I often hear that there is not much point in acquiring Cisco FirePOWER: it is the same Snort, only in a hardware shell. After the recent release of Snort on the Cisco ISR 4000 series routers, this question has come up again with new force. So in this article I would like to briefly review the key differences between the freely distributed Snort intrusion detection system and the Cisco solution family united under the umbrella name FirePOWER (not to be confused with the Firepower 9300, a new high-performance, modular Cisco security hardware platform). The issue has become particularly relevant recently, as a number of Russian developers have begun using Snort as the basis for their own intrusion detection systems, which they then certify with FSTEC or the FSB.
Snort

Let's start with a brief background. Snort was created by Martin Roesch in 1998 and very quickly gained popularity as a free intrusion detection system that lets you write your own attack detection rules without much effort. In fact, the Snort signature description language has become the de facto standard for many intrusion detection systems, which have adopted it in their engines.
The basis of Snort is an engine consisting of five modules:
- Packet sniffer. As the name implies, this module captures the data transmitted over the network and hands it to the decoder. It does this using the DAQ (Data AcQuisition) library. The sniffer can work inline, in passive mode, or read network data from a previously prepared capture file.
- Packet decoder. This module parses the headers of captured packets: it analyzes them, looks for anomalies and deviations from the RFCs, examines TCP flags, excludes individual protocols from further analysis, and does other similar work. The decoder focuses on the TCP/IP stack.
- Preprocessors. Where the decoder parses traffic at layers 2 and 3 of the reference model, the preprocessors perform more detailed analysis and normalization of protocols at layers 3, 4 and 7. The most popular preprocessors include frag3 (handling fragmented traffic), stream5 (reassembling TCP streams), http_inspect (normalizing HTTP traffic), DCE/RPC2, sfPortscan (detecting port scans) and various decoders for the Telnet, FTP, SMTP, SIP, SSL, SSH, IMAP and other protocols. Some Russian developers write their own preprocessors (for example, for industrial protocols) and add them to their own Snort-based intrusion detection systems (IDS).
- Attack detection engine. This engine consists of two parts. The rule builder assembles the many different decision rules (attack signatures) into a single set optimized for use by the inspection subsystem, which examines the captured and processed traffic in search of particular violations.
- Output module. Upon detecting an attack, Snort can issue (record or display) a corresponding message in various formats: file, syslog, ASCII, PCAP, Unified2 (a binary format for fast and lightweight processing).

Both before and after Snort, other attack detection systems appeared, but it was Snort that earned the reputation of a de facto standard, confirmed by over 4 million downloads of the software from www.snort.org and over 500 thousand registered members of the official user community. What caused such love for Snort? Its language for describing network security policy violations. On the one hand, this language is very simple: a rule for detecting an attack or other security policy violation can be written in just a couple of minutes (or even faster). On the other hand, filters, complex queries, rule combinations, thresholds and time intervals allow you to write really complex network event handlers.
At the end of 2014, an alpha version of Snort 3.0 (also known as Snort++) was announced, implementing many ideas that had long been gathering dust on the shelf. In particular, the configuration system was redesigned and became more user-friendly. A mechanism for automatic identification of protocols on any port, support for parallel packet processing, and an even simpler rule description language also appeared.
Also at the end of 2014, another major change came to Snort, included in release 2.9.7 without waiting for Snort 3.0 to go into production. This is OpenAppID, a language for recognizing application protocols and an implementation of what Cisco calls Application Visibility and Control. In essence, it is a mechanism (a separate preprocessor) for describing signatures of your own applications and using them in decision rules (attack signatures). For now, Snort with OpenAppID is ahead of Cisco FirePOWER in this capability: to describe your own applications in Cisco FirePOWER today, you must either use a HEX editor or feed the system a pre-recorded PCAP file with the traffic of the application of interest. This is not very convenient and requires certain skills. The OpenAppID language, which will be supported in Cisco solutions by the end of 2015, makes this task easier.
Firepower

Three years later, in 2001, Martin Roesch founded the commercial company Sourcefire, within which a commercial version of Snort was created, called at various times 3D Sensor, FirePOWER and so on. Martin Roesch's main goal was to offer customers a ready, automated solution that did not require great effort to customize and deploy. The second goal was to create a high-performance solution capable of detecting attacks at speeds of tens of gigabits per second. That was the first generation of Sourcefire devices. Then came the second series of devices, which added application identification (it appeared in Snort only last year), the FireAMP malware detection mechanism, firewalling and a number of other functions. In the third generation a full-fledged next-generation firewall (NGFW) appeared. In 2011, Cisco announced its intention to acquire Sourcefire (several years earlier Check Point had failed to do so), and from that moment a new life began for the FirePOWER platform.

Currently the platform is offered in six implementation options:
- Separate high-performance Cisco FirePOWER Appliance devices. These are essentially the same devices that Sourcefire produced.
- The Cisco ASA with FirePOWER Services firewall, which, in addition to traditional firewall and VPN functionality (site-to-site and remote access), gained next-generation firewall (NGFW), next-generation intrusion prevention (NGIPS), content filtering, malware protection and a number of other functions.
- Cisco FirePOWER Threat Defense for ISR routers, which allows all of the above features to run on the router itself.
- Virtual versions of all the mentioned features, running on VMware.
- The new Firepower 9300 hardware platform, capable of performing many network security tasks (from firewalling and VPN to malware and DDoS protection) at speeds of hundreds of gigabits.
- The Cisco ISA 3000 and Cisco ISA 4000 industrial firewalls and intrusion detection systems.
What is the difference between the commercial software of these six platforms and Snort, which can be freely downloaded from the Internet?

What are the differences?

Let me try to highlight the key features present in FirePOWER technologies:
- One of the major changes, which appeared in 2007, was RNA (Real-Time Network Awareness), a technology that builds an up-to-date profile of everything happening in the monitored network: it builds a network map and identifies hosts, protocols and applications by passively analyzing traffic. This information is later correlated with data on attacks and other security policy violations.
- RUA (Real-Time User Awareness), a technology similar to RNA, which links user data with network activity. It is always useful to see that an attack is aimed at the user "Ivanov I.I." and not at an impersonal node with IP address 192.168.1.34.
- In 2007, Sourcefire bought the rights to ClamAV, a free antivirus that was integrated with the intrusion prevention system to analyze not network packets and connections but files transferred over the network. Later, after the acquisition of Immunet in 2011, this evolved into the AMP for Networks system, which identifies malicious code using seven different algorithms and also performs retrospective (post factum) analysis of files already inside the network. By the way, identification and blocking of files by type appeared in Snort starting with version 2.9.7.
- Martin Roesch is skeptical about the idea of firewalling, believing that attackers simply use the ports left open on the firewall to tunnel their unauthorized actions. Therefore, instead of the traditional firewall, Sourcefire solutions implemented an application-level firewall, also known as a next-generation firewall (NGFW), which can control violations in application usage, encapsulation of prohibited traffic inside applications, and so on. By the way, for this very reason NGFWs are almost impossible to certify under the Russian requirements for firewalls: NGFWs simply do not have that functionality; it is not their task.
- To implement the NGFW function, you must be able to identify the applications running on the network. This is done with the AppID technology, which essentially became the basis for the OpenAppID technology mentioned earlier. In addition to the predefined application detectors, you can describe your own applications (as described above).
- That said, traditional firewall functions have not been left out of FirePOWER either. In particular, on any of the six platforms using FirePOWER technologies, firewall rules in security policies can use zones, VLANs, IP addresses and ports, as well as users and groups.
- In addition to blocking traffic by IP address, URL filtering was implemented in FirePOWER. When SSL is used, it can be decrypted and then inspected. Currently SSL inspection is only available on the FirePOWER Appliance, but by the end of 2015 it will be implemented on the other platforms.
- Having on board a single sensor not only an intrusion detection system but also a firewall, an anti-malware system, URL filtering and a number of other security technologies, it was logical to combine their capabilities for identifying indicators of compromise (IOC), which was done in one of the FirePOWER versions.
- To reduce the load on the sensors, the so-called Security Intelligence function was implemented, which maintains black and white lists of IP addresses. This allows trusted traffic to be skipped and known-malicious traffic to be blocked outright. It is done at the decoder level, which ultimately improves the performance of the whole system. Another integrated feature is geolocation support, which geo-references the addresses recorded in network packets and sessions.
- FirePOWER has built-in detection of protected content by checksums (it also appeared in Snort 2.9.7), which can be used as a lightweight DLP system.
- In terms of network capabilities, FirePOWER supports NAT and routing, which Snort lacks, as well as device stacking for higher performance (FirePOWER Appliance only) and clustering (Cisco ASA with FirePOWER Services only) of up to 16 devices. With clustering, aggregate performance is 640 Gbit/s in firewall mode and 160 Gbit/s in IPS mode.
- The commercial software code was optimized (Intel C is used instead of GCC), and the FirePOWER Appliance also uses special network cards that balance the load and the processing of TCP flows between several cores on one device. They are also used for stacking several devices. Support for multi-core processors should be implemented in Snort 3.0.
We could stop here, having completed the comparison of the protective sensors based on Snort and FirePOWER. But that is not all a complete protection system needs, especially in a corporate environment. Let's see which management functions, including centralized ones, are offered together with Snort or FirePOWER.
Snort itself has no management system. However, the output module lets you pass the results of its work to external systems, and developers did not fail to take advantage of this, offering the market several different systems for managing Snort, generating reports, and analyzing and visualizing its security events. Among them are ACID (not updated for a long time), BASE, Snorby, Sguil and Aanval (a commercial solution). I worked with ACID a very, very long time ago, when I was writing the book "Detection of Attacks". Moreover, like BASE, ACID has no advanced analytical capabilities for working with data. I have not worked with Aanval, and commercial third-party management systems for free Snort are not exactly what you need (although in some cases it is possible). But as for Snorby and Sguil, I can say that the second is more popular. Let's try to compare it with the "native" FirePOWER sensor management system, the FireSIGHT Management Center (formerly called Defense Center).

What is Sguil? In essence, it is a system that aggregates events from Snort and visualizes what the Snort output module emits: the alert, the packet contents and other related information. Sguil then lets you launch other tools from it for a more detailed investigation of recorded events. These tools may include:
- Squert, a web application for running queries against and displaying the data stored in the Sguil database.
- ELSA, a centralized log management system, a sort of lightweight SIEM.
- NetworkMiner, a network forensics tool that works on the pcap file received from Snort.
- Wireshark, which needs no introduction.
In principle, if you have the skills and the time, you can build a good system for managing the events Snort gives us from a combination of Sguil and other monitoring tools (for example, those included in Security Onion). But that is all... Rule management, sensor configuration, status tracking, updates, event database backup, role-based access control, hierarchical management, report generation... All of this remains out of reach for Sguil users.

The "native" FireSIGHT Management Center is free of these shortcomings. Among its functions:
- Centralized management and configuration of multiple FirePOWER sensors.
- Updating sensors without having to recompile the code (remember to specify the correct parameters).
- Correlation of events not only from several IDS sensors but also from different types of protection tools and technologies: firewall, AMP, RNA, RUA, etc.
- Creation of security policies.
- Incident investigation.
- Management of profiles for each host (addresses, OS, applications, protocols, users).
- AD integration and centralized, hierarchical user management.
- Monitoring the status of remote sensors.
- Customizable dashboard for displaying various information.
- Report generation.
- Database backup.
- Etc.

In fact, FireSIGHT is a means of automating routine tasks, which is so valuable when responding to incidents. For example, both Snort and FirePOWER have a HAT (Host Attribute Table), an XML file that associates each IP address with the operating system running on it, as well as with its "service-port" mappings. In Snort this file is created manually, which can be difficult on a large network. In FirePOWER the file is created automatically by RNA and requires no manual work. There are many such examples.
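Since Snort's HAT has to be maintained by hand, the practical way to keep it in step with a large network is to generate it from an asset inventory. The script below is an added example (not code from the article, from Snort or from Cisco) that emits a host attribute table following the layout of the Snort manual's HAT example, where each leaf carries an ATTRIBUTE_VALUE plus a CONFIDENCE and OS names are defined once in the ATTRIBUTE_MAP and referenced by ATTRIBUTE_ID; the inventory, IP addresses and policy names are constructed assumptions.

```python
import xml.etree.ElementTree as ET
INVENTORY = [  # constructed sample hosts (hypothetical, not from the article)
    {"ip": "192.168.1.34", "os": "Linux", "policy": "linux",
     "services": [("tcp", 22, "ssh"), ("tcp", 80, "http")]},
    {"ip": "192.168.1.50", "os": "Windows", "policy": "windows",
     "services": [("tcp", 445, "smb"), ("tcp", 3389, "rdp")]},
]

def _valued(parent, tag, value, confidence="100"):
    el = ET.SubElement(parent, tag)
    ET.SubElement(el, "ATTRIBUTE_VALUE").text = str(value)
    ET.SubElement(el, "CONFIDENCE").text = confidence

def build_hat(inventory):
    root = ET.Element("SNORT_ATTRIBUTES")
    amap = ET.SubElement(root, "ATTRIBUTE_MAP")
    table = ET.SubElement(root, "ATTRIBUTE_TABLE")
    ids = {}  # OS name -> numeric ATTRIBUTE_ID, defined once in ATTRIBUTE_MAP
    for h in inventory:
        if h["os"] not in ids:
            ids[h["os"]] = str(len(ids) + 1)
            entry = ET.SubElement(amap, "ENTRY")
            ET.SubElement(entry, "ID").text = ids[h["os"]]
            ET.SubElement(entry, "VALUE").text = h["os"]
        host = ET.SubElement(table, "HOST")
        ET.SubElement(host, "IP").text = h["ip"]
        osys = ET.SubElement(host, "OPERATING_SYSTEM")
        name = ET.SubElement(osys, "NAME")
        ET.SubElement(name, "ATTRIBUTE_ID").text = ids[h["os"]]
        ET.SubElement(name, "CONFIDENCE").text = "100"
        ET.SubElement(osys, "FRAG_POLICY").text = h["policy"]    # reassembly model for frag3
        ET.SubElement(osys, "STREAM_POLICY").text = h["policy"]  # reassembly model for stream5
        svcs = ET.SubElement(host, "SERVICES")
        for proto, port, app in h["services"]:
            svc = ET.SubElement(svcs, "SERVICE")
            _valued(svc, "PORT", port)
            _valued(svc, "IPPROTO", proto)
            _valued(svc, "PROTOCOL", app)
    return ET.tostring(root, encoding="unicode")

def hosts_in_hat(xml_text):
    # Read a HAT back into {ip: (os_name, [(ipproto, port, app), ...])} for review.
    root = ET.fromstring(xml_text)
    names = {e.findtext("ID"): e.findtext("VALUE") for e in root.iter("ENTRY")}
    result = {}
    for host in root.iter("HOST"):
        svcs = [(s.findtext("IPPROTO/ATTRIBUTE_VALUE"), int(s.findtext("PORT/ATTRIBUTE_VALUE")),
                 s.findtext("PROTOCOL/ATTRIBUTE_VALUE")) for s in host.iter("SERVICE")]
        result[host.findtext("IP")] = (names[host.findtext("OPERATING_SYSTEM/NAME/ATTRIBUTE_ID")], svcs)
    return result
```

Write the string returned by build_hat to a file and point the attribute_table directive in snort.conf at it; hosts_in_hat is there to check the generated file before loading it.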
Sguil has two advantages over the native FireSIGHT Management Center. First, it is free. Second, it displays data from the sensors in real time, whereas FireSIGHT refreshes data at most once per minute. But FireSIGHT lets you integrate FirePOWER sensors with various external security systems used in the corporate segment: security scanners, firewalls, routers and switches, packet capture systems, security event visualization systems, SIEM, etc. This is done through special APIs, which Snort lacks (although with the help of various scripts you can try to integrate it with a number of similar free protection tools).
Summary

In conclusion, I would not like to draw any conclusions except one. FirePOWER technologies, previously owned by Sourcefire and later acquired by Cisco, and the free Snort attack detection system, once the basis of Sourcefire solutions, are not the same thing. Not the same at all. Yes, Snort remains the de facto standard for attack detection systems, but Cisco FirePOWER is much more than just an IDS. Here you will find an application-level firewall, URL filtering, malware protection, built-in event correlation, incident investigation, integration with security scanners, and many other functions that automate routine security tasks.
