Sourcefire is about to hit a couple of major milestones. First, its popular open-source Snort intrusion detection and prevention platform will celebrate its tenth birthday next month by unveiling a revamped code base and a new look that does more than intrusion detection and prevention.
Second, Sourcefire went virtual today at VMWorld in Las Vegas, announcing that its RNA network behavior analysis, network access control (NAC), and vulnerability management platform can now handle security for both physical and VMware-based virtual machines. According to reports, Sourcefire is also planning to roll out a virtual appliance version of RNA.
"Any IDS/IPS or firewall company will be pushing to make a virtual appliance version of their solutions for reasons quite obvious at this point given the emergence of virtual environments," says Christofer Hoff, chief security architect for Unisys. One big problem with virtual environments is the lack of visibility into these environments, especially when it comes to detecting security issues, he says.
Just what Sourcefire's virtualization strategy with RNA ultimately means to Snort and IDS/IPS technology is unclear. The company says it's just the first step in its plans for securing virtual environments.
"In the long run, behavior-based systems will likely take the place of signature-based systems, so from that perspective, you could say that this [announcement] reflects a change in network-based monitoring," says Eric Maiwald, vice president and service director of security and risk management strategies for the Burton Group. But Maiwald says he doesn't see the RNA announcement as part of any major evolution in IDS/IPS.
Some big changes are afoot for Snort, though: The core system framework of Snort 3.0, which is out in beta and due for commercial release early next year, was recently renamed SnortSP (Snort Security Platform) because it encompasses more than IDS. "Snort is not just IDS/IPS anymore," says Marty Roesch, founder and CTO of Sourcefire. "It's for building arbitrary network security operations."
Roesch says he rewrote Snort's code base in 3.0 from the ground up, looking for ways to make it faster and more scalable. He also looked at some of the problems of attackers evading IPSs: "I wanted to minimize the evadability of the system by incorporating data about the network we're protecting into the Snort process itself. Now we teach Snort what the network looks like so it can defend itself accordingly. My end goal is a self-tuning protection engine."
IPS technology is still Sourcefire's bread and butter, says Thomas Ptacek, principal with Matasano Security. "I think Sourcefire has been pretty disciplined. When CheckPoint IPO'd, they differentiated into all sorts of crazy stuff -- performance management, antivirus, a bunch of half-hearted IPS attempts. Sourcefire has the IPS and RNA," Ptacek says. "Since RNA is the part that isn't open-source and can't be licensed by competitors, it's where most of the innovation goes."
Intrusion detection and prevention technology suffers from the same shortcomings as traditional antivirus -- its reliance on signature-based detection that doesn't see the new threats, only the known ones. Even so, you can't have prevention without detection, according to Unisys's Hoff. "IPS is part of a whole security architecture," he says.
Burton's Maiwald says behavior-based monitoring will eventually overtake signature-based IDS/IPS. "The new features [in Snort 3.0] help with the basic weakness of signature-based monitoring, but they do not change the overall problem. In order for a signature to be created, something bad must be seen or found. Not every type of bad event fits this model."
Sourcefire today also announced that it has joined VMware's Technology Alliance Partnership (TAP) and VMsafe Partner programs, so it will be able to deploy VMware's VMsafe API and get that visibility into virtual machine operations in order to detect and remove malware, for instance.
Meanwhile, Richard Park, virtualization product manager for Sourcefire, says there are cases of virtual machines running without any anti-virus or anti-spyware. "It has really been the Wild West out there in virtual environments," Park says. "This is really just about traditional security. Making sure the actual machines are secure and that policies aren't being violated."