
Sourcefire Defense Center

Sourcefire Defense Center is the nerve center of the Sourcefire 3D system. Defense Center unifies critical network security functions including event monitoring, forensic analysis, and reporting. It can correlate security events with characteristics of the target devices and prioritize security events based on real business impact.

Event Monitoring

A single Defense Center appliance can collect events from up to 100 sensors, providing users with a centralized security event view. Dozens of pre-configured workflows and reports make it easy to view large numbers of events by a wide range of criteria. Designed with enterprise deployments in mind, Defense Center is capable of handling up to one hundred million events. Its event viewing capabilities allow both identification of long-term security trends and packet-level forensic analysis.

Enterprise Policy Configuration and Health Monitoring

With Defense Center, users have complete control of policies and configuration on up to 100 sensors from a single management console. In addition to collecting and acting upon security events, Defense Center can alert users on critical sensor health metrics such as CPU utilization and available disk capacity. Alerts and actions can also be triggered if a sensor stops forwarding events or unexpectedly loses communication with the Defense Center for any reason.

Unrivaled Correlation

By leveraging Sourcefire RNA's contextual information, Defense Center addresses one of the most challenging problems facing security analysts: determining which of the many thousands of events generated daily warrant detailed investigation and which can be ignored. Defense Center correlates each Sourcefire IPS event with the target host's set of potential vulnerabilities, as determined by Sourcefire RNA, and generates an 'Impact Flag'. For example, a Linux-only exploit launched against a Windows server has a reduced potential impact on the network, because it has no chance of actually succeeding. The same exploit launched against a host that RNA knows to be vulnerable to it is flagged as a serious impact. Users can quickly focus on the relatively small number of events that really matter.

Open Architecture

Defense Center has an open architecture that allows it to interface with existing management consoles such as IBM Tivoli and HP OpenView. Consisting of an API and a reference client, Sourcefire eStreamer provides an event output capability that third-party applications can use for event analysis and archiving. Popular Security Information Management and Security Event Management (SIM and SEM) systems can consume eStreamer's event output in either raw or correlated form.

Customize Your Response to Critical Events

Defense Center's Policy and Response engine allows the creation and configuration of powerful, event-driven rules and actions. For example, a user may want an email sent whenever a particular security event targets any system running a particular operating system in a specific location. Through the Sourcefire Remediation API, rules can also reconfigure network infrastructure to disconnect or block systems that violate policy. Organizations can defend their network by analyzing events in real time and enabling automated response according to the ABCs of Defense:

  • Alert – Defense Centers can send automated warnings to individuals and other management systems, via syslog, email, or SNMP.
  • Block – Threats can be blocked or contained via techniques such as dropping traffic, disrupting sessions between devices, and integrating with network devices such as firewalls, routers and switches.
  • Correct – New vulnerabilities and threats can be automatically mitigated by integrating with patch or configuration management systems to apply configuration or code changes to eliminate possible exploitation.
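The two mechanisms described above, Impact Flag correlation (an IPS event matched against what is known about the target host) and event-driven response rules (an action fired when an event matches a condition such as target OS and location), are easy to see end to end in a small model. The block below is an added example written for this page; it is not Sourcefire code and does not use the Defense Center, RNA, eStreamer or Remediation APIs. The host inventory, signatures, events, vulnerability tags, rule names and the four-level impact scale are all constructed placeholders, not the product's documented values.

```python
"""Toy IPS-event correlation and response engine (constructed example)."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Host:
    """What a passive host profiler (RNA-style) is assumed to know about a target."""
    ip: str
    os: str                   # operating system family seen on the wire
    location: str             # where the host lives (used by the response rules)
    vulns: FrozenSet[str]     # placeholder vulnerability tags, not real CVE ids


@dataclass(frozen=True)
class Signature:
    """What an IPS rule is assumed to tell us about the attack it detects."""
    sid: int
    name: str
    target_os: FrozenSet[str]   # OS families the exploit can succeed against
    vulns: FrozenSet[str]       # placeholder vulnerability tags it exploits


@dataclass(frozen=True)
class Event:
    sid: int
    src: str
    dst: str


# Hypothetical impact scale: lower number means "look at this first".
IMPACT_VULNERABLE = 1       # target is known to carry the exploited weakness
IMPACT_POTENTIAL = 2        # target OS matches, vulnerability status unknown
IMPACT_NOT_VULNERABLE = 3   # exploit cannot succeed against this OS
IMPACT_UNKNOWN_HOST = 4     # no profile for the target at all


def impact_flag(event: Event, sig: Signature, hosts: Dict[str, Host]) -> int:
    """Correlate one IPS event with the target host's profile."""
    host = hosts.get(event.dst)
    if host is None:
        return IMPACT_UNKNOWN_HOST
    if sig.vulns and sig.vulns & host.vulns:
        return IMPACT_VULNERABLE
    if sig.target_os and host.os not in sig.target_os:
        return IMPACT_NOT_VULNERABLE
    return IMPACT_POTENTIAL


@dataclass(frozen=True)
class Rule:
    """An event-driven response rule: fire `action` when `condition` holds."""
    name: str
    condition: Callable[[Event, Signature, Optional[Host], int], bool]
    action: str


def triage(events: List[Event], sigs: Dict[int, Signature],
           hosts: Dict[str, Host], rules: List[Rule]) -> List[dict]:
    """Return one record per event, in input order, with its impact and actions."""
    out = []
    for ev in events:
        sig = sigs[ev.sid]
        host = hosts.get(ev.dst)
        impact = impact_flag(ev, sig, hosts)
        actions = [r.action for r in rules if r.condition(ev, sig, host, impact)]
        out.append({"sid": ev.sid, "dst": ev.dst, "impact": impact, "actions": actions})
    return out


def prioritize(records: List[dict]) -> List[dict]:
    """Analyst view: most impactful events first (stable within a level)."""
    return sorted(records, key=lambda r: r["impact"])


# Constructed inventory, signatures, events and rules (placeholders, not real data).
HOSTS = {
    "10.0.0.5": Host("10.0.0.5", "Windows", "dc1", frozenset({"vuln-smb-01"})),
    "10.0.0.9": Host("10.0.0.9", "Windows", "branch", frozenset()),
}
SIGNATURES = {
    1001: Signature(1001, "linux-only remote exploit", frozenset({"Linux"}), frozenset()),
    1002: Signature(1002, "smb service exploit", frozenset({"Windows"}), frozenset({"vuln-smb-01"})),
}
EVENTS = [
    Event(1001, "198.51.100.7", "10.0.0.5"),    # Linux exploit hitting a Windows box
    Event(1002, "198.51.100.7", "10.0.0.5"),    # SMB exploit hitting a known-vulnerable box
    Event(1002, "198.51.100.7", "10.0.0.9"),    # SMB exploit, OS matches, vuln status unknown
    Event(1001, "198.51.100.7", "10.0.0.77"),   # target never profiled
]
RULES = [
    # "email if this event targets any Windows system in location dc1"
    Rule("email-soc-windows-dc1",
         lambda e, s, h, i: h is not None and h.os == "Windows" and h.location == "dc1",
         "email"),
    # "block when the target is confirmed vulnerable to the exploit"
    Rule("block-confirmed-vulnerable", lambda e, s, h, i: i == IMPACT_VULNERABLE, "block"),
]

if __name__ == "__main__":
    for rec in prioritize(triage(EVENTS, SIGNATURES, HOSTS, RULES)):
        print(rec)
```

Run as written, the SMB exploit against the known-vulnerable host comes out first with both an email and a block action, the Linux-only exploit against the Windows host is pushed down to "not vulnerable" but still emails the SOC because the location rule matched, and the event against the never-profiled host lands last with no actions. That last case is the one to watch in practice: an unprofiled target is not evidence of safety, only of a blind spot in the host inventory.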

Real-time and Forensic Reporting and Analysis

The Sourcefire Defense Center includes a powerful, easy-to-use, web-based interface for real-time reporting and forensic analysis. Customizable workflows enable users to tailor the interface to fit the way they investigate and analyze security events. In addition, users can easily create standard or customized reports in PDF, HTML, and CSV formats that can be automatically emailed for easy distribution.

System Maintenance

Customers can schedule automated event and sensor maintenance tasks to occur at the Defense Center, including:

  • Performing backups
  • Generating reports
  • Downloading and applying software updates
  • Downloading and applying rule packs
  • Applying intrusion prevention and detection policies

Master Defense Center Mode

By using the Master Defense Center mode on a dedicated appliance, users with multiple Defense Centers can aggregate events centrally for analysis and reporting. Filtering of events can be configured at the Defense Center level so that only the most critical events are forwarded to the Master Defense Center.
