Sourcefire: Don't Snort at open-source security

Martin Roesch, the man behind the Snort open-source intrusion-detection technology, talks about the latest version and how Sourcefire plans to avoid being eaten up by Barracuda
Written by Peter Judge, Contributor

Sourcefire has an enviable position in the security world. Its open-source software is widely used for intrusion detection and prevention, and its hardware appliances brought in revenues of around $56m (£28m) last year.

The company is also preparing for a major expansion, based on a rebuild of its core technology aimed at making it run better on modern hardware. At the same time, it is fighting off a hostile takeover bid from antivirus company Barracuda Networks.

As chief technology officer of Sourcefire, Martin Roesch is the man behind plans focusing on a new version of Snort, an open-source intrusion-detection and prevention (IDS/IPS) system.

Roesch had another job when he developed Snort in the 1990s, but found himself spending all his spare time on the project, so he founded Sourcefire in 2001 to build a commercial business around it: "I was working on Snort 40 hours a week, between 10pm and 3am. I thought I should maybe get paid for it," he says.

Sourcefire sells appliances that ease deployment of Snort in large enterprises with a lot of network traffic to monitor. "Snort is the pre-eminent IPS technology, but it's a pain in the butt to deploy," admits Roesch. "Sourcefire decided to solve that. We built an appliance and put all the stuff together to make an enterprise-grade system." The appliances are sold with a perpetual licence and Sourcefire charges for maintenance and services.

With around $50m in investment, Sourcefire grew rapidly and went public in 2007. Its technology developed too, with the notable additions of Real-Time Network Awareness (RNA), which keeps an active profile of everything on the user network, and Real-Time User Awareness, which links network activity with users rather than just the system they use: "It spots if Bob in accounts is suddenly sending stuff to China," says Roesch. "That's very meaningful in IT security."

Roesch claims to be comfortable competing against Cisco, IBM, McAfee, and 3Com TippingPoint: "We're never going to be bigger than them, so we've got to be smarter than them. We're in the Gartner 'magic quadrant'; we're capable of executing."

Keeping analysts onside could be challenging, as the company faces increased competition from hardware and software rivals, as well as meeting the demands of integration with other technologies. However, Roesch argues that his appliances, designed for scaling up, are able to handle changes in technology: "We're well suited as dynamism increases."

Roesch is more cautious when it comes to virtualisation: "Do we need to virtualise the IPS? My theory is that it doesn't make sense. Don't put the IPS on the hypervisor." Instead, given enough resources, one IPS should be able to handle all the virtualised systems on a network, he says.

But those resources are an issue, says Roesch: "IPS is a needy technology." It has to examine activity in real-time and its rules need to be kept up-to-date.

Roesch wants to integrate the IPS with other technologies. "Threat management has three phases," he says. "Before the threat, the firewall and patch management should prevent threats; during the attack, the IPS should block them; and, afterwards, network-behaviour analysis [NBA] should reveal damage and remedy it."

"These tend to be stove-piped technologies, where nobody talks to anyone," he says. It takes human effort to get threat data from one security product to another, and human effort is at a premium, says Roesch: "There are not enough people. You have got to get people out of the equation. You have to automate."

Sourcefire's products have open APIs, which can integrate with other security and network products. It may be useful, for instance, to shut down a switch port if there is suspicious activity, but that requires integration with the hardware.

One way to get products working together is to buy them in. In 2007, Sourcefire bought the ClamAV open-source antivirus project. "It's the Snort of the antivirus world," says Roesch. It also complements Snort, since antivirus software operates on files, while IPS operates on packets in real-time.

Roesch claims not to be in a hurry to buy in other technology, however, and is particularly sceptical about firewalls. "Firewalling just pushes attacks to ports 80, 25 and 53," he says, warning that attackers will use the same tunnels that users and IT managers keep open to get their own applications through the firewall.

Roesch is working on version 3.0 of Snort, a fundamental re-architecting of the IPS technology that should be available as a beta version in about three weeks. "Beyond that, we don't have a planned date to finalise the code. There is about a quarter of a million lines there."

"The main focus is on improving the performance on modern hardware," says Roesch. "That's the major issue for an in-line system." Snort was first designed on Pentium systems and was not built to handle multicore architectures. It will be multithreaded and operate continuously, so users can update the rule base without shutting down the system. Snort 3.0 will handle VoIP better, with more intelligent flow management, Roesch adds.

"We will have a lot of beta users and a lot of new stuff," he says. Snort 3.0 will include a new packet decoder and the higher layers will be modularised, with separate modules for different tasks. These could include DNS blacklisting and URL filtering, and could even include a firewall module, if Roesch decides Sourcefire can improve on firewall technology.

While all that is happening, the company is fighting off a hostile bid from antivirus company Barracuda. The bid values the company at $187m, or $7.50 a share, which is 13 percent higher than the stock-market price, but still only half of what the company was worth a year ago.

Roesch takes exception to news reports that Sourcefire is "ailing". "It's a reflection of the macro environment," he says, mentioning mortgages and signs of a recession.

Barracuda has also made much of how antivirus and IPS technologies complement each other. The company makes antivirus appliances that it says would work well alongside Sourcefire's IPS boxes. Ironically enough, Barracuda already uses Sourcefire's open-source ClamAV antivirus software, a fact cited in a patent lawsuit filed by Trend Micro.

Roesch thinks Sourcefire is stronger on its own. "We're bullish," he says. "We have a big base of large customers and they love us."

Editorial standards