Sourcefire DC3500 Defense Center
Centralized and Fully Customizable Management - Manage Up to 150 Sensors

Centralized Management:

Manage Your Security Network With A Powerful, Yet Easy-To-Use, Interface

The Sourcefire Defense Center® management console is the "nerve center" of the Sourcefire 3D® System. It provides a powerful, easy-to-use interface for categorizing events, generating recurring reports, scheduling automated Snort rule updates, configuring policies, and displaying customizable dashboards to quickly communicate sensor feedback.

We offer a range of IPS solutions to address different network needs, and we complement these solutions with tailored Defense Center management consoles.

Defense Centers for Sourcefire Next-Generation IPS (NGIPS) and IPS Environments

For larger networks with dedicated security teams, our DC750, DC1500, and DC3500 Defense Centers offer the robust features described below.

Aggregating and Monitoring Events for Centralized Network Defense
All intrusion events are sent securely from Sourcefire sensors to the Defense Center for centralized storage and analysis. Each Defense Center correlates attacks with real-time network and vulnerability intelligence to assign an “Impact Flag” rating denoting the relevance and severity of the attack. This enables IT Security to weed out false positives and irrelevant attacks, dramatically reducing—by up to 99%—the number of alerts requiring analysis, saving considerable time and effort.

All Sourcefire 3D events are sent securely from Sourcefire 3D Sensors to the Defense Center (DC) for centralized analysis and storage. Designed with enterprise deployments in mind, Defense Center is capable of collecting events from up to 100 sensors and handling a maximum of one hundred million events.

Defense Center includes a powerful, yet easy-to-use, Web-based interface for event viewing, reporting, and forensic analysis. Customizable workflows enable users to tailor the interface to fit the way they investigate and analyze security events. Users can choose from dozens of pre-confi gured event views, making it easy to view large volumes of events by a wide range of criteria. Event views are easily customized and can be stored for later reuse.

Sensor Management and Health Monitoring
Depending on the Defense Center appliance model, a maximum of 3, 25, or 100 3D Sensors can be administered from a single DC interface. Once a sensor is assigned to a DC, an Admin can view its connection status, edit sensor properties, delete sensors, and create/manage/edit sensor groups.

In addition to collecting and taking action on security events, Defense Center provides centralized health monitoring for all sensors. You can be alerted when sensors are offline or overloaded, and the DC can alert users of critical sensor metrics like temperature, CPU utilization, and available disk capacity.

Customizable Dashboards, Reports, and Alerts 
Each Defense Center features an individually customizable, portal-like dashboard with dozens of pre-defined and customizable drag-and-drop “widgets” displaying critical information in the form of tables and graphs. Dashboard benefits include interactive drill-down, granular administrative privileges, and dashboard tab cycling. Users can tailor the dashboard to their role within the organization and share their dashboard with peers. Defense Center also provides customers with fully customizable reports and alerts. Users can choose from a variety of pre-defined report templates or create custom reports to meet their reporting needs. Reports can be generated in PDF, HTML, and CSV formats, while alerts can be sent via syslog, SNMP, and email.

The Sourcefire Defense Center dashboard is fully customizable and provides numerous drag-and-drop widgets that display critical security, compliance, and health events.

Centralized Policy Management 
With Defense Center, users have complete control over policies and configuration of up to 150 3D Sensors from a single management console. Sourcefire IPS™ (Intrusion Prevention System) and Sourcefire RNA® (Real-time Network Awareness) policies can be distributed down to all underlying sensors, to individual sensors, or to sensor groups. The policy management facility on the Defense Center gives users the ability to create, modify, and review Sourcefire IPS policies. Locating individual rules for examination is aided by an expanded keyword search capability, and understanding changes between two policy versions occurs with a side-by-side comparison view that highlights changes. Our innovative policy layering enables users to make changes that affect many or all Sourcefire intrusion policies. It also enables users to determine a hierarchy of policy layers that is most relevant for their organization and network.

Powerful Integration with Third-party Systems
Sourcefire offers more ways to integrate with third-party security and network management products than any other IPS vendor. Our remediation API can communicate with firewalls, routers, vulnerability scanners, patch managers, and other systems based on triggered events. The eStreamer™ interface can stream security, compliance, and sensor health events to SIEMs, log managers, and network management systems. Additionally, our event database can be accessed via a JDBC connector to generate reports from third-party reporting tools such as Crystal Reports™. The host input API can accept endpoint intelligence into its RNA host database to improve accuracy. Sourcefire also provides a selection of other third-party interfaces, including syslog, SNMP, and more.

