Title: New Generation IPS Sourcefire 3D System
New Generation IPS: Sourcefire 3D System
- Cyrille Badeau
- Regional Sales Manager Southern Europe
Agenda
- Technologies and limitations
- History and Sourcefire positioning
- How does it work?
- Demo?
IPS? IDS? IDPS? Inline IPS? History and definitions
- Late 1990s: IDS is born
- Passive mode only
- The +: large detection capability
- The -: cost of usage (time intensive)
- The key: the signature or rule database
- 10 000 rules
01/05/2007
IPS? IDS? IDPS? Inline IPS? History and definitions
- Early 2000s: IPS is born
- Now working inline
- The +: no admin anymore?!
- The -: protection level and security coverage
- The key: no false positives!
- 2 500 rules
Technology limitation
[Figure: IDS (10 000 rules) versus first generation IPS (2 500 rules), compared on vulnerability coverage]
Who Is Sourcefire?
- Founded in 2001 by Snort creator Martin Roesch
- Headquarters: Columbia, MD
- Employees: more than 200
- More than 1,500 enterprise and government customers
- Over 25 of the Fortune 100 are customers
- Global partner/distributor network
Worldwide recognition
Gartner recognizes the value of Sourcefire 3D
[Figure: Gartner timeline, Q2 04 and Q4 05]
"Providing endpoint and network intelligence to network security products significantly improves their capabilities and limits the obstacles to a successful deployment. Organizations deploying network security products should look for their integration with vulnerability assessment and network intelligence solutions." (Amrit Williams, Gartner Research Director)
Gartner presents Sourcefire among the leaders
How Sourcefire is different: leveraging the Snort community
Sourcefire's VRT is augmented by the resources of the community, giving customers the world's largest threat response team.
75 commercial products use Snort, giving customers all the benefits of the industry standard.
Sourcefire 3D IPS coverage
Sourcefire 3D architecture
[Architecture figure: Sourcefire Sensors (Snort, RNA) report to the Sourcefire Defense Center. The Defense Center sends notifications by email, SNMP, syslog and help desk, and drives remediation through firewalls, IPS, switches, routers, patch management and configuration management.]
Key Sourcefire IPS capabilities
- Threat protection
  - Comprehensive vulnerability-based Snort rules (10 000 rules)
  - Inline (IPS) and/or passive (IDS) deployments
  - 2 500 rules recommended inline
  - Reassembles TCP segments and IP fragments
- Open-standard rules language
  - View, edit, and create rules
  - Industry-standard rule format with over 100,000 active users
- Performance
  - 5 Mbps to 10 Gbps
- Platform choice
  - Sourcefire, Nokia, Crossbeam
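Two of the capabilities above, the open Snort rule format and TCP segment reassembly, are easier to appreciate in code. The following is an added example written for this page, not Sourcefire or Snort code: a minimal parser for the classic Snort rule header and options (only msg, content, sid and rev are handled, and content patterns are plain text with no |hex| escapes), plus a simple sequence-number reassembler. The rules, sids, ports and TCP segments are constructed for the demonstration; the attack string is deliberately split across two segments, so per-packet matching sees nothing while the reassembled stream fires the rule.

```python
"""Snort-style rule matching with TCP segment reassembly.

Added example (not Sourcefire or Snort code). Parses the open Snort rule
format "action proto src sport -> dst dport (opts;)" and shows why an inline
sensor must reassemble TCP segments before matching. Rules, sids, ports and
traffic below are constructed for the demo.
"""
import re
from typing import Dict, List, Tuple

_HEADER = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def parse_rule(text: str) -> Dict[str, object]:
    """Parse one rule into a dict; each content: pattern becomes bytes."""
    m = _HEADER.match(text.strip())
    if not m:
        raise ValueError("not a rule: %r" % text)
    rule: Dict[str, object] = {
        k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")
    }
    contents: List[bytes] = []
    for opt in m.group("opts").split(";"):
        key, _, val = opt.strip().partition(":")
        val = val.strip().strip('"')
        if key == "content":
            contents.append(val.encode())
        elif key in ("msg", "sid", "rev"):
            rule[key] = val
    rule["contents"] = contents
    return rule


def _port_ok(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def rule_matches(rule: Dict[str, object], dport: int, payload: bytes) -> bool:
    """Every content pattern must appear somewhere in the payload."""
    return _port_ok(str(rule["dport"]), dport) and all(c in payload for c in rule["contents"])


def reassemble(segments: List[Tuple[int, bytes]]) -> bytes:
    """Order TCP segments by sequence number and concatenate them.

    Overlaps keep the bytes seen first (one simple policy; a real sensor
    models the target OS's own reassembly behaviour). Gaps are an error.
    """
    stream = bytearray()
    next_seq = None
    for seq, data in sorted(segments, key=lambda s: s[0]):
        if next_seq is None:
            next_seq = seq
        if seq < next_seq:                  # overlap: drop already-seen bytes
            data = data[next_seq - seq:]
            seq = next_seq
        if seq > next_seq:
            raise ValueError("gap in stream at seq %d" % next_seq)
        stream += data
        next_seq = seq + len(data)
    return bytes(stream)


# Constructed rules: a web directory-traversal rule and one that only applies to SSH.
RULES = [parse_rule(r) for r in (
    'alert tcp any any -> any 80 (msg:"DEMO cgi-bin directory traversal"; '
    'content:"GET /cgi-bin/"; content:"../"; sid:1000001; rev:1;)',
    'alert tcp any any -> any 22 (msg:"DEMO SSH banner"; content:"SSH-"; sid:1000002; rev:1;)',
)]

# Constructed TCP segments (seq, payload): the "../" straddles the boundary,
# and the second segment arrives first.
SEGMENTS = [
    (3016, b"/../etc/passwd HTTP/1.0\r\n\r\n"),
    (3001, b"GET /cgi-bin/.."),
]


def alerts_per_segment(rules, dport: int, segments) -> List[str]:
    """Packet-at-a-time matching: sids that fire on any single segment."""
    hits = []
    for _, data in segments:
        hits += [str(r["sid"]) for r in rules if rule_matches(r, dport, data)]
    return hits


def alerts_on_stream(rules, dport: int, segments) -> List[str]:
    """Stream matching: reassemble first, then apply the rules."""
    stream = reassemble(segments)
    return [str(r["sid"]) for r in rules if rule_matches(r, dport, stream)]


if __name__ == "__main__":
    print("per segment:", alerts_per_segment(RULES, 80, SEGMENTS))   # []
    print("reassembled:", alerts_on_stream(RULES, 80, SEGMENTS))     # ['1000001']
```

The reassembler's overlap policy (first bytes win) is one choice among several; an attacker who knows the target host resolves overlaps differently can still desynchronise a sensor that does not model the target's TCP stack, which is one reason the deck pairs inline inspection with passive host knowledge.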
Sourcefire RNA: Real-time Network Awareness
Network Behavior Analysis (NBA)
- Passive discovery of network assets and communications
- Real-time recognition and detection
- Identifies policy and regulatory violations
What RNA is seeing: Real-time Network Awareness
- Network composition
  - Operating systems, services, ports, protocols, MAC and IP addresses, and vulnerability inference
- Flow mapping
  - Creates a traffic baseline/NetFlow record
  - Detects traffic anomalies inside the network
- User identity tracking
  - Linked to any Sourcefire 3D System event
  - Who are the users running non-standard applications?
  - Who are the laptop users that generate the most IDS events?
"NBA can be considered the last line of defense. Organizations looking to integrate IDS/IPS, vulnerability assessment, and NBA functions into a single system should include Sourcefire on the shortlist." (Paul Proctor, Research VP, Gartner MarketScope for Network Behavior Analysis, 2H06)
Option
Easy compliance management
With just a few mouse clicks:
- Create compliance profiles and baseline configurations
- Identify and track policy non-compliance and make changes
- Verify compliance of OS, service, and protocol usage
- Create specific OS and service/protocol linkages and refer to them in other compliance profiles
New generation IPS

                                                                        New generation   First generation
IPS based on remediation on Network Behavior Analysis                   YES              NO
IPS based on remediation after real-time correlation (7 500 rules)      YES              NO
IPS on inline rules or signatures (2 500)                               YES              YES
New generation IPS
1. Reconnaissance activity is detected by the passive intrusion sensor; events associated with the target are assigned a higher priority.
2. RNA detects a change in the behaviour and/or composition of the compromised asset.
3. The correlated events trigger the remediation policy:
   - Isolate the compromised server
   - Block the attacker at the firewall
   - Direct configuration management
   - Notify the system administrator
4. The in-line intrusion sensor's policy is updated to prevent recurrence.
[Figure components: Sourcefire Intrusion and RNA sensors, Sourcefire Intrusion Sensor (in-line), Sourcefire Defense Center, Patch Management (or other solution)]
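The RNA slides and the four-step workflow above describe one idea: score each intrusion event against what passive discovery knows about the target, queue only the events that matter, and act when an event is corroborated by a change on the host. The following is an added example written for this page, not Sourcefire code, that models that idea in a few functions. The host map, alerts and sids are constructed; the four impact levels are a simplification chosen for the example (an assumption, not the product's exact scheme); and the remediation actions are the ones the slide lists, expressed as plain strings.

```python
"""Correlating intrusion events with passively discovered host data.

Added example, not Sourcefire code: a toy model of real-time correlation,
automatic impact calculation and remediation as described on this page.
Host map, alerts and sids are constructed; the impact levels are a
simplification assumed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Host:
    ip: str
    os: str                      # OS family inferred passively, or "unknown"
    services: Dict[int, str]     # port -> service name seen on the wire


@dataclass
class Alert:
    sid: str
    msg: str
    src: str
    dst: str
    dport: int
    target_os: Set[str]          # OS families the rule's vulnerability affects
    target_service: str          # service the rule's vulnerability lives in


# Impact levels used by this example (simplified; see lead-in).
IMPACT_VULNERABLE = 1        # target runs the affected OS and service
IMPACT_POTENTIAL = 2         # service matches but the OS is unknown
IMPACT_NOT_VULNERABLE = 3    # target is known and does not run the affected software
IMPACT_UNKNOWN_HOST = 4      # target never seen by passive discovery


def impact(alert: Alert, hosts: Dict[str, Host]) -> int:
    """Score one alert against what passive discovery knows about its target."""
    host = hosts.get(alert.dst)
    if host is None:
        return IMPACT_UNKNOWN_HOST
    if host.services.get(alert.dport) != alert.target_service:
        return IMPACT_NOT_VULNERABLE
    if host.os == "unknown":
        return IMPACT_POTENTIAL
    return IMPACT_VULNERABLE if host.os in alert.target_os else IMPACT_NOT_VULNERABLE


def triage(alerts: List[Alert], hosts: Dict[str, Host]) -> List[Tuple[int, str]]:
    """Analyst queue: (impact, sid) for level 1 and 2 events, highest impact first.
    Levels 3 and 4, the bulk of raw IDS output, are dropped from the queue."""
    queue = [(impact(a, hosts), a.sid) for a in alerts]
    return sorted(item for item in queue if item[0] <= IMPACT_POTENTIAL)


def new_services(baseline: Dict[str, Host], current: Dict[str, Host]) -> Dict[str, Dict[int, str]]:
    """RNA-style change detection: ports a host listens on now but not in the baseline."""
    changes = {}
    for ip, host in current.items():
        base = baseline.get(ip)
        added = {p: s for p, s in host.services.items()
                 if base is None or p not in base.services}
        if added:
            changes[ip] = added
    return changes


def remediation(alerts: List[Alert], baseline: Dict[str, Host],
                current: Dict[str, Host]) -> List[str]:
    """Apply the slide's policy only when a level-1 event is corroborated by a
    composition change on the same host (steps 2 and 3 of the workflow)."""
    changed = new_services(baseline, current)
    actions: List[str] = []
    for a in alerts:
        if impact(a, current) == IMPACT_VULNERABLE and a.dst in changed:
            actions += [
                f"isolate {a.dst}",
                f"block {a.src} at firewall",
                f"notify admin: {a.msg} on {a.dst}",
                f"enable sid {a.sid} inline",
            ]
    return actions


# Constructed host maps: a baseline, then the same network after 10.0.0.5 was
# compromised and started listening on a new port.
BASELINE = {
    "10.0.0.5": Host("10.0.0.5", "Linux", {22: "ssh", 80: "http"}),
    "10.0.0.9": Host("10.0.0.9", "Windows", {445: "smb"}),
    "10.0.0.12": Host("10.0.0.12", "unknown", {80: "http"}),
}
CURRENT = {
    "10.0.0.5": Host("10.0.0.5", "Linux", {22: "ssh", 80: "http", 4444: "unknown"}),
    "10.0.0.9": BASELINE["10.0.0.9"],
    "10.0.0.12": BASELINE["10.0.0.12"],
}

# Constructed alerts with made-up sids; the rule/vulnerability pairings are illustrative.
ALERTS = [
    Alert("1000001", "DEMO cgi traversal", "198.51.100.7", "10.0.0.5", 80, {"Linux"}, "http"),
    Alert("1000002", "DEMO IIS overflow", "198.51.100.7", "10.0.0.12", 80, {"Windows"}, "http"),
    Alert("1000003", "DEMO SMB overflow", "198.51.100.9", "10.0.0.9", 445, {"Windows"}, "smb"),
    Alert("1000004", "DEMO SSH probe", "198.51.100.9", "10.0.0.9", 22, {"Linux"}, "ssh"),
    Alert("1000005", "DEMO SMB overflow", "198.51.100.9", "10.0.0.77", 445, {"Windows"}, "smb"),
]

if __name__ == "__main__":
    print(triage(ALERTS, CURRENT))                    # [(1, '1000001'), (1, '1000003'), (2, '1000002')]
    print(remediation(ALERTS, BASELINE, CURRENT))     # four actions, all for 10.0.0.5
```

Of the five constructed alerts, two are dropped outright (a probe against a port the host does not expose, and an attack on a host discovery has never seen), one is downgraded because the OS is unknown, and remediation fires only for the host that is both scored vulnerable and has sprouted a new listener. That corroboration requirement is what keeps an automated "isolate the server" action from being triggered by a single false positive.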
Sourcefire today and tomorrow
Introducing Enterprise Threat Management (ETM)
Clearly, the whole is greater than the sum of the parts.
Enterprise Threat Management (ETM)
- Sourcefire 3D: knowing the network map in real time and understanding network behaviour at any time, so that security tools work more effectively
Vulnerability Research Team (VRT)
Matt Watchinski's team is working for you
- 10 M investment
- Vulnerability research
- Snort rule creation
- Nmap plug-in creation
- RNA engine writing
- Constant link with the open source community
- Constant link with our customers: SEU updates
Why Sourcefire 3D?
- For Snort: the VRT team delivers the largest coverage (10 000 open rules, of which 2 500 are recommended inline), with Snort/Nmap community support
- For RNA: the leading solution, able to reduce IDPS events by 99% through automatic impact calculation
- For RNA: network compliance rules that are extremely easy to deploy and very powerful
- For RNA: IPS tuning based on RNA discovery (adaptive IPS)
- For platform choice: Sourcefire, Nokia, Crossbeam
Questions?
- "Sourcefire, framing the future of IT security" (Information Security Magazine, The Influence List)
www.sourcefire.com 800.917.4134
3D Visualizer