sourcefire webinar - new generation ips
Post on 24-Apr-2015
Next-Generation Intrusion Detection & Prevention
Manuel Minzoni, Brand Manager
ITWAY VAD
Today’s Reality
Dynamic Threats
● Organized attackers
● Sophisticated threats
● Multiple attack vectors
Static Defenses
● Ineffective defenses
● Black box limits flexibility
● Set-and-forget doesn’t work
“Begin the transformation to context-aware and adaptive security infrastructure now as you replace legacy static security infrastructure.”
Source: Gartner, Inc., “The Future of Information Security is Context Aware and Adaptive,” May 14, 2010
Neil MacDonald, VP & Gartner Fellow
Company Overview & Performance
Sourcefire Worldwide Locations
● Worldwide HQ: Columbia, MD
● Education & Professional Services: Livonia, MI
● Americas Sales: Vienna, VA
● EMEA HQ: Wokingham, UK
● Southern Europe Sales: Paris, France
● Central Europe Sales: Frankfurt, Germany
● Asia Pacific HQ: Singapore
● Japan Sales: Tokyo, Japan
● ANZ Sales: Sydney, Australia
● South American Sales: Sao Paulo, Brazil
Firemen Principles
About Sourcefire
● Founded in 2001 by Snort Creator, Martin Roesch, CTO
● Headquarters: Columbia, MD
● Focus on enterprise and government customers
● Global Security Alliance ecosystem
● NASDAQ: FIRE
Mission: To be the leading provider of intelligent cybersecurity solutions for the enterprise.
Powered by Snort®
• Global standard for Intrusion Detection and Prevention
• World’s largest threat response community
• Interoperable with other security products
• Owned and controlled by Sourcefire, Inc.
• www.snort.org
Backed by the VRT™
“Best-in-Class” Threat Protection
● 150+ private & public threat feeds
● Snort & ClamAV community insight
● 20,000 malware samples per day
● Advanced Microsoft & industry disclosure
Sourcefire Vulnerability Research Team (VRT): Research & Analysis
Competitor Landscape
Gartner 2010 IPS Magic Quadrant
FACT: Sourcefire has been a leader in Gartner’s IPS Magic Quadrant since 2006.
The Magic Quadrant is copyrighted 6 December 2010 by Gartner, Inc. and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the "Leaders" quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Sourcefire Insights Versus McAfee
[Ability to execute] Larger channel & support infrastructure
[Completeness of vision] Broader product portfolio
“[McAfee] isn’t considered widely by enterprises and channel partners as a strong network security provider.” - Gartner 2010 IPS MQ Report
Key Sourcefire advantages:
✔ Open detection engine & rules
✔ Real-time impact assessment
✔ Automated IPS tuning
✔ Broad third-party integration
✔ Virtual IPS offerings
NSS Labs Group IPS Test: Block Rate Comparison
Source: Graphic used with permission by NSS Labs. “Network Intrusion Prevention Systems Comparative Test Results,” December 2009.
NSS Labs Group IPS Test: Resistance to Evasion
Juniper missed 60% of evasions
TippingPoint missed 80% of evasions
Cisco missed 100% of evasions
Source: Graphic used with permission by NSS Labs. “Network Intrusion Prevention Systems Comparative Test Results,” December 2009.
Second-Annual NSS Labs IPS Group Test
● About the Test
▸ Published December 2010
▸ 11 vendors evaluated
▸ 1,179 live exploits
▸ 75 anti-evasion test cases
▸ No cost to vendors to participate
● Sourcefire Test Results
▸ Recommend rating
▸ Best overall detection
▸ Best vulnerability coverage
▸ Best vendor-stated vs. actual performance
▸ No evasions
Best Overall Detection, Second Straight Year!
[Chart: overall detection rate by vendor. Sourcefire 98%; Vendors 2 through 11: 97%, 95%, 94%, 93%, 91%, 85%, 83%, 79%, 63%, 43%]
Graphic by Sourcefire, Inc. Source data from NSS Labs “Network IPS 2010 Comparative Test Results.”
Best Vulnerability Coverage, Second Straight Year!
[Chart: vulnerability coverage, Sourcefire vs. Vendors 2 through 11]
Best Vendor-Stated vs. Actual Performance, Second Straight Year!
[Chart: actual throughput as a percentage of vendor-stated throughput, against a 100% performance baseline. Sourcefire 3D4500: 161%; Products B through M: 115%, 113%, 100%, 81%, 49%, 40%, 39%, 35%, 20%, 17%, 3%, 3%]
Sourcefire’s 2G IPS achieved 3.2G for 161% of vendor-stated performance
Most IPS products achieved well below vendor-stated performance claims
Graphic by Sourcefire, Inc. Computations derived from NSS Labs “Network IPS 2010 Comparative Test Results.”
Anti-Evasion Testing
[Chart: anti-evasion test results, Sourcefire vs. Vendors 2 through 11]
IPS Solutions
Unique Solutions for Unique Markets
Sourcefire IPS Portfolio
Security Specialists (feature rich): NGIPS, IPS
Network Generalists (simplicity): IPSx
Sourcefire IPS Solutions Portfolio
Feature                        IPSx   IPS   NGIPS
IPS Detection & Blocking        ✓      ✓     ✓
Snort Rules & SEUs              ✓      ✓     ✓
Reports, Alerts & Dashboard     ✓      ✓     ✓
Policy Management               ✓      ✓     ✓
Advanced Policy Mgmt.                  ✓     ✓
Snort Rule Editing                     ✓     ✓
Custom Workflows & Tables              ✓     ✓
Impact Assessment                            ✓
Automated Tuning                             ✓
Host Profiles & Network Map                  ✓
Network Behavior Analysis                    ✓
Application Monitoring                       ✓
User Identity Tracking                       ✓
Target Markets
IPSx
● Target user: Network admin / IT generalist
● Typical deployments: Perimeter
● Key benefits: Ease of deployment; Simplified mgmt.; Satisfy compliance
● Purchase motivations: Value oriented; Set and forget; Regulatory compliance
IPS
● Target user: Security specialist
● Typical deployments: All
● Key benefits: Open architecture; Advanced policy mgmt.; Detailed events; Custom workflows
● Purchase motivations: Best-of-breed security; Granular, flexible policy; Event details / analysis
NGIPS
● Target user: Security specialist
● Typical deployments: All
● Key benefits: All IPS benefits, plus: Context aware; Impact assessment; Automated tuning; Network visibility; App monitoring; User identity tracking
● Purchase motivations: IPS motivations, plus: Automating key tasks; Network visibility; Rapid response
Solution Ingredients
Defense Center + 3D Sensors = IPS Solution
Defense Center + Awareness Bundle (Network, Application, Behavior, Identity) + 3D Sensors = NGIPS Solution
DC750x + IPSx Sensors = IPSx Solution
Appliances / 3D8000 Series
Introducing…
Sourcefire 3D8000 Series
“Speed Meets Flexibility”
3D8000 Series Performance
Model             3D8140    3D8250    3D8260
Throughput        10 Gbps   20 Gbps   40 Gbps
IPS Throughput    6 Gbps    10 Gbps   20 Gbps
3D8000 Series Product Line
All 3D8000 Series chassis support lights out management, solid state drives, redundant power, and an LCD interface.
Hardware Platform Sets New Standard for Security Appliances
● Modular
▸ Choose number and type of ports
▸ Lower entry prices
● Expandable
▸ Add ports as needed
● Scalable
▸ Add processing power as needed
SSL Appliance
SSL Blind Spots
Network and security appliances are blind to the contents of SSL-encrypted communications
Deployment Mode: Inbound SSL Inspection
[Diagram: a web browser (SSL client) on the Internet/WAN opens SSL Session 1 to a transparent SSL proxy; the proxy passes the decrypted traffic to the security stack (IPS/IDS/DLP/forensics/SIEM) for inspection and opens SSL Session 2 to the internal web servers (SSL servers). Proxy and security stack share common control/management. Legend: decrypted (inspected), non-SSL, SSL.]
Deployment Mode: Outbound SSL Inspection
[Diagram: an internal web browser (SSL client) opens SSL Session 1 to the transparent SSL proxy; the proxy passes the decrypted traffic to the security stack (IPS/IDS/DLP/forensics/SIEM) for inspection and opens SSL Session 2 across the Internet/WAN to the external web servers (SSL servers). Proxy and security stack share common control/management. Legend: decrypted (inspected), non-SSL, SSL.]
SSL Appliance Features and Benefits
● Inbound inspection: Greater protection for internal servers from SSL-based threats
● Outbound inspection: Prevents enterprise data leakage
● Transparent proxy: Minimizes disruption to network configuration; compatible with ALL security devices
● SSL policy enforcement: Detects invalid or unauthorized certificates; selectively inspects SSL traffic
● Fast path capability: Lower latency of sensitive traffic via cut-through
How It Works
Intelligent Correlation to the Target
[Diagram: 3D Sensors report to the Defense Center. Attack against the Linux server (not vulnerable): blocked, event logged. Attack against the Windows server (vulnerable): blocked, high-priority event.]
Attack Is Correlated to Targets
Latest Windows attack targets Microsoft Windows Server and Linux Server. Attacks are correlated to targets. High-priority event generated for Windows Server target.
Intelligent Anomaly Detection
[Diagram: 3D Sensors report to the Defense Center. New asset detected; abnormal behavior detected; abnormal behavior logged and alerts triggered; hosts compromised; IT remediates hosts.]
New rogue host connects internally. Sourcefire detects new host and abnormal server behavior. Defense Center triggers alerts for IT to remediate.
Intelligent Application Violation
[Diagram: 3D Sensors report to the Defense Center. P2P app triggers whitelist violation; compliance event logged and user identified; IT & HR contact user.]
Security team uses compliance whitelists to detect IT policy violations. Host detected using Skype. User identified and then contacted by IT and HR.
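The three "How It Works" scenarios above share one mechanism: an event from a sensor is joined against a passively built host map before anyone looks at it. The following is an added example, not Sourcefire code, that models that join in plain Python. The impact scale, the host map, the rule metadata and the whitelist are all constructed for illustration; the vendor's real impact-flag semantics are not on this page and are not claimed here.

```python
# Added example (not Sourcefire code): correlate IPS events to a host map,
# flag hosts never seen before, and check observed applications against a
# compliance whitelist. Every host, event and rule below is constructed.
from dataclasses import dataclass, field


@dataclass
class Host:
    ip: str
    os: str                      # as passively fingerprinted
    apps: set = field(default_factory=set)


@dataclass
class Event:
    sid: int                     # id of the rule that fired
    src: str
    dst: str
    affected_os: set             # platforms the rule's vulnerability applies to
    blocked: bool


# Constructed host map standing in for a passively discovered inventory.
HOST_MAP = {
    "10.0.0.5": Host("10.0.0.5", "Windows", {"http", "smb"}),
    "10.0.0.6": Host("10.0.0.6", "Linux", {"http", "ssh"}),
    "10.0.0.20": Host("10.0.0.20", "Windows", {"http", "skype"}),
}


def impact_level(ev: Event, hosts: dict) -> int:
    """Assumed 1..4 impact scale, lower is more urgent.
    1: target known and runs an OS the rule's vulnerability applies to
    2: target known, OS not affected (blocked, logged, low priority)
    3: target not in the host map (unknown asset)
    4: rule carries no target data, so relevance cannot be judged
    """
    host = hosts.get(ev.dst)
    if host is None:
        return 3
    if not ev.affected_os:
        return 4
    return 1 if host.os in ev.affected_os else 2


def prioritize(events, hosts):
    """Return (impact, event) pairs, most urgent first; ties keep input order."""
    return sorted(((impact_level(e, hosts), e) for e in events), key=lambda p: p[0])


def new_hosts(observed_ips, hosts):
    """IPs seen on the wire with no host-map entry: 'new asset detected'."""
    return sorted(ip for ip in set(observed_ips) if ip not in hosts)


def whitelist_violations(hosts, allowed_apps):
    """(ip, app) pairs where a host runs an application outside the whitelist."""
    return sorted((h.ip, app) for h in hosts.values() for app in h.apps - allowed_apps)


# Constructed sample: one Windows-targeting rule fires against three hosts.
EVENTS = [
    Event(1001, "203.0.113.9", "10.0.0.6", {"Windows"}, True),
    Event(1001, "203.0.113.9", "10.0.0.5", {"Windows"}, True),
    Event(1001, "203.0.113.9", "10.0.0.77", {"Windows"}, True),
]

if __name__ == "__main__":
    for impact, ev in prioritize(EVENTS, HOST_MAP):
        print(f"impact {impact}: sid {ev.sid} -> {ev.dst}")
    print("new hosts:", new_hosts([e.dst for e in EVENTS], HOST_MAP))
    print("violations:", whitelist_violations(HOST_MAP, {"http", "ssh", "smb"}))
```

The same alert is reported three times, but only the Windows host surfaces at impact 1; the Linux host is logged at impact 2 and the unmapped address becomes both an impact-3 event and a new-asset candidate, which is the behaviour the three slides describe.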
Sourcefire Products & Services
Next-Generation IPS
Defense Center Management Console
Intrusion Prevention
SSL Inspection
Virtualization
Awareness Technologies
Networks Apps Behavior Users
Virtual Appliances for VMware & Xen
● Sourcefire Virtual 3D Sensor™
▸ Identical IPS Sensor functionality
▸ Available throughputs: 5, 45, 100, 250 & 500 Mbps
● Sourcefire Virtual Defense Center Management Console
▸ Identical Defense Center functionality, except no Master Defense Center (MDC) mode
▸ Manages both physical and virtual IPS 3D Sensors
What is RNA?
● Sourcefire’s “Secret Sauce”
● Passive network intelligence
● Fuels powerful IPS automation:
▸ Impact Flags
▸ Automated IPS Tuning
▸ Compliance Rules & White Lists
▸ Network Behavior Analysis
● Detects hundreds of operating systems and applications
Real-Time User Awareness (RUA)
● RUA gives “personality” to security and compliance events!
● Clicking on a username reveals full name, telephone number, email, and department
● Resolve security events more quickly when time is of the essence
● Integrated into all Sourcefire 3D Sensors
“Mapping a username to an IP address was taking us away from a
backlog of other important tasks. What used to take up to an hour now takes just a second or two.”
Tamara Fisher, AutoTrader.com
Sample Sourcefire Detection
Applications, Operating Systems, Network Infrastructure, Consumer
Hundreds of Apps, OS’s & Devices!
Sourcefire Appliance Product Lines
Sourcefire Defense Center® (by performance): DC500, DC1000, DC3000
Sourcefire 3D® Sensor (by performance):
3D500: 5 Mbps
3D1000: 45 Mbps
3D2000: 100 Mbps
3D2100: 250 Mbps
3D2500: 500 Mbps
3D3500: 1 Gbps
3D4500: 2 Gbps
3D6500: 4 Gbps
3D9900: 10 Gbps
Sourcefire SSL Appliance
Virtual Appliances
3D System 4.10 Highlights
● Expanded Application & User Awareness
▸ Detect Facebook, Blackberry, Hotmail & more
▸ Nmap update detects 2,500+ operating systems
▸ Encrypted RUA communications
● Enhanced Deployment & Operation
▸ Inline IPS test mode
▸ Support for auth. SMTP gateways & web proxies
● Improved Third-Party Integration
▸ Direct database access for third-party reporting
▸ Support for SNMP polling
▸ Support for new Crossbeam products
● Improved Performance & Usability
▸ Improved GUI performance
▸ Track reviewed events by user
▸ Simpler installation of customer SSL certificates
Refer to the “What’s New in 3D System 4.10” document for more information
Customizable Dashboard
Comprehensive Ecosystem
● SIEM / Log Management
● Incident Management
● Systems Management
● Network Infrastructure
● Configuration Management
● Vulnerability Management
Sourcefire Services
● Customer Support
▻ 24x7 phone, email, and web support
▻ Advanced hardware replacement
● Training & Certification
▻ Public and on-site training
▻ Sourcefire & Snort certifications
● Professional Services
▻ Assistance with installation and optimization
▻ Knowledge transfer and best practices
“I can’t say enough about the guys from Support. The phone gets picked up the moment I call. They stick with an issue diligently and make sure I get what I need. No other company has given me that level of service.”
Robert Wagner, Senior Security Architect
Why Sourcefire?
● Powered by Snort
● Driven by Awareness
● Best-in-Class Detection
● Open Architecture
● Highly Automated
Stop Doing Things the “Old Way!” Try the “Next Generation” in Intrusion Detection & Prevention.
Questions & Next Steps