By Joel Snyder, Network World Lab Alliance
Network World, 08/23/04
Sourcefire's Real-time Network Awareness Sensor 2000 is like a magic eye that watches everything happening on your network. By combining passive network analysis with a Web-based management system, Sourcefire delivers a powerful tool to IT personnel who need more information about their networks.
While RNA Sensors offer a wealth of information about the systems and services on your network, the downside is that it is up to you to make sense out of it all.
To help network managers understand the information from RNA Sensors and the alerts and events from the company's intrusion-detection systems sensors (Intrusion Sensor), Sourcefire offers the Defense Center (if purchased collectively, Sourcefire refers to the package as its 3D Product Suite). RNA Sensors and Intrusion Sensors send information to the Defense Center, which provides a central view of alerts and events, network configuration information and forensic data.
RNA Sensors sit passively on the network and watch the traffic pass by. The RNA Sensor we tested had four Ethernet interfaces, but we used only one, with virtual LAN-based monitoring, to give RNA Sensor visibility into different parts of our production network. While this virtual LAN capability is a great feature for a single network site, if you wanted to monitor multiple sites you'd need to deploy multiple sensors. (See How we did it.) Configuration is simple: once you tell RNA Sensor what networks to watch, it begins collecting data and populating its databases.
As RNA Sensor watches the packets fly by, it builds a model of the network topology and pinpoints the hosts on your network, the network applications they are running, and the users and devices they are communicating with. Because RNA Sensor watches every connection to every host, it also collects information about specific network flows, such as a particular HTTP connection from a client to a server.
RNA Sensor's information about our network was quite accurate. Application identification was excellent, as the sensor found obscure mail servers on non-standard ports and managed to get product and version information for most products. When it came to guessing operating systems, the results were mixed. RNA Sensor collected the least amount of information for embedded systems, such as printers and time servers.
RNA Sensor has piles of useful information - but it doesn't volunteer specific data if you don't ask for it. If you go to the dashboard, it doesn't have a big flashing light saying "Hey, look at this." RNA Sensor's "policy-free" architecture is great for the sophisticated network professional, but you've got to have an idea of what you want to know - or combine it with Sourcefire's Defense Center management console - before it becomes a very useful tool.
For example, when we got a complaint about poor performance at a site, we made an educated guess and looked at the flow summary to see the top 10 connection initiators. RNA Sensor showed us a list, and the system at the top of the list far outweighed any other device on the network. It had been compromised by a hacker and was actively looking for other vulnerable systems, consuming lots of bandwidth. Looking at the detailed flow data RNA Sensor provided for that system, we quickly identified the scanning pattern and even the IP address to which it reported. When you do know what you're looking for, RNA Sensor can provide the data.
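The kind of analysis described above, written out as an added example that is not RNA Sensor code: rank connection initiators from flow records, then profile the top one to see whether it is fanning out across many hosts on one port and which peer it keeps going back to. The flow records and addresses are constructed for the example.

```python
from collections import Counter

# Constructed flow records (not RNA output): (src, dst, dst_port, bytes).
# One internal host touches 40 neighbours on port 445 and repeatedly
# contacts one outside address; the rest is ordinary traffic.
FLOWS = [("10.1.5.23", f"10.1.9.{i}", 445, 120) for i in range(1, 41)] + [
    ("10.1.5.23", "198.51.100.7", 6667, 900),
    ("10.1.5.23", "198.51.100.7", 6667, 880),
    ("10.1.5.23", "198.51.100.7", 6667, 910),
    ("10.1.2.10", "10.1.3.5", 80, 5000),
    ("10.1.2.10", "10.1.3.5", 80, 4000),
    ("10.1.2.11", "10.1.3.6", 25, 2000),
    ("10.1.3.5", "10.1.2.10", 443, 30000),
]

def top_initiators(flows, n=10):
    """Sources ranked by connections initiated: the review's top-10 list."""
    return Counter(f[0] for f in flows).most_common(n)

def scan_profile(flows, host):
    """Summarise one initiator: how many targets and ports it touched,
    which port dominates, and which peers it contacted more than once
    (repeat peers are where a report-back destination shows up)."""
    mine = [f for f in flows if f[0] == host]
    dsts = Counter(f[1] for f in mine)
    ports = Counter(f[2] for f in mine)
    return {
        "connections": len(mine),
        "distinct_dsts": len(dsts),
        "distinct_ports": len(ports),
        "dominant_port": ports.most_common(1)[0][0],
        "repeat_peers": sorted(d for d, c in dsts.items() if c > 1),
    }

def looks_like_scanner(profile, min_dsts=20, max_ports=3):
    """Heuristic: many distinct destinations concentrated on a few ports."""
    return profile["distinct_dsts"] >= min_dsts and profile["distinct_ports"] <= max_ports

if __name__ == "__main__":
    top = top_initiators(FLOWS)
    print("top initiators:", top)
    suspect = scan_profile(FLOWS, top[0][0])
    print("profile of", top[0][0], suspect, "scanner:", looks_like_scanner(suspect))
```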
Once you start asking questions, you can customize display screens to present and summarize information and generate reports. Read about a patch for an obscure FTP server and want to know if you're running the vulnerable version? RNA Sensor will give you that information in two clicks, even if the FTP server is running on a non-standard port. Need a table of all your BSD-based hosts, along with version numbers? That takes three clicks (plus you have to type "BSD").
There are limits, though: RNA Sensor doesn't show information such as patch levels or applications running within Web servers. And it only keeps track of network server applications, not client applications, so you can't find out what Web browsers or e-mail clients users have, for example.
Events and policy
RNA Sensor offers a limited policy-compliance tool kit. As the product gathers information about systems, it generates internal events. You can search the event logs at any time, or with the policy tool kit you can build rules that watch for particular combinations of events and values. When these incidents occur, RNA Sensor will send e-mail, an SNMP trap or a syslog message. The main problem with this policy-compliance tool kit is its limited vocabulary. For example, you can be alerted if a host suddenly starts running any new service, but you cannot specify that it be only a new mail service. Although you can be alerted about any RNA Sensor event, the detail is coarse enough that you'd need another tool, such as a security event manager (see the test of these tools here), to filter out the alerts.
The true power of RNA for policy compliance and monitoring comes in the Defense Center, and this is where Sourcefire hits its stride. When RNA Sensors are connected to a Defense Center console, policy-compliance rules are evaluated on the management console, which means you can combine the results from multiple sensors when writing policy rules. That provides a greater amount of information, but it still falls short of writing rules based on both RNA Sensor and Intrusion Sensor events.
Sourcefire's Defense Center does some limited correlation of Intrusion Sensor and RNA Sensor information in a feature the company calls "impact alerting." The idea behind impact alerting sounds great: match up an Intrusion Sensor alert with RNA Sensor information, and send only the relevant alerts. Unfortunately, it doesn't work well. Because RNA Sensor doesn't have perfect knowledge of what is and isn't vulnerable on the network, you get irrelevant impact alerts. While you can filter out the Intrusion Sensor alerts, which will keep the impact alerts from showing up, you can't do anything about RNA Sensor's knowledge base: there's no way to add or modify information that will make RNA Sensor smarter about a host's services or vulnerabilities. So if RNA Sensor has misdetected an operating system or doesn't realize that a patch has been applied, you can't make it any smarter.
Unlike the Intrusion Sensor rules, which are fully customizable and visible, impact rules that correlate RNA Sensor information and Intrusion Sensor alerts together are opaque and can't be seen or individually enabled or disabled. The only detail you have is whether to receive alerts classified as "vulnerable," "potentially vulnerable," "currently not vulnerable," or "unknown." If you disagree with Sourcefire's embedded analysis, you have to suppress the Intrusion Sensor alert so that it never gets to the impact-alerting part of your management console.
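To make the impact-alerting idea concrete, here is an added illustration (not Sourcefire's actual rules, which the review notes are opaque) of how an IDS alert can be graded against a passively built host inventory into the four classes the console exposes. The inventory, alerts and signature ids are constructed; the `PATCHED` table stands for the analyst-supplied knowledge the review says RNA Sensor could not accept.

```python
# Constructed passive-discovery inventory: host -> OS guess and the server
# software observed per port. 10.1.3.7 is an embedded device about which
# little was learned, the weak spot the review describes.
INVENTORY = {
    "10.1.3.5": {"os": "Linux",   "services": {80: "Apache 1.3.29", 22: "OpenSSH 3.6"}},
    "10.1.3.6": {"os": "FreeBSD", "services": {25: "Sendmail 8.12.9"}},
    "10.1.3.7": {"os": None,      "services": {}},
}

# Hypothetical analyst overrides: (host, signature id) pairs known to be patched.
PATCHED = {("10.1.3.6", "SMTP-sendmail-8.12-overflow")}

def classify_impact(alert, inventory, patched=frozenset()):
    """Grade an IDS alert against what passive discovery knows about the target.

    alert keys: dst, dst_port, sid, affected_os (or None for any OS),
    affected_service (substring of the vulnerable product/version string).
    Returns one of: 'vulnerable', 'potentially vulnerable',
    'currently not vulnerable', 'unknown'.
    """
    host = inventory.get(alert["dst"])
    if host is None or (host["os"] is None and not host["services"]):
        return "unknown"                      # target never fingerprinted
    if (alert["dst"], alert["sid"]) in patched:
        return "currently not vulnerable"     # local knowledge wins
    svc = host["services"].get(alert["dst_port"])
    if svc is None:
        return "currently not vulnerable"     # no server seen on that port
    svc_match = alert["affected_service"].lower() in svc.lower()
    os_match = alert["affected_os"] is None or host["os"] == alert["affected_os"]
    if svc_match and os_match:
        return "vulnerable"
    if svc_match or os_match or host["os"] is None:
        return "potentially vulnerable"       # partial or incomplete evidence
    return "currently not vulnerable"         # service and OS both contradict

if __name__ == "__main__":
    sendmail = {"dst": "10.1.3.6", "dst_port": 25, "sid": "SMTP-sendmail-8.12-overflow",
                "affected_os": None, "affected_service": "Sendmail 8.12"}
    print("without overrides:", classify_impact(sendmail, INVENTORY))
    print("with patch record: ", classify_impact(sendmail, INVENTORY, PATCHED))
```

Running it shows the same alert graded "vulnerable" from the inventory alone and "currently not vulnerable" once the patch record is consulted, which is exactly the correction the reviewed console offered no way to make.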
Sourcefire engineers acknowledge this and are working to improve impact alerts, company officials say.
By itself, or integrated with Sourcefire's Defense Center, RNA Sensor is a powerful tool for discovering and reporting on what is happening on your network. Like many tools, what you get out of it depends on the skill of the craftsman.