
The Case For The Next-Generation IPS

Whitepaper

Executive Summary
A Next-Generation IPS (NGIPS) offers a logical and essential progression of capabilities needed to protect networks from emerging threats. Pioneered by Sourcefire, and now endorsed by Gartner, the NGIPS builds on typical IPS solutions by providing contextual awareness (about network activity, systems and applications, people, and more) to promptly assess threats, ensure a consistent and appropriate response, and reduce an organization's security expenditures.
The purpose of this paper is:

To describe why NGIPS is critical in defending against today's threat landscape
To list the essential ingredients of a NGIPS solution, as defined by Gartner
To map Gartner's requirements against Sourcefire's NGIPS offering
To contrast Sourcefire's NGIPS against a typical, first-generation IPS

Why Next-Generation IPS?


Organizations have been using network intrusion detection and prevention systems (IDS/IPS) for well over a decade. They've proven their worth in protecting networks from a wide range of threats. Network-based IDS and IPS systems are now viewed as essential elements of an overall network security strategy, and are mandated by many regulatory and audit frameworks. These technologies have changed significantly over time, reflecting the evolving needs of users.
At first, the industry intended for IDS to simply satisfy a security professional's need for information. Understanding what attacks were taking place, where they originated, and what assets were targeted was of immense value. As that knowledge was secured, systems evolved to add attack forensics capabilities, crucial in prosecuting attackers.
Soon, reporting and high-level analysis emerged as essential features to inform security staff of the potential effect of attacks and the effectiveness of defenses. As detection capabilities and accuracy improved, confidence in automated assessments led users to demand the ability to prevent, not just detect, attacks.
Network security continues to evolve with the needs of security administrators and executives. For example, IPS systems have generally focused on detecting attacks against servers and server-based applications. But today, attackers are increasingly employing attacks against clients using applications. As a result, the ability to identify and respond to attacks against a new set of targets is essential.

Data center constraints on space, power, and cooling, together with the potential efficiencies of multifunction security devices, have prompted considerable interest in consolidating network security devices. At the same time, the promise of increased flexibility and speed has driven expanded server virtualization programs.
As was the case with previous changes in networking, all of these trends have served to further fuel the ongoing evolution of network security technologies.
How does this evolution affect IPS?

The ability to identify, monitor, and inspect a wide range of client applications is increasingly critical to both security and compliance initiatives.

Ready access to other types of contextual data, such as network behavior, user identity, and the resources used on the network, offers exceptional value when assessing and responding to attacks, and in maintaining defenses.

Comprehensive support for virtualized networking environments is essential. That support should entail the ability to both provide visibility into the virtual environment, as well as to operate within it.

When selecting security technologies, organizations and vendors must balance the many potential benefits of consolidation with real-world issues of performance, varied security requirements in different portions of the network, and even budgetary constraints and technology refresh cycles.

Building on its pioneering work in network- and user-awareness technologies, and best-in-class attack detection capabilities, Sourcefire has now again led the industry in satisfying these requirements, with the creation of its Next-Generation IPS (NGIPS).

What Is A Next-Generation IPS?

According to Gartner¹, a next-generation network IPS, at a minimum, should have the following attributes:

Inline, bump-in-the-wire configuration: Should never disrupt network operations.

Standard first-generation IPS capabilities: Should support vulnerability- and threat-facing signatures.

Application awareness and full-stack visibility: Should identify applications and enforce network security policy at the application layer.

Context awareness: Should bring information from sources outside the IPS to make improved blocking decisions or to modify the blocking rule set.

Content awareness: Should be able to inspect and classify inbound executables and other similar file types, such as PDF and Microsoft Office files.

Agile engine: Should support upgrade paths for the integration of new information feeds and new techniques to address future threats.

Importantly, the NGIPS does not include traditional enterprise network firewall capabilities. Many organizations will benefit from a security system that combines high performing network inspection and control functions, such as a Next-Generation Firewall (NGFW). However, it's also clear such an offering isn't universally applicable. According to Gartner¹, the high end of the security market will tend to continue to use separate firewalls and IPSs, driven by complexity, desire for defense in depth and network operational considerations.
Sourcefire maximizes choice by providing systems offering a range of security functionality, across both physical and virtual platforms. This Agile Security strategy offers security teams a high degree of flexibility in deployment decisions, as well as the potential for significant capital and operational expense savings.
The remainder of this paper will describe how Sourcefire's NGIPS solution meets and exceeds the requirements as defined by Gartner.


Inline, Bump-in-the-Wire Configuration


In the event of service disruption from a network IPS device configured for inline operation (perhaps caused by onboard hardware failure, software malfunction, or power loss), in most instances the network IPS should be configured to fail open so as not to cause disruption in network connectivity. In this case, ingress and egress interfaces of an interface set are mechanically bridged, thus continuing to pass traffic (without further inspection).
Unlike other providers that offer limited or no fail-open interfaces, 100% of Sourcefire's purpose-built 3D Appliances come equipped with fail-open copper and/or fiber interfaces. This often negates the need to purchase expensive inline taps, saving considerable time and money.

Standard, First-Generation IPS Capabilities
Sourcefire is consistently recognized for offering the best protection in the business. Based on the award-winning open source Snort detection engine, which has rapidly become the most widely used IPS detection engine in the world today, Sourcefire has been recognized by NSS Labs as offering the industry's best overall protection among all major IPS providers for two years running.
Results like these are a consequence of the
rigorous development methodology employed
by the Sourcefire Vulnerability Research
Team (VRT), which is designed to maximize
performance, eliminate false negatives, and
minimize false positives.

Application Awareness and Full-Stack Visibility
Sourcefire is the first and only IPS provider to offer passive, real-time network intelligence gathering. Sourcefire FireSIGHT (formerly Sourcefire RNA) aggregates rich network intelligence in real-time to enable security administrators to actually enforce corporate acceptable use policies (AUPs) regarding usage of approved operating systems and applications. This can be accomplished within Sourcefire's NGIPS solution through compliance rules and whitelists.

By limiting the use of operating systems and applications that can be used on the network, organizations can improve productivity and reduce risk by minimizing the network's surface area of attack.

Contextual Awareness
Accurate and timely detection of attacks is an
essential requirement of an NGIPS. But equally
important is deciding how to respond, or even
whether to respond, to those attacks. Context, the
complex set of circumstances that surround a
specific attack, is a crucial element in assessing
the risk posed by an attack, dictating the priority
of the response. Sourcefire was the first vendor
to deliver commercial IPS solutions that provided
essential information about both the behavior
and composition of a network under attack,
as well as the identification of the specific
individuals affected by a security incident.

Network Awareness
Contextual information about the network
provides benefits by enabling proactive
responses to developing situations before an
attack or breach. Sourcefire NGIPS provides
continuous network visibility, including
identification of new hosts as they join the
network, network and host configuration
changes, and compliance with IT policies.
The experience of Sourcefire customers has
shown the value of incorporating this contextual
data into threat response and ongoing
operational and administrative activities. For
example, if certain operating systems, devices,
or applications are not expected to exist in a
network, protections related to those systems
can be turned off, eliminating unneeded checks.
However, if Sourcefire detects the emergence of an unexpected device, relevant protections can automatically be engaged, protecting the devices from attack while security staffers investigate the network addition.
Similarly, contextual data can be used when evaluating attacks for possible response. Sourcefire employs Impact Flags to guide security staff in identifying the most pressing attacks. Attacks against devices not susceptible to an exploit (an IIS exploit directed at an Apache server, for example) are of little operational concern. While the attack itself may be recorded to provide information for statistical and historical analysis, the NGIPS sets Impact Flags for such events to a low priority. This signals to security analysts and event responders that they can safely ignore the attacks. Experience has demonstrated that this approach reduces actionable events by up to 99%, delivering a dramatic productivity gain.
Augmenting the identifying information passively
gathered by Sourcefire with specific knowledge
about known vulnerabilities further refines the
accuracy of Impact Flags. To that end, Sourcefire
supports an application-programming interface
(API) that facilitates information sharing between
vulnerability management systems (and other
security and configuration management systems)
and the NGIPS. This enables users to share
information with virtually any such system,
and a fully tested and supported interface for
the market-leading QualysGuard vulnerability
management product is available.
Contextual data also helps enhance the
performance of other network and system
security programs. For example, the identification
of new systems on a network enables patch
management systems to evaluate their status,
helping prevent insecure systems from exposing
a network to unnecessary risks.

Application Awareness
Threats posed by specific applications along with usage policies prompt organizations to develop standards articulating the applications permitted on a given network or segment. For example, certain applications (typically file sharing, messaging, and social applications) pose a higher-than-acceptable level of risk.
Application awareness: representative sampling of applications identified

AIM, Clarizen, eHarmony.com, eTrade, Facebook, Gmail, Jabber, Lotus, Match.com, Myspace.com, NetBotz, Oracle, Outlook, Salesforce.com, Scottrade, Skype, WebEx, Windows Messenger, Yahoo Mail, Twitter

Table 2. Sample applications detected by Sourcefire FireSIGHT technology.

Sourcefire has long supported the ability to identify the use of applications and has led the market in delivering the ability to detect operating systems, virtual machines, consumer devices like smart phones and tablet computers, VoIP systems, network devices, printers, and more. This data, which is gathered passively in a way that poses no operational risks to the network, makes a broad range of compliance and policy enforcement initiatives possible.

Identity Awareness
Sourcefire NGIPS also provides essential information about users of a network, either individually or as members of groups. This data, available from both Microsoft Active Directory systems and a variety of open standards-based LDAP directory servers, is frequently used to identify the potential victims of an attack, speeding response.
For example, most intrusion prevention and detection systems operate solely on the basis of an affected system's IP address. If a device has been compromised, it's often essential that security staff communicate with its owner. They may need to speak with the individual to investigate the circumstances of a breach, warn the individual of interruptions in network services, or prompt the person to undertake remediation and restoration efforts. With only an IP address to go on, those activities are delayed. The Sourcefire NGIPS automatically makes the connection between device and owner, and conveniently provides contact information that speeds and simplifies incident workflows.

| Flag | Meaning | Discussion |
|---|---|---|
| 1 - Red | Act immediately; Vulnerable | The targeted system is associated with a known vulnerability. |
| 2 - Orange | Investigate; Potentially Vulnerable | The targeted system either is known to operate the service associated with the attack (port-oriented traffic), or is known to use a protocol associated with the attack (non port-oriented traffic). |
| 3 - Yellow | Information; Currently Not Vulnerable | The targeted system either has closed the associated port (for TCP/UDP traffic), or does not use the associated protocol (i.e., ICMP). |
| 4 - Blue | Information; Unknown Target | The host is known to exist, but no data regarding the system is available. |
| 0 - White | Information; Unknown Network | The target is located on a network which is not being monitored. |
| Gray | Information; Blocked | Traffic was dropped by the NGIPS. |

Table 1. Sourcefire Defense Center correlates threats against target systems to assess the impact of security events, helping to reduce the number of actionable events by up to 99%.
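
The decision logic of Table 1, written out as an added example (it is not Sourcefire code and not part of the original paper). The data structures, sample hosts, placeholder vulnerability IDs, the order in which the checks are applied, and the choice of flags 1 and 2 as the "actionable" set are assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class HostProfile:
    """Context known about one host (hypothetical structure)."""
    open_ports: set = field(default_factory=set)  # e.g. {("tcp", 80)}
    protocols: set = field(default_factory=set)   # non-port protocols, e.g. {"icmp"}
    vuln_ids: set = field(default_factory=set)    # e.g. imported from a scanner


@dataclass
class Event:
    dst: str
    proto: str                         # "tcp", "udp", "icmp", ...
    port: Optional[int] = None         # None for non port-oriented traffic
    vuln_ids: frozenset = frozenset()  # vulnerabilities the triggering rule covers
    blocked: bool = False              # True if the sensor dropped the traffic


# Constructed sample data: monitored ranges, host profiles and events.
MONITORED = [ip_network("10.1.0.0/16")]
HOSTS = {
    "10.1.5.10": HostProfile({("tcp", 80), ("tcp", 445)}, {"icmp"}, {"EXAMPLE-VULN-1"}),
    "10.1.5.20": HostProfile({("tcp", 22)}, set(), set()),
    "10.1.9.99": None,  # host has been seen, but nothing else is known about it
}
EVENTS = [
    Event("10.1.5.10", "tcp", 445, frozenset({"EXAMPLE-VULN-1"})),
    Event("10.1.5.10", "tcp", 80, frozenset({"EXAMPLE-VULN-2"})),
    Event("10.1.5.10", "tcp", 3389),
    Event("10.1.5.20", "icmp"),
    Event("10.1.9.99", "tcp", 22),
    Event("192.0.2.7", "tcp", 80),
    Event("10.1.5.10", "tcp", 445, frozenset({"EXAMPLE-VULN-1"}), blocked=True),
]


def impact_flag(event, hosts=HOSTS, monitored=MONITORED):
    """Return the Table 1 flag for one event: 0-4 or "gray"."""
    if event.blocked:
        return "gray"                      # traffic was dropped by the sensor
    dst = ip_address(event.dst)
    if not any(dst in net for net in monitored):
        return 0                           # unknown network
    profile = hosts.get(event.dst)
    if profile is None:
        return 4                           # unknown target (assumption: also
                                           # used for hosts never profiled)
    if event.vuln_ids & profile.vuln_ids:
        return 1                           # known vulnerability on the target
    if event.port is not None:             # port-oriented traffic
        exposed = (event.proto, event.port) in profile.open_ports
    else:                                  # non port-oriented traffic
        exposed = event.proto in profile.protocols
    return 2 if exposed else 3


def triage(events, hosts=HOSTS, monitored=MONITORED):
    """Count events per flag and return those needing action (flags 1 and 2)."""
    flagged = [(impact_flag(e, hosts, monitored), e) for e in events]
    counts = Counter(flag for flag, _ in flagged)
    actionable = [e for flag, e in flagged if flag in (1, 2)]
    return counts, actionable


if __name__ == "__main__":
    counts, actionable = triage(EVENTS)
    print(dict(counts))
    print(f"{len(actionable)} of {len(EVENTS)} events need analyst attention")
```
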

Behavior Awareness
Behavior awareness works by establishing
expected traffic baselines, an understanding
of what type and amount of network traffic
is normal. From there, the NGIPS monitors
network activity, looking for unusual or
anomalous traffic.
Unexpected network traffic or connections might signal a botnet attempting to contact a command and control server, for example. Highlighting such events and responding to them, either automatically by quarantining compromised systems or by alerting trained individuals, aids in preventing system breaches and data loss. Behavior awareness also aids operations by monitoring bandwidth consumption and delivering troubleshooting information to help diagnose performance degradation.

Intelligent Automation
Automation is a critical emerging requirement for security systems of all types. The number of incidents, the complexity of networks, and the increasing criticality of compliance and standards initiatives all demand an NGIPS to respond to events in real-time. Along with speeding response, intelligent automation can reduce costs, ensure a consistent response to events, and enable strained security staffs to focus their attention on only the most crucial and challenging problems.
The Sourcefire NGIPS delivers multiple automation capabilities.

Automated IPS Tuning


Multiple independent tests and the experience of countless security organizations have conclusively demonstrated that tuning intrusion detection and prevention rule sets is a critical activity for the most accurate results. But the typical tuning process requires the review of groups of rules (or, worse, even thousands of individual rules), to ensure that appropriate protections are in place. It's time-consuming and represents a significant risk to network integrity if not performed promptly and accurately.
Sourcefire NGIPS uniquely eliminates the
challenges of tuning by reliably automating
the process. Since the Sourcefire NGIPS knows
what operating systems and services are running
on a network, it can automatically recommend
the activation of only those rules relevant to the
environment. Automated tuning helps eliminate
unneeded checks as well, dropping rules that
protect against attacks against nonexistent
systems. With this automation, the Sourcefire
NGIPS precisely balances sensor resources and
performance. Importantly, Sourcefire NGIPS can
implement its rule recommendations either
automatically or after human review and approval.
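
One way such a tuning recommendation could be computed, as an added example that is not Sourcefire's algorithm or code: it reads rules in Snort syntax, compares each rule's `metadata:service` tag with the services seen on the network, and proposes enable/disable changes that are applied either wholesale or only for reviewer-approved sids. The rules, sids, inventory and function names are constructed for illustration.

```python
import re

# Constructed rule file in Snort 2.x syntax. A leading "# " marks a disabled
# rule; the sids come from the range used for local rules (>= 1000000).
RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE web check"; content:"example-a"; metadata:service http; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"EXAMPLE mail check"; content:"example-b"; metadata:service smtp; sid:1000002; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXAMPLE dns check"; content:"example-c"; metadata:service dns; sid:1000003; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"EXAMPLE ftp check"; content:"example-d"; metadata:service ftp; sid:1000004; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE icmp check"; itype:8; sid:1000005; rev:1;)
"""

# Constructed inventory standing in for passively discovered host services.
INVENTORY = {
    "10.1.5.10": {"http", "dns"},
    "10.1.5.20": {"ssh", "dns"},
}

RULE_RE = re.compile(
    r"^(?P<off>#\s*)?(?P<body>(?:alert|log|pass|drop|reject|sdrop)\s.+\(.*\))\s*$"
)


def parse_rules(text):
    """Extract sid, enabled state and service tags from each rule line.

    Simplification: assumes no ';' inside quoted option values.
    """
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        sid = re.search(r"\bsid:\s*(\d+)\s*;", body)
        if not sid:
            continue
        services = set()
        for meta in re.findall(r"\bmetadata:\s*([^;]+);", body):
            for item in meta.split(","):
                parts = item.split()
                if len(parts) == 2 and parts[0] == "service":
                    services.add(parts[1])
        rules.append({
            "sid": int(sid.group(1)),
            "enabled": m.group("off") is None,
            "services": services,
            "body": body,
        })
    return rules


def recommend(rules, inventory):
    """Propose (sid, action) changes so enabled rules match observed services."""
    observed = set().union(*inventory.values())
    changes = []
    for rule in rules:
        if not rule["services"]:
            continue  # no service tag: nothing to match on, leave to a human
        relevant = bool(rule["services"] & observed)
        if relevant and not rule["enabled"]:
            changes.append((rule["sid"], "enable"))
        elif not relevant and rule["enabled"]:
            changes.append((rule["sid"], "disable"))
    return changes


def apply_changes(rules, changes, approved=None):
    """Render the rule file. approved=None applies every change
    (automatic mode); otherwise only changes for sids in `approved`."""
    todo = {sid: action for sid, action in changes
            if approved is None or sid in approved}
    lines = []
    for rule in rules:
        enabled = rule["enabled"]
        if rule["sid"] in todo:
            enabled = todo[rule["sid"]] == "enable"
        lines.append(rule["body"] if enabled else "# " + rule["body"])
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    parsed = parse_rules(RULES)
    proposed = recommend(parsed, INVENTORY)
    print(proposed)
    print(apply_changes(parsed, proposed, approved={1000003}))
```
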

Network Systems Management and Security System Integration
The typical organization, small or large, employs
multiple management systems to deploy,
monitor, and control information technology.
Speedy, efficient responses to management
issues routinely require the interaction of many of
these systems. Sourcefire offers customers more
ways to enable the integration and interoperation
of the NGIPS with other IT management systems
than any other vendor:

eStreamer API: Streams security and status events to security information and event management (SIEM) systems

Remediation API: Supports interaction with routers, NAC devices and more to quarantine a problem system

OPSEC: Offers capabilities similar to the Remediation API based on Check Point Software's Open Platform for Security, a proprietary SDK

SYSLOG: Captures specific system log messages to forward to another system, sometimes used as a less comprehensive means of integration to SIEMs

SNMP Traps: Alerts generated by way of the Simple Network Management Protocol (SNMP), the lingua franca of network and systems management solutions

Host Input API: Obtains endpoint and vulnerability intelligence to augment data captured by Sourcefire NGIPS; this is the basis for the Sourcefire QualysGuard integration offering

NetFlow: Provides access to routing and switch data flows from Cisco systems, used to support network behavioral detection processes

LDAP: Access to Lightweight Directory Access Protocol-based directories, an (often open source) alternative to Microsoft's Active Directory

Compliance Reporting and Assessment


Maintaining and demonstrating compliance with
governmental, industry group, and corporate
audit standards is a time-consuming task.
Sourcefire NGIPS automates this process using
multiple approaches.

Policy Enforcement: NGIPS enforces an organization's defined policies, considering attributes such as the network address, host information, user identity, device type, application or service, and more. Violations of these policy mandates can be addressed by the generation of alerts prompting further investigation, or more active enforcement such as quarantining a device².

Whitelists: To speed the implementation of policy management programs, Sourcefire NGIPS is capable of evaluating the current condition (existing hosts, services, etc.) of the network and establishing that state as a baseline, known as a compliance whitelist. Future changes from the approved whitelist prompt alerts or other responses as appropriate.

Compliance Reports: Customizable compliance reports reveal information regarding the number of network resources and/or users that are in compliance with mandates. By tracking these metrics, the security team can demonstrate progress towards achieving goals and prove compliance to auditors and regulators.

Remediation
Once Sourcefire NGIPS has identified an out-of-compliance system, it's necessary for the security team to respond and resolve the issue. Manually responding to the myriad of these issues in the typical network can cause a significant drain on staff. Users can automate many of these activities using the Remediation and OPSEC APIs supported by Sourcefire NGIPS. The APIs are highly flexible and support a range of possible responses. Examples include:

Network Quarantine: Instruct network switches or routers to remove a device from the network, or constrain network access

Vulnerability Assessment: Check the security stance of unknown or suspect devices by directing a vulnerability scanning system to conduct an examination

Patch: Correct missing patches by submitting a system for automated updates through a patch management system

Workflows and Incident Response


Sourcefire NGIPS provides highly customizable,
yet easy-to-use workflows for investigating
security events. Workflows enable a consistent,
standardized response to events and provide
access to the information and tools needed to
expedite their evaluation and resolution. Three
types of workflow are supported:

Predefined: Sourcefire-created workflows, applicable to a broad range of organizations and incident types

Saved Custom: Modified versions of predefined workflows that have been altered to meet an organization's or team's unique requirements

Custom: From-scratch workflow definitions created to address specific requirements

Content Awareness
The ability to detect threats is by far the most important aspect of any network IPS device. But today's threats are constantly evolving and more sophisticated than ever. Network security vendors must raise the bar by not only detecting more traditional threats (e.g., worms, Trojans, spyware, buffer overflows, denial-of-service attacks), but also threats embedded in content, such as Adobe PDFs and Microsoft Office files.
Sourcefire leads the industry in preventing threats embedded in content within its NGIPS solution and its comprehensive Snort rules library.

Agile Engine
We are famously advised to "trust, but verify." That axiom carries even more weight in the security community where trust is a fundamental requirement. But even within the context of a trusted relationship, the ability to examine detection approaches and threat detection rules to understand exactly what's being inspected is a crucial requirement.
Open systems and rules can be easily extended when default protections don't address unique security requirements. Open systems are easier to evaluate. Understanding and documenting detection capabilities may be necessary to demonstrate protection against an attack. Regardless of the motivation, open architectures enable the ready evaluation, validation, and customization of security protections. It's surprising, then, so many vendors force customers into a closed, "black box" architecture that in some cases can't even be customized. We're asked to trust, but are given no means to verify.
Since the original release of the Snort open source intrusion detection system, Sourcefire has championed an open architecture. This philosophy is one of the reasons the Snort detection engine, the basis for the commercial Sourcefire NGIPS offering, has become the most widely deployed intrusion prevention technology in the world. The Snort rule format, in the process, has become the de facto standard for the industry.
Sourcefire NGIPS satisfies requirements for an
agile engine in the following ways.

Default Detection Policies


Sourcefire offers the industry's most accurate default detection rates, according to independent tests performed by NSS Labs. Sourcefire offers three default detection policy options reflecting differing security needs to reduce configuration effort and shorten overall deployment time:

Security over Connectivity: For cases where the integrity of network infrastructure supersedes user convenience, this is the highest level of default security with the largest number of protections and checks enabled.

Connectivity over Security: Recommended when accessibility to resources and applications by individuals is the highest priority, this is the least restrictive option.

Balanced Security and Connectivity: This option provides an optimal solution for the organization with typical security needs.

Custom Configurations
Along with these basic configurations, our open
architecture provides opportunities to customize
and refine both detection activities and overall
policies to accommodate unique requirements.
For example, users can divide Sourcefire rules
into different categories, including those based
on platforms, applications, services, specific
threats, and many others. Users can also view,
enable, or disable individual rules or groups of
rules based on these categories. This makes
it simple to modify default rule sets to reflect
organizational needs.
The Sourcefire Defense Center also supports a
hierarchical approach for implementing policies.
With Policy Layering, administrators supplement
Sourcefire-defined policy layers with their own
custom layers. For example, broad security
policies might be defined in a company-wide
layer, while more specific limits would be placed
in a site-specific layer. Higher-level policies take
precedence over settings in lower policy layers.

This is helpful for larger organizations with complex and/or extensive deployments because it reduces the effort required to implement policy changes across a large population of sensors.
Users can customize and modify individual rules in the Sourcefire NGIPS precisely to deliver needed detection and protection. Sourcefire NGIPS is based on the Snort rule format, the most widely used network intrusion rule format in the industry. As a result, the majority of Sourcefire-provided rules are completely customizable. Any customer can also create his or her own rules as needed, using a built-in Rule Editor.

Information Capture and Interpretation


Information capture was the first, and remains a critical, purpose of the intrusion prevention system. Sourcefire provides multiple event viewing and reporting facilities. Sourcefire NGIPS remains one of the few systems on the market capable of efficiently capturing network packets associated with attacks. Unlike competitive offerings that require the use of standalone tools for examining packets, the Sourcefire NGIPS provides detailed displays for inspecting attacks directly within the management system.
Regardless of the built-in capabilities of an NGIPS's reporting system, people often find it useful to transport alert data to another system for specialized processing, analysis, or reporting. For that reason, Sourcefire supports direct access to the underlying Defense Center database by third-party reporting tools.

Virtual Environments
As organizations embrace options for
virtualization and cloud computing, new types of
threats emerge and existing threats may change
with the new environment. Sourcefire was the
first and remains the only vendor to deliver
a complete virtual network security solution,
fully interoperable and compatible with its
physical offerings. The following are available on
VMware, Xen, and Red Hat platforms:

Sourcefire Virtual Defense Center: Customers can leverage their investment in virtualization technology and support the operation of one or more Defense Center instances on a single physical host with this full-featured virtual appliance implementation of the Sourcefire Defense Center.

Sourcefire Virtual 3D Sensor: Customers can use this feature-complete appliance to enhance the level of protection provided within virtual environments, to economically extend deployment of sensors to the far corners of the network, and to further take advantage of the cost and energy saving benefits associated with virtualization.

Inspection of Encrypted Traffic


Encrypted network traffic has emerged as a growing security concern.
Ironically, this is partially a consequence of efforts to enhance the security of users and applications. Encrypted links to browsers or applications and VPN connections keep authorized traffic safe from prying eyes and manipulation. But it also means required threat detection isn't being performed. In industries where security and integrity are crucial, such as finance, it's been observed that as much as 70% of all network traffic is encrypted. Lacking the ability to cost-effectively decrypt and re-encrypt traffic, most security gateways simply pass it on and hope it's attack free. This has created a large, and growing, blind spot.
Sometimes, encryption is used as a means of bypassing security controls. Anonymizing networks, file sharing, and ad hoc communication applications like instant messaging frequently exploit encryption to hide, leading to liability and compliance issues.
The typical IPS fails to provide a solution to these security challenges. A few products that do attempt to decrypt traffic do so using a software-based process executing directly on the device. Most organizations have discovered this approach is simply unworkable, since the processing demands of decryption drag down sensor performance to unacceptable levels. Additional security risks are created when, in an effort to boost performance, traffic is not re-encrypted after inspection.
The Sourcefire NGIPS overcomes these problems by employing a dedicated appliance for decryption (and re-encryption) of network traffic. In addition to providing optimal performance and reliability, the approach enhances flexibility by enabling deployment of the technology only as and where needed.

Conclusion
Security teams must address a variety of functional requirements in a diverse mix of network environments. Within an organization, the mix of inspection and control needs can vary considerably from the perimeter to the data center and within different network segments. Organizations are also at different points in their technology lifecycle and, unfortunately, acquisition and end-of-life activities don't generally mesh across products. For all of these reasons, it is essential that security teams be able to select from a mix of product offerings to best address their unique requirements.
As both technology and security threats evolve, it's essential that tools and systems intended to protect and defend resources keep pace. Sourcefire, the developer of Snort, the original and most widely deployed network intrusion prevention and detection system, has demonstrated a record of innovation and advancement unmatched in the industry. As organizations begin to consider requirements for additional capabilities and converged security infrastructure, Sourcefire will continue to lead the way.
To learn more, visit us at www.sourcefire.com or contact Sourcefire or a member of the Sourcefire Global Security Alliance today.

Key Capabilities (Typical IPS vs. Sourcefire NGIPS)

Inline IPS and Passive IDS Modes
Reports, Alerts & Dashboard
Policy Management
Advanced Policy Management
Custom Rules
Automated Impact Assessment
Automated Tuning
Host Profiles and Network Map
Network Behavior Analysis
User Identity Tracking

Table 3. The Next-Generation IPS from Sourcefire significantly extends the capabilities of typical IPS products, delivering strong network security functions and fully meeting needs for an open architecture, full contextual awareness, and automation.

2013 Sourcefire, the Sourcefire logo, Snort, the Snort and Pig logo, Agile Security and the Agile Security logo, ClamAV, FireAMP, FirePOWER, FireSIGHT and certain other
trademarks and logos are trademarks or registered trademarks of Sourcefire, Inc. in the United States and other countries. Other company, product and service names may
be trademarks or service marks of others.
5.13 | REV2B
