Sourcefire takes intrusion prevention to masses with IPSx
- — 18 April, 2011 23:09
Open-source security company Sourcefire has announced an entry-level Intrusion Prevention System (IPS) it claims will democratize a technology that is still seen as being exclusively for large companies with experienced security teams, rather than small and medium-size enterprises.
Called IPSx, in essence it is a stripped-down and boxed version of the Snort rules system that has made the company's name, a sort of 'Snort lite in a box', aimed at larger SMEs that would not normally buy intrusion prevention.
The thinking behind this pared design is well-founded. IPS systems were invented to serve the needs to large enterprises worried about detecting hacks that happen inside networks and therefore beyond the ken of externally-facing firewalls.
The problem has been that smaller networks and SMEs lack the security staff trained to configure or respond to such a demanding application let alone come up with considerable sums needed to buy it.
The IPSx addresses this problem partly by stripping out features designed for larger networks, supplying pre-defined rulesets that build in IPS alert responses honed from its well-established Snort user base.
Gone is unnecessary advanced policy management, Snort rule editing and custom workflows as well as the sort of impact assessments way over the heads of managers. What remains are the core reporting and alerts, pre-defined policies, and intrusion detection system found on more expensive products sold by the company.
Administrators encountering alerts are offered a kinder interface that leads them through online documentation so they understand what has happened and how the detection system dealt with the threat. The interface is claimed to be so good that a 'firewall guy' can have the IPSx up and running out of the box in 30 minutes.
"Tier one IPS technology has been designed for the top tier that might have a team of security analysts," said Sourcefire Field Marketing Manager Leon Ward, explaining the company's ambition to move beyond this sector. "It [IPSx] puts us into a very disruptive position."
Separately, the company has also announced the 8000 Series Appliances, which set out to solve another problem of IPS, namely the difficulty of peering into network traffic without adding latency. These will feature a new acceleration technology called FirePower, which the company claims will offer 20Gbits/s of real-world IPS protection.
Despite Sourcefire's reputation and well-regarded Snort rule-set, taking IPS to the masses could be harder than it looks. Not all SME admins will see the need to invest in a technology that opens the lid on internal traffic security problems while others will take some convincing that IPS can ever be made simple enough to be used inexperienced staff.
The notion of entry-level in IPS is also a relative one -- the IPSx250 starter kit price is $18,245 including a sensor. This rises to $35,245 for the IPSx1000. Even larger SMEs might not see this sort of expenditure as a priority.
Meanwhile, other vendors are trying to sell IPS to SMEs by the back door in Unified Threat Management (UTM) systems that bundle up a range of security technology into one system. Sourcefire IPSx is an example of a very different outlook, that of the standalone 'box of magic' philosophy.
Available from early May along with the 8000 Series, IPSx comes in three models, capable of 250Mbps, 500Mbps and 1Gbps throughput, with a separate management console.