Intrusion Detection Systems:
Sourcefire

Sourcefire's enterprise threat management solution, based on the open source Snort IDS, continues to add functionality, from support for virtualization to real time user awareness.

by Jeff Goldman
[December 31, 2008]

Marty Roesch developed the open source intrusion detection system Snort back in 1998. Three years later, Roesch launched a company, Sourcefire, Inc., to offer a commercial version. "If you think of a car, the engine itself is Snort; the whole car is Sourcefire," says Michele Perry, the company's chief marketing officer.

Sourcefire is now a public company (NASDAQ: FIRE). It recently acquired the open source antivirus project ClamAV. Perry says Snort also continues to thrive, thanks to its flexibility and its uniquely attractive price: free. "Snort itself has had over three million downloads, with 210,000 active, registered users," she says.

But in terms of real innovation, Perry says, the focus is now on Sourcefire.

Sourcefire
9770 Patuxent Woods Drive
Columbia MD, 21046
Sales: (800) 501-6008

In late 2003, Roesch (who now serves as Sourcefire's CTO) developed an additional product called RNA, for Real-time Network Awareness, which adds intelligence to the Sourcefire system, eliminating unnecessary alerts for, say, a Linux attack on a Windows box. "By adding that intelligence, we were able to cut the noise in the system and reduce the number of alerts by over 90 percent," Perry says. For service providers in particular, Perry says, that can be a key selling point. "If folks are outsourcing this to you and you're having to staff this, wouldn't you like to know that it's very clear for your staff to be able to see which are the real alerts they need to let the customer know about?" she asks. "It cuts down the costs there a lot."

As an example, Perry says, Sourcefire had a customer who complained that RNA was telling them to turn on Silicon Graphics rules, when they didn't have Silicon Graphics on their network. "Well, they're a healthcare provider, and guess what MRI machines use: they use the basic Silicon Graphics OS. RNA knew that better than they knew their own network, and told them to turn it on," she says.

VRT and pricing
Sourcefire's VRT (Vulnerability Research Team) provides regular updates to the Snort rules in response to new threats. "Those are available both to the open source community and to the Sourcefire customers," Perry says. "If you're in the open source community and you want them immediately, you pay a small fee… if you can wait 30 days to get those rules, then you don't have to pay at all." Sourcefire's sensors are priced based on the line speed they're protecting, with prices ranging from a low of $3,995 to as high as $250,000. The sensors, Perry says, then feed into the Sourcefire Defense Center for management and reporting, which ranges in price from $8,995 to $34,995. A yearly fee, ranging from 15 to 22 percent of the purchase price, covers support as well as VRT updates. Still, Perry says that for many customers, purchasing Sourcefire is actually significantly cheaper than deploying Snort. "We have an ROI calculator that customers can work with, and if you have more than five Snort sensors, it's actually more cost effective to use the commercial offering, because of the manpower used," she says.

At the same time, Perry says a company that standardizes on another product and is unhappy with it will sometimes turn to Snort (rather than Sourcefire). "They'll throw up the Snort open source sensor in parallel so they can defend through that," she says. "That's one time when they might not have gotten approval to buy another product, so they'll run the free open source stuff."

Enterprise threat management
One of the key improvements in Sourcefire's latest release, Perry says, was the addition of a widget-based dashboard to the interface. Every customer, she says, wanted something different in the interface, so widgets seemed like the perfect answer. "You can decide which widgets are on your dashboard—what you want to see," she says. Another recent addition to the Sourcefire offering, Perry says, was RUA (Real-time User Awareness). "It lets you know who's at the machine that's being attacked or attacking, so you're able to start policing and forcing compliance in the network: if you see an attack and it's against the CEO's desktop, don't you think that's probably one of your number one priorities?" she says. Sourcefire, Perry says, has also started handling virtualization. "The product now supports not just physical servers but also virtual servers, so you know at all times exactly how many virtual servers are running on your network," she says. "It really helps in the whole VM sprawl issue that's concerning folks, where these virtual machines are being set up during lunch breaks."
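
The two ideas Perry describes, RNA-style suppression of alerts that cannot apply to the targeted host (including the "turn on the Silicon Graphics rules" recommendation) and RUA-style enrichment of the surviving alerts with the user at the machine, come down to joining IDS alerts against a host inventory. The following Python is an added illustration, not Sourcefire or Snort code: it parses a few constructed lines in Snort's fast alert format, applies a constructed host inventory and a made-up SID-to-target-OS map (real Snort rules carry no such field; it stands in for what a passive profiler plus rule metadata would supply), and reports what was suppressed, what was promoted, and which disabled rules match operating systems actually present on the network.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed Snort fast-format alert lines; SIDs 1000001-1000004 are made up.
SAMPLE_ALERTS = """\
12/31-10:15:02.123456  [**] [1:1000001:1] SMB RPC exploit attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.9:4455 -> 10.0.0.20:445
12/31-10:15:03.222333  [**] [1:1000001:1] SMB RPC exploit attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.9:4456 -> 10.0.0.30:445
12/31-10:15:05.000001  [**] [1:1000002:2] Linux kernel exploit attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.9:4457 -> 10.0.0.20:22
12/31-10:15:06.000002  [**] [1:1000002:2] Linux kernel exploit attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.9:4458 -> 10.0.0.30:22
12/31-10:15:07.000003  [**] [1:1000003:1] IRIX telnet exploit attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.9:4459 -> 10.0.0.40:23
12/31-10:15:08.000004  [**] [1:1000004:1] Port scan [**] [Classification: Attempted Information Leak] [Priority: 3] {TCP} 203.0.113.9:4460 -> 10.0.0.20:80
12/31-10:15:09.000005  [**] [1:1000002:2] Linux kernel exploit attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.9:4461 -> 10.0.0.99:22
"""

# One line of Snort's alert_fast output: timestamp, [gid:sid:rev], message,
# optional classification, priority, protocol, src[:port] -> dst[:port].
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]+)\] )?\[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>\S+?)(?::(?P<sport>\d+))? -> (?P<dst>\S+?)(?::(?P<dport>\d+))?$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    sid: int
    msg: str
    priority: int   # Snort convention: 1 is the most severe
    src: str
    dst: str


@dataclass(frozen=True)
class Host:
    os_family: str          # what a passive profiler fingerprinted on this address
    user: str = "unknown"   # who is at the machine (the RUA-style identity)
    is_vip: bool = False    # hosts whose compromise is always a top priority


# Constructed inventory; 10.0.0.99 is deliberately absent (never profiled).
INVENTORY: Dict[str, Host] = {
    "10.0.0.20": Host("windows", user="ceo", is_vip=True),
    "10.0.0.30": Host("linux", user="alice"),
    "10.0.0.40": Host("irix"),   # e.g. the MRI console from the article
}

# Hypothetical mapping from rule SID to the OS family the exploit can affect.
RULE_TARGET_OS: Dict[int, str] = {
    1000001: "windows",
    1000002: "linux",
    1000003: "irix",
    1000004: "any",
}


def parse_fast_alerts(text: str) -> List[Alert]:
    """Parse fast-format lines; lines that do not match are skipped, not guessed at."""
    alerts = []
    for line in text.splitlines():
        m = FAST_ALERT_RE.match(line)
        if m:
            alerts.append(Alert(m["ts"], int(m["sid"]), m["msg"], int(m["prio"]), m["src"], m["dst"]))
    return alerts


def triage(alerts: List[Alert], inventory: Dict[str, Host],
           rule_target_os: Dict[int, str]) -> Tuple[List[dict], List[Alert]]:
    """Drop alerts whose exploit cannot apply to the destination host; enrich the rest.

    Suppression happens only when the host is positively known and its OS family
    differs from the rule's target; an unprofiled host is never silently dropped.
    Alerts against VIP hosts are promoted to priority 1.
    """
    kept, suppressed = [], []
    for a in alerts:
        host = inventory.get(a.dst)
        target = rule_target_os.get(a.sid, "any")
        if host is not None and target != "any" and host.os_family != target:
            suppressed.append(a)
            continue
        priority = 1 if (host is not None and host.is_vip) else a.priority
        user = host.user if host is not None else "unknown"
        kept.append({"ts": a.ts, "sid": a.sid, "msg": a.msg, "dst": a.dst,
                     "user": user, "priority": priority})
    kept.sort(key=lambda k: k["priority"])   # stable: ties keep arrival order
    return kept, suppressed


def noise_reduction_pct(alerts: List[Alert], inventory: Dict[str, Host],
                        rule_target_os: Dict[int, str]) -> float:
    """Share of alerts removed by host-aware suppression, as a percentage."""
    if not alerts:
        return 0.0
    _, suppressed = triage(alerts, inventory, rule_target_os)
    return round(100.0 * len(suppressed) / len(alerts), 1)


def missing_rules(inventory: Dict[str, Host], rule_target_os: Dict[int, str],
                  enabled_sids: Set[int]) -> List[int]:
    """Disabled rules whose target OS is present on the network (the 'turn it on' recommendation)."""
    present = {h.os_family for h in inventory.values()}
    return sorted(sid for sid, os in rule_target_os.items()
                  if os in present and sid not in enabled_sids)


if __name__ == "__main__":
    alerts = parse_fast_alerts(SAMPLE_ALERTS)
    kept, suppressed = triage(alerts, INVENTORY, RULE_TARGET_OS)
    print(f"{len(alerts)} alerts, {len(suppressed)} suppressed "
          f"({noise_reduction_pct(alerts, INVENTORY, RULE_TARGET_OS)}% noise reduction)")
    for k in kept:
        print(f"P{k['priority']} {k['ts']} sid={k['sid']} {k['msg']} -> {k['dst']} (user: {k['user']})")
    print("rules to enable:", missing_rules(INVENTORY, RULE_TARGET_OS, {1000001, 1000002, 1000004}))
```

On the constructed data, the Windows exploit aimed at the Linux host and the Linux exploit aimed at the Windows host are suppressed, the low-priority port scan against the CEO's desktop is promoted to priority 1 with the user attached, the alert against the never-profiled 10.0.0.99 is kept because nothing is known about it, and the disabled IRIX rule is flagged because an IRIX host was fingerprinted. The design choice worth noting is the asymmetry: missing inventory knowledge widens what reaches the analyst rather than narrowing it.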

All of these developments, Perry notes, are proprietary to Sourcefire, making the commercial product a complete enterprise threat management solution, while Snort remains a straightforward IDS. "Everything we do in the engine itself goes into the open source as well as the commercial product, but we continue to add more and more value-added components in the commercial product," she says.