Sourcefire Master Defense Center for Enterprise Scalability 
For large enterprises or organizations with distributed IT personnel, a single DC3500 appliance can be configured in Master Defense Center (MDC) mode to manage up to 10 subordinate Defense Centers, effectively enabling the management of hundreds of Sourcefire sensors from a single management console.

Packet-level Forensics
With Defense Center, customers can easily investigate the source and nature of an attack and what steps to take in response. Defense Center gives users sophisticated, highly customizable, easy-to-use workfl ows for investigating security events down to the packet level. Unlike most other IPSes, Sourcefire's packet-level forensics are enabled by default and do not affect sensor performance.

Automated System Maintenance
Customers can schedule automated system maintenance tasks to occur at the Defense Center at user-defi ned intervals, including:

• Performing backups
• Generating reports
• Downloading and applying software updates
• Downloading and applying Snort® rules
• Applying recommendations from RNA-Recommended Rules

Features and Benefits:

Sourcefire Defense Center Capabilities

• Store up to 150,000,000 security & host events, including packet data
• Centralized policy & sensor management
  • Centralized audit logging of configuration & security policy changes
  • Easy registration of new sensors
  • Sensor grouping for easy policy management in large enterprises
  • Secure communication with all sensors
  • Manage up to 100 Sourcefire 3D Sensors with a single Defense Center
  • MDC mode for managing up to 10 subordinate DC appliances— manage many hundreds of sensors from one DC
• Centralized health monitoring of all Sourcefire appliances
• Powerful reports, alerts, & dashboards
  • Generate enterprise- or sitespecifi c reports, graphs, & charts
  • Create incident reports & bookmarks to direct others to specific events
  • Report Designer for full report customization
  • Customized alerts & responses
  • Customized "dashboard" view of enterprise & event data
  • Dozens of pre-defined or customized drag-and-drop dashboard widgets
• Detailed packet-level forensics
• Automated event & sensor maintenance tasks
  • Centralized updating & deployment of security content
• High Availability options
• RADIUS & LDAP-based authentication capability

Sourcefire Defense Center Enables Automated IPS with Real-Time Network Intelligence

• 24x7, passive network discovery provided by Sourcefire RNA
  • Know what hosts you're protecting on a continuous basis
  • Obtain a real-time inventory of all OSes, services, applications, protocols, & potential vulnerabilities on your network
• Impact Flags assessment (powered by RNA) for determining event relevance
  • Real-time asset tracking & potential vulnerability assessment
  • Event impact analysis based on your dynamic network
  • False positive reduction by up to 99%
• Adaptive IPS
  • RNA-Recommended Rules takes guesswork out of determining which IPS rules to enable & disable
  • Non-Standard Port Handling helps to prevent possible IPS evasions by inspecting traffic on non-standard ports
  • Adaptive Traffic Profi les helps to prevent possible IPS evasions attempted through traffic fragmentation

Sourcefire Defense Center Enables Numerous Enterprise Tools

• Compliance white lists & P&R rules to monitor & enforce IT policy compliance
• Network Behavior Analysis (NBA)
  • Detect & quarantine internal threats by establishing traffic baselines & detecting anomalies
  • Monitor bandwidth consumption across the network
  • Troubleshoot network outages & performance degradations
• Sourcefire RUA for linking user identity to security & compliance events
  • Click on username to access full contact info
    • First & last name
    • Department
    • E-mail address
    • Phone number
  • Support for Active Directory & LDAP
• Third-Party System Integration Options
  • eStreamer API for offloading host & event data to 3rd-party applications
  • Remediation API for integrating Sourcefire event data into 3rd-party applications
  • Direct active scanning instances using NMAP & Nessus
• Sourcefire MDC mode for managing up to 10 subordinate DC appliances

Technical Specification:

