Next-Generation IPS
Whitepaper
Executive Summary
A Next-Generation IPS (NGIPS) offers a logical
and essential progression of capabilities needed
to protect networks from emerging threats.
Pioneered by Sourcefire, and now endorsed by
Gartner, the NGIPS builds on typical IPS solutions
by providing contextual awareness (about
network activity, systems and applications, people,
and more) to promptly assess threats, ensure a
consistent and appropriate response, and reduce
an organization's security expenditures.
The purpose of this paper is:
Standard, First-Generation IPS Capabilities
Sourcefire is consistently recognized for offering
the best protection in the business. Based on
the award-winning open source Snort detection
engine, which has rapidly become the most
widely used IPS detection engine in the world
today, Sourcefire has been recognized by NSS
Labs as offering the industry's best overall
protection among all major IPS providers for two
years running.
Results like these are a consequence of the
rigorous development methodology employed
by the Sourcefire Vulnerability Research
Team (VRT), which is designed to maximize
performance, eliminate false negatives, and
minimize false positives.
Contextual Awareness
Accurate and timely detection of attacks is an
essential requirement of an NGIPS. But equally
important is deciding how to respond, or even
whether to respond, to those attacks. Context, the
complex set of circumstances that surround a
specific attack, is a crucial element in assessing
the risk posed by an attack, dictating the priority
of the response. Sourcefire was the first vendor
to deliver commercial IPS solutions that provided
essential information about both the behavior
and composition of a network under attack,
as well as the identification of the specific
individuals affected by a security incident.
Network Awareness
Contextual information about the network
provides benefits by enabling proactive
responses to developing situations before an
attack or breach. Sourcefire NGIPS provides
continuous network visibility, including
identification of new hosts as they join the
network, network and host configuration
changes, and compliance with IT policies.
The experience of Sourcefire customers has
shown the value of incorporating this contextual
data into threat response and ongoing
operational and administrative activities. For
example, if certain operating systems, devices,
or applications are not expected to exist in a
network, protections related to those systems
can be turned off, eliminating unneeded checks.
However, if Sourcefire detects the emergence
of an unexpected device, relevant protections
can automatically be engaged, protecting
the device from attack while security staff
investigate the network addition.
Similarly, contextual data can be used when
evaluating attacks for possible response.
Sourcefire employs Impact Flags to guide
security staff in identifying the most pressing
attacks. Attacks against devices not susceptible
to an exploit (an IIS exploit directed at an
Apache server, for example) are of little
Application Awareness
Threats posed by specific applications along with
usage policies prompt organizations to develop
Clarizen
eHarmony.com
eTrade
Gmail
Jabber
Lotus
Match.com
Myspace.com
NetBotz
Oracle
Outlook
Salesforce.com
Scottrade
Skype
WebEx
Windows Messenger
Yahoo Mail
Identity Awareness
Sourcefire NGIPS also provides essential
information about users of a network, either
individually or as members of groups. This data
available from both Microsoft Active Directory
Flag       | Meaning         | Discussion
1 - Red    | Act immediately | Vulnerable
2 - Orange | Investigate     | Potentially Vulnerable
3 - Yellow | Information     | Currently Not Vulnerable
4 - Blue   | Information     | Unknown Target. The host is known to exist, but no data regarding the system is available.
0 - White  | Information     | Unknown Network
Gray       | Information     | Blocked
Table 1. Sourcefire Defense Center correlates threats against target systems to assess the impact of security events, helping to reduce the number of actionable events by up to 99%.
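The correlation behind Table 1, written out as an added example (this is not Sourcefire code): each intrusion event is matched against what network awareness knows about the destination host, and the event receives the impact flag from the table. The host inventory, monitored network range, vulnerability ids and event fields are all constructed here to illustrate the logic.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Impact flags as listed in Table 1: colour -> (number, meaning, discussion).
# Gray has no number in the table, so None is used here.
IMPACT = {
    "Red":    (1, "Act immediately", "Vulnerable"),
    "Orange": (2, "Investigate", "Potentially Vulnerable"),
    "Yellow": (3, "Information", "Currently Not Vulnerable"),
    "Blue":   (4, "Information", "Unknown Target"),
    "White":  (0, "Information", "Unknown Network"),
    "Gray":   (None, "Information", "Blocked"),
}

MONITORED = [ip_network("10.0.0.0/24")]  # constructed: range covered by host discovery

@dataclass
class Host:
    os: Optional[str] = None                    # None: seen on the wire, not yet profiled
    services: set = field(default_factory=set)  # services observed on the host
    vulns: set = field(default_factory=set)     # vulnerability ids known to apply

# Constructed inventory, the kind of data network awareness would have gathered.
HOSTS = {
    "10.0.0.10": Host("Windows", {"iis"}, {"VULN-IIS-1"}),   # placeholder vuln id
    "10.0.0.20": Host("Linux", {"apache"}),
    "10.0.0.30": Host(),                                     # exists, no data yet
}

def impact_flag(event, hosts=HOSTS, monitored=MONITORED):
    """Return the Table 1 colour for one event: dict with dst, target_service, vuln, blocked."""
    if event.get("blocked"):
        return "Gray"                                   # dropped inline, nothing to act on
    dst = ip_address(event["dst"])
    if not any(dst in net for net in monitored):
        return "White"                                  # destination outside discovered networks
    host = hosts.get(event["dst"])
    if host is None or host.os is None:
        return "Blue"                                   # host known, but no system data (assumed)
    if event["target_service"] not in host.services:
        return "Yellow"                                 # e.g. IIS exploit aimed at an Apache server
    if event["vuln"] in host.vulns:
        return "Red"                                    # service present, vulnerability confirmed
    return "Orange"                                     # service present, vulnerability unconfirmed

def summarize(events):
    """Count events per flag; only Red and Orange need an analyst's attention."""
    counts = {}
    for ev in events:
        counts[impact_flag(ev)] = counts.get(impact_flag(ev), 0) + 1
    return counts
```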
Behavior Awareness
Behavior awareness works by establishing
expected traffic baselines, an understanding
of what type and amount of network traffic
is normal. From there, the NGIPS monitors
network activity, looking for unusual or
anomalous traffic.
Unexpected network traffic or connections might
signal a botnet attempting to contact a command
and control server, for example. Highlighting
such events and responding to them, either
automatically by quarantining compromised
systems or by alerting trained individuals,
aids in preventing system breaches and data
loss. Behavior awareness also aids operations
by monitoring bandwidth consumption and
delivering troubleshooting information to help
diagnose performance degradation.
Intelligent Automation
Automation is a critical emerging requirement
for security systems of all types. The number
of incidents, the complexity of networks, and
the increasing criticality of compliance and
standards initiatives all demand an NGIPS
to respond to events in real time. Along with
speeding response, intelligent automation can
reduce costs, ensure a consistent response to
events, and enable strained security staffs to
focus their attention on only the most crucial and
challenging problems.
The Sourcefire NGIPS delivers multiple
automation capabilities.
Remediation
Once Sourcefire NGIPS has identified an out-of-compliance system, it's necessary for the security
team to respond and resolve the issue. Manually
responding to the myriad of these issues in the
typical network can cause a significant drain
on staff. Users can automate many of these
activities using the Remediation and OPSEC APIs
supported by Sourcefire NGIPS. The APIs are
highly flexible and support a range of possible
responses. Examples include:
Content Awareness
The ability to detect threats is by far the most
important aspect of any network IPS device. But
today's threats are constantly evolving and more
sophisticated than ever. Network security vendors
must raise the bar by not only detecting more
traditional threats (e.g., worms, Trojans, spyware,
buffer overflows, denial-of-service attacks), but
also threats embedded in content, such as
Adobe PDFs and Microsoft Office files.
Sourcefire leads the industry in preventing threats
embedded in content within its NGIPS solution
and its comprehensive Snort rules library.
Agile Engine
We are famously advised to trust, but verify.
That axiom carries even more weight in the
security community where trust is a fundamental
requirement. But even within the context of
a trusted relationship, the ability to examine
detection approaches and threat detection rules
to understand exactly what's being inspected is a
crucial requirement.
Open systems and rules can be easily extended
when default protections don't address unique
security requirements. Open systems are easier
to evaluate. Understanding and documenting
detection capabilities may be necessary to
demonstrate protection against an attack.
Regardless of the motivation, open architectures
enable the ready evaluation, validation, and
customization of security protections. It's
surprising, then, that so many vendors force customers
into a closed, black-box architecture that in
some cases can't even be customized. We're
asked to trust, but are given no means to verify.
Since the original release of the Snort open
source intrusion detection system, Sourcefire
has championed an open architecture. This
philosophy is one of the reasons the Snort
detection engine, the basis for the commercial
Sourcefire NGIPS offering, has become the most
widely deployed intrusion prevention technology
in the world. The Snort rule format, in the
Custom Configurations
Along with these basic configurations, our open
architecture provides opportunities to customize
and refine both detection activities and overall
policies to accommodate unique requirements.
For example, users can divide Sourcefire rules
into different categories, including those based
on platforms, applications, services, specific
threats, and many others. Users can also view,
enable, or disable individual rules or groups of
rules based on these categories. This makes
it simple to modify default rule sets to reflect
organizational needs.
The Sourcefire Defense Center also supports a
hierarchical approach for implementing policies.
With Policy Layering, administrators supplement
Sourcefire-defined policy layers with their own
custom layers. For example, broad security
policies might be defined in a company-wide
layer, while more specific limits would be placed
in a site-specific layer. Higher-level policies take
precedence over settings in lower policy layers.
Virtual Environments
As organizations embrace options for
virtualization and cloud computing, new types of
threats emerge and existing threats may change
with the new environment. Sourcefire was the
first and remains the only vendor to deliver
a complete virtual network security solution,
fully interoperable and compatible with its
physical offerings. The following are available on
VMware, Xen, and Red Hat platforms:
Conclusion
Security teams must address a variety of
functional requirements in a diverse mix of
network environments. Within an organization,
the mix of inspection and control needs can
vary considerably from the perimeter to the data
center and within different network segments.
Organizations are also at different points in
their technology lifecycle and, unfortunately,
acquisition and end-of-life activities don't
generally mesh across products. For all of these
reasons, it is essential that security teams be able
Key Capabilities | Typical IPS | Sourcefire NGIPS
Policy Management
Custom Rules
Automated Tuning
Table 3. The Next-Generation IPS from Sourcefire significantly extends the capabilities of typical IPS products, delivering strong network security functions and fully meeting needs for an open architecture, full contextual awareness, and automation.
2013 Sourcefire, the Sourcefire logo, Snort, the Snort and Pig logo, Agile Security and the Agile Security logo, ClamAV, FireAMP, FirePOWER, FireSIGHT and certain other
trademarks and logos are trademarks or registered trademarks of Sourcefire, Inc. in the United States and other countries. Other company, product and service names may
be trademarks or service marks of others.
5.13 | REV2B