Sourcefire 3D System 4.9
Strengths: Sourcefire's Snort, extensive policy-based threat assessments and responses, good reporting and centralised management
Weaknesses: RNA and RUA components are not included in the base price and can increase costs substantially
Verdict: A comprehensive network threat assessment and protection system that's easy to deploy, with good centralised management
Sourcefire has an enviable reputation with its excellent Snort intrusion detection and prevention software and puts this to good use in its 3D System, which aims to offer complete enterprise-level network defence.
The 3D System uses multiple sensor appliances to monitor network segments and Sourcefire offers models supporting speeds ranging from 5Mbps up to 20Gbps. All management, monitoring and analysis functions are centralised on Defense Center (DC) appliances. With this release, Sourcefire now offers both sensors and DCs as virtual appliances.
The '3D' name alludes to the system's ability to discover internal and external threats, determine levels of vulnerability and defend against them. On review is the latest version, 4.9, which delivers a number of new features, including Sourcefire's policy layers and PEP (policy enforcement point).
We had no problems installing the 3D System in the lab and for testing we used a sensor appliance as a transparent gateway on our main internet connection. We also linked it to our test LAN and set up port mirroring on a 48-port HP ProCurve Gigabit switch, allowing the sensor to see all local traffic. An important physical update to the sensor appliances is that they now incorporate hardware bypasses, so they won't interrupt the network if they fail.
Initial deployment is handled smoothly by wizards which provide each sensor with a local address, plus that of the DC. Then it's over to the DC itself, whose tidy web interface opens with a smart dashboard view, with plenty of graphs and charts allowing you to see at a glance what your threat levels are.
The view is customised using widgets that can be added or removed and arranged using drag and drop. Usefully, these can be exported to other users, so specific views can be easily shared. If you just want the IPS functions, you can deploy sensors in standalone mode and manage them via their own web interface.
Naturally, Snort looks after all intrusion detection and prevention duties and can be teamed up with Sourcefire's optional RNA (real-time network awareness) and RUA (real-time user awareness) components. RNA monitors all internal and external systems and gathers information about them - such as the installed OS, services, apps and also their vulnerabilities.
RUA supports a range of authentication methods, including Active Directory, and retrieves information about users, so you can see, for example, who was logged on when an attack occurred. Using all the information provided by the Snort, RNA and RUA components, the DC carries out threat assessments of each system with a view to reducing false positives.
Reactions to network events and threats are controlled with policies containing multiple rules. It's here that you will need to take time out to understand how the 3D System works, as it offers a lot of choices. A good indication of its complexity is the default policy - it contains nearly 1,400 rules.
The default policy covers all the main threats, while vulnerability and fingerprint databases are automatically updated by Sourcefire. The new layer feature is a valuable improvement, as it makes policy management much easier and shows clearly where changes have been made.
Policy layers have been included primarily as a response to administrators of distributed networks who want to delegate management of local appliances. Using the default policy as a base, you can make rule modifications that will be listed under the policy layers section as separate changes.
The whole policy interface has been completely redesigned to incorporate these layers. It allows administrators to create global IPS policies that are applied to all sensors, but which can be customised at the local level for specific appliances located, perhaps, in a branch office or remote site.
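The layering described above, modelled as an added example rather than Sourcefire's own code: a global base layer of rule states with a branch-office layer on top, resolved so that the topmost layer mentioning a rule wins, plus a report that lists only the entries that actually change something. Rule ids and states are constructed for illustration.

```python
# Added example, not Sourcefire code: a model of layered IPS rule policies.
# A layer maps a Snort rule id to a state ("drop", "alert", "disabled"). The
# global base layer sits at the bottom; each local layer above it holds only
# the rules it overrides, so every change stays visible as a separate entry.
from typing import Dict, List, Tuple

RuleState = str
Layer = Dict[int, RuleState]


def effective_policy(base: Layer, overrides: List[Layer]) -> Layer:
    """Resolve rule states: the topmost layer that mentions a rule wins."""
    eff = dict(base)
    for layer in overrides:
        eff.update(layer)
    return eff


def change_report(base: Layer, overrides: List[Layer]) -> List[Tuple[int, int, RuleState, RuleState]]:
    """(layer index, rule id, state beneath, new state) for each real change.

    An entry that merely restates the state beneath it is not a change and
    is left out, so the report shows where the local policy really departs
    from the global one.
    """
    report = []
    below = dict(base)
    for idx, layer in enumerate(overrides, start=1):
        for rule, state in sorted(layer.items()):
            prev = below.get(rule, "disabled")  # a rule no layer mentions is off
            if prev != state:
                report.append((idx, rule, prev, state))
        below.update(layer)
    return report


# Constructed sample: a global policy and one branch-office layer above it.
GLOBAL: Layer = {1001: "drop", 1002: "alert", 1003: "disabled", 1004: "drop"}
BRANCH: Layer = {1002: "drop", 1003: "alert", 1004: "drop"}  # 1004 restates the base


def branch_policy() -> Layer:
    """Effective policy a sensor at the branch would receive."""
    return effective_policy(GLOBAL, [BRANCH])
```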
The new PEP feature takes into account that some traffic streams can be trusted and don't need to have IPS policies applied, with encrypted VoIP a good example. PEP policies are applied directly at the sensor's network interfaces and can comprise source and destination addresses, protocols, VLANs and ports.
Actions include the new fast path option that allows selected traffic to side-step IPS policies for improved network performance.
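The PEP matching described above, as an added example that is not Sourcefire's own code: a small first-match evaluator over source and destination networks, protocol, VLAN and destination port, with a fast-path action that skips IPS inspection, and an audit helper that lists which flows would bypass inspection under a given rule set. The rule names, networks and flows are constructed; the tight rule fast-paths only the voice VLAN's UDP media ports, while the broad one fast-paths everything on that VLAN, including web traffic.

```python
# Added example (not Sourcefire code): a toy model of PEP-style fast-path
# matching at a sensor interface, showing how a fast-path rule's scope decides
# which flows skip the IPS policy entirely.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Flow:
    src: str
    dst: str
    proto: str   # "udp", "tcp", ...
    vlan: int
    dport: int


@dataclass
class PepRule:
    name: str
    action: str                                    # "fast_path" or "inspect"
    src_nets: list = field(default_factory=list)   # CIDR strings; empty = any
    dst_nets: list = field(default_factory=list)
    protos: set = field(default_factory=set)       # empty = any
    vlans: set = field(default_factory=set)
    dports: set = field(default_factory=set)

    def matches(self, f: Flow) -> bool:
        def in_nets(addr, nets):
            return not nets or any(ipaddress.ip_address(addr) in ipaddress.ip_network(n) for n in nets)
        return (in_nets(f.src, self.src_nets) and in_nets(f.dst, self.dst_nets)
                and (not self.protos or f.proto in self.protos)
                and (not self.vlans or f.vlan in self.vlans)
                and (not self.dports or f.dport in self.dports))


def pep_action(rules, flow, default="inspect"):
    """First matching rule wins; unmatched flows go to the IPS policy."""
    for r in rules:
        if r.matches(flow):
            return r.name, r.action
    return "default", default


# Constructed sample: encrypted VoIP media on the voice VLAN is fast-pathed...
TIGHT = [PepRule("voice-srtp", "fast_path", src_nets=["10.10.0.0/16"],
                 protos={"udp"}, vlans={100}, dports=set(range(16384, 32768)))]
# ...versus an over-broad rule that skips inspection for all of VLAN 100.
BROAD = [PepRule("vlan100-all", "fast_path", vlans={100})]


def audit_fast_path(rules, flows):
    """Flows that would skip inspection; review this list before deploying."""
    return [f for f in flows if pep_action(rules, f)[1] == "fast_path"]
```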
Snort's packet decoding and inspection capabilities need no introduction and this detailed information is used to show you which rule was activated by an attack. RNA also joins in by passively monitoring all network traffic and gathering details about each host and system. This combination allows you to query a host and see immediately whether it has been compromised.
External systems don't get off lightly either, as details about where an attack may have originated from are gathered, along with its OS and services and who the system has been communicating with. We did find that OS identification was generally very good, although Windows 7 systems are currently being shown in the host listing as having Vista installed.
Responses to network events are extensive and can include forcing a Nessus or NMAP scan of a compromised system, interacting with a third-party software distribution system or sending an email alert. ACLs can be sent to Check Point and Cisco firewalls to block IP addresses, and the 3D System can request a physical port block on compliant network switches.
This solution does represent a significant investment, but add in Sourcefire's detailed reporting features and you have a sophisticated threat management system. Snort's rules, along with the policies and responses, allow the 3D System to be extensively customised to suit pretty much any network, making it one of the top IPS systems on the market.