Sourcefire 3D System User Manual

Version 5.2 Sourcefire 3D System Installation Guide 1
Sourcefire 3D System
Installation Guide
Version 5.2

Terms of Use Applicable to the User Documentation
The legal notices, disclaimers, terms of use, and other information contained herein (the "terms") apply only to
the information discussed in this documentation (the "Documentation") and your use of it. These terms do not
apply to or govern the use of websites controlled by Sourcefire, Inc. or its subsidiaries (collectively, "Sourcefire")
or any Sourcefire-provided products. Sourcefire products are available for purchase and subject to a separate
license agreement and/or terms of use containing very different terms and conditions.
Terms of Use and Copyright and Trademark Notices
The copyright in the Documentation is owned by Sourcefire and is protected by copyright and other intellectual
property laws of the United States and other countries. You may use, print out, save on a retrieval system, and
otherwise copy and distribute the Documentation solely for non-commercial use, provided that you (i) do not
modify the Documentation in any way and (ii) always include Sourcefire's copyright, trademark, and other
proprietary notices, as well as a link to, or print out of, the full contents of this page and its terms.
No part of the Documentation may be used in a compilation or otherwise incorporated into another work or with
or into any other documentation or user manuals, or be used to create derivative works, without the express
prior written permission of Sourcefire. Sourcefire reserves the right to change the terms at any time, and your
continued use of the Documentation shall be deemed an acceptance of those terms.
Sourcefire, the Sourcefire logo, Snort, the Snort and Pig logo, Immunet, ClamAV and certain other trademarks
and logos are trademarks or registered trademarks of Sourcefire, Inc. in the United States and other countries.
Other company, product and service names may be trademarks or service marks of others.
© 2004 - 2013 Sourcefire, Inc. All rights reserved.
Disclaimers
THE DOCUMENTATION AND ANY INFORMATION AVAILABLE FROM IT MAY INCLUDE INACCURACIES OR
TYPOGRAPHICAL ERRORS. SOURCEFIRE MAY CHANGE THE DOCUMENTATION FROM TIME TO TIME.
SOURCEFIRE MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE ACCURACY OR SUITABILITY OF
ANY SOURCEFIRE-CONTROLLED WEBSITE, THE DOCUMENTATION AND/OR ANY PRODUCT INFORMATION.
SOURCEFIRE-CONTROLLED WEBSITES, THE DOCUMENTATION AND ALL PRODUCT INFORMATION ARE
PROVIDED "AS IS" AND SOURCEFIRE DISCLAIMS ANY AND ALL EXPRESS AND IMPLIED WARRANTIES,
INCLUDING BUT NOT LIMITED TO WARRANTIES OF TITLE AND THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL SOURCEFIRE BE
LIABLE TO YOU FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, PUNITIVE, OR
CONSEQUENTIAL DAMAGES (INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES, LOSS OF DATA, LOSS OF PROFITS, AND/OR BUSINESS INTERRUPTIONS), ARISING OUT OF OR IN
ANY WAY RELATED TO SOURCEFIRE-CONTROLLED WEBSITES OR THE DOCUMENTATION, NO MATTER HOW
CAUSED AND/OR WHETHER BASED ON CONTRACT, STRICT LIABILITY, NEGLIGENCE OR OTHER TORTUOUS
ACTIVITY, OR ANY OTHER THEORY OF LIABILITY, EVEN IF SOURCEFIRE IS ADVISED OF THE POSSIBILITY OF
SUCH DAMAGES. BECAUSE SOME STATES/JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION
OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATIONS MAY NOT APPLY TO
YOU.
The Documentation may contain "links" to websites that are not created by, or under the control of Sourcefire.
Sourcefire provides such links solely for your convenience, and assumes no responsibility for the availability or
content of such other sites.
2013-Oct-18 16:20

Table of Contents
Chapter 1: Introduction to the Sourcefire 3D System ... 8
Sourcefire 3D System Appliances ... 9
Defense Centers ... 9
Managed Devices ... 10
Understanding Appliance Series, Models, and Capabilities ... 10
Sourcefire 3D System Components ... 16
Licensing the Sourcefire 3D System ... 19
Using Legacy RNA Host and RUA User Licenses ... 22
Security, Internet Access, and Communication Ports ... 23
Internet Access Requirements ... 23
Open Communication Ports Requirements ... 24
Chapter 2: Understanding Deployment ... 27
Understanding Deployment Options ... 28
Understanding Interfaces ... 28
Passive Interfaces ... 29
Inline Interfaces ... 29
Switched Interfaces ... 30
Routed Interfaces ... 31
Hybrid Interfaces ... 32
Connecting Devices to Your Network ... 32
Using a Hub ... 33
Using a Span Port ... 33
Using a Network Tap ... 33
Cabling Inline Deployments on Copper Interfaces ... 34
Special Cases ... 36
Deployment Options ... 36
Deploying with a Virtual Switch ... 37
Deploying with a Virtual Router ... 38
Deploying with Hybrid Interfaces ... 40
Deploying a Gateway VPN ... 41
Deploying with Policy-Based NAT ... 42
Deploying with Access Control ... 43
Using a Multi-Port Managed Device ... 48
Complex Network Deployments ... 50
Integrating with VPNs ... 51
Detecting Intrusions on Other Points of Entry ... 51
Deploying in Multi-Site Environments ... 53
Integrating Managed Devices within Complex Networks ... 55
Chapter 3: Installing a Sourcefire 3D System Appliance ... 57
Included Items ... 58
Security Considerations ... 58
Identifying the Management Interfaces ... 58
Sourcefire Defense Center 750 ... 59
Sourcefire Defense Center 1500 ... 59
Sourcefire Defense Center 3500 ... 60
Sourcefire 3D500/1000/2000 ... 60
Sourcefire 7000 Series ... 60
Sourcefire 8000 Series ... 61
Identifying the Sensing Interfaces ... 61
Sourcefire 3D500/1000/2000 ... 62
Sourcefire 7000 Series ... 63
Sourcefire 8000 Series ... 67
Using Devices in a Stacked Configuration ... 74
Connecting the 3D8140 ... 75
Connecting the 3D8250/8260/8270/8290 ... 75
Using the 8000 Series Stacking Cable ... 79
Managing Stacked Devices ... 79
Installing the Appliance in a Rack ... 80
Redirecting Console Output ... 82
Testing an Inline Bypass Interface Installation ... 83
Chapter 4: Setting Up a Sourcefire 3D System Appliance ... 86
Understanding the Setup Process ... 87
Setting Up a Series 2 Appliance or Series 3 Defense Center ... 88
Setting Up a Series 3 Device ... 89
Configuring Network Settings Using a Script ... 90
Performing Initial Setup on a Series 3 Device Using the CLI ... 91
Registering a Series 3 Device to a Defense Center Using the CLI ... 92
Initial Setup Page: Devices ... 93
Initial Setup Page: Defense Centers ... 100
Next Steps ... 109
Chapter 5: Using the LCD Panel on a Series 3 Device ... 111
Understanding LCD Panel Components ... 112
Using the LCD Multi-Function Keys ... 113
Idle Display Mode ... 114
Network Configuration Mode ... 115
Allowing Network Reconfiguration Using the LCD Panel ... 117
System Status Mode ... 118
Information Mode ... 119
Error Alert Mode ... 121
Chapter 6: Hardware Specifications ... 122
Rack and Cabinet Mounting Options ... 122
Sourcefire Defense Centers ... 123
Sourcefire DC750 ... 123
Sourcefire DC1500 ... 129
Sourcefire DC3500 ... 135
Sourcefire Series 2 Devices ... 142
Sourcefire 3D500, 3D1000 and 3D2000 Devices ... 142
3D500/1000/2000 Physical and Environmental Parameters ... 145
Sourcefire 7000 Series Devices ... 146
Sourcefire 3D7010, 3D7020, and 3D7030 ... 146
Sourcefire 3D7110 and 3D7120 ... 153
Sourcefire 3D7115 and 3D7125 ... 162
Sourcefire 8000 Series Devices ... 172
8000 Series Chassis Front View ... 173
8000 Series Chassis Rear View ... 178
8000 Series Physical and Environmental Parameters ... 181
8000 Series Modules ... 185
Chapter 7: Restoring a Sourcefire Appliance to Factory Defaults ... 198
Before You Begin ... 198
Configuration and Event Backup Guidelines ... 199
Traffic Flow During the Restore Process ... 199
Understanding the Restore Process ... 199
Obtaining the Restore ISO and Update Files ... 201
Beginning the Restore Process ... 203
Starting the Restore Utility Using KVM or Physical Serial ... 203
Starting the Restore Utility Using Lights-Out Management ... 205
Using the Interactive Menu to Restore an Appliance ... 207
Identifying the Appliance’s Management Interface ... 209
Specifying ISO Image Location and Transport Method ... 210
Updating System Software and Intrusion Rules During Restore ... 211
Downloading the ISO and Update Files and Mounting the Image ... 212
Invoking the Restore Process ... 213
Saving and Loading Restore Configurations ... 215
Restoring a DC1000 or DC3000 Using a CD ... 217
Next Steps ... 218
Scrubbing the Contents of the Hard Drive ... 219
Setting up Lights-Out Management ... 219
Enabling LOM and LOM Users ... 221
Installing an IPMI Utility ... 222
Chapter 8: Safety and Regulatory Information ... 224
General Safety Guidelines ... 224
Safety Warning Statements ... 226
Regulatory Information ... 229
Sourcefire Defense Center 750/1500/3500 Information ... 229
Sourcefire 3D500 Information ... 230
Sourcefire Series 3 Information ... 232
Waste Electrical and Electronic Equipment Directive (WEEE) ... 238
Appendix A: Power Requirements for Sourcefire Devices ... 240
Warnings and Cautions ... 240
Interface Connections ... 240
Static Control ... 241
3D7010/7020/7030 ... 241
Installation ... 241
Grounding/Earthing Requirements ... 242
3D7110/7120 and 3D7115/7125 ... 243
Installation ... 243
Grounding/Earthing Requirements ... 244
3D8120/8130/8140 and 3D8250/8260/8270/8290 ... 245
AC Installation ... 245
DC Installation ... 247
Grounding/Earthing Requirements ... 249
Appendix B: Using SFP Transceivers on a 3D7115 or 3D7125 ... 251
3D7115 and 3D7125 SFP Sockets and Transceivers ... 251
Inserting an SFP Transceiver ... 253
Removing an SFP Transceiver ... 254
Appendix C: Inserting and Removing 8000 Series Modules ... 255
Module Slots on the 8000 Series Appliances ... 255
81xx Family ... 256
82xx Family ... 256
Included Items ... 257
Identifying the Module Parts ... 258
Before You Begin ... 259
Removing a Module or Slot Cover ... 259
Inserting a Module or Slot Cover ... 260
Glossary ... 264

CHAPTER 1
INTRODUCTION TO THE SOURCEFIRE 3D
SYSTEM
The Sourcefire 3D® System combines the security of an industry-leading
network intrusion protection system with the power to control access to your
network based on detected applications, users, and URLs. You can also use
Sourcefire appliances to serve in a switched, routed, or hybrid (switched and
routed) environment; to perform network address translation (NAT); and to build
secure virtual private network (VPN) tunnels among the virtual routers on
Sourcefire managed devices, or from managed devices to remote devices or
other third-party VPN endpoints.
The Sourcefire Defense Center® provides a centralized management console and
database repository for the Sourcefire 3D System. Managed devices installed on
network segments monitor traffic for analysis.
Devices in a passive deployment monitor traffic flowing across a network, for
example, using a switch SPAN, virtual switch, or mirror port. Passive sensing
interfaces receive all traffic unconditionally and no traffic received on these
interfaces is retransmitted.
Devices in an inline deployment allow you to protect your network from attacks
that might affect the availability, integrity, or confidentiality of hosts on the
network. Inline interfaces receive all traffic unconditionally, and traffic received on
these interfaces is retransmitted unless explicitly dropped by some configuration
in your deployment. Inline devices can be deployed as a simple intrusion
prevention system. You can also configure inline devices to perform access
control as well as manage network traffic in other ways.
This installation guide provides information about deploying, installing, and setting
up Sourcefire appliances (devices and Defense Centers). It also contains
hardware specifications and safety and regulatory information for Sourcefire
appliances.
TIP! You can host virtual Defense Centers and devices, which can manage and
be managed by physical appliances. However, virtual appliances do not support
any of the system’s hardware-based features: redundancy, switching, routing, and
so on. For detailed information, see the Sourcefire 3D System Virtual Installation
Guide.
The topics that follow introduce you to the Sourcefire 3D System and describe its
key components:
• Sourcefire 3D System Appliances on page 9
• Sourcefire 3D System Components on page 16
• Licensing the Sourcefire 3D System on page 19
• Security, Internet Access, and Communication Ports on page 23
Sourcefire 3D System Appliances
A Sourcefire appliance is either a traffic-sensing managed device or a managing
Defense Center:
Physical devices are fault-tolerant, purpose-built network appliances available with
a range of throughputs and capabilities. Defense Centers serve as central
management points for these devices, and automatically aggregate and correlate
the events they generate. There are several models of each physical appliance
type; these models are further grouped into series and family.
Many Sourcefire 3D System capabilities are appliance dependent. For more
information, see the following sections:
• Defense Centers on page 9
• Managed Devices on page 10
• Understanding Appliance Series, Models, and Capabilities on page 10
Defense Centers
The Defense Center provides a centralized management point and event
database for your Sourcefire 3D System deployment. Defense Centers, which
can be physical or virtual, aggregate and correlate intrusion, file, malware,
discovery, connection, and performance data. This allows you to monitor the
information that your devices report in relation to one another, and to assess and
control the overall activity that occurs on your network.

Key features of the Defense Center include:
• device, license, and policy management
• display of event and contextual information using tables, graphs, and charts
• health and performance monitoring
• external notification and alerting
• real-time threat response using correlation and remediation features
• reporting
For many physical Defense Centers, a high availability (redundancy) feature can
help you ensure continuity of operations.
Managed Devices
Physical Sourcefire devices are fault-tolerant, purpose-built network appliances
available in a range of throughputs. You can also host virtual devices. Devices
deployed passively help you gain insight into your network traffic. When deployed
inline, Sourcefire devices can be used to affect the flow of traffic based on multiple
criteria. You must manage Sourcefire devices with a Defense Center.
Depending on model and license, managed devices:
• gather detailed information about your organization’s hosts, operating
systems, applications, users, files, networks, and vulnerabilities
• block or allow network traffic based on various network-based criteria, as
well as other criteria including applications, users, URLs, IP address
reputations, and the results of intrusion or malware inspections
• have switching, routing, DHCP, NAT, and VPN capabilities, as well as
configurable bypass interfaces, fast-path rules, and strict TCP enforcement
• have clustering (redundancy) to help you ensure continuity of operations,
and stacking to combine resources from multiple devices
Understanding Appliance Series, Models, and Capabilities
Version 5.2 of the Sourcefire 3D System is available on two series of physical
appliances, as well as virtual appliances. Many Sourcefire 3D System capabilities
are appliance dependent. For more information, see:
• Series 2 Appliances on page 11
• Series 3 Appliances on page 11
• Virtual Appliances on page 12
• Appliances Delivered with Version 5.2 on page 12
• Supported Capabilities by Appliance Model on page 13

Series 2 Appliances
Series 2 is the second series of Sourcefire physical appliances. Because of
resource and architecture limitations, Series 2 devices support a restricted set of
Sourcefire 3D System features.
Although Sourcefire does not deliver Version 5.2 on Series 2 appliances other
than 3D500/1000/2000 devices, you can restore the following Series 2 devices
and Defense Centers to Version 5.2:
• 3D2100/2500/3500/4500
• 3D6500
• 3D9900
• DC500/1000/3000
There is no update path from Version 4.10.x to Version 5.2; you must use an ISO
image to restore your appliances. Reimaging results in the loss of all
configuration and event data on the appliance. You cannot import this data onto
an appliance after a reimage. For more information, see Restoring a Sourcefire
Appliance to Factory Defaults on page 198.
IMPORTANT! Only reimage your appliances during a maintenance window.
Reimaging resets devices in inline deployments to a non-bypass configuration
and disrupts traffic on your network. For more information, see Traffic Flow During
the Restore Process on page 199.
When running Version 5.2, Series 2 devices automatically have most of the
capabilities associated with a Protection license: intrusion detection and
prevention, file control, and basic access control. However, Series 2 devices
cannot perform Security Intelligence filtering, advanced access control, or
advanced malware protection. You also cannot enable other licensed capabilities
on a Series 2 device. With the exception of the 3D9900, which supports fast-path
rules, stacking, and tap mode, Series 2 devices do not support any of the
hardware-based features associated with Series 3 devices: switching, routing,
NAT, and so on.
When running Version 5.2, DC1000 and DC3000 Series 2 Defense Centers
support all the features of the Sourcefire 3D System; the DC500 has more limited
capabilities.
Series 3 Appliances
Series 3 is the third series of Sourcefire physical appliances. All 7000 Series and
8000 Series devices are Series 3 appliances. 8000 Series devices are more
powerful and support a few features that 7000 Series devices do not.

Virtual Appliances
You can host 64-bit virtual Defense Centers and devices on VMware ESX/ESXi.
Virtual Defense Centers can manage up to 25 physical or virtual devices; physical
Defense Centers can manage virtual devices.
Regardless of the licenses installed and applied, virtual appliances do not support
any of the system’s hardware-based features: redundancy, switching, routing, and
so on. Also, virtual devices do not have web interfaces. For detailed information
on virtual appliances, see the Sourcefire 3D System Virtual Installation Guide.
Appliances Delivered with Version 5.2
The following table lists the appliances that Sourcefire delivers with Version 5.2 of
the Sourcefire 3D System.
Version 5.2 Sourcefire Appliances
MODELS/FAMILY | SERIES | TYPE
Series 2 devices: 3D500, 3D1000, and 3D2000 | Series 2 | device
70xx Family: 3D7010, 3D7020 and 3D7030 | Series 3 (7000 Series) | device
71xx Family: 3D7110, 3D7115, 3D7120, and 3D7125 | Series 3 (7000 Series) | device
81xx Family: 3D8120/8130/8140 | Series 3 (8000 Series) | device
82xx Family: 3D8250, 3D8260, 3D8270, and 3D8290 | Series 3 (8000 Series) | device
virtual devices | none | device
Series 3 Defense Centers: DC750/1500/3500 | Series 3 | Defense Center
virtual Defense Centers | none | Defense Center
Although Sourcefire does not deliver Version 5.2 on Series 2 appliances other
than 3D500, 3D1000, and 3D2000 devices, you can reimage the following
Series 2 devices and Defense Centers to Version 5.2:
• 3D2100/2500/3500/4500
• 3D6500
• 3D9900
• DC500/1000/3000
Reimaging results in the loss of all configuration and event data on the appliance.
See Restoring a Sourcefire Appliance to Factory Defaults on page 198 for more
information.
Supported Capabilities by Appliance Model
Many Sourcefire 3D System capabilities are appliance dependent. The table
below matches the major capabilities of the system with the appliances that
support those capabilities, assuming you have the correct licenses installed and
applied. For a brief summary of these features and licenses, see Supported
Capabilities by Appliance Model on page 13 and Licensing the Sourcefire 3D
System on page 19.
The Defense Center column for device-based capabilities (such as stacking,
switching, and routing) indicates whether that Defense Center can manage and
configure devices to perform their functions. For example, you can use a Series 2
DC1000 to manage NAT on Series 3 devices. Also, a blank cell means the feature
is unsupported, while n/a marks certain Defense Center-based features that are
not relevant to managed devices.
Supported Capabilities by Appliance Model
FEATURE SERIES 2
DEVICE
SERIES 2
DEFENSE
CENTER
SERIES 3
DEVICE
SERIES 3
DEFENSE
CENTER
VIRTUAL
DEVICE
VIRTUAL
DEFENSE
CENTER
network discovery:
host, application, and
user
geolocation data DC1000,
DC3000
intrusion detection
and prevention (IPS)
Security Intelligence
filtering
DC1000,
DC3000
access control: basic
network control
access control:
applications
access control: users DC1000,
DC3000

Version 5.2 Sourcefire 3D System Installation Guide 14
Introduction to the Sourcefire 3D System
Sourcefire 3D System Appliances Chapter 1
access control: literal
URLs
access control: URL
filtering by category
and reputation
DC1000,
DC3000
file control: by file
type
network-based
advanced malware
protection (AMP)
DC1000,
DC3000
FireAMP integration n/a n/a n/a
fast-path rules 3D9900 8000 Series
strict TCP
enforcement
configurable bypass
interfaces
except
where
hardware
limited
tap mode 3D9900
switching and
routing
NAT policies
VPN
high availability n/a DC1000,
DC3000
n/a DC1500,
DC3500
n/a
device stacking 3D9900 3D8140,
82xx Family
device clustering
clustered stacks 3D8140, 82xx Family
interactive CLI

Series 3 Device Chassis Designations
The following section lists the 7000 Series and 8000 Series devices and their
respective chassis hardware codes. The chassis code appears on the regulatory
label on the outside of the chassis, and is the official reference code for hardware
certifications and safety.
7000 Series Chassis Designations
The 7000 Series Chassis Models table lists the chassis designations for the
7000 Series models available world-wide.
7000 Series Chassis Models
3D DEVICE MODEL | HARDWARE CHASSIS CODE
3D7010, 3D7020, and 3D7030 | CHRY-1U-AC
3D7110 and 3D7120 (Copper) | GERY-1U-8-C-AC
3D7110 and 3D7120 (Fiber) | GERY-1U-8-FM-AC
3D7115 and 3D7125 | GERY-1U-4C8S-AC
8000 Series Chassis Designations
The 8000 Series Chassis Models table lists the chassis designations for the
Series 3 models available world-wide.
8000 Series Chassis Models
3D DEVICE MODEL | HARDWARE CHASSIS CODE
3D8120, 3D8130, and 3D8140 (AC power) | CHAS-1U-AC
3D8120, 3D8130, and 3D8140 (DC power) | CHAS-1U-DC
3D8250, 3D8260, 3D8270, and 3D8290 (AC power) | CHAS-2U-AC
3D8250, 3D8260, 3D8270, and 3D8290 (DC power) | CHAS-2U-DC

Sourcefire 3D System Components
The sections that follow describe some of the key capabilities of the Sourcefire
3D System that contribute to your organization’s security, acceptable use policy,
and traffic management strategy.
TIP! Many Sourcefire 3D System capabilities are appliance model, license, and
user role dependent. Where needed, Sourcefire documentation outlines the
requirements for each feature and task.
Redundancy and Resource Sharing
The redundancy and resource-sharing features of the Sourcefire 3D System allow
you to ensure continuity of operations and to combine the processing resources
of multiple physical devices:
• Defense Center high availability allows you to designate redundant DC1000,
DC1500, DC3000, or DC3500 Defense Centers to manage devices.
• Device stacking allows you to increase the amount of traffic inspected on a
network segment by connecting two to four physical devices in a stacked
configuration.
• Device clustering allows you to establish redundancy of networking
functionality and configuration data between two or more Series 3 devices
or stacks.
Network Traffic Management
The Sourcefire 3D System’s network traffic management features allow Series 3
devices to act as part of your organization’s network infrastructure. You can:
• configure a Layer 2 deployment to perform packet switching between two
or more network segments
• configure a Layer 3 deployment to route traffic between two or more
interfaces
• perform network address translation (NAT)
• build secure VPN tunnels from virtual routers on managed devices to
remote devices or other third-party VPN endpoints
FireSIGHT
FireSIGHT™ is Sourcefire’s discovery and awareness technology that collects
information about hosts, operating systems, applications, users, files, networks,
geolocation information, and vulnerabilities, in order to provide you with a
complete view of your network.
You can use the Defense Center’s web interface to view and analyze data
collected by FireSIGHT. You can also use this data to help you perform access
control and modify intrusion rule states.
Access Control
Access control is a policy-based feature that allows you to specify, inspect, and
log the traffic that traverses your network. As part of access control, the Security
Intelligence feature allows you to blacklist—deny traffic to and from—specific IP
addresses before the traffic is subjected to deeper analysis.
After Security Intelligence filtering occurs, you can define which traffic is
handled by targeted devices and how it is handled, from simple IP address
matching to complex scenarios involving different users, applications, ports,
and URLs. You can trust, monitor, or block traffic, or perform further analysis,
such as:
• intrusion detection and prevention
• file control
• file tracking and network-based advanced malware protection (AMP)
Intrusion Detection and Prevention
Intrusion detection and prevention is a policy-based feature, integrated into
access control, that allows you to monitor your network traffic for security
violations and, in inline deployments, to block or alter malicious traffic. An
intrusion policy contains a variety of components, including:
• rules that inspect the protocol header values, payload content, and certain
packet size characteristics
• rule state configuration based on FireSIGHT recommendations
• advanced settings, such as preprocessors and other detection and
performance features
• preprocessor rules that allow you to generate events for associated
preprocessors and preprocessor options
File Tracking, Control, and Malware Protection
To help you identify and mitigate the effects of malware, the Sourcefire 3D
System’s file control, network file trajectory, and advanced malware protection
components can detect, track, and optionally block the transmission of files
(including malware files) in network traffic.
File control is a policy-based feature, integrated into access control, that allows
managed devices to detect and block your users from uploading (sending) or
downloading (receiving) files of specific types over specific application protocols.
Network-based advanced malware protection (AMP) allows the system to inspect
network traffic for malware in specific types of files. When a managed device
detects one of these file types, the Defense Center obtains the file’s disposition
from the Sourcefire cloud. The managed device uses this information to track and
then block or allow the file.
FireAMP is Sourcefire’s enterprise-class, endpoint-based AMP solution. If your
organization has a FireAMP subscription, individual users install FireAMP
Connectors on their computers and mobile devices. These lightweight agents
communicate with the Sourcefire cloud, which in turn communicates with the
Defense Center. In this way, you can use the Defense Center to view malware
detection and quarantines on the endpoints in your organization, as well as to
track the malware’s trajectory.
Application Programming Interfaces
There are several ways to interact with the system using application programming
interfaces (APIs):
• The Event Streamer (eStreamer) allows you to stream several kinds of event
data from a Sourcefire appliance to a custom-developed client application.
• The database access feature allows you to query several database tables on
a Defense Center, using a third-party client that supports JDBC SSL
connections.
• The host input feature allows you to augment the information in the
network map by importing data from third-party sources using scripts or
command-line files.
• Remediations are programs that your Defense Center can automatically
launch when certain conditions on your network are met. This can not only
automatically mitigate attacks when you are not immediately available to
address them, but can also ensure that your system remains compliant with
your organization’s security policy.
Licensing the Sourcefire 3D System
You can license a variety of features to create an optimal Sourcefire 3D System
deployment for your organization. You must use the Defense Center to control
licenses for itself and the devices it manages.
Sourcefire recommends you add the licenses your organization has purchased
during the initial setup of your Defense Center. Otherwise, any devices you
register during initial setup are added to the Defense Center as unlicensed. You
must then enable licenses on each device individually after the initial setup
process is over. For more information, see Setting Up a Sourcefire 3D System
Appliance on page 86.
A FireSIGHT license is included with each Defense Center purchase, and is
required to perform host, application, and user discovery. The FireSIGHT license
on your Defense Center also determines how many individual hosts and users
you can monitor with the Defense Center and its managed devices, as well as
how many users you can use to perform user control. FireSIGHT host and user
license limits are model specific, as listed in the following table.
FireSIGHT Limits by Defense Center Model
DEFENSE CENTER MODEL | FIRESIGHT HOST AND USER LIMIT
DC500 | 1000 (no user control)
DC750 | 2000
DC1000 | 20,000
DC1500 | 50,000
DC3000 | 100,000
DC3500 | 300,000

If your Defense Center was previously running Version 4.10.x, you may be able to
use legacy RNA Host and RUA User licenses instead of a FireSIGHT license. For
more information, see Using Legacy RNA Host and RUA User Licenses on
page 22.
Additional model-specific licenses allow your managed devices to perform a
variety of functions, as follows:
Protection
A Protection license allows managed devices to perform intrusion detection
and prevention, file control, and Security Intelligence filtering.
Control
A Control license allows managed devices to perform user and application
control. It also allows devices to perform switching and routing (including
DHCP relay), NAT, and to cluster devices and stacks. A Control license
requires a Protection license.
URL Filtering
A URL Filtering license allows managed devices to use regularly updated
cloud-based category and reputation data to determine which traffic can
traverse your network, based on the URLs requested by monitored hosts. A
URL Filtering license requires Protection and Control licenses.
Malware
A Malware license allows managed devices to perform network-based
advanced malware protection (AMP), that is, to detect and block malware in
files transmitted over your network. It also allows you to view trajectories,
which track files transmitted over your network. A Malware license requires a
Protection license.
VPN
A VPN license allows you to build secure VPN tunnels among the virtual
routers on Sourcefire managed devices, or from managed devices to remote
devices or other third-party VPN endpoints. A VPN license requires Protection
and Control licenses.
Because of architecture and resource limitations, not all licenses can be applied to
all managed devices. In general, you cannot license a capability that a device does
not support; see Supported Capabilities by Appliance Model on page 13.
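A pre-deployment check of the license prerequisites and FireSIGHT limits described in this section, written here as an added Python example (not Sourcefire code). The function name, device names, and counts are constructed, and it assumes the FireSIGHT limit applies to hosts and to users separately.

```python
# Added example: the values below are copied from this section's license text and table.
REQUIRES = {
    "Protection": set(),
    "Control": {"Protection"},
    "URL Filtering": {"Protection", "Control"},
    "Malware": {"Protection"},
    "VPN": {"Protection", "Control"},
}
FIRESIGHT_LIMIT = {"DC500": 1000, "DC750": 2000, "DC1000": 20000,
                   "DC1500": 50000, "DC3000": 100000, "DC3500": 300000}


def check_plan(dc_model, hosts, users, devices):
    """List problems in a planned deployment (an empty list means none found).

    devices: {device name: set of license names planned for it}; names are constructed.
    Assumption: the FireSIGHT limit applies to hosts and to users separately.
    The DC500 "no user control" note in the table is not modelled here.
    """
    problems = []
    limit = FIRESIGHT_LIMIT.get(dc_model)
    if limit is None:
        problems.append(f"{dc_model}: not in the FireSIGHT limits table")
    else:
        for kind, count in (("hosts", hosts), ("users", users)):
            if count > limit:
                problems.append(
                    f"{dc_model}: {count} {kind} exceeds FireSIGHT limit of {limit}")
    for name, licenses in sorted(devices.items()):
        for lic in sorted(licenses):
            if lic not in REQUIRES:
                problems.append(f"{name}: unknown license {lic}")
                continue
            missing = sorted(REQUIRES[lic] - licenses)
            if missing:
                problems.append(f"{name}: {lic} requires {', '.join(missing)}")
            # This section states that a DC500 cannot perform category and
            # reputation-based URL filtering, regardless of the devices it manages.
            if lic == "URL Filtering" and dc_model == "DC500":
                problems.append(f"{name}: URL Filtering cannot be managed by a DC500")
    return problems


if __name__ == "__main__":
    plan = {  # constructed sample plan
        "sensor-a": {"Protection", "Control", "VPN"},
        "sensor-b": {"Malware", "URL Filtering"},
    }
    for problem in check_plan("DC750", 2500, 500, plan):
        print(problem)
```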
The following table summarizes which licenses you can add to your Defense
Center and apply to each device model. The Defense Center rows (for all licenses
except FireSIGHT) indicate whether that Defense Center can manage devices
using those licenses. For example, you can use a Series 2 DC1000 to create a
VPN deployment using Series 3 devices, but you cannot use a DC500 to perform
category and reputation-based URL filtering, regardless of the devices it