Sourcefire 3D IPS/IDS/NAC/NBA suite

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

Is anyone here running any of Sourcefire's stuff on their network? (other than a home-rolled Snort box)

I went to one of their briefings at Old Trafford today (walked right past fergie's office on the ground tour and went in the changing rooms too - but didn't have the cojones to take a piss in the corner

I was mightily impressed - I've been doing a bit of research on them for the past few months cos I have installation of an enterprise-class IDS system on my roadmap at work for Q4 this year or Q1 next so i sort of knew what to expect, but it was still really good to see it demonstrated in real-time, with Sourcefire's nerds there rather than a load of salesmen.

However, a lot of NAC stuff is snake oil - you can spend months setting it up and monitoring it can easily be a full time job in and of itself, so if anybody runs any of their stuff at work I'd really like to know how it performs in the real world. We've got our own NAC in place at the moment, but its hideously complex (Mirage), so its only in Learning mode still - i haven't had the nerve to switch it over to mitigation mode yet cos I don't much fancy someone ringing me up at 3 AM to tell me a server's not working because its been placed in a 'deny comms' blacklist

I'm specifically interested in the NBA (Network Behaviour Analysis) features - when they were demonstrated I could instantly see numerous benefits to them as they allow you to baseline your network for a while - which allows you to see any incongruities and mitigate against them ahead of time before everything settles down, giving you a 'static picture' of what your network should look like. This looks like it would really aid me when i come to deploying it - and hopefully eliminate the 'nasty surprise' factor of dropping a NAC box into a network then crying as it tarpits all your servers!

Any advice or feedback would be greatly appreciated.

Cheers!