Sourcefire 3D System Installation Guide
Version 5.2
Terms of Use Applicable to the User Documentation
The legal notices, disclaimers, terms of use, and other information contained herein (the "terms") apply only to the information discussed in this documentation (the "Documentation") and your use of it. These terms do not apply to or govern the use of websites controlled by Sourcefire, Inc. or its subsidiaries (collectively, "Sourcefire") or any Sourcefire-provided products. Sourcefire products are available for purchase and subject to a separate license agreement and/or terms of use containing very different terms and conditions.
Terms of Use and Copyright and Trademark Notices
The copyright in the Documentation is owned by Sourcefire and is protected by copyright and other intellectual property laws of the United States and other countries. You may use, print out, save on a retrieval system, and otherwise copy and distribute the Documentation solely for non-commercial use, provided that you (i) do not modify the Documentation in any way and (ii) always include Sourcefire's copyright, trademark, and other proprietary notices, as well as a link to, or print out of, the full contents of this page and its terms.
No part of the Documentation may be used in a compilation or otherwise incorporated into another work or with or into any other documentation or user manuals, or be used to create derivative works, without the express prior written permission of Sourcefire. Sourcefire reserves the right to change the terms at any time, and your continued use of the Documentation shall be deemed an acceptance of those terms.
Sourcefire, the Sourcefire logo, Snort, the Snort and Pig logo, Immunet, ClamAV and certain other trademarks and logos are trademarks or registered trademarks of Sourcefire, Inc. in the United States and other countries. Other company, product and service names may be trademarks or service marks of others.
© 2004 - 2013 Sourcefire, Inc. All rights reserved.
Disclaimers
THE DOCUMENTATION AND ANY INFORMATION AVAILABLE FROM IT MAY INCLUDE INACCURACIES OR TYPOGRAPHICAL ERRORS. SOURCEFIRE MAY CHANGE THE DOCUMENTATION FROM TIME TO TIME. SOURCEFIRE MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE ACCURACY OR SUITABILITY OF ANY SOURCEFIRE-CONTROLLED WEBSITE, THE DOCUMENTATION AND/OR ANY PRODUCT INFORMATION. SOURCEFIRE-CONTROLLED WEBSITES, THE DOCUMENTATION AND ALL PRODUCT INFORMATION ARE PROVIDED "AS IS" AND SOURCEFIRE DISCLAIMS ANY AND ALL EXPRESS AND IMPLIED WARRANTIES, INCLUDING BUT NOT LIMITED TO WARRANTIES OF TITLE AND THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL SOURCEFIRE BE LIABLE TO YOU FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, PUNITIVE, OR CONSEQUENTIAL DAMAGES (INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, LOSS OF DATA, LOSS OF PROFITS, AND/OR BUSINESS INTERRUPTIONS), ARISING OUT OF OR IN ANY WAY RELATED TO SOURCEFIRE-CONTROLLED WEBSITES OR THE DOCUMENTATION, NO MATTER HOW CAUSED AND/OR WHETHER BASED ON CONTRACT, STRICT LIABILITY, NEGLIGENCE OR OTHER TORTUOUS ACTIVITY, OR ANY OTHER THEORY OF LIABILITY, EVEN IF SOURCEFIRE IS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. BECAUSE SOME STATES/JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATIONS MAY NOT APPLY TO YOU.
The Documentation may contain "links" to websites that are not created by, or under the control of Sourcefire. Sourcefire provides such links solely for your convenience, and assumes no responsibility for the availability or content of such other sites.
2013-Oct-18 16:20
Table of Contents
Chapter 1: Introduction to the Sourcefire 3D System ............................... 8
Sourcefire 3D System Appliances ........................................................................ 9
Defense Centers...................................................................................... 9
Managed Devices .................................................................................. 10
Understanding Appliance Series, Models, and Capabilities ................... 10
Sourcefire 3D System Components ................................................................... 16
Licensing the Sourcefire 3D System .................................................................. 19
Using Legacy RNA Host and RUA User Licenses ................................. 22
Security, Internet Access, and Communication Ports......................................... 23
Internet Access Requirements .............................................................. 23
Open Communication Ports Requirements ........................................... 24
Chapter 2: Understanding Deployment ..................................................... 27
Understanding Deployment Options .................................................................. 28
Understanding Interfaces ................................................................................... 28
Passive Interfaces.................................................................................. 29
Inline Interfaces ..................................................................................... 29
Switched Interfaces ............................................................................... 30
Routed Interfaces .................................................................................. 31
Hybrid Interfaces ................................................................................... 32
Connecting Devices to Your Network................................................................. 32
Using a Hub ........................................................................................... 33
Using a Span Port .................................................................................. 33
Using a Network Tap.............................................................................. 33
Cabling Inline Deployments on Copper Interfaces................................. 34
Special Cases......................................................................................... 36
Deployment Options........................................................................................... 36
Deploying with a Virtual Switch.............................................................. 37
Deploying with a Virtual Router ............................................................. 38
Deploying with Hybrid Interfaces........................................................... 40
Deploying a Gateway VPN ..................................................................... 41
Deploying with Policy-Based NAT.......................................................... 42
Deploying with Access Control.............................................................. 43
Using a Multi-Port Managed Device ................................................................... 48
Complex Network Deployments ........................................................................ 50
Integrating with VPNs ............................................................................ 51
Detecting Intrusions on Other Points of Entry ....................................... 51
Deploying in Multi-Site Environments.................................................... 53
Integrating Managed Devices within Complex Networks ..................... 55
Chapter 3: Installing a Sourcefire 3D System Appliance ....................... 57
Included Items .................................................................................................... 58
Security Considerations ...................................................................................... 58
Identifying the Management Interfaces ............................................................. 58
Sourcefire Defense Center 750 ............................................................. 59
Sourcefire Defense Center 1500 ........................................................... 59
Sourcefire Defense Center 3500 ........................................................... 60
Sourcefire 3D500/1000/2000................................................................. 60
Sourcefire 7000 Series .......................................................................... 60
Sourcefire 8000 Series .......................................................................... 61
Identifying the Sensing Interfaces ...................................................................... 61
Sourcefire 3D500/1000/2000................................................................. 62
Sourcefire 7000 Series .......................................................................... 63
Sourcefire 8000 Series .......................................................................... 67
Using Devices in a Stacked Configuration .......................................................... 74
Connecting the 3D8140 ......................................................................... 75
Connecting the 3D8250/8260/8270/8290.............................................. 75
Using the 8000 Series Stacking Cable................................................... 79
Managing Stacked Devices.................................................................... 79
Installing the Appliance in a Rack ....................................................................... 80
Redirecting Console Output ............................................................................... 82
Testing an Inline Bypass Interface Installation .................................................... 83
Chapter 4: Setting Up a Sourcefire 3D System Appliance ..................... 86
Understanding the Setup Process ...................................................................... 87
Setting Up a Series 2 Appliance or Series 3 Defense Center ................ 88
Setting Up a Series 3 Device ................................................................. 89
Configuring Network Settings Using a Script ..................................................... 90
Performing Initial Setup on a Series 3 Device Using the CLI .............................. 91
Registering a Series 3 Device to a Defense Center Using the CLI........ 92
Initial Setup Page: Devices ................................................................................. 93
Initial Setup Page: Defense Centers ................................................................. 100
Next Steps ........................................................................................................ 109
Chapter 5: Using the LCD Panel on a Series 3 Device .......................... 111
Understanding LCD Panel Components ........................................................... 112
Using the LCD Multi-Function Keys.................................................................. 113
Idle Display Mode ............................................................................................. 114
Network Configuration Mode ........................................................................... 115
Allowing Network Reconfiguration Using the LCD Panel ..................... 117
System Status Mode ........................................................................................ 118
Information Mode ............................................................................................. 119
Error Alert Mode ............................................................................................... 121
Chapter 6: Hardware Specifications........................................................ 122
Rack and Cabinet Mounting Options ................................................................ 122
Sourcefire Defense Centers ............................................................................. 123
Sourcefire DC750 ................................................................................ 123
Sourcefire DC1500 .............................................................................. 129
Sourcefire DC3500 .............................................................................. 135
Sourcefire Series 2 Devices.............................................................................. 142
Sourcefire 3D500, 3D1000 and 3D2000 Devices ................................ 142
3D500/1000/2000 Physical and Environmental Parameters ................ 145
Sourcefire 7000 Series Devices ....................................................................... 146
Sourcefire 3D7010, 3D7020, and 3D7030 ........................................... 146
Sourcefire 3D7110 and 3D7120 ........................................................... 153
Sourcefire 3D7115 and 3D7125 ........................................................... 162
Sourcefire 8000 Series Devices ....................................................................... 172
8000 Series Chassis Front View .......................................................... 173
8000 Series Chassis Rear View........................................................... 178
8000 Series Physical and Environmental Parameters .......................... 181
8000 Series Modules........................................................................... 185
Chapter 7: Restoring a Sourcefire Appliance to Factory Defaults...... 198
Before You Begin .............................................................................................. 198
Configuration and Event Backup Guidelines ........................................ 199
Traffic Flow During the Restore Process.............................................. 199
Understanding the Restore Process ................................................................. 199
Obtaining the Restore ISO and Update Files .................................................... 201
Beginning the Restore Process ........................................................................ 203
Starting the Restore Utility Using KVM or Physical Serial.................... 203
Starting the Restore Utility Using Lights-Out Management ................ 205
Using the Interactive Menu to Restore an Appliance ....................................... 207
Identifying the Appliance’s Management Interface ............................. 209
Specifying ISO Image Location and Transport Method ....................... 210
Updating System Software and Intrusion Rules During Restore ......... 211
Downloading the ISO and Update Files and Mounting the Image ...... 212
Invoking the Restore Process .............................................................. 213
Saving and Loading Restore Configurations ........................................ 215
Restoring a DC1000 or DC3000 Using a CD .................................................... 217
Next Steps ........................................................................................................ 218
Scrubbing the Contents of the Hard Drive........................................................ 219
Setting up Lights-Out Management ................................................................. 219
Enabling LOM and LOM Users............................................................ 221
Installing an IPMI Utility ....................................................................... 222
Chapter 8: Safety and Regulatory Information....................................... 224
General Safety Guidelines ................................................................................ 224
Safety Warning Statements.............................................................................. 226
Regulatory Information ..................................................................................... 229
Sourcefire Defense Center 750/1500/3500 Information ...................... 229
Sourcefire 3D500 Information ............................................................. 230
Sourcefire Series 3 Information ........................................................... 232
Waste Electrical and Electronic Equipment Directive (WEEE) .......................... 238
Appendix A: Power Requirements for Sourcefire Devices ..................... 240
Warnings and Cautions..................................................................................... 240
Interface Connections.......................................................................... 240
Static Control ....................................................................................... 241
3D7010/7020/7030............................................................................................ 241
Installation............................................................................................ 241
Grounding/Earthing Requirements ...................................................... 242
3D7110/7120 and 3D7115/7125 ........................................................................ 243
Installation............................................................................................ 243
Grounding/Earthing Requirements ...................................................... 244
3D8120/8130/8140 and 3D8250/8260/8270/8290 ............................................ 245
AC Installation...................................................................................... 245
DC Installation...................................................................................... 247
Grounding/Earthing Requirements ...................................................... 249
Appendix B: Using SFP Transceivers on a 3D7115 or 3D7125 ................. 251
3D7115 and 3D7125 SFP Sockets and Transceivers ......................................... 251
Inserting an SFP Transceiver............................................................................. 253
Removing an SFP Transceiver........................................................................... 254
Appendix C: Inserting and Removing 8000 Series Modules.................... 255
Module Slots on the 8000 Series Appliances ................................................... 255
81xx Family.......................................................................................... 256
82xx Family.......................................................................................... 256
Included Items .................................................................................................. 257
Identifying the Module Parts ............................................................................ 258
Before You Begin .............................................................................................. 259
Removing a Module or Slot Cover .................................................................... 259
Inserting a Module or Slot Cover ...................................................................... 260
Glossary .....................................................................................................................264
CHAPTER 1: INTRODUCTION TO THE SOURCEFIRE 3D SYSTEM
The Sourcefire 3D® System combines the security of an industry-leading network intrusion protection system with the power to control access to your network based on detected applications, users, and URLs. You can also use Sourcefire appliances to serve in a switched, routed, or hybrid (switched and routed) environment; to perform network address translation (NAT); and to build secure virtual private network (VPN) tunnels among the virtual routers on Sourcefire managed devices, or from managed devices to remote devices or other third-party VPN endpoints.
The Sourcefire Defense Center® provides a centralized management console and database repository for the Sourcefire 3D System. Managed devices installed on network segments monitor traffic for analysis.
Devices in a passive deployment monitor traffic flowing across a network, for example, using a switch SPAN, virtual switch, or mirror port. Passive sensing interfaces receive all traffic unconditionally and no traffic received on these interfaces is retransmitted.
Devices in an inline deployment allow you to protect your network from attacks that might affect the availability, integrity, or confidentiality of hosts on the network. Inline interfaces receive all traffic unconditionally, and traffic received on these interfaces is retransmitted unless explicitly dropped by some configuration in your deployment. Inline devices can be deployed as a simple intrusion prevention system. You can also configure inline devices to perform access control as well as manage network traffic in other ways.
This installation guide provides information about deploying, installing, and setting up Sourcefire appliances (devices and Defense Centers). It also contains hardware specifications and safety and regulatory information for Sourcefire appliances.
TIP! You can host virtual Defense Centers and devices, which can manage and be managed by physical appliances. However, virtual appliances do not support any of the system's hardware-based features: redundancy, switching, routing, and so on. For detailed information, see the Sourcefire 3D System Virtual Installation Guide.
The topics that follow introduce you to the Sourcefire 3D System and describe its key components:
Sourcefire 3D System Appliances on page 9
Sourcefire 3D System Components on page 16
Licensing the Sourcefire 3D System on page 19
Security, Internet Access, and Communication Ports on page 23
Sourcefire 3D System Appliances
A Sourcefire appliance is either a traffic-sensing managed device or a managing Defense Center:
Physical devices are fault-tolerant, purpose-built network appliances available with a range of throughputs and capabilities. Defense Centers serve as central management points for these devices, and automatically aggregate and correlate the events they generate. There are several models of each physical appliance type; these models are further grouped into series and family.
Many Sourcefire 3D System capabilities are appliance dependent. For more information, see the following sections:
Defense Centers on page 9
Managed Devices on page 10
Understanding Appliance Series, Models, and Capabilities on page 10

Defense Centers

The Defense Center provides a centralized management point and event database for your Sourcefire 3D System deployment. Defense Centers, which can be physical or virtual, aggregate and correlate intrusion, file, malware, discovery, connection, and performance data. This allows you to monitor the information that your devices report in relation to one another, and to assess and control the overall activity that occurs on your network.
Key features of the Defense Center include:
device, license, and policy management
display of event and contextual information using tables, graphs, and charts
health and performance monitoring
external notification and alerting
real-time threat response using correlation and remediation features
reporting
For many physical Defense Centers, a high availability (redundancy) feature can help you ensure continuity of operations.

Managed Devices

Physical Sourcefire devices are fault-tolerant, purpose-built network appliances available in a range of throughputs. You can also host virtual devices. Devices deployed passively help you gain insight into your network traffic. Deployed inline, you can use Sourcefire devices to affect the flow of traffic based on multiple criteria. You must manage Sourcefire devices with a Defense Center.
Depending on model and license, managed devices:
gather detailed information about your organization's hosts, operating systems, applications, users, files, networks, and vulnerabilities
block or allow network traffic based on various network-based criteria, as well as other criteria including applications, users, URLs, IP address reputations, and the results of intrusion or malware inspections
have switching, routing, DHCP, NAT, and VPN capabilities, as well as configurable bypass interfaces, fast-path rules, and strict TCP enforcement
have clustering (redundancy) to help you ensure continuity of operations, and stacking to combine resources from multiple devices

Understanding Appliance Series, Models, and Capabilities

Version 5.2 of the Sourcefire 3D System is available on two series of physical appliances, as well as virtual appliances. Many Sourcefire 3D System capabilities are appliance dependent. For more information, see:
Series 2 Appliances on page 11
Series 3 Appliances on page 11
Virtual Appliances on page 12
Appliances Delivered with Version 5.2 on page 12
Supported Capabilities by Appliance Model on page 13
Series 2 Appliances
Series 2 is the second series of Sourcefire physical appliances. Because of resource and architecture limitations, Series 2 devices support a restricted set of Sourcefire 3D System features.
Although Sourcefire does not deliver Version 5.2 on Series 2 appliances other than 3D500/1000/2000 devices, you can restore the following Series 2 devices and Defense Centers to Version 5.2:
3D2100/2500/3500/4500
3D6500
3D9900
DC500/1000/3000
There is no update path from Version 4.10.x to Version 5.2; you must use an ISO image to restore your appliances. Reimaging results in the loss of all configuration and event data on the appliance. You cannot import this data onto an appliance after a reimage. For more information, see Restoring a Sourcefire Appliance to Factory Defaults on page 198.
IMPORTANT! Only reimage your appliances during a maintenance window. Reimaging resets devices in inline deployments to a non-bypass configuration and disrupts traffic on your network. For more information, see Traffic Flow During the Restore Process on page 199.
When running Version 5.2, Series 2 devices automatically have most of the capabilities associated with a Protection license: intrusion detection and prevention, file control, and basic access control. However, Series 2 devices cannot perform Security Intelligence filtering, advanced access control, or advanced malware protection. You also cannot enable other licensed capabilities on a Series 2 device. With the exception of the 3D9900, which supports fast-path rules, stacking, and tap mode, Series 2 devices do not support any of the hardware-based features associated with Series 3 devices: switching, routing, NAT, and so on.
When running Version 5.2, DC1000 and DC3000 Series 2 Defense Centers support all the features of the Sourcefire 3D System; the DC500 has more limited capabilities.
Series 3 Appliances
Series 3 is the third series of Sourcefire physical appliances. All 7000 Series and 8000 Series devices are Series 3 appliances. 8000 Series devices are more powerful and support a few features that 7000 Series devices do not.
Virtual Appliances
You can host 64-bit virtual Defense Centers and devices on VMware ESX/ESXi. Virtual Defense Centers can manage up to 25 physical or virtual devices; physical Defense Centers can manage virtual devices.
Regardless of the licenses installed and applied, virtual appliances do not support any of the system’s hardware-based features: redundancy, switching, routing, and so on. Also, virtual devices do not have web interfaces. For detailed information on virtual appliances, see the Sourcefire 3D System Virtual Installation Guide.
Appliances Delivered with Version 5.2
The following table lists the appliances that Sourcefire delivers with Version 5.2 of the Sourcefire 3D System.
Version 5.2 Sourcefire Appliances
MODELS/FAMILY | SERIES | TYPE
Series 2 devices: 3D500, 3D1000, and 3D2000 | Series 2 | device
70xx Family: 3D7010, 3D7020, and 3D7030 | Series 3 (7000 Series) | device
71xx Family: 3D7110, 3D7115, 3D7120, and 3D7125 | Series 3 (7000 Series) | device
81xx Family: 3D8120/8130/8140 | Series 3 (8000 Series) | device
82xx Family: 3D8250, 3D8260, 3D8270, and 3D8290 | Series 3 (8000 Series) | device
virtual devices | none | device
Series 3 Defense Centers: DC750/1500/3500 | Series 3 | Defense Center
virtual Defense Centers | none | Defense Center
Although Sourcefire does not deliver Version 5.2 on Series 2 appliances other than 3D500, 3D1000, and 3D2000 devices, you can reimage the following Series 2 devices and Defense Centers to Version 5.2:
3D2100/2500/3500/4500
3D6500
3D9900
DC500/1000/3000
Reimaging results in the loss of all configuration and event data on the appliance. See Restoring a Sourcefire Appliance to Factory Defaults on page 198 for more information.
Supported Capabilities by Appliance Model
Many Sourcefire 3D System capabilities are appliance dependent. The table below matches the major capabilities of the system with the appliances that support those capabilities, assuming you have the correct licenses installed and applied. For a brief summary of these features and licenses, see Supported Capabilities by Appliance Model on page 13 and Licensing the Sourcefire 3D System on page 19.
The Defense Center column for device-based capabilities (such as stacking, switching, and routing) indicates whether that Defense Center can manage and configure devices to perform their functions. For example, you can use a Series 2 DC1000 to manage NAT on Series 3 devices. Also, a blank cell means the feature is unsupported, while n/a marks certain Defense Center-based features that are not relevant to managed devices.
Supported Capabilities by Appliance Model
Columns: FEATURE | SERIES 2 DEVICE | SERIES 2 DEFENSE CENTER | SERIES 3 DEVICE | SERIES 3 DEFENSE CENTER | VIRTUAL DEVICE | VIRTUAL DEFENSE CENTER
Rows, with the cell text that survives in this copy (the supported/unsupported check marks are not recoverable):
network discovery: host, application, and user
geolocation data: Series 2 Defense Center: DC1000, DC3000
intrusion detection and prevention (IPS)
Security Intelligence filtering
access control: basic network control
access control: applications
access control: users: Series 2 Defense Center: DC1000, DC3000
access control: literal URLs
access control: URL filtering by category and reputation: Series 2 Defense Center: DC1000, DC3000
file control: by file type
network-based advanced malware protection (AMP): Series 2 Defense Center: DC1000, DC3000
FireAMP integration: n/a for the Series 2, Series 3, and virtual device columns
fast-path rules: Series 2 device: 3D9900; Series 3 device: 8000 Series
strict TCP enforcement
configurable bypass interfaces: Series 2 device: except (model list lost in this copy); Series 3 device: where hardware limited
tap mode: Series 2 device: 3D9900
switching and routing
NAT policies
VPN
high availability: n/a for the device columns; Series 2 Defense Center: DC1000, DC3000; Series 3 Defense Center: DC1500, DC3500
device stacking: Series 2 device: 3D9900; Series 3 device: 3D8140, 82xx Family; virtual device: n/a
device clustering
clustered stacks: Series 3 device: 3D8140, 82xx Family
interactive CLI
Series 3 Device Chassis Designations
The following section lists the 7000 Series and 8000 Series devices and their respective chassis hardware codes. The chassis code appears on the regulatory label on the outside of the chassis, and is the official reference code for hardware certifications and safety.
7000 Series Chassis Designations
The 7000 Series Chassis Models table lists the chassis designations for the 7000 Series models available world-wide.
7000 Series Chassis Models
3D DEVICE MODEL | HARDWARE CHASSIS CODE
3D7010, 3D7020, and 3D7030 | CHRY-1U-AC
3D7110 and 3D7120 (Copper) | GERY-1U-8-C-AC
3D7110 and 3D7120 (Fiber) | GERY-1U-8-FM-AC
3D7115 and 3D7125 | GERY-1U-4C8S-AC
8000 Series Chassis Designations
The 8000 Series Chassis Models table lists the chassis designations for the 8000 Series models available world-wide.
8000 Series Chassis Models
3D DEVICE MODEL | HARDWARE CHASSIS CODE
3D8120, 3D8130, and 3D8140 (AC power) | CHAS-1U-AC
3D8120, 3D8130, and 3D8140 (DC power) | CHAS-1U-DC
3D8250, 3D8260, 3D8270, and 3D8290 (AC power) | CHAS-2U-AC
3D8250, 3D8260, 3D8270, and 3D8290 (DC power) | CHAS-2U-DC

Sourcefire 3D System Components

The sections that follow describe some of the key capabilities of the Sourcefire 3D System that contribute to your organization’s security, acceptable use policy, and traffic management strategy.
TIP! Many Sourcefire 3D System capabilities are appliance model, license, and user role dependent. Where needed, Sourcefire documentation outlines the requirements for each feature and task.
Redundancy and Resource Sharing
The redundancy and resource-sharing features of the Sourcefire 3D System allow you to ensure continuity of operations and to combine the processing resources of multiple physical devices:
- Defense Center high availability allows you to designate redundant DC1000, DC1500, DC3000, or DC3500 Defense Centers to manage devices.
- Device stacking allows you to increase the amount of traffic inspected on a network segment by connecting two to four physical devices in a stacked configuration.
- Device clustering allows you to establish redundancy of networking functionality and configuration data between two or more Series 3 devices or stacks.
Network Traffic Management
The Sourcefire 3D System’s network traffic management features allow Series 3 devices to act as part of your organization’s network infrastructure. You can:
- configure a Layer 2 deployment to perform packet switching between two or more network segments
- configure a Layer 3 deployment to route traffic between two or more interfaces
- perform network address translation (NAT)
- build secure VPN tunnels from virtual routers on managed devices to remote devices or other third-party VPN endpoints
FireSIGHT
FireSIGHT™ is Sourcefire’s discovery and awareness technology that collects information about hosts, operating systems, applications, users, files, networks, geolocation information, and vulnerabilities, in order to provide you with a complete view of your network.
You can use the Defense Center’s web interface to view and analyze data collected by FireSIGHT. You can also use this data to help you perform access control and modify intrusion rule states.
Access Control
Access control is a policy-based feature that allows you to specify, inspect, and log the traffic that traverses your network. As part of access control, the Security Intelligence feature allows you to blacklist—deny traffic to and from—specific IP addresses before the traffic is subjected to deeper analysis.
After Security Intelligence filtering occurs, you can define which traffic is handled by targeted devices and how, from simple IP address matching to complex scenarios involving different users, applications, ports, and URLs. You can trust, monitor, or block traffic, or perform further analysis, such as:
- intrusion detection and prevention
- file control
- file tracking and network-based advanced malware protection (AMP)
Intrusion Detection and Prevention
Intrusion detection and prevention is a policy-based feature, integrated into access control, that allows you to monitor your network traffic for security violations and, in inline deployments, to block or alter malicious traffic. An intrusion policy contains a variety of components, including:
- rules that inspect the protocol header values, payload content, and certain packet size characteristics
- rule state configuration based on FireSIGHT recommendations
- advanced settings, such as preprocessors and other detection and performance features
- preprocessor rules that allow you to generate events for associated preprocessors and preprocessor options
File Tracking, Control, and Malware Protection
To help you identify and mitigate the effects of malware, the Sourcefire 3D System’s file control, network file trajectory, and advanced malware protection components can detect, track, and optionally block the transmission of files (including malware files) in network traffic.
File control is a policy-based feature, integrated into access control, that allows managed devices to detect and block your users from uploading (sending) or downloading (receiving) files of specific types over specific application protocols.
Network-based advanced malware protection (AMP) allows the system to inspect network traffic for malware in specific types of files. When a managed device detects one of these file types, the Defense Center obtains the file’s disposition from the Sourcefire cloud. The managed device uses this information to track and then block or allow the file.
FireAMP is Sourcefire’s enterprise-class, endpoint-based AMP solution. If your organization has a FireAMP subscription, individual users install FireAMP Connectors on their computers and mobile devices. These lightweight agents communicate with the Sourcefire cloud, which in turn communicates with the Defense Center. In this way, you can use the Defense Center to view malware detection and quarantines on the endpoints in your organization, as well as to track the malware’s trajectory.
Application Programming Interfaces
There are several ways to interact with the system using application programming interfaces (APIs):
- The Event Streamer (eStreamer) allows you to stream several kinds of event data from a Sourcefire appliance to a custom-developed client application.
- The database access feature allows you to query several database tables on a Defense Center, using a third-party client that supports JDBC SSL connections.
- The host input feature allows you to augment the information in the network map by importing data from third-party sources using scripts or command-line files.
- Remediations are programs that your Defense Center can automatically launch when certain conditions on your network are met. This can not only automatically mitigate attacks when you are not immediately available to address them, but can also ensure that your system remains compliant with your organization’s security policy.

Licensing the Sourcefire 3D System
You can license a variety of features to create an optimal Sourcefire 3D System deployment for your organization. You must use the Defense Center to control licenses for itself and the devices it manages.
Sourcefire recommends you add the licenses your organization has purchased during the initial setup of your Defense Center. Otherwise, any devices you register during initial setup are added to the Defense Center as unlicensed. You must then enable licenses on each device individually after the initial setup process is over. For more information, see Setting Up a Sourcefire 3D System Appliance on page 86.
A FireSIGHT license is included with each Defense Center purchase, and is required to perform host, application, and user discovery. The FireSIGHT license on your Defense Center also determines how many individual hosts and users you can monitor with the Defense Center and its managed devices, as well as how many users you can use to perform user control. FireSIGHT host and user license limits are model specific, as listed in the following table.
FireSIGHT Limits by Defense Center Model
DEFENSE CENTER MODEL | FIRESIGHT HOST AND USER LIMIT
DC500 | 1000 (no user control)
DC750 | 2000
DC1000 | 20,000
DC1500 | 50,000
DC3000 | 100,000
DC3500 | 300,000
If your Defense Center was previously running Version 4.10.x, you may be able to use legacy RNA Host and RUA User licenses instead of a FireSIGHT license. For more information, see Using Legacy RNA Host and RUA User Licenses on page 22.
Additional model-specific licenses allow your managed devices to perform a variety of functions, as follows:
Protection
A Protection license allows managed devices to perform intrusion detection and prevention, file control, and Security Intelligence filtering.
Control
A Control license allows managed devices to perform user and application control. It also allows devices to perform switching and routing (including DHCP relay), NAT, and to cluster devices and stacks. A Control license requires a Protection license.
URL Filtering
A URL Filtering license allows managed devices to use regularly updated cloud-based category and reputation data to determine which traffic can traverse your network, based on the URLs requested by monitored hosts. A URL Filtering license requires Protection and Control licenses.
Malware
A Malware license allows managed devices to perform network-based advanced malware protection (AMP), that is, to detect and block malware in files transmitted over your network. It also allows you to view trajectories, which track files transmitted over your network. A Malware license requires a Protection license.
VPN
A VPN license allows you to build secure VPN tunnels among the virtual routers on Sourcefire managed devices, or from managed devices to remote devices or other third-party VPN endpoints. A VPN license requires Protection and Control licenses.
Because of architecture and resource limitations, not all licenses can be applied to all managed devices. In general, you cannot license a capability that a device does not support; see Supported Capabilities by Appliance Model on page 13.
The following table summarizes which licenses you can add to your Defense Center and apply to each device model. The Defense Center rows (for all licenses except FireSIGHT) indicate whether that Defense Center can manage devices using those licenses. For example, you can use a Series 2 DC1000 to create a VPN deployment using Series 3 devices, but you cannot use a DC500 to perform category and reputation-based URL filtering, regardless of the devices it manages. Also, a blank cell means the license is unsupported, while n/a marks Defense Center-based licenses that are not relevant to managed devices.
Supported Licenses by Model
The table has one column for each license: FireSIGHT, Protection, Control, URL Filtering, Malware, and VPN. The check marks showing which licenses each model accepts did not survive extraction; the qualifications that accompanied them are kept below.
MODELS | QUALIFICATIONS NOTED IN THE TABLE
Series 2 devices: 3D500/1000/2000, 3D2100/2500/3500/4500, 3D6500, 3D9900 | FireSIGHT: n/a; Protection: automatic, no Security Intelligence
Series 3 devices: 7000 Series, 8000 Series | FireSIGHT: n/a
virtual devices | FireSIGHT: n/a; Control: no support for hardware features
DC500 (Series 2 Defense Center) | no Security Intelligence; no user control
DC1000/3000 (Series 2 Defense Centers) |
DC750/1500/3500 (Series 3 Defense Centers) |
virtual Defense Centers |
In addition to the information in the table, note that:
- Series 2 devices automatically have Protection capabilities, with the exception of Security Intelligence filtering.
- Although you can enable a Control license on a virtual device, a virtual device does not support any of the hardware-based features granted by that license, such as switching or routing.
- Although the DC500 can manage devices with Protection and Control licenses, you cannot perform Security Intelligence filtering or user control.
For detailed information on licensing, see the Licensing the Sourcefire 3D System chapter in the Sourcefire 3D System User Guide.

Using Legacy RNA Host and RUA User Licenses

In Version 4.10.x of the Sourcefire 3D System, RNA Host and RUA User feature licenses determined your monitored host and user limits, respectively. If your Defense Center was previously running Version 4.10.x, you can use your legacy host and user licenses instead of a FireSIGHT license.
Version 5.2 Defense Centers using legacy licenses use the RNA Host limit as the FireSIGHT host limit and the RUA User limit as both the FireSIGHT user and authoritative user limit. The FireSIGHT Host License Limit health module alerts appropriately for your licensed limit.
Note that RNA Host and RUA User limits are cumulative. That is, you can add multiple licenses of each type to the Defense Center to monitor the total number of hosts or users allowed by the licenses.
If you later add a FireSIGHT license, the Defense Center uses the higher of the limits. For example, the FireSIGHT license on the DC1500 supports up to 50,000 hosts and users. If the RNA Host limit on your Version 4.10.x DC1500 was higher than 50,000, using that legacy host license on the same Defense Center running Version 5.2 gives you the higher limit. For your convenience, the web interface displays only the licenses that represent the higher limits.
IMPORTANT! Because FireSIGHT license limits are matched to the hardware capabilities of Defense Centers, Sourcefire does not recommend exceeding them when using legacy licensing. For guidance, contact Sourcefire Support.
Because there is no update path from Version 4.10.x to Version 5.2, you must use an ISO image to “restore” the Defense Center. Note that reimaging results in the loss of all configuration and event data on the appliance. You cannot import this data onto an appliance after a reimage. For more information, see Restoring a Sourcefire Appliance to Factory Defaults on page 198.
IMPORTANT! Only reimage your appliances during a maintenance window. Reimaging resets devices in an inline deployment to a non-bypass configuration and disrupts traffic on your network until you reconfigure bypass mode. For more information, see Traffic Flow During the Restore Process on page 199.
During the restore process, you are prompted to delete license and network settings. Keep these settings, although you can re-add them later if you accidentally delete them. Note that Version 5.2 Defense Centers cannot manage Version 4.10.x devices. You can, however, restore and update supported Version 4.10.x devices to the latest version. For more information, see Restoring a Sourcefire Appliance to Factory Defaults on page 198.

Security, Internet Access, and Communication Ports
To safeguard the Defense Center, you must install the Defense Center on a protected internal network. Although the Defense Center is configured to have only the necessary services and ports available, you must make sure that attacks cannot reach it from outside the firewall.
If the Defense Center and the managed device reside on the same network, you can connect the management interface on the device to the same protected internal network as the Defense Center. This allows you to securely control the device from the Defense Center and aggregate the event data generated on the managed device’s network segment. By using the Defense Center’s filtering capabilities, you can analyze and correlate data from attacks across your network to evaluate how well your security policies are being implemented.
Note, however, that Sourcefire appliances are configured to directly connect to the Internet. Specific features of the Sourcefire 3D System require this direct connection, and others support use of a proxy server. Additionally, the system requires that certain ports remain open for basic intra-appliance communication, as well as to allow you to access appliances’ web interfaces. By default, several other ports are open to allow the system to take advantage of additional features and functionality.
For more information, see:
Internet Access Requirements on page 23
Open Communication Ports Requirements on page 24
Internet Access Requirements

By default, Sourcefire appliances are configured to directly connect to the Internet. Specific features of the Sourcefire 3D System require this direct connection, while others support use of a proxy server; see the Sourcefire 3D System User Guide.
TIP! You can manually upload system software, intrusion rule, GeoDB, and VDB updates to appliances.
To ensure continuity of operations, both Defense Centers in a high availability pair must have Internet access. For specific features, the primary Defense Center contacts the Internet, then shares information with the secondary during the synchronization process. Therefore, if the primary fails, you should promote the secondary to primary as described in the Managing Devices chapter in the Sourcefire 3D System User Guide.
The following table describes the Internet access requirements of the Sourcefire 3D System.
Sourcefire 3D System Internet Access Requirements
The table's PROXY? column, which marks the features that can use a proxy server, did not survive extraction.
FOR... | INTERNET ACCESS IS REQUIRED TO... | HIGH AVAILABILITY CONSIDERATIONS
RSS Feed dashboard widget | download RSS feed data from an external source, including Sourcefire. | Feed data is not synchronized.
Security Intelligence feeds | download Security Intelligence feed data from an external source, including the Sourcefire Intelligence Feed. | The primary Defense Center downloads feed data and shares it with the secondary. In case of primary failure, you must switch roles.
URL filtering | download cloud-based URL category and reputation data for access control, and perform lookups for uncategorized URLs. | The primary Defense Center downloads URL filtering data and shares it with the secondary. In case of primary failure, you must switch roles.
malware cloud lookups (Malware licensed) | perform cloud lookups to determine if files detected in network traffic contain malware. | Paired Defense Centers perform cloud lookups independently, although file policies are synchronized.
FireAMP integration (FireAMP subscription) | receive endpoint-based malware events from the Sourcefire cloud. | Cloud connections are not synchronized. Configure them on both Defense Centers.
system, intrusion rule, GeoDB, and VDB updates | download or schedule the download of an intrusion rule, GeoDB, VDB, or system update directly to the appliance. | Rule, GeoDB, and VDB updates are synchronized; system updates are not. All appliances that download updates must have Internet access.
obtaining whois information using the IP address context menu | obtain whois information. | Any appliance requesting whois information must have Internet access.

Open Communication Ports Requirements

The Sourcefire 3D System requires that ports 443 (inbound) and 8305 (inbound and outbound) remain open for basic intra-appliance communication, as well as to allow you to access appliances’ web interfaces.
By default, several other ports are open to allow the system to take advantage of additional features and functionality. The following table lists these ports. Note that DHCP is disabled by default on ports 67 and 68.
Sourcefire 3D System Open Communication Ports Requirements
PORTS | DESCRIPTION | PROTOCOL | DIRECTION | OPEN THE PORT TO...
22 | SSH/SSL | TCP | Bidirectional | allow a secure remote connection to the appliance.
25 | SMTP | TCP | Outbound | send email notices and alerts from the appliance.
53 | DNS | TCP | Outbound | use DNS.
67, 68 | DHCP | UDP | Outbound | use DHCP. Disabled by default.
80 | HTTP | TCP | Outbound or Bidirectional | allow the RSS Feed dashboard widget to connect to a remote web server; use for auto-update. Adding inbound access allows the Defense Center to update custom and third-party Security Intelligence feeds via HTTP, and to download URL filtering information.
161, 162 | SNMP | UDP | Bidirectional (161); Outbound (162) | provide access if you enabled SNMP polling (inbound) and SNMP traps (outbound).
389, 636 | LDAP | TCP | Outbound | track user activity and for authentication.
443 | HTTPS/AMQP | TCP | Inbound or Bidirectional | access the appliance. Required. Adding outbound access allows the Defense Center to download or receive software updates, VDB and GeoDB updates, URL filtering information, secure Security Intelligence feeds, and endpoint-based (FireAMP) malware events.
514 | syslog | UDP | Outbound | send alerts to a remote syslog server.
623 | SOL/LOM | UDP | Bidirectional | allow you to perform Lights-Out Management (LOM) using a Serial Over LAN (SOL) connection on a Series 3 appliance.
1500, 2000 | database access | TCP | Inbound | access the Defense Center if external database access is enabled.
1812, 1813 | RADIUS | UDP | Outbound or Bidirectional | use RADIUS. Adding inbound access ensures that RADIUS authentication and accounting function correctly. Ports 1812 and 1813 are the default, but you can configure RADIUS to use other ports instead. For more information, see the Sourcefire 3D System User Guide.
3306 | Sourcefire User Agent | TCP | Inbound | allow communication between the Defense Center and Sourcefire User Agents.
8302 | eStreamer | TCP | Bidirectional | use for an eStreamer client.
8305 | device management | TCP | Bidirectional | communicate between the Defense Center and managed devices. Required.
8307 | Host Input Client API | TCP | Bidirectional | communicate with the Defense Center during client/server authentication.
32137 | malware cloud lookups | TCP | Outbound | allow the Defense Center to perform cloud lookups to determine if a file detected in network traffic contains malware, and to track file trajectories.
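The script below is an added example and is not part of the Sourcefire documentation or product. It transcribes the port table above into data and uses it as an allowlist: it parses socket-listing output in the shape of `ss -lntu` (the sample is constructed, not captured from an appliance), flags listeners the table does not open inbound as well as required ports that are not listening, and emits a default-deny nftables input chain for the management interface. The parsing, audit and rule-generation helpers are illustrative assumptions, not Sourcefire tooling.

```python
"""Audit a Defense Center's listening sockets against the guide's port table.

Added example, not Sourcefire code. PORT_TABLE transcribes the Open
Communication Ports Requirements table; SS_SAMPLE is constructed output in
the shape of `ss -lntu`; the audit and nftables helpers are illustrative.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PortRule:
    port: int
    proto: str      # "tcp" or "udp"
    inbound: bool   # the table's default DIRECTION includes inbound
    required: bool  # marked "Required." in the table
    purpose: str


# inbound is True for Inbound/Bidirectional rows and False for Outbound rows,
# including "Outbound or Bidirectional" rows, where inbound is an opt-in.
PORT_TABLE = (
    PortRule(22, "tcp", True, False, "SSH"),
    PortRule(25, "tcp", False, False, "SMTP alerts"),
    PortRule(53, "tcp", False, False, "DNS"),
    PortRule(67, "udp", False, False, "DHCP (disabled by default)"),
    PortRule(68, "udp", False, False, "DHCP (disabled by default)"),
    PortRule(80, "tcp", False, False, "HTTP feeds and auto-update"),
    PortRule(161, "udp", True, False, "SNMP polling"),
    PortRule(162, "udp", False, False, "SNMP traps"),
    PortRule(389, "tcp", False, False, "LDAP"),
    PortRule(636, "tcp", False, False, "LDAPS"),
    PortRule(443, "tcp", True, True, "HTTPS web interface"),
    PortRule(514, "udp", False, False, "syslog"),
    PortRule(623, "udp", True, False, "SOL/LOM on Series 3"),
    PortRule(1500, "tcp", True, False, "external database access"),
    PortRule(2000, "tcp", True, False, "external database access"),
    PortRule(1812, "udp", False, False, "RADIUS authentication"),
    PortRule(1813, "udp", False, False, "RADIUS accounting"),
    PortRule(3306, "tcp", True, False, "Sourcefire User Agent"),
    PortRule(8302, "tcp", True, False, "eStreamer"),
    PortRule(8305, "tcp", True, True, "device management"),
    PortRule(8307, "tcp", True, False, "Host Input Client API"),
    PortRule(32137, "tcp", False, False, "malware cloud lookups"),
)

EXPECTED_INBOUND = {(r.proto, r.port) for r in PORT_TABLE if r.inbound}
REQUIRED_INBOUND = {(r.proto, r.port) for r in PORT_TABLE if r.required}

# Constructed sample in `ss -lntu` layout; the 8080 listener is the anomaly.
SS_SAMPLE = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:8305      0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:3306    0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:8080      0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:161       0.0.0.0:*
"""


def parse_ss(output):
    """Return {(proto, port)} for sockets bound to a non-loopback address.
    Loopback-only listeners are not reachable from the network, so they are
    not an exposure and are skipped."""
    listeners = set()
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header or unrelated line
        addr, _, port = fields[4].rpartition(":")
        if addr.strip("[]") in ("127.0.0.1", "::1"):
            continue
        listeners.add((fields[0], int(port)))
    return listeners


def audit(listeners):
    """"unexpected" is anything listening that the table does not open
    inbound; "missing_required" means 443 or 8305 is down and management
    of or access to the appliance will fail."""
    return {
        "unexpected": sorted(listeners - EXPECTED_INBOUND),
        "missing_required": sorted(REQUIRED_INBOUND - listeners),
    }


def nft_inbound_rules(enabled):
    """Emit an nftables input chain that drops by default and accepts only
    the table entries in `enabled`, a set of (proto, port) pairs."""
    lines = [
        "chain input {",
        "  type filter hook input priority 0; policy drop;",
        "  ct state established,related accept",
        "  iif lo accept",
    ]
    for proto, port in sorted(enabled):
        if (proto, port) not in EXPECTED_INBOUND:
            raise ValueError(f"{proto}/{port} is not an inbound port in the table")
        lines.append(f"  {proto} dport {port} accept")
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(audit(parse_ss(SS_SAMPLE)))
    print(nft_inbound_rules(REQUIRED_INBOUND | {("tcp", 22)}))
```

Against the sample the audit reports the rogue 8080 listener and nothing missing; the loopback-only 3306 socket is deliberately ignored because it is not reachable from the network. Treat the table as an allowlist rather than a list of ports to open: 1500/2000, 3306, 8302 and 8307 belong in `enabled` only when external database access, User Agents, eStreamer or host input are actually in use, and the generated chain rejects anything the table does not open inbound.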
CHAPTER 2

UNDERSTANDING DEPLOYMENT

The Sourcefire 3D System can be deployed to accommodate the needs of each unique network architecture. The Defense Center provides a centralized management console and database repository for the Sourcefire 3D System. Devices are installed on network segments to collect traffic connections for analysis.
Devices in a passive deployment monitor traffic flowing across a network using a switch SPAN, virtual switch, or mirror port to collect data about the nature of the traffic traversing your network. Devices in an inline deployment allow you to monitor your network for attacks that might affect the availability, integrity, or confidentiality of hosts on the network. A device can be deployed in an inline, switched, routed, or hybrid (Layer 2/Layer3) environment.
To learn more about your deployment options, see the following sections:
- Understanding Deployment Options on page 28 provides some factors to consider when designing your deployment.
- Understanding Interfaces on page 28 explains the differences between interfaces and how they function in your deployment.
- Connecting Devices to Your Network on page 32 describes how to use a hub, span, and network tap in your deployment.
- Deployment Options on page 36 describes a basic deployment and identifies the primary functional locations within it.
- Deploying with Access Control on page 43 describes the advantages of using access control in an inline deployment.
- Using a Multi-Port Managed Device on page 48 explains how to use a managed device for multiple networks or as a virtual router or virtual switch in your network deployment.
- Complex Network Deployments on page 50 explains advanced deployment scenarios, such as using a VPN or having multiple entry points.
For additional information about deployments, consult the Best Practices Guide, available from the Sourcefire sales department.
Understanding Deployment Options
Your deployment decisions will be based on a variety of factors. Answering these questions can help you understand the vulnerable areas of your network and clarify your intrusion detection and prevention needs:
- Will you be deploying your managed device with passive or inline interfaces? Does your device support a mix of interfaces, some passive and others inline? See Understanding Interfaces on page 28 for more information.
- How will you connect the managed devices to the network? Hubs? Taps? Spanning ports on switches? Virtual switches? See Connecting Devices to Your Network on page 32 for more information.
- Do you want to detect every attack on your network, or do you only want to know about attacks that penetrate your firewall? Do you have specific assets on your network such as financial, accounting, or personnel records, production code, or other sensitive, protected information that require special security policies? See Deployment Options on page 36 for more information.
- Do you provide VPN or modem access for remote workers? Do you have remote offices that also require an IPS deployment? Do you employ contractors or other temporary employees? Are they restricted to specific network segments? Do you integrate your network with the networks of other organizations such as customers, suppliers, or business partners? See Complex Network Deployments on page 50 for more information.

Understanding Interfaces

The sections that follow describe how different interfaces affect the capabilities of the Sourcefire 3D System. In addition to passive and inline interfaces, you can also have routed, switched, and hybrid interfaces. See the following sections for more information:
Passive Interfaces on page 29
Inline Interfaces on page 29
Switched Interfaces on page 30
Routed Interfaces on page 31
Hybrid Interfaces on page 32

Passive Interfaces

You can configure a passive IPS deployment to monitor traffic flowing across a network using a switch SPAN, virtual switch, or mirror port, allowing traffic to be copied from other ports on the switch. Passive interfaces allow you to inspect traffic within the network without being in the flow of network traffic. When configured in a passive deployment, the system cannot take certain actions such as blocking or shaping traffic. Passive interfaces receive all traffic unconditionally and do not retransmit received traffic.
LICENSE: Any    SUPPORTED DEVICES: Any
You can configure one or more physical ports on a managed device as passive interfaces. For more information, see Connecting Devices to Your Network on page 32.

Inline Interfaces

LICENSE: Any    SUPPORTED DEVICES: Any
You configure an inline IPS deployment transparently on a network segment by binding two ports together. Inline interfaces allow you to install a device in any network configuration without reconfiguring adjacent network devices. Inline interfaces receive all traffic unconditionally, then retransmit all traffic received on these interfaces except traffic explicitly dropped.
You can configure one or more physical ports on a managed device as inline interfaces. You must assign a pair of inline interfaces to an inline set before they can handle traffic in an inline deployment.
IMPORTANT! If you configure an interface as an inline interface, the adjacent port on its NetMod automatically becomes an inline interface as well to complete the pair.
Configurable bypass inline sets allow you to select how your traffic is handled if your hardware fails completely (for example, the device loses power). You may determine that connectivity is critical on one network segment, and, on another network segment, you cannot permit uninspected traffic. Using configurable bypass inline sets, you can manage the flow of your network traffic in one of the following ways:
- Bypass: an interface pair configured for bypass allows all traffic to flow if the device fails. The traffic bypasses the device and any inspection or other processing by the device. Bypass allows uninspected traffic across the network segment, but ensures that network connectivity is maintained.
- Non-bypass: an interface pair configured for non-bypass stops all traffic if the device fails. Traffic that reaches the failed device does not enter the device. Non-bypass does not permit traffic to pass uninspected, but the network segment loses connectivity if the device fails. Use non-bypass interfaces in deployment situations where network security is more important than loss of traffic.
Configure the inline set as bypass to ensure that traffic continues to flow if your device fails. Configure the inline set as non-bypass to stop traffic if the device fails. Note that reimaging resets appliances in bypass mode to a non-bypass configuration and disrupts traffic on your network until you reconfigure bypass mode. For more information, see Traffic Flow During the Restore Process on page 199.
All appliances can contain configurable bypass interfaces. The 8000 Series appliances can also contain NetMods with interfaces that cannot be configured for bypass. For more information on NetMods, see 8000 Series Modules on page 185.
Advanced options vary by appliance and can include tap mode, propagate link state, transparent inline mode, and strict TCP mode. For information on how to configure your inline interface sets, see Configuring Inline Sets in the Sourcefire 3D System User Guide. For more information on using inline interfaces, see Connecting Devices to Your Network on page 32.

Switched Interfaces

LICENSE: Control    SUPPORTED DEVICES: Series 3
You can configure switched interfaces on a managed device in a Layer 2 deployment to provide packet switching between two or more networks. You can also configure virtual switches on managed devices to operate as standalone broadcast domains, dividing your network into logical segments. A virtual switch uses the media access control (MAC) address from a host to determine where to send packets.
Switched interfaces can have either a physical or logical configuration:
- Physical switched interfaces are physical interfaces with switching configured. Use physical switched interfaces to handle untagged VLAN traffic.
- Logical switched interfaces are an association between a physical interface and a VLAN tag. Use logical interfaces to handle traffic with designated VLAN tags.
Virtual switches can operate as standalone broadcast domains, dividing your network into logical segments. A virtual switch uses the media access control (MAC) address from a host to determine where to send packets. When you configure a virtual switch, the switch initially broadcasts packets through every available port on the switch. Over time, the switch uses tagged return traffic to learn which hosts reside on the networks connected to each port.
You can configure your device as a virtual switch and use the remaining interfaces to connect to network segments you want to monitor. To use a virtual switch on your device, create physical switched interfaces and then follow the instructions for Setting Up Virtual Switches in the Sourcefire 3D System User Guide.

Routed Interfaces

LICENSE: Control
SUPPORTED DEVICES: Series 3
You can configure routed interfaces on a managed device in a Layer 3 deployment so that it routes traffic between two or more interfaces. You must assign an IP address to each interface and assign the interfaces to a virtual router to route traffic.
You can configure routed interfaces for use with a gateway virtual private network (gateway VPN) or with network address translation (NAT). For more information, see Deploying a Gateway VPN on page 41 and Deploying with Policy-Based NAT on page 42.
You can also configure the system to route packets by making packet forwarding decisions according to the destination address. Interfaces configured as routed interfaces receive and forward the Layer 3 traffic. Routers obtain the destination from the outgoing interface based on the forwarding criteria, and access control rules designate the security policies to be applied.
Routed interfaces can have either a physical or logical configuration:
Physical routed interfaces are physical interfaces with routing configured. Use physical routed interfaces to handle untagged VLAN traffic.
Logical routed interfaces are an association between a physical interface and a VLAN tag. Use logical interfaces to handle traffic with designated VLAN tags.
To use routed interfaces in a Layer 3 deployment, you must configure virtual routers and assign routed interfaces to them. A virtual router is a group of routed interfaces that route Layer 3 traffic.
You can configure your device as a virtual router and use the remaining interfaces to connect to network segments you want to monitor. You can also enable strict TCP enforcement for maximum TCP security. To use a virtual router on your device, create physical routed interfaces on your device and then follow the instructions for Setting Up Virtual Routers in the Sourcefire 3D System User Guide.

Hybrid Interfaces

LICENSE: Control
SUPPORTED DEVICES: Series 3
You can configure logical hybrid interfaces on managed devices that allow the Sourcefire 3D System to bridge traffic between virtual routers and virtual switches. If IP traffic received on interfaces in a virtual switch is addressed to the MAC address of an associated hybrid logical interface, the system handles it as Layer 3 traffic and either routes or responds to the traffic depending on the destination IP address. If the system receives any other traffic, it handles it as Layer 2 traffic and switches it appropriately.
To create a hybrid interface, you first configure a virtual switch and virtual router, then add the virtual switch and virtual router to the hybrid interface. A hybrid interface that is not associated with both a virtual switch and a virtual router is not available for routing, and does not generate or respond to traffic.
You can configure hybrid interfaces with network address translation (NAT) to pass traffic between networks. For more information, see Deploying with Policy-Based NAT on page 42.
If you want to use hybrid interfaces on your device, define a hybrid interface on the device and then follow the instructions for Setting Up Hybrid Interfaces in the Sourcefire 3D System User Guide.

Connecting Devices to Your Network

You can connect your managed devices to your network in several ways. Configure a hub or network tap using either passive or inline interfaces, or a span port using passive interfaces. The following sections describe supported connection methods and cabling considerations:
Using a Hub on page 33
Using a Span Port on page 33
Using a Network Tap on page 33
Cabling Inline Deployments on Copper Interfaces on page 34
Special Cases on page 36

Using a Hub

An Ethernet hub is a simple way to ensure that the managed device can see all the traffic on a network segment. Most hubs of this type take the IP traffic meant for any of the hosts on the segment and broadcast it to all the devices connected to the hub. Connect the interface set to the hub to monitor all incoming and outgoing traffic on the segment. Using a hub does not guarantee that the detection engine sees every packet on a higher volume network because of the potential of packet collision. For a simple network with low traffic, this is not likely to be a problem. In a high-traffic network, a different option may provide better results. Note that if the hub fails or loses power, the network connection is broken. In a simple network, the network would be down.
Some devices are marketed as hubs but actually function as switches and do not broadcast each packet to every port. If you attach your managed device to a hub, but do not see all the traffic, you may need to purchase a different hub or use a switch with a Span port.

Using a Span Port

Many network switches include a span port that mirrors traffic from one or more ports. By connecting an interface set to the span port, you can monitor the combined traffic from all ports, generally both incoming and outgoing. If you already have a switch that includes this feature on your network, in the proper location, then you can deploy the detection on multiple segments with little extra equipment cost beyond the cost of the managed device. In high-traffic networks, this solution has its limitations. If the span port can handle 200Mbps and each of three mirrored ports can handle up to 100Mbps, then the span port is likely to become oversubscribed and drop packets, lowering the effectiveness of the managed device.

Using a Network Tap

Network taps allow you to passively monitor traffic without interrupting the network flow or changing the network topology. Taps are readily available for different bandwidths and allow you to analyze both incoming and outgoing packets on a network segment. Because you can monitor only a single network segment with most taps, they are not a good solution if you want to monitor the traffic on two of the eight ports on a switch. Instead, you would install the tap between the router and the switch and access the full IP stream to the switch.
By design, network taps divide incoming and outgoing traffic into two different streams over two different cables. Managed devices offer multi-port options that recombine the two sides of the conversation so that the entire traffic stream is evaluated by the decoders, the preprocessors, and the detection engine.

Cabling Inline Deployments on Copper Interfaces

If you deploy your device inline on your network and you want to use your device’s bypass capabilities to maintain network connectivity if the device fails, you must pay special attention to how you cable the connections.
If you deploy a device with fiber bypass capable interfaces, there are no special cabling issues beyond ensuring that the connections are securely fastened and the cables are not kinked. However, if you are deploying devices with copper rather than fiber network interfaces, then you must be aware of the device model that you are using, because different device models use different network cards. Note that some 8000 Series NetMods do not allow bypass configuration.
The network interface cards (NICs) in the device support a feature called Auto-Medium Dependent Interface Crossover (Auto-MDI-X), which allows network interfaces to configure automatically whether you use a straight-through or crossover Ethernet cable to connect to another network device. The Devices and Bypass Characteristics table lists the various devices and whether they bypass as straight-through or crossover connections.
Devices and Bypass Characteristics
DEVICE               FAILS OPEN AS...
3D500/1000/2000      straight-through
7000 Series          crossover
8000 Series          crossover
For a managed device that bypasses with a straight-through connection, wire the device as would normally be done with the device live on the network. In most cases you should use one straight-through cable and one crossover cable to connect the device to the two endpoints.
Straight-Through Bypass Connection Cabling
For a managed device that bypasses with a crossover connection, wire the device as would normally be done without a device deployed. The link should work with power to the device removed. In most cases you should use two straight-through cables to connect the device to the two endpoints.
Crossover Bypass Connection Cabling
The Valid Configurations for Hardware Bypass table indicates where you should use crossover or straight-through cables in your hardware bypass configurations. Note that a Layer 2 port functions as a straight-through (MDI) endpoint in the deployment, and a Layer 3 port functions as a crossover (MDIX) endpoint in the deployment. The total crossovers (cables and appliances) should be an odd number for bypass to function properly.
Valid Configurations for Hardware Bypass
ENDPOINT 1   CABLE   MANAGED DEVICE   CABLE   ENDPOINT 2
MDIX         =       =                =       MDI
MDI          X       =                =       MDI
MDI          =       =                X       MDI
MDI          =       =                =       MDIX
MDIX         =       X                =       MDIX
MDI          =       X                =       MDI
MDI          X       X                X       MDI
MDIX         X       X                =       MDI
IMPORTANT! In the Valid Configurations for Hardware Bypass table, = indicates a straight-through cable or managed device bypass connection, and X indicates a crossover cable or managed device bypass connection.
Note that every network environment is likely to be unique, with endpoints that have different combinations of support for Auto-MDI-X. The easiest way to confirm that you are installing your device with the correct cabling is to begin by connecting the device to its two endpoints using one crossover cable and one straight-through cable, but with the device powered down. Ensure that the two endpoints can communicate. If they cannot communicate, then one of the cables is the incorrect type. Switch one (and only one) of the cables to the other type, either straight-through or crossover.
After the two endpoints can successfully communicate with the inline device powered down, power up the device. The Auto-MDI-X feature ensures that the two endpoints will continue to communicate. Note that if you have to replace an inline device, you should repeat the process of ensuring that the endpoints can communicate with the new device powered down to protect against the case where the original device and its replacement have different bypass characteristics.
The Auto-MDI-X setting functions correctly only if you allow the network interfaces to auto-negotiate. If your network environment requires that you turn off the Auto Negotiate option on the Network Interface page, then you must specify the correct MDI/MDIX option for your inline network interfaces. See Configuring Inline Interfaces in the Sourcefire 3D System User Guide for more information.
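The odd-crossover rule and the powered-down cabling check above, as an added Python example (not Sourcefire's code): it encodes the guide's Devices and Bypass Characteristics table and the eight rows of the Valid Configurations for Hardware Bypass table as data and checks a cabling path against the rule. Reading each table row as endpoint 1, cable, managed device, cable, endpoint 2 is an assumption about the extracted layout.

```python
"""Crossover-parity check for hardware-bypass cabling.

Added example, not Sourcefire code. It models the rule stated in this
chapter: a Layer 2 port is an MDI endpoint, a Layer 3 port is an MDIX
endpoint, a crossover cable and a device that fails open as a crossover
each contribute one crossover, and the bypassed link works only when the
total number of crossovers in the path is odd. The device list and the
valid-configuration rows are taken from the guide's two tables."""

# Bypass characteristic per device family (Devices and Bypass Characteristics table).
DEVICE_FAILS_OPEN_AS = {
    "3D500/1000/2000": "straight-through",
    "7000 Series": "crossover",
    "8000 Series": "crossover",
}

# Crossovers contributed by each element of the path.
ENDPOINT_CROSSOVERS = {"MDI": 0, "MDIX": 1}
CABLE_CROSSOVERS = {"=": 0, "X": 1}           # "=" straight-through, "X" crossover
DEVICE_CROSSOVERS = {"straight-through": 0, "crossover": 1, "=": 0, "X": 1}

# The eight rows of the Valid Configurations for Hardware Bypass table, read as
# (endpoint 1, cable, managed device bypass, cable, endpoint 2) (layout assumption).
GUIDE_VALID_CONFIGS = [
    ("MDIX", "=", "=", "=", "MDI"),
    ("MDI", "X", "=", "=", "MDI"),
    ("MDI", "=", "=", "X", "MDI"),
    ("MDI", "=", "=", "=", "MDIX"),
    ("MDIX", "=", "X", "=", "MDIX"),
    ("MDI", "=", "X", "=", "MDI"),
    ("MDI", "X", "X", "X", "MDI"),
    ("MDIX", "X", "X", "=", "MDI"),
]


def crossover_count(endpoint1, cable1, device, cable2, endpoint2):
    """Total crossovers along endpoint1 - cable1 - device - cable2 - endpoint2.

    `device` is "straight-through"/"=" or "crossover"/"X"; pass None for a
    link checked with no device in the path."""
    total = ENDPOINT_CROSSOVERS[endpoint1] + ENDPOINT_CROSSOVERS[endpoint2]
    total += CABLE_CROSSOVERS[cable1] + CABLE_CROSSOVERS[cable2]
    if device is not None:
        total += DEVICE_CROSSOVERS[device]
    return total


def link_works(endpoint1, cable1, device, cable2, endpoint2):
    """A bypassed link carries traffic only when the crossover count is odd."""
    return crossover_count(endpoint1, cable1, device, cable2, endpoint2) % 2 == 1


def all_guide_rows_valid():
    """Every row of the guide's table should satisfy the odd-crossover rule."""
    return all(link_works(*row) for row in GUIDE_VALID_CONFIGS)


def choose_cables(model, endpoint1, endpoint2):
    """Reproduce the guide's cabling procedure for a given device model.

    Start with one crossover and one straight-through cable and the device
    powered down (bypass engaged). If the endpoints cannot communicate,
    swap exactly one cable for the other type. Returns (cable1, cable2)."""
    device = DEVICE_FAILS_OPEN_AS[model]
    cable1, cable2 = "X", "="
    if not link_works(endpoint1, cable1, device, cable2, endpoint2):
        cable1 = "=" if cable1 == "X" else "X"    # flipping one cable flips parity
    return cable1, cable2


def replacement_needs_recheck(old_model, new_model):
    """True when a replacement device fails open differently from the original,
    so the powered-down communication check must be repeated."""
    return DEVICE_FAILS_OPEN_AS[old_model] != DEVICE_FAILS_OPEN_AS[new_model]


if __name__ == "__main__":
    print("guide table consistent with the odd-crossover rule:", all_guide_rows_valid())
    for model in DEVICE_FAILS_OPEN_AS:
        print(model, "between two MDI ports ->", choose_cables(model, "MDI", "MDI"))
```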

Special Cases

Connecting 8000 Series Devices
8000 Series managed devices do not support half duplex network links; they also do not support differences in speed or duplex configurations at opposite ends of a connection. To ensure a stable network link, you must either auto-negotiate on both sides of the connection, or set both sides to the same static speed.
Changing Your Remote Console
When you change your remote console from Physical Serial Port to Lights-Out Management or from Lights-Out Management to Physical Serial Port on 70xx Family devices, you may have to reboot the appliance twice to see the expected LILO boot prompt.
TIP! 3D2100/2500/3500/4500 devices do not have functional serial ports.

Deployment Options

When you place your managed device on a network segment, you can monitor traffic using an intrusion detection system or protect your network from threats using an intrusion prevention system.
You can also deploy your managed device to function as a virtual switch, virtual router, or gateway VPN. Additionally, you can use policies to route traffic or control access to traffic on your network. For more information, see the following sections:
Deploying with a Virtual Switch on page 37
Deploying with a Virtual Router on page 38
Deploying with Hybrid Interfaces on page 40
Deploying a Gateway VPN on page 41
Deploying with Policy-Based NAT on page 42
Deploying with Access Control on page 43

Deploying with a Virtual Switch

LICENSE: Control
SUPPORTED DEVICES: Series 3
You can create a virtual switch on your managed device by configuring inline interfaces as switched interfaces. The virtual switch provides Layer 2 packet switching for your deployment. Advanced options include setting a static MAC address, enabling spanning tree protocol, enabling strict TCP enforcement, and dropping bridge protocol data units (BPDUs) at the domain level. For information on switched interfaces, see Switched Interfaces on page 30.
A virtual switch must contain two or more switched interfaces to handle traffic. For each virtual switch, the system switches traffic only to the set of ports configured as switched interfaces. For example, if you configure a virtual switch with four switched interfaces, when the system receives traffic packets through one port it only broadcasts these packets to the remaining three ports on the switch.
To configure a virtual switch to allow traffic, you configure two or more switched interfaces on a physical port, add and configure a virtual switch, and then assign the virtual switch to the switched interfaces. The system drops any traffic received on an external physical interface that does not have a switched interface waiting for it. If the system receives a packet with no VLAN tag and you have not configured a physical switched interface for that port, it drops the packet. If the system receives a VLAN-tagged packet and you have not configured a logical switched interface, it also drops the packet.
You can define additional logical switched interfaces on the physical port as needed, but you must assign a logical switched interface to a virtual switch to handle traffic.
Virtual switches have the advantage of scalability. When you use a physical switch, you are limited by the number of available ports on the switch. When you replace your physical switch with a virtual switch, you are limited only by your bandwidth and the level of complexity you want to introduce to your deployment.
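The switching behaviour described in this section and under Switched Interfaces, as an added Python simulation (not Sourcefire code): switched-interface matching by port and VLAN tag, the drop cases for unmatched or unassigned interfaces, and flooding limited to the virtual switch's own remaining interfaces until the destination MAC has been learned. Port names, MAC addresses and the topology are constructed.

```python
"""Simulation of virtual-switch forwarding on a managed device.

Added example, not Sourcefire code. Each switched interface is a
(port, VLAN tag) pair: a physical switched interface handles untagged
frames on a port, a logical switched interface handles frames carrying
one VLAN tag. Frames with no matching switched interface, or arriving on
an interface not assigned to a virtual switch, are dropped. A virtual
switch floods only to its own remaining interfaces until it has learned
where a MAC address lives from the traffic that host sends."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Interface = Tuple[str, Optional[int]]        # (physical port, VLAN tag or None)
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class VirtualSwitch:
    name: str
    interfaces: List[Interface] = field(default_factory=list)
    mac_table: Dict[str, Interface] = field(default_factory=dict)   # learned MAC -> interface


@dataclass
class ManagedDevice:
    switches: Dict[str, VirtualSwitch] = field(default_factory=dict)
    # Configured switched interface -> name of its virtual switch (None if unassigned).
    assignments: Dict[Interface, Optional[str]] = field(default_factory=dict)

    def add_switched_interface(self, port: str, vlan: Optional[int] = None,
                               switch: Optional[str] = None) -> Interface:
        iface = (port, vlan)
        self.assignments[iface] = switch
        if switch is not None:
            self.switches.setdefault(switch, VirtualSwitch(switch)).interfaces.append(iface)
        return iface

    def receive(self, port: str, src_mac: str, dst_mac: str, vlan: Optional[int] = None):
        """Process one frame. Returns ("drop", reason) or ("forward", egress interfaces)."""
        iface = (port, vlan)
        if iface not in self.assignments:
            kind = "physical" if vlan is None else f"logical (VLAN {vlan})"
            return "drop", f"no {kind} switched interface on {port}"
        switch_name = self.assignments[iface]
        if switch_name is None:
            return "drop", f"{port}/{vlan} is not assigned to a virtual switch"
        vs = self.switches[switch_name]
        vs.mac_table[src_mac] = iface               # learn the sender's location
        learned = vs.mac_table.get(dst_mac)
        if dst_mac != BROADCAST and learned is not None:
            if learned == iface:
                return "drop", "destination is on the ingress interface"
            return "forward", [learned]             # known host: single egress interface
        # Unknown or broadcast destination: flood the other interfaces of this switch only.
        return "forward", [i for i in vs.interfaces if i != iface]


def build_example_device() -> ManagedDevice:
    """Constructed topology: one virtual switch of four physical interfaces
    (the 172.16.1.0 network in the guide's figure), one virtual switch of two
    VLAN 10 logical interfaces (the 192.168.1.0 network), and one logical
    interface that is configured but not assigned to any switch."""
    dev = ManagedDevice()
    for port in ("s1p1", "s1p2", "s1p3", "s1p4"):
        dev.add_switched_interface(port, switch="vs-172")
    for port in ("s1p5", "s1p6"):
        dev.add_switched_interface(port, vlan=10, switch="vs-192")
    dev.add_switched_interface("s1p7", vlan=10)      # not yet assigned: drops traffic
    return dev


if __name__ == "__main__":
    dev = build_example_device()
    a, b = "00:00:00:00:00:0a", "00:00:00:00:00:0b"
    print(dev.receive("s1p1", a, b))           # unknown b: flooded to s1p2, s1p3, s1p4
    print(dev.receive("s1p2", b, a))           # a already learned: forwarded to s1p1 only
    print(dev.receive("s1p5", a, b))           # untagged on s1p5: no physical interface, dropped
```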
Use a virtual switch where you would use a Layer 2 switch, such as workgroup connectivity and network segmentation. Layer 2 switches are particularly effective where workers spend most of their time on their local segment. Larger deployments (for example, deployments that contain broadcast traffic, Voice-over-IP, or multiple networks) can use virtual switches on smaller network segments of the deployment.
When you deploy multiple virtual switches on the same managed device, you can maintain separate levels of security as dictated by the needs of each network.
Virtual Switches on a Managed Device
In this example, the managed device monitors traffic from two separate networks, 172.16.1.0/20 and 192.168.1.0/24. Although both networks are monitored by the same managed device, the virtual switch passes traffic only to those computers or servers on the same network. Traffic can pass from computer A to computer B through the 172.16.1.0/24 virtual switch (indicated by the blue line) and from computer B to computer A through the same virtual switch (indicated by the green line). Similarly, traffic can pass to and from the file and web servers through the 192.168.1.0/24 virtual switch (indicated by the red and orange lines). However, traffic cannot pass between the computers and the web or file servers because the computers are not on the same virtual switch as the servers.
For more information on configuring switched interfaces and virtual switches, see Setting Up Virtual Switches in the Sourcefire 3D System User Guide.

Deploying with a Virtual Router

LICENSE: Control
SUPPORTED DEVICES: Series 3
You can create a virtual router on a managed device to route traffic between two or more networks, or to connect a private network to a public network (for example, the Internet). The virtual router connects two routed interfaces to provide Layer 3 packet forwarding decisions for your deployment according to the destination address. Optionally, you can enable strict TCP enforcement on the virtual router. For more information on routed interfaces, see Routed Interfaces on page 31. You must use a virtual router with a gateway VPN. For more information, see Deploying a Gateway VPN on page 41.
A virtual router can contain either physical or logical routed configurations from one or more individual devices within the same broadcast domain. You must associate each logical interface with a VLAN tag to handle traffic received by the physical interface with that specific tag. You must assign a logical routed interface to a virtual router to route traffic.
To configure a virtual router, you set up routed interfaces with either physical or logical configurations. You can configure physical routed interfaces for handling untagged VLAN traffic. You can also create logical routed interfaces for handling traffic with designated VLAN tags. The system drops any traffic received on an external physical interface that does not have a routed interface waiting for it. If the system receives a packet with no VLAN tag and you have not configured a physical routed interface for that port, it drops the packet. If the system receives a VLAN-tagged packet and you have not configured a logical routed interface, it also drops the packet.
Virtual routers have the advantage of scalability. Where physical routers limit the number of networks you can connect, multiple virtual routers can be configured on the same managed device. Putting multiple routers on the same device reduces the physical complexity of your deployment, allowing you to monitor and manage multiple routers from one device.
Use a virtual router where you would use a Layer 3 physical router to forward traffic between multiple networks in your deployment, or to connect your private network to a public network. Virtual routers are particularly effective in large deployments where you have many networks or network segments with different security requirements.
When you deploy a virtual router on your managed device, you can use one appliance to connect multiple networks to each other, and to the Internet.
Virtual Routers on a Managed Device
In this example, the managed device contains a virtual router to allow traffic to travel between the computers on network 172.16.1.0/20 and the servers on network 192.168.1.0/24 (indicated by the blue and green lines). A third interface on the virtual router allows traffic from each network to pass to the firewall and back (indicated by the red and orange lines).
For more information, see Setting Up Virtual Routers in the Sourcefire 3D System User Guide.

Deploying with Hybrid Interfaces

LICENSE: Control
SUPPORTED DEVICES: Series 3
You can create a hybrid interface on a managed device to route traffic between Layer 2 and Layer 3 networks using a virtual switch and a virtual router. This provides one interface that can both route local traffic on the switch and route traffic to and from an external network. For best results, configure policy-based NAT on the interface to provide network address translation on the hybrid interface. See Deploying with Policy-Based NAT on page 42.
A hybrid interface must contain one or more switched interfaces and one or more routed interfaces. A common deployment consists of two switched interfaces configured as a virtual switch to pass traffic on a local network and virtual routers to route traffic to networks, either private or public.
To create a hybrid interface, you first configure a virtual switch and virtual router, then add the virtual switch and virtual router to the hybrid interface. A hybrid interface that is not associated with both a virtual switch and a virtual router is not available for routing, and does not generate or respond to traffic.
Hybrid interfaces have the advantage of compactness and scalability. Using a single hybrid interface combines both Layer 2 and Layer 3 traffic routing functions in a single interface, reducing the number of physical appliances in the deployment and providing a single management interface for the traffic.
Use a hybrid interface where you need both Layer 2 and Layer 3 routing functions. This deployment can be ideal for small segments of your deployment where you have limited space and resources.
When you deploy a hybrid interface, you can allow traffic to pass from your local network to an external or public network, such as the Internet, while addressing separate security considerations for the virtual switch and virtual router in the hybrid interface.
Hybrid Interface on a Managed Device
In this example, computer A and computer B are on the same network and communicate using a Layer 2 virtual switch configured on the managed device (indicated by the blue and green lines). A virtual router configured on the managed device provides Layer 3 access to the firewall. A hybrid interface combines the Layer 2 and Layer 3 capabilities of the virtual switch and virtual router to allow traffic to pass from each computer through the hybrid interface to the firewall (indicated by the red and orange lines).
For more information, see Setting Up Hybrid Interfaces in the Sourcefire 3D System User Guide.

Deploying a Gateway VPN

LICENSE: VPN
SUPPORTED DEVICES: Series 3
You can create a gateway virtual private network (gateway VPN) connection to establish a secure tunnel between a local gateway and a remote gateway. The secure tunnel between the gateways protects communication between them.
You configure the Sourcefire 3D System to build secure VPN tunnels from the virtual routers of Sourcefire managed devices to remote devices or other third-party VPN endpoints using the Internet Protocol Security (IPSec) protocol suite. After the VPN connection is established, the hosts behind the local gateway can connect to the hosts behind the remote gateway through the secure VPN tunnel. The VPN endpoints authenticate each other with either the Internet Key Exchange (IKE) version 1 or version 2 protocol to create a security association for the tunnel. The system runs in either IPSec authentication header (AH) mode or the IPSec encapsulating security payload (ESP) mode. Both AH and ESP provide authentication, and ESP also provides encryption.
A gateway VPN can be used in a point-to-point, star, or mesh deployment:
Point-to-point deployments connect two endpoints with each other in a direct one-to-one relationship. Both endpoints are configured as peer devices, and either device can initiate the secured connection. At least one device must be a VPN-enabled managed device.
Use a point-to-point deployment to maintain your network security when a host at a remote location uses public networks to connect to a host in your network.
Star deployments establish a secure connection between a hub and multiple remote endpoints (leaf nodes). Each connection between the hub node and an individual leaf node is a separate VPN tunnel. Typically, the hub node is the VPN-enabled managed device, located at the main office. Leaf nodes are located at branch offices and initiate most of the traffic.
Use a star deployment to connect an organization's main and branch office locations using secure connections over the Internet or other third-party network to provide all employees with controlled access to the organization's network.
Mesh deployments connect all endpoints together by means of VPN tunnels. This offers redundancy in that when one endpoint fails, the remaining endpoints can still communicate with each other.
Use a mesh deployment to connect a group of decentralized branch office locations to ensure that traffic can travel even if one or more VPN tunnels fail. The number of VPN-enabled managed devices you deploy in this configuration controls the level of redundancy.
For more information on gateway VPN configuration and deployments, see Gateway VPN in the Sourcefire 3D System User Guide.

Deploying with Policy-Based NAT

LICENSE: Control
SUPPORTED DEVICES: Any
You can use policy-based network address translation (NAT) to define policies that specify how you want to perform NAT. You can target your policies to a single interface, one or more devices, or entire networks.
You can configure static (one-to-one) or dynamic (one-to-many) translation. Note that dynamic translations are order-dependent: rules are searched in order until the first matching rule applies.
Policy-based NAT typically operates in the following deployments:
Hide your private network address.
When you access a public network from your private network, NAT translates your private network address to your public network address. Your specific private network address is hidden from the public network.
Allow access to a private network service.
When a public network accesses your private network, NAT translates your public address to your private network address. The public network can access your specific private network address.
Redirect traffic between multiple private networks.
When a server on a private network accesses a server on a connected private network, NAT translates the private addresses between the two private networks to ensure there is no duplication in private addresses and traffic can travel between them.
Using policy-based NAT removes the need for additional hardware and consolidates the configuration of your intrusion detection or prevention system and NAT into a single user interface. For more information, see Using NAT Policies in the Sourcefire 3D System User Guide.

Deploying with Access Control

LICENSE: Any
SUPPORTED DEVICES: Any
Access control is a policy-based feature that allows you to specify, inspect, and log the traffic that can enter, exit, or travel within your network. The following section describes how access control can function in your deployment. See the Sourcefire 3D System User Guide for more information on this feature.
An access control policy determines how the system handles traffic on your network. You can add access control rules to your policy to provide more granular control over how you handle and log network traffic.
An access control policy that does not include access control rules uses one of the following default actions to handle traffic:
block all traffic from entering your network
trust all traffic to enter your network without further inspection
allow all traffic to enter your network, and inspect the traffic with a network discovery policy only
allow all traffic to enter your network, and inspect the traffic with intrusion and network discovery policies
Access control rules further define how traffic is handled by targeted devices, from simple IP address matching to complex scenarios involving different users, applications, ports, and URLs. For each rule, you specify a rule action, that is, whether to trust, monitor, block, or inspect matching traffic with an intrusion or file policy.
Access control can filter traffic based on Security Intelligence data, a feature that allows you to specify the traffic that can traverse your network, per access control policy, based on the source or destination IP address. This feature can create a blacklist of disallowed IP addresses whose traffic is blocked and not inspected.
The sample deployment illustrates common network segments. Deploying your managed devices in each of these locations serves different purposes. The following sections describe typical location recommendations:
Inside the Firewall on page 44 explains how access control functions on traffic that passes through the firewall.
On the DMZ on page 45 explains how access control within the DMZ can protect outward-facing servers.
On the Internal Network on page 46 explains how access control can protect your internal network from intentional or accidental attack.
On the Core Network on page 46 explains how an access control policy with strict rules can protect your critical assets.
On a Remote or Mobile Network on page 47 explains how access control can monitor and protect the network from traffic at remote locations or on mobile devices.
Inside the Firewall
Managed devices inside the firewall monitor inbound traffic allowed by the firewall or traffic that passes the firewall due to misconfiguration. Common network segments include the DMZ, the internal network, the core, mobile access, and remote networks.
The diagram below illustrates traffic flow through the Sourcefire 3D System, and provides some details on the types of inspection performed on that traffic. Note that the system does not inspect fast-pathed or blacklisted traffic. For traffic handled by an access control rule or default action, flow and inspection depend on the rule action. Although rule actions are not shown in the diagram for simplicity, the system does not perform any kind of inspection on trusted or blocked traffic. Additionally, file inspection is not supported with the default action.
An incoming packet is first checked against any fast-path rules. If there is a match, the traffic is fast-pathed. If there is no match, Security Intelligence-based filtering determines if the packet is blacklisted. If not, any access control rules are applied.
If the packet meets the conditions of a rule, traffic flow and inspection depend on the rule action. If no rules match the packet, traffic flow and inspection depend on the default policy action. (An exception occurs with Monitor rules, which allow traffic to continue to be evaluated.) The default action on each access control policy manages traffic that has not been fast-pathed or blacklisted, or matched by any non-Monitor rule. Note that fast-path is available only for 8000 Series and 3D9900 devices.
You can create access control rules to provide more granular control over how you handle and log network traffic. For each rule, you specify an action (trust, monitor, block, or inspect) to apply to traffic that meets specific criteria.
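The evaluation order described above, as an added Python model (not Sourcefire code): fast-path, then the Security Intelligence blacklist, then rules in order with Monitor rules continuing evaluation, then the default action, with no inspection of fast-pathed, blacklisted, trusted or blocked traffic. The rule fields, the policy and the packets are constructed, and treating network discovery as part of every allowed flow's inspection is a simplifying assumption.

```python
"""Model of the access-control evaluation order for one packet.

Added example, not Sourcefire code. Order: fast-path rules, Security
Intelligence blacklist, access control rules top to bottom, then the
policy's default action. Monitor rules record a match and let evaluation
continue; trust and block end evaluation with no inspection; allow inspects
with network discovery plus the rule's intrusion or file policy (discovery
on every allowed flow is a simplifying assumption). Fast-pathed and
blacklisted traffic is never inspected; the default action has no file policy."""

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    name: str
    action: str                              # "trust", "monitor", "block" or "allow"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None              # None matches any destination port
    intrusion_policy: Optional[str] = None   # used only by "allow" rules
    file_policy: Optional[str] = None        # used only by "allow" rules

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport))


@dataclass
class AccessControlPolicy:
    fastpath: List[str] = field(default_factory=list)    # networks; 8000 Series / 3D9900 only
    blacklist: List[str] = field(default_factory=list)   # Security Intelligence networks
    rules: List[Rule] = field(default_factory=list)
    default_action: str = "allow-intrusion-discovery"

# Default action name -> (disposition, inspection performed), per the guide's four choices.
DEFAULT_ACTIONS = {
    "block-all": ("block", []),
    "trust-all": ("trust", []),
    "allow-discovery": ("allow", ["network discovery"]),
    "allow-intrusion-discovery": ("allow", ["network discovery", "intrusion"]),
}


@dataclass
class Verdict:
    disposition: str          # "fast-path", "block", "trust" or "allow"
    matched_by: str           # what decided the packet's fate
    inspection: List[str]     # inspection applied to the flow, empty if none
    monitor_hits: List[str]   # Monitor rules that matched (logged) on the way


def _in_any(addr: str, networks: List[str]) -> bool:
    return any(ip_address(addr) in ip_network(n) for n in networks)


def evaluate(policy: AccessControlPolicy, pkt: Packet) -> Verdict:
    if _in_any(pkt.src, policy.fastpath) or _in_any(pkt.dst, policy.fastpath):
        return Verdict("fast-path", "fast-path rule", [], [])
    if _in_any(pkt.src, policy.blacklist) or _in_any(pkt.dst, policy.blacklist):
        return Verdict("block", "Security Intelligence blacklist", [], [])
    monitor_hits: List[str] = []
    for rule in policy.rules:
        if not rule.matches(pkt):
            continue
        if rule.action == "monitor":
            monitor_hits.append(rule.name)   # logged; later rules are still evaluated
            continue
        if rule.action in ("trust", "block"):
            return Verdict(rule.action, rule.name, [], monitor_hits)
        inspection = ["network discovery"]
        if rule.intrusion_policy:
            inspection.append(f"intrusion:{rule.intrusion_policy}")
        if rule.file_policy:
            inspection.append(f"file:{rule.file_policy}")
        return Verdict("allow", rule.name, inspection, monitor_hits)
    disposition, inspection = DEFAULT_ACTIONS[policy.default_action]
    return Verdict(disposition, "default action", list(inspection), monitor_hits)


def build_example_policy() -> AccessControlPolicy:
    """Constructed policy: a fast-pathed backup network, a blacklisted range,
    and four rules whose order matters (Monitor first, then trust, block and
    an inspecting allow rule)."""
    return AccessControlPolicy(
        fastpath=["10.10.0.0/16"],
        blacklist=["203.0.113.0/24"],
        rules=[
            Rule("monitor-dns", "monitor", dport=53),
            Rule("trust-backups", "trust", src="192.168.50.0/24", dst="192.168.60.10/32"),
            Rule("block-telnet", "block", dport=23),
            Rule("inspect-web", "allow", dport=80,
                 intrusion_policy="balanced", file_policy="malware"),
        ],
    )
```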
On the DMZ
The DMZ contains outward-facing servers (for example, web, FTP, DNS, and mail), and may also provide services such as mail relay and web proxy to users on the internal network.
Content stored in the DMZ is static, and changes are planned and executed with clear communication and advance notice. Attacks in this segment are typically inbound and become immediately apparent because only planned changes should occur on the servers in the DMZ. An effective access control policy for this segment tightly controls access to services and searches for any new network events.
Servers in the DMZ can contain a database that the DMZ can query via the network. Like the DMZ, there should be no unexpected changes, but the database content is more sensitive and requires greater protection than a web site or other DMZ service. A strong intrusion policy, in addition to the DMZ access control policy, is an effective strategy.
A managed device deployed on this segment can detect attacks directed to the Internet that originate from a compromised server in the DMZ. Monitoring network traffic using Network Discovery can help you monitor these exposed servers for changes (for example, an unexpected service suddenly appearing) that could indicate a compromised server in the DMZ.
Chapter 2
On the Internal Network
A malicious attack can originate from a computer on your internal network. This can be a deliberate act (for example, an unknown computer appears unexpectedly on your network), or an accidental infection (for example, a work laptop infected off-site is connected to the network and spreads a virus). Risk on the internal network can also be outbound (for example, a computer sends information to a suspicious external IP address).
This dynamic network requires a strict access control policy for all internal traffic in addition to outbound traffic. Add access control rules to tightly control traffic between users and applications.
On the Core Network
Core assets are those assets critical to the success of your business and must be protected at all cost. Although core assets vary depending on the nature of your business, typical core assets include financial and management centers or intellectual property repositories. If the security on the core assets is breached, your business can be destroyed.
Although this segment must be readily available for your business to function, it must be tightly controlled. Access control should ensure that these assets cannot be reached by those network segments with the highest risk, such as remote networks or mobile devices. Always use the most aggressive control on this segment, with strict rules for user and application access.
On a Remote or Mobile Network
Remote networks, located off-site, often use a virtual private network (VPN) to provide access to the primary network. Mobile devices and the use of personal devices for business purposes (for example, using a “smart phone” to access corporate email) are becoming increasingly common.
These networks can be highly dynamic environments with rapid and continual change. Deploying a managed device on a dedicated mobile or remote network allows you to create a strict access control policy to monitor and manage traffic to and from unknown external sources. Your policy can reduce your risk by rigidly limiting how users, network, and applications access core resources.
Using a Multi-Port Managed Device
The managed device offers multiple sensing ports on its network modules. You can use the multi-port managed devices to:
recombine the separate connections from a network tap
capture and evaluate traffic from different networks
perform as a virtual router
perform as a virtual switch
IMPORTANT! Although each port is capable of receiving the full throughput for which the device is rated, the total traffic on the managed device cannot exceed its bandwidth rating without some packet loss.
Deploying a multi-port managed device with a network tap is a straightforward process. The following diagram shows a network tap installed on a high-traffic network segment.
In this scenario, the tap transmits incoming and outgoing traffic through separate ports. When you connect the multi-port adapter card on the managed device to the tap, the managed device is able to combine the traffic into a single data stream so that it can be analyzed.
Note that with a gigabit optical tap, as shown in the illustration below, both sets of ports on the managed device are used by the connectors from the tap.
You can use the virtual switch to replace both the tap and the switch in your deployment. Note that if you replace the tap with a virtual switch, you lose the tap packet delivery guarantee.
You can also create interfaces to capture data from separate networks. The following diagram shows a single device with a dual-port adapter and two interfaces connected to two networks.
In addition to using one device to monitor both network segments, you can use the virtual switch capability of the device to replace both switches in your deployment.
Complex Network Deployments
Your enterprise’s network may require remote access, such as using a VPN, or have multiple entry points, such as a business partner or banking connection. The following sections describe some of the issues involved with these deployments:
Integrating with VPNs on page 51
Detecting Intrusions on Other Points of Entry on page 51
Deploying in Multi-Site Environments on page 53
Integrating Managed Devices within Complex Networks on page 55
Integrating with VPNs

Virtual private networks, or VPNs, use IP tunneling techniques to provide the security of a local network to remote users over the Internet. In general, VPN solutions encrypt the data payload in an IP packet. The IP header is unencrypted so that the packet can be transmitted over public networks in much the same way as any other packet. When the packet arrives at its destination network, the payload is decrypted and the packet is directed to the proper host.
Because network appliances cannot analyze the encrypted payload of a VPN packet, placing managed devices outside the terminating endpoints of the VPN connections ensures that all packet information can be accessed. The following diagram illustrates how managed devices can be deployed in a VPN environment.
You can replace the firewall and the tap on either side of the VPN connection with the managed device. Note that if you replace the tap with a managed device, you lose the tap packet delivery guarantee.

Detecting Intrusions on Other Points of Entry

Many networks include more than one access point. Instead of a single border router that connects to the Internet, some enterprises use a combination of the Internet, modem banks, and direct links to business partner networks. In general, you should deploy managed devices near firewalls (either inside the firewall, outside the firewall, or both) and on network segments that are important to the integrity and confidentiality of your business data. The following diagram shows how managed devices can be installed at key locations on a complex network with multiple entry points.
You can replace the firewall and the router with the managed device deployed on that network segment.

Deploying in Multi-Site Environments

Many organizations want to extend intrusion detection across a geographically disparate enterprise and then analyze all the IPS data from one location. The Sourcefire 3D System supports this by offering the Defense Center, which aggregates and correlates events from managed devices deployed throughout the organization’s many locations. Unlike deploying multiple managed devices and Defense Centers in the same geographic location on the same network, when deploying managed devices in disparate geographic locations, you must take precautions to ensure the security of the managed devices and the data stream. To secure the data, you must isolate the managed devices and Defense Center from unprotected networks. You can do this by transmitting the data stream from the managed devices over a VPN or with some other secure tunneling protocol as shown in the following diagram.
You can replace the firewalls and routers with the managed device deployed in each network segment.

Integrating Managed Devices within Complex Networks

You can deploy managed devices in more complex network topologies than a simple multi-sector network. This section describes the issues surrounding network discovery and vulnerability analysis when deploying in environments where proxy servers, NAT devices, and VPNs exist. It also covers using the Sourcefire Defense Center to manage multiple managed devices, and the deployment and management of managed devices in a multi-site environment.
Integrating with Proxy Servers and NAT
Network address translation (NAT) devices or software may be employed across a firewall, effectively hiding the IP addresses of internal hosts behind a firewall. If managed devices are placed between these devices or software and the hosts being monitored, the system may incorrectly identify the hosts behind the proxy or NAT device. In this case, Sourcefire recommends that you position managed devices inside the network segment protected by the proxy or NAT device to ensure that hosts are correctly detected.
Integrating with Load Balancing Methods
In some network environments, “server farm” configurations are used to perform network load balancing for services such as web hosting, FTP storage sites, and so on. In load balancing environments, IP addresses are shared between two or more hosts with unique operating systems. In this case, the system detects the operating system changes and cannot deliver a static operating system identification with a high confidence value. Depending on the number of different operating systems on the affected hosts, the system may generate a large number of operating system change events or present a static operating system identification with a lower confidence value.
Other Detection Considerations
If an alteration has been made to the TCP/IP stack of the host being identified, the system may not be able to accurately identify the host operating system. In some cases, this is done to improve performance. For instance, administrators of Windows hosts running the Internet Information Services (IIS) Web Server are encouraged to increase the TCP window size to allow larger amounts of data to be received, thereby improving performance. In other instances, TCP/IP stack alteration may be used to obfuscate the true operating system to preclude accurate identification and avoid targeted attacks. The likely scenario that this intends to address is where an attacker conducts a reconnaissance scan of a network to identify hosts with a given operating system followed by a targeted attack of those hosts with an exploit specific to that operating system.
CHAPTER 3
INSTALLING A SOURCEFIRE 3D SYSTEM APPLIANCE
Sourcefire appliances are easily installed on your network as part of a larger Sourcefire 3D System deployment. You install devices on network segments to inspect traffic and generate intrusion events based on the intrusion policy applied to it. This data is transmitted to a Defense Center, which manages one or more devices to correlate data across your full deployment, and coordinate and respond to threats to your security.
See the following sections for more information about installing a Sourcefire appliance:
Included Items on page 58
Security Considerations on page 58
Identifying the Management Interfaces on page 58
Identifying the Sensing Interfaces on page 61
Using Devices in a Stacked Configuration on page 74
Installing the Appliance in a Rack on page 80
Redirecting Console Output on page 82
Testing an Inline Bypass Interface Installation on page 83
Included Items
The following is a list of components that ship with Sourcefire appliances. As you unpack the system and the associated accessories, check that your package contents are complete as follows:
one Sourcefire appliance
power cord (two power cords are included with appliances that include redundant power supplies)
Category 5e Ethernet straight-through cables: one for a Defense Center; two for a managed device
one rack-mounting kit (not applicable to the 3D500/1000/2000; required tray and rack-mounting kit available separately for the 3D7010/7020/7030)

Security Considerations

Before you install your appliance, Sourcefire recommends that you consider the following:
Locate your Sourcefire 3D System appliance in a lockable rack within a secure location that prevents access by unauthorized personnel. Place a desktop device (3D500/1000/2000) within a secure location that prevents access by unauthorized personnel.
Allow only trained and qualified personnel to install, replace, administer, or service the Sourcefire appliance.
Always connect the management interface to a secure internal management network that is protected from unauthorized access.
Identify the specific workstation IP addresses that can be allowed to access appliances. Restrict access to the appliance to only those specific hosts using Access Lists within the appliance’s system policy. For more information, see the Sourcefire 3D System User Guide.

Identifying the Management Interfaces

You connect each appliance in your deployment to the network using the management interface. This allows the Defense Center to communicate with and administer the devices it manages.
Sourcefire appliances are delivered on different hardware platforms. Make sure you refer to the correct illustration for your appliance as you follow the installation procedure:
Sourcefire Defense Center 750 on page 59
Sourcefire Defense Center 1500 on page 59
Sourcefire Defense Center 3500 on page 60
Sourcefire 3D500/1000/2000 on page 60
Sourcefire 7000 Series on page 60
Sourcefire 8000 Series on page 61

Sourcefire Defense Center 750

The DC750 is available as a 1U appliance.
The following illustration of the rear of the chassis indicates the location of the management interface on a DC750 (Rev 1).
DC750 (Rev 1)
The following illustration of the rear of the chassis indicates the location of the management interface on a DC750 (Rev 2).
DC750 (Rev 2)

Sourcefire Defense Center 1500

The DC1500 is available as a 1U appliance. The following illustration of the rear of the chassis indicates the location of the management interface.

Sourcefire Defense Center 3500

The DC3500 is available as a 1U appliance. The following illustration of the rear of the chassis indicates the location of the management interface.

Sourcefire 3D500/1000/2000

The 3D500/1000/2000 is available as a desktop appliance. The following illustration indicates the location of the management interface.

Sourcefire 7000 Series

The 3D7010, 3D7020, and 3D7030 are 1U appliances that are one-half the width of the chassis tray. The following illustration of the front of the chassis indicates the management interface.
The 3D7110/7120 and the 3D7115/7125 are available as 1U appliances. The following illustration of the rear of the chassis indicates the location of the management interface.

Sourcefire 8000 Series

The 3D8120/8130/8140 is available as a 1U appliance. The following illustration of the rear of the chassis indicates the location of the management interface.
The 3D8250 is available as a 2U appliance. The 3D8260/8270/8290 is available as a 2U appliance with one, two, or three secondary 2U appliances. The following illustration of the rear of the chassis indicates the location of the management interface for each 2U appliance.
Identifying the Sensing Interfaces
Managed devices connect to network segments using sensing interfaces. The number of segments each device can monitor depends on the number of sensing interfaces on the device and the type of connection (passive, inline, routed, or switched) that you want to use on the network segment.
The following sections describe the sensing interfaces for each managed device. For information on connection types, see Understanding Interfaces on page 28.
To locate the sensing interfaces on the 3D500/1000/2000, see Sourcefire 3D500/1000/2000 on page 62.
To locate the sensing interfaces on the 7000 Series, see Sourcefire 7000 Series on page 63.
To locate the module slots on the 8000 Series, see Sourcefire 8000 Series on page 67.
To locate the sensing interfaces on the 8000 Series NetMods, see 8000 Series Modules on page 68.

Sourcefire 3D500/1000/2000

The 3D500/1000/2000 is available as a desktop appliance. The following illustration indicates the locations of the sensing interfaces.
You can use the sensing interfaces to passively sense up to four separate network segments.
You also can use paired interfaces in inline or inline with bypass mode, which allows you to deploy the device as an intrusion prevention system. The 3D500 can monitor one network when deployed inline, while the 3D1000 and 3D2000 can monitor two networks inline.
If you want to take advantage of the device’s automatic bypass capability, you must connect either the two interfaces on the left (eth1 and eth2) or the two interfaces on the right (eth3 and eth4) to a network segment. This allows traffic to flow even if the device fails or loses power. You must also use the web interface to configure the interface set as inline with bypass.
If you configure the interfaces as inline without using the bypass capability, you can use any two of the interfaces on the device as an inline pair.
IMPORTANT! By default, the initial setup process supports one inline bypass interface pair for eth1 and eth2. For more information, see the Sourcefire 3D System User Guide.

Sourcefire 7000 Series

The Sourcefire 7000 Series is available in the following configurations:
1U device one-half the width of the rack tray with eight copper interfaces, each with configurable bypass capability
1U device with either eight copper interfaces or eight fiber interfaces, each with configurable bypass capability
1U device with four copper interfaces with configurable bypass capability and eight small form-factor pluggable (SFP) ports without bypass capability
3D7010/7020/7030
The 3D7010/7020/7030 is delivered with eight copper port sensing interfaces, each with configurable bypass capability. The following illustration of the front of the chassis indicates the location of the sensing interfaces.
Eight Port 1000BASE-T Copper Configurable Bypass Interfaces
You can use these connections to passively monitor up to eight separate network segments. You can also use paired interfaces in inline or inline with bypass mode to deploy the device as an intrusion prevention system on up to four networks.
If you want to take advantage of the device’s automatic bypass capability, you must connect two interfaces vertically (interfaces 1 and 2, 3 and 4, 5 and 6, or 7 and 8) to a network segment. Automatic bypass capability allows traffic to flow even if the device fails or loses power. After you cable the interfaces, you use the web interface to configure a pair of interfaces as an inline set and enable bypass mode on the inline set.
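The cabling constraints in the 3D500/1000/2000 section above (bypass only on eth1/eth2 or eth3/eth4, any two interfaces for non-bypass inline, one inline network on the 3D500 and two on the 3D1000/2000) and in the 3D7010/7020/7030 section (bypass only on the vertical pairs 1/2, 3/4, 5/6 and 7/8, up to four inline networks) are the kind of thing worth checking before a device is racked, because a mis-cabled bypass pair fails closed when the device loses power. The following Python checker is an added example, not part of the guide and not Sourcefire code: it encodes only the rules stated in the text, and the names "1" through "8" for the numbered 7000 Series front-panel ports are this example's labelling, an assumption rather than a name from the guide.

```python
from typing import Dict, List, Set, Tuple

InlineSet = Tuple[str, str, bool]   # (interface A, interface B, bypass requested)


def _desktop(max_inline: int) -> dict:
    """3D500/1000/2000: four interfaces; bypass only on eth1/eth2 or eth3/eth4."""
    return {"ifaces": ["eth1", "eth2", "eth3", "eth4"],
            "bypass_pairs": [("eth1", "eth2"), ("eth3", "eth4")],
            "max_inline": max_inline}


def _half_width_7000() -> dict:
    """3D7010/7020/7030: eight copper ports; bypass only on vertical pairs.
    Port names "1".."8" are this example's assumption."""
    return {"ifaces": [str(i) for i in range(1, 9)],
            "bypass_pairs": [("1", "2"), ("3", "4"), ("5", "6"), ("7", "8")],
            "max_inline": 4}


MODELS: Dict[str, dict] = {
    "3D500": _desktop(1), "3D1000": _desktop(2), "3D2000": _desktop(2),
    "3D7010": _half_width_7000(), "3D7020": _half_width_7000(),
    "3D7030": _half_width_7000(),
}


def validate_inline_sets(model: str, inline_sets: List[InlineSet]) -> List[str]:
    """Return the problems with a planned set of inline pairs; an empty list means
    the plan is consistent with the limits stated in the text."""
    spec = MODELS[model]
    hardwired = {frozenset(p) for p in spec["bypass_pairs"]}
    problems: List[str] = []
    if len(inline_sets) > spec["max_inline"]:
        problems.append(f"{model} supports at most {spec['max_inline']} inline "
                        f"network(s); plan has {len(inline_sets)}")
    used: Set[str] = set()
    for a, b, bypass in inline_sets:
        if a == b:
            problems.append(f"inline set {a}/{b} must use two different interfaces")
            continue
        for iface in (a, b):
            if iface not in spec["ifaces"]:
                problems.append(f"{model} has no interface named {iface}")
            elif iface in used:
                problems.append(f"interface {iface} is assigned to more than one inline set")
            used.add(iface)
        # Bypass relies on the hardwired relay pair; any other pair can only be
        # inline without bypass.
        if bypass and frozenset((a, b)) not in hardwired:
            pairs = ", ".join("/".join(p) for p in spec["bypass_pairs"])
            problems.append(f"{a}/{b} cannot bypass on {model}; bypass-capable "
                            f"pairs are {pairs}")
    return problems


def plan_bypass_sets(model: str, networks: int) -> List[Tuple[str, str]]:
    """Pick hardwired pairs consecutively (as the guide's TIP recommends) for the
    requested number of inline-with-bypass networks."""
    spec = MODELS[model]
    if networks > spec["max_inline"]:
        raise ValueError(f"{model} can protect at most {spec['max_inline']} "
                         f"network(s) inline")
    return spec["bypass_pairs"][:networks]


if __name__ == "__main__":
    print(validate_inline_sets("3D500", [("eth1", "eth3", True)]))
    print(validate_inline_sets("3D7020", [("1", "2", True), ("3", "4", False)]))
    print(plan_bypass_sets("3D7010", 3))
```

The checker deliberately treats a non-hardwired pair as a problem only when bypass is requested, matching the text's distinction between inline with bypass and plain inline; the inline-network limit applies either way.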
3D7110/7120
The 3D7110/7120 is delivered with eight copper port sensing interfaces, or eight fiber port sensing interfaces, each with configurable bypass capability. The following illustration of the front of the chassis indicates the location of the sensing interfaces.
3D7110/7120 Copper Interfaces
Eight-Port 1000BASE-T Copper Interfaces
You can use these connections to passively monitor up to eight separate network segments. You can also use paired interfaces in inline or inline with bypass mode to deploy the device as an intrusion prevention system on up to four networks.
If you want to take advantage of the device’s automatic bypass capability, you must connect either the two interfaces on the left or the two interfaces on the right to a network segment. Automatic bypass capability allows traffic to flow even if the device fails or loses power. After you cable the interfaces, you use the web interface to configure a pair of interfaces as an inline set and enable bypass mode on the inline set.
3D7110/7120 Fiber Interfaces
Eight-Port 1000BASE-SX Fiber Configurable Bypass
The eight-port 1000BASE-SX fiber configurable bypass configuration uses LC-type (Local Connector) optical transceivers.
You can use these connections to passively monitor up to eight separate network segments. You can also use paired interfaces in inline or inline with bypass mode to deploy the device as an intrusion prevention system on up to four networks.
TIP! For best performance, use the interface sets consecutively. If you skip any interfaces, you may experience degraded performance.
If you want to take advantage of the device’s automatic bypass capability, you must connect either the two interfaces on the left or the two interfaces on the right to a network segment. Automatic bypass capability allows traffic to flow even if the device fails or loses power. After you cable the interfaces, you use the web interface to configure a pair of interfaces as an inline set and enable bypass mode on the inline set.
3D7115/7125
The 3D7115 and 3D7125 devices are delivered with four-port copper interfaces with configurable bypass capability, and eight hot-swappable small form-factor pluggable (SFP) ports without bypass capability. The following illustration of the front of the chassis indicates the location of the sensing interfaces.
3D7115/7125 Copper and SFP Interfaces
Four 1000BASE-T Copper Interfaces
You can use the copper interfaces to passively monitor up to four separate network segments. You can also use paired interfaces in inline or inline with bypass mode to deploy the device as an intrusion prevention system on up to two networks.
If you want to take advantage of the device’s automatic bypass capability, you must connect either the two interfaces on the left or the two interfaces on the right to a network segment. Automatic bypass capability allows traffic to flow even if the device fails or loses power. After you cable the interfaces, you use the web interface to configure a pair of interfaces as an inline set and enable bypass mode on the inline set.
SFP Interfaces
When you install Sourcefire SFP transceivers into the SFP sockets, you can passively monitor up to eight separate network segments. You can also use paired interfaces in inline, non-bypass mode to deploy the device as an intrusion detection system on up to four networks.
Sourcefire SFP transceivers are available in 1G copper, 1G short range fiber, or 1G long range fiber, and are hot-swappable. You can use any combination of copper or fiber transceivers in your device in either passive or inline configuration. Note that SFP transceivers do not have bypass capability and should not be used in intrusion prevention deployments. To ensure compatibility, use only SFP transceivers available from Sourcefire. See Using SFP Transceivers on a 3D7115 or 3D7125 on page 251 for more information.
Sample SFP Transceivers

Sourcefire 8000 Series

The Sourcefire 8000 Series is available as a 1U device with a 10G network switch or a 2U device with either a 10G or a 40G network switch. This device can be shipped fully assembled, or you can install the network modules (NetMods) that contain the sensing interfaces.
IMPORTANT! If you install a NetMod in an incompatible slot on your device (for example, inserting a 40G NetMod in slots 1 and 4 on a 3D8250) or a NetMod is otherwise incompatible with your system, an error or warning message appears in the web interface of the managing Defense Center when you attempt to configure the NetMod. Contact Sourcefire Support for assistance.
The following modules contain configurable bypass sensing interfaces:
a quad-port 1000BASE-T copper interface with configurable bypass capability
a quad-port 1000BASE-SX fiber interface with configurable bypass capability
a dual-port 10GBASE (MMSR or SMLR) fiber interface with configurable bypass capability
a dual-port 40GBASE-SR4 fiber interface with configurable bypass capability (2U devices only)
The following modules contain non-bypass sensing interfaces:
a quad-port 1000BASE-T copper interface without bypass capability
a quad-port 1000BASE-SX fiber interface without bypass capability
a dual-port 10GBASE (MMSR or SMLR) fiber interface without bypass capability
In addition, a stacking module combines the resources of two or more identically configured appliances. The stacking module is optional on the 3D8140 and 3D8250, and is provided in the 3D8260/8270/8290 stacked configurations.
WARNING! Modules are not hot-swappable. See Inserting and Removing 8000 Series Modules on page 255 for more information.
The following illustrations of the front of the chassis indicate the location of the module slots that contain the sensing interfaces.
81xx Family Front Chassis View
82xx Family Front Chassis View
8000 Series Modules
The 8000 Series can be delivered with the following modules with configurable bypass capability:
a quad-port 1000BASE-T copper interface with configurable bypass capability. See Quad-Port 1000BASE-T Copper Configurable Bypass NetMod on page 69 for more information.
a quad-port 1000BASE-SX fiber interface with configurable bypass capability. See Quad-Port 1000BASE-SX Fiber Configurable Bypass NetMod on page 69 for more information.
a dual-port 10GBASE (MMSR or SMLR) fiber interface with configurable bypass capability. See Dual-Port 10GBASE (MMSR or SMLR) Fiber Configurable Bypass NetMod on page 70 for more information.
a dual-port 40GBASE-SR4 fiber interface with configurable bypass capability. See Dual-Port 40GBASE-SR4 Fiber Configurable Bypass NetMod on page 71 for more information.
The 8000 Series can be delivered with the following modules without configurable bypass capability:
a quad-port 1000BASE-T copper interface without bypass capability. See Quad-Port 1000BASE-T Copper Non-Bypass NetMod on page 72 for more information.
a quad-port 1000BASE-SX fiber interface without bypass capability. See Quad-Port 1000BASE-SX Fiber Non-Bypass NetMod on page 72 for more information.
a quad-port 10GBASE (MMSR or SMLR) fiber interface without bypass capability. See Quad-Port 10GBASE (MMSR or SMLR) Fiber Non-Bypass NetMod on page 72 for more information.
A stacking module is optional on the 3D8140 and 3D8250, and is provided in the 3D8260/8270/8290 stacked configurations. See 8000 Series Stacking Module on page 73 for more information.
Quad-Port 1000BASE-T Copper Configurable Bypass NetMod
You can use these connections to passively monitor up to four separate network segments. You also can use paired interfaces in inline or inline with bypass mode, which allows you to deploy the device as an intrusion prevention system on up to two networks.
If you want to take advantage of the device’s automatic bypass capability, you must connect either the two interfaces on the left or the two interfaces on the right to a network segment. This allows traffic to flow even if the device fails or loses power. You must also use the web interface to configure a pair of interfaces as an inline set and enable bypass mode on the inline set.
Quad-Port 1000BASE-SX Fiber Configurable Bypass NetMod
The quad-port 1000BASE-SX fiber configurable bypass configuration uses LC-type (Local Connector) optical transceivers.
You can use this configuration to passively monitor up to four separate network segments. You also can use paired interfaces in inline or inline with bypass mode, which allows you to deploy the managed device as an intrusion prevention system on up to two separate networks.
TIP! For best performance, use the interface sets consecutively. If you skip interfaces, you may experience degraded performance.
If you want to take advantage of a device’s automatic bypass capability, you must connect the two interfaces on the left or the two interfaces on the right to a network segment. This allows traffic to flow even if the device fails or loses power. You must also use the web interface to configure a pair of interfaces as an inline set and enable bypass mode on the inline set.
Dual-Port 10GBASE (MMSR or SMLR) Fiber Configurable Bypass NetMod
The dual-port 10GBASE fiber configurable bypass configuration uses LC-type (Local Connector) optical transceivers. Note that these can be either MMSR or SMLR interfaces.
You can use this configuration to passively monitor up to two separate network segments. You also can use paired interfaces in inline or inline with bypass mode, which allows you to deploy the managed device as an intrusion prevention system on a single network.
TIP! For best performance, use the interface sets consecutively. If you skip interfaces, you may experience degraded performance.
If you want to take advantage of a device’s automatic bypass capability, you must connect two interfaces to a network segment. This allows traffic to flow even if the device fails or loses power. You must also use the web interface to configure a pair of interfaces as an inline set and enable bypass mode on the inline set.
[Figure: NetMod panel with Port, Link LED, Activity LED, and Bypass LED labeled]
Dual-Port 40GBASE-SR4 Fiber Configurable Bypass NetMod
The dual-port 40GBASE-SR4 fiber configurable bypass configuration uses MPO (Multiple-Fiber Push On) connector optical transceivers.
You can use the 40G NetMod only in the 3D8270/8290 or a 40G-capable 3D8250/8260. If you attempt to create a 40G interface on a device that is not 40G-capable, the 40G interface screen on its managing Defense Center web interface displays red. A 40G-capable device displays “3D 8250-40G” on the LCD Panel.
You can use this configuration to passively monitor up to two separate network segments. You also can use the paired interface in inline or inline with bypass mode, which allows you to deploy the device as an intrusion prevention system on one network.
You can use up to two 40G NetMods. Install the first 40G NetMod in slots 3 and 7, and the second in slots 2 and 6. You cannot use a 40G NetMod in slots 1 and 4.
[Figure: 40G NetMod Placement, showing the slots for the First 40G NetMod, the Second 40G NetMod, and the slots Not Available for 40G NetMod]
If you want to take advantage of a device’s automatic bypass capability, you must use the web interface to configure a pair of interfaces as an inline set and enable bypass mode on the inline set.
[Figures: NetMod panels with Ports, Link LED, and Activity LED labeled]
Quad-Port 1000BASE-T Copper Non-Bypass NetMod
You can use these connections to passively monitor up to four separate network segments. You also can use paired interfaces in inline configuration on up to two network segments.
Quad-Port 1000BASE-SX Fiber Non-Bypass NetMod
The quad-port 1000BASE-SX fiber non-bypass configuration uses LC-type (Local Connector) optical transceivers.
You can use these connections to passively monitor up to four separate network segments. You also can use paired interfaces in inline configuration on up to two network segments.
TIP! For best performance, use the interface sets consecutively. If you skip interfaces, you may experience degraded performance.
Quad-Port 10GBASE (MMSR or SMLR) Fiber Non-Bypass NetMod
[Figure: NetMod panel with Link LED and Activity LED labeled]
The quad-port 10GBASE fiber non-bypass configuration uses LC-type (Local Connector) optical transceivers with either MMSR or SMLR interfaces.
WARNING! The quad-port 10GBASE non-bypass NetMod contains non-removable small form-factor pluggable (SFP) transceivers. Any attempt to remove the SFPs can damage the module.
You can use these connections to passively monitor up to four separate network segments. You also can use paired interfaces in inline configuration on up to two network segments.
TIP! For best performance, use the interface sets consecutively. If you skip interfaces, you may experience degraded performance.
8000 Series Stacking Module
A stacking module combines the resources of two or more identically configured appliances. The stacking module is optional on the 3D8140 and 3D8250, and is provided in the 3D8260/8270/8290 stacked configurations.
The stacking module allows you to combine the resources of two devices, using one as the primary device and one as the secondary. Only the primary device has sensing interfaces.
The 3D8140 and 3D8250 can be delivered with the stacking module.
The 3D8260 is delivered with one stacking module in the primary device and one stacking module in the secondary device.
The 3D8270 is delivered with two stacking modules in the primary device and one stacking module in each of the two secondary devices.
The 3D8290 is delivered with three stacking modules in the primary device, and one stacking module in each of the three secondary devices.
For more information on using stacked devices, see Using Devices in a Stacked Configuration.
Using Devices in a Stacked Configuration
You can increase the amount of traffic inspected on network segments by combining the resources of identically configured devices in a stacked configuration. One device is designated as the primary device and is connected to the network segments. All other devices are designated secondary devices, and are used to provide additional resources to the primary device. A Defense Center creates, edits, and manages the stacked configuration.
The primary device contains sensing interfaces and one set of stacking interfaces for each secondary device connected to it. You connect the sensing interfaces on the primary device to the network segments you want to monitor in the same way as a non-stacked device. You connect the stacking interfaces on the primary device to the stacking interfaces on the secondary devices using the stacking cables. Each secondary device is connected directly to the primary device using the stacking interfaces. If a secondary device contains sensing interfaces, they are not used.
You can stack devices in the following configurations:
two 3D8140s
up to four 3D8250s
a 3D8260 (a 10G-capable primary device and a secondary device)
a 3D8270 (a 40G-capable primary device and two secondary devices)
a 3D8290 (a 40G-capable primary device and three secondary devices)
For the 3D8260 and 3D8270, you can stack additional devices for a total of four devices in the stack.
One device is designated as the primary device and is displayed on the Defense Center’s web interface with the primary role. All other devices in the stacked configuration are secondary and displayed in the web interface with the secondary role. You use the combined resources as a single entity except when viewing information from the stacked devices.
Connect the primary device to the network segments you want to analyze in the same way that you would connect a single 3D8140 or 3D8250. Connect the secondary devices to the primary device as indicated in the stack cabling diagram.
After the devices are physically connected to the network segments and to each other, use a Defense Center to establish and manage the stack.
The following sections provide more information on how to connect and manage stacked devices:
Connecting the 3D8140 on page 75
Connecting the 3D8250/8260/8270/8290 on page 75
Using the 8000 Series Stacking Cable on page 79
Managing Stacked Devices on page 79
Connecting the 3D8140

You can connect two 3D8140s in a stacked configuration. You must use one 8000 Series stacking cable to create the physical connection between the primary device and the secondary device. For more information on using the stacking cable, see Using the 8000 Series Stacking Cable on page 79.
Install the devices in your rack so you can easily connect the cable between the stacking modules. You can install the secondary device above or below the primary device.
Connect the primary device to the network segments you want to analyze in the same way that you would connect a single 3D8140. Connect the secondary device directly to the primary device.
The following graphic shows a primary device with a secondary device installed below the primary device.
[Figure: stacked 3D8140 devices, labeled Primary and Secondary]
To connect a 3D8140 secondary device:
Use an 8000 Series stacking cable to connect the left stacking interface on the primary device to the left stacking interface on the secondary device, then use the Defense Center that manages the devices to establish the stacked device relationship in the system. Note that the right stacking interface is not connected. See Managing Stacked Devices on page 79.

Connecting the 3D8250/8260/8270/8290

You can connect any of the following configurations:
up to four 3D8250s
a 3D8260 (a 10G-capable primary device and a secondary device)
a 3D8270 (a 40G-capable primary device and two secondary devices)
a 3D8290 (a 40G-capable primary device and three secondary devices)
For the 3D8260 and 3D8270, you can stack additional devices for a total of four devices in the stack.
You must use two 8000 Series stacking cables for each secondary device you want to connect to the primary device. For more information on using the stacking cable, see Using the 8000 Series Stacking Cable on page 79.
Install the devices in your rack so you can easily connect the cables between the stacking modules. You can install the secondary devices above or below the primary device.
Connect the primary device to the network segments you want to analyze in the same way that you would connect a single 3D8250. Connect each secondary device directly to the primary device as required for the number of secondary devices in the configuration.
3D8250 Primary Device with One Secondary Device
The following example shows a 3D8250 primary device and one secondary device. The secondary device is installed below the primary device. Note that the secondary device contains no sensing interfaces.
3D8260 - 3D8250 Primary Device and One Secondary Device
The following example shows a 3D8260 configuration, which includes a 10G-capable 3D8250 primary device and one dedicated secondary device. The secondary device is installed below the primary device.
3D8270 - 3D8250 (40G) Primary Device and Two Secondary Devices
The following example shows a 3D8270, which includes a 40G-capable 3D8250 primary device and two dedicated secondary devices. One secondary device is installed above the primary device and the other is installed below the primary device.
3D8290 - 3D8250 (40G) Primary Device and Three Secondary Devices
The following example shows a 3D8290, which includes a 40G-capable 3D8250 primary device and three dedicated secondary devices. One secondary device is installed above the primary device and two secondary devices are installed below the primary device.
To connect a 3D8250 secondary device:
1. Use an 8000 Series stacking cable to connect the left interface on the stacking module on the primary device to the left interface on the stacking module on the secondary device.
2. Use a second 8000 Series stacking cable to connect the right interface on the stacking module on the primary device to the right interface on the stacking module on the secondary device.
3. Repeat steps 1 and 2 for each secondary device you want to connect.
4. Use the Defense Center that manages the devices to establish the stacked device relationship and manage their joint resources. See Managing Stacked Devices on page 79.
Using the 8000 Series Stacking Cable

The 8000 Series stacking cable has identically keyed ends, each with a latch to secure the cable in the device and a latch release tab.
[Figure: 8000 Series stacking cable end, labeled Keyed Cable End, Latch, and Latch Release Tab]
Use 8000 Series stacking cables to create the physical connection between the primary device and each secondary device as required for each device configuration. The 3D8250/8260/8270/8290 requires two cables per connection and the 3D8140 requires one cable. Devices do not need to be powered down to insert or remove the stacking cable.
WARNING! Use only the Sourcefire 8000 Series stacking cable when cabling your devices. Using unsupported cables can create unforeseen errors.
Use the Defense Center to manage the stacked devices after you have physically connected the devices.
To insert an 8000 Series stacking cable:
To insert the cable, hold the cable end with the release tab facing up, then insert the keyed end into the port on the stacking module until you hear the latch click into place.
To remove an 8000 Series stacking cable:
To remove the cable, pull on the release tab to release the latch, then remove the cable end.

Managing Stacked Devices

A Defense Center establishes the stacked relationship between the devices, controls the interface sets of the primary device, and manages the combined resources in the stack. You cannot manage interface sets on the local web interface of a stacked device.
After the stacked relationship is established, each device inspects traffic separately using a single, shared detection configuration. If the primary device fails, traffic is handled according to the configuration of the primary device (that is, as if the stacked relationship did not exist). If the secondary device fails, the primary device continues to sense traffic, generate alerts, and send traffic to the failed secondary device where the traffic is dropped.
For information on establishing and managing stacked devices, see Managing Stacked Devices in the Sourcefire 3D System User Guide.
Installing the Appliance in a Rack
The Sourcefire 3D System is delivered on different hardware platforms. You can rack-mount all Sourcefire appliances, including the 3D500/1000/2000 desktop devices (with purchase of a 1U mounting kit). When you install an appliance, you must also make sure that you can access the appliance’s console. To access the console for initial setup, connect to a Sourcefire appliance in one of the following ways:
Keyboard and Monitor/KVM
You can connect a USB keyboard and VGA monitor to any Sourcefire appliance, which is useful for rack-mounted appliances connected to a keyboard, video, and mouse (KVM) switch.
Ethernet Connection to Management Interface
Configure a local computer, which must not be connected to the internet, with the following settings:
IP address: 192.168.45.2
netmask: 255.255.255.0
default gateway: 192.168.45.1
Using an Ethernet cable, connect the network interface on the local computer to the management interface on the appliance. To interact with the appliance, use terminal emulation software such as HyperTerminal or XModem. The settings for this software are 9600 baud, 8 data bits, no parity checking, 1 stop bit, and no flow control.
Note that the management interface on a physical Sourcefire appliance is preconfigured with a default IPv4 address. However, you can reconfigure the management interface with an IPv6 address as part of the setup process.
After initial setup, you can access the console in the following additional ways:
Serial Connection/Laptop
You can use a serial cable to connect a computer to any Sourcefire appliance except the 3D2100/2500/3500/4500 devices. To interact with the appliance, use terminal emulation software as described above.
Lights-Out Management Using Serial over LAN
The LOM feature allows you to perform a limited set of management actions on a Series 3 appliance, including restoring to factory defaults, using a Serial over LAN (SOL) connection. For more information, see Setting up Lights-Out Management on page 219.
By default, Sourcefire appliances direct initialization status, or init, messages to the VGA port. If you want to use the physical serial port or SOL to access the console, Sourcefire recommends you redirect console output to the serial port after you complete initial setup. For more information, see Redirecting Console Output on page 82.
To install the appliance:
1. Mount the appliance in your rack using the mounting kit and its supplied instructions.
Optionally, you can deploy the 3D500/1000/2000 as a desktop device.
2. Connect to the appliance using either a keyboard and monitor or Ethernet connection.
3. If you are using a keyboard and monitor to set up the appliance, use an Ethernet cable now to connect the management interface to a protected network segment.
If you plan to perform the initial setup process by connecting a computer directly to the appliance’s physical management interface, you will connect the management interface to the protected network when you finish setup.
4. For a managed device, connect the sensing interfaces to the network segments you want to analyze using the appropriate cables for your interfaces:
Copper Sensing Interfaces: If your device includes copper sensing interfaces, make sure you use the appropriate cables to connect them to your network; see Cabling Inline Deployments on Copper Interfaces on page 34.
Fiber Adapter Card: For devices with a fiber adapter card, connect the LC connectors on the optional multimode fiber cable to two ports on the adapter card in any order. Connect the SC plug to the network segment you want to analyze.
Fiber Tap: If you are deploying the device with an optional fiber optic tap, connect the SC plug on the optional multimode fiber cable to the “analyzer” port on the tap. Connect the tap to the network segment you want to analyze.
Copper Tap: If you are deploying the device with an optional copper tap, connect the A and B ports on the left of the tap to the network segment you want to analyze. Connect the A and B ports on the right of the tap (the “analyzer” ports) to two copper ports on the adapter card.
For more information about options for deploying the managed device, see Understanding Deployment Options on page 28.
Note that if you are deploying a device with bypass interfaces, you are taking advantage of your device’s ability to maintain network connectivity even if the device fails. See Testing an Inline Bypass Interface Installation on page 83 for information on installation and latency testing.
5. Attach the power cord to the appliance and plug into a power source.
If your appliance has redundant power supplies, attach power cords to both power supplies and plug them into separate power sources. Note that the 3D500/1000/2000 does not have a power switch. This device turns on when you connect the power supply.
6. Turn on the appliance.
If you are using a direct Ethernet connection to set up the appliance, confirm that the link LED is on for both the network interface on the local computer and the management interface on the appliance. If the management interface and network interface LEDs are not lit, try using a crossover cable. For more information, see Cabling Inline Deployments on Copper Interfaces on page 34.
7. Continue with the next chapter, Setting Up a Sourcefire 3D System Appliance on page 86.
Redirecting Console Output
By default, Sourcefire appliances direct initialization status, or init, messages to the VGA port. If you restore an appliance to factory defaults and delete its license and network settings, the restore utility also resets console output to VGA. If you want to use the physical serial port or SOL to access the console, Sourcefire recommends you redirect console output to the serial port after you complete initial setup.
TIP! 3D2100/2500/3500/4500 devices do not have functional serial ports.
To redirect console output, run a script from the appliance’s shell. The following table lists the console you should use depending on the way you plan to access the appliance.
Console Redirection Options
APPLIANCE                    VGA (DEFAULT)   PHYSICAL SERIAL   LOM VIA SOL
3D500/1000/2000              tty0            ttyS0             n/a
3D2100/2500/3500/4500        tty0            n/a               n/a
3D6500                       tty0            ttyS1             n/a
3D9900                       tty0            ttyS1             n/a
Series 2 Defense Centers     tty0            ttyS0             n/a
all Series 3 appliances      tty0            ttyS0             ttyS0
Note that while all Series 3 appliances support LOM, 7000 Series devices do not support LOM and physical serial access at the same time. However, the console setting is the same regardless of which you want to use.
To redirect the console output:
ACCESS: Admin
1. Using your keyboard/monitor or serial connection, log into the appliance using an account with Administrator privileges. The password is the same as the password for the appliance’s web interface.
The prompt for the appliance appears.
2. At the prompt, access root privileges on the appliance:
On a Defense Center or Series 2 managed device, type sudo su - and provide the password again.
On a Series 3 managed device, type expert to display the shell prompt. Then, type sudo su - and provide the password again.
The root prompt appears.
3. Set the console output by typing the following:
/usr/local/sf/bin/set_console.sh -c console_value
where console_value represents the way you plan to access the appliance, as described in the Console Redirection Options table above.
4. To implement your changes, reboot the appliance by typing reboot.
The appliance reboots.
Testing an Inline Bypass Interface Installation
Managed devices with bypass interfaces provide the ability to maintain network connectivity even when the device is powered off or inoperative. It is important to ensure that you properly install these devices and quantify any latency introduced by their installation.
IMPORTANT! Your switch’s spanning tree discovery protocol can cause a 30-second traffic delay. Sourcefire recommends that you disable the spanning tree during the following procedure.
The following procedure, applicable only to copper interfaces, describes how to test the installation and ping latency of an inline bypass interface. You will need to connect to the network to run ping tests and connect to the managed device console.
To test a device with an inline bypass interface installation:
ACCESS: Admin
1. Ensure that the interface set type for the appliance is configured for inline bypass mode.
See Configuring Inline Sets in the Sourcefire 3D System User Guide for instructions on configuring an interface set for inline bypass mode.
2. Set all interfaces on the switch, the firewall, and the device sensing interfaces to auto-negotiate.
IMPORTANT! Cisco devices require auto-negotiate when using auto-MDIX on the device.
3. Power off the device and disconnect all network cables.
Reconnect the device and ensure you have the proper network connections. Check the cabling instructions for crossover versus straight-through from the device to the switches and firewalls; see Cabling Inline Deployments on Copper Interfaces on page 34.
4. With the device powered off, ensure that you can ping from the firewall through the device to the switch.
If the ping fails, correct the network cabling.
5. Run a continuous ping until you complete step 10.
6. Power the device back on.
7. Using your keyboard/monitor or serial connection, log into the device using an account with Administrator privileges. The password is the same as the password for the device’s web interface.
The prompt for the device appears.
8. Shut down the device:
On a Series 2 device, type sudo su -, then type your password again. At the root prompt, shut down the appliance by typing shutdown -h now.
On a Series 3 device, type system shutdown.
You can also shut down the device using its web interface; see the Managing Devices chapter in the Sourcefire 3D System User Guide. As most devices power off, they emit an audible click sound. The click is the sound of relays switching and the device going into hardware bypass.
9. Wait 30 seconds.
Verify that your ping traffic resumes.
10. Power the device back on, and verify that your ping traffic continues to pass.
11. For appliances that support tap mode, you can test and record ping latency results under the following sets of conditions:
device powered off
device powered on, policy with no rules applied, inline intrusion policy protection mode
device powered on, policy with no rules applied, inline intrusion policy protection tap mode
device powered on, policy with tuned rules applied, inline intrusion policy protection mode
Ensure that the latency periods are acceptable for your installation. For information on resolving excessive latency problems, see Configuring Packet Latency Thresholding and Understanding Rule Latency Thresholding in the Sourcefire 3D System User Guide.
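Quantifying the results of steps 5 through 10, as an added example that is not part of the original guide: the script below reads a ping log captured during the test (Linux iputils ping format; the sample log, the 10.0.0.1 address and the PASS/FAIL limits are constructed for illustration), infers lost replies from gaps in icmp_seq, reports the longest outage and the minimum, average and maximum RTT, and checks them against limits you choose for your installation.

```shell
#!/bin/sh
# Added example: summarize a ping log captured while running the inline
# bypass test (device powered off, shut down, powered back on).
# Input is Linux (iputils) ping output. iputils prints nothing for a lost
# reply, so losses are inferred from gaps in the icmp_seq numbering.
# Output is one line of key=value pairs; RTT values are in milliseconds.
ping_summary() {
    awk '
    /icmp_seq=/ {
        seq = ""; rtt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^icmp_seq=/) { sub(/^icmp_seq=/, "", $i); seq = $i + 0 }
            if ($i ~ /^time=/)     { sub(/^time=/, "", $i);     rtt = $i + 0 }
        }
        if (seq == "") next
        if (first == "") {
            first = seq; min = rtt; max = rtt
        } else if (seq > prev + 1) {
            gap = seq - prev - 1               # replies that never arrived
            lost += gap
            if (gap > longest) longest = gap   # longest burst of missing replies
        }
        received++
        sum += rtt
        if (rtt < min) min = rtt
        if (rtt > max) max = rtt
        prev = seq
    }
    END {
        if (received == 0) {
            print "sent=0 received=0 lost=0 longest_gap=0 rtt_min=0.000 rtt_avg=0.000 rtt_max=0.000"
            exit
        }
        sent = prev - first + 1
        printf "sent=%d received=%d lost=%d longest_gap=%d rtt_min=%.3f rtt_avg=%.3f rtt_max=%.3f\n", sent, received, lost, longest, min, sum / received, max
    }'
}

# Check a summary line against site limits: the longest burst of missing
# replies (at the default 1 s ping interval, roughly the seconds without
# connectivity while the relays switch) and the worst RTT in milliseconds.
bypass_check() {
    line=$1
    max_gap=$2
    max_rtt_ms=$3
    gap=$(printf '%s\n' "$line" | sed -n 's/.*longest_gap=\([0-9]*\).*/\1/p')
    rtt=$(printf '%s\n' "$line" | sed -n 's/.*rtt_max=\([0-9.]*\).*/\1/p')
    if [ -n "$gap" ] && [ "$gap" -le "$max_gap" ] &&
       awk -v r="$rtt" -v m="$max_rtt_ms" 'BEGIN { exit !(r <= m) }'; then
        echo PASS
    else
        echo FAIL
    fi
}

# Constructed sample log (not real captured output): replies stop for three
# intervals while the device shuts down into hardware bypass, resume, stop
# again briefly while it powers back on, then return with inspection latency.
sample_log() {
    cat <<'EOF'
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.400 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=0.400 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=64 time=0.400 ms
64 bytes from 10.0.0.1: icmp_seq=4 ttl=64 time=0.400 ms
64 bytes from 10.0.0.1: icmp_seq=5 ttl=64 time=0.400 ms
64 bytes from 10.0.0.1: icmp_seq=9 ttl=64 time=0.500 ms
64 bytes from 10.0.0.1: icmp_seq=10 ttl=64 time=0.500 ms
64 bytes from 10.0.0.1: icmp_seq=11 ttl=64 time=0.500 ms
64 bytes from 10.0.0.1: icmp_seq=14 ttl=64 time=1.200 ms
64 bytes from 10.0.0.1: icmp_seq=15 ttl=64 time=1.200 ms
64 bytes from 10.0.0.1: icmp_seq=16 ttl=64 time=1.200 ms
64 bytes from 10.0.0.1: icmp_seq=17 ttl=64 time=1.200 ms
64 bytes from 10.0.0.1: icmp_seq=18 ttl=64 time=1.200 ms
--- 10.0.0.1 ping statistics ---
18 packets transmitted, 13 received, 27% packet loss, time 17000ms
EOF
}

# During a real test, replace sample_log with the captured output, e.g.
# "ping 10.0.0.1 | tee bypass.log" run from the firewall side.
summary=$(sample_log | ping_summary)
echo "$summary"
bypass_check "$summary" 5 2.0
```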
CHAPTER 4
SETTING UP A SOURCEFIRE 3D SYSTEM APPLIANCE
After you deploy and install a Sourcefire appliance, you must complete a setup process that allows the new appliance to communicate on your trusted management network. You must also change the administrator password and accept the end user license agreement (EULA).
The setup process also allows you to perform many initial administrative-level tasks, such as setting the time, registering and licensing devices, and scheduling updates. The options you choose during setup and registration determine the default interfaces, inline sets, zones, and policies that the system creates and applies.
The purpose of these initial configurations and policies is to provide an out-of-the-box experience and to help you quickly set up your deployment, not to restrict your options. Regardless of how you initially configure a device, you can change its configuration at any time using the Defense Center. In other words, choosing a detection mode or access control policy during setup, for example, does not lock you into a specific device, zone, or policy configuration.
For more information on each of the steps in the initial setup process, see the following sections:
Understanding the Setup Process on page 87 outlines the setup process, which depends on the appliance’s model and whether you have physical access to the appliance.
IMPORTANT! If you are not already familiar with the setup process, Sourcefire strongly recommends you read this section first.
Configuring Network Settings Using a Script on page 90 explains how to use a script to specify network settings that allow a new appliance to communicate on your management network. This step is required for all Defense Centers and Series 2 devices that you are accessing using a keyboard and monitor.
Performing Initial Setup on a Series 3 Device Using the CLI on page 91 explains how to use an interactive command line interface (CLI) to perform the setup process on a Series 3 device.
Initial Setup Page: Devices on page 93 explains how to use any device’s web interface to complete its initial setup.
Initial Setup Page: Defense Centers on page 100 explains how to use a Defense Center’s web interface to complete its initial setup.
Next Steps on page 109 contains guidance on the post-setup tasks you may want to perform as you set up your Sourcefire 3D System deployment.
WARNING! The procedures in this chapter explain how to set up an appliance without powering it down. However, if you need to power down for any reason, use the procedure in the Managing Devices chapter in the Sourcefire 3D System User Guide, the system shutdown command from the CLI on a Series 3 device, or the shutdown -h now command from an appliance’s shell (sometimes called expert mode).
Understanding the Setup Process
After you deploy and install a new Sourcefire appliance, as described in earlier chapters of this guide, you must complete a setup process. Before you begin the setup, make sure that you can meet the following conditions.
Appliance Model
You must know which appliance you are setting up. A Sourcefire appliance is either a traffic-sensing managed device or a managing Defense Center. There are several models of each appliance type; these models are further grouped into series and family. For more information, see Understanding Appliance Series, Models, and Capabilities on page 10.
Access
To set up a new appliance, you must connect using either keyboard and monitor/KVM (keyboard, video, and mouse) or a direct Ethernet connection to the appliance’s management interface. After initial setup, you can configure the appliance for serial access. For more information, see Installing the Appliance in a Rack on page 80.
Information
You have, at minimum, the information needed to allow the appliance to communicate on your management network: an IPv4 or IPv6 management IP address, a netmask or prefix length, and a default gateway.
If you know how the appliance is deployed, the setup process is also a good time to perform many initial administrative-level tasks, including registration and licensing.
TIP! If you are deploying multiple appliances, set up your devices first, then their managing Defense Center. The initial setup process for a device allows you to preregister it to a Defense Center; the setup process for a Defense Center allows you to add and license preregistered managed devices.
After you complete setup, you will use the Defense Center‘s web interface to perform most management and analysis tasks for your deployment. Physical managed devices have a restricted web interface that you can use only to perform basic administration. For more information, see Next Steps on page 109.
For details on how to set up each type of Sourcefire appliance, see:
Setting Up a Series 2 Appliance or Series 3 Defense Center on page 88
Setting Up a Series 3 Device on page 89
TIP! If you are setting up an appliance after restoring it to factory defaults (see Restoring a Sourcefire Appliance to Factory Defaults on page 198) and you did not delete the appliance’s license and network settings, you can use a computer on your management network to browse directly to the appliance’s web interface to perform the setup. Skip to Initial Setup Page: Devices on page 93 or Initial Setup Page: Defense Centers on page 100.

Setting Up a Series 2 Appliance or Series 3 Defense Center

SUPPORTED DEVICES: Series 2
SUPPORTED DEFENSE CENTERS: Series 2, Series 3
The following diagram illustrates the choices you can make when setting up Series 2 devices and Defense Centers, as well as Series 3 Defense Centers:
To set up any Series 2 appliance or a Series 3 Defense Center:
ACCESS: Admin
1. If you are using a keyboard and monitor, run a script that helps you configure settings to allow the appliance to communicate on your management network; see Configuring Network Settings Using a Script on page 90.
If you are setting up a reimaged appliance and you kept your network settings as part of the restore process, or if you are accessing the appliance via a direct Ethernet connection, skip to the next step.
2. Complete the setup process by browsing to the appliance’s web interface from a computer on your management network:
To complete the setup of a managed device using its web interface, see Initial Setup Page: Devices on page 93.
To complete the setup of a Defense Center using its web interface, see Initial Setup Page: Defense Centers on page 100.

Setting Up a Series 3 Device

SUPPORTED DEVICES: Series 3
The following diagram illustrates the choices you can make when setting up Series 3 devices:
Your access to a Series 3 device determines how you set it up. You have the following options:
Regardless of how you are connected to the device, you can use the CLI to set it up; see Performing Initial Setup on a Series 3 Device Using the CLI on page 91.
If you are accessing the appliance via a direct Ethernet connection, you can browse to the appliance’s web interface from a local computer; see Initial Setup Page: Devices on page 93.
If you are setting up a reimaged device and you kept your network settings as part of the restore process, you can access the CLI via SSH or a Lights-Out Management (LOM) connection. You can also browse to the device’s web interface from a computer on your management network.
Configuring Network Settings Using a Script
SUPPORTED DEVICES: Series 2
After you install a new Defense Center or Series 2 device, or delete its network settings as part of a reimage, you must configure the appliance to communicate on your management network. Complete this step by running a script at the console.
The Sourcefire 3D System provides a dual stack implementation for both IPv4 and IPv6 management environments. First, the script prompts you to configure (or disable) IPv4 management settings, then IPv6. For IPv6 deployments, you can retrieve settings from a local router. You must provide the IPv4 or IPv6 management IP address, netmask or prefix length, and default gateway.
When following the script’s prompts, for multiple-choice questions, your options are listed in parentheses, such as (y/n). Defaults are listed in square brackets, such as [y]. Press Enter to confirm a choice.
Note that the script prompts you for much of the same setup information that the appliance’s setup web page does. For more information, see Network Settings on page 96 (device) and Network Settings on page 103 (Defense Center).
To configure network settings using a script:
ACCESS: Admin
1. At the console, log into the appliance.
Use admin as the username and Sourcefire as the password.
2. At the admin prompt, switch to the root user by typing sudo su -, then typing the password again if prompted.
3. At the root prompt, run the following script:
/usr/local/sf/bin/configure-network
4. Follow the script’s prompts.
Configure (or disable) IPv4 management settings first, then IPv6. If you manually specify network settings, you must:
enter IPv4 addresses, including the netmask, in dotted decimal form. For example, you could specify a netmask of 255.255.0.0.
enter IPv6 addresses in colon-separated hexadecimal form. For an IPv6 prefix, specify the number of bits; for example, a prefix length of 112.
5. Confirm that your settings are correct.
If you entered settings incorrectly, type n at the prompt and press Enter. You can then enter the correct information. The console may display messages as your settings are implemented.
6. Log out of the appliance.
7. Your next step depends on the appliance:
To complete the setup of a managed device using its web interface, continue with Initial Setup Page: Devices on page 93.
To complete the setup of a Defense Center using its web interface, continue with Initial Setup Page: Defense Centers on page 100.
Performing Initial Setup on a Series 3 Device Using the CLI
SUPPORTED DEVICES: Series 3
Optionally, you can use the CLI to configure Series 3 devices instead of using the device’s web interface. When you first log in to a newly configured device using the CLI, you must read and accept the EULA. Then, follow the setup prompts to change the administrator password, configure the device’s network settings and detection mode. Finally, register the device to the Defense Center that will manage it.
When following the setup prompts, options are listed in parentheses, such as (y/n). Defaults are listed in square brackets, such as [y]. Press Enter to confirm a choice.
Note that the CLI prompts you for much of the same setup information that a device’s setup web page does. For detailed information on these options, see Initial Setup Page: Devices on page 93.
To complete the initial setup on a Series 3 device using the CLI:
ACCESS: Admin
1. Log into the device. Use admin as the username and Sourcefire as the password.
For a Series 3 device attached to a monitor and keyboard, log in at the console.
If you connected a computer to the management interface of a Series 3 device using an Ethernet cable, SSH to the interface’s default IPv4 address: 192.168.45.45.
The device immediately prompts you to read the EULA.
2. Read and accept the EULA.
3. Change the password for the admin account. This account has Administrator privileges and cannot be deleted.
Sourcefire recommends that you use a strong password that is at least eight alphanumeric characters of mixed case and includes at least one numeric character. Avoid using words that appear in a dictionary. For more information, see Change Password on page 95.
4. Configure network settings for the device.
First configure (or disable) IPv4 management settings, then IPv6. If you manually specify network settings, you must:
enter IPv4 addresses, including the netmask, in dotted decimal form. For example, you could specify a netmask of 255.255.0.0.
enter IPv6 addresses in colon-separated hexadecimal form. For an IPv6 prefix, specify the number of bits; for example, a prefix length of 112.
For more information, see Network Settings on page 96. The console may display messages as your settings are implemented.
5. Select whether you want to allow changing of the device’s network settings using the LCD panel.
WARNING! Enabling this option can present a security risk. You need only physical access, not authentication, to configure network settings using the LCD panel. For more information, see Using the LCD Panel on a Series 3 Device on page 111.
6. Specify the detection mode based on how you deployed the device.
For more information, see Detection Mode on page 98. The console may display messages as your settings are implemented. When finished, the device reminds you to register this device to a Defense Center, and displays the CLI prompt.
7. To use the CLI to register the device to the Defense Center that will manage it, continue with the next section, Registering a Series 3 Device to a Defense Center Using the CLI.
You must manage devices with a Defense Center. If you do not register the device now, you must log in later and register it before you can add it to a Defense Center.
8. Log out of the appliance.

Registering a Series 3 Device to a Defense Center Using the CLI

SUPPORTED DEVICES: Series 3
If you configured a Series 3 device using the CLI, Sourcefire recommends that you use the CLI to register the device to a Defense Center at the conclusion of the setup script. It is easiest to register a device to its Defense Center during the initial setup process, because you are already logged into the device’s CLI.
To register a device, use the configure manager add command. A unique alphanumeric registration key is always required to register a device to a Defense Center. This is a simple key that you specify, and is not the same as a license key.
In most cases, you must provide the Defense Center’s hostname or the IP address along with the registration key, for example:
configure manager add DC.example.com my_reg_key
However, if the device and the Defense Center are separated by a NAT device, enter a unique NAT ID along with the registration key, and specify DONTRESOLVE instead of the hostname, for example:
configure manager add DONTRESOLVE my_reg_key my_nat_id
To register a device to a Defense Center:
ACCESS: CLI Configuration
1. Log in to the device as a user with Configuration CLI access level:
If you are performing the initial setup from the console, you are already logged in as the admin user, which has the required access level.
Otherwise, SSH to the device’s management IP address or host name.
2. At the prompt, register the device to a Defense Center using the configure manager add command, which has the following syntax:
configure manager add {hostname | IPv4_address | IPv6_address | DONTRESOLVE} reg_key [nat_id]
where:
{hostname | IPv4_address | IPv6_address | DONTRESOLVE} specifies either the fully qualified host name or IP address of the Defense Center. If the Defense Center is not directly addressable, use DONTRESOLVE.
reg_key is the unique alphanumeric registration key required to register a device to the Defense Center.
nat_id is an optional alphanumeric string used during the registration process between the Defense Center and the device. It is required if the hostname is set to DONTRESOLVE.
3. Log out of the appliance.
The device is ready to be added to a Defense Center.
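The following added example (not Sourcefire code) builds and checks a configure manager add line from the syntax above, so that a mistyped target or a missing NAT ID is caught before the command is entered on the device. The generate_registration_key helper and the allowance for underscores in keys are assumptions, drawn from the page saying the key is a simple alphanumeric key you specify and from its my_reg_key example.

```python
"""Build and check a `configure manager add` command line from the documented syntax:
    configure manager add {hostname | IPv4_address | IPv6_address | DONTRESOLVE} reg_key [nat_id]
Added example; not Sourcefire code. The key generator is an assumption: the page only
says the registration key is a simple key you choose, so it is drawn from `secrets`
here to make it unguessable."""
import ipaddress
import re
import secrets
import string
from typing import Optional

_KEY_CHARS = string.ascii_letters + string.digits
# The page's own examples (my_reg_key, my_nat_id) use underscores, so allow them too.
_TOKEN_RE = re.compile(r"^[A-Za-z0-9_]+$")
# RFC 1123 style host name: dot-separated labels of letters, digits and inner hyphens.
_HOST_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def generate_registration_key(length: int = 20) -> str:
    """Random key; the same value is entered on the device and on the Defense Center."""
    return "".join(secrets.choice(_KEY_CHARS) for _ in range(length))


def classify_target(target: str) -> str:
    """Name the syntax alternative that `target` matches, or raise ValueError."""
    if target == "DONTRESOLVE":
        return "DONTRESOLVE"
    try:
        return f"IPv{ipaddress.ip_address(target).version}_address"
    except ValueError:
        pass
    if _HOST_RE.match(target):
        return "hostname"
    raise ValueError(f"{target!r} is not a host name, IP address or DONTRESOLVE")


def check_manager_add(target: str, reg_key: str, nat_id: Optional[str] = None) -> Optional[str]:
    """Return a problem description, or None when the arguments satisfy the syntax."""
    try:
        kind = classify_target(target)
    except ValueError as exc:
        return str(exc)
    if not _TOKEN_RE.match(reg_key):
        return "reg_key must be a non-empty alphanumeric string"
    if kind == "DONTRESOLVE" and nat_id is None:
        return "nat_id is required when the Defense Center is DONTRESOLVE (behind NAT)"
    if nat_id is not None and not _TOKEN_RE.match(nat_id):
        return "nat_id must be alphanumeric"
    return None


def build_manager_add(target: str, reg_key: str, nat_id: Optional[str] = None) -> str:
    """Return the CLI line to type at the device prompt, after validating it."""
    problem = check_manager_add(target, reg_key, nat_id)
    if problem:
        raise ValueError(problem)
    parts = ["configure", "manager", "add", target, reg_key]
    if nat_id is not None:
        parts.append(nat_id)
    return " ".join(parts)


if __name__ == "__main__":
    key = generate_registration_key()
    print(build_manager_add("DC.example.com", key))            # directly addressable DC
    print(build_manager_add("DONTRESOLVE", key, "my_nat_id"))  # DC behind a NAT device
```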
Initial Setup Page: Devices
For all managed devices (except Series 3 devices that you configured using the CLI; see Performing Initial Setup on a Series 3 Device Using the CLI on page 91), you must complete the setup process by logging into the device’s web interface and specifying initial configuration options on a setup page.
You must change the administrator password, specify network settings if you have not already, and accept the EULA. You can also preregister the device to a Defense Center and specify a detection mode; the detection mode and other options you choose during registration determine the default interfaces, inline sets, and zones that the system creates, as well as the policies that it initially applies to managed devices.
To complete the initial setup on a physical managed device using its web interface:
ACCESS: Admin
1. Direct your browser to https://mgmt_ip/, where mgmt_ip is the IP address of the device’s management interface.
For a device connected to a computer with an Ethernet cable, direct the browser on that computer to the default management interface IPv4 address: https://192.168.45.45/.
For a device where network settings are already configured, use a computer on your management network to browse to the IP address of the device’s management interface.
The login page appears.
2. Log in using admin as the username and Sourcefire as the password.
The setup page appears. See the following sections for information on completing the setup:
Change Password on page 95
Network Settings on page 96
Series 3 Device LCD Panel Configuration on page 97
Remote Management on page 97
Time Settings on page 98
Detection Mode on page 98
Automatic Backups on page 100
End User License Agreement on page 100
3. When you are finished, click Apply.
The device is configured according to your selections. After an intermediate page appears, you are logged into the web interface as the admin user, which has the Administrator role.
4. Log out of the device.
The device is ready to be added to its managing Defense Center.
IMPORTANT! If you connected directly to the device using an Ethernet cable, disconnect the computer and connect the device’s management interface to the management network. If you need to access the device’s web interface at any time, direct a browser on a computer on the management network to the IP address or host name that you configured during setup.

Change Password

You must change the password for the admin account. This account has Administrator privileges and cannot be deleted.
Sourcefire recommends that you use a strong password that is at least eight alphanumeric characters of mixed case and includes at least one numeric character. Avoid using words that appear in a dictionary.

Network Settings

A device’s network settings allow it to communicate on your management network. If you already configured the device’s network settings, this section of the page may be pre-populated.
The Sourcefire 3D System provides a dual stack implementation for both IPv4 and IPv6 management environments. You must specify the management network protocol (IPv4, IPv6, or Both). Depending on your choice, the setup page displays various fields where you must set the IPv4 or IPv6 management IP address, netmask or prefix length, and default gateway:
For IPv4, you must set the address and netmask in dotted decimal form (for example: a netmask of 255.255.0.0).
For IPv6 networks, you can select the Assign the IPv6 address using router autoconfiguration check box to automatically assign IPv6 network settings.
Otherwise, you must set the address in colon-separated hexadecimal form and the number of bits in the prefix (for example: a prefix length of 112).
You can also specify up to three DNS servers, as well as the host name and domain for the device.
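The management address, netmask or prefix length, and default gateway are asked for three times on this page (the configure-network script, the Series 3 CLI setup, and this Network Settings section), and a gateway outside the configured subnet leaves the appliance unreachable on the management network once the settings apply. The following added example (not Sourcefire code) checks a set of IPv4 and IPv6 settings for that kind of inconsistency before they are typed in; the sample settings at the bottom are constructed.

```python
"""Pre-flight check for the management network settings that the configure-network
script, the Series 3 CLI setup and the setup page's Network Settings section ask for.
Added example; not Sourcefire code. Each check returns a list of problems; an empty
list means the address, mask/prefix and gateway are consistent with each other."""
import ipaddress
from typing import List


def _is_contiguous_netmask(mask: ipaddress.IPv4Address) -> bool:
    # A netmask is a run of 1 bits followed by 0 bits. Without this check ipaddress
    # would silently accept a host mask such as 0.0.255.255 and treat it as /16.
    inverted = int(mask) ^ 0xFFFFFFFF
    return inverted & (inverted + 1) == 0


def check_ipv4_settings(address: str, netmask: str, gateway: str) -> List[str]:
    """Validate a dotted-decimal IPv4 address, netmask and default gateway together."""
    problems: List[str] = []
    try:
        mask = ipaddress.IPv4Address(netmask)
        if not _is_contiguous_netmask(mask):
            return [f"netmask {netmask} is not a contiguous mask"]
        iface = ipaddress.IPv4Interface(f"{address}/{netmask}")
        gw = ipaddress.IPv4Address(gateway)
    except ValueError as exc:
        return [f"not dotted decimal: {exc}"]
    net = iface.network
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{address} is the network or broadcast address of {net}")
    if gw not in net:
        # No on-link route to the gateway: management access is lost after apply.
        problems.append(f"gateway {gateway} is outside {net}")
    elif gw == iface.ip:
        problems.append("gateway must not be the appliance's own address")
    return problems


def check_ipv6_settings(address: str, prefix_length: int, gateway: str) -> List[str]:
    """Validate a colon-hex IPv6 address, prefix length in bits, and default gateway."""
    if not 0 <= prefix_length <= 128:
        return [f"prefix length {prefix_length} is not between 0 and 128 bits"]
    try:
        iface = ipaddress.IPv6Interface(f"{address}/{prefix_length}")
        gw = ipaddress.IPv6Address(gateway)
    except ValueError as exc:
        return [f"not colon-separated hexadecimal: {exc}"]
    problems: List[str] = []
    # Routers usually advertise a link-local address, so accept that or an on-link gateway.
    if gw not in iface.network and not gw.is_link_local:
        problems.append(f"gateway {gateway} is neither in {iface.network} nor link-local")
    elif gw == iface.ip:
        problems.append("gateway must not be the appliance's own address")
    return problems


if __name__ == "__main__":
    # Constructed sample settings: the first call is consistent, the second names a
    # gateway the appliance could not reach with the netmask given.
    print(check_ipv4_settings("10.10.5.20", "255.255.0.0", "10.10.0.1"))
    print(check_ipv4_settings("10.10.5.20", "255.255.0.0", "10.20.0.1"))
    print(check_ipv6_settings("2001:db8:0:1::20", 112, "fe80::1"))
```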

Series 3 Device LCD Panel Configuration

SUPPORTED DEVICES: Series 3
If you are configuring a Series 3 device, select whether you want to allow changing of the device’s network settings using the LCD panel.
WARNING! Enabling this option can represent a security risk. You need only physical access, not authentication, to configure network settings using the LCD panel. For more information, see Using the LCD Panel on a Series 3 Device on page 111.

Remote Management

You must manage a Sourcefire device with a Defense Center. For your convenience, the setup page allows you to preregister the device to the Defense Center that will manage it.
Leave the Register This Device Now check box enabled, then specify the IP address or fully qualified domain name of the managing Defense Center as the Management Host. Also, type the alphanumeric Registration Key you will later use to register the device to the Defense Center. Note that this is a simple key that you specify, and is not the same as the license key.
IMPORTANT! If the device and Defense Center are separated by a network address translation (NAT) device, defer device registration until after you complete the initial setup. See the Managing Devices chapter in the Sourcefire 3D System User Guide for more information.

Time Settings

You can set the time for a device either manually or via network time protocol (NTP) from an NTP server, including the Defense Center. Sourcefire recommends that you use the Defense Center as the NTP server for its managed devices.
You can also specify the time zone used on the local web interface for the admin account. Click the current time zone to change it using a pop-up window.

Detection Mode

The detection mode you choose for a device determines how the system initially configures the device’s interfaces, and whether those interfaces belong to an inline set or security zone.
The detection mode is not a setting you can change later; it is simply an option you choose during setup that helps the system tailor the device’s initial configurations. In general, you should choose a detection mode based on how your device is deployed:
Passive
Choose this mode if your device is deployed passively, as an intrusion detection system (IDS). In a passive deployment, you can perform file and malware detection, Security Intelligence monitoring, as well as network discovery.
Inline
Choose this mode if your device is deployed inline, as an intrusion prevention system (IPS). An IPS usually fails open and allows non-matching traffic.
In an inline deployment, you can also perform network-based advanced malware protection (AMP), file control, Security Intelligence filtering, and network discovery.
Although you can select the inline mode for any device, keep in mind that inline sets using the following interfaces lack bypass capability:
non-bypass NetMods on 8000 Series devices
SFP transceivers on 71xx Family devices
IMPORTANT! Reimaging resets devices in inline deployments to a non-bypass configuration; this disrupts traffic on your network until you reconfigure bypass mode. For more information, see Traffic Flow During the Restore Process on page 199.
Access Control
Choose this mode if your device is deployed inline as part of an access control deployment, that is, if you want to perform application, user, and URL control. A device configured to perform access control usually fails closed and blocks non-matching traffic. Rules explicitly specify the traffic to pass.
You should also choose this mode if you want to take advantage of your device’s specific hardware-based capabilities, which include (depending on model): clustering, strict TCP enforcement, fast-path rules, switching, routing, DHCP, NAT, and VPN.
In an access control deployment, you can also perform malware protection, file control, Security Intelligence filtering, and network discovery.
Network Discovery
Choose this mode if your device is deployed passively, to perform host, application, and user discovery only.
The following table lists the interfaces, inline sets, and zones that the system creates depending on the detection mode you choose.
Initial Configurations Based on Detection Mode
DETECTION MODE     SECURITY ZONES          INLINE SETS          INTERFACES
Inline             Internal and External   Default Inline Set   first pair added to Default Inline Set—one to the Internal and one to the External zone
Passive            Passive                 none                 first pair assigned to Passive zone
Access Control     none                    none                 none
Network Discovery  Passive                 none                 first pair assigned to Passive zone
Note that security zones are a Defense Center-level configuration which the system does not create until you actually register the device to the Defense Center. Upon registration, if the appropriate zone (Internal, External, or Passive) already exists on the Defense Center, the registration process adds the listed interfaces to the existing zone. If the zone does not exist, the system creates it and adds the interfaces. For detailed information on interfaces, inline sets, and security zones, see the Sourcefire 3D System User Guide.

Automatic Backups

The device provides a mechanism for archiving data so that configuration and event data can be restored in case of failure. As part of the initial setup, you can Enable Automatic Backups.
Enabling this setting creates a scheduled task that creates a weekly backup of the configurations on the device.

End User License Agreement

Read the EULA carefully and, if you agree to abide by its provisions, select the check box. Make sure that all the information you provided is correct, and click Apply. The device is configured according to your selections and is ready to be added to its managing Defense Center.
Initial Setup Page: Defense Centers
For all Defense Centers, you must complete the setup process by logging into the Defense Center’s web interface and specifying initial configuration options on a setup page. You must change the administrator password, specify network settings if you haven’t already, and accept the EULA.