Sourcefire 500, 1000, 2000, 2500, 3500 Installation Manual

...
3D Sensor
Installation Guide
Version 4.10.3
Terms of Use Applicable to the User Documentation
The legal notices, disclaimers, terms of use, and other information contained herein (the “terms”) apply only to the information discussed in this documentation (the “Documentation”) and your use of it. These terms do not apply to or govern the use of websites controlled by Sourcefire, Inc. or its subsidiaries (collectively, “Sourcefire“) or any Sourcefire-provided products. Sourcefire products are available for purchase and subject to a separate license agreement and/or terms of use containing very different terms and conditions.
Terms of Use and Copyright and Trademark Notices
The copyright in the Documentation is owned by Sourcefire and is protected by copyright and other intellectual property laws of the United States and other countries. You may use, print out, save on a retrieval system, and otherwise copy and distribute the Documentation solely for non-commercial use, provided that you (i) do not modify the Documentation in any way and (ii) always include Sourcefire's copyright, trademark, and other proprietary notices, as well as a link to, or print out of, the full contents of this page and its terms.
No part of the Documentation may be used in a compilation or otherwise incorporated into another work or with or into any other documentation or user manuals, or be used to create derivative works, without the express prior written permission of Sourcefire. Sourcefire reserves the right to change the terms at any time, and your continued use of the Documentation shall be deemed an acceptance of those terms.
SOURCEFIRE®, SNORT®, CLAMAV®, SOURCEFIRE DEFENSE CENTER®, SOURCEFIRE 3D®, RNA®, RUA®, SECURITY FOR THE REAL WORLD®, the Sourcefire logo, the Snort and Pig logo, the ClamAV logo, Sourcefire IPS, RAZORBACK, Sourcefire Master Defense Center, DAEMONLOGGER, and certain other trademarks and logos are trademarks or registered trademarks of Sourcefire, Inc. in the United States and other countries. Other company, product and service names may be trademarks or service marks of others.
© 2004 - 2013 Cisco and/or its affiliates. All rights reserved.
Disclaimers
THE DOCUMENTATION AND ANY INFORMATION AVAILABLE FROM IT MAY INCLUDE INACCURACIES OR TYPOGRAPHICAL ERRORS. SOURCEFIRE MAY CHANGE THE DOCUMENTATION FROM TIME TO TIME. SOURCEFIRE MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE ACCURACY OR SUITABILITY OF ANY SOURCEFIRE-CONTROLLED WEBSITE, THE DOCUMENTATION AND/OR ANY PRODUCT INFORMATION. SOURCEFIRE-CONTROLLED WEBSITES, THE DOCUMENTATION AND ALL PRODUCT INFORMATION ARE PROVIDED “AS IS” AND SOURCEFIRE DISCLAIMS ANY AND ALL EXPRESS AND IMPLIED WARRANTIES, INCLUDING BUT NOT LIMITED TO WARRANTIES OF TITLE AND THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL SOURCEFIRE BE LIABLE TO YOU FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, PUNITIVE, OR CONSEQUENTIAL DAMAGES (INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, LOSS OF DATA, LOSS OF PROFITS, AND/OR BUSINESS INTERRUPTIONS), ARISING OUT OF OR IN ANY WAY RELATED TO SOURCEFIRE-CONTROLLED WEBSITES OR THE DOCUMENTATION, NO MATTER HOW CAUSED AND/OR WHETHER BASED ON CONTRACT, STRICT LIABILITY, NEGLIGENCE OR OTHER TORTUOUS ACTIVITY, OR ANY OTHER THEORY OF LIABILITY, EVEN IF SOURCEFIRE IS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. BECAUSE SOME STATES/JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATIONS MAY NOT APPLY TO YOU.
The Documentation may contain “links” to websites that are not created by, or under the control of Sourcefire. Sourcefire provides such links solely for your convenience, and assumes no responsibility for the availability or content of such other sites.
2014-Jan-15 12:06
Table of Contents
Chapter 1: Before You Begin......................................................................... 7
IPS Installation Considerations ............................................................................. 8
RNA Installation Considerations ........................................................................... 9
RUA Installation Considerations ......................................................................... 10
Typical 3D Sensor Deployments ......................................................................... 11
Deploying a Multi-Port 3D Sensor.......................................................... 15
Other Deployment Options ................................................................................ 18
Integrating with VPNs ............................................................................ 18
Detecting Intrusions on Other Points of Entry ....................................... 18
Deploying in Multi-Site Environments.................................................... 20
Integrating 3D Sensors with RNA within Complex Networks ............... 21
Understanding Detection Engines and Interface Sets........................................ 22
Understanding Detection Resources and 3D Sensor Models ............... 23
Comparing Inline and Passive Interface Sets......................................... 25
Connecting Sensors to Your Network................................................................. 25
Using a Hub ........................................................................................... 26
Using a Span Port .................................................................................. 26
Using a Network Tap.............................................................................. 26
Issues for Copper Cabling in Inline Deployments .................................. 27
Special Case: Connecting 8000 Series Devices .................................... 29
Using a Sourcefire Defense Center .................................................................... 29
Communication Ports ......................................................................................... 31
Version 4.10.3 Sourcefire 3D Sensor Installation Guide 3
Chapter 2: Installing a 3D Sensor .............................................................. 33
Included Items .................................................................................................... 34
Security Considerations ...................................................................................... 34
Identifying the Management and Sensing Interfaces......................................... 35
Sourcefire 3D Sensor 500/1000/2000 ................................................... 35
Sourcefire 3D Sensor 2100/2500/3500/4500......................................... 36
Sourcefire 3D Sensor 6500.................................................................... 38
Sourcefire 3D Sensor 7010/7020/7030 .................................................. 42
Sourcefire 3D Sensor 7110/7120 ........................................................... 42
Sourcefire 3D Sensor 8120/8130/8140 .................................................. 45
Sourcefire 3D Sensor 8250/8260/8270/8290......................................... 48
Sourcefire 3D Sensor 9900.................................................................... 53
Using 3D Sensors in a Stacked Configuration .................................................... 55
Connecting 3D9900 Sensors................................................................. 56
Connecting 3D8140 Sensors ................................................................. 58
Connecting 3D8250/8260/8270/8290 Sensors ...................................... 58
Using the 8000 Series Stacking Cable................................................... 62
Installing the 3D Sensor in a Rack ...................................................................... 62
Configuring the Management Interface.............................................................. 64
Using the Management Interface .......................................................... 65
Using a Monitor and Keyboard............................................................... 66
Using the LCD Panel.............................................................................. 68
Using the Command Line Interface ....................................................... 71
Performing the Initial Setup ................................................................................ 72
Redirecting Console Output ............................................................................... 75
Testing an Inline Fail-Open Interface Installation ................................................ 76
Checking for Updates ......................................................................................... 78
Chapter 3: Using the LCD Panel ................................................................. 79
Understanding the LCD Panel ............................................................................ 80
Understanding LCD Panel Modes ...................................................................... 80
Initial Setup/Network Configuration ....................................................... 81
Idle Display ............................................................................................ 82
Error Alert .............................................................................................. 83
System Status........................................................................................ 83
Using the Multi-Function Keys............................................................................ 85
Resetting the Network Configuration ................................................................. 87
Adjusting the Brightness and Contrast on the LCD Panel .................................. 88
Chapter 4: Hardware Specifications......................................................... 89
Rack and Cabinet Mounting Options .................................................................. 89
Sourcefire 3D Sensor 500/1000/2000 Specifications ......................................... 90
Chassis Front View ................................................................................ 90
Chassis Rear View ................................................................................. 92
Physical and Environmental Parameters................................................ 93
Sourcefire 3D Sensor 2100/2500/3500/4500 Specifications .............................. 94
Chassis Front View ................................................................................ 94
Chassis Rear View ............................................................................... 100
Physical and Environmental Parameters.............................................. 102
Sourcefire 3D Sensor 6500 Specifications ....................................................... 103
Chassis Front View .............................................................................. 103
Chassis Rear View ............................................................................... 109
Physical and Environmental Parameters............................................... 111
Sourcefire 3D Sensor 7010/7020/7030 Specifications ...................................... 112
Chassis Front View .............................................................................. 113
Chassis Rear View ............................................................................... 118
Physical and Environmental Parameters.............................................. 119
Sourcefire 3D Sensor 7110/7120 Specifications ............................................... 120
Chassis Front View .............................................................................. 120
Chassis Rear View ............................................................................... 126
Physical and Environmental Parameters.............................................. 128
Sourcefire 3D Sensor 8120/8130/8140 Specifications ...................................... 130
Chassis Front View .............................................................................. 130
Chassis Rear View ............................................................................... 138
Physical and Environmental Parameters.............................................. 140
Sourcefire 3D Sensor 8250/8260/8270/8290 Specifications ............................ 142
Chassis Front View .............................................................................. 143
Chassis Rear View ............................................................................... 152
Physical and Environmental Parameters.............................................. 154
Sourcefire 3D Sensor 9900 Specifications ....................................................... 156
Chassis Front View .............................................................................. 156
Chassis Rear View ............................................................................... 162
Physical and Environmental Parameters.............................................. 165
Chapter 5: Restoring a 3D Sensor to Factory Defaults......................... 166
Using an ISO File to Restore Your System ....................................................... 167
Obtaining the Restore ISO File ............................................................ 168
Using a Restore USB Drive.................................................................. 168
Using an Internal Flash Drive ............................................................... 170
Completing the Restore Process ......................................................... 171
Updating the Restore USB Drive ...................................................................... 175
Scrubbing the Contents of the Hard Drive........................................................ 176
Chapter 6: Safety and Regulatory Information ...................................... 177
General Safety Guidelines ................................................................................ 177
Safety Warning Statements.............................................................................. 179
Regulatory Information ..................................................................................... 182
Sourcefire 3D Sensor 500/1000/2000 Information .............................. 183
Sourcefire 3D Sensor 2100/2500/3500/4500 Information ................... 184
Sourcefire 3D Sensor 6500/9900 Information ..................................... 185
Sourcefire 3D Sensor 7000 Series Information ................................... 186
Sourcefire 3D Sensor 8000 Series Information ................................... 189
Waste Electrical and Electronic Equipment Directive (WEEE) .......................... 193
Chapter 7: Power Requirements for Sourcefire 3D Sensors............... 194
Warnings and Cautions..................................................................................... 194
Interface Connections.......................................................................... 194
Static Control ....................................................................................... 195
3D7010/7020/7030............................................................................................ 195
Installation ........................................................................................... 195
Grounding/Earthing Requirements ..................................................... 196
3D7110/7120..................................................................................................... 197
Installation ........................................................................................... 197
Grounding/Earthing Requirements ..................................................... 198
3D8120/8130/8140 and 3D8250/8260/8270/8290 ............................................ 199
AC Installation ..................................................................................... 199
DC Installation...................................................................................... 201
Grounding/Earthing Requirements ..................................................... 202
For Assistance .................................................................................................. 204
Chapter 1

Before You Begin

This guide describes how to install and set up the Sourcefire 3D Sensor.
Depending on which Sourcefire 3D System products you have licensed, a Sourcefire 3D Sensor can include:
IPS, the intrusion detection and prevention component
RNA, the Real-time Network Awareness component
RUA, the Real-time User Awareness component
any two components, or all three
Each of the components is described in detail in the Sourcefire 3D System User Guide. You can install a 3D Sensor with the IPS component as a standalone appliance, but if you want to use RNA or RUA, you must use the 3D Sensor with a Defense Center. Note that some models of the 3D Sensor do not support every combination of components. See Understanding Detection Resources and 3D Sensor Models on page 23 for more information.
Before you install a Sourcefire 3D Sensor, you should consider how your network is configured and how you want to deploy the various components of the Sourcefire 3D System within it.
This chapter describes some of the considerations for deploying a 3D Sensor, including:
the concept of the detection engine and the modes in which you can deploy detection engines on the 3D Sensor: passive or inline
your goals in deploying sensors that use RNA to perform network discovery and vulnerability assessment, as well as your goals in deploying sensors that use IPS to detect and prevent attacks on your network assets
deployment issues, such as which network segments you want to monitor with your 3D Sensors, and why
how you will physically connect the sensors to your network, taking into account any special network configuration factors, such as firewall placement and VPN deployments
whether you will use a Sourcefire Defense Center to aggregate and correlate RNA and intrusion events
See the following sections for more information:
IPS Installation Considerations on page 8
RNA Installation Considerations on page 9
RUA Installation Considerations on page 10
Typical 3D Sensor Deployments on page 11
Other Deployment Options on page 18
Understanding Detection Engines and Interface Sets on page 22
Connecting Sensors to Your Network on page 25
Using a Sourcefire Defense Center on page 29

IPS Installation Considerations

IPS is the intrusion prevention and detection component of the Sourcefire 3D System. Before you install a 3D Sensor with IPS, you should consider how your network is configured and how you want to deploy the various components of the Sourcefire 3D System within it.
Every network architecture is different, and every enterprise has different security needs. This section lists some of the factors you should consider as you formulate your deployment plans and includes a description of how the Sourcefire 3D System can help you meet common network security goals.
Your deployment decisions for 3D Sensors with IPS will be based on a variety of factors. Answering these questions can help you understand the vulnerable areas of your network and clarify your intrusion detection and prevention needs:
Will you be deploying your 3D Sensor with passive or inline interface sets? Does your 3D Sensor support multiple detection engines with a mix of interface sets, some passive and others inline? See Understanding Detection Engines and Interface Sets on page 22 for more information about detection engines and interface sets and how they influence your sensor deployment.
How will you connect the 3D Sensors to the network? Hubs? Taps? Spanning ports on switches? See Connecting Sensors to Your Network on page 25 for more information about methods for connecting the sensing interfaces on your sensor to your network.
Do you want to detect every attack on your network, or do you only want to know about attacks that penetrate your firewall? Do you have specific assets on your network such as financial, accounting, or personnel records, production code, or other sensitive, protected information that require special security policies? See Typical 3D Sensor Deployments on page 11 for more information.
Do you provide VPN or modem access for remote workers? Do you have remote offices that also require an IPS deployment? Do you employ contractors or other temporary employees? Are they restricted to specific network segments? Do you integrate your network with the networks of other organizations such as customers, suppliers, or business partners? See Other Deployment Options on page 18 for more information.

RNA Installation Considerations

RNA is the Real-time Network Awareness component of the Sourcefire 3D System. Before you install a 3D Sensor with RNA, you should first consider your goals in deploying network discovery and vulnerability assessment sensors. Next, consider deployment issues, such as which network segments you want to monitor with RNA (and why), and how you will physically connect these appliances to your network. Finally, you should take into account any special network configuration factors, such as firewall placement, VPN deployments, and how you will use a Sourcefire Defense Center to aggregate and correlate RNA events.
Monitoring network changes with RNA can help you realize a variety of goals. Clarifying your network discovery and vulnerability assessment goals can guide your deployment choices. This section examines some general goals that can influence a deployment of 3D Sensors with RNA, such as:
gaining a more thorough understanding of your current network infrastructure
learning when network change occurs and how it affects your network’s susceptibility to compromise
using RNA data to refine your intrusion rules and firewall rules

RUA Installation Considerations

RUA is the Real-time User Awareness component of the Sourcefire 3D System. RUA allows your organization to correlate threat, endpoint, and network intelligence with user identity information. 3D Sensors with RUA allow you to identify the source of policy breaches, attacks, or network vulnerabilities. By linking network behavior, traffic, and events directly to individual users, RUA helps to mitigate risk, block users or user activity, and take action to protect others from disruption. These capabilities also significantly improve audit controls and enhance regulatory compliance.
You can deploy RUA in two ways: as a component on a 3D Sensor or as an agent on a Microsoft Active Directory server. The implications of each deployment method are described in “Using Real-time User Awareness” in the Sourcefire 3D System User Guide.
3D Sensors with RUA use detection engines to passively analyze the traffic that travels through your network. An RUA detection engine collects user login events by passively monitoring traffic. Refer to “Setting up Sourcefire 3D Sensors with RUA” in the Sourcefire 3D System User Guide for more information.
The Sourcefire RUA Agent on a Microsoft Active Directory (AD) server detects all AD server logins and reports them to the Defense Center as RUA events. Only usernames and IP addresses associated with RUA events are collected in this manner. Information about loading the RUA Agent on a Microsoft Active Directory server is provided in “Installing an RUA Agent on an Active Directory Server” in the Sourcefire 3D System User Guide.

Typical 3D Sensor Deployments

In the following simple network architecture diagram, the network has three areas with three different security policies:
between the border router and the firewall
in the demilitarized zone, or DMZ
in the internal, protected network
Deploying your 3D Sensors in each of these locations serves different purposes. Security requirements vary, so the following are typical location recommendations:
Placement outside the firewall gives you a clear picture of all the traffic traversing your network via this gateway. This location is appropriate for IPS only. Most enterprises would not need to identify user identities or employ host and vulnerability detection capabilities in this area.
Placement in the DMZ provides you with useful information about attacks on outward-facing servers. This location is appropriate for IPS and RNA, although some enterprises would want to add the user identification capabilities of RUA here as well.
Placement on the internal network monitors inbound traffic for firewall misconfiguration and detects attacks that originate from hosts on the internal network. All internal networks are ideal locations for the combined capabilities of IPS, RNA, and RUA.
These three locations indicate where you may want to connect the 3D Sensor’s sensing interfaces. Regardless of where you connect the sensing interfaces, make sure you connect the 3D Sensor’s management interface to a secure internal network that is protected from unauthorized access.

Outside the Firewall

Outside the firewall, the router provides the first line of defense. Although you can configure most routers to block unwanted packets, this is not typically used to secure the network segment between the router and the firewall. Placing the 3D Sensor here can help you detect attacks made against your network as well as attacks from your network to another.
Deploying the 3D Sensor on this segment of your network for a week or two can help you understand what kinds of attacks reach your firewall and where they originate. Although you can readily inspect all traffic traversing your network, considerable resources are required to prioritize, investigate, and respond to events that may be blocked by your firewall. Your enterprise’s ability to gain knowledge from this approach depends on the amount of traffic traversing your network and your security analyst resources. Gaining this kind of information can help you tune your firewall rules to be as effective as possible.

In the DMZ

In this simple network architecture, the DMZ contains outward-facing servers (web, FTP, DNS, mail, and so on). The hosts in the DMZ provide services to external users and are at a greater security risk than those inside the firewall.
In this network configuration, the servers in the DMZ also provide services such as mail relay and web proxy to users on the internal network. A 3D Sensor with IPS on this segment can provide useful information about the kinds of attacks on outward-facing servers as well as detect attacks directed to the Internet that originate from a compromised server in the DMZ. Adding RNA to the sensor on this segment can help you monitor these exposed servers for changes (for example, a new, unknown service suddenly appearing) that could indicate a compromised server in the DMZ.

On the Internal Side of Redundant Firewalls

Many network environments implement a redundant data path for Internet connectivity. These secondary links may also require monitoring in situations when the primary, or active, links go offline. Two options are available for ensuring continuous monitoring during a primary link outage:
A single 3D Sensor can monitor both the active (primary) and passive (secondary) links over multiple inline links passing through the single sensor. Built-in fail-open bypass capabilities ensure that traffic is always moving through the appliance, and any traffic that moves to the secondary link is still monitored by the sensor appliance as if nothing had failed.
Two 3D Sensor appliances may be placed on the network. One can monitor the active (primary) link and one the passive (secondary) link, with both sensors up and continuously monitoring the specified link. If a condition causes traffic to move from the primary to the secondary link, the 3D Sensor on the secondary link automatically takes over all monitoring responsibilities.

On the Internal Network

Although the sample network includes a firewall configured to provide security to the servers and workstations on the internal network, 3D Sensors on this segment can monitor traffic that is allowed inbound by the firewall by choice or due to firewall misconfiguration. For example, if you have a security policy that prohibits FTP connections to any host on the internal network, you can create a rule on the 3D Sensor that will trigger when it detects traffic directed to port 21 on any IP address in the segment. A 3D Sensor on this segment can also detect attacks that originate from hosts on the internal network. For instance, attaching one 3D Sensor to a mirror or span port on a switch helps you identify attacks from one computer on the internal network directed against other computers on the internal network if the attack traffic traverses the switch.
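The FTP policy rule described above, worked through as an added example (this is not Sourcefire code or text from the guide): the rule is written in Snort's header syntax, with $HOME_NET standing for the monitored internal segment, and a deliberately small matcher plays the part of the detection engine so the rule can be evaluated offline against a handful of constructed flow records. The network 10.20.0.0/16, the addresses in the sample flows, the SID and the message text are all constructed values; only the rule header is evaluated, the options in parentheses are carried for illustration and ignored by the matcher.

```python
"""Illustrate a 'no FTP to any internal host' policy rule on a sensor."""
import ipaddress
from dataclasses import dataclass

# $HOME_NET is the internal segment the sensor watches (constructed value).
HOME_NET = "10.20.0.0/16"

# Snort-style rule: alert on any TCP connection to port 21 on any address in
# the segment, regardless of where the client sits. SID 1000001 is in the
# range reserved for local rules; the msg text is ours.
FTP_POLICY_RULE = (
    'alert tcp any any -> $HOME_NET 21 '
    '(msg:"POLICY FTP connection to internal host"; '
    'flow:to_server,established; sid:1000001; rev:1;)'
)


@dataclass
class Flow:
    """One observed connection, as a span port or tap would deliver it."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_rule_header(rule: str, variables: dict) -> dict:
    """Parse 'action proto src sport -> dst dport' from a Snort-style rule.

    Rule options in parentheses are not interpreted here. Network tokens
    are expanded through `variables` so $HOME_NET resolves to a CIDR block.
    """
    header = rule.split("(", 1)[0].split()
    action, proto, src, sport, arrow, dst, dport = header
    if arrow != "->":
        raise ValueError("only unidirectional (->) rules are supported")

    def net(token):
        token = variables.get(token, token)
        return None if token == "any" else ipaddress.ip_network(token, strict=False)

    def port(token):
        return None if token == "any" else int(token)

    return {
        "action": action,
        "proto": proto.lower(),
        "src": net(src), "sport": port(sport),
        "dst": net(dst), "dport": port(dport),
    }


def matches(header: dict, flow: Flow) -> bool:
    """True when the flow satisfies every constraint in the rule header."""
    if flow.proto.lower() != header["proto"]:
        return False
    for key, addr in (("src", flow.src), ("dst", flow.dst)):
        net = header[key]
        if net is not None and ipaddress.ip_address(addr) not in net:
            return False
    for key, port in (("sport", flow.sport), ("dport", flow.dport)):
        wanted = header[key]
        if wanted is not None and port != wanted:
            return False
    return True


# Constructed sample traffic seen on the internal segment.
SAMPLE_FLOWS = [
    Flow("tcp", "198.51.100.7", 51234, "10.20.1.15", 21),   # inbound FTP: violation
    Flow("tcp", "10.20.3.4", 40000, "10.20.1.15", 21),      # internal FTP: violation
    Flow("tcp", "10.20.3.4", 40001, "203.0.113.9", 21),     # outbound FTP: not covered
    Flow("tcp", "198.51.100.7", 51235, "10.20.1.15", 443),  # HTTPS: no match
    Flow("udp", "198.51.100.7", 5000, "10.20.1.15", 21),    # wrong protocol: no match
]


def find_violations(flows, rule=FTP_POLICY_RULE, home_net=HOME_NET):
    """Return the flows that would trigger the policy rule."""
    header = parse_rule_header(rule, {"$HOME_NET": home_net})
    return [flow for flow in flows if matches(header, flow)]


if __name__ == "__main__":
    for hit in find_violations(SAMPLE_FLOWS):
        print(f"ALERT {hit.proto} {hit.src}:{hit.sport} -> {hit.dst}:{hit.dport}")
```

The second sample flow is the point the guide makes about internal placement: an FTP session between two internal hosts never crosses the firewall, so only a sensor on the internal segment (fed by a span port that sees that traffic) can observe it.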
Similarly, if a host on your network is compromised from within, RNA can immediately identify unauthorized changes on hosts. For example, a Microsoft shop can use RNA to identify in real time a rogue Linux or FreeBSD system that mysteriously appears on their network segment. RNA on a switched network segment can monitor all the hosts and services on the segment for changes and vulnerabilities. For example, attaching a 3D Sensor to a mirror or SPAN port on the switch allows you to monitor the entire network segment, as long as all traffic to and from all hosts on the segment traverses the switch.
In either case, by adding RUA to the 3D Sensor, you can immediately identify the user who is logged into the host that is running the rogue operating system or launching the internal attack.

Deploying a Multi-Port 3D Sensor

Selected models of the 3D Sensor offer multiple sensing ports on an adapter card. You can use the multi-port 3D Sensors in either of two ways:
to recombine the separate connections from a network tap
to capture and evaluate traffic from different networks
IMPORTANT! Although each port is capable of receiving the full throughput for which the sensor is rated, the total traffic on the 3D Sensor cannot exceed its bandwidth rating without some packet loss.
Deploying a multi-port 3D Sensor with a network tap is a straightforward process. The following diagram shows a network tap installed on a high-traffic network segment.
In this scenario, the tap transmits incoming and outgoing traffic through separate ports. When you connect the multi-port adapter card on the 3D Sensor to the tap, the 3D Sensor is able to combine the traffic into a single data stream so that it can be analyzed.
Note that with a gigabit optical tap, as shown in the illustration below, both sets of ports on the 3D Sensor are used by the connectors from the tap.
If your 3D Sensor supports multiple detection engines, you can also create interface sets to capture data from separate networks. The following diagram shows a single sensor with a dual-port adapter and two interface sets connected to two networks.

Other Deployment Options

The following sections describe other installation scenarios that may affect your enterprise’s deployment of the Sourcefire 3D System:
Integrating with VPNs on page 18
Detecting Intrusions on Other Points of Entry on page 18
Deploying in Multi-Site Environments on page 20
Integrating 3D Sensors with RNA within Complex Networks on page 21

Integrating with VPNs

Virtual private networks, or VPNs, use IP tunneling techniques to provide the security of a local network to remote users over the Internet. In general, VPN solutions encrypt the data payload in an IP packet. The IP header is unencrypted so that the packet can be transmitted over public networks in much the same way as any other packet. When the packet arrives at its destination network, the payload is decrypted and the packet is directed to the proper host.
Because network appliances cannot analyze the encrypted payload of a VPN packet, placing 3D Sensors outside the terminating endpoints of the VPN connections ensures that all packet information can be accessed. The following diagram illustrates how 3D Sensors can be deployed in a VPN environment.

Detecting Intrusions on Other Points of Entry

Many networks include more than one access point. Instead of a single border router that connects to the Internet, some enterprises use a combination of the Internet, modem banks, and direct links to business partner networks. In general, you should deploy 3D Sensors near firewalls (either inside the firewall, outside the firewall, or both) and on network segments that are important to the integrity and confidentiality of your business data. The following diagram shows how 3D Sensors can be installed at key locations on a complex network with multiple entry points.

Deploying in Multi-Site Environments

Many organizations want to extend intrusion detection across a geographically disparate enterprise and then analyze all the IPS data from one location. The Sourcefire 3D System supports this by offering the Defense Center, which aggregates and correlates events from 3D Sensors deployed throughout the organization’s many locations. Unlike deploying multiple 3D Sensors and Defense Centers in the same geographic location on the same network, when deploying 3D Sensors in disparate geographic locations, you must take precautions to ensure the security of the 3D Sensors and the data stream. To secure the data, you must isolate the 3D Sensors and Defense Center from unprotected networks. You can do this by transmitting the data stream from the 3D Sensors over a VPN or with some other secure tunneling protocol as shown in the following diagram.

Integrating 3D Sensors with RNA within Complex Networks

You can deploy 3D Sensors with RNA in more complex network topologies than a simple multi-sector network. This section describes the issues surrounding network discovery and vulnerability analysis when deploying RNA in environments where proxy servers, NAT devices, and VPNs exist, in addition to information about using the Sourcefire Defense Center to manage multiple 3D Sensors and the deployment and management of 3D Sensors in a multi-site environment.
Integrating with Proxy Servers and NAT
Network address translation (NAT) devices or software may be employed across a firewall, effectively hiding the IP addresses of internal hosts behind a firewall. If 3D Sensors with RNA are placed between these devices or software and the hosts being monitored, RNA may incorrectly identify the hosts behind the proxy or NAT device. In this case, Sourcefire recommends that you position 3D Sensors with RNA inside the network segment protected by the proxy or NAT device to ensure that hosts are correctly detected.
Integrating with Load Balancing Methods
In some network environments, “server farm” configurations are used to perform network load balancing for services such as web hosting, FTP storage sites, and so on. In load balancing environments, IP addresses are shared between two or more hosts with unique operating systems. In this case, RNA detects the operating system changes and cannot deliver a static operating system identification with a high confidence value. Depending on the number of different operating systems on the affected hosts, RNA may generate a large number of operating system change events or present a static operating system identification with a lower confidence value.
Other RNA Detection Considerations
If an alteration has been made to the TCP/IP stack of the host being identified, RNA may not be able to accurately identify the host operating system. In some cases, this is done to improve performance. For instance, administrators of Windows hosts running the Internet Information Services (IIS) Web Server are encouraged to increase the TCP window size to allow larger amounts of data to be received, thereby improving performance. In other instances, TCP/IP stack alteration may be used to obfuscate the true operating system to preclude accurate identification and avoid targeted attacks. The likely scenario that this intends to address is where an attacker conducts a reconnaissance scan of a network to identify hosts with a given operating system followed by a targeted attack of those hosts with an exploit specific to that operating system.

Understanding Detection Engines and Interface Sets

A detection engine is the mechanism on a 3D Sensor that is responsible for analyzing the traffic on the network segment where the sensor is connected. Depending on which components are licensed on the sensor, 3D Sensors can support three types of detection engines: IPS, RNA, and RUA.
A detection engine has two main components:
an interface set, which can include one or more sensing interfaces
a detection resource, which is a portion of the sensor’s computing resources
3D Sensor models have at least three detection resources available and can support at least three detection engines: one for IPS, one for RNA, and the third for RUA.
An interface set refers to a grouping of one or more sensing interfaces on a sensor; a sensing interface can belong to only one interface set at a time. The Sourcefire 3D System supports three types of interface sets, but the interface options available to you depend on the type of sensor and the capabilities of its sensing interfaces.
Interface Set Types
Type                    Description
Passive                 Use a passive interface set if you deployed the sensor out of band from the flow of network traffic.
Inline                  Use an inline interface set if you deployed the sensor inline on your network and the sensing interfaces do not support automatic fail-open capabilities. Note that you can use any two of the non-fail-open interfaces on the sensor’s network interface cards as part of an inline interface set.
Inline with Fail Open   Use an inline with fail-open interface set if you deployed the sensor inline on your network and the sensing interfaces do support automatic fail-open capabilities. Note that you must use paired fail-open interfaces on the sensor’s network interface cards for an inline with fail-open interface set.
The typical scenario for deploying 3D Sensors across your network infrastructure calls for installing a different sensor in each location where you want to enforce a security policy. In other words, you may want to install one 3D Sensor in the DMZ and others on each internal network segment. If you have a network segment with hosts that are likely to be targets of specialized attacks (for example, a web host farm), you would deploy another 3D Sensor there.
Multiple IPS detection engines on a single 3D Sensor can provide you with more flexibility in deploying 3D Sensors throughout your network. A detection engine is like a virtual sensor within a sensor. When you create a detection engine on a 3D Sensor, you specify which of the sensor’s sensing interfaces it uses and what portion of the sensor’s detection resources it can use. You can then create and apply an intrusion policy that is tuned especially for the network attacks that are likely to be seen on the segment of the network that the detection engine monitors. See the “Using Detection Engines and Interface Sets” chapter in the Sourcefire 3D System User Guide for more information about creating and using detection engines.

Understanding Detection Resources and 3D Sensor Models

3D Sensor with IPS can use multiple detection resources per detection engine, which allows you to use more computing resources when network traffic is high. For example, if you plan to use the 3D3500 sensor in inline mode, you could assign two detection resources to your detection engine to allow processing of more events per second. As a best practice, use one detection resource per application per core on your appliance. Different sensor models have different numbers of detection resources as shown in the Detection Resources by Model table on page 23:
The Optimal column indicates the per sensor total number of detection resources you should use if you want to maximize the performance of the sensor. It also indicates the maximum number of detection resources you can assign a single detection engine.
The Maximum column indicates the total number of detection resources available on the sensor.
The Combination Restrictions column indicates the permitted combinations of detection resources that you can allocate to detection engines on the same sensor; 3D Sensors can run combinations of IPS, RNA, and RUA.
Note that for some sensor models, the availability of detection resources depends on the amount of RAM on the sensor, which you can determine using the Memory Usage field on the Statistics page (Operations > Monitoring > Statistics).
Detection Resources by Model
Model                 Optimal per Sensor   Maximum per Sensor   Combination Restrictions
3D500                 1                    2                    Maximum of one IPS and either one RNA or one RUA
3D1000 (512MB RAM)    1                    2                    Maximum of one IPS and either one RNA or one RUA
3D1000 (1GB RAM)      1                    2                    No restrictions
3D2000                1                    2                    No restrictions
3D2100                2                    3                    No restrictions
3D2500                2                    4                    No restrictions
3D3000                2                    4                    No restrictions
3D3500                2                    6                    No restrictions
3D4500                4                    8                    No restrictions
3D6500                8                    12                   No restrictions
3D7010                Auto                 6                    No restrictions
3D7020                Auto                 6                    No restrictions
3D7030                Auto                 6                    No restrictions
3D7110                Auto                 6                    No restrictions
3D7120                Auto                 6                    No restrictions
3D8120                Auto                 16                   No restrictions
3D8130                Auto                 22                   No restrictions
3D8140                Auto                 22                   No restrictions
3D8250                Auto                 22                   No restrictions
3D9900                7                    12                   No restrictions
Note that disabling hyperthreading on 3D7010/7020/7030 and 8000 Series sensors reduces the maximum number of detection engines you can create. If you disable hyperthreading after creating more than the allowable number of detection engines for a sensor with disabled hyperthreading, you are prohibited from creating additional detection engines. For information on hyperthreading, see “Command Line Reference” in the Sourcefire 3D System User Guide.
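As an added worked example (not code from the Sourcefire guide), the following Python script checks a planned set of detection engines against the limits in the Detection Resources by Model table: each engine may use at most the Optimal count, the total may not exceed Maximum, and the restricted models allow one IPS plus either one RNA or one RUA. The function name and the treatment of the table's "Auto" entries as "no per-engine cap beyond the sensor maximum" are my assumptions; hyperthreading effects are not modelled because the guide gives no numbers for them.

```python
# Added example, not code from the Sourcefire guide. It checks a planned set
# of detection engines against the per-model limits listed in the guide's
# "Detection Resources by Model" table.
#
# LIMITS[model] = (optimal per sensor, maximum per sensor, restricted)
#   optimal    total resources to use for best performance; also the most
#              resources a single engine may be assigned. None stands for the
#              table's "Auto" (7000/8000 Series), which this example treats as
#              "no per-engine cap beyond the sensor maximum" (an assumption).
#   maximum    total resources available on the sensor
#   restricted True for models limited to at most one IPS engine and either
#              one RNA or one RUA engine (not both)
LIMITS = {
    "3D500": (1, 2, True),
    "3D1000 (512MB RAM)": (1, 2, True),
    "3D1000 (1GB RAM)": (1, 2, False),
    "3D2000": (1, 2, False),
    "3D2100": (2, 3, False),
    "3D2500": (2, 4, False),
    "3D3000": (2, 4, False),
    "3D3500": (2, 6, False),
    "3D4500": (4, 8, False),
    "3D6500": (8, 12, False),
    "3D7010": (None, 6, False),
    "3D7020": (None, 6, False),
    "3D7030": (None, 6, False),
    "3D7110": (None, 6, False),
    "3D7120": (None, 6, False),
    "3D8120": (None, 16, False),
    "3D8130": (None, 22, False),
    "3D8140": (None, 22, False),
    "3D8250": (None, 22, False),
    "3D9900": (7, 12, False),
}

ENGINE_TYPES = ("IPS", "RNA", "RUA")


def check_detection_plan(model, engines):
    """engines: list of (engine_type, resources) pairs to create on `model`.

    Returns (errors, warnings). An empty errors list means the plan fits the
    model's limits; warnings flag choices that are allowed but not optimal.
    """
    optimal, maximum, restricted = LIMITS[model]
    errors, warnings = [], []

    # Per-engine checks: known type, at least one resource, within Optimal.
    for etype, res in engines:
        if etype not in ENGINE_TYPES:
            errors.append(f"unknown detection engine type {etype!r}")
        if res < 1:
            errors.append(f"{etype} engine must be assigned at least one resource")
        elif optimal is not None and res > optimal:
            errors.append(f"{etype} engine requests {res} resources; a single "
                          f"engine on the {model} may use at most {optimal}")

    # Sensor-wide checks: never exceed Maximum; warn when above Optimal.
    total = sum(res for _, res in engines)
    if total > maximum:
        errors.append(f"plan uses {total} resources; the {model} has {maximum}")
    elif optimal is not None and total > optimal:
        warnings.append(f"plan uses {total} resources; {optimal} is the "
                        f"optimal total for the {model}")

    # Combination restrictions for the entry-level models.
    if restricted:
        counts = {t: sum(1 for e, _ in engines if e == t) for t in ENGINE_TYPES}
        if counts["IPS"] > 1:
            errors.append(f"the {model} supports at most one IPS engine")
        if counts["RNA"] + counts["RUA"] > 1:
            errors.append(f"the {model} supports either one RNA or one RUA "
                          f"engine, not both")

    return errors, warnings


if __name__ == "__main__":
    # A 3D3500 running inline IPS with two resources plus RNA and RUA.
    print(check_detection_plan("3D3500", [("IPS", 2), ("RNA", 1), ("RUA", 1)]))
    # A 3D500 asked to run all three engines at once.
    print(check_detection_plan("3D500", [("IPS", 1), ("RNA", 1), ("RUA", 1)]))
```

The plan is expressed as (type, resources) pairs so the same check can be run before touching the sensor's configuration; the warnings list separates "allowed but slower" from "cannot be configured".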

Comparing Inline and Passive Interface Sets

An interface set is comprised of one or more sensing interfaces on the 3D Sensor. Each detection engine is assigned to an interface set and uses those interfaces to monitor the traffic on specific network segments. Interface sets can be one of the following types:
passive
inline
inline with fail open
If you create an IPS detection engine that uses either type of inline interface set, you can deploy your detection engine inline. This allows you to take advantage of drop rules that prevent suspicious traffic from reaching a potentially vulnerable host. You can also use replace rules that substitute malicious content with a benign alternative. You can also create RNA and RUA detection engines for inline or inline with fail open interface sets.
A detection engine that uses an inline with fail open interface set has the same properties as an inline interface set with one exception. You can only use an inline with fail open interface set with fail-open network interface cards (NICs). If a 3D Sensor with a fail-open card should fail for some reason (power failure, hard drive failure, and so on), traffic is not blocked by the sensor and your network continues to function.
On the 3D9900 model of the 3D Sensor, you can also take advantage of a feature called tap mode. Tap mode allows you to use interface sets to passively monitor traffic when your sensor is deployed inline on your network.

Connecting Sensors to Your Network

There are several ways to connect 3D Sensors to your network. The following sections outline the supported connection methods:
Using a Hub on page 26
Using a Span Port on page 26
Using a Network Tap on page 26
Additionally, Issues for Copper Cabling in Inline Deployments on page 27 explains some of the guidelines for using straight-through or crossover cables in your deployment and Special Case: Connecting 8000 Series Devices on page 29 describes how to configure stable network links for Series 3 devices.

Using a Hub

An Ethernet hub is an inexpensive way to ensure that the detection engine on a 3D Sensor can see all the traffic on a network segment. Most hubs of this type take the IP traffic meant for any of the hosts on the segment and broadcast it to all the devices connected to the hub. Connect the interface set to the hub to monitor all incoming and outgoing traffic on the segment. Using a hub does not guarantee that the detection engine sees every packet on a higher volume network because of the potential of packet collision. For a simple network with low traffic, this is not likely to be a problem. In a high-traffic network, a different option may provide better results. Note that if the hub fails or loses power, the network connection is broken. In a simple network, the network would be down.
IMPORTANT! Some devices are marketed as hubs but actually function as switches and do not broadcast each packet to every port. If you attach your 3D Sensor to a hub, but do not see all the traffic, you may need to purchase a different hub or use a switch with a Span port.

Using a Span Port

Many network switches include a span port that mirrors traffic from one or more ports. By connecting an interface set to the span port, you can monitor the combined traffic from all ports, generally both incoming and outgoing. If you already have a switch that includes this feature on your network, in the proper location, then you can deploy the detection on multiple segments with little extra equipment cost beyond the cost of the 3D Sensor. In high-traffic networks, this solution has its limitations. If the span port can handle 200 Mbps and each of three mirrored ports can handle up to 100 Mbps, then the span port is likely to become oversubscribed and drop packets, lowering the effectiveness of the 3D Sensor.

Using a Network Tap

Network taps allow you to passively monitor traffic without interrupting the network flow or changing the network topology. Taps are readily available for different bandwidths and allow you to analyze both incoming and outgoing packets on a network segment. Unfortunately, you can monitor only a single network segment with most taps, so they are not a good solution if you want to monitor, for example, the traffic on two out of the eight ports on a switch. Instead, you would have to install the tap between the router and the switch and access the full IP stream to the switch.
By design, network taps divide incoming and outgoing traffic into two different streams over two different cables. 3D Sensors offer multi-port options that recombine the two sides of the conversation so that the entire traffic stream is evaluated by the decoders, the preprocessors, and the detection engine.

Issues for Copper Cabling in Inline Deployments

If you are deploying your sensor inline on your network, and you are taking advantage of your sensor’s fail open capabilities to maintain network connectivity even if the sensor goes down, there are a few important points to keep in mind.
If you are deploying a sensor with fiber fail-open interfaces, there are no special cabling issues beyond ensuring that the connections are securely fastened and the cables are not kinked. However, if you are deploying sensors with copper rather than fiber network interfaces, then you must be aware of the sensor model that you are using, because different sensor models use different network cards.
The network interface cards (NICs) in the sensor support a feature called Auto-Medium Dependent Interface Crossover (Auto-MDI-X), which allows network interfaces to configure automatically whether you are using a straight-through or crossover Ethernet cable to connect to another network device. However, the network cards in the sensor can act in a different manner when the sensor loses power and the NICs fail open. Some of the cards will fail open as a straight-through connection, others as crossover. This has implications for you as you choose cables to connect a sensor to each endpoint. The Sensor Models and Fail Open Characteristics table lists the various sensor models and whether they fail open as crossover or straight-through devices.
Sensor Models and Fail Open Characteristics
Model Fails open as...
3D500 straight-through
3D1000 straight-through
3D2000 straight-through
3D2100 straight-through
3D2500 straight-through
3D3500 straight-through
3D4500 straight-through
3D6500 crossover
3D9900 crossover
7000 Series crossover
8000 Series crossover
For sensor models that fail open as straight-through, wire the device as you would for normal operation without a sensor deployed. The link should work with power to the sensor removed. In most cases you should use one crossover cable and one straight-through cable to connect the sensor to the two endpoints.
For sensor models that fail open as crossover, wire the device as would normally be done with the 3D Sensor live on the network. In most cases you should use two straight-through cables to connect the sensor to the two endpoints.
The following table indicates where you should use crossover or straight-through cables in your hardware bypass configurations.
Valid Configurations for Hardware Bypass
Endpoint 1   Cable   Sensor   Cable   Endpoint 2
MDIX         =       =        =       MDI
MDI          X       =        =       MDI
MDI          =       =        X       MDI
MDI          =       =        =       MDIX
MDIX         =       X        =       MDIX
MDI          =       X        =       MDI
MDI          X       X        X       MDI
MDIX         X       X        =       MDI
= indicates a straight-through cable or sensor bypass connection
X indicates a crossover cable or sensor bypass connection
Note that every network environment is likely to be unique, with endpoints that have different combinations of support for Auto-MDI-X. The easiest way to confirm that you are installing your sensor with the correct cabling is to begin by connecting the sensor to its two endpoints using one of the cabling scenarios shown in the illustration, but with the sensor powered down. Ensure that the two endpoints can communicate. If they cannot communicate, then one of the cables is the incorrect type. Switch one (and only one) of the cables to the other type, either straight-through or crossover.
After the two endpoints can successfully communicate with the inline sensor powered down, power up the sensor. The Auto-MDI-X feature ensures that the two endpoints will continue to communicate. Note that if you have to replace an inline sensor, you should repeat the process of ensuring that the endpoints can communicate with the new sensor powered down to protect against the case where the original sensor and its replacement have different fail-open characteristics.
The Auto-MDI-X setting functions correctly only if you allow the network interfaces to auto-negotiate. If your network environment requires that you turn off the Auto Negotiate option on the Network Interface page, then you must specify the correct MDI/MDIX option for your inline network interfaces. See “Editing Network Interface Configurations” in the Sourcefire 3D System User Guide for more information.
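The rule behind the hardware bypass table and the powered-down procedure above, as an added worked example that is not part of the Sourcefire guide: each crossover cable, and a sensor that fails open as a crossover, flips the pair polarity once, so two endpoints of the same port type (MDI to MDI, or MDIX to MDIX) need an odd number of flips on the path and endpoints of different types need an even number. The script assumes fixed-polarity endpoints (neither end applying Auto-MDI-X), which is the case the table covers; the endpoint labels and function names are my own.

```python
from itertools import product

# Added example, not code from the Sourcefire guide. It models the
# straight-through / crossover bookkeeping for an inline sensor with hardware
# bypass, assuming fixed-polarity endpoints (no Auto-MDI-X on either end).
STRAIGHT = "="   # straight-through cable, or a sensor that bypasses straight-through
CROSS = "X"      # crossover cable, or a sensor that bypasses as a crossover

# Fail-open behaviour per model, from the guide's "Sensor Models and Fail Open
# Characteristics" table.
FAIL_OPEN_MODE = {
    "3D500": STRAIGHT, "3D1000": STRAIGHT, "3D2000": STRAIGHT,
    "3D2100": STRAIGHT, "3D2500": STRAIGHT, "3D3500": STRAIGHT,
    "3D4500": STRAIGHT, "3D6500": CROSS, "3D9900": CROSS,
    "7000 Series": CROSS, "8000 Series": CROSS,
}


def link_works(endpoint1, cable1, sensor, cable2, endpoint2):
    """True if endpoint1 and endpoint2 can talk through cable1, the sensor
    (its bypass behaviour when powered down) and cable2.

    Endpoints are "MDI" (host-style port) or "MDIX" (switch-style port).
    Two ports of the same type need one net crossover on the path; ports of
    different types need none. Each CROSS element flips polarity once, so the
    path must contain an odd number of CROSS elements for same-type ports and
    an even number for mixed ports.
    """
    flips = sum(1 for element in (cable1, sensor, cable2) if element == CROSS)
    needs_crossover = endpoint1 == endpoint2
    return (flips % 2 == 1) == needs_crossover


def valid_cabling(endpoint1, endpoint2, model):
    """All (cable1, cable2) choices that keep the link up with the sensor
    powered down, i.e. with the model's bypass behaviour in the path."""
    bypass = FAIL_OPEN_MODE[model]
    return [(c1, c2) for c1, c2 in product((STRAIGHT, CROSS), repeat=2)
            if link_works(endpoint1, c1, bypass, c2, endpoint2)]


def powered_down_check(endpoint1, cable1, model, cable2, endpoint2):
    """The guide's field procedure: test with the sensor powered down and, if
    the endpoints cannot communicate, swap exactly one cable for the other
    type. Swapping one cable flips parity once, so one swap always suffices.
    Returns the cable pair that works."""
    bypass = FAIL_OPEN_MODE[model]
    if link_works(endpoint1, cable1, bypass, cable2, endpoint2):
        return (cable1, cable2)
    swapped = CROSS if cable1 == STRAIGHT else STRAIGHT
    return (swapped, cable2)


if __name__ == "__main__":
    # A 3D2500 (fails open straight-through) between a switch port (MDIX)
    # and a firewall port wired as MDI.
    print(valid_cabling("MDIX", "MDI", "3D2500"))     # [('=', '='), ('X', 'X')]
    # The same endpoints with a 3D6500 (fails open as crossover).
    print(valid_cabling("MDIX", "MDI", "3D6500"))     # [('=', 'X'), ('X', '=')]
    # Two straight-through cables between MDI ports fail with the sensor off;
    # swapping one cable fixes it.
    print(powered_down_check("MDI", "=", "3D2500", "=", "MDI"))  # ('X', '=')
```

Because a replacement sensor of a different model changes the sensor element in the path, re-running valid_cabling (or the powered-down test) for the new model is the same check the guide asks you to repeat when swapping hardware.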

Special Case: Connecting 8000 Series Devices

8000 Series managed devices do not support half duplex network links; they also do not support differences in speed or duplex configurations at opposite ends of a connection. To ensure a stable network link, you must either auto-negotiate on both sides of the connection, or set both sides to the same static speed.

Using a Sourcefire Defense Center

You must manage 7000 Series and 8000 Series 3D Sensors with a Sourcefire Defense Center. Series 2 3D Sensors with IPS can run as standalone appliances, or you can manage them with the Defense Center as well. The Defense Center aggregates and correlates events generated by multiple 3D Sensors on different segments of your network. You can also use the Defense Center to manage, change, and standardize the intrusion policies on 3D Sensors.
To safeguard the Defense Center, it must be installed on a protected internal network. Although the Defense Center is configured to have only the necessary services and ports available, you must make sure that attacks cannot reach it from outside the firewall.
If the 3D Sensor and the Defense Center reside on the same network, you can connect the management interface on the 3D Sensor to the same protected internal network as the Defense Center. This allows you to securely control the sensor from the Defense Center and aggregate the event data generated on the 3D Sensor’s network segment. By using the Defense Center’s filtering capabilities, you can analyze and correlate data from attacks across your network to evaluate how well your security policies are being implemented.