
The Case For The Next-Generation IPS
Executive Summary
A Next-Generation IPS (NGIPS) offers a logical and essential progression of the capabilities needed to protect networks from emerging threats. Pioneered by Sourcefire, and now endorsed by Gartner, the NGIPS builds on typical IPS solutions by adding contextual awareness (of network activity, systems and applications, people, and more) so that threats can be assessed promptly, responded to consistently and appropriately, and an organization's security expenditures reduced.
The purpose of this paper is:

- To describe why an NGIPS is critical in defending against today's threat landscape
- To list the essential ingredients of an NGIPS solution, as defined by Gartner
- To map Gartner's requirements against Sourcefire's NGIPS offering
- To contrast Sourcefire's NGIPS with a typical, first-generation IPS
Why Next-Generation IPS?
Organizations have been using network intrusion detection and prevention systems (IDS/IPS) for well over a decade. They've proven their worth in protecting networks from a wide range of threats. Network-based IDS and IPS systems are now viewed as essential elements of an overall network security strategy, and are mandated by many regulatory and audit frameworks. These technologies have changed significantly over time, reflecting the evolving needs of users.
At first, the industry intended for IDS to simply
satisfy a security professionals need for
information. Understanding what attacks were
taking place, where they originated, and what
assets were targeted was of immense value. As
that knowledge was secured, systems evolved
to add attack forensics capabilitiescrucial in
prosecuting attackers.
Soon, reporting and high-level analysis emerged as essential features to inform security staff of the potential effect of attacks and the effectiveness of defenses. As detection capabilities and accuracy improved, confidence in automated assessments led users to demand the ability to prevent, not just detect, attacks.
Network security continues to evolve with the needs of security administrators and executives. For example, IPS systems have generally focused on detecting attacks against servers and server-based applications. But today, attackers increasingly target client applications such as browsers and document readers instead. As a result, the ability to identify and respond to attacks against this new set of targets is essential.
Whitepaper
Data center constraints on space, power, and cooling, together with the potential efficiencies of multifunction security devices, have prompted considerable interest in consolidating network security devices. At the same time, the promise of increased flexibility and speed has driven expanded server virtualization programs.
As was the case with previous changes in
networking, all of these trends have served to
further fuel the ongoing evolution of network
security technologies.
How does this evolution affect IPS?

- The ability to identify, monitor, and inspect a wide range of client applications is increasingly critical to both security and compliance initiatives.
- Ready access to other types of contextual data, such as network behavior, user identity, and the resources used on the network, offers exceptional value when assessing and responding to attacks, and in maintaining defenses.
- Comprehensive support for virtualized networking environments is essential. That support should entail the ability both to provide visibility into the virtual environment and to operate within it.
- When selecting security technologies, organizations and vendors must balance the many potential benefits of consolidation with real-world issues of performance, varied security requirements in different portions of the network, and even budgetary constraints and technology refresh cycles.
Building on its pioneering work in network- and user-awareness technologies, and best-in-class attack detection capabilities, Sourcefire has once again led the industry in satisfying these requirements with the creation of its Next-Generation IPS (NGIPS).
What Is A Next-Generation IPS?
According to Gartner [1], a next-generation network IPS, at a minimum, should have the following attributes:

- Inline, bump-in-the-wire configuration: Should never disrupt network operations.
- Standard first-generation IPS capabilities: Should support vulnerability- and threat-facing signatures.
- Application awareness and full-stack visibility: Should identify applications and enforce network security policy at the application layer.
- Context awareness: Should bring information from sources outside the IPS to make improved blocking decisions or to modify the blocking rule set.
- Content awareness: Should be able to inspect and classify inbound executables and other similar file types, such as PDF and Microsoft Office files.
- Agile engine: Should support upgrade paths for the integration of new information feeds and new techniques to address future threats.
Importantly, the NGIPS does not include traditional enterprise network firewall capabilities. Many organizations will benefit from a security system that combines high-performing network inspection and control functions, such as a Next-Generation Firewall (NGFW). However, it's also clear such an offering isn't universally applicable. According to Gartner [1], the high end of the security market will tend to continue to use separate firewalls and IPSs, driven by complexity, desire for defense in depth and network operational considerations.
Sourcefire maximizes choice by providing systems offering a range of security functionality, across both physical and virtual platforms. This Agile Security strategy offers security teams a high degree of flexibility in deployment decisions, as well as the potential for significant capital and operational expense savings.
The remainder of this paper describes how Sourcefire's NGIPS solution meets and exceeds the requirements as defined by Gartner.
Inline, Bump-in-the-Wire Configuration
If a network IPS device configured for inline operation suffers a service disruption (caused, perhaps, by onboard hardware failure, software malfunction, or power loss), in most instances it should be configured to fail open so as not to interrupt network connectivity. In this case the ingress and egress interfaces of an interface set are mechanically bridged, so traffic continues to pass, without further inspection. Fail-open trades protection for availability for the duration of the outage; on segments where an uninspected window is unacceptable, the interface set should instead be configured to fail closed and the outage treated as an incident.
Unlike other providers that offer limited or no fail-open interfaces, 100% of Sourcefire's purpose-built 3D Appliances come equipped with fail-open copper and/or fiber interfaces. This often negates the need to purchase expensive inline taps, saving considerable time and money.
Standard, First-Generation IPS Capabilities
Sourcefire is consistently recognized for offering the best protection in the business. Based on the award-winning open source Snort detection engine, which has become the most widely used IPS detection engine in the world today, Sourcefire has been recognized by NSS Labs as offering the industry's best overall protection among all major IPS providers for two years running.
Results like these are a consequence of the rigorous development methodology employed by the Sourcefire Vulnerability Research Team (VRT), which is designed to maximize performance while minimizing both false negatives and false positives.
Application Awareness and Full-Stack Visibility
Sourcefire is the first and only IPS provider to offer passive, real-time network intelligence gathering. Sourcefire FireSIGHT (formerly Sourcefire RNA) aggregates rich network intelligence in real time to enable security administrators to actually enforce corporate acceptable use policies (AUPs) regarding the use of approved operating systems and applications. This can be accomplished within Sourcefire's NGIPS solution through compliance rules and whitelists. By limiting the operating systems and applications that can be used on the network, organizations can improve productivity and reduce risk by minimizing the network's attack surface.
Contextual Awareness
Accurate and timely detection of attacks is an
essential requirement of an NGIPS. But equally
important is deciding how to respond, or even
whether to respond, to those attacks. Context, the
complex set of circumstances that surround a
specific attack, is a crucial element in assessing
the risk posed by an attack, dictating the priority
of the response. Sourcefire was the first vendor
to deliver commercial IPS solutions that provided
essential information about both the behavior
and composition of a network under attack,
as well as the identification of the specific
individuals affected by a security incident.
Network Awareness
Contextual information about the network
provides benefits by enabling proactive
responses to developing situations before an
attack or breach. Sourcefire NGIPS provides
continuous network visibility, including
identification of new hosts as they join the
network, network and host configuration
changes, and compliance with IT policies.
The experience of Sourcefire customers has
shown the value of incorporating this contextual
data into threat response and ongoing
operational and administrative activities. For
example, if certain operating systems, devices,
or applications are not expected to exist in a
network, protections related to those systems
can be turned off, eliminating unneeded checks.
However, if Sourcefire detects the emergence of an unexpected device, relevant protections can automatically be engaged, protecting the device from attack while security staff investigate the network addition.
Similarly, contextual data can be used when evaluating attacks for possible response. Sourcefire employs Impact Flags to guide security staff in identifying the most pressing attacks. Attacks against devices not susceptible to an exploit (an IIS exploit directed at an Apache server, for example) are of little operational concern. While the attack itself may be recorded to provide information for statistical and historical analysis, the NGIPS sets the Impact Flag for such events to a low priority. This signals to security analysts and event responders that they can safely set those attacks aside. Experience has demonstrated that this approach reduces actionable events by up to 99%, delivering a dramatic productivity gain.
Augmenting the identifying information passively
gathered by Sourcefire with specific knowledge
about known vulnerabilities further refines the
accuracy of Impact Flags. To that end, Sourcefire
supports an application-programming interface
(API) that facilitates information sharing between
vulnerability management systems (and other
security and configuration management systems)
and the NGIPS. This enables users to share information with virtually any such system, and a fully tested and supported interface for the market-leading QualysGuard vulnerability management product is available.
Contextual data also helps enhance the
performance of other network and system
security programs. For example, the identification
of new systems on a network enables patch
management systems to evaluate their status,
helping prevent insecure systems from exposing
a network to unnecessary risks.
Application Awareness
Threats posed by specific applications along with
usage policies prompt organizations to develop
standards articulating the applications permitted on
a given network or segment. For example, certain
applicationstypically file sharing, messaging, and
social applicationspose a higher-than-acceptable
level of risk.
Sourcefire has long supported the ability to
identify the use of applications and has led
the market in delivering the ability to detect
operating systems, virtual machines, consumer
devices like smart phones and tablet computers,
VoIP systems, network devices, printers, and
more. This data, which is gathered passively
in a way that poses no operational risks to the
network, makes a broad range of compliance
and policy enforcement initiatives possible.
FLAG | MEANING | DISCUSSION
1 - Red | Act immediately (Vulnerable) | The targeted system is associated with a known vulnerability.
2 - Orange | Investigate (Potentially Vulnerable) | The targeted system either is known to run the service associated with the attack (port-oriented traffic), or is known to use a protocol associated with the attack (non-port-oriented traffic).
3 - Yellow | Information (Currently Not Vulnerable) | The targeted system either has the associated port closed (TCP/UDP traffic), or does not use the associated protocol (e.g., ICMP).
4 - Blue | Information (Unknown Target) | The host is known to exist, but no data regarding the system is available.
0 - White | Information (Unknown Network) | The target is located on a network that is not being monitored.
Gray | Information (Blocked) | Traffic was dropped by the NGIPS.
Table 1. Sourcefire Defense Center correlates threats against target systems to assess the impact of security events, helping to reduce the number of actionable events by up to 99%.

APPLICATION AWARENESS - REPRESENTATIVE SAMPLING OF APPLICATIONS IDENTIFIED
AIM, Clarizen, eHarmony.com, eTrade, Facebook, Gmail, Jabber, Lotus, Match.com, Myspace.com, NetBotz, Oracle, Outlook, Salesforce.com, Scottrade, Skype, Twitter, WebEx, Windows Messenger, Yahoo Mail
Table 2. Sample applications detected by Sourcefire FireSIGHT technology.

Identity Awareness
Sourcefire NGIPS also provides essential information about the users of a network, either individually or as members of groups. This data, available from both Microsoft Active Directory systems and a variety of open, standards-based LDAP directory servers, is frequently used to identify the potential victims of an attack, speeding response.
For example, most intrusion prevention and detection systems operate solely on the basis of an affected system's IP address. If a device has been compromised, it's often essential that security staff communicate with its owner. They may need to speak with the individual to investigate the circumstances of a breach, warn the individual of interruptions in network services, or prompt the person to undertake remediation and restoration efforts. With only an IP address to go on, those activities are delayed. The Sourcefire NGIPS automatically makes the connection between device and owner, and conveniently provides contact information that speeds and simplifies incident workflows.
Behavior Awareness
Behavior awareness works by establishing
expected traffic baselines, an understanding
of what type and amount of network traffic
is normal. From there, the NGIPS monitors
network activity, looking for unusual or
anomalous traffic.
Unexpected network traffic or connections might
signal a botnet attempting to contact a command
and control server, for example. Highlighting
such events and responding to themeither
automatically by quarantining compromised
systems, or by alerting trained individuals
aids in preventing system breaches and data
loss. Behavior awareness also aids operations
by monitoring bandwidth consumption and
delivering troubleshooting information to help
diagnose performance degradation.
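To make the baseline idea concrete, here is an added example in Python (not Sourcefire code, and not from this paper): it learns a per-host baseline from a training window of flow records, then scores a later window against it, flagging a host that begins talking to a peer it has never used and a host whose hourly volume jumps far outside its norm. The flow records, addresses and threshold are all constructed for the illustration.

```python
"""Behavior awareness as a baseline-and-deviation check (added example, not
Sourcefire code).  A per-host baseline is learned from a training window of
flow records; a later window is then scored against it.  All flow records
below are constructed for the example."""
from collections import defaultdict
from statistics import mean, pstdev


def make_flows():
    """Constructed flows as (hour, src_ip, dst_ip, dst_port, bytes_out).
    Hours 0-23 form the baseline window; hours 24-29 are evaluated."""
    flows = []
    for hour in range(24):
        # 10.0.0.5 talks to the web and mail servers with mild hour-to-hour jitter
        flows.append((hour, "10.0.0.5", "10.0.0.10", 443, 50_000 + 2_000 * (hour % 3)))
        flows.append((hour, "10.0.0.5", "10.0.0.11", 25, 8_000))
        # 10.0.0.6 only ever talks to the web server
        flows.append((hour, "10.0.0.6", "10.0.0.10", 443, 40_000 + 1_000 * (hour % 2)))
    for hour in range(24, 30):
        flows.append((hour, "10.0.0.5", "10.0.0.10", 443, 51_000))
        flows.append((hour, "10.0.0.5", "10.0.0.11", 25, 8_000))
        # 10.0.0.5 starts beaconing hourly to an outside host it has never used
        flows.append((hour, "10.0.0.5", "203.0.113.7", 8443, 1_200))
        flows.append((hour, "10.0.0.6", "10.0.0.10", 443, 40_000))
    # 10.0.0.6 pushes 2 MB to its usual server in a single hour: a volume anomaly
    flows.append((27, "10.0.0.6", "10.0.0.10", 443, 2_000_000))
    return flows


def build_baseline(flows):
    """Per-host baseline: mean/stdev of hourly outbound bytes and the set of
    (dst, port) peers seen during the window."""
    hourly = defaultdict(lambda: defaultdict(int))   # src -> hour -> bytes
    peers = defaultdict(set)                          # src -> {(dst, port)}
    for hour, src, dst, port, nbytes in flows:
        hourly[src][hour] += nbytes
        peers[src].add((dst, port))
    baseline = {}
    for src, by_hour in hourly.items():
        totals = list(by_hour.values())
        baseline[src] = {"mean": mean(totals), "stdev": pstdev(totals), "peers": peers[src]}
    return baseline


def find_anomalies(baseline, flows, z_threshold=3.0):
    """Score a later window against the baseline.  Returns a sorted, de-duplicated
    list of (src, kind, detail): a host absent from the baseline, a (dst, port)
    the host never used before, or an hourly byte total more than z_threshold
    standard deviations from the host's mean."""
    findings = set()
    hourly = defaultdict(lambda: defaultdict(int))
    for hour, src, dst, port, nbytes in flows:
        hourly[src][hour] += nbytes
        known = baseline.get(src)
        if known is None:
            findings.add((src, "unknown host", f"{dst}:{port}"))
        elif (dst, port) not in known["peers"]:
            findings.add((src, "new peer", f"{dst}:{port}"))
    for src, by_hour in hourly.items():
        known = baseline.get(src)
        if known is None:
            continue
        sigma = max(known["stdev"], 1.0)   # floor: a perfectly flat baseline must not divide by zero
        for hour, total in sorted(by_hour.items()):
            z = (total - known["mean"]) / sigma
            if abs(z) > z_threshold:
                findings.add((src, "volume", f"hour {hour} z={z:.0f}"))
    return sorted(findings)


if __name__ == "__main__":
    flows = make_flows()
    baseline = build_baseline([f for f in flows if f[0] < 24])
    for finding in find_anomalies(baseline, [f for f in flows if f[0] >= 24]):
        print(finding)
```

The "new peer" finding is the beaconing case the text describes; the "volume" finding is the kind of bandwidth deviation that also serves the operational troubleshooting use. A production implementation would keep the baseline rolling and weight by time of day, but the split between learning and scoring is the same.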
Intelligent Automation
Automation is a critical emerging requirement
for security systems of all types. The number
of incidents, the complexity of networks, and
the increasing criticality of compliance and
standards initiatives all demand an NGIPS
to respond to events in real-time. Along with
speeding response, intelligent automation can
reduce costs, ensure a consistent response to
events, and enable strained security staffs to
focus their attention on only the most crucial and
challenging problems.
The Sourcefire NGIPS delivers multiple
automation capabilities.
Automated IPS Tuning
Multiple independent tests and the experience of countless security organizations have conclusively demonstrated that tuning intrusion detection and prevention rule sets is a critical activity for the most accurate results. But the typical tuning process requires the review of groups of rules (or, worse, even thousands of individual rules), to ensure that appropriate protections are in place. It's time consuming and represents a significant risk to network integrity if not performed promptly and accurately.
Sourcefire NGIPS removes much of the burden of tuning by automating the process. Because the Sourcefire NGIPS knows what operating systems and services are running on a network, it can automatically recommend enabling only those rules relevant to the environment. Automated tuning also eliminates unneeded checks, dropping rules that guard against attacks on systems not present on the network. With this automation, the Sourcefire NGIPS balances sensor resources and performance. Importantly, Sourcefire NGIPS can implement its rule recommendations either automatically or after human review and approval; since the recommendations are only as good as the host map, rules covering hosts that discovery has not yet profiled deserve that review before being disabled.
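The following added Python example (not Sourcefire code) ties the Impact Flag scheme of Table 1 and the automated-tuning idea just described to one toy host map: `assess_impact` assigns an impact level to an event from what is known about the target, and `recommend_rules` derives an enable/disable recommendation from the same inventory. The hosts, rule metadata, events and vulnerability tags are all constructed; they are not real rule or vulnerability identifiers. Treating a host on a monitored network with no profile as "unknown target" is an assumption of the example.

```python
"""Impact assessment and automated rule tuning driven by a passively learned
host map (added example, not Sourcefire code).  The host records, rule
metadata and events are constructed; the vulnerability tags are placeholders,
not real vulnerability identifiers.  Impact levels follow Table 1 above."""
import ipaddress

MONITORED_NETS = [ipaddress.ip_network("10.0.0.0/24")]

# Constructed host map: what passive discovery has learned about each address.
HOSTS = {
    "10.0.0.10": {"os": "linux", "services": {80: "apache", 443: "apache"},
                  "protocols": {"tcp", "icmp"}, "vulns": {"vuln-apache-1"}},
    "10.0.0.20": {"os": "windows", "services": {80: "iis", 445: "smb"},
                  "protocols": {"tcp", "udp"}, "vulns": set()},
    "10.0.0.30": {},   # seen on the wire, nothing learned about it yet
}

# Constructed rule metadata: the OS and service a rule protects, the
# vulnerability tag it covers, and the protocol it inspects.
RULES = {
    "r-iis-overflow":   {"os": "windows", "service": "iis",    "vuln": "vuln-iis-1",    "proto": "tcp"},
    "r-apache-request": {"os": "linux",   "service": "apache", "vuln": "vuln-apache-1", "proto": "tcp"},
    "r-solaris-rpc":    {"os": "solaris", "service": "rpc",    "vuln": "vuln-rpc-1",    "proto": "tcp"},
    "r-icmp-flood":     {"os": None,      "service": None,     "vuln": None,            "proto": "icmp"},
}


def in_monitored_network(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MONITORED_NETS)


def assess_impact(event):
    """Return (level, colour) for an event dict {rule, dst, dst_port, proto, dropped}."""
    if event.get("dropped"):
        return ("gray", "blocked")                  # already stopped: informational only
    dst = event["dst"]
    if not in_monitored_network(dst):
        return (0, "white")                         # unknown network: target is not monitored
    host = HOSTS.get(dst)
    if not host:
        return (4, "blue")                          # unknown target: host seen, no profile data (assumption)
    rule = RULES[event["rule"]]
    if rule["vuln"] and rule["vuln"] in host["vulns"]:
        return (1, "red")                           # vulnerable: act immediately
    if rule["proto"] in ("tcp", "udp"):
        # Port-oriented attack: potentially vulnerable only if the host runs the
        # service the rule targets on the attacked port.  An IIS exploit aimed at
        # an Apache server on port 80 therefore drops to yellow.
        if host["services"].get(event.get("dst_port")) == rule["service"]:
            return (2, "orange")
        return (3, "yellow")
    # Non-port-oriented attack (e.g. ICMP): potentially vulnerable if the host
    # is known to use that protocol at all.
    if rule["proto"] in host["protocols"]:
        return (2, "orange")
    return (3, "yellow")


def recommend_rules(hosts=HOSTS, rules=RULES):
    """Automated tuning: enable only rules whose target OS and service exist
    somewhere in the host map; everything else is a candidate for disabling."""
    present_os = {h["os"] for h in hosts.values() if h}
    present_services = {s for h in hosts.values() if h for s in h["services"].values()}
    enabled, disabled = [], []
    for rid, rule in rules.items():
        os_ok = rule["os"] is None or rule["os"] in present_os
        svc_ok = rule["service"] is None or rule["service"] in present_services
        (enabled if os_ok and svc_ok else disabled).append(rid)
    return sorted(enabled), sorted(disabled)


if __name__ == "__main__":
    events = [
        {"rule": "r-apache-request", "dst": "10.0.0.10", "dst_port": 443, "proto": "tcp"},
        {"rule": "r-iis-overflow",   "dst": "10.0.0.10", "dst_port": 80,  "proto": "tcp"},
        {"rule": "r-iis-overflow",   "dst": "10.0.0.20", "dst_port": 80,  "proto": "tcp"},
        {"rule": "r-icmp-flood",     "dst": "10.0.0.20", "proto": "icmp"},
        {"rule": "r-iis-overflow",   "dst": "10.0.0.30", "dst_port": 80,  "proto": "tcp"},
        {"rule": "r-iis-overflow",   "dst": "192.0.2.9", "dst_port": 80,  "proto": "tcp"},
    ]
    for ev in events:
        print(ev["rule"], ev["dst"], assess_impact(ev))
    print("enable:", recommend_rules()[0], "disable:", recommend_rules()[1])
```

Note that the orange check compares the service actually observed on the attacked port against the service the rule protects, not merely whether the port is open; that is what turns the paper's IIS-exploit-against-Apache case into a low-priority event.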
Network Systems Management and
Security System Integration
The typical organization, small or large, employs
multiple management systems to deploy,
monitor, and control information technology.
Speedy, efficient responses to management
issues routinely require the interaction of many of
these systems. Sourcefire offers customers more
ways to enable the integration and interoperation
of the NGIPS with other IT management systems
than any other vendor:

- eStreamer API: Streams security and status events to security information and event management (SIEM) systems
- Remediation API: Supports interaction with routers, NAC devices and more to quarantine a problem system
- OPSEC: Offers capabilities similar to the Remediation API based on Check Point Software's Open Platform for Security, a proprietary SDK
- SYSLOG: Captures specific system log messages to forward to another system, sometimes used as a less comprehensive means of integration to SIEMs
- SNMP Traps: Alerts generated by way of the Simple Network Management Protocol (SNMP), the lingua franca of network and systems management solutions
- Host Input API: Obtains endpoint and vulnerability intelligence to augment data captured by Sourcefire NGIPS; this is the basis for the Sourcefire QualysGuard integration offering
- NetFlow: Provides access to routing and switch data flows from Cisco systems, used to support network behavioral detection processes
- LDAP: Access to Lightweight Directory Access Protocol-based directories, an (often open source) alternative to Microsoft's Active Directory
Compliance Reporting and Assessment
Maintaining and demonstrating compliance with
governmental, industry group, and corporate
audit standards is a time-consuming task.
Sourcefire NGIPS automates this process using
multiple approaches.

- Policy Enforcement: NGIPS enforces an organization's defined policies, considering attributes such as the network address, host information, user identity, device type, application or service, and more. Violations of these policy mandates can be addressed by the generation of alerts prompting further investigation, or more active enforcement such as quarantining a device [2].
- Whitelists: To speed the implementation of policy management programs, Sourcefire NGIPS is capable of evaluating the current condition (existing hosts, services, etc.) of the network and establishing that state as a baseline, known as a compliance whitelist. Future changes from the approved whitelist prompt alerts or other responses as appropriate.
- Compliance Reports: Customizable compliance reports reveal information regarding the number of network resources and/or users that are in compliance with mandates. By tracking these metrics, the security team can demonstrate progress towards achieving goals and prove compliance to auditors and regulators.
Remediation
Once Sourcefire NGIPS has identified an out-of-compliance system, it's necessary for the security team to respond and resolve the issue. Manually responding to the myriad of these issues in the typical network can cause a significant drain on staff. Users can automate many of these activities using the Remediation and OPSEC APIs supported by Sourcefire NGIPS. The APIs are highly flexible and support a range of possible responses. Examples include:

- Network Quarantine: Instruct network switches or routers to remove a device from the network, or constrain network access
- Vulnerability Assessment: Check the security stance of unknown or suspect devices by directing a vulnerability scanning system to conduct an examination
- Patch: Correct missing patches by submitting a system for automated updates through a patch management system
Workflows and Incident Response
Sourcefire NGIPS provides highly customizable, yet easy-to-use workflows for investigating security events. Workflows enable a consistent, standardized response to events and provide access to the information and tools needed to expedite their evaluation and resolution. Three types of workflow are supported:

- Predefined: Sourcefire-created workflows, applicable to a broad range of organizations and incident types
- Saved Custom: Modified versions of predefined workflows that have been altered to meet an organization's or team's unique requirements
- Custom: From-scratch workflow definitions created to address specific requirements
Content Awareness
The ability to detect threats is by far the most important aspect of any network IPS device. But today's threats are constantly evolving and more sophisticated than ever. Network security vendors must raise the bar by not only detecting more traditional threats (e.g., worms, Trojans, spyware, buffer overflows, denial-of-service attacks), but also threats embedded in content, such as Adobe PDFs and Microsoft Office files.
Sourcefire leads the industry in preventing threats embedded in content within its NGIPS solution and its comprehensive Snort rules library.
Agile Engine
We are famously advised to trust, but verify. That axiom carries even more weight in the security community, where trust is a fundamental requirement. But even within the context of a trusted relationship, the ability to examine detection approaches and threat detection rules to understand exactly what's being inspected is a crucial requirement.
Open systems and rules can be easily extended when default protections don't address unique security requirements. Open systems are easier to evaluate. Understanding and documenting detection capabilities may be necessary to demonstrate protection against an attack. Regardless of the motivation, open architectures enable the ready evaluation, validation, and customization of security protections. It's surprising, then, that so many vendors force customers into a closed, black-box architecture that in some cases can't even be customized. We're asked to trust, but are given no means to verify.
Since the original release of the Snort open source intrusion detection system, Sourcefire has championed an open architecture. This philosophy is one of the reasons the Snort detection engine, the basis for the commercial Sourcefire NGIPS offering, has become the most widely deployed intrusion prevention technology in the world. The Snort rule format, in the process, has become the de facto standard for the industry.
Sourcefire NGIPS satisfies requirements for an
agile engine in the following ways.
Default Detection Policies
Sourcefire offers the industry's most accurate default detection rates, according to independent tests performed by NSS Labs. Sourcefire offers three default detection policy options reflecting differing security needs, to reduce configuration effort and shorten overall deployment time:

- Security over Connectivity: For cases where the integrity of network infrastructure supersedes user convenience, this is the highest level of default security with the largest number of protections and checks enabled.
- Connectivity over Security: Recommended when accessibility to resources and applications by individuals is the highest priority, this is the least restrictive option.
- Balanced Security and Connectivity: This option provides an optimal solution for the organization with typical security needs.
Custom Configurations
Along with these basic configurations, our open
architecture provides opportunities to customize
and refine both detection activities and overall
policies to accommodate unique requirements.
For example, users can divide Sourcefire rules
into different categories, including those based
on platforms, applications, services, specific
threats, and many others. Users can also view,
enable, or disable individual rules or groups of
rules based on these categories. This makes
it simple to modify default rule sets to reflect
organizational needs.
The Sourcefire Defense Center also supports a hierarchical approach for implementing policies. With Policy Layering, administrators supplement Sourcefire-defined policy layers with their own custom layers. For example, broad security policies might be defined in a company-wide layer, while more specific limits would be placed in a site-specific layer. Higher-level policies take precedence over settings in lower policy layers. This is helpful for larger organizations with complex and/or extensive deployments because it reduces the effort required to implement policy changes across a large population of sensors.
Users can customize and modify individual
rules in the Sourcefire NGIPS precisely to deliver
needed detection and protection. Sourcefire
NGIPS is based on the Snort rule format, the most
widely used network intrusion rule format in the
industry. As a result, the majority of Sourcefire-
provided rules are completely customizable. Any
customer can also create his or her own rules as
needed, using a built-in Rule Editor.
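As an added illustration of what an open rule format makes possible (example code, not Sourcefire's engine or any rule from its library), here is a small Python reader for the Snort rule syntax that parses a custom rule and tests it against a packet, so that a reviewer can see exactly what the rule inspects. It covers the header, the content/nocase/depth/offset options and Snort's |hex| byte notation; flow and stream state are ignored, and $HOME_NET is defined in the code in place of snort.conf. The rule, packet and addresses are constructed; the sid sits in the range Snort reserves for local rules.

```python
"""A small reader and matcher for the Snort rule format (added example, not
Sourcefire's engine or rule set).  It handles the rule header, the content/
nocase/depth/offset options and Snort's |hex| byte notation; flow and stream
state are ignored, and $HOME_NET is defined here in place of snort.conf.  The
rule and packet below are constructed; the sid is in the local-rule range."""
import ipaddress
import re

HOME_NET = [ipaddress.ip_network("10.0.0.0/24")]   # stands in for snort.conf's ipvar HOME_NET

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")
# key:value; pairs, where a value is either a double-quoted string (which may
# contain escaped quotes and semicolons) or a bare token ending at the next ';'
OPT_RE = re.compile(r'\s*(?P<key>\w+)(?::\s*(?P<val>"(?:[^"\\]|\\.)*"|[^;]*))?;')


def decode_content(raw):
    """Turn a content string such as 'GET|0d 0a|' into the bytes b'GET\\r\\n'."""
    out = bytearray()
    for i, chunk in enumerate(raw.split("|")):
        if i % 2:                                      # inside |...|: hex bytes
            out += bytes.fromhex(chunk.replace(" ", ""))
        else:                                          # literal text; \" \; \\ escapes
            out += re.sub(r"\\(.)", r"\1", chunk).encode("latin-1")
    return bytes(out)


def parse_rule(text):
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule")
    rule = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    rule["contents"] = []
    for om in OPT_RE.finditer(m.group("opts")):
        key, val = om.group("key"), om.group("val")
        if key == "content":
            negated = val.strip().startswith("!")
            rule["contents"].append({"bytes": decode_content(val.strip().lstrip("!").strip('"')),
                                     "negated": negated, "nocase": False, "offset": 0, "depth": None})
        elif key in ("nocase", "depth", "offset") and rule["contents"]:
            prev = rule["contents"][-1]               # these modifiers bind to the preceding content
            if key == "nocase":
                prev["nocase"] = True
            else:
                prev[key] = int(val)
        elif key in ("msg", "sid", "rev", "classtype", "flow"):
            rule[key] = val.strip().strip('"')
    return rule


def addr_matches(spec, ip):
    addr = ipaddress.ip_address(ip)
    if spec == "any":
        return True
    negated, spec = spec.startswith("!"), spec.lstrip("!")
    in_home = any(addr in net for net in HOME_NET)
    if spec == "$HOME_NET":
        hit = in_home
    elif spec == "$EXTERNAL_NET":
        hit = not in_home
    else:
        hit = addr in ipaddress.ip_network(spec, strict=False)
    return hit != negated


def port_matches(spec, port):
    if spec == "any":
        return True
    negated, spec = spec.startswith("!"), spec.lstrip("!")
    if ":" in spec:                                    # range; either end may be open
        lo, hi = spec.split(":", 1)
        lo, hi = int(lo or 0), int(hi or 65535)
    else:
        lo = hi = int(spec)
    return (lo <= port <= hi) != negated


def payload_matches(rule, payload):
    for c in rule["contents"]:
        start = c["offset"]
        end = start + c["depth"] if c["depth"] is not None else len(payload)
        hay, needle = payload[start:end], c["bytes"]
        if c["nocase"]:
            hay, needle = hay.lower(), needle.lower()
        if (needle in hay) == c["negated"]:            # a negated content must be absent
            return False
    return True


def rule_matches(rule, pkt):
    """pkt: {"proto", "src", "sport", "dst", "dport", "payload"} for one packet."""
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False

    def ends(src, sport, dst, dport):
        return (addr_matches(rule["src"], src) and port_matches(rule["sport"], sport)
                and addr_matches(rule["dst"], dst) and port_matches(rule["dport"], dport))

    header_ok = ends(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if not header_ok and rule["dir"] == "<>":
        header_ok = ends(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    return header_ok and payload_matches(rule, pkt["payload"])


# Constructed custom rule; sids from 1,000,000 up are reserved for local rules.
RULE_TEXT = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL directory traversal in HTTP request"; '
             'flow:to_server,established; content:"GET "; depth:4; content:"../"; nocase; '
             'classtype:web-application-attack; sid:1000001; rev:1;)')

if __name__ == "__main__":
    rule = parse_rule(RULE_TEXT)
    pkt = {"proto": "tcp", "src": "198.51.100.7", "sport": 40123, "dst": "10.0.0.10", "dport": 80,
           "payload": b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\n"}
    print(rule["sid"], rule["msg"], "->", rule_matches(rule, pkt))
```

Reading the parsed structure back is the point: the rule fires only for TCP from outside $HOME_NET to port 80 inside it, only when the first four payload bytes are "GET ", and only when "../" appears anywhere (case-insensitively). Anything a rule of this kind does not say, such as matching across packet boundaries, it does not do, which is exactly what a closed signature format hides.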
Information Capture and Interpretation
Information capture was the first, and remains a critical, purpose of the intrusion prevention system. Sourcefire provides multiple event viewing and reporting facilities. Sourcefire NGIPS remains one of the few systems on the market capable of efficiently capturing the network packets associated with attacks. Unlike competitive offerings that require the use of standalone tools for examining packets, the Sourcefire NGIPS provides detailed displays for inspecting attacks directly within the management system.
Regardless of the built-in capabilities of an NGIPS's reporting system, people often find it useful to transport alert data to another system for specialized processing, analysis, or reporting. For that reason, Sourcefire supports direct access to the underlying Defense Center database by third-party reporting tools.
Virtual Environments
As organizations embrace options for
virtualization and cloud computing, new types of
threats emerge and existing threats may change
with the new environment. Sourcefire was the first and remains the only vendor to deliver a complete virtual network security solution, fully interoperable and compatible with its physical offerings. The following are available on VMware, Xen, and Red Hat platforms:

- Sourcefire Virtual Defense Center: Customers can leverage their investment in virtualization technology and support the operation of one or more Defense Center instances on a single physical host with this full-featured virtual appliance implementation of the Sourcefire Defense Center.
- Sourcefire Virtual 3D Sensor: Customers can use this feature-complete appliance to enhance the level of protection provided within virtual environments, to economically extend deployment of sensors to the far corners of the network, and to further take advantage of the cost and energy saving benefits associated with virtualization.
Inspection of Encrypted Traffic
Encrypted network traffic has emerged as a growing security concern.
Ironically, this is partially a consequence of efforts to enhance the security of users and applications. Encrypted links to browsers or applications and VPN connections keep authorized traffic safe from prying eyes and manipulation. But it also means required threat detection isn't being performed. In industries where security and integrity are crucial, such as finance, it's been observed that as much as 70% of all network traffic is encrypted. Lacking the ability to cost-effectively decrypt and re-encrypt traffic, most security gateways simply pass it on and hope it's attack-free. This has created a large, and growing, blind spot.
Sometimes, encryption is used as a means of bypassing security controls. Anonymizing networks, file sharing, and ad hoc communication applications like instant messaging frequently exploit encryption to hide, leading to liability and compliance issues.
The typical IPS fails to provide a solution to these security challenges. A few products that do attempt to decrypt traffic do so using a software-based process executing directly on the device. Most organizations have discovered this approach is simply unworkable, since the processing demands of decryption drag down sensor performance to unacceptable levels. Additional security risks are created when, in an effort to boost performance, traffic is not re-encrypted after inspection.
The Sourcefire NGIPS overcomes these problems by employing a dedicated appliance for decryption (and re-encryption) of network traffic. In addition to providing optimal performance and reliability, the approach enhances flexibility by enabling deployment of the technology only as and where needed.
Conclusion
Security teams must address a variety of
functional requirements in a diverse mix of
network environments. Within an organization,
the mix of inspection and control needs can
vary considerably from the perimeter to the data
center and within different network segments.
Organizations are also at different points in their technology lifecycle and, unfortunately, acquisition and end-of-life activities don't generally mesh across products. For all of these reasons, it is essential that security teams be able to select from a mix of product offerings to best address their unique requirements.
As both technology and security threats evolve, it's essential that tools and systems intended to protect and defend resources keep pace. Sourcefire, the developer of Snort, the original and most widely deployed network intrusion prevention and detection system, has demonstrated a record of innovation and advancement unmatched in the industry. As organizations begin to consider requirements for additional capabilities and converged security infrastructure, Sourcefire will continue to lead the way.
To learn more, visit us at www.sourcefire.com or contact Sourcefire or a member of the Sourcefire Global Security Alliance today.
KEY CAPABILITIES (compared for a Typical IPS and the Sourcefire NGIPS)
- Inline IPS and Passive IDS Modes
- Reports, Alerts & Dashboard
- Policy Management
- Advanced Policy Management
- Custom Rules
- Automated Impact Assessment
- Automated Tuning
- Host Profiles and Network Map
- Network Behavior Analysis
- User Identity Tracking
Table 3. The Next-Generation IPS from Sourcefire significantly extends the capabilities of typical IPS products, delivering strong network security functions and fully meeting needs for an open architecture, full contextual awareness, and automation.

5.13 | REV2B
© 2013 Sourcefire. Sourcefire, the Sourcefire logo, Snort, the Snort and Pig logo, Agile Security and the Agile Security logo, ClamAV, FireAMP, FirePOWER, FireSIGHT and certain other trademarks and logos are trademarks or registered trademarks of Sourcefire, Inc. in the United States and other countries. Other company, product and service names may be trademarks or service marks of others.