Snort: IDS Done Well (and Good)
The Joys of Success
A few years ago, when we spoke of network intrusion security systems, we spoke of IDS (Intrusion Detection System) appliances. Recently, as the emphasis has shifted from detection to prevention, IDS has become IPS (Intrusion Prevention Systems).
The compelling force behind this change is the same one that has thrust an open source software company named SourceFire to the front of the Network Intrusion Prevention System Appliances market sector; that is, a fast changing threat environment. In an article for Military Information Technology, Deputy Undersecretary of Defense Sue Payton writes that "if the boots-on-the-ground community is urged to 'train as you fight,' the technology community that supports warfighters must similarly be urged to code as we fight," which is her way of saying that rapidly changing threats requires the agility of rapidly modifiable and accessible source code.
In other words, open source.
There are many reasons why open source software is finding a home in this country's most security-conscious departments of government. Payton is inspired by an oft-quoted truism in the open source community known as Linus' Law: "Given enough eyeballs, all bugs are shallow." This truism has been proven to the satisfaction of decision makers at DARPA, GSA, NIST, NSA as well as the Armed Forces, all of whom are implementing open source solutions for their software needs--Snort among them.
The open source part of SourceFire is known as Snort. It started out as a weekend project for a software engineer named Martin Roesch in 1998. Martin was looking to develop a "light-weight intrusion detection technology." In 2001, Roesch decided to expand on what he had accomplished with Snort and added some proprietary tools that would improve ease of operation for network administrators. The new company was named SourceFire. While Snort remained an open source, rules-based detection engine, SourceFire added proprietary modules that dramatically improved Snort's capabilities.
In 2006, Check Point Software Technologies, an Israeli enterprise security company that owns Zone Alarm, tried to acquire SourceFire for $225 million dollars. The deal never happened due to red flags raised by FBI and Pentagon officials. Check Point voluntarily withdrew its offer to purchase SourceFire. Seven months later, SourceFire announced that it had filed papers with the SEC to become a publicly traded company. This news has generated a lot of excitement in the security software community for two reasons: one, because it's the first security IPO to come along in a very long time, and two--because it would validate the open source model as a commercially viable one. The latest news on the SourceFire IPO is that it will offer 5.77 million shares of stock at an estimated $12-$14 per share.
Gartner's Magic Quadrant for Network Intrusion Prevention System Appliances (2006) lists SourceFire as one of 5 leaders in this market sector; 3com's TippingPoint, IBM, McAfee, and Juniper Networks make up the other 4.
Gartner defines Intrusion Protection appliances as "in-line devices that perform full-stream assembly of network traffic, and they provide detection using several methods including signatures, protocol anomaly detection, and behavioral or heuristics." In other words, where simple attack signature detection used to be the norm, an IPS system must be able to block vulnerability-based signatures, recognize a variety of anomalies as attacks, and let everything else through.