Sourcefire 3D System Installation Guide
Version 5.2
Terms of Use Applicable to the User Documentation
The legal notices, disclaimers, terms of use, and other information contained herein (the "terms") apply only to
the information discussed in this documentation (the "Documentation") and your use of it. These terms do not
apply to or govern the use of websites controlled by Sourcefire, Inc. or its subsidiaries (collectively, "Sourcefire")
or any Sourcefire-provided products. Sourcefire products are available for purchase and subject to a separate
license agreement and/or terms of use containing very different terms and conditions.
Terms of Use and Copyright and Trademark Notices
The copyright in the Documentation is owned by Sourcefire and is protected by copyright and other intellectual
property laws of the United States and other countries. You may use, print out, save on a retrieval system, and
otherwise copy and distribute the Documentation solely for non-commercial use, provided that you (i) do not
modify the Documentation in any way and (ii) always include Sourcefire's copyright, trademark, and other
proprietary notices, as well as a link to, or print out of, the full contents of this page and its terms.
No part of the Documentation may be used in a compilation or otherwise incorporated into another work or with
or into any other documentation or user manuals, or be used to create derivative works, without the express
prior written permission of Sourcefire. Sourcefire reserves the right to change the terms at any time, and your
continued use of the Documentation shall be deemed an acceptance of those terms.
Sourcefire, the Sourcefire logo, Snort, the Snort and Pig logo, Immunet, ClamAV and certain other trademarks
and logos are trademarks or registered trademarks of Sourcefire, Inc. in the United States and other countries.
Other company, product and service names may be trademarks or service marks of others.
THE DOCUMENTATION AND ANY INFORMATION AVAILABLE FROM IT MAY INCLUDE INACCURACIES OR
TYPOGRAPHICAL ERRORS. SOURCEFIRE MAY CHANGE THE DOCUMENTATION FROM TIME TO TIME.
SOURCEFIRE MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE ACCURACY OR SUITABILITY OF
ANY SOURCEFIRE-CONTROLLED WEBSITE, THE DOCUMENTATION AND/OR ANY PRODUCT INFORMATION.
SOURCEFIRE-CONTROLLED WEBSITES, THE DOCUMENTATION AND ALL PRODUCT INFORMATION ARE
PROVIDED "AS IS" AND SOURCEFIRE DISCLAIMS ANY AND ALL EXPRESS AND IMPLIED WARRANTIES,
INCLUDING BUT NOT LIMITED TO WARRANTIES OF TITLE AND THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL SOURCEFIRE BE
LIABLE TO YOU FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, PUNITIVE, OR
CONSEQUENTIAL DAMAGES (INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES, LOSS OF DATA, LOSS OF PROFITS, AND/OR BUSINESS INTERRUPTIONS), ARISING OUT OF OR IN
ANY WAY RELATED TO SOURCEFIRE-CONTROLLED WEBSITES OR THE DOCUMENTATION, NO MATTER HOW
CAUSED AND/OR WHETHER BASED ON CONTRACT, STRICT LIABILITY, NEGLIGENCE OR OTHER TORTUOUS
ACTIVITY, OR ANY OTHER THEORY OF LIABILITY, EVEN IF SOURCEFIRE IS ADVISED OF THE POSSIBILITY OF
SUCH DAMAGES. BECAUSE SOME STATES/JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION
OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATIONS MAY NOT APPLY TO
YOU.
The Documentation may contain "links" to websites that are not created by, or under the control of Sourcefire.
Sourcefire provides such links solely for your convenience, and assumes no responsibility for the availability or
content of such other sites.
2013-Oct-18 16:20
Table of Contents
Chapter 1: Introduction to the Sourcefire 3D System ........................... 8
Sourcefire 3D System Appliances .................................................. 9
Chapter 1
Introduction to the Sourcefire 3D System
The Sourcefire 3D® System combines the security of an industry-leading
network intrusion protection system with the power to control access to your
network based on detected applications, users, and URLs. You can also use
Sourcefire appliances to serve in a switched, routed, or hybrid (switched and
routed) environment; to perform network address translation (NAT); and to build
secure virtual private network (VPN) tunnels among the virtual routers on
Sourcefire managed devices, or from managed devices to remote devices or
other third-party VPN endpoints.
The Sourcefire Defense Center® provides a centralized management console and
database repository for the Sourcefire 3D System. Managed devices installed on
network segments monitor traffic for analysis.
Devices in a passive deployment monitor traffic flowing across a network, for
example, using a switch SPAN, virtual switch, or mirror port. Passive sensing
interfaces receive all traffic unconditionally and no traffic received on these
interfaces is retransmitted.
Devices in an inline deployment allow you to protect your network from attacks
that might affect the availability, integrity, or confidentiality of hosts on the
network. Inline interfaces receive all traffic unconditionally, and traffic received on
these interfaces is retransmitted unless explicitly dropped by some configuration
in your deployment. Inline devices can be deployed as a simple intrusion
prevention system. You can also configure inline devices to perform access
control as well as manage network traffic in other ways.
This installation guide provides information about deploying, installing, and setting
up Sourcefire appliances (devices and Defense Centers). It also contains
hardware specifications and safety and regulatory information for Sourcefire
appliances.
TIP! You can host virtual Defense Centers and devices, which can manage and
be managed by physical appliances. However, virtual appliances do not support
any of the system’s hardware-based features: redundancy, switching, routing, and
so on. For detailed information, see the Sourcefire 3D System Virtual Installation Guide.
The topics that follow introduce you to the Sourcefire 3D System and describe its
key components:
• Sourcefire 3D System Appliances on page 9
• Sourcefire 3D System Components on page 16
• Licensing the Sourcefire 3D System on page 19
• Security, Internet Access, and Communication Ports on page 23
Sourcefire 3D System Appliances
A Sourcefire appliance is either a traffic-sensing managed device or a managing
Defense Center:
Physical devices are fault-tolerant, purpose-built network appliances available with
a range of throughputs and capabilities. Defense Centers serve as central
management points for these devices, and automatically aggregate and correlate
the events they generate. There are several models of each physical appliance
type; these models are further grouped into series and family.
Many Sourcefire 3D System capabilities are appliance dependent. For more
information, see the following sections:
• Defense Centers on page 9
• Managed Devices on page 10
• Understanding Appliance Series, Models, and Capabilities on page 10
Defense Centers
The Defense Center provides a centralized management point and event
database for your Sourcefire 3D System deployment. Defense Centers, which
can be physical or virtual, aggregate and correlate intrusion, file, malware,
discovery, connection, and performance data. This allows you to monitor the
information that your devices report in relation to one another, and to assess and
control the overall activity that occurs on your network.
Key features of the Defense Center include:
• device, license, and policy management
• display of event and contextual information using tables, graphs, and charts
• health and performance monitoring
• external notification and alerting
• real-time threat response using correlation and remediation features
• reporting
For many physical Defense Centers, a high availability (redundancy) feature can
help you ensure continuity of operations.
Managed Devices
Physical Sourcefire devices are fault-tolerant, purpose-built network appliances
available in a range of throughputs. You can also host virtual devices. Devices
deployed passively help you gain insight into your network traffic. Deployed inline,
you can use Sourcefire devices to affect the flow of traffic based on multiple
criteria. You must manage Sourcefire devices with a Defense Center.
Depending on model and license, managed devices:
• gather detailed information about your organization’s hosts, operating systems, applications, users, files, networks, and vulnerabilities
• block or allow network traffic based on various network-based criteria, as well as other criteria including applications, users, URLs, IP address reputations, and the results of intrusion or malware inspections
• have switching, routing, DHCP, NAT, and VPN capabilities, as well as configurable bypass interfaces, fast-path rules, and strict TCP enforcement
• have clustering (redundancy) to help you ensure continuity of operations, and stacking to combine resources from multiple devices
Understanding Appliance Series, Models, and Capabilities
Version 5.2 of the Sourcefire 3D System is available on two series of physical
appliances, as well as virtual appliances. Many Sourcefire 3D System capabilities
are appliance dependent. For more information, see:
• Series 2 Appliances on page 11
• Series 3 Appliances on page 11
• Virtual Appliances on page 12
• Appliances Delivered with Version 5.2 on page 12
• Supported Capabilities by Appliance Model on page 13
Series 2 Appliances
Series 2 is the second series of Sourcefire physical appliances. Because of
resource and architecture limitations, Series 2 devices support a restricted set of
Sourcefire 3D System features.
Although Sourcefire does not deliver Version 5.2 on Series 2 appliances other
than 3D500/1000/2000 devices, you can restore the following Series 2 devices
and Defense Centers to Version 5.2:
• 3D2100/2500/3500/4500
• 3D6500
• 3D9900
• DC500/1000/3000
There is no update path from Version 4.10.x to Version 5.2; you must use an ISO
image to restore your appliances. Reimaging results in the loss of all
configuration and event data on the appliance. You cannot import this data onto
an appliance after a reimage. For more information, see Restoring a Sourcefire
Appliance to Factory Defaults on page 198.
IMPORTANT! Only reimage your appliances during a maintenance window.
Reimaging resets devices in inline deployments to a non-bypass configuration
and disrupts traffic on your network. For more information, see Traffic Flow During
the Restore Process on page 199.
When running Version 5.2, Series 2 devices automatically have most of the
capabilities associated with a Protection license: intrusion detection and
prevention, file control, and basic access control. However, Series 2 devices
cannot perform Security Intelligence filtering, advanced access control, or
advanced malware protection. You also cannot enable other licensed capabilities
on a Series 2 device. With the exception of the 3D9900, which supports fast-path
rules, stacking, and tap mode, Series 2 devices do not support any of the
hardware-based features associated with Series 3 devices: switching, routing,
NAT, and so on.
When running Version 5.2, DC1000 and DC3000 Series 2 Defense Centers
support all the features of the Sourcefire 3D System; the DC500 has more limited
capabilities.
Series 3 Appliances
Series 3 is the third series of Sourcefire physical appliances. All 7000 Series and
8000 Series devices are Series 3 appliances. 8000 Series devices are more
powerful and support a few features that 7000 Series devices do not.
Virtual Appliances
You can host 64-bit virtual Defense Centers and devices on VMware ESX/ESXi.
Virtual Defense Centers can manage up to 25 physical or virtual devices; physical
Defense Centers can manage virtual devices.
Regardless of the licenses installed and applied, virtual appliances do not support
any of the system’s hardware-based features: redundancy, switching, routing, and
so on. Also, virtual devices do not have web interfaces. For detailed information
on virtual appliances, see the Sourcefire 3D System Virtual Installation Guide.
Appliances Delivered with Version 5.2
The following table lists the appliances that Sourcefire delivers with Version 5.2 of
the Sourcefire 3D System.
Version 5.2 Sourcefire Appliances
MODELS/FAMILY | SERIES | TYPE
Series 2 devices: 3D500, 3D1000, and 3D2000 | Series 2 | device
70xx Family: 3D7010, 3D7020, and 3D7030 | Series 3 (7000 Series) | device
71xx Family: 3D7110, 3D7115, 3D7120, and 3D7125 | Series 3 (7000 Series) | device
81xx Family: 3D8120/8130/8140 | Series 3 (8000 Series) | device
82xx Family: 3D8250, 3D8260, 3D8270, and 3D8290 | Series 3 (8000 Series) | device
virtual devices | none | device
Series 3 Defense Centers: DC750/1500/3500 | Series 3 | Defense Center
virtual Defense Centers | none | Defense Center
Although Sourcefire does not deliver Version 5.2 on Series 2 appliances other
than 3D500, 3D1000, and 3D2000 devices, you can reimage the following
Series 2 devices and Defense Centers to Version 5.2:
• 3D2100/2500/3500/4500
• 3D6500
• 3D9900
• DC500/1000/3000
Reimaging results in the loss of all configuration and event data on the appliance.
See Restoring a Sourcefire Appliance to Factory Defaults on page 198 for more
information.
Supported Capabilities by Appliance Model
Many Sourcefire 3D System capabilities are appliance dependent. The table
below matches the major capabilities of the system with the appliances that
support those capabilities, assuming you have the correct licenses installed and
applied. For a brief summary of these features and licenses, see Supported
Capabilities by Appliance Model on page 13 and Licensing the Sourcefire 3D
System on page 19.
The Defense Center column for device-based capabilities (such as stacking,
switching, and routing) indicates whether that Defense Center can manage and
configure devices to perform their functions. For example, you can use a Series 2
DC1000 to manage NAT on Series 3 devices. Also, a blank cell means the feature
is unsupported, while n/a marks certain Defense Center-based features that are
not relevant to managed devices.
Supported Capabilities by Appliance Model
[Table; columns: FEATURE, SERIES 2 DEVICE, SERIES 2 DEFENSE CENTER, SERIES 3 DEVICE,
SERIES 3 DEFENSE CENTER, VIRTUAL DEVICE, VIRTUAL DEFENSE CENTER. The support marks
in the cells did not survive extraction; only the feature rows and the model-specific
cells listed below are recoverable.]
Feature rows: network discovery (host, application, and user); geolocation data;
intrusion detection and prevention (IPS); Security Intelligence filtering; access
control: basic network control; access control: applications; access control: users;
access control: literal URLs; access control: URL filtering by category and
reputation; file control: by file type; network-based advanced malware protection
(AMP); FireAMP integration; fast-path rules; strict TCP enforcement; configurable
bypass interfaces; tap mode; switching and routing; NAT policies; VPN; high
availability; device stacking; device clustering; clustered stacks; interactive CLI.
Recoverable model-specific cells:
• geolocation data: Series 2 Defense Center DC1000, DC3000
• access control: users: Series 2 Defense Center DC1000, DC3000
• FireAMP integration: n/a in three columns (a Defense Center-based feature not relevant to managed devices)
• fast-path rules: Series 2 device 3D9900; Series 3 device 8000 Series
• tap mode: Series 2 device 3D9900
• high availability: n/a for devices; Series 2 Defense Center DC1000, DC3000; Series 3 Defense Center DC1500, DC3500
• device stacking: Series 2 device 3D9900; Series 3 device 3D8140, 82xx Family
• clustered stacks: Series 3 device 3D8140, 82xx Family
• two further Series 2 Defense Center cells on the second page of the table read DC1000, DC3000, and one Series 3 device cell reads "where hardware limited"; their feature rows are not recoverable
Series 3 Device Chassis Designations
The following section lists the 7000 Series and 8000 Series devices and their
respective chassis hardware codes. The chassis code appears on the regulatory
label on the outside of the chassis, and is the official reference code for hardware
certifications and safety.
7000 Series Chassis Designations
The 7000 Series Chassis Models table lists the chassis designations for the
7000 Series models available world-wide.
7000 Series Chassis Models
3D DEVICE MODEL | HARDWARE CHASSIS CODE
3D7010, 3D7020, and 3D7030 | CHRY-1U-AC
3D7110 and 3D7120 (Copper) | GERY-1U-8-C-AC
3D7110 and 3D7120 (Fiber) | GERY-1U-8-FM-AC
3D7115 and 3D7125 | GERY-1U-4C8S-AC
8000 Series Chassis Designations
The 8000 Series Chassis Models table lists the chassis designations for the
Series 3 models available world-wide.
8000 Series Chassis Models
3D DEVICE MODEL | HARDWARE CHASSIS CODE
3D8120, 3D8130, and 3D8140 (AC power) | CHAS-1U-AC
3D8120, 3D8130, and 3D8140 (DC power) | CHAS-1U-DC
3D8250, 3D8260, 3D8270, and 3D8290 (AC power) | CHAS-2U-AC
3D8250, 3D8260, 3D8270, and 3D8290 (DC power) | CHAS-2U-DC
Sourcefire 3D System Components
The sections that follow describe some of the key capabilities of the Sourcefire
3D System that contribute to your organization’s security, acceptable use policy,
and traffic management strategy.
TIP! Many Sourcefire 3D System capabilities are appliance model, license, and
user role dependent. Where needed, Sourcefire documentation outlines the
requirements for each feature and task.
Redundancy and Resource Sharing
The redundancy and resource-sharing features of the Sourcefire 3D System allow
you to ensure continuity of operations and to combine the processing resources
of multiple physical devices:
• Defense Center high availability allows you to designate redundant DC1000, DC1500, DC3000, or DC3500 Defense Centers to manage devices.
• Device stacking allows you to increase the amount of traffic inspected on a network segment by connecting two to four physical devices in a stacked configuration.
• Device clustering allows you to establish redundancy of networking functionality and configuration data between two or more Series 3 devices or stacks.
Network Traffic Management
The Sourcefire 3D System’s network traffic management features allow Series 3
devices to act as part of your organization’s network infrastructure. You can:
• configure a Layer 2 deployment to perform packet switching between two or more network segments
• configure a Layer 3 deployment to route traffic between two or more interfaces
• perform network address translation (NAT)
• build secure VPN tunnels from virtual routers on managed devices to remote devices or other third-party VPN endpoints
FireSIGHT
FireSIGHT™ is Sourcefire’s discovery and awareness technology that collects
information about hosts, operating systems, applications, users, files, networks,
geolocation information, and vulnerabilities, in order to provide you with a
complete view of your network.
You can use the Defense Center’s web interface to view and analyze data
collected by FireSIGHT. You can also use this data to help you perform access
control and modify intrusion rule states.
Access Control
Access control is a policy-based feature that allows you to specify, inspect, and
log the traffic that traverses your network. As part of access control, the Security
Intelligence feature allows you to blacklist—deny traffic to and from—specific IP
addresses before the traffic is subjected to deeper analysis.
After Security Intelligence filtering occurs, you can define which and how traffic is
handled by targeted devices, from simple IP address matching to complex
scenarios involving different users, applications, ports, and URLs. You can trust,
monitor, or block traffic, or perform further analysis, such as:
• intrusion detection and prevention
• file control
• file tracking and network-based advanced malware protection (AMP)
Intrusion Detection and Prevention
Intrusion detection and prevention is a policy-based feature, integrated into
access control, that allows you to monitor your network traffic for security
violations and, in inline deployments, to block or alter malicious traffic. An
intrusion policy contains a variety of components, including:
• rules that inspect the protocol header values, payload content, and certain packet size characteristics
• rule state configuration based on FireSIGHT recommendations
• advanced settings, such as preprocessors and other detection and performance features
• preprocessor rules that allow you to generate events for associated preprocessors and preprocessor options
File Tracking, Control, and Malware Protection
To help you identify and mitigate the effects of malware, the Sourcefire 3D
System’s file control, network file trajectory, and advanced malware protection
components can detect, track, and optionally block the transmission of files
(including malware files) in network traffic.
File control is a policy-based feature, integrated into access control, that allows
managed devices to detect and block your users from uploading (sending) or
downloading (receiving) files of specific types over specific application protocols.
Network-based advanced malware protection (AMP) allows the system to inspect
network traffic for malware in specific types of files. When a managed device
detects one of these file types, the Defense Center obtains the file’s disposition
from the Sourcefire cloud. The managed device uses this information to track and
then block or allow the file.
FireAMP is Sourcefire’s enterprise-class, endpoint-based AMP solution. If your
organization has a FireAMP subscription, individual users install FireAMP
Connectors on their computers and mobile devices. These lightweight agents
communicate with the Sourcefire cloud, which in turn communicates with the
Defense Center. In this way, you can use the Defense Center to view malware
detection and quarantines on the endpoints in your organization, as well as to
track the malware’s trajectory.
Application Programming Interfaces
There are several ways to interact with the system using application programming
interfaces (APIs):
• The Event Streamer (eStreamer) allows you to stream several kinds of event data from a Sourcefire appliance to a custom-developed client application.
• The database access feature allows you to query several database tables on a Defense Center, using a third-party client that supports JDBC SSL connections.
• The host input feature allows you to augment the information in the network map by importing data from third-party sources using scripts or command-line files.
• Remediations are programs that your Defense Center can automatically launch when certain conditions on your network are met. This can not only automatically mitigate attacks when you are not immediately available to address them, but can also ensure that your system remains compliant with your organization’s security policy.
Licensing the Sourcefire 3D System
You can license a variety of features to create an optimal Sourcefire 3D System
deployment for your organization. You must use the Defense Center to control
licenses for itself and the devices it manages.
Sourcefire recommends you add the licenses your organization has purchased
during the initial setup of your Defense Center. Otherwise, any devices you
register during initial setup are added to the Defense Center as unlicensed. You
must then enable licenses on each device individually after the initial setup
process is over. For more information, see Setting Up a Sourcefire 3D System
Appliance on page 86.
A FireSIGHT license is included with each Defense Center purchase, and is
required to perform host, application, and user discovery. The FireSIGHT license
on your Defense Center also determines how many individual hosts and users
you can monitor with the Defense Center and its managed devices, as well as
how many users you can use to perform user control. FireSIGHT host and user
license limits are model specific, as listed in the following table.
FireSIGHT Limits by Defense Center Model
DEFENSE CENTER MODEL | FIRESIGHT HOST AND USER LIMIT
DC500 | 1000 (no user control)
DC750 | 2000
DC1000 | 20,000
DC1500 | 50,000
DC3000 | 100,000
DC3500 | 300,000
If your Defense Center was previously running Version 4.10.x, you may be able to
use legacy RNA Host and RUA User licenses instead of a FireSIGHT license. For
more information, see Using Legacy RNA Host and RUA User Licenses on
page 22.
Additional model-specific licenses allow your managed devices to perform a
variety of functions, as follows:
Protection
A Protection license allows managed devices to perform intrusion detection
and prevention, file control, and Security Intelligence filtering.
Control
A Control license allows managed devices to perform user and application
control. It also allows devices to perform switching and routing (including
DHCP relay), NAT, and to cluster devices and stacks. A Control license
requires a Protection license.
URL Filtering
A URL Filtering license allows managed devices to use regularly updated
cloud-based category and reputation data to determine which traffic can
traverse your network, based on the URLs requested by monitored hosts. A
URL Filtering license requires Protection and Control licenses.
Malware
A Malware license allows managed devices to perform network-based
advanced malware protection (AMP), that is, to detect and block malware in
files transmitted over your network. It also allows you to view trajectories,
which track files transmitted over your network. A Malware license requires a
Protection license.
VPN
A VPN license allows you to build secure VPN tunnels among the virtual
routers on Sourcefire managed devices, or from managed devices to remote
devices or other third-party VPN endpoints. A VPN license requires Protection
and Control licenses.
Because of architecture and resource limitations, not all licenses can be applied to
all managed devices. In general, you cannot license a capability that a device does
not support; see Supported Capabilities by Appliance Model on page 13.
The following table summarizes which licenses you can add to your Defense
Center and apply to each device model. The Defense Center rows (for all licenses
except FireSIGHT) indicate whether that Defense Center can manage devices
using those licenses. For example, you can use a Series 2 DC1000 to create a
VPN deployment using Series 3 devices, but you cannot use a DC500 to perform
category and reputation-based URL filtering, regardless of the devices it
manages. Also, a blank cell means the license is unsupported, while n/a marks
Defense Center-based licenses that are not relevant to managed devices.
Supported Licenses by Model
[Table; columns: MODELS, FIRESIGHT, PROTECTION, CONTROL, URL FILTERING, MALWARE, VPN.
The support marks in the cells did not survive extraction; only the rows and the
annotated cells listed below are recoverable.]
Rows: Series 2 devices (3D500/1000/2000; 3D2100/2500/3500/4500; 3D6500; 3D9900);
Series 3 devices (7000 Series; 8000 Series); virtual devices; DC500 Series 2 Defense
Center; DC1000/3000 Series 2 Defense Centers; DC750/1500/3500 Series 3 Defense
Centers; virtual Defense Centers.
Annotated cells:
• Series 2 devices: FIRESIGHT n/a; PROTECTION "automatic, no Security Intelligence"
• virtual devices: FIRESIGHT n/a; CONTROL "n/a for hardware features"; one further cell reads "no support"
• DC500 Series 2 Defense Center: PROTECTION "no Security Intelligence"; CONTROL "no user control"
In addition to the information in the table, note that:
• Series 2 devices automatically have Protection capabilities, with the exception of Security Intelligence filtering.
• Although you can enable a Control license on a virtual device, a virtual device does not support any of the hardware-based features granted by that license, such as switching or routing.
• Although the DC500 can manage devices with Protection and Control licenses, you cannot perform Security Intelligence filtering or user control.
For detailed information on licensing, see the Licensing the Sourcefire 3D System
chapter in the Sourcefire 3D System User Guide.
Using Legacy RNA Host and RUA User Licenses
In Version 4.10.x of the Sourcefire 3D System, RNA Host and RUA User feature
licenses determined your monitored host and user limits, respectively. If your
Defense Center was previously running Version 4.10.x, you can use your legacy
host and user licenses instead of a FireSIGHT license.
Version 5.2 Defense Centers using legacy licenses use the RNA Host limit as the
FireSIGHT host limit and the RUA User limit as both the FireSIGHT user and
authoritative user limit. The FireSIGHT Host License Limit health module alerts
appropriately for your licensed limit.
Note that RNA Host and RUA User limits are cumulative. That is, you can add
multiple licenses of each type to the Defense Center to monitor the total number
of hosts or users allowed by the licenses.
If you later add a FireSIGHT license, the Defense Center uses the higher of the
limits. For example, the FireSIGHT license on the DC1500 supports up to 50,000
hosts and users. If the RNA Host limit on your Version 4.10.x DC1500 was higher
than 50,000, using that legacy host license on the same Defense Center running
Version 5.2 gives you the higher limit. For your convenience, the web interface
displays only the licenses that represent the higher limits.
IMPORTANT! Because FireSIGHT license limits are matched to the hardware
capabilities of Defense Centers, Sourcefire does not recommend exceeding
them when using legacy licensing. For guidance, contact Sourcefire Support.
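As an added example (not code from the guide or from Sourcefire), the following Python encodes the license prerequisites from the previous section and the legacy-versus-FireSIGHT limit rule described above, so a planned Defense Center license set can be checked before it is applied. The constant and function names are assumptions made for this example; the rules themselves are only those stated in this chapter.

```python
from dataclasses import dataclass

# Feature-license prerequisites exactly as stated in "Licensing the Sourcefire
# 3D System": Control needs Protection; URL Filtering and VPN need Protection
# and Control; Malware needs Protection. (Names are assumptions for this example.)
PREREQUISITES = {
    "Protection": frozenset(),
    "Control": frozenset({"Protection"}),
    "URL Filtering": frozenset({"Protection", "Control"}),
    "Malware": frozenset({"Protection"}),
    "VPN": frozenset({"Protection", "Control"}),
}

# FireSIGHT host and user limits per Defense Center model, from the
# "FireSIGHT Limits by Defense Center Model" table in this chapter.
FIRESIGHT_LIMITS = {
    "DC500": 1000, "DC750": 2000, "DC1000": 20_000,
    "DC1500": 50_000, "DC3000": 100_000, "DC3500": 300_000,
}


def missing_prerequisites(requested):
    """Map each requested license to the sorted list of prerequisites absent
    from the requested set. An empty dict means the set is consistent."""
    requested = set(requested)
    unknown = requested - set(PREREQUISITES)
    if unknown:
        raise ValueError(f"unknown license(s): {sorted(unknown)}")
    return {
        lic: sorted(PREREQUISITES[lic] - requested)
        for lic in sorted(requested)
        if PREREQUISITES[lic] - requested
    }


@dataclass(frozen=True)
class LimitResult:
    limit: int            # effective FireSIGHT host (or user) limit
    source: str           # "firesight" or "legacy": which license sets the limit
    exceeds_model: bool   # legacy total is above the model's FireSIGHT limit


def effective_limit(model, firesight=True, legacy_limits=()):
    """Effective host (or user) limit for a Defense Center model.

    Legacy RNA Host / RUA User limits are cumulative, so they are summed. When a
    FireSIGHT license is also present the Defense Center uses the higher of the
    two limits. exceeds_model flags a legacy total above the model's FireSIGHT
    limit, which the IMPORTANT note above says Sourcefire does not recommend."""
    if model not in FIRESIGHT_LIMITS:
        raise ValueError(f"unknown Defense Center model: {model}")
    if not firesight and not legacy_limits:
        raise ValueError("no host/user license: FireSIGHT or legacy licenses required")
    model_limit = FIRESIGHT_LIMITS[model]
    legacy_total = sum(legacy_limits)
    firesight_limit = model_limit if firesight else 0
    if legacy_total > firesight_limit:
        return LimitResult(legacy_total, "legacy", legacy_total > model_limit)
    return LimitResult(firesight_limit, "firesight", False)


if __name__ == "__main__":
    # Constructed sample: a DC1500 reimaged from 4.10.x that kept two legacy
    # RNA Host licenses and also has its FireSIGHT license.
    print(missing_prerequisites(["URL Filtering", "Malware"]))
    print(effective_limit("DC1500", firesight=True, legacy_limits=(40_000, 20_000)))
```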
Because there is no update path from Version 4.10.x to Version 5.2, you must use
an ISO image to “restore” the Defense Center. Note that reimaging results in the
loss of all configuration and event data on the appliance. You cannot import this
data onto an appliance after a reimage. For more information, see Restoring a
Sourcefire Appliance to Factory Defaults on page 198.
IMPORTANT! Only reimage your appliances during a maintenance window.
Reimaging resets devices in an inline deployment to a non-bypass configuration
and disrupts traffic on your network until you reconfigure bypass mode. For more
information, see Traffic Flow During the Restore Process on page 199.
During the restore process, you are prompted to delete license and network
settings. Keep these settings, although you can re-add them later if you
accidentally delete them. Note that Version 5.2 Defense Centers cannot manage
Version 4.10.x devices. You can, however, restore and update supported Version
4.10.x devices to the latest version. For more information, see Restoring a
Sourcefire Appliance to Factory Defaults on page 198.
Security, Internet Access, and Communication Ports
To safeguard the Defense Center, you must install the Defense Center on a
protected internal network. Although the Defense Center is configured to have
only the necessary services and ports available, you must make sure that attacks
cannot reach it from outside the firewall.
If the Defense Center and the managed device reside on the same network, you
can connect the management interface on the device to the same protected
internal network as the Defense Center. This allows you to securely control the
device from the Defense Center and aggregate the event data generated on the
managed device’s network segment. By using the Defense Center’s filtering
capabilities, you can analyze and correlate data from attacks across your network
to evaluate how well your security policies are being implemented.
Note, however, that Sourcefire appliances are configured to directly connect to
the Internet. Specific features of the Sourcefire 3D System require this direct
connection, and others support use of a proxy server. Additionally, the system
requires that certain ports remain open for basic intra-appliance communication,
as well as to allow you to access appliances’ web interfaces. By default, several
other ports are open to allow the system to take advantage of additional features
and functionality.
For more information, see:
• Internet Access Requirements on page 23
• Open Communication Ports Requirements on page 24
Internet Access Requirements
By default, Sourcefire appliances are configured to directly connect to the
Internet. Specific features of the Sourcefire 3D System require this direct
connection, while others support use of a proxy server; see the Configuring s
chapter in the Sourcefire 3D System User Guide.
TIP! You can manually upload system software, intrusion rule, GeoDB, and VDB
updates to appliances.
To ensure continuity of operations, both Defense Centers in a high availability pair
must have Internet access. For specific features, the primary Defense Center
contacts the Internet, then shares information with the secondary during the
synchronization process. Therefore, if the primary fails, you should promote the
secondary to primary as described in the Managing Devices chapter in the
Sourcefire 3D System User Guide.
The following table describes the Internet access requirements of the Sourcefire
3D System.
INTERNET ACCESS IS REQUIRED TO... | HIGH AVAILABILITY
download RSS feed data from an external source, including Sourcefire. | Feed data is not synchronized.
download Security Intelligence feed data from an external source, including the Sourcefire Intelligence Feed. | The primary Defense Center downloads feed data and shares it with the secondary. In case of primary failure, you must switch roles.
download category and reputation data for access control, and perform lookups for uncategorized URLs. | The primary Defense Center downloads URL filtering data and shares it with the secondary. In case of primary failure, you must switch roles.
perform cloud lookups to determine if files detected in network traffic contain malware. | Paired Defense Centers perform cloud lookups independently, although file policies are synchronized.
receive endpoint-based malware events from the Sourcefire cloud. | Cloud connections are not synchronized. Configure them on both Defense Centers.
download or schedule the download of an intrusion rule, GeoDB, VDB, or system update directly to the appliance. | Rule, GeoDB, and VDB updates are synchronized; system updates are not. All appliances that download updates must have Internet access.
obtain whois information using the IP address context menu. | Any appliance requesting whois information must have Internet access.
Open Communication Ports Requirements
The Sourcefire 3D System requires that ports 443 (inbound) and 8305 (inbound
and outbound) remain open for basic intra-appliance communication, as well as to
allow you to access appliances’ web interfaces.
By default, several other ports are open to allow the system to take advantage of
additional features and functionality. The following table lists these ports. Note
that DHCP is disabled by default on ports 67 and 68.
Sourcefire 3D System Open Communication Ports Requirements
PORTS | DESCRIPTION | PROTOCOL | DIRECTION | OPEN THE PORT TO...
22 | SSH/SSL | TCP | Bidirectional | allow a secure remote connection to the appliance.
25 | SMTP | TCP | Outbound | send email notices and alerts from the appliance.
53 | DNS | TCP | Outbound | use DNS.
67, 68 | DHCP | UDP | Outbound | use DHCP. Disabled by default.
80 | HTTP | TCP | Outbound or Bidirectional | allow the RSS Feed dashboard widget to connect to a remote web server; use for auto-update. Adding inbound access allows the Defense Center to update custom and third-party Security Intelligence feeds via HTTP, and to download URL filtering information.
161, 162 | SNMP | UDP | Bidirectional (161); Outbound (162) | provide access if you enabled SNMP polling (inbound) and SNMP traps (outbound).
389, 636 | LDAP | TCP | Outbound | track user activity and for authentication.
443 | HTTPS/AMPQ | TCP | Inbound or Bidirectional | access the appliance. Required. Adding outbound access allows the Defense Center to download or receive software updates, VDB and GeoDB updates, URL filtering information, secure Security Intelligence feeds, and endpoint-based (FireAMP) malware events.
514 | syslog | UDP | Outbound | send alerts to a remote syslog server.
623 | SOL/LOM | UDP | Bidirectional | allow you to perform Lights-Out Management (LOM) using a Serial Over LAN (SOL) connection on a Series 3 appliance.
1500, 2000 | database access | TCP | Inbound | access the Defense Center if external database access is enabled.
1812, 1813 | RADIUS | UDP | Outbound or Bidirectional | use RADIUS. Adding inbound access ensures that RADIUS authentication and accounting function correctly. Ports 1812 and 1813 are the default, but you can configure RADIUS to use other ports instead. For more information, see the Sourcefire 3D System User Guide.
3306 | Sourcefire User Agent | TCP | Inbound | allow communication between the Defense Center and Sourcefire User Agents.
8302 | eStreamer | TCP | Bidirectional | use for an eStreamer client.
8305 | device management | TCP | Bidirectional | communicate between the Defense Center and managed devices. Required.
8307 | Host Input Client API | TCP | Bidirectional | communicate with the Defense Center during client/server authentication.
32137 | malware cloud lookups | TCP | Outbound | allow the Defense Center to perform cloud lookups to determine if a file detected in network traffic contains malware, and to track file trajectories.
CHAPTER 2
UNDERSTANDING DEPLOYMENT
The Sourcefire 3D System can be deployed to accommodate the needs of each
unique network architecture. The Defense Center provides a centralized
management console and database repository for the Sourcefire 3D System.
Devices are installed on network segments to collect traffic connections for
analysis.
Devices in a passive deployment monitor traffic flowing across a network using a
switch SPAN, virtual switch, or mirror port to collect data about the nature of the
traffic traversing your network. Devices in an inline deployment allow you to
monitor your network for attacks that might affect the availability, integrity, or
confidentiality of hosts on the network. A device can be deployed in an inline,
switched, routed, or hybrid (Layer 2/Layer3) environment.
To learn more about your deployment options, see the following sections:
• Understanding Deployment Options on page 28 provides some factors to
consider when designing your deployment.
• Understanding Interfaces on page 28 explains the differences between
interfaces and how they function in your deployment.
• Connecting Devices to Your Network on page 32 describes how to use a
hub, span, and network tap in your deployment.
• Deployment Options on page 36 describes a basic deployment and
identifies the primary functional locations within it.
• Deploying with Access Control on page 43 describes the advantages of
using access control in an inline deployment.
• Using a Multi-Port Managed Device on page 48 explains how to use a
managed device for multiple networks or for use as a virtual router or virtual
switch in your network deployment.
• Complex Network Deployments on page 50 explains advanced deployment
scenarios, such as using a VPN or having multiple entry points.
For additional information about deployments, consult the Best Practices Guide,
available from the Sourcefire sales department.
Understanding Deployment Options
Your deployment decisions will be based on a variety of factors. Answering these
questions can help you understand the vulnerable areas of your network and
clarify your intrusion detection and prevention needs:
• Will you be deploying your managed device with passive or inline
interfaces? Does your device support a mix of interfaces, some passive and
others inline? See Understanding Interfaces on page 28 for more
information.
• How will you connect the managed devices to the network? Hubs? Taps?
Spanning ports on switches? Virtual switches? See Connecting Devices to
Your Network on page 32 for more information.
• Do you want to detect every attack on your network, or do you only want to
know about attacks that penetrate your firewall? Do you have specific
assets on your network such as financial, accounting, or personnel records,
production code, or other sensitive, protected information that require
special security policies? See Deployment Options on page 36 for more
information.
• Do you provide VPN or modem access for remote workers? Do you have
remote offices that also require an IPS deployment? Do you employ
contractors or other temporary employees? Are they restricted to specific
network segments? Do you integrate your network with the networks of
other organizations such as customers, suppliers, or business partners? See
Complex Network Deployments on page 50 for more information.
Understanding Interfaces
The sections that follow describe how different interfaces affect the capabilities of
the Sourcefire 3D System. In addition to passive and inline interfaces, you can
also have routed, switched, and hybrid interfaces. See the following sections for
more information:
• Passive Interfaces on page 29
• Inline Interfaces on page 29
• Switched Interfaces on page 30
• Routed Interfaces on page 31
• Hybrid Interfaces on page 32
Passive Interfaces
LICENSE: Any
SUPPORTED DEVICES: Any
You can configure a passive IPS deployment to monitor traffic flowing across a
network using a switch SPAN, virtual switch, or mirror port, allowing traffic to be
copied from other ports on the switch. Passive interfaces allow you to inspect
traffic within the network without being in the flow of network traffic. When
configured in a passive deployment, the system cannot take certain actions such
as blocking or shaping traffic. Passive interfaces receive all traffic unconditionally
and do not retransmit received traffic.
You can configure one or more physical ports on a managed device as passive
interfaces. For more information, see Connecting Devices to Your Network on
page 32.
Inline Interfaces
LICENSE: Any
SUPPORTED DEVICES: Any
You configure an inline IPS deployment transparently on a network segment by
binding two ports together. Inline interfaces allow you to install a device in any
network configuration without changing the configuration of adjacent network
devices. Inline interfaces receive all traffic unconditionally, then retransmit all
traffic received on these interfaces except traffic explicitly dropped.
You can configure one or more physical ports on a managed device as inline
interfaces. You must assign a pair of inline interfaces to an inline set before they
can handle traffic in an inline deployment.
IMPORTANT! If you configure an interface as an inline interface, the adjacent port
on its NetMod automatically becomes an inline interface as well to complete the
pair.
Configurable bypass inline sets allow you to select how your traffic is handled if
your hardware fails completely (for example, the device loses power). You may
determine that connectivity is critical on one network segment, and, on another
network segment, you cannot permit uninspected traffic. Using configurable
bypass inline sets, you can manage the traffic flow of your network traffic in one
of the following ways:
• Bypass: an interface pair configured for bypass allows all traffic to flow if the
device fails. The traffic bypasses the device and any inspection or other
processing by the device. Bypass allows uninspected traffic across the
network segment, but ensures that the network connectivity is maintained.
• Non-bypass: an interface pair configured for non-bypass stops all traffic if
the device fails. Traffic that reaches the failed device does not enter the
device. Non-bypass does not permit traffic to pass uninspected, but the
network segment loses connectivity if the device fails. Use non-bypass
interfaces in deployment situations where network security is more
important than loss of traffic.
Configure the inline set as bypass to ensure that traffic continues to flow if your
device fails. Configure the inline set as non-bypass to stop traffic if the device
fails. Note that reimaging resets appliances in bypass mode to a non-bypass
configuration and disrupts traffic on your network until you reconfigure bypass
mode. For more information, see Traffic Flow During the Restore Process on
page 199.
All appliances can contain configurable bypass interfaces. The 8000 Series
appliances can also contain NetMods with interfaces that cannot be configured
for bypass. For more information on NetMods, see 8000 Series Modules on
page 185.
Advanced options vary by appliance and can include tap mode, propagate link
state, transparent inline mode, and strict TCP mode. For information on how to
configure your inline interface sets, see Configuring Inline Sets in the Sourcefire
3D System User Guide. For more information on using inline interfaces, see
Connecting Devices to Your Network on page 32.
Switched Interfaces
LICENSE: Control
SUPPORTED DEVICES: Series 3
You can configure switched interfaces on a managed device in a Layer 2
deployment to provide packet switching between two or more networks. You can
also configure virtual switches on managed devices to operate as standalone
broadcast domains, dividing your network into logical segments. A virtual switch
uses the media access control (MAC) address from a host to determine where to
send packets.