Sourcefire 3D IPS1000
Strengths: Performs well under normal attack conditions and can work well as a layer of protection for average networks.
Weaknesses: If the sensor is compromised for any reason, the IPS system leaves the network vulnerable to attack.
Verdict: Not an IPS star: Sourcefire’s rating here does not take into account the suite’s full capabilities.
The Sourcefire box does all the things an IPS should do. It fits comfortably in the category of an average IPS, although it must be remembered that the Sourcefire 3D Suite includes a ton of IDS, scanning, and vulnerability management capability which falls outside the context of this review. As an IPS, the box has no standout features, and nothing specifically separates it from other IPSs.
With the management interface geared around the suite as a whole, narrowing down IPS functionality was difficult. There is no defined procedure for setting policies or determining what types of policies are needed.
The configuration of the box itself involves a long navigation through a complicated web interface, and setting different policies and generating the reports we needed was time-consuming and became more difficult the further we progressed.
The box defended against normal scans and attacks, but we were able to compromise the sensor by launching a denial-of-service attack and bypassing the IPS. With the sensor disabled, the computers on our target network became susceptible to attack by our testing tools. The console could flag up a dead sensor, but that of course will not protect the systems that are under attack.
The appliance comes with a CD that contains documentation and restore information. There are two manuals: an installation guide and an administrator manual. But the documentation is very long, more than 900 pages, and is geared to operating the suite as a whole. If the manual is needed to answer specific configuration issues or questions, the search for information can be very time-consuming.
Sourcefire offers a lot of support, including full telephone technical support as well as online help files and email support, as part of an online support site.
The product comprises three appliances: the IS 1000; the RNA; and the Defense Center. It is fairly pricey for its abilities and does require reasonably intensive deployment and management. But you would not buy it for the IPS – this is just one component of the whole suite, which is a much more attractive proposition.