Sourcefire update protects virtual machines

Security firm Sourcefire is planning an upgrade to its Sourcefire 3D intrusion prevention system (IPS) that will provide better protection for virtual infrastructure.

The new version will also be available as a virtual appliance, offering customers greater flexibility in deployment.

Due for release before the end of the year, Sourcefire 3D System 4.9 will be able to monitor network traffic between virtual machines, in addition to activity on physical network connections supported by current releases.

"The challenge for large organisations is that virtual infrastructure is just as vulnerable to attack as physical networks, but it is more difficult to monitor. With this release, we'll be able to help companies identify and secure virtual infrastructure," said Sourcefire managing director for EMEA Graham Welch.

This support will be provided by virtual 3D sensors deployed on VMware ESX and ESXi to inspect traffic. These will complement physical sensor appliances on the network, and be able to monitor traffic between virtual machines that might not necessarily impinge on the physical Lan.

The new version will initially be available only for VMware infrastructure, but Sourcefire said it has not ruled out other virtualisation platforms such as Citrix Xen and Microsoft's Hyper-V.

Version 4.9 of the Sourcefire 3D System, which builds on the technology in the Snort open-source tool, will also include a new Virtual Defence Centre console to manage both the physical and virtual sensors.

Virtual Defence Centre will also enable managed service providers to oversee virtual environments for multiple customers from the one console, according to Welch.

Other new features include layered policy management, allowing each business unit within a large organisation to apply its own local policies on top of the global settings. Each virtual Lan (VLan) can also have its own policies.

Meanwhile, rate-based attack detection will enable Sourcefire to correlate a large number of similar attacks within a certain timeframe and automatically block them, providing some measure of protection against distributed denial of service (DDOS) attacks, Welch said.

Sourcefire's Real-time Network Awareness (RNA) has also been enhanced in version 4.9. It can automatically configure itself, and can send an alert if a new virtual machine instance suddenly appears on the network.

RNA has now gained application and service fingerprints, enabling Sourcefire to identify applications such as SAP and Oracle operating on the network, and if they are being targeted by an attack.

"One of the biggest problems with intrusion detection is that you otherwise have no idea what the target of an attack is," explained Welch.

Sourcefire 3D System 4.9 is currently in beta testing, and existing customers on Sourcefire's maintenance programme will automatically get an upgrade when it is available, according to Welch.

However, the virtual sensors and Virtual Defense Center are extras, with costs starting at US$4,000 and varying depending on network throughput.