Senior Editor, Network World

Sourcefire ignites scanning effort

Jun 02, 2003

In a departure from developing intrusion-detection systems, Sourcefire this week divulged plans to build a network-discovery tool that will let users monitor system resources such as servers, desktop computers and applications.

Realtime Network Awareness (RNA) will be an appliance that plugs into the corporate network in any LAN segment where users would run an IDS, says Sourcefire CTO Marty Roesch. RNA 1.0 will be able to locate servers and desktop computers, identifying what platform they are running (Microsoft, Unix, Linux or MacOS) and whether they’re running e-mail applications, Web servers or network services.

This type of passive scanner, which helps customers keep track of what’s deployed across large networks, puts Sourcefire in direct competition with Lumeta and the freeware tool Nessus. However, Roesch says the primary reason Sourcefire is developing RNA is not to be able to sell a stand-alone network-discovery tool, but to be able to use the information RNA collected to benefit the Sourcefire line of IDS products.

One Sourcefire customer, Kirk Drake, CIO at the National Institutes of Health Federal Credit Union in Rockville, Md., says adding the capability for an IDS to know what’s on the network and what’s been patched would be a boon.

“We get a huge amount of data now from our IDS,” Drake says. “It notifies you of about 200 to 300 alerts per day, most of which are false positives. If the IDS knew what was on your network or knew what was patched, we’d be getting a better set of alerts. But that’s not really possible right now.”

“This is a steppingstone product to gather information about the network and correlate it with IDS,” Roesch says. By having RNA share detail about the corporate intranet with the Sourcefire IDS, the IDS can more precisely tailor alerts to fit the corporate network profile. A common problem with many IDSs on the market is that they issue alarms that are too wide-ranging and require a lot of fine-tuning to give network managers a desirable level of reporting.
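One way the correlation Roesch describes can work, shown here as an added illustration rather than Sourcefire or Snort code: a host inventory built by passive discovery is used to suppress alerts whose signature cannot apply to the destination host (wrong platform, or a service the host does not run) and to escalate those that can. The inventory, the alert fields and every address and signature id are constructed for the example.

```python
"""Target-based alert triage: re-score IDS alerts against a passively built
host inventory. Illustrative code; all hosts, alerts and ids are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Host:
    ip: str
    platform: str                         # inferred by discovery, e.g. "linux"
    services: Set[str] = field(default_factory=set)   # e.g. {"http", "smtp"}


@dataclass
class Alert:
    sid: int                              # constructed signature id
    msg: str
    dst_ip: str
    target_platform: Optional[str]        # platform the signature applies to, or None
    target_service: Optional[str]         # service the signature applies to, or None


# Constructed inventory, in the shape a discovery tool would report.
INVENTORY: Dict[str, Host] = {
    "10.0.0.5": Host("10.0.0.5", "linux", {"http"}),
    "10.0.0.9": Host("10.0.0.9", "windows", {"smtp"}),
}

# Constructed alerts, in the shape an IDS would emit.
ALERTS: List[Alert] = [
    Alert(1001, "IIS traversal attempt", "10.0.0.5", "windows", "http"),
    Alert(1002, "Apache chunked overflow", "10.0.0.5", "linux", "http"),
    Alert(1003, "SMTP command overflow", "10.0.0.5", None, "smtp"),
    Alert(1004, "SMTP command overflow", "10.0.0.9", None, "smtp"),
    Alert(1005, "IIS traversal attempt", "10.0.0.77", "windows", "http"),
]


def score_alert(alert: Alert, inventory: Dict[str, Host]) -> Tuple[str, str]:
    """Return (verdict, reason). Unknown hosts keep their default priority."""
    host = inventory.get(alert.dst_ip)
    if host is None:
        return "unknown-host", "destination not in inventory"
    if alert.target_platform and alert.target_platform != host.platform:
        return "suppress", f"signature is for {alert.target_platform}, host runs {host.platform}"
    if alert.target_service and alert.target_service not in host.services:
        return "suppress", f"host does not run {alert.target_service}"
    return "escalate", "host runs the affected platform and service"


def triage(alerts: List[Alert], inventory: Dict[str, Host]) -> Dict[int, Tuple[str, str]]:
    """Map each alert sid to its verdict and reason."""
    return {a.sid: score_alert(a, inventory) for a in alerts}
```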

Network-discovery information also would be of value in configuring inline intrusion-prevention systems (IPS), which can block network traffic. Traditional IDSs don’t block traffic but can instruct a firewall to do this or terminate sessions with TCP resets.

Sourcefire makes a line of IDSs, ranging from the 22M bit/sec NS1000 to the gigabit-speed NS3000. Roesch is also the inventor of the IDS freeware Snort, which is widely used alongside other commercial products and serves as a standalone IDS at some companies. The firm also has said it intends to build an IPS, without offering further specifics.

Sourcefire’s goal is to have RNA out in the third quarter. Linking scanning tools with IDSs is still a new idea, but other security vendors also are thinking along a similar path. Internet Security Systems says that by July its vulnerability-assessment scanner, Internet Scanner 7.0, will become an active source of information used by the ISS RealSecure host- and network-based IDS to protect against some types of attacks.

A number of other vendors, including SecurityProfiling – which is adapting its patch-management tool called SysUpdate to correlate information with the Snort IDS – are pursuing any advantage that can be gained in sharing network-device and application information with IDSs.