Sourcefire 3D System
Pros: Sophisticated IPS and IDS, tough policy-based responses, proactive network defences, in-depth threat analysis, centralised management
Cons: Can present a steep learning curve, more costly than UTM products
Verdict: Intrusion protection doesn't get much tougher than this, as Sourcefire's 3D System offers industrial-strength network threat management
Whereas other network security vendors have been keen to deliver UTM (unified threat management) solutions to market, Sourcefire, best known as the brains behind the open-source Snort software, continues to focus on intrusion detection and prevention. Its 3D System takes the unified out of UTM and aims to offer an enterprise-level network defence system.
Sourcefire 3D System comprises multiple sensor appliances that are located as required on the network, while management, monitoring and analysis functions are centralised on a single Defense Center appliance. Sourcefire offers a wide range of sensor appliances that can handle monitoring speeds from 5Mbit/s to 10Gbit/s. The 3D moniker alludes to Sourcefire's concept of "discover, determine, defend": it is capable of discovering internal and external threats, determining your levels of vulnerability to them and proactively defending against them.
On review we have the latest, version 4.7, whose new features include a real-time user awareness (RUA) option at the top of the tree. This integrates with LDAP and Active Directory, allowing user information to be retrieved so it can tell you, for example, who was logged in at the time of an attack.
As you'd expect, Snort takes on all IDS/IPS duties, and this is teamed with Sourcefire's real-time network awareness (RNA). The latter monitors all internal and external systems and gathers information such as the installed OS, services, applications and their vulnerabilities. It passes this intelligence to the Defense Center, which carries out a threat assessment of each system and links its findings in with all detected threats. This allows 3D to reduce false positives.
We used a live test environment and installed a 3D 2500 sensor as a transparent gateway on the lab's main internet connection with our firewall behind it. We also connected it to the test LAN and set up port mirroring on our HP ProCurve Gigabit switch, allowing the sensor to see all local traffic and interact with a Windows Server 2003 R2 domain controller to allow us to test the RUA features.
Another new feature is a browser-based installation wizard that is run remotely from each sensor and asks for details such as the Defense Center IP address and basic network monitoring requirements. For RUA testing, we installed a small client utility on our domain controller, which allows extended information such as user logins and profiles to be sent to the Defense Center. Without this agent RUA can only gather basic user login information from Windows networks.
The Defense Center provides a well-designed remote browser interface. Its home page offers a dashboard view with plenty of graphs and charts for an overview of your threat levels. From the analysis and reporting tab, you can view all activity and use the IPS menu option to see intrusion attempts. 3D assigns each event an impact flag icon showing the target's vulnerability level, which allows you to easily filter for the events that require your undivided attention.
Snort provides packet decoding and inspection, allowing you to see which rule was triggered by the attack. There's much more, as RNA passively monitors all network traffic. You can query a host that has been attacked and quickly see whether it has been compromised. You can also view details of external systems from which an attack may have originated and find out who this system has been communicating with. There's no shortage of detailed reporting tools, and 3D can export to PDF, HTML and CSV formats.
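The impact flags described above come from correlating each intrusion event with what RNA has passively learned about the target (its OS and open services) and what RUA knows about who was logged in. The following is an added illustration of that correlation logic, not Sourcefire's code; the inventory, alerts, login records and the four-level impact scale are all constructed for the example and are a simplification of whatever scheme the real product uses.

```python
"""Correlate IDS alerts with a passively discovered host inventory.

Added example (not Sourcefire code). Host, Alert and Login records,
the sample data and the impact scale are all constructed here.
"""
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Host:
    ip: str
    os: str                 # OS family learned from passive fingerprinting
    services: dict          # open port -> service name
    vulnerable_to: set = field(default_factory=set)  # rule ids confirmed to apply

@dataclass
class Alert:
    sid: int                # IDS rule id that fired
    msg: str
    src: str
    dst: str
    dport: int
    target_os: str          # OS family the rule's exploit targets, or "any"

@dataclass
class Login:
    user: str
    host_ip: str
    start: int              # epoch seconds
    end: Optional[int]      # None while the session is still active

# Simplified impact scale, assumed for this example: lower number = worse.
IMPACT = {1: "vulnerable", 2: "potentially vulnerable",
          3: "currently not vulnerable", 4: "unknown target"}

def impact_level(alert: Alert, inventory: dict) -> int:
    """Rank an alert by how exposed its target actually is."""
    host = inventory.get(alert.dst)
    if host is None:
        return 4                                    # RNA never saw this host
    if alert.sid in host.vulnerable_to:
        return 1                                    # known-vulnerable target
    os_matches = alert.target_os in ("any", host.os)
    port_open = alert.dport in host.services
    if os_matches and port_open:
        return 2                                    # right OS, service listening
    return 3                                        # exploit cannot apply here

def user_at(host_ip: str, ts: int, logins: list) -> Optional[str]:
    """RUA-style lookup: who was logged in on host_ip at time ts."""
    for login in logins:
        if login.host_ip == host_ip and login.start <= ts and (
                login.end is None or ts < login.end):
            return login.user
    return None

def triage(alerts: list, inventory: dict, logins: list, ts: int) -> list:
    """Return (impact, sid, dst, user) tuples, most urgent first."""
    rows = [(impact_level(a, inventory), a.sid, a.dst,
             user_at(a.dst, ts, logins)) for a in alerts]
    return sorted(rows)

# Constructed inventory and events.
INVENTORY = {
    "10.0.0.5": Host("10.0.0.5", "windows", {80: "http", 445: "smb"}, {2001}),
    "10.0.0.7": Host("10.0.0.7", "linux", {22: "ssh", 80: "http"}),
}
ALERTS = [
    Alert(2001, "SMB exploit attempt", "198.51.100.4", "10.0.0.5", 445, "windows"),
    Alert(3002, "IIS overflow attempt", "198.51.100.4", "10.0.0.7", 80, "windows"),
    Alert(4003, "generic web scanner", "198.51.100.9", "10.0.0.5", 80, "any"),
    Alert(5004, "telnet probe", "198.51.100.9", "10.0.0.9", 23, "any"),
]
LOGINS = [Login("alice", "10.0.0.5", 1000, None), Login("bob", "10.0.0.7", 900, 950)]

if __name__ == "__main__":
    for impact, sid, dst, user in triage(ALERTS, INVENTORY, LOGINS, 1200):
        print(f"impact {impact} ({IMPACT[impact]}): sid {sid} -> {dst}, user={user}")
```

With the sample data the SMB alert against a host RNA has already flagged as vulnerable to that rule sorts to the top, the IIS alert against a Linux box drops to level 3, and the probe against an unseen address is marked as an unknown target, which is exactly the filtering the review describes.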
The product combines information from Snort, RNA and RUA and uses policies to determine how it should react to specific events. These are set up from the policy and response section, where you can use a policy to contain multiple rules. This makes 3D very versatile, as you can watch out for events such as an attack, an unauthorised application being run, a new service appearing on a host or a client talking to a system that is blacklisted.
Responses are just as varied and include forcing a Nessus or NMAP scan of a compromised system, interacting with a third-party software distribution system to push out an update, or sending an email alert. It can talk to Check Point and Cisco firewalls and send access control lists to block an IP address. The system's traffic profiling could prove useful in a number of scenarios, not least for zero-day attacks: it monitors areas such as general network flows and will raise alerts and activate responses if these fall outside specific thresholds.
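To make the policy-and-response model and the traffic-profiling thresholds concrete, here is an added example of how such a policy engine can be structured. It is not Sourcefire's code: the event records, the blacklist, the authorised-service table, the flow baseline and the response names are all constructed, and responses are returned as action records rather than executed, which is the shape a defender wants for testing a policy before wiring it to a firewall or scanner.

```python
"""Policy rules mapping sensor events to responses, plus a simple
traffic profile that turns threshold breaches into events.

Added example (not Sourcefire code). All data below is constructed.
"""
from statistics import mean, pstdev

BLACKLIST = {"203.0.113.9"}                     # constructed bad peer
AUTHORISED_SERVICES = {"10.0.0.7": {22, 80}}    # ports expected per host

# Constructed event stream as the Defense Center might receive it.
EVENTS = [
    {"type": "intrusion", "host": "10.0.0.5", "impact": 1, "sid": 2001},
    {"type": "new_service", "host": "10.0.0.7", "port": 6667, "service": "irc"},
    {"type": "connection", "host": "10.0.0.8", "peer": "203.0.113.9"},
    {"type": "intrusion", "host": "10.0.0.7", "impact": 3, "sid": 3002},
]

# Each rule is a predicate over one event; a policy is a list of
# (rule, responses) pairs, so one policy can hold many rules.
def high_impact_attack(e):
    return e["type"] == "intrusion" and e["impact"] <= 2

def unauthorised_service(e):
    allowed = AUTHORISED_SERVICES.get(e["host"], set())
    return e["type"] == "new_service" and e["port"] not in allowed

def blacklisted_peer(e):
    return e["type"] == "connection" and e["peer"] in BLACKLIST

def traffic_anomaly(e):
    return e["type"] == "traffic_anomaly"

POLICY = [
    (high_impact_attack, ["email_alert", "vuln_scan"]),
    (unauthorised_service, ["email_alert"]),
    (blacklisted_peer, ["email_alert", "firewall_block"]),
    (traffic_anomaly, ["email_alert"]),
]

def evaluate(policy, events):
    """Return (response, host) actions in the order rules fire."""
    actions = []
    for event in events:
        for rule, responses in policy:
            if rule(event):
                actions.extend((r, event["host"]) for r in responses)
    return actions

def profile_thresholds(baseline, k=3.0):
    """Mean +/- k standard deviations of the learned flow counts."""
    mu, sd = mean(baseline), pstdev(baseline)
    return mu - k * sd, mu + k * sd

def traffic_events(baseline, observed, host):
    """Emit an anomaly event for each observed count outside the profile."""
    lo, hi = profile_thresholds(baseline)
    return [{"type": "traffic_anomaly", "host": host, "flows": v}
            for v in observed if v < lo or v > hi]

# Constructed hourly flow counts: a learned baseline and a new window.
BASELINE = [120, 135, 128, 140, 131, 125, 138, 129]
OBSERVED = [133, 410, 127]

def run():
    anomalies = traffic_events(BASELINE, OBSERVED, "10.0.0.1")
    return evaluate(POLICY, EVENTS + anomalies)

if __name__ == "__main__":
    for response, host in run():
        print(f"{response:15s} -> {host}")
```

Note that the level-3 intrusion against the Linux host produces no action at all: the impact rating from asset correlation is what keeps low-value alerts from triggering scans and emails, while the 410-flow spike, with no signature behind it, still raises an alert through the profile thresholds.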
There's no denying that point solutions are a better bet than UTM appliances for network security, as they focus on specific functions rather than diluting their capabilities. The biggest drawback is increased cost, but if you want one of the best threat management systems on the market, then check out Sourcefire's 3D System.