sourcefire sells a range of ICSA-certified 3D Sensor appliances which run identical software on purpose-built platforms sized to meet varied needs. At the low end, the 3D500 inspects traffic at speeds up to 5 Mbps. At the high end, the 3D9900 delivers 10 Gbps of line-speed inspection. A Virtual 3D Appliance can also handle up to 500 Mbps, running on VMware or Xen. According to Senior Field Marketing Manager Jason Wright, Sourcefire’s sweet spot is around 1-2 Gbps–delivered by 3D3500 and 3D4500 Sensors.
“Most customers deploy 3D Sensors at the perimeter, behind the firewall,” said Wright. “The firewall should block everything except the good stuff, while IPS detects any bad stuff that gets through. Customers used to deploy Sensors off span ports, but these days are more likely to deploy Sensors in-line. We offer fail open ports on all 3D models for fault-tolerance, so we can never bring down the network.”
When deployed at the perimeter, 3D Sensors inspect traffic passing into the DMZ and network interior. In PCI deployments, 3D Sensors have been installed at the edge of cardholder data environments. “We have also seen customers deploy Sourcefire at the network core, inside the data center, typically in a passive out of band mode,” said Wright. Customers can cluster a pair of 10 Gbps 3D9900 Sensors, or run the Virtual 3D Appliance on up to 8 Crossbeam blades, delivering up to 40 GB of protection.
Traffic inspection can be hampered by encryption. To avoid blind spots more efficiently, Sourcefire also sells an SSL Appliance. “We offer on-box decryption, but if you have lots of Sensors, that can be labor intensive and drastically decrease IPS performance,” said Wright. “Alternatively, you can use our SSL Appliance to decrypt traffic to be inspected by our Sensors and other security devices–for example, Data Leak Prevention or secure email gateways. We can decrypt traffic, route it through those bumps-in-the-wire, and then re-encrypt results, with lower latency.”
Pulling it all together
Ultimately, potential threats detected by 3D Sensors must be analyzed and presented to administrators – this job falls to Sourcefire’s Defense Center. This management console serves as Sourcefire’s dashboard, using drag-and-drop widgets to deliver information appropriate for each installation and administrator. Defense Center is also responsible for aggregating and analyzing Sensor-generated events, applying configurable policies to generate customizable alerts and reports.
A single DC500 can manage three 3D Sensors and store 2.5 million events, while a single DC3000 can manage 100 3D Sensors and store up to 100 million events. In addition, Sourcefire offers a manager-of-managers capability for large or highly distributed enterprises. “You can take one of our DCs and convert it to a master DC to control up to 10 subordinate DCs,” explained Wright. “This gives us the largest scalability in the industry, using several hundred DCs, all rolled up through a master DC for centralized monitoring and defense.”
In addition, each DC provides interfaces that enable integration with an enterprise’s security eco-system. First, a Remediation API can be used to trigger changes on firewalls, routers, vulnerability scanners, or patch managers. Second, an eStreamer interface can be used to relay security, compliance, and sensor health events to SIEMs, log managers, or third-party network managers. Finally, Sourcefire’s Host Input API can pump “endpoint intelligence” into its host database – for example, adding input supplied by Qualys. These hooks help Sourcefire work in tandem with other security systems, breaking down barriers that can otherwise reduce organizational efficiency.
Evolving to battle contemporary threats
According to Wright, Sourcefire’s “next generation IPS” takes a different approach than yesterday’s traditional NIPS. “It’s a more dangerous world out there. Today, we see more organized, sophisticated attacks. Organized crime now generates income from hacking endeavors by leveraging very smart people to create very targeted threats using multiple vectors, including web pages, email, social networks, and even people to attack organizations. As a result, you need more sophisticated IPS technology,” he said.
“We’re working with customers that have smart people in their security teams,” said Wright. “They don’t want to just trust that vendors are doing the right thing inside a static black box. They want to understand why we’re blocking what we’re blocking. They want to write their own signatures and to be able to integrate IPS with other technologies.” Rules can also be adapted to address advanced persistent threats that might be aimed at your organization but not seen by the larger Snort community.
Furthermore, Wright argues that old-school IPS rule sets just look at packets, but may lack context. “We also look at devices and users – that is, what am I protecting? Without awareness of what’s on the network, it’s difficult to make intelligent decisions about traffic. With our Real-Time Network Awareness (RNA) and Real-Time User Awareness (RUA) products, we can add this kind of intelligence to NIPS.”
In addition, Sourcefire now offers automated IPS tuning. “Adjusting policies on a daily basis has become quite a burden for large enterprises. We’ve automated that capability to tune your IPS, based on fingerprinted devices, operating systems, and applications normally used on your network,” explained Wright. “For example, if you’re not running Linux servers, there’s no reason to alert on Linux exploits. Automation has become key to reduce the workload of managing IPS.”
To illustrate, Piper described how a particular threat might be handled. “We start with intelligent correlation to the target: Is the attack actually going to be impactful on its target? Next, we apply intelligent anomaly detection, using network behavior analysis to baseline activity and detect anomalies. Finally, we look for application violations: white lists that apply application and user awareness to trigger alerts on activities that violate IT policy, like a user placing a Skype call.” With this multi-pronged approach, Sourcefire can offer much more than basic NIPS, improving operational efficiency to reduce TCO.
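The two ideas above, host-aware rule tuning (disable rules whose targets do not exist on your network) and target correlation (ask whether an alert actually hit a host that could be affected), reduce to the same question: does this rule's target profile match what the inventory says about the destination host? The following added example, which is illustrative code and not Sourcefire's own, shows that logic over a constructed host inventory and a constructed rule set. The `Host` and `Rule` fields, the sample IPs, and the six-digit SIDs are assumptions made for the example; real RNA data and Snort rule metadata look different.

```python
"""Host-aware IPS tuning and alert impact scoring (added example; not Sourcefire code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    ip: str
    os_family: str        # as reported by passive fingerprinting, e.g. "windows", "linux"
    services: frozenset   # service names observed listening on the host, e.g. {"http"}


@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    target_os: frozenset  # OS families the exploit affects; empty set = any OS
    target_service: str   # service the exploit needs on the target; "" = any service


# Constructed inventory: the kind of data an RNA-style fingerprinting feed would supply.
HOSTS = {
    "10.0.0.10": Host("10.0.0.10", "windows", frozenset({"smb", "rdp"})),
    "10.0.0.20": Host("10.0.0.20", "linux", frozenset({"http", "ssh"})),
}

# Constructed rules with hypothetical SIDs; the target metadata fields are assumptions.
RULES = [
    Rule(900001, "hypothetical SMB overflow", frozenset({"windows"}), "smb"),
    Rule(900002, "hypothetical Linux httpd overflow", frozenset({"linux"}), "http"),
    Rule(900003, "hypothetical Solaris RPC attack", frozenset({"solaris"}), "rpc"),
    Rule(900004, "generic web scanner user-agent", frozenset(), "http"),
]


def rule_applies(rule, host):
    """True when the rule's target OS and service profile matches this host."""
    os_ok = not rule.target_os or host.os_family in rule.target_os
    svc_ok = not rule.target_service or rule.target_service in host.services
    return os_ok and svc_ok


def tune_rules(rules, hosts):
    """Enable rules that can affect at least one inventoried host; disable the rest.

    Returns (enabled_sids, disabled_sids). A rule whose target OS never appears in
    the inventory (the 'no Linux servers, no Linux alerts' case) lands in disabled.
    """
    enabled, disabled = [], []
    for rule in rules:
        relevant = any(rule_applies(rule, host) for host in hosts.values())
        (enabled if relevant else disabled).append(rule.sid)
    return enabled, disabled


def assess_alert(sid, dst_ip, rules, hosts):
    """Correlate an alert with its target and label its likely impact.

    'vulnerable-target' : destination host matches the rule's target profile
    'not-vulnerable'    : destination host is known and does not match
    'unknown-target'    : destination host is not in the inventory (needs a look)
    'unknown-rule'      : SID not present in the loaded rule set
    """
    rule = next((r for r in rules if r.sid == sid), None)
    if rule is None:
        return "unknown-rule"
    host = hosts.get(dst_ip)
    if host is None:
        return "unknown-target"
    return "vulnerable-target" if rule_applies(rule, host) else "not-vulnerable"


if __name__ == "__main__":
    enabled, disabled = tune_rules(RULES, HOSTS)
    print("enabled:", enabled, "disabled:", disabled)
    for sid, dst in [(900001, "10.0.0.10"), (900001, "10.0.0.20"), (900001, "10.0.0.99")]:
        print(sid, dst, assess_alert(sid, dst, RULES, HOSTS))
```

Note the deliberate asymmetry: a rule is disabled only when no host in the inventory matches, but an alert against an unknown destination is flagged rather than dismissed, because an incomplete inventory is the usual failure mode of this kind of tuning and silently dropping those alerts would hide exactly the hosts nobody knew about.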
Sourcefire is very proud of its heritage and continues to leverage threat intelligence supplied by the Snort community. Sourcefire is also proud of recent NSS Labs test results, in which Sourcefire 3D Appliances detected 98 percent of tested attacks and covered 98 percent of CVEs (2004-2010). With purpose-built appliances, scalable management, and modules like RNA and RUA, Sourcefire is working hard to add value to its commercial portfolio, turning a popular open source foundation into a more comprehensive, automated security system focused on business risks and needs.