Sourcefire’s open-source IDS engine, Snort, has long been the gold standard of signature-based intrusion detection systems. Snort’s commercial sibling, Sourcefire 3D, takes Snort a step further by adding passive vulnerability assessment and service anomaly detection to the mix.
3D stands for discover, determine and defend, referring to Sourcefire 3D’s capability to use knowledge of the services and vulnerabilities that are present in the network to defend against attacks intelligently.
The Sourcefire 3D system comprises three layers: RNA (real-time network awareness) sensors, which perform asset discovery, vulnerability assessment and anomaly detection; intrusion sensors, which analyze network traffic and block or alert on threats; and the defense centre, which aggregates information from all the sensors and allows you to manage the system centrally.
In addition to a variety of alerting methods, Sourcefire 3D can block traffic via inline intrusion sensors, or via third-party firewalls, switches, and routers. It can also facilitate remediation of vulnerabilities via third-party patch and configuration management software.
We found the RNA sensor interface remarkably intuitive and easy to navigate. RNA was useful in providing powerful security data for review, with its capability to determine host operating systems as well as which services are running and even which applications are running them.
As network hosts communicated on our network, the RNA sensor quickly populated its database, and we found this database of services very helpful in performing an audit of firewall rules and monitoring for policy compliance. Within minutes of setting up the RNA sensor, we could see all of our live SSH, Web and mail servers, and locate P2P file-sharing and other network policy violations.
Unlike other products that identify unauthorized services and other behavioural anomalies, Sourcefire requires you to create rules for flagging them. As a result, generating service anomaly alarms is less intuitive with RNA than with, say, Lancope’s StealthWatch. Although we successfully created Snort signatures that used service profile information, we needed help from Sourcefire support to get the alarms firing properly.
In testing, we found that the distance between the sensor and the host was directly linked to the accuracy of the service profile. Although RNA can determine that Apache, for example, is running on port 80/tcp of a host, it can’t determine if a required patch or security setting is needed. When the capability to perform targeted active scans is incorporated in its upcoming 4.5 release, both the accuracy of service profiles and the completeness of vulnerability information should be improved.
As with most anomaly-based detection systems, Sourcefire 3D requires a baseline of network traffic to be created as a point of reference. After a baseline of services is created, RNA can flag when a new or unauthorized service appears. This anomaly detection will empower a trained analyst to detect a zero-day attack.
Nothing to Snort at
As you may suspect, Sourcefire’s intrusion sensor is built on the Snort IDS engine. Using the Snort signature syntax, we were able to create or customize Snort signatures to fit our network. Sourcefire’s vulnerability research team consistently develops new signatures that are designed to catch known attacks and produce a low occurrence of false positives. Although quality assurance did result in significantly fewer false positives than we found using Snort forum signatures, we did have to spend a few hours adjusting policy and signatures to remove the trickle of false alarms sent to the monitoring station.
In our lab tests, we used the penetration testing tool to shoot 10 attacks past the intrusion sensor, and the sensor detected each of our attacks accurately. The quality of information given for the attacks was decent, but required us to look at additional references to gain a full understanding of the attack type and magnitude.
Centre of it all
The defense centre appliance gathers and processes the data from the distributed RNA and intrusion sensors. The gritty Web-based interface on the defense center allows you to drill down to the granular aspects of security events.
The interface allows easy querying of events based on all the relevant data points, such as source IP, destination IP, asset category, signature category, etc. The configurable graphical reports can be exported to PDF, CSV, or HTML and then e-mailed to appropriate responders and management.
The defense centre also allows categorization of network assets. These groupings can be used for policy development and determining event impact.
Using the data gathered from RNA and asset criticality levels you assign, the defense centre can raise or lower the “impact flag” of an event based on the target’s importance and its susceptibility to the attack.
Sourcefire 3D is the first system we have tested that incorporates signature, service-anomaly, and behavioural-anomaly detection into one IPS solution.
With the additional value of policy compliance checking, network asset inventory, and passive vulnerability assessment, the 3D system is a security package that moves us a step closer to a self- defending network.