IPS Tech Talk – Global Correlation 2010 November 18 - PowerPoint PPT Presentation

Thanks for joining!
1 / 49

  • Uploaded on
  • Presentation posted in: General

Thanks for joining! We will begin in just a few minutes as more people come on line. This event will be recorded. IPS Tech Talk – Global Correlation 2010 November 18. Robert Albach, James Kasper, Chad Rhyner. Agenda. Tech Talk Mechanics How these events will operate.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

Download Presentation

IPS Tech Talk – Global Correlation 2010 November 18

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

Ips tech talk global correlation 2010 november 18

Thanks for joining!We will begin in just a few minutes as more people come on line. This event will be recorded.

Ips tech talk global correlation 2010 november 18

IPS Tech Talk – Global Correlation2010 November 18

Robert Albach, James Kasper, Chad Rhyner



Tech talk mechanics how these events will operate

Tech Talk MechanicsHow these events will operate

  • With many people on-line we will mute all but the presenters

  • We will try to answer questions at the end

    • Please use the “Question and Answer” feature for questions

    • If we don’t get to your question, we will try to answer them off-line

  • The presentation and recording will be placed on the Community support site:


Global correlation simple view

Global Correlation – Simple View




Cisco IPS

Cisco global correlation sensorbase world s largest traffic monitoring network

Cisco Global CorrelationSensorBase: World’s Largest Traffic Monitoring Network

Cisco SensorBase

  • 700,000+ sensors deployed globally

  • 8 of the top 10 global ISPs

  • Over 500GB of data per day

  • 152 third party feeds

  • Over 30% of the world’s email traffic

Cisco global correlation sensor contribution

Cisco Global CorrelationSensor Contribution

Email Security


Web Security


Identifying a global botnet requires complete visibility across all threat vectors

Ips tech talk global correlation 2010 november 18

IPS 7.x Global Correlation - Support

  • Released Spring 2009 as version 7.0(1)

  • Which Devices Can Use Global Correlation:

  • 4240, 4255, 4260, 4270 IPS appliances

  • IDSM2 Cisco Catalyst blades

  • IPS-AIM and IPS-NMEISR modules

  • AIP modules for ASA appliances

  • Which Devices CAN NOT Use Global Correlation:

  • Cisco IOS IPS

  • ASA 5505 with AIP-SSC5 card

  • IPS 4215

Ips tech talk global correlation 2010 november 18

IPS 7.0 Global Correlation - Activities

  • Global Correlation Inspection (GC)

    Use “Reputation” knowledge of Attackers to influence Alarm handling and Denies when there are “Bad Score” attackers seen on the sensor.

  • Reputation Filter (RF)

    Apply automatic deny of packets from known malicious sites.

  • Network Participation (NP)

    Sensor sends sampled and condensed alarm data and statistics to central “IBNP server” for global analysis.

Quick poll

Quick Poll

  • Global Correlation and You…

Ips tech talk global correlation 2010 november 18

Global Correlation in the IPS

  • Fully automatic handling of sensor’s uploads and downloads of this Global Correlation and participation data.

  • Apply intelligent handling to alarms

  • Improve efficacy - the effectiveness of our defensive action handling.

  • Improve protection against known malicious sites (by IP address range) with a fully automatic ingress filter.

  • Share telemetry data with Cisco back-endprocessing to improve visibility of alarms and sensor actions on a global scale. This feeds various analysis tools.

Global correlation in the ips

GLOBAL Correlation in the IPS

Event views reputation

Event views – Reputation

Global correlation in ips monitoring

Global Correlation in IPS Monitoring

Global correlation reputation events

Global Correlation / Reputation - Events

Reporting criteria

Reporting Criteria

Global correlation reputation reports

Global Correlation / Reputation - Reports

Configuring global correlation

Configuring global Correlation

Ips tech talk global correlation 2010 november 18

Configuration Options

  • Service host / network-settings

    DNS-server (primary, secondary, tertiary) OR

    HTTP-Proxy (address and port)

  • Service global-correlation

    Network Participation

    On / Off

    Participation Mode (Partial or Full)

    Global Correlation Inspection

    On / Off

    Influence (parameter to set how aggressive the function behaves)

    Reputation Filter

    On / Off

    Test Global Correlation (audit mode)

    On / Off

Configuration by cli

Configuration by CLI

Global correlation configuration in ips

Global Correlation Configuration in IPS

Ips tech talk global correlation 2010 november 18

Global Correlation Configuration via –

Cisco Security Manager

Connectivity side of global correlation

Connectivity side of Global Correlation

Ips tech talk global correlation 2010 november 18

Automatic GC updates

  • Fully automatic beyond configuration

  • Cisco distributes the update files via Akamai caches for load balancing, redundancy, and locality.

  • Update interval can happen every 5 minutes, as needed.

  • Sensor first gets a “FULL” update of components, then applies “INCREMENTAL” updates periodically (as new updates are available)

    • Initial Full updates range upwards from 2G in size

    • Incremental are typically 100K in size

  • Each data set has a serial #, displayed in the GC stats. This serial # represents the latest dataset loaded by the sensor. This is informational and does not require any user interaction.

Global correlation reputation updates

Global Correlation Reputation Updates

Initiate request to update reputation data through HTTPS request

Sensor gets back a manifest containing the DNS name of a server to get the data from

DNS request returns the nearest Akamai server

Initiate actual data download using HTTP from the Akamai server





2 URL list of local Akamai servers is returned


3 ‘Akamaized’ DNS request for nearest server


1 IPS initiates request to update reputation data

4 IPS initiates actual data download over HTTP



demosensor1# show statistics global

. . . .

Update Server = update-manifests.ironport.com

Update Server Address =

Current Versions:

config = 1236210407

drop = 1245425355

ip = 1245424447

rule = 1245348807

Reputation data comes in the form of multiple files (config, drop, ip, rule) that get downloaded as needed during updates

Contributing to global correlation success

Contributing to Global Correlation Success

Ips tech talk global correlation 2010 november 18

Network Participation

  • Per Alarm shows:

    The partial mode telemetry data includes:


    Attacker Address and Port

    Signature Version

    GC Reputation Score

    Risk Rating fields

  • AnalysisEngine GC Stats

    Alerts Hits/Miss

    GC Reputation actions

    Packet Denies counters

  • FULL mode adds: Victim IP and Port

Ips tech talk global correlation 2010 november 18

Network Participation – Configuration via CSM

Csm network participation explanation

CSM Network Participation Explanation

Reputation filtering

Reputation Filtering

Reputation filtering configuration

Reputation Filtering - Configuration

Ips tech talk global correlation 2010 november 18

Reputation Filtering: Deny Filter Processor

  • Deny Attacker addresses registered here.

  • GlobalCorrelationReputationFilter registered here.

  • This is an INGRESS filter, and will drop packets matching deny attacker or RF.

  • Deny Attacker is most aggressive action.

  • Deny Attacker can come from SigEvent action, manual user command, and GC alarm feature.

  • Deny Attacker modes:

    • Axxx: deny-attacker

    • AxBx: deny-attacker-victim-pair

    • Axxb: deny-attacker-service-pair

Global correlation and risk ratings actions

Global Correlation and Risk Ratings / Actions

How is risk rating determined

How is Risk Rating Determined?

  • Risk Rating has multiple contributing inputs.

    • Attack Severity Rating – derived from other inputs (more to come)

    • Target Value Rating – configurable by user

    • Signature Fidelity Rating – pre-set by Cisco for each signature

    • Attack Relevance Rating – derived from other inputs (more to come)

    • Promiscuous Delta – derived value – impacted by IDS mode