The Sourcefire 3D System version 4.8

Best known for its excellent Snort IPS software, Sourcefire also offers a sophisticated network threat management solution, and this latest version of its 3D System comes with greatly simplified deployment and management.

The three main concepts behind the 3D System are the ability to discover internal and external threats, determine vulnerabilities, and then defend against them. This is an appliance-based solution where multiple sensors can be located anywhere on the network and are all managed centrally by a Defense Center (DC) appliance. Sourcefire offers a selection of sensors capable of monitoring connection speeds ranging from 5Mbps right up to 10Gbps.

The sensors run Snort, which provides intrusion detection and prevention, and this is partnered by Sourcefire's RNA (real-time network awareness) and RUA (real-time user awareness). RNA monitors internal and external systems and gathers detailed information about them, such as the OS, services, applications and, more importantly, their vulnerabilities. This information is passed to the DC which conducts threat assessments on each system. It then ties this in with detected threats, allowing it to act only on events relevant to the network it protects, thus drastically reducing false positives and their resulting management overheads.

RUA integrates with LDAP and Active Directory, allowing user details to be mapped to security events. It can monitor any users logging in via IMAP, LDAP, Kerberos and POP3, so security policies can offer users protection no matter where they log in from.

Deployment is simple, as each sensor has its own web interface; here you provide a local IP address and the address of the DC, pick from inline or passive modes and, finally, enable automatic updates. DC installation is just as swift, as its web console provides a guided install, and here we entered the details of our managed sensors. Immediate protection is provided, as a default security policy is automatically applied.

The DC web console is very well designed and offers a smart user configurable dashboard replete with graphs and charts, showing active systems and IP addresses, threat levels and appliance status.

A new feature is that the dashboard is now widget based. These are provided by Sourcefire and widgets can be exported to other users so entire dashboard views can be shared. A wealth of information is available under the Analysis and Reporting tab, and selecting the IPS option provides a categorised list of intrusion events with each one assigned an impact flag icon to show its vulnerability level. Selecting one reduces the list to that impact level only, making it easy to see the events that pose a threat. For each event you view the source and target systems and their associated users, and selecting either will bring up attack details specifically for them.

Naturally, Snort handles packet decoding and inspection and you can easily see which rule was activated by an attack. Extensive reporting is provided and reports can be exported to PDF, HTML and CSV formats; analysts will find it useful that the rule source code is also provided.

RNA can gather plenty of host system details by passively monitoring network traffic, allowing it to provide a full NBA (network behavioural analysis) service. This information is incorporated into the DC console, allowing you to look at the host systems that have been attacked and see easily whether or not they have been compromised.

Not only is 3D System a sophisticated IPS solution, but it's capable of gathering a remarkable amount of information about internal and external systems. It delivers on Sourcefire's claims as it is extremely easy to deploy and manage. The well respected Snort provides top level detection and protection, and Sourcefire's policy based security makes it extremely versatile. NC

Product: 3D System 4.8
Supplier: Sourcefire Ltd
Telephone: 0118 989 8400
Web site: www.sourcefire.com
Price: From £3,177 excluding VAT ($4,995 USD)