Model	DC750	DC1500	DC3500
Performance and Functionality
Management Interfaces (copper)	10*	35*	150*
Maximum IPS Event Storage	20 million	30 million	150 million
Maximum IPS Event Rate (per second)	2,000	6,000	10,000
Maximum Flow Data Rate (per second)	2,000	6,000	10,000
Management Interface Speed	10/100/1000	10/100/1000	10/100/1000
Management Interface	RJ45	RJ45	RJ45
Memory (RAM)	2GB	6GB	12GB
Events Storage Space	100GB	125GB	400GB
Lights Out Management	Yes	Yes	Yes
Can function as Master Defense Center	No	No	Yes
Redundancy Features
Dual Power Supplies	No	No	Yes
RAID Support	No	RAID 1	RAID 5
Cooling Fans	Front to back	Front to back	Front to back
Physical and Environmental
Form Factor	1U	1U	1U
Dimensions (D x W x H)	27.19 x 16.9 x 1.7 inches	27.19 x 16.9 x 1.7 inches	27.19 x 16.9 x 1.7 inches
Shipping Weight (lbs)	33lbs	34lbs	38lbs
Power Supply	9.5 Amp max at 110V, 50/60 Hz 4.75 Amp max at 220V, 50/60 Hz	9.5 Amp max at 110V, 50/60 Hz 4.75 Amp max at 220V, 50/60 Hz	12 Amp max at 110V, 50/60 Hz 6 Amp max at 220V, 50/60 Hz
BTU Rating (per hour)	1660	2550	2550
Operating Temperature 10°C	10°C - 35°C	10°C - 35°C	10°C - 35°C
RoHS	Yes	Yes	Yes

*Maxiumum number of sensors is dependent upon sensor type and event rate.

Enabling Automated IPS With Real-Time Network Intelligence:

Network Discovery

Defense Center is far more than a management solution. Customers who use Sourcefire RNA can build a complete "network map" of their environment. RNA provides 24x7 network intelligence, storing a real-time inventory of all operating systems (OSes), services, applications, protocols, and potential vulnerabilities that exist on the network. The network map is maintained in real time on the DC, and alerts can be generated when a change occurs or when a new device is installed on the network.

Event Correlation

RNA discovers each asset's OS and its active services, protocols, and client applications, and then determines its potential vulnerabilities. Snort-based security alerts are generated at the sensor and forwarded to the DC. The DC evaluates each threat against RNA's asset data, forming the context from which the "impact" of the attack can be determined. The DC instantly correlates attack relevance based on the nature of the attack and the characteristics of the target asset. The result is real-time impact assessment and prioritization shown via Impact Flags to focus security analysts on the relatively small number of events that really matter, saving valuable time and maximizing network protection.

• Real-time asset tracking and change detection
• Event impact analysis
• False positive reduction by up to 99%

Adaptive IPS

We have explained how Defense Center performs event correlation for the Impact Flags feature of Sourcefire's Adaptive IPS strategy, which provides automated impact assessment and IPS tuning. Now let's discuss the DC's role in the remaining Adaptive IPS features—RNA-Recommended Rules, Non-Standard Port Handling, and Adaptive Traffic Profiles.

The RNA-Recommended Rules (RRR) feature takes the guesswork out of determining which IPS rules to enable and disable by recommending only those rules that pertain to potential vulnerabilities associated with the host and service information contained in the network map maintained on the DC. As new devices join or leave the network, RRR can prompt policy personnel that new rules are needed or can be disabled. The Non-Standard Port Handling feature helps to prevent possible IPS evasions by inspecting traffi c on non-standard ports. RNA identifies the ports and services on the hosts it's monitoring and adds this information to the network map. The DC then confi gures the IPS to dynamically apply the correct rules for any nonstandard ports. The Adaptive Traffi c Profi les feature helps to prevent possible IPS evasions attempted through traffic fragmentation. Via the DC, RNA provides OS data about each host to the 3D Sensor so that the sensor can dynamically adjust the traffic reassembly process in a manner consistent with different target OSes.

None of the aforementioned Adaptive IPS features are possible without the powerful aggregation and correlation capabilities of Defense Center.

Tools For The Enterprise:

Compliance White Lists and Policy and Response Rules

Compliance "white lists" and Policy and Response (P&R) rules can be used to monitor and enforce IT policy compliance. Armed with the real-time network map powered by RNA, Admins can create compliance white lists of approved host assets by simply checking and un-checking those OSes, services, applications, and protocols that can and/or cannot be used on a particular network. Defense Center will then generate alerts if RNA sees changes that indicate the violation of a compliance policy, such as introduction of unauthorized OSes, services, or applications. These alerts can be used to trigger automated responses including quarantining assets from the network.

