Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

9/15/2008
10:30 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Snort Turns 10, Sourcefire Goes Virtual

IDS/IPS vendor joins the ranks of VMWare partners, gears up for commercial rollout of next-generation Snort

Sourcefire is about to hit a couple of major milestones. First, its popular open-source Snort intrustion detection and prevention platform will celebrate its tenth birthday next month by unveiling a revamped code base and a new look that does more than intrusion detection and prevention.

Second, Sourcefire went virtual today at VMWorld in Las Vegas, announcing that its RNA network behavior analysis, network access control (NAC), and vulnerability management platform can now handle security for both physical and VMware-based virtual machines. According to reports, Sourcefire is also planning to roll out a virtual appliance version of RNA.

“It’s survival… Any IDS/IPS or firewall company will be pushing to make a virtual appliance version of their solutions for reasons quite obvious at this point” given the emergence of virtual environments, says Christofer Hoff, chief security architect for Unisys. One big problem with virtual environments is the lack of visibility into these environments, especially when it comes to detecting security issues, he says.

Just what Sourcefire's virtualization strategy with RNA ultimately means to Snort and IDS/IPS technology is unclear. The company says it’s just the first step in its plans for securing virtual environments.

“In the long run, behavior-based systems will likely take the place of signature-based systems, so from that perspective, you could say that this [announcement] reflects a change in network-based monitoring,” says Eric Maiwald, vice president and service director of security and risk management strategies for the Burton Group. But Maiwald says he doesn’t see the RNA announcement as part of any major evolution in IDS/IPS.

Some big changes are afoot for Snort, though: The core system framework of Snort 3.0, which is out in beta and due for commercial release early next year, was recently renamed SnortSP (Snort Security Platform) because it encompasses more than IDS. “Snort is not just IDS/IPS anymore,” says Marty Roesch, founder and CTO of Sourcefire. “It’s for building arbitrary network security operations.”

Roesch says he rewrote Snort’s code base in 3.0 from the ground up, looking for ways to make it faster and more scalable. He also looked at some of the problems of attackers evading IPSs: “I wanted to minimize the evadability of the system… by incorporating data bout the network we’re protecting into the Snort process itself… Now we teach Snort what the network looks like so it can defend itself accordingly. My end goal is a self-tuning protection engine.”

IPS technology is still Sourcefire’s bread and butter, says Thomas Ptacek, principal with Matasano Security. “I think Sourcefire has been pretty disciplined. When CheckPoint IPO'd, they differentiated into all sorts of crazy stuff -- performance management, antivirus, a bunch of half-hearted IPS attempts. SourceFire has the IPS and RNA,” Ptacek says. “Since RNA is the part that isn't open-source and can't be licensed by competitors, it’s where most of the ‘innovation’ goes.”

Intrusion detection and prevention technology suffers from the same shortcomings as traditional antivirus -- its reliance on signature-based detection that doesn’t see the new threats, only the known ones. Even so, you can’t have prevention without detection, according to Unisys’s Hoff. “IPS is part of a whole security architecture,” he says.

Burton’s Maiwald says behavior-based monitoring will eventually overtake signature-based IDS/IPS. “The the new features [in Snort 3.0] help with the basic weakness of signature-based monitoring, but they do not change the overall problem. In order for a signature to be created, something bad must be seen or found. Not every type of bad event fits this model."

Sourcefire today also announced that it has joined VMware’s Technology Alliance Partnership (TAP) and VMsafe Partner programs, so it will be able to deploy VMware’s VMsafe API and get that visibility into virtual machine operations in order to detect and remove malware, for instance.

Meanwhile, Richard Park, virtualization product manager for Sourcefire, says there are cases of virtual machines running without any anti-virus or anti-spyware. “It has really been the Wild West out there” in virtual environments, Park says. “This is really just about traditional security. Making sure the actual machines are secure… and that policies aren’t being violated.”

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

  • Burton Group
  • Matasano Security LLC
  • Sourcefire Inc. (Nasdaq: FIRE)
  • Unisys Corp. (NYSE: UIS)

    Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    Data Leak Week: Billions of Sensitive Files Exposed Online
    Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
    Intel Issues Fix for 'Plundervolt' SGX Flaw
    Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon
    Current Issue
    The Year in Security: 2019
    This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
    Flash Poll
    Rethinking Enterprise Data Defense
    Rethinking Enterprise Data Defense
    Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2019-5252
    PUBLISHED: 2019-12-14
    There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
    CVE-2019-5235
    PUBLISHED: 2019-12-14
    Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
    CVE-2019-5264
    PUBLISHED: 2019-12-13
    There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
    CVE-2019-5277
    PUBLISHED: 2019-12-13
    Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
    CVE-2019-5254
    PUBLISHED: 2019-12-13
    Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...