Sniffing for sneaks
SourceFire speeds installation, but setup and tuning take sweet time
See correction below
ONE OF THE major problems with incorporating intrusion detection is that it’s a complex, difficult process. Even if you’re using an open-source product such as Snort ( ), implementation is neither trivial nor inexpensive. Worse, using an IDS (intrusion detection system) effectively requires training and skill that aren’t always easy to come by. Your staff must know everything there is to know about your network — including the devices that are attached, the kind of traffic they produce, the types of requests they generate, and the information they need.
SourceFire’s Network Sensor 3000 is an attempt to solve at least some of the problems involved with making an intrusion detection system part of your enterprise. The Network Sensor 3000 is a 1U appliance running BSD Unix and Snort. Everything comes pre-installed, so all you have to do is perform some initial configuration and connect the appliance to your network.
Once connected, the NS 3000 will start reading traffic, inspecting packet headers and payloads, and reporting on any traffic that might be considered a threat. Your job is to configure Snort so it only reports on real threats and not on all the routine traffic that passes across your network during the course of the day. To help with this, the copy of Snort that comes with the NS 3000 includes a number of pre-configured rules and an interface that automates the process of implementing them.
Although the NS 3000 isn’t particularly hard to use, it’s not exactly intuitive, either. Some actions take multiple steps to configure where there should be only a single step. So it’s not as easy to use as it might be, and you’ll need to assign some highly skilled staff members to operate Snort and the SourceFire software. In addition, getting the software running well enough to be really useful will take some time and training.
When we received the NS 3000 for testing, our initial installation used only one of the appliance’s two Ethernet ports. This configuration was chosen by the company’s sales engineer (SourceFire sends an engineer to do the initial configuration and installation), and in our case it turned out not to be an appropriate choice. To be fully functional, the NS 3000 needs one Ethernet port available to read traffic and another to report back what it finds. It can make do with one, but some functions, such as reverse IP lookups, won’t work.
Unfortunately, one of the Ethernet ports didn’t work. After a long tech-support call, in which the initial assumption was that the link light was defective, we were sent a replacement appliance. After we received the second device, we discovered that you can install both Ethernet ports on the same Ethernet segment, as long as one of them is in stealth mode, something not revealed before. We also found that you can use both ports in their normal mode as long as they’re on separate segments.
Once you have the IP addresses set, you can manage the NS 3000 from anywhere on your network using an HTTPS connection. The built-in Web-based manager is very complete and very flexible, but it’s not as easy to use as it should be. For example, when you’re scrolling through long lists of threat alerts, once you’ve reached the bottom you must scroll back to the top before you can navigate elsewhere.
SourceFire in action
Once running, the NS 3000 will track a wide array of potential threats. But note the use of the word “potential.” In its default state, the appliance does not know the difference between a UPS pinging its gateway and somebody carrying out a ping attack. Fortunately, it’s easy to tell the software when it doesn’t need to issue an alert, but doing this requires knowing what devices own the IP addresses listed in the attack warning, and being able to distinguish between normal behavior and a threat. This knowledge requires significant expertise and experience with your network.
On the other hand, Snort and the NS 3000 can track a wide range of activity. For example, it can tell you about instant message traffic on your network, including the IP address of the sender, where the IM traffic is going, and, if you wish, what’s being said.
However, when we were testing, the unit wasn’t able to identify AIM (AOL Instant Messenger) traffic because AOL had made some changes to the behavior of AIM. It’s not unusual for AOL to make such changes, but the fact that SourceFire was unaware of this problem and wasn’t immediately able to fix it concerned us. Fortunately, thanks to open-source Snort, its flexible rules engine, and its active community of supporters, with the help of one of SourceFire’s engineers we were able to track down the information we needed to create a new set of rules for flagging AIM traffic.
If you have a bigger network than one NS 3000 can handle, SourceFire sells an OpenSnort Management Console, which we did not test. The management console allows you to centrally manage multiple SourceFire appliances, whereas the NS 3000’s Web page can manage only one device.
Given a skilled administrator and plenty of time to tune the software, the NS 3000 can play a major role in securing your network. But it takes constant management, training, and monitoring to make sure that the appliance is being used properly and that its detection rules are kept up-to-date to guard against the latest threats. Furthermore, SourceFire seems to be somewhat overwhelmed by the task of keeping current, meaning that you will depend on the Snort community more than you might wish.
Overall, the SourceFire NS 3000 is an effective way to implement intrusion detection on your network. But there are other choices, including installing a copy of the free Snort software on your own hardware. If you already have the skill to run Snort on the NS 3000, you probably have the skill to do it yourself. Then the question becomes whether it’s worth nearly $10,000 to ease that part of the implementation.
Correction
In this article, we misreported the names of the product reviewed and its management console. The product is the Sourcefire NS 2000 and the console is the Sourcefire Management Console.