Sourcefire 3D IPS1000

May 1, 2006

The Sourcefire box does allthe things an IPS shoulddo. It fits comfortably inthe category of an average IPS,although it must be rememberedthat the Sourcefire 3D Suiteincludes a ton of IDS, scanning,and vulnerability managementcapability which falls outside thecontext of this review. As an IPS,the box has no standout features,and nothing specifically separatesit from other IPSs.

With the management interfacegeared around the suite as a whole,narrowing down IPS functionalitywas difficult. There is no definedprocedure for setting policies ordetermining what types of policiesare needed.

The configuration of the boxitself involves a long navigationthrough a complicated web interface,and setting different policiesand generating the reports weneeded was time-consuming andbecame more difficult the furtherwe progressed.

The box defended againstnormal scans and attacks, but wewere able to compromise thesensor by launching a denial-ofserviceattack and bypassing theIPS. With the sensor disabled, thecomputers on our target networkbecame susceptible to attack byour testing tools. The consolecould flag up a dead sensor, butthat of course will not protect thesystems that are under attack.

The appliance comes with a CDthat contains documentation andrestore information. There aretwo manuals, one is an installationguide and the other is an administratormanual. But the documentationis very long, more than 900pages, and is geared to operatingthe suite as a whole. If the manualis needed to answer specificconfiguration issues or questions,the search for information can bevery time-consuming.

There is a lot of support offeredfrom Sourcefire, including fulltelephone technical support aswell as online help files and emailsupport, as part of an onlinesupport site.

The product comprises threeappliances: the IS 1000; the RNA;and the Defense Center. It is fairlypricey for its abilities but doesrequire reasonably intensivedeployment and management. Butyou would not buy it for the IPS– this is just one component ofthe whole suite, which is a muchmore attractive proposition.

Product title
Sourcefire 3D IPS1000
Product info
Name: Sourcefire 3D IPS1000 Description: Price: from $4,500 for IS1000; from $1,385 for RNA; from $20,200 for Defense Center
Strength
Performs well under normal attack conditions and can work well as a layer of protection for average networks.
Weakness
If the sensor is compromised for any reason, the IPS system leaves the network vulnerable to attack.
Verdict
Not an IPS star: Sourcefire’s rating here does not take into account the suite’s full capabilities.
prestitial ad