Intrusion detection on steroids
- By Earl Greer
- Jul 11, 2005
Locking the cyber doors has never been easy because as soon as one door is locked, intruders merely look for another vulnerability and the number of vulnerabilities seems to be endless. The Sourcefire 3D System seeks to lock all of those doors.
Time has shown that most malware or malicious software techniques are ephemeral. They are useful until the defenders close the doors on those tricks. Then the invaders must find a new means of attack.
The Sourcefire 3D System is a commercial intrusion-detection and intrusion-prevention system originally based on Snort, the popular open-source program.
Snort is based on signatures for detecting known methods of network intrusion. This is an effective approach, and we expect signature-detection technology to exist for many years.
When the 3D System arrived at my lab, it had three distinct appliances. Somewhat intimidated, I asked a Sourcefire technician who happened to be there to install it for me. I soon realized that installation of those Linux-based computers was easy. Only 30 minutes after I opened the box, the systems were operating.
But despite the ease of installation, I would like to see some quick-start manuals.
All intrusion-detection products need further tweaking after deployment. I spent the next few weeks tuning Sourcefire and fiddling with its many options through a Web browser.
The amount of tuning was less than I would have expected. In fact, the real-time network awareness unit did some of the tuning for me. For example, it detected that my Web server used Microsoft Internet Information Server and turned off useless checking for attacks directed at other vendors' Web servers.
Using the Real-time Network Awareness (RNA) sensors, the Sourcefire system began passive monitoring and data gathering immediately after I specified which networks to scan. The RNA sensors examine packets to identify operating systems and specific applications and then match known vulnerabilities to the software or systems detected.
The product's accuracy would be significantly enhanced if Sourcefire included a traditional vulnerability scanner. But the current process has the advantage of giving real-time information.
Administrators can set the RNA sensors to instruct Check Point Software Technologies firewalls and Cisco routers and firewalls to block malicious traffic aimed at vulnerabilities.
I like Sourcefire's strategy of employing several technologies to detect intrusions, but I was more impressed by the RNA sensors' ability to detect vulnerabilities in specific hosts in real time.
Network mapping is an additional use for the data gathered by the real-time awareness unit on host addresses, operating systems, applications and open ports.
I enjoyed using the Sourcefire Network Visualizer program that projects colorful 3D displays of network activities. Managers of large networks will appreciate the ability to identify new hosts added to the network and new ports being opened.
The intrusion-detection device contains the Snort program. Snort is so popular that in a large operation, the chances are good that someone is currently using it. Snort works by decoding packets and matching the contents against known methods of network intrusion. Those attack methods are described in Snort rules, which are written in a special language to define an attack and provide an action to take specifically for that attack.
You can write your own rules or modify existing ones, and you can keep your database of rules current through automatic downloads from Sourcefire's support site.
You can place certain models of the intrusion sensor in line in your network to drop harmful traffic. Because experience has shown that network perimeters
are porous, this adds to internal network security.
To test Sourcefire's response to malicious traffic, I attacked various targets within the network using the Blast and UDPflood programs available from Foundstone, a division of McAfee.
I had to turn off my real-time antivirus program to use those applications because the antivirus software correctly identifies them as potentially destructive. Sourcefire handled the attack with ease.
Integration of Snort technology into Sourcefire is a significant advantage. All known methods of network intrusion are quickly detected.
We appreciate that Sourcefire actively contributes to the Snort open-source community by contributing code, rules and maintenance to Snort.org.
There appears to be a trend for administrators to turn on at least some automated network intrusion prevention when possible.
Evidently administrators are willing to take the chance of false positives to stop intrusions while they are happening. For this reason, I have begun to give more weight to intrusion-prevention features, such as those in Sourcefire 3D.
Overall, I found Sourcefire 3D to be an effective tool and a good value.
Greer is a network security consultant. He can be reached at [email protected]