Sourcefire Next-Generation IPS v4.9
Strengths: High availability features, incident management, customizable, and integration to other products.
Weaknesses: As a standalone IDS/IPS, it lacks analysis tools for combating zero-day threats.
Verdict: If your enterprise already owns a SIEM, this would make a nice addition for providing IDS/IPS functions at an attractive price point.
Summary
The Sourcefire Next-Generation IPS v4.9 is a distributed, appliance-based offering built on the Snort detection engine. It is part of the Sourcefire 3D System, a suite of tools for delivering real-time user and network awareness. The Sourcefire Intrusion Prevention System (IPS) is the component of the 3D System that runs on the 3D Sensor. IPS lets one monitor a network for attacks that can affect the availability, integrity or confidentiality of hosts on the network. By placing 3D Sensors on key network segments, one can inspect the packets traversing those segments for malicious activity. Each 3D Sensor uses rules, decoders and preprocessors to detect the broad range of exploits that attackers can develop.
A typical Sourcefire IPS deployment consists of one or more physical Defense Center management console appliances deployed on a trusted network and multiple physical IPS appliances distributed throughout the environment. An appliance can be installed in passive, inline, or inline with fail-open mode. IPS and Defense Center appliances can also be deployed as virtual appliances on VMware vSphere and open source Xen hosts to monitor VM-to-VM traffic.
The appliance is managed through a web browser. Useful alerting features allow automated responses via SNMP, email or syslog. There is also support for automated firewall response, but it is limited to Check Point OPSEC-compatible firewalls. We liked the incident management feature, which allows one to create an incident and track it through the full lifecycle of the incident management process. Reporting is good and includes the ability to generate reports from the various event views.
Support is available for a fee of 18 or 22 percent of the purchase price. This solution would make a nice addition to any environment that wants to add IDS/IPS to a layered security architecture at a reasonable price point.