Sourcefire 3D

By Ian Murphy,
Rating:
Price as reviewed: £25,000 (Sourcefire 3D Suite starting price), £2,659 (Intrusion Sensors starting price), £20 (RNA per node, falling to £2 for volumes in excess of 131,000 nodes), all exc VAT
Sourcefire is a security company that has built a reputation for providing security across the network. While others focus on just point solutions such as anti-virus, intrusion detection and firewalls, Sourcefire has focused on producing an enterprise-class system that encompasses everything. It can be bought as a single comprehensive solution or you can add components as needed.
3D stands for Discover, Determine and Defend, hence the Sourcefire 3D name. Each of the three components has a specific job: Discover is done by the Intrusion and RNA Sensors, Determine by the Defence Centre and Defend by your existing tools. The Sensors and the Defence Centre are shipped as hardware appliances.
What you get in the box depends on which part of the solution you buy and on the complexity of your network. You can buy all three appliances as a single package or you can buy them as separate components. If required, the whole thing can come in a single appliance, but for real security you are going to want to deploy a lot of sensors around your network.
The Defence Centre is a 2U appliance, while the Intrusion and RNA Sensors are 1U appliances, although the RNA Sensor can also be purchased as just a software package and installed on your own hardware.
At first glance this is a complex system to get to grips with. The GUI needs to be reworked, and you must have a real understanding of what the components do before deploying them. A good knowledge of what you have on your network is always helpful here, as it will help you make sense of the information you get from Sourcefire 3D. Without it, you will find big differences in the type and number of alerts between any existing solutions you may have and Sourcefire 3D.
All sensors have their own Gigabit connection to the Defence Centre and use an encrypted SSL link (256-bit AES). Sourcefire recommends that you place the Defence Centre on a separate LAN, or at least on a separate VLAN from the Sensors.
The Intrusion Sensor is a beefed-up version of Snort, the packet-sniffing and intrusion detection tool that is available free. You can configure the Intrusion Sensor in either active or passive mode, and this slightly changes its role. In active mode the focus is on intrusion prevention: it actively monitors and blocks traffic based on rules. In passive mode it offers intrusion detection, using rules to monitor traffic and raise alerts.
What makes the Intrusion Sensor interesting is its use of multiple detection engines, all of which work with the main Snort rules engine. This means that whenever a new attack is detected, a single rules update becomes available to all the detection engines.
The RNA Sensor only works in passive mode, and there are good reasons for this. Its first job is to identify all the assets on your network and determine what is out there. This has to be done in passive mode because, in a critical environment, active mode could interfere with the running of your other equipment. One of the shocking things about the RNA Sensor is the amount of data that it does acquire.
If getting a fairly accurate map of your network was not enough, the RNA Sensor is also very smart about how it responds to threats. When a threat is detected, it looks to see which of your systems are vulnerable to that threat. If none are vulnerable, the threat becomes moot. This is important to understand, because you could otherwise find yourself caught between different systems giving conflicting data.
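The correlation the review describes, checking each alert against what a passive sensor has learned about the target host, is the kind of triage a SOC can reproduce in a few lines. The example below is added here and is not Sourcefire's code or RNA's actual algorithm; the asset inventory, alert signatures and the three impact labels are all constructed for illustration.

```python
"""
Added example (not Sourcefire's code): correlate intrusion alerts against a
passively built asset inventory so that alerts aimed at hosts which cannot be
affected are ranked below those aimed at hosts that can. All data is constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    ip: str
    os: str                                   # OS family from passive fingerprinting
    services: dict = field(default_factory=dict)   # port -> service name observed


@dataclass
class Alert:
    signature: str
    dst_ip: str
    dst_port: int
    affects_os: frozenset                     # OS families the exploited flaw applies to
    affects_service: str                      # service the flaw lives in


# Constructed inventory: what a passive sensor might have learned about two hosts.
INVENTORY = {
    "10.0.0.10": Asset("10.0.0.10", "windows", {445: "smb", 3389: "rdp"}),
    "10.0.0.20": Asset("10.0.0.20", "linux", {22: "ssh", 80: "http"}),
}

# Constructed alerts: the same hypothetical SMB signature fired at three targets.
SAMPLE_ALERTS = [
    Alert("SMB overflow attempt (constructed)", "10.0.0.10", 445, frozenset({"windows"}), "smb"),
    Alert("SMB overflow attempt (constructed)", "10.0.0.20", 445, frozenset({"windows"}), "smb"),
    Alert("SMB overflow attempt (constructed)", "10.0.0.99", 445, frozenset({"windows"}), "smb"),
]

# Lower number = look at it first. Unknown hosts sit in the middle because a
# passive inventory is never complete; an unseen host cannot be declared safe.
PRIORITY = {"vulnerable": 1, "unknown-host": 2, "not-vulnerable": 3}


def assess_impact(alert, inventory):
    """Return 'vulnerable', 'not-vulnerable' or 'unknown-host' for one alert."""
    asset = inventory.get(alert.dst_ip)
    if asset is None:
        return "unknown-host"            # never seen by the sensor: cannot qualify the alert
    observed_service = asset.services.get(alert.dst_port)
    if asset.os in alert.affects_os and observed_service == alert.affects_service:
        return "vulnerable"
    # OS or service does not match: e.g. a Windows SMB exploit aimed at a Linux
    # web server. Downgrade rather than discard, since the inventory may lag.
    return "not-vulnerable"


def triage(alerts, inventory):
    """Return (signature, dst_ip, impact) rows ordered by priority, stable within a tier."""
    rows = [(a.signature, a.dst_ip, assess_impact(a, inventory)) for a in alerts]
    rows.sort(key=lambda r: PRIORITY[r[2]])
    return rows


if __name__ == "__main__":
    for sig, ip, impact in triage(SAMPLE_ALERTS, INVENTORY):
        print(f"{impact:15} {ip:12} {sig}")
```

The point the review makes about conflicting data follows directly from this: an alert that a plain IDS would report at full severity can be ranked last here because the inventory says the target cannot be affected, so a team running both tools side by side should expect their alert counts to differ. The inventory in the example is static; in practice it is refreshed continuously from observed traffic, which is why the "not-vulnerable" tier is a demotion rather than a drop.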