Next-Generation IPS
Executive Summary
A Next-Generation IPS (NGIPS) offers a logical and essential progression of capabilities needed to protect networks from emerging threats. Pioneered by Sourcefire
vulnerability management product is available.
Contextual data also helps enhance the performance of other network and system security programs. For example, the identification of new systems on a network enables patch management systems to evaluate their status, helping prevent insecure systems from exposing a network to unnecessary risks.
Application Awareness
Threats posed by specific applications, along with usage policies, prompt organizations to develop standards articulating the applications permitted on a given network or segment. For example, certain applications, typically file sharing, messaging, and social applications, pose a higher-than-acceptable level of risk.
Sourcefire has long supported the ability to identify the use of applications and has led the market in delivering the ability to detect operating systems, virtual machines, consumer devices like smart phones and tablet computers, VoIP systems, network devices, printers, and more. This data, which is gathered passively in a way that poses no operational risks to the network, makes a broad range of compliance and policy enforcement initiatives possible.
Identity Awareness
Sourcefire NGIPS also provides essential information about users of a network, either individually or as members of groups. This data, available from both Microsoft Active Directory
APPLICATION AWARENESS - REPRESENTATIVE SAMPLING OF APPLICATIONS IDENTIFIED
AIM, Clarizen, eHarmony.com, eTrade, Facebook, Gmail, Jabber, Lotus, Match.com, Myspace.com, NetBotz, Oracle, Outlook, Salesforce.com, Scottrade, Skype, Twitter, WebEx, Windows Messenger, Yahoo Mail
Table 2. Sample applications detected by Sourcefire FireSIGHT technology.
FLAG | MEANING | DISCUSSION
1 - Red | Act immediately | Vulnerable: the targeted system is associated with a known vulnerability.
2 - Orange | Investigate | Potentially Vulnerable: the targeted system either is known to operate the service associated with the attack (port-oriented traffic), or is known to use a protocol associated with the attack (non port-oriented traffic).
3 - Yellow | Information | Currently Not Vulnerable: the targeted system either has closed the associated port (for TCP/UDP traffic), or does not use the associated protocol (i.e., ICMP).
4 - Blue | Information | Unknown Target: the host is known to exist, but no data regarding the system is available.
0 - White | Information | Unknown Network: the target is located on a network which is not being monitored.
Gray | Information | Blocked: traffic was dropped by the NGIPS.
Table 1. Sourcefire Defense Center correlates threats against target systems to assess the impact of security events, helping to reduce the number of actionable events by up to 99%.
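The correlation in Table 1 is a small decision procedure: an event is checked against what is known about its target, and the impact level follows from how much of that knowledge applies. The following is an added example that is not Sourcefire code; the host inventory, the address prefixes treated as monitored, the vulnerability id and the events are all constructed, and the treatment of a monitored-range address that has no inventory entry as an unknown target is an assumption.

```python
"""Impact-flag correlation (added example, not Sourcefire code).

Assigns the impact levels of Table 1 to a constructed IDS event by
comparing it with a host inventory assumed to have been built passively.
Inventory, events and vulnerability ids are constructed.
"""
from dataclasses import dataclass, field

# Constructed: address prefixes the sensor is assumed to monitor.
MONITORED_PREFIXES = ("10.0.1.", "10.0.2.")


@dataclass
class Host:
    ip: str
    os: str = ""                                   # "" = no profile data yet
    open_ports: set = field(default_factory=set)   # (proto, port) pairs
    protocols: set = field(default_factory=set)    # non-port protocols, e.g. "icmp"
    vulns: set = field(default_factory=set)        # vulnerability ids mapped to the host


@dataclass
class Event:
    dst_ip: str
    proto: str             # "tcp", "udp", "icmp", ...
    dst_port: int = 0      # 0 for protocols without ports
    vuln_id: str = ""      # vulnerability the rule checks for, if any
    blocked: bool = False  # True when the sensor dropped the traffic


# Constructed inventory: one profiled host, one host seen but not profiled.
INVENTORY = {
    "10.0.1.10": Host("10.0.1.10", os="windows",
                      open_ports={("tcp", 80), ("tcp", 445)},
                      protocols={"icmp"},
                      vulns={"VULN-SAMPLE-SMB"}),
    "10.0.1.99": Host("10.0.1.99"),
}


def impact_flag(event: Event, inventory: dict, monitored=MONITORED_PREFIXES) -> tuple:
    """Return (level, colour, meaning) following the rows of Table 1."""
    if event.blocked:
        return (None, "gray", "Blocked")
    if not event.dst_ip.startswith(monitored):
        return (0, "white", "Unknown Network")
    host = inventory.get(event.dst_ip)
    # Assumption: a host in a monitored range with no profile data (or not yet
    # present in the inventory) is treated as an unknown target.
    if host is None or (not host.os and not host.open_ports and not host.protocols):
        return (4, "blue", "Unknown Target")
    if event.vuln_id and event.vuln_id in host.vulns:
        return (1, "red", "Vulnerable")
    if event.proto in ("tcp", "udp"):
        # Port-oriented traffic: does the host run the targeted service?
        exposed = (event.proto, event.dst_port) in host.open_ports
    else:
        # Non port-oriented traffic: does the host use the protocol at all?
        exposed = event.proto in host.protocols
    if exposed:
        return (2, "orange", "Potentially Vulnerable")
    return (3, "yellow", "Currently Not Vulnerable")


if __name__ == "__main__":
    for ev in (Event("10.0.1.10", "tcp", 445, "VULN-SAMPLE-SMB"),
               Event("10.0.1.10", "tcp", 22),
               Event("10.0.1.10", "icmp"),
               Event("10.0.1.99", "tcp", 80),
               Event("192.168.5.5", "tcp", 80),
               Event("10.0.1.10", "tcp", 80, blocked=True)):
        print(ev.dst_ip, ev.proto, ev.dst_port, "->", impact_flag(ev, INVENTORY))
```

The ordering of the checks matters: blocked traffic and unmonitored networks are decided before the inventory is consulted, and a host-level vulnerability match outranks the port or protocol check, so a closed port on a host that is still mapped to the vulnerability is reported as red rather than yellow. In a real deployment the inventory would be refreshed continuously so that the yellow and orange rows stay accurate.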
6 THE CASE FOR THE NEXT-GENERATION IPS
systems and a variety of open standards-based LDAP directory servers, is frequently used to identify the potential victims of an attack, speeding response.
For example, most intrusion prevention and detection systems operate solely on the basis of an affected system's IP address. If a device has been compromised, it's often essential that security staff communicate with its owner. They may need to speak with the individual to investigate the circumstances of a breach, warn the individual of interruptions in network services, or prompt the person to undertake remediation and restoration efforts. With only an IP address to go on, those activities are delayed. The Sourcefire NGIPS automatically makes the connection between device and owner, and conveniently provides contact information that speeds and simplifies incident workflows.
Behavior Awareness
Behavior awareness works by establishing expected traffic baselines, an understanding of what type and amount of network traffic is normal. From there, the NGIPS monitors network activity, looking for unusual or anomalous traffic.
Unexpected network traffic or connections might signal a botnet attempting to contact a command and control server, for example. Highlighting such events and responding to them, either automatically by quarantining compromised systems or by alerting trained individuals, aids in preventing system breaches and data loss. Behavior awareness also aids operations by monitoring bandwidth consumption and delivering troubleshooting information to help diagnose performance degradation.
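The baseline-then-deviate approach described above, as an added example that is not Sourcefire code: a per-host baseline of connections per interval and known peers is built from a constructed flow history, and a later window is checked for volume spikes and for destinations never seen during the baseline period (the kind of pattern a command and control contact can produce). The flow records, the interval length and the three-sigma threshold are assumptions.

```python
"""Behavior-awareness baseline (added example, not Sourcefire code).

Builds a per-host baseline of outbound connections per interval from a
constructed history, then flags intervals whose volume deviates sharply
from the baseline and destinations never seen during the baseline
period. Flow records and thresholds are constructed assumptions.
"""
from statistics import mean, pstdev

# Constructed history: (interval, src_ip, dst_ip, bytes_out)
BASELINE_FLOWS = [
    (0, "10.0.1.10", "10.0.2.5", 12000), (0, "10.0.1.10", "10.0.2.6", 9000),
    (1, "10.0.1.10", "10.0.2.5", 11000), (1, "10.0.1.10", "10.0.2.6", 10000),
    (2, "10.0.1.10", "10.0.2.5", 13000), (2, "10.0.1.10", "10.0.2.6", 8000),
    (3, "10.0.1.10", "10.0.2.5", 12500), (3, "10.0.1.10", "10.0.2.6", 9500),
]
# Constructed observation window: the same host suddenly makes many short
# connections to an address it never talked to before.
NEW_FLOWS = [(4, "10.0.1.10", "10.0.2.5", 12000)] + \
            [(4, "10.0.1.10", "203.0.113.7", 300) for _ in range(20)]

Z_THRESHOLD = 3.0   # assumption: flag when count exceeds mean + 3 sigma


def build_baseline(flows):
    """Per source host: mean/stddev of connections per interval and known peers."""
    per_interval, peers = {}, {}
    for interval, src, dst, _ in flows:
        per_interval.setdefault(src, {}).setdefault(interval, 0)
        per_interval[src][interval] += 1
        peers.setdefault(src, set()).add(dst)
    baseline = {}
    for src, counts in per_interval.items():
        values = list(counts.values())
        baseline[src] = {"mean": mean(values), "std": pstdev(values), "peers": peers[src]}
    return baseline


def detect_anomalies(flows, baseline):
    """Return alert tuples (src, kind, detail) for the observed flows."""
    alerts, counts, new_peers = [], {}, {}
    for interval, src, dst, _ in flows:
        counts.setdefault(src, {}).setdefault(interval, 0)
        counts[src][interval] += 1
        if dst not in baseline.get(src, {}).get("peers", set()):
            new_peers.setdefault(src, set()).add(dst)
    for src, per_int in counts.items():
        b = baseline.get(src)
        for interval, n in per_int.items():
            if b is None:
                alerts.append((src, "no-baseline", f"interval {interval}: {n} connections"))
                continue
            # With a flat baseline (std 0) any count above the mean is flagged.
            limit = b["mean"] + Z_THRESHOLD * b["std"]
            if n > limit:
                alerts.append((src, "volume",
                               f"interval {interval}: {n} connections, limit {limit:.1f}"))
    for src, dsts in new_peers.items():
        for dst in sorted(dsts):
            alerts.append((src, "new-peer", dst))
    return alerts


if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS)
    for alert in detect_anomalies(NEW_FLOWS, base):
        print(alert)
```

Two alert kinds come out of the constructed window: a volume alert for the interval with 21 connections against a baseline of 2, and a new-peer alert for 203.0.113.7. A host with no baseline at all is reported separately rather than silently compared against zero, which is the case an analyst most often needs to notice when a new system appears.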
Intelligent Automation
Automation is a critical emerging requirement for security systems of all types. The number of incidents, the complexity of networks, and the increasing criticality of compliance and standards initiatives all demand an NGIPS to respond to events in real-time. Along with speeding response, intelligent automation can reduce costs, ensure a consistent response to events, and enable strained security staffs to focus their attention on only the most crucial and challenging problems.
The Sourcefire NGIPS delivers multiple automation capabilities.
Automated IPS Tuning
Multiple independent tests and the experience of countless security organizations have conclusively demonstrated that tuning intrusion detection and prevention rule sets is a critical activity for the most accurate results. But the typical tuning process requires the review of groups of rules (or, worse, even thousands of individual rules) to ensure that appropriate protections are in place. It's time consuming and represents a significant risk to network integrity if not performed promptly and accurately.
Sourcefire NGIPS uniquely eliminates the challenges of tuning by reliably automating the process. Since the Sourcefire NGIPS knows what operating systems and services are running on a network, it can automatically recommend the activation of only those rules relevant to the environment. Automated tuning helps eliminate unneeded checks as well, dropping rules that protect against attacks against nonexistent systems. With this automation, the Sourcefire NGIPS precisely balances sensor resources and performance. Importantly, Sourcefire NGIPS can implement its rule recommendations either automatically or after human review and approval.
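The recommendation logic described above, as an added example that is not Sourcefire code: each rule carries metadata naming the platform and service it protects, the discovered host list says what actually runs on the network, and the recommender proposes enabling rules with a matching host and disabling rules that protect nothing present. The rule ids, messages, metadata fields and host records are constructed; a real rule set would need its metadata mapped from the vendor's own classification.

```python
"""Automated IPS tuning (added example, not Sourcefire code).

Recommends enabling rules that protect platforms and services actually
discovered on the network and disabling rules that only protect systems
that do not exist. Recommendations are applied either automatically or
only for sids a reviewer approved. Rules, sids and hosts are constructed.
"""

# Constructed rule metadata: which OS family and service each rule protects.
SAMPLE_RULES = [
    {"sid": 900001, "msg": "SMB server exploit attempt (sample)",
     "os": {"windows"}, "service": "smb"},
    {"sid": 900002, "msg": "Apache module exploit attempt (sample)",
     "os": {"linux", "freebsd"}, "service": "http"},
    {"sid": 900003, "msg": "Solaris telnet login bypass (sample)",
     "os": {"solaris"}, "service": "telnet"},
    {"sid": 900004, "msg": "OpenSSH version probe (sample)",
     "os": {"linux", "freebsd"}, "service": "ssh"},
]

# Constructed passively discovered hosts.
DISCOVERED_HOSTS = [
    {"ip": "10.0.1.10", "os": "windows", "services": {"smb", "http"}},
    {"ip": "10.0.1.20", "os": "linux", "services": {"ssh"}},
]


def rule_applies(rule, hosts):
    """True if any host runs both the OS family and the service the rule protects."""
    return any(h["os"] in rule["os"] and rule["service"] in h["services"] for h in hosts)


def recommend(rules, hosts, enabled):
    """Map sid -> (action, reason); action is 'enable', 'disable' or 'keep'."""
    recs = {}
    for rule in rules:
        relevant = rule_applies(rule, hosts)
        if relevant and rule["sid"] not in enabled:
            recs[rule["sid"]] = ("enable", f"matching host found: {rule['msg']}")
        elif not relevant and rule["sid"] in enabled:
            platforms = "/".join(sorted(rule["os"]))
            recs[rule["sid"]] = ("disable", f"no host runs {platforms} {rule['service']}")
        else:
            recs[rule["sid"]] = ("keep", "already in recommended state")
    return recs


def apply_recommendations(recs, enabled, approved=None):
    """Return the new enabled set.

    approved=None applies every recommendation automatically; otherwise only
    sids listed in `approved` change state (human-review mode).
    """
    new = set(enabled)
    for sid, (action, _) in recs.items():
        if approved is not None and sid not in approved:
            continue
        if action == "enable":
            new.add(sid)
        elif action == "disable":
            new.discard(sid)
    return new


if __name__ == "__main__":
    currently_enabled = {900002, 900003}
    recs = recommend(SAMPLE_RULES, DISCOVERED_HOSTS, currently_enabled)
    for sid, (action, reason) in sorted(recs.items()):
        print(sid, action, "-", reason)
    print("automatic:", sorted(apply_recommendations(recs, currently_enabled)))
    print("reviewed:", sorted(apply_recommendations(recs, currently_enabled, approved={900001})))
```

Note that the Apache rule is disabled even though a host does serve HTTP, because that host runs Windows and the rule only protects Linux and FreeBSD; matching on both platform and service is what keeps the recommendation from enabling checks that can never fire. The review mode leaves everything untouched except the sids a person approved, which is the safer default for rules that drop traffic.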
Network Systems Management and Security System Integration
The typical organization, small or large, employs multiple management systems to deploy, monitor, and control information technology. Speedy, efficient responses to management issues routinely require the interaction of many of these systems. Sourcefire offers customers more ways to enable the integration and interoperation of the NGIPS with other IT management systems than any other vendor:
eStreamer API: Streams security and status events to security information and event management (SIEM) systems
Remediation API: Supports interaction with routers, NAC devices and more to quarantine a problem system
OPSEC: Offers capabilities similar to the Remediation API based on Check Point Software's Open Platform for Security, a proprietary SDK
SYSLOG: Captures specific system log messages to forward to another system, sometimes used as a less comprehensive means of integration to SIEMs
SNMP Traps: Alerts generated by way of the Simple Network Management Protocol (SNMP), the lingua franca of network and systems management solutions
Host Input API: Obtains endpoint and vulnerability intelligence to augment data captured by Sourcefire NGIPS; this is the basis for the Sourcefire QualysGuard integration offering
NetFlow: Provides access to routing and switch data flows from Cisco systems, used to support network behavioral detection processes
LDAP: Access to Lightweight Directory Access Protocol-based directories, an (often open source) alternative to Microsoft's Active Directory
Compliance Reporting and Assessment
Maintaining and demonstrating compliance with governmental, industry group, and corporate audit standards is a time-consuming task. Sourcefire NGIPS automates this process using multiple approaches.
Policy Enforcement: NGIPS enforces an organization's defined policies, considering attributes such as the network address, host information, user identity, device type, application or service, and more. Violations of these policy mandates can be addressed by the generation of alerts prompting further investigation, or more active enforcement such as quarantining a device.²
Whitelists: To speed the implementation of policy management programs, Sourcefire NGIPS is capable of evaluating the current condition (existing hosts, services, etc.) of the network and establishing that state as a baseline, known as a compliance whitelist. Future changes from the approved whitelist prompt alerts or other responses as appropriate.
Compliance Reports: Customizable compliance reports reveal information regarding the number of network resources and/or users that are in compliance with mandates. By tracking these metrics, the security team can demonstrate progress towards achieving goals and prove compliance to auditors and regulators.
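The whitelist and reporting items above describe one loop: capture the approved state, compare later observations against it, and count how many hosts are still in compliance. The following is an added example that is not Sourcefire code; the two network snapshots, the alert severities and the compliance metric are constructed assumptions.

```python
"""Compliance whitelist and compliance metric (added example, not Sourcefire code).

Captures the current hosts and services as an approved baseline, reports
deviations in a later snapshot, and computes the share of observed hosts
that still match the whitelist. Snapshots and severities are constructed.
"""

# Constructed snapshots: ip -> set of services observed on the host.
APPROVED_SNAPSHOT = {
    "10.0.1.10": {"http", "smb"},
    "10.0.1.20": {"ssh"},
}
LATER_SNAPSHOT = {
    "10.0.1.10": {"http", "smb", "ftp"},   # new service on a known host
    "10.0.1.20": set(),                    # approved service no longer seen
    "10.0.1.30": {"http"},                 # host never seen before
}


def build_whitelist(snapshot):
    """Freeze the approved state so later evaluations compare against a fixed baseline."""
    return {ip: frozenset(svcs) for ip, svcs in snapshot.items()}


def evaluate(whitelist, snapshot):
    """Return sorted alert tuples (severity, ip, detail) for deviations from the whitelist."""
    alerts = []
    for ip, svcs in snapshot.items():
        if ip not in whitelist:
            alerts.append(("high", ip, "host not in whitelist"))
            continue
        for svc in sorted(svcs - whitelist[ip]):
            alerts.append(("medium", ip, f"unapproved service {svc}"))
        for svc in sorted(whitelist[ip] - svcs):
            alerts.append(("info", ip, f"approved service {svc} no longer observed"))
    for ip in whitelist:
        if ip not in snapshot:
            alerts.append(("info", ip, "whitelisted host not observed"))
    return sorted(alerts)


def compliance_rate(whitelist, snapshot):
    """Fraction of observed hosts with no high or medium finding (constructed metric)."""
    if not snapshot:
        return 1.0
    flagged = {ip for sev, ip, _ in evaluate(whitelist, snapshot) if sev in ("high", "medium")}
    return 1 - len(flagged) / len(snapshot)


if __name__ == "__main__":
    wl = build_whitelist(APPROVED_SNAPSHOT)
    for alert in evaluate(wl, LATER_SNAPSHOT):
        print(alert)
    print(f"compliance rate: {compliance_rate(wl, LATER_SNAPSHOT):.0%}")
```

Unknown hosts and unapproved services are the findings that count against compliance; a service that disappears is reported at informational level so that decommissioning is visible without lowering the metric. Because the whitelist is frozen at capture time, an approved change must be made by re-baselining deliberately rather than by the evaluation quietly learning the new state.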
Remediation
Once Sourcefire NGIPS has identified an out-of-compliance system, it's necessary for the security team to respond and resolve the issue. Manually responding to the myriad of these issues in the typical network can cause a significant drain on staff. Users can automate many of these activities using the Remediation and OPSEC APIs supported by Sourcefire NGIPS. The APIs are highly flexible and support a range of possible responses. Examples include:
Network Quarantine: Instruct network switches or routers to remove a device from the network, or constrain network access
Vulnerability Assessment: Check the security stance of unknown or suspect devices by directing a vulnerability scanning system to conduct an examination
Patch: Correct missing patches by submitting a system for automated updates through a patch management system
Workflows and Incident Response
Sourcefire NGIPS provides highly customizable, yet easy-to-use workflows for investigating security events. Workflows enable a consistent, standardized response to events and provide access to the information and tools needed to expedite their evaluation and resolution. Three types of workflow are supported:
Predefined: Sourcefire-created workflows, applicable to a broad range of organizations and incident types
Saved Custom: Modified versions of predefined workflows that have been altered to meet an organization's or team's unique requirements
Custom: From-scratch workflow definitions created to address specific requirements
Content Awareness
The ability to detect threats is by far the most important aspect of any network IPS device. But today's threats are constantly evolving and more sophisticated than ever. Network security vendors must raise the bar by not only detecting more traditional threats (e.g., worms, Trojans, spyware, buffer overflows, denial-of-service attacks), but also threats embedded in content, such as Adobe PDFs and Microsoft Office files. Sourcefire leads the industry in preventing threats embedded in content within its NGIPS solution and its comprehensive Snort rules library.
Agile Engine
We are famously advised to trust, but verify. That axiom carries even more weight in the security community, where trust is a fundamental requirement. But even within the context of a trusted relationship, the ability to examine detection approaches and threat detection rules to understand exactly what's being inspected is a crucial requirement.
Open systems and rules can be easily extended when default protections don't address unique security requirements. Open systems are easier to evaluate. Understanding and documenting detection capabilities may be necessary to demonstrate protection against an attack. Regardless of the motivation, open architectures enable the ready evaluation, validation, and customization of security protections. It's surprising, then, that so many vendors force customers into a closed, black box architecture that in some cases can't even be customized. We're asked to trust, but are given no means to verify.
Since the original release of the Snort open source intrusion detection system, Sourcefire has championed an open architecture. This philosophy is one of the reasons the Snort detection engine, the basis for the commercial Sourcefire NGIPS offering, has become the most widely deployed intrusion prevention technology in the world. The Snort rule format, in the process, has become the de facto standard for the industry.
Sourcefire NGIPS satisfies requirements for an agile engine in the following ways.
Default Detection Policies
Sourcefire offers the industry's most accurate default detection rates, according to independent tests performed by NSS Labs. Sourcefire offers three default detection policy options reflecting differing security needs to reduce configuration effort and shorten overall deployment time:
Security over Connectivity: For cases where the integrity of network infrastructure supersedes user convenience, this is the highest level of default security with the largest number of protections and checks enabled.
Connectivity over Security: Recommended when accessibility to resources and applications by individuals is the highest priority, this is the least restrictive option.
Balanced Security and Connectivity: This option provides an optimal solution for the organization with typical security needs.
Custom Configurations
Along with these basic configurations, our open architecture provides opportunities to customize and refine both detection activities and overall policies to accommodate unique requirements. For example, users can divide Sourcefire rules into different categories, including those based on platforms, applications, services, specific threats, and many others. Users can also view, enable, or disable individual rules or groups of rules based on these categories. This makes it simple to modify default rule sets to reflect organizational needs.
The Sourcefire Defense Center also supports a hierarchical approach for implementing policies. With Policy Layering, administrators supplement Sourcefire-defined policy layers with their own custom layers. For example, broad security policies might be defined in a company-wide layer, while more specific limits would be placed in a site-specific layer. Higher-level policies take precedence over settings in lower policy layers. This is helpful for larger organizations with complex and/or extensive deployments because it reduces the effort required to implement policy changes across a large population of sensors.
Users can customize and modify individual rules in the Sourcefire NGIPS precisely to deliver needed detection and protection. Sourcefire NGIPS is based on the Snort rule format, the most widely used network intrusion rule format in the industry. As a result, the majority of Sourcefire-provided rules are completely customizable. Any customer can also create his or her own rules as needed, using a built-in Rule Editor.
Information Capture and Interpretation
Information capture was the first, and remains a critical, purpose of the intrusion prevention system. Sourcefire provides multiple event viewing and reporting facilities. Sourcefire NGIPS remains one of the few systems on the market capable of efficiently capturing network packets associated with attacks. Unlike competitive offerings that require the use of standalone tools for examining packets, the Sourcefire NGIPS provides detailed displays for inspecting attacks directly within the management system.
Regardless of the built-in capabilities of an NGIPS's reporting system, people often find it useful to transport alert data to another system for specialized processing, analysis, or reporting. For that reason, Sourcefire supports direct access to the underlying Defense Center database by third-party reporting tools.
Virtual Environments
As organizations embrace options for virtualization and cloud computing, new types of threats emerge and existing threats may change with the new environment. Sourcefire was the first and remains the only vendor to deliver a complete virtual network security solution, fully interoperable and compatible with its physical offerings. The following are available on VMware, Xen