by Jose Krause
Cisco’s Sourcefire system is the IDS/IPS solution offered by this company after the acquisition of Sourcefire, including its network anomaly detection engine, Snort. This IPS solution is one of the most powerful systems available on the market.
The system is composed mainly by two appliances:
The sensor –FirePOWER–, is the IPS itself with Snort, the RNA –Real Network Awareness– engine, nmap, the signature database and all the stuff that makes sense on an IPS. This appliance is mainly physical but Cisco offers also a virtual appliance option available on the customer support portal.
The manager –FireSIGHT Management center (FSM)–, is the central administration console, one FSM can have attached multiple sensors, and all the configuration is done here, so as policy creation, firewall rules, object setup, rule edition, etc. Once configured or modified some policy the whole config/rule/stuff package is deployed to the paired sensors. This element can be run as a virtual appliance available on the Cisco customer support portal.
The main problem of Cisco’s Sourcefire system is that the hardware is completely useless without a valid license. After buying a sensor on Ebay or scavenging one from a death project or whatever, a license is still needed to make them to work, and yes, these licenses are not exactly cheap…
The laboratory setup used for the paper uses this setup:
But the bypass techniques exposed in the paper are also applicable to the latest versions of Sourcefire sensors and FSMs – Tested on FSM version 6-.
According to Cisco, neither its ASA nor the new Firepower Threat Defense (FTD) appliances are susceptible to the demonstrated license bypass. However, I am not able to confirm or deny this as I haven’t had the chance to test those systems.
Paper at the end
According to Cisco, these versions are susceptible to apply this cracking techniques.