Sourcefire Snorts Virtual Security

As virtualization usage grows in datacenters and enterprise deployments, so too does the need to ensure that virtual assets are protected from real security threats.

In response, Sourcefire, the lead commercial vendor behind the open source Snort Intrusion Prevention System (IPS), is now ramping up a new virtual security offering for VMware virtual environments.

Sourcefire’s (NASDAQ: FIRE) new 3D System version 4.9 includes virtual sensors and a virtual defense center, enabling users to deploy a virtual IPS to protect their virtual machines. The virtual IPS is intended to help monitor and inspect traffic between virtual machines.

While virtualization environments may be new for many enterprises, the threats are, in some cases, the same as those that face physical assets.

“In the past, a lot of people made a big deal about not having visibility into virtual machines,” Richard Park, senior product manager at Sourcefire, told InternetNews.com. “But most people don’t put physical IPS sensors on every physical port, so obviously there are blind spots in the physical world, too. Just because it’s virtual doesn’t mean there is a whole new world of threats.”

However, Park added that there are some risks that do tend to occur more often with virtual machines and servers than physical ones. For one thing, he said users make configuration errors, connecting test hosts to production networks.

“Initially I was a skeptic when it came to using a virtual sensor for traffic between virtual machines,” Park said. “But as I started to see the possibilities for configuration errors and traffic problems, it has become clear that having a virtual sensor gives an extra layer of confidence.”

Another issue that happens more often in virtual environments is that users deploy the virtual machines without firewalls or antivirus protections. In Park’s view, what often happens is that someone just spins up the virtual machine because they can secure it.

Park added that VMware (NYSE: VMW) now has vShield, which is a simple firewall and that should help to protect users and provide basic access control.

The difference between physical and virtual

Though Sourcefire 3D 4.9 now supports virtual deployments, it doesn’t mean that the core IPS needed to be re-engineered from previous versions.

“From a pure detection and networking monitoring perspective, it’s really the same,” Park said. “As long as we have a network driver that can support the virtual network adapter, it’s really not an issue. The engineering issues are really about the fact that we do not have control over the hardware, or if other virtual machines are running.”

Also, the fact that Sourcefire’s virtual IPS does not have the same degree of control as a physical IPS device means that Sourcefire cannot offer any throughput guarantees for the IPS.

“We’ve been able to offer guarantees on throughput in the physical world, but in the virtual world, pretty much all bets are off — since so much of the environment is not under our direct control for monitoring,” Park said.

Sourcefire 3D vs. Snort

At the heart of the Sourcefire 3D product is the open source Snort IPS, which recently celebrated its 10th anniversary.

Park explained that Sourcefire’s core open source Snort engineering team takes the work that they do and then folds it into the 3D product.

“Sourcefire 3D is really the same engine as Snort, we take it and just add a management engine on top,” Park said.

While Sourcefire 3D 4.9 is set for general availability in the second half of 2009, that doesn’t mean that Snort users can’t roll their own virtual sensor today.

“You’re free to use Snort in a virtual environment, too,” Park said. “If you wanted to, you could create a virtual machine running Linux, put Snort on it and then just deploy it in a virtual environment.”

Get the Free Newsletter!

Subscribe to our newsletter.

Subscribe to Daily Tech Insider for top news, trends & analysis

News Around the Web