Snort Turns 10, Sourcefire Goes VirtualIDS/IPS vendor joins the ranks of VMWare partners, gears up for commercial rollout of next-generation Snort
Sourcefire is about to hit a couple of major milestones. First, its popular open-source Snort intrustion detection and prevention platform will celebrate its tenth birthday next month by unveiling a revamped code base and a new look that does more than intrusion detection and prevention.
Second, Sourcefire went virtual today at VMWorld in Las Vegas, announcing that its RNA network behavior analysis, network access control (NAC), and vulnerability management platform can now handle security for both physical and VMware-based virtual machines. According to reports, Sourcefire is also planning to roll out a virtual appliance version of RNA.
Any IDS/IPS or firewall company will be pushing to make a virtual appliance version of their solutions for reasons quite obvious at this point given the emergence of virtual environments, says Christofer Hoff, chief security architect for Unisys. One big problem with virtual environments is the lack of visibility into these environments, especially when it comes to detecting security issues, he says.
Just what Sourcefire's virtualization strategy with RNA ultimately means to Snort and IDS/IPS technology is unclear. The company says its just the first step in its plans for securing virtual environments.
In the long run, behavior-based systems will likely take the place of signature-based systems, so from that perspective, you could say that this [announcement] reflects a change in network-based monitoring, says Eric Maiwald, vice president and service director of security and risk management strategies for the Burton Group. But Maiwald says he doesnt see the RNA announcement as part of any major evolution in IDS/IPS.
Some big changes are afoot for Snort, though: The core system framework of Snort 3.0, which is out in beta and due for commercial release early next year, was recently renamed SnortSP (Snort Security Platform) because it encompasses more than IDS. Snort is not just IDS/IPS anymore, says Marty Roesch, founder and CTO of Sourcefire. Its for building arbitrary network security operations.
Roesch says he rewrote Snorts code base in 3.0 from the ground up, looking for ways to make it faster and more scalable. He also looked at some of the problems of attackers evading IPSs: I wanted to minimize the evadability of the system
by incorporating data bout the network were protecting into the Snort process itself
Now we teach Snort what the network looks like so it can defend itself accordingly. My end goal is a self-tuning protection engine.
IPS technology is still Sourcefires bread and butter, says Thomas Ptacek, principal with Matasano Security. I think Sourcefire has been pretty disciplined. When CheckPoint IPO'd, they differentiated into all sorts of crazy stuff -- performance management, antivirus, a bunch of half-hearted IPS attempts. SourceFire has the IPS and RNA, Ptacek says. Since RNA is the part that isn't open-source and can't be licensed by competitors, its where most of the innovation goes.
Intrusion detection and prevention technology suffers from the same shortcomings as traditional antivirus -- its reliance on signature-based detection that doesnt see the new threats, only the known ones. Even so, you cant have prevention without detection, according to Unisyss Hoff. IPS is part of a whole security architecture, he says.
Burtons Maiwald says behavior-based monitoring will eventually overtake signature-based IDS/IPS. The the new features [in Snort 3.0] help with the basic weakness of signature-based monitoring, but they do not change the overall problem. In order for a signature to be created, something bad must be seen or found. Not every type of bad event fits this model."
Sourcefire today also announced that it has joined VMwares Technology Alliance Partnership (TAP) and VMsafe Partner programs, so it will be able to deploy VMwares VMsafe API and get that visibility into virtual machine operations in order to detect and remove malware, for instance.
Meanwhile, Richard Park, virtualization product manager for Sourcefire, says there are cases of virtual machines running without any anti-virus or anti-spyware. It has really been the Wild West out there in virtual environments, Park says. This is really just about traditional security. Making sure the actual machines are secure
and that policies arent being violated.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.
Matasano Security LLC
Sourcefire Inc. (Nasdaq: FIRE)
Unisys Corp. (NYSE: UIS)
Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio