Sourcefire 3D System
February 01, 2008
Intrusion Sensors from $3,995; RNA Sensors from $1,195; Defense Center 1000 $16,995
- Ease of Use:
- Value for Money:
- Overall Rating:
Pros: Sophisticated IPS and IDS, tough policy-based responses, proactive network defences, in-depth threat analysis, centralised management
Cons: Can present a steep learning curve, more costly than UTM products
Verdict: Intrusion protection doesn't get much tougher than this, as Sourcefire's 3D System offers industrial-strength network threat management
Whereas other network security vendors have been keen to deliver UTM (unified threat management) solutions to market, Sourcefire, best known as the brains behind the open-source Snort software, continues to focus on intrusion detection and prevention. Its 3D System takes the unified out of UTM and aims to offer an enterprise-level network defence system.
Sourcefire 3D System comprises multiple sensor appliances, placed wherever they are needed on the network, while management, monitoring and analysis functions are centralised on a single Defense Center appliance. Sourcefire offers a wide range of sensor appliances that can handle monitoring speeds from 5Mb/s to 10Gb/s. The 3D moniker alludes to Sourcefire's concept of "discover, determine, defend": the system discovers internal and external threats, determines how vulnerable your systems are to them and proactively defends against them.
On review is the latest release, version 4.7, whose headline new feature is a real-time user awareness (RUA) option. This integrates with LDAP and Active Directory so that user information can be retrieved, allowing the system to tell you, for example, who was logged in at the time of an attack.
As you'd expect, Snort takes on all IDS/IPS duties, and this is teamed with Sourcefire's real-time network awareness (RNA). The latter passively monitors all internal and external systems and gathers information such as the installed OS, services, applications and their vulnerabilities. It passes this intelligence to the Defense Center, which carries out a threat assessment of each system and links its findings with every detected threat. Because an attack against a host that does not run the targeted service can be rated as lower impact, this allows 3D to reduce false positives.
We used a live test environment and installed a 3D 2500 sensor as a transparent gateway on the lab's main internet connection with our firewall behind it. We also connected it to the test LAN and set up port mirroring on our HP ProCurve Gigabit switch, allowing the sensor to see all local traffic and interact with a Windows Server 2003 R2 domain controller to allow us to test the RUA features.
Another new feature is a browser-based installation wizard that is run remotely from each sensor and asks for details such as the Defense Center IP address and basic network monitoring requirements. For RUA testing, we installed a small client utility on our domain controller, which allows extended information such as user logins and profiles to be sent to the Defense Center. Without this agent RUA can only gather basic user login information from Windows networks.
The Defense Center provides a well-designed remote browser interface. Its home page offers a dashboard view with plenty of graphs and charts for an overview of your threat levels. From the analysis and reporting tab, you can view all activity and use the IPS menu option to see intrusion attempts. 3D assigns each event an impact flag icon showing how vulnerable the targeted host is to it, which lets you easily filter for the events that require your undivided attention.
Snort provides packet decoding and inspection, allowing you to see which rule was triggered by the attack. There's much more, as RNA passively monitors all network traffic. You can query a host that has been attacked and quickly see whether it has been compromised. You can also view details of external systems from which an attack may have originated and find out which systems they have been communicating with. There's no shortage of detailed reporting tools, and 3D can export to PDF, HTML and CSV formats.
The product combines information from Snort, RNA and RUA and uses policies to determine how it should react to specific events. These are set up from the policy and response section, where you can use a policy to contain multiple rules. This makes 3D very versatile, as you can watch out for events such as an attack, an unauthorised application being run, a new service appearing on a host or a client talking to a system that is blacklisted.
Responses are just as varied and include forcing a Nessus or Nmap scan of a compromised system, interacting with a third-party software distribution system to push out an update, or sending an email alert. It can talk to Check Point and Cisco firewalls and send access control lists to block an IP address. The system's traffic profiling could prove useful in a number of scenarios, not least for zero-day attacks: it monitors areas such as general network flows and will raise alerts and activate responses if these fall outside set thresholds.
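To make the correlation and policy flow described above concrete, here is a small added model (not Sourcefire's code) of the two steps the review covers: joining a Snort-style alert against a passively learned RNA-style host inventory to produce an impact flag, and then running policy rules that map intrusion, new-service and blacklist-contact events to responses. Every host, address, rule id, service name and response label is constructed sample data; the response names are just labels and trigger nothing.

```python
"""Toy model of the 3D-style flow: passively learned host data (RNA-style) is
joined against IDS alerts (Snort-style) to produce an impact level, and policy
rules then map events to responses.  All hosts, addresses, rule ids, service
names and responses are constructed sample data, not Sourcefire identifiers."""
from dataclasses import dataclass

IMPACT_LEVELS = ("unknown", "not_vulnerable", "potentially_vulnerable", "vulnerable")

# Constructed passive inventory: OS plus services seen on each host, with a flag
# for services the assessment has already marked as vulnerable.
INVENTORY = {
    "10.0.0.5": {"os": "windows", "services": {"smb": True, "rdp": False}},
    "10.0.0.8": {"os": "linux", "services": {"ssh": False, "http": False}},
}
BLACKLIST = {"203.0.113.7"}  # constructed external address (TEST-NET-3 range)


@dataclass
class Alert:
    sid: int             # constructed rule id, not a real Snort SID
    msg: str
    src: str
    dst: str
    target_os: str       # OS family the signature's exploit applies to
    target_service: str  # service the signature's exploit applies to


@dataclass
class Event:
    kind: str            # "intrusion", "new_service" or "blacklist_contact"
    host: str
    detail: str
    impact: str = "unknown"


def assess_impact(alert, inventory=INVENTORY):
    """Impact flag: how exposed the attacked host actually is to this signature."""
    host = inventory.get(alert.dst)
    if host is None:
        return "unknown"             # never seen by passive discovery
    if host["os"] != alert.target_os or alert.target_service not in host["services"]:
        return "not_vulnerable"      # exploit targets something the host does not run
    if host["services"][alert.target_service]:
        return "vulnerable"
    return "potentially_vulnerable"  # service present, no known weakness recorded


def events_from_alerts(alerts, inventory=INVENTORY):
    return [Event("intrusion", a.dst, f"sid:{a.sid} {a.msg} from {a.src}",
                  assess_impact(a, inventory)) for a in alerts]


def events_from_flows(flows, inventory=INVENTORY, blacklist=BLACKLIST):
    """Derive behavioural events from (src, dst, service) flow records."""
    events = []
    for src, dst, service in flows:
        if dst in blacklist:
            events.append(Event("blacklist_contact", src, f"talked to {dst}"))
        host = inventory.get(dst)
        if host is not None and service not in host["services"]:
            events.append(Event("new_service", dst, f"new service {service}"))
    return events


@dataclass
class Rule:
    name: str
    kind: str
    responses: tuple
    min_impact: str = "unknown"  # only consulted for intrusion events


# Constructed policy: several rules, each carrying its own list of responses.
POLICY = [
    Rule("critical-intrusion", "intrusion", ("email", "nessus_scan", "firewall_block_src"), "vulnerable"),
    Rule("review-intrusion", "intrusion", ("email",), "potentially_vulnerable"),
    Rule("new-service", "new_service", ("email", "nmap_scan")),
    Rule("blacklist", "blacklist_contact", ("email", "firewall_block_dst")),
]


def evaluate_policy(event, policy=POLICY):
    """Return the de-duplicated responses requested by every matching rule."""
    actions = []
    for rule in policy:
        if rule.kind != event.kind:
            continue
        if event.kind == "intrusion" and \
                IMPACT_LEVELS.index(event.impact) < IMPACT_LEVELS.index(rule.min_impact):
            continue
        for response in rule.responses:
            if response not in actions:
                actions.append(response)
    return actions


if __name__ == "__main__":
    alerts = [Alert(1000001, "SMB exploit attempt", "198.51.100.4", "10.0.0.5", "windows", "smb"),
              Alert(1000001, "SMB exploit attempt", "198.51.100.4", "10.0.0.8", "windows", "smb")]
    flows = [("10.0.0.8", "203.0.113.7", "https"), ("192.0.2.9", "10.0.0.8", "mysql")]
    for ev in events_from_alerts(alerts) + events_from_flows(flows):
        print(ev.kind, ev.host, ev.impact, ev.detail, "->", evaluate_policy(ev))
```

Running the script shows the same SMB signature rated "vulnerable" against the Windows host with a flagged SMB service but "not_vulnerable" against the Linux host, so only the first one triggers the scan and firewall responses; the flow records generate the blacklist-contact and new-service events with their own responses.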
There's no denying that point solutions are a better bet than UTM appliances for network security, as they focus on specific functions rather than diluting their capabilities. The biggest drawback is increased cost, but if you want one of the best threat management systems on the market then check out Sourcefire's 3D System.