Sourcefire's Real-time Network Awareness (RNA) Sensor 2000 is like a magic eye that watches everything happening on your network. By combining passive network analysis with a Web-based management system, Sourcefire delivers a wealth of information about the systems and services on your network; the downside is that it is up to you to make sense of it all.
To help network managers understand the information from RNA Sensors and the alerts and events from the company's intrusion-detection system (Intrusion Sensor), Sourcefire offers the Defence Centre, which provides a central view of alerts and events, network configuration information and forensic data. If purchased collectively, Sourcefire calls the package its 3D Product Suite.
RNA Sensors sit passively on the network and watch the traffic pass by. The RNA Sensor we tested had four Ethernet interfaces, but we used only one, relying on virtual LAN-based monitoring to give the sensor visibility into different parts of our production network. While this virtual LAN capability is a great feature within a single site, monitoring multiple sites means deploying multiple sensors.
Configuration is simple: once you tell RNA Sensor what networks to watch, it begins collecting data and populating its databases. As it watches the packets fly by, it builds a model of the network topology and pinpoints the hosts on your network, the network applications they are running, and the users and devices they are communicating with. Because RNA Sensor watches every connection to every host, it also collects information about specific network flows, such as a particular HTTP connection from a client to a server.
RNA Sensor's information about our network was quite accurate. Application identification was excellent, as the sensor found obscure mail servers on non-standard ports and managed to get product and version information for most products. When it came to guessing operating systems, the results were mixed. RNA Sensor collected the least amount of information for embedded systems, such as printers and time servers.
Strictly name, rank and number
RNA Sensor has piles of useful information, but it doesn't volunteer specific data if you don't ask for it. If you go to the dashboard, it doesn't have a big flashing light saying "Hey, look at this." This policy-free architecture is great for the sophisticated network professional, but you have to have an idea of what you want to know, or combine it with Sourcefire's Defence Centre management console, before it becomes a very useful tool.
For example, when we got a complaint about poor performance at a site, we made an educated guess and looked at the flow summary for the top 10 connection initiators. RNA Sensor showed us a list, and the system at the top of it far outweighed any other device on the network. It had been compromised by an attacker and was actively looking for other vulnerable systems, consuming lots of bandwidth. Looking at the detailed flow data RNA Sensor held for that system, we quickly identified the scanning pattern and even the IP address to which it reported. When you do know what you're looking for, RNA Sensor can provide the data.
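The two questions asked in that incident, who opens the most connections and whether the busiest host's traffic is a sweep plus a report-back channel, can be answered from per-connection flow summaries alone. The following is an added example written for this page, not Sourcefire code; the flow records are constructed to mimic one (source, destination, destination port, bytes) summary per connection, and the fan-out and byte thresholds are illustrative choices.

```python
"""Flow-summary triage over passive flow records (added example, not Sourcefire code)."""
from collections import Counter, defaultdict

# Constructed sample: ordinary mail and web traffic, plus one host (10.1.1.23)
# sweeping TCP/445 across 10.1.2.0/24 with tiny flows and talking repeatedly
# to a single outside address on 6667.
SAMPLE_FLOWS = (
    [("10.1.1.10", "10.1.1.5", 25, 12000),
     ("10.1.1.11", "10.1.1.5", 25, 8000),
     ("10.1.1.12", "10.1.1.8", 80, 150000),
     ("10.1.1.10", "10.1.1.8", 80, 90000)]
    + [("10.1.1.23", "10.1.2.%d" % n, 445, 64) for n in range(1, 201)]
    + [("10.1.1.23", "203.0.113.9", 6667, 2048)] * 12
)


def top_initiators(flows, n=10):
    """Rank source addresses by the number of connections they initiated."""
    return Counter(src for src, _dst, _port, _bytes in flows).most_common(n)


def scan_profile(flows, src, fanout_threshold=50, max_scan_bytes=256):
    """Break one source's outbound traffic down by destination port.

    A port is flagged as scanned when the source touched at least
    `fanout_threshold` distinct destinations on it with flows averaging no
    more than `max_scan_bytes` (thresholds are assumptions, not sensor
    defaults). Everything else is listed separately, because a scanner's
    remaining conversations are where its controller tends to be.
    """
    dests = defaultdict(set)
    total_bytes = defaultdict(int)
    count = defaultdict(int)
    for s, dst, dport, nbytes in flows:
        if s != src:
            continue
        dests[dport].add(dst)
        total_bytes[dport] += nbytes
        count[dport] += 1
    scanned = sorted(
        p for p in dests
        if len(dests[p]) >= fanout_threshold
        and total_bytes[p] / count[p] <= max_scan_bytes
    )
    other = {p: sorted(dests[p]) for p in dests if p not in scanned}
    return {
        "scanned_ports": scanned,
        "targets_per_port": {p: len(d) for p, d in dests.items()},
        "other_destinations": other,
    }


if __name__ == "__main__":
    ranking = top_initiators(SAMPLE_FLOWS)
    print("top initiators:", ranking)
    busiest = ranking[0][0]
    print("profile of %s: %s" % (busiest, scan_profile(SAMPLE_FLOWS, busiest)))
```

On the constructed data the busiest initiator is the sweeping host, port 445 is the only port with scan-like fan-out, and the one destination left over once the sweep is set aside is the outside address it keeps returning to. The same two steps apply to any per-connection export; only the record layout changes.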
Once you start asking questions, you can customise display screens to present and summarise information and generate reports. Read about a patch for an obscure FTP server and want to know if you're running the vulnerable version? RNA Sensor will give you that information in two clicks, even if the FTP server is running on a non-standard port. Need a table of all your BSD-based hosts, along with version numbers? That takes three clicks (plus you have to type "BSD").
There are limits, though: RNA Sensor doesn't show information such as patch levels or applications running within Web servers. And it only keeps track of network server applications, not client applications, so you can't find out what Web browsers or e-mail clients users have, for example.
Events and policy
RNA Sensor offers a limited policy-compliance tool kit. As the product gathers information about systems, it generates internal events. You can search the event logs at any time, or with the policy tool kit you can build rules that watch for particular combinations of events and values. When these incidents occur, RNA Sensor will send email, an SNMP trap or a syslog message.
The main problem with this policy-compliance tool kit is its limited vocabulary. For example, you can be alerted if a host suddenly starts running any new service, but you cannot specify that it be only a new mail service. Although you can be alerted about any RNA Sensor event, the detail is coarse enough that you'd need another tool, such as a security event manager.
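The mechanism described above is simple: the sensor's host table changes, each change becomes an internal event, and a rule fires on an event's kind and values. The following added example (written for this page, not Sourcefire code) models that pipeline on constructed inventory snapshots of the form {host: {port: service}}, and includes the one thing the review says the product's vocabulary lacks, a rule that fires only on a new service of a particular type.

```python
"""Inventory-change events and policy rules (added example, not Sourcefire code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str      # "new_service" or "service_gone"
    host: str
    port: int
    service: str


def diff_inventory(before, after):
    """Turn two inventory snapshots into the events a sensor would log."""
    events = []
    for host, services in after.items():
        for port, service in services.items():
            if port not in before.get(host, {}):
                events.append(Event("new_service", host, port, service))
    for host, services in before.items():
        for port, service in services.items():
            if port not in after.get(host, {}):
                events.append(Event("service_gone", host, port, service))
    return events


def make_rule(kind, service=None):
    """Build a predicate over events.

    service=None reproduces the coarse 'any new service' rule; passing a
    service name restricts it (for example to new mail listeners only),
    which is the finer vocabulary the review asks for.
    """
    def rule(event):
        return event.kind == kind and (service is None or event.service == service)
    return rule


def evaluate(events, rules):
    """Return (rule name, event) pairs for every rule/event match; in a
    deployment each pair would become a syslog line, SNMP trap or mail."""
    return [(name, ev) for name, rule in rules.items() for ev in events if rule(ev)]


# Constructed snapshots: a host grows an SMTP listener on a non-standard port
# and a new web host appears.
SNAPSHOT_T0 = {"10.1.1.5": {22: "ssh", 25: "smtp"}, "10.1.1.8": {80: "http"}}
SNAPSHOT_T1 = {"10.1.1.5": {22: "ssh", 25: "smtp"},
               "10.1.1.8": {80: "http", 2525: "smtp"},
               "10.1.1.9": {80: "http"}}

RULES = {
    "any-new-service": make_rule("new_service"),
    "new-mail-service": make_rule("new_service", service="smtp"),
}

if __name__ == "__main__":
    for name, ev in evaluate(diff_inventory(SNAPSHOT_T0, SNAPSHOT_T1), RULES):
        print("%-16s %s %s:%d (%s)" % (name, ev.kind, ev.host, ev.port, ev.service))
```

The coarse rule fires twice on these snapshots (a new web host and a new mail listener), the restricted rule only once, on the mail listener at 10.1.1.8:2525. That difference is the whole point of a richer rule vocabulary: without it, every new service on every host lands in the same bucket and the sorting has to happen in a downstream event manager.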
The true power of RNA for policy compliance and monitoring comes in the Defence Centre, and this is where Sourcefire hits its stride. When RNA Sensors are connected to a Defence Centre console, policy-compliance rules are evaluated on the management console, which means you can combine the results from multiple sensors when writing policy rules. That gives you more to work with, but it still falls short of writing rules that combine RNA Sensor and Intrusion Sensor events.
Sourcefire's Defence Centre does some limited correlation of Intrusion Sensor and RNA Sensor information in a feature the company calls impact alerting. The idea sounds great: match up an Intrusion Sensor alert with RNA Sensor information, and send only the relevant alerts. Unfortunately, it doesn't work well.
Because RNA Sensor doesn't have perfect knowledge of what is and isn't vulnerable on the network, you get irrelevant impact alerts. While you can filter out the Intrusion Sensor alerts, which keeps the corresponding impact alerts from showing up, you can't do anything about RNA Sensor's knowledge base: there is no way to add or modify information to make RNA Sensor smarter about a host's services or vulnerabilities. So if RNA Sensor has misdetected an operating system or doesn't realise that a patch has been applied, you can't correct it.
Unlike the Intrusion Sensor rules, which are fully customisable and visible, the impact rules that correlate RNA Sensor information with Intrusion Sensor alerts are opaque: they can't be viewed or individually enabled or disabled. The only control you have is whether to receive alerts classified as "vulnerable," "potentially vulnerable," "currently not vulnerable," or "unknown." If you disagree with Sourcefire's embedded analysis, you have to suppress the Intrusion Sensor alert so that it never reaches the impact-alerting part of your management console. Sourcefire engineers acknowledge this and are working to improve impact alerts, company officials say.
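To make the complaint above concrete, here is an added example of what impact classification has to do and where it goes wrong. It is written for this page and is not Sourcefire's impact-alerting logic (which, as noted, is not visible); the classification order is an assumption, and the product name "exftpd", the versions and the rule ID "hyp-ftp-1" are hypothetical. It produces the four outcome classes named in the text from an IDS alert and a passively built host profile, and adds the override hook the review says the product lacks: an analyst recording that a host is patched even though the sensor still sees the old banner.

```python
"""Impact classification of IDS alerts against a passive host inventory
(added example, not Sourcefire code; products, versions and rule IDs are
hypothetical)."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass
class HostProfile:
    ip: str
    os_family: Optional[str]                         # None = not fingerprinted
    services: Dict[int, Tuple[str, Optional[str]]]   # port -> (product, version)


@dataclass
class Alert:
    sid: str            # IDS rule identifier (hypothetical)
    target: str         # destination IP of the triggering packet
    port: int
    product: str        # product the rule is written for
    fixed_in: str       # first non-affected version
    os_family: str


def parse_version(v: str) -> Tuple[int, ...]:
    return tuple(int(x) for x in v.split("."))


def classify(alert: Alert, inventory: Dict[str, HostProfile],
             patched: Dict[str, Set[str]]) -> str:
    """Return one of: vulnerable, potentially vulnerable,
    currently not vulnerable, unknown. The ordering below is an assumption."""
    if alert.sid in patched.get(alert.target, set()):
        return "currently not vulnerable"      # analyst override wins
    host = inventory.get(alert.target)
    if host is None or not host.services:
        return "unknown"                       # never seen, or nothing profiled
    svc = host.services.get(alert.port)
    if svc is None:
        return "currently not vulnerable"      # nothing listening there
    product, version = svc
    if product != alert.product:
        return "currently not vulnerable"
    if host.os_family is not None and host.os_family != alert.os_family:
        return "currently not vulnerable"
    if version is None or host.os_family is None:
        return "potentially vulnerable"        # right product, facts missing
    if parse_version(version) < parse_version(alert.fixed_in):
        return "vulnerable"
    return "currently not vulnerable"


# Constructed inventory and alerts (hypothetical product "exftpd", fixed in 1.5.0).
INVENTORY = {
    "10.1.1.5": HostProfile("10.1.1.5", "bsd", {21: ("exftpd", "1.4.2")}),
    "10.1.1.6": HostProfile("10.1.1.6", "bsd", {21: ("exftpd", None)}),
    "10.1.1.7": HostProfile("10.1.1.7", "linux", {21: ("otherftpd", "3.0")}),
    "10.1.1.8": HostProfile("10.1.1.8", None, {21: ("exftpd", "1.4.2")}),
    "10.1.1.9": HostProfile("10.1.1.9", "bsd", {21: ("exftpd", "1.5.0")}),
}
ALERTS = [Alert("hyp-ftp-1", ip, 21, "exftpd", "1.5.0", "bsd")
          for ip in ("10.1.1.5", "10.1.1.6", "10.1.1.7", "10.1.1.8",
                     "10.1.1.9", "10.1.1.99")]


def impact_report(alerts, inventory, patched=None):
    """Map each alert's target to its impact class."""
    patched = patched or {}
    return {a.target: classify(a, inventory, patched) for a in alerts}


if __name__ == "__main__":
    print(impact_report(ALERTS, INVENTORY))
    # Same alerts after the analyst records that 10.1.1.5 was patched.
    print(impact_report(ALERTS, INVENTORY, {"10.1.1.5": {"hyp-ftp-1"}}))
```

Two of the constructed hosts illustrate the failure modes from the text. 10.1.1.8 runs the affected version but was never fingerprinted, so it can only be rated "potentially vulnerable"; 10.1.1.5 is rated "vulnerable" on the banner alone, and stays that way after a patch unless something like the `patched` override exists. Without that hook the only lever left is the one the review describes: suppressing the IDS rule itself, which also hides the alert for hosts that really are exposed.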
By itself, or integrated with Sourcefire's Defence Centre, RNA Sensor is a powerful tool for discovering and reporting on what is happening on your network. However, like many tools, what you get out of it depends on the skill of the craftsman.