Sourcefire 3D System
Matching threat assessment to risk is a corporate must.
Passive sensing could be more accurate.
A major advance in net security.
Sourcefire calls its 3D System a "network defense system," avoiding the now loaded terms IDS and IPS. But while some of its components are strictly IDS or IPS, the package as a whole deserves a much broader description.
3D stands for "discover, determine, defend," and reflects the three core areas of specialization within the suite: sensors that detect and classify network traffic, a central management system that brings the information into context, and agents that can react to defend the network.
Although Sourcefire sent us the components (in appliance form) of the 3D System to test in the SC labs, we opted to try the tools running live in a real-world site.
The site, which is a large ISP and managed network provider whose staff requested anonymity, was chosen without Sourcefire's knowledge. We spent some time with the ISP's security team, using Sourcefire in a live environment where the gloves are definitely off.
The first part we looked at was the sensor technology. The 3D System can manage alerts from various sources, including the free Snort IDS tool, but Sourcefire's RNA (Real-time Network Awareness) and Intrusion Sensors are the ideal route. RNA does the usual signature/rule analysis, but goes a very significant step further. The sensors watch network traffic passively, and identify hosts, operating systems, applications and a slew of other information about the network without ever conducting an active scan.
The immediate and obvious benefit is that you get, literally within minutes of firing up the sensor, a real-time asset database of what is on your network. RNA is about 80 percent accurate – some things are hard to identify until sufficient data has been observed, which is the downside of passive versus active scanning. However, we were not put off by that – in a live environment you would be more interested in anomalies, and anything new or unidentified is always going to warrant further investigation.
The only downside is that you need many more sensors placed throughout your network than you otherwise might – every hop away from the source makes accurate assessment less likely.
The real winner is RNA's ability to match what it knows about network resources with its vulnerability signature database. A storm of Slammer traffic would have other IDSs lit up like a Christmas tree, but if RNA knows that the network segment contains no unpatched Microsoft SQL servers that are vulnerable to Slammer, it will mark the attack as low priority using a new "impact flag."
We were skeptical at first, because this relies on the success of the passive scanning, but in practice it is astonishingly thorough. Conversely, a normally low-priority vulnerability noticed on a segment with a business-critical server might have the impact flag set to its highest level.
The combination of vulnerability priority and this impact flag can be tuned to map directly onto your risk model. This is very much the point of RNA, and why it beats the standard model of IDS hands down. Tuning is simple – it is just a function of categorizing your assets and, if necessary, writing beefed-up Snort rules (and nearly anyone can write those). This is not the first time Sourcefire's legacy of the hugely popular open source Snort IDS has proved a major advantage.
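As an added illustration (not Sourcefire's code, and not RNA's actual scoring logic), this is how a passively gathered asset inventory can rescore an alert the way the impact flag described above does: a Slammer alert against a host with no SQL service is marked low, one against a patched server medium, one against a vulnerable server high, and any vulnerable service on a business-critical host critical. All hosts, signature metadata and criticality values are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Host:
    """One host as a passive sensor would describe it (constructed data)."""
    ip: str
    os: str
    services: dict = field(default_factory=dict)  # port -> product string seen on the wire
    criticality: str = "normal"                   # "normal" or "critical", set by the admin

# Constructed inventory for one monitored segment.
INVENTORY = [
    Host("10.0.0.5", "Windows 2000", {1434: "MS SQL Server 2000 SP2"}),
    Host("10.0.0.6", "Windows 2000", {1434: "MS SQL Server 2000 SP3"}),
    Host("10.0.0.9", "Linux", {80: "ExampleHTTPd 1.0"}, criticality="critical"),
]

# Constructed signature metadata (not real rule data): which port and product an
# alert targets, and which version markers mean the hole is already closed.
VULN_SIGS = {
    "MS-SQL Slammer worm": {"port": 1434, "product": "MS SQL Server 2000", "patched": ["SP3", "SP4"]},
    "ExampleHTTPd overflow": {"port": 80, "product": "ExampleHTTPd 1.0", "patched": ["1.0.1"]},
}

# "unknown" ranks above low/medium because an unidentified target warrants a look.
IMPACT_RANK = {"low": 0, "medium": 1, "unknown": 2, "high": 3, "critical": 4}

def impact_flag(alert, inventory=INVENTORY):
    """Return (flag, reason) for one alert dict {"sig": ..., "dst": ...}."""
    sig = VULN_SIGS[alert["sig"]]
    host = next((h for h in inventory if h.ip == alert["dst"]), None)
    if host is None:
        return "unknown", "target not in passive inventory; investigate"
    svc = host.services.get(sig["port"])
    if svc is None or not svc.startswith(sig["product"]):
        return "low", "targeted service not observed on host"
    if any(marker in svc for marker in sig["patched"]):
        return "medium", "service exposed but observed version looks patched"
    if host.criticality == "critical":
        return "critical", "vulnerable service on business-critical host"
    return "high", "vulnerable service exposed"

def triage(alerts, inventory=INVENTORY):
    """Order a burst of alerts so the ones that matter surface first."""
    scored = [(impact_flag(a, inventory)[0], a) for a in alerts]
    return sorted(scored, key=lambda s: IMPACT_RANK[s[0]], reverse=True)
```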
All that alert data is then fed upwards into the Sourcefire Defense Center, the management console. This is where the minute-by-minute admin takes place, and the interface is heavily geared to real-time analysis of events. From a given alert, you might want to track similar activity, or dig into what is happening on that host, or broaden the scope to check for other vulnerable hosts.
Even without training we could find our way around the interface with ease.
There is not the space here to describe the interface in more detail, but it is a web-based GUI which just gets it right.
With a high volume of alert data, the system does start to struggle with analysis, although the sensor architecture ensures that alerts should never be dropped under normal conditions, and the platform is very scalable. We would like to see more tools for analyzing data for trends, especially for change management and benchmarking, with a view to compliance and auditing.
Sourcefire told us this was in the pipeline, but we could imagine the extra work bringing the interface to a grinding halt. Better to pair the 3D System with a platform dedicated to that sort of data manipulation – in our test environment the ISP's engineers use ArcSight ESM (see review on page 51), and the combination of the two is tremendously powerful.
Sourcefire's 3D System is a superb piece of work. The combination of passive network sensing, analysis capabilities and a slick interface all works very well.
It is unlikely to remain unchallenged for long – we expect other IDS/IPS firms to step in with tools and partnerships of their own to correlate asset-management and vulnerabilities in similar fashion.
But until then, the 3D System must be ranked among the very best options available to track and manage risk on your network.