New Generation IPS Sourcefire 3D System - PowerPoint PPT Presentation

About This Presentation
Number of Views: 1288
Avg rating: 3.0/5.0
Slides: 26
Provided by: kellyw4

Transcript and Presenter's Notes

Title: New Generation IPS Sourcefire 3D System


1
New Generation IPS: Sourcefire 3D System
  • Cyrille Badeau
  • Regional Sales Manager Southern Europe

2
Agenda
  • Technologies and limitations
  • History and Sourcefire positioning
  • How does it work?
  • Demo?

3
IPS? IDS? IDPS? Inline IPS? History and
definitions
  • End of the 1990s: IDS is born
  • Passive mode only
  • The +: large detection capability
  • The -: cost of usage (time intensive; every alert still has to be reviewed by an analyst)
  • The key: the signature or rule database

10 000 rules
01/05/2007
4
IPS? IDS? IDPS? Inline IPS? History and
definitions
  • Early 2000s: IPS is born
  • Now working inline
  • The +: no admin anymore (?)
  • The -: protection level and security coverage
  • The key: no false positives (inline, a false positive drops legitimate traffic, so only the high-confidence subset of the rules is enabled)

2 500 rules
5
Technology limitation
[Chart: vulnerability coverage of an IDS (10 000 rules) against a first-generation IPS (2 500 rules); the inline rule set covers a fraction of the vulnerabilities the passive one does]
6
Who Is Sourcefire?
  • Founded in 2001 by Snort Creator, Martin Roesch
  • Headquarters Columbia, MD
  • Employees More than 200
  • More than 1,500 enterprise and government
    customers
  • Over 25 of the Fortune 100 are customers.
  • Global partner/distributor network

7
Worldwide recognition
8
Gartner recognizes the value of Sourcefire 3D
[Figure: Gartner positioning, Q2 2004 and Q4 2005]
"Providing endpoint and network intelligence to
network security products significantly improves
their capabilities and limits the obstacles to a
successful deployment. Organizations deploying
network security products should look for their
integration with vulnerability assessment and
network intelligence solutions." (Amrit Williams,
Gartner Research Director)
9
Gartner presents Sourcefire among the leaders
10
How Sourcefire is Different: Leveraging the Snort
Community
Sourcefire VRT is augmented by the resources of
the community, giving customers the world's
largest threat response team.
75 commercial products use Snort, giving
customers all the benefits of the industry
standard.
11
Sourcefire 3D IPS coverage
12
Sourcefire 3D IPS coverage
13
Sourcefire 3D architecture
[Diagram: Sourcefire Sensors (Snort + RNA) report to the Sourcefire Defense Center, which sends notifications to Email, SNMP, Syslog and Help Desk, remediation to Firewalls, IPS, Switches and Routers, and tickets to Patch Management and Configuration Management]
14
Key Sourcefire IPS Capabilities
  • Threat protection
    • Comprehensive vulnerability-based Snort rules (10 000 rules)
    • Inline (IPS) and/or passive (IDS) deployments
    • 2 500 rules recommended inline
    • Reassembles TCP segments and IP fragments (rules match the stream the target host sees, not the individual packets an attacker splits it into)
  • Open-standard rules language
    • View, edit, and create rules
    • Industry-standard rule format with over 100,000 active users
  • Performance
    • 5 Mbps to 10 Gbps
  • Platform choice
    • Sourcefire, Nokia, Crossbeam

15
Sourcefire RNA: Real-time Network Awareness
Network Behavior Analysis (NBA)
  • Passive discovery of the network assets and their communications
  • Real-time recognition and detection
  • Identifies policy and regulatory violations

16
What RNA sees: Real-time Network Awareness
  • Network composition
    • Operating systems, services, ports, protocols, MAC and IP addresses, and vulnerability inference
  • Flow mapping
    • Creates a traffic baseline / NetFlow record
    • Detects traffic anomalies inside the network
  • User identity tracking
    • Linked to any Sourcefire 3D System event
    • Who are the users running non-standard applications?
    • Who are the laptop users that generate the most IDS events?

"NBA can be considered the last line of defense.
Organizations looking to integrate IDS/IPS,
vulnerability assessment, and NBA functions into
a single system should include Sourcefire on the
shortlist." (Paul Proctor, Research VP,
Gartner MarketScope for Network Behavior
Analysis, 2H06)
Option
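As an added illustration (not Sourcefire code, and not taken from the deck), the Python below combines two points made above: the open Snort rule format of the "Key Sourcefire IPS Capabilities" slide, whose reference:cve options are what make a rule "vulnerability-based", and the impact calculation the RNA slide alludes to with "vulnerability inference" and "linked to any Sourcefire 3D System event" (the "automatic impact calculation" the closing slide credits with the event reduction). The impact levels, host map, rule and events are all constructed assumptions: the 1 to 4 numbering is modelled on the Sourcefire/FireSIGHT scheme, the sid is in the local rule range and the CVE identifier is a dummy, not a real vulnerability.

```python
import re
from dataclasses import dataclass

# Impact levels. The deck only says "automatic impact calculation"; this
# numbering is an assumption modelled on the Sourcefire/FireSIGHT scheme.
VULNERABLE = 1              # host map says the target has the rule's vulnerability
POTENTIALLY_VULNERABLE = 2  # target runs a service on the attacked port
NOT_VULNERABLE = 3          # target is known, but the attacked port is closed
UNKNOWN_TARGET = 4          # target never seen by passive discovery

RULE_HEADER = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<options>.*)\)\s*$"
)


def parse_rule(text):
    """Parse one rule in the open Snort format into the fields impact scoring needs."""
    m = RULE_HEADER.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % text)
    opts = m.group("options")
    sid = re.search(r"\bsid:\s*(\d+)", opts)
    msg = re.search(r'\bmsg:\s*"([^"]*)"', opts)
    # Vulnerability-based rules carry reference:cve,<year>-<id> options; those
    # are what let an event be matched against a host's inferred vulnerabilities.
    cves = {"CVE-" + c for c in re.findall(r"\breference:\s*cve,([0-9]{4}-[0-9]+)", opts)}
    return {
        "proto": m.group("proto"),
        "dport": m.group("dport"),
        "sid": int(sid.group(1)) if sid else None,
        "msg": msg.group(1) if msg else "",
        "cves": cves,
    }


@dataclass
class Host:
    """One entry of the passively built host map (what RNA infers from traffic)."""
    ip: str
    os: str
    services: dict   # port -> service name
    cves: set        # vulnerabilities inferred from OS/service versions


def impact(event, rule, hosts):
    """Score one IDS event against the host map."""
    host = hosts.get(event["dst_ip"])
    if host is None:
        return UNKNOWN_TARGET
    if rule["cves"] & host.cves:
        return VULNERABLE
    if event["dst_port"] in host.services:
        return POTENTIALLY_VULNERABLE
    return NOT_VULNERABLE


def triage(events, rule, hosts):
    """Return {impact_level: [events]} so an analyst can work only the level-1 queue."""
    queues = {}
    for ev in events:
        queues.setdefault(impact(ev, rule, hosts), []).append(ev)
    return queues


# Constructed sample data: a placeholder local rule (sid in the local range,
# dummy CVE id) and a small host map; none of this is real.
SAMPLE_RULE = parse_rule(
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SMB placeholder check"; '
    'flow:to_server,established; reference:cve,2007-0000; sid:1000001; rev:1;)'
)
HOSTS = {
    "10.0.0.9": Host("10.0.0.9", "Windows", {445: "smb", 3389: "rdp"}, {"CVE-2007-0000"}),
    "10.0.0.10": Host("10.0.0.10", "Windows", {445: "smb"}, set()),
    "10.0.0.5": Host("10.0.0.5", "Linux", {80: "http", 22: "ssh"}, set()),
}
SAMPLE_EVENTS = [
    {"src_ip": "203.0.113.7", "dst_ip": "10.0.0.9", "dst_port": 445},
    {"src_ip": "203.0.113.7", "dst_ip": "10.0.0.10", "dst_port": 445},
    {"src_ip": "203.0.113.7", "dst_ip": "10.0.0.5", "dst_port": 445},
    {"src_ip": "203.0.113.7", "dst_ip": "10.0.0.77", "dst_port": 445},
]

if __name__ == "__main__":
    for level, evs in sorted(triage(SAMPLE_EVENTS, SAMPLE_RULE, HOSTS).items()):
        print(level, [e["dst_ip"] for e in evs])
```

Only the level-1 queue needs immediate attention; levels 3 and 4 are what the deck counts as eliminated noise. The reduction depends entirely on how complete the passive host map is: a host RNA has never seen lands in level 4, not level 3, so an empty or stale map gives no reduction at all, and a missed service version turns a real level 1 into a level 2.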
17
Easy Compliance Management
With just a few mouse clicks
  • Create compliance profiles and baseline
    configurations
  • Identify and track policy
    non-compliance and make changes
  • Verify compliance of OS, service, and
    protocol usage
  • Create specific OS and
    service/protocol linkages and refer to them in
    other compliance profiles
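As an added example (not Sourcefire code), a small compliance checker in Python that does what the slide describes: named OS/service linkages, profiles per network zone that refer to those linkages, and a check of passively discovered hosts against the profile. All linkages, zones and discovered hosts are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Named OS/service linkages (constructed), reusable across profiles: the
# "specific OS and service/protocol linkages" the slide mentions.
LINKAGES = {
    "linux-web": {"os": {"Linux"}, "services": {(80, "http"), (443, "https"), (22, "ssh")}},
    "windows-desktop": {"os": {"Windows"}, "services": {(445, "smb"), (135, "msrpc")}},
}

# Compliance profile (constructed): each network zone refers to one or more linkages.
PROFILE = {
    "10.0.1.0/24": {"zone": "dmz", "linkages": ["linux-web"]},
    "10.0.2.0/24": {"zone": "workstations", "linkages": ["windows-desktop"]},
}


def allowed_for(zone_spec):
    """Union of the OSes and (port, service) pairs the zone's linkages permit."""
    os_ok, svc_ok = set(), set()
    for name in zone_spec["linkages"]:
        os_ok |= LINKAGES[name]["os"]
        svc_ok |= LINKAGES[name]["services"]
    return os_ok, svc_ok


def zone_of(ip, profile):
    addr = ip_address(ip)
    for cidr, spec in profile.items():
        if addr in ip_network(cidr):
            return cidr, spec
    return None, None


def check_compliance(discovered, profile=PROFILE):
    """Compare discovered hosts against the profile; return sorted (ip, kind, detail) violations."""
    violations = []
    for ip, host in discovered.items():
        cidr, spec = zone_of(ip, profile)
        if spec is None:
            # A host on a subnet nobody wrote a profile for is itself a finding.
            violations.append((ip, "unprofiled-network", host["os"]))
            continue
        os_ok, svc_ok = allowed_for(spec)
        if host["os"] not in os_ok:
            violations.append((ip, "os", host["os"]))
        for port, name in sorted(host["services"] - svc_ok):
            violations.append((ip, "service", "%s/%d" % (name, port)))
    return sorted(violations)


# Constructed RNA-style discovery snapshot: ip -> {os, {(port, service)}}
DISCOVERED = {
    "10.0.1.10": {"os": "Linux", "services": {(80, "http"), (443, "https")}},
    "10.0.1.11": {"os": "Linux", "services": {(80, "http"), (21, "ftp")}},  # ftp not allowed in dmz
    "10.0.2.20": {"os": "Windows", "services": {(445, "smb")}},
    "10.0.2.21": {"os": "Linux", "services": {(22, "ssh")}},  # wrong OS and service for the zone
    "10.0.9.5": {"os": "Windows", "services": {(445, "smb")}},  # subnet with no profile
}

if __name__ == "__main__":
    for v in check_compliance(DISCOVERED):
        print(*v)
```

Because the check runs on what RNA observed rather than on a questionnaire, a new service shows up as a violation the moment a host starts talking on it; the same mechanism is what the "New generation IPS" slides later use to notice a compromised asset changing composition.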

18
New generation IPS
[Comparison table recovered from the slide. The column headings did not survive extraction; from the slide title and the "Technology limitation" slide they are assumed to be a new-generation IPS (Sourcefire 3D) and a first-generation IPS.]

  Capability                                                          New generation IPS   First-generation IPS
  IPS based on remediation on Network Behavior Analysis               YES                  NO
  IPS based on remediation after real-time correlation (7 500 rules)  YES                  NO
  IPS on inline rules or signatures (2 500)                           YES                  YES
19
New generation IPS
1. Reconnaissance activity is detected by the
passive Intrusion Sensor; events associated
with the target are assigned higher priority.
2. RNA detects a change in the behavior and/or
composition of the compromised asset.
3. Correlated events trigger the remediation
policy: isolate the compromised server,
block the attacker at the firewall, direct
configuration management, notify the system
administrator.
4. The inline Intrusion Sensor policy is updated
to prevent reoccurrence.
[Diagram components: Sourcefire Intrusion and RNA Sensors (passive), Sourcefire Intrusion Sensor (inline), Sourcefire Defense Center, Patch Management (or other solution)]
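The four-step workflow above, as an added Python example that is not Sourcefire code: a reconnaissance event marks its target, later IDS events against that target are raised in priority, an RNA change on the same host within a time window is treated as a compromise, and the remediation policy is emitted as a list of actions (the example returns the actions rather than talking to a firewall or a Defense Center). The window length, the event shapes and the sample events are assumptions made for the example.

```python
from dataclasses import dataclass

RECON_WINDOW = 600  # seconds; assumption: recon followed by a change on the same host


@dataclass
class Event:
    ts: int
    kind: str        # "ids" (Intrusion Sensor) or "rna" (RNA change event)
    host: str        # asset the event concerns (IDS destination / RNA host)
    detail: str
    src: str = ""    # attacker address for IDS events
    priority: int = 3


def remediate(recon, change):
    """Steps 3 and 4: the remediation policy, returned as actions rather than executed."""
    return {
        "host": change.host,
        "attacker": recon.src,
        "evidence": [recon.detail, change.detail],
        "actions": [
            ("isolate-host", change.host),
            ("firewall-block", recon.src),
            ("config-mgmt", change.host),
            ("notify-admin", change.host),
            ("inline-policy-update", recon.src),  # step 4: inline sensor blocks the source
        ],
    }


def correlate(events, window=RECON_WINDOW):
    """Run the workflow over an event list; returns (prioritized events, incidents)."""
    recon_by_host = {}  # host -> most recent recon event against it
    prioritized, incidents = [], []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "ids" and ev.detail == "portscan":
            recon_by_host[ev.host] = ev  # step 1: remember the target
        elif ev.kind == "ids" and ev.host in recon_by_host:
            ev.priority = 1  # step 1: later events against a recon target rank higher
            prioritized.append(ev)
        elif ev.kind == "rna" and ev.host in recon_by_host:
            recon = recon_by_host[ev.host]
            if 0 <= ev.ts - recon.ts <= window:  # step 2: composition change after recon
                incidents.append(remediate(recon, ev))
    return prioritized, incidents


# Constructed sample stream (TEST-NET addresses; nothing here is a real capture).
SAMPLE_EVENTS = [
    Event(0, "ids", "10.0.1.20", "portscan", src="203.0.113.10"),
    Event(90, "ids", "10.0.1.20", "exploit attempt tcp/80", src="203.0.113.10"),
    Event(150, "rna", "10.0.1.20", "new service tcp/4444 (unknown)"),
    Event(200, "ids", "10.0.1.30", "portscan", src="198.51.100.8"),
    Event(5000, "rna", "10.0.1.30", "new service tcp/8080"),      # outside window: no incident
    Event(300, "rna", "10.0.1.40", "os change Linux->Windows"),   # no recon first: no incident
]

if __name__ == "__main__":
    high, found = correlate(SAMPLE_EVENTS)
    print("prioritized:", [(e.ts, e.detail) for e in high])
    for inc in found:
        print(inc["host"], "<-", inc["attacker"], inc["actions"])
```

The window is the part that needs tuning in practice: too short and a slow attacker never correlates, too long and any planned change on a recently scanned host (every Internet-facing host is scanned constantly) triggers isolation. Automatic isolation of a server is itself a denial of service if the correlation is wrong, which is why the deck keeps a notify step alongside the blocking ones.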
20
Sourcefire today and tomorrow
21
Introducing Enterprise Threat Management (ETM)
Clearly, the whole is greater than the sum of the
parts
Enterprise Threat Management (ETM)
  • Sourcefire 3D
  • Knowing the network map in real time and
    understanding network behavior at any time,
    so that the security tools work more
    efficiently

22
Vulnerability Research Team (VRT)
Matt Watchinski's team is working for you
  • 10 M investment
  • Vulnerability research
  • Snort rules creation
  • Nmap plug-in creation
  • RNA engine writing
  • Constant link with the Open Source community
  • Constant link with our customers: SEU updates

23
Why Sourcefire 3D?
  • For Snort: VRT team, largest coverage (10 000
    open rules, among which 2 500 are recommended inline)
    with Snort/Nmap community support
  • For RNA: leading solution, allowing 99% IDPS
    event reduction (automatic impact calculation:
    events against hosts that are not in the map, or
    that do not run the attacked service, are deprioritized)
  • For RNA: network compliance rules extremely easy
    to deploy and incredibly powerful
  • For RNA: IPS tuning based on RNA
    discovery. Adaptive IPS.
  • For platform choice: Sourcefire, Nokia,
    Crossbeam

24
Questions?
  • "Sourcefire, framing the future of IT security"
    (Information Security Magazine, The Influence List)

www.sourcefire.com 800.917.4134
25
3D Visualizer