Network Behavior Analysis

RNA's built-in RNA Flow capability, and/or the optional Sourcefire NetFlow Analysis module, can be used to perform Network Behavior Analysis (NBA). Sourcefire's NBA solution benefi ts both Information Security and Network Operations groups. RNA or NetFlow Analysis enables Information Security to guard against attacks that originate from the inside by establishing "normal" traffi c baselines and detecting network anomalies. When anomalies are detected, Defense Center can send real-time alerts via e-mail or SNMP. With information from RNA or NetFlow Analysis, the DC also enables Network Operations to monitor bandwidth consumption across the network and troubleshoot network outages and performance degradations.

Sourcefire RUA—Link User Identity to Security and Compliance Events

Sourcefire is the only IPS provider to link user identity to security and compliance events. Sourcefire RUA™ (Real-time User Awareness) passively detects Active Directory (AD) and LDAP logons, pairs usernames with their corresponding host IP address, and forwards the information to Defense Center. For each username shown on the DC's Table View of Users, the security analyst can see the corresponding IP address and the user's first and last name, department, e-mail address, and phone number. RUA drastically reduces the time and effort to determine users affected by security and compliance events, when time is of the essence.

Sourcefire RUA immediately provides full contact information for a username associated with a security or compliance event.

Powerful Integration with Third-Party Systems

Sourcefire offers more ways to integrate with third-party security and network management products than any other IPS vendor. Defense Center provides a number of remediation options, and virtually any kind of event, including IPS events, RNA events, and 3D health alerts, can be used to initiate a number of responses. Responses include the creation of syslog events, SNMP alerts, event logging, or the initiation of a custom response by leveraging the DC's Remediation API. The Remediation API ships with a number of pre-built response modules for passing critical alert data to third-party products, including Cisco routers and PIX fi rewalls, OPSEC for Check Point's VPN-1/FW-1, NMAP, and Nessus. Admins can build their own modules and achieve additional integration with a variety of other third-party applications, including helpdesk, NAC, and patch management solutions.

In addition, all IPS, RNA, and 3D Sensor health events on the DC can be forwarded via the eStreamer™ API to other applications, such as SIEM and network management platforms. The eStreamer API includes a "reference client" that allows customers to format and integrate precisely the data from Sourcefire 3D that they need. eStreamer can also be queried by third-party applications to provide host data stored in the DC's network map.

Sourcefire Master Defense Center—Enterprise Scalability

For very large organizations or organizations with distributed IT personnel, a single DC3000 can be confi gured in Master Defense Center (MDC) mode to manage up to 10 subordinate DCs, effectively allowing the management of many hundreds of sensors from a single management console. Sourcefire is the only IPS vendor to offer this powerful management capability.

Subordinate DCs can forward and aggregate selected events to the MDC for further analysis and alerting. IPS, RNA, system, and health policies can also be pushed down from the MDC to subordinate DCs and/or sensors from one centralized MDC console.

Sourcefire's Master Defense Center (MDC) capability allows management of up to 10 subordinate DC appliances.

With the MDC capability, enterprises of all shapes and sizes can reduce operating costs and achieve economies of scale when multiple DC appliances are spread throughout their organization.

Take The Next Step to Protect Your Network:

Sourcefire Defense Center is a highly customizable centralized management console for basic security and operational tasks, but it also does so much more. Below is a summary of Defense Center's key capabilities.

• Centralized event monitoring and sensor management
• Customizable dashboards with numerous drag-and-drop widgets
• Sophisticated and customizable reporting
• E-mail and SNMP alerts
• Automated Sourcefire VRT rules updates
• Enables real-time network intelligence, automated impact assessment, automated IPS tuning, IT policy compliance, NBA, and user identifi cation
• Store up to 100,000,000 events and manage up to 100 3D Sensors from a single DC
• Master Defense Center (MDC) capability for managing up to 10 subordinate DC appliances

Documentation:

Download the Sourcefire Defense Center Datasheet (PDF).

Download the Sourcefire 3D System and SSL Appliance Specifications Datasheet (PDF).