Sourcefire makes IDSes more flexible

Founder and CTO Martin Roesch talks about the state of security in the industry

IDSes (intrusion detection systems) are probably one of the hottest segments of the overall security market these days. For many companies, the best tool is an open-source offering from Sourcefire called Snort. Now the company is delivering a commercial IDS based on Snort. In an interview with InfoWorld Editor in Chief Michael Vizard and Test Center Director Steve Gillmor, Sourcefire founder and CTO Martin Roesch, who was the driving force behind the creation of Snort, talks about the state of security in the industry as a whole and the opportunities that are available.

InfoWorld: What is Snort?

Roesch: Snort is an excellent sensor technology and it does a very good job at actually doing the basic job of intrusion detection, which is picking up the intruders and providing information about them. But there’s actually a lot of other infrastructure that you need to wrap around an IDS in order to use it effectively, especially in large settings. What we did is [we] decided to deploy the product on an appliance instead of deploying it as software. And we actually did this for a couple of reasons. This allowed us to simplify the support aspects [as a] startup company, because Snort itself runs on something like 30 platforms and I don’t want to support anything on 30 platforms in a startup environment. That also gives us more control over the configuration of the system, which lets us tweak the software to give us optimal performance.

InfoWorld: What do you provide in terms of adding value to Snort?

Roesch: We built Web-based GUIs to make the software easier to use and more manageable. And we provide systems to let you manage the policy on the sensor, we provide high-performance data analysis tools so that you can actually do the other hard problem of intrusion detection, which is managing all the data that comes out of [the systems] effectively. Those are all the big things that we put in [Snort]. We made it manageable, we put it on an appliance, and made it easy to use and made it easy to deploy.

InfoWorld: How does Snort compare with rival commercial IDS offerings?

Roesch: Certainly the price point is attractive. But it turns out that the performance and capabilities of Snort are on par with the best commercial systems that are out there. And Snort tends to be more flexible and more extensible than the commercial systems that are out there. People started using Snort and they realized they could do everything that they could do with their commercial IDSes on the one hand. And on the other hand, they realized that it was less expensive than the commercial IDSes. Then they realized that they could actually shape it to their network because it was so flexible. It has a rules language that lets you essentially shape the functionality of the sensor technology to your network instead of kind of the converse of that, which is the intrusion detection technology works one way and you have to do intrusion detection that way. It really came at intrusion detection [at] a different angle, and I think many people feel it’s a superior way of doing it. It gives the user a great set of defaults and then lets the user shape it to their network, as opposed to just kind of having this top-down approach of telling people how they’re going to do intrusion detection. A lot of the major commercial intrusion detection systems allow you no flexibility whatsoever with how you actually implement the technology.

InfoWorld: How should people be thinking when it comes to taking all these security point products and linking them together to create some kind of solution?

Roesch: The fabric that ties it all together these days is now being called the Enterprise Security Management product. Point products are OK when they’re best of breed, but the problem is without the interoperability and without the ability to share data, it really limits their usefulness in large-scale implementations. What we’re kind of doing here at Sourcefire is trying to provide the best of both worlds, where we provide the manageability and scalability through building high-performance management systems, and we also provide best-of-breed sensor technology.

InfoWorld: We still seem to have security breaches, so is it really impossible to create the silver bullet solution to security woes?

Roesch: I would debate that it’s impossible to build a silver bullet. There’s a lot of misunderstanding about how intrusion detection works and how to effectively deploy it. There are a lot of people [who] get in an IDS and just run it with the default configuration without taking the time to actually mold it to their network. It basically boils down to a time and knowledge equation. People who are willing to dedicate the time and the resources that they need to do the job properly usually do a very good job at securing the network. And the ones who don’t are the ones [you hear about in] the newspapers.

InfoWorld: Are we ever really going to get to the point where we have truly trusted systems?

Roesch: I don’t think that we’re going to get there in the near future. Eventually, someday, I think we will, but I think there are always going to be ways around those mechanisms. If you allow people onto your systems and the systems don’t have protections built into the hardware itself that are effective and can’t be circumvented by the software, then there are always going to be problems. And software can always be broken, one way or another. I saw something to the effect that somebody at Microsoft was saying that in five or 10 years, all the security companies are going to disappear because everything is going to be so secure. I really got a chuckle from that because it’s just ridiculous. Between legacy systems and the fact that Microsoft and other operating systems vendors and applications vendors can’t seem to engineer even simple, secure systems effectively, I don’t think we need to worry about being out of work any time soon.

InfoWorld: Why are most security products so difficult to master and usually beyond the ken of the average network manager?

Roesch: This is going to be kind of an oxymoronic statement, but for a command-line-driven tool, Snort’s actually pretty easy to run. We had the same sort of concept when we built our appliances. One of the tenets that I always used when I was designing and building Snort was that users should be able to download this thing and get it up and running and have it doing its basic job in 5 minutes or less. We have the exact same expectation for our sensors. If the user can’t get this thing up and running and see that it’s working in 10 minutes or less, it lessens the user experience. If we can’t make this thing easy enough to install and get up and running in 10 minutes, then something is drastically wrong. We’ve taken that to heart and we’ve actually implemented a system where you can get it running that fast.

InfoWorld: What’s the latest, most pressing security challenge?

Roesch: You now have mobile code with all types of objects that are floating around out there. So now you’ve got these automated attackers that seek out and attack anybody who puts out a vulnerable server on the network. It’s pretty bad. The hacker tools are getting a lot better and they’re getting much more automated. We’ve seen a real rise in the advent of these auto-attack systems that seek out and attack in an automated fashion and will exploit vulnerable systems that they find out there on the Net. So the time between when an attack gets discovered and when some sort of exploit becomes widespread is getting a lot shorter.

InfoWorld: What challenges do wireless networks present?

Roesch: Wireless is really interesting because you really get into the concept of extending the borders of your network outside the physical walls of your office. It really kind of changes the whole foundation of security. I think effective [wireless] security mechanisms are going to be put in place in pretty short order. Probably in the next year or so you’re going to see some kind of best practices come out for how to deploy wireless in the network and not completely expose yourself. In the intrusion detection world, I think we’re going to see some really interesting developments there as well because it really presents some interesting opportunities. Wireless right now is kind of like the wild, Wild West. It’s very wide open at this point for any security company that wants to get in there.

InfoWorld: What impact will Web services have on security?

Roesch: It presents challenges to our capacity to analyze the traffic. The opportunity that it presents is that you’ve got all these protocols that are designed to circumvent security and they’re going to produce giant security problems probably over the next five years, which will keep us busy and well fed for the foreseeable future. You kind of groan and grin at the same time. You groan because it’s such a bad idea, but you grin because you’ve got some job security there.

InfoWorld: How do you maintain an effective partnership with the open-source community as a provider of commercial software?

Roesch: You’ve just got to be honest with the user community. We refer to it here as separation of church and state. You’ve got to be true to the user community and you’ve got to manage their expectations and just be up front with them. And you’ve got to find ways to leverage what they can help you do to make your business more successful. The concept here is that Snort itself will always be free. We don’t sell Snort, we sell everything else. Snort happens to be on our boxes, but we’re selling all the other stuff that you actually need to deploy it in an enterprise setting effectively. We still develop Snort as an open-source system. All the improvements that we put into [Snort] go back to the user community, so they can see real value in having a commercial entity associated with it. I think that we’ve got a pretty effective mechanism for working with the community and maintaining it so that we don’t alienate anybody.

InfoWorld: Where do IDS offerings and other security technologies such as anti-virus software come together?

Roesch: Where they eventually come together is where you start seeing these inline intrusion detection technologies. A passive IDS that’s sitting on the network isn’t going to be able to help you out very much, other than to identify that you’ve been hit by some worm or you’ve been hit by some virus, and you should be aware of that. An IDS is something that actually sits on the wire and has an active access control point and you have a chance of potentially intercepting an activity. I think that it’s probably best done by the anti-virus guys and by the filtering mail gateways. I don’t see where the IDS needs to be a critical part of the anti-virus infrastructure. But if it’s going to happen, it will happen in the inline system. There’s an equivalent of Snort called Hogwash that is an inline IDS built on top of Snort. There are things out there that can do the job, but I think the job is done better by dedicated organizations just because the problem space is so large.

InfoWorld: So where does Sourcefire go from here?

Roesch: We are building sensor technology on top of Snort right now, which is a perfect place for us to start. Snort is the most widely deployed intrusion detection technology on the planet, and you couldn’t ask for a better starting foundation. We have a two-year product development road map right now that takes us through a variety of different sensoring and management technologies that will allow people to have an integrated network sensor capability that gives them a lot more information than they can get from just having point products tied together with some sort of ESM system. Ultimately, that’s where we’re headed.

Source: www.infoworld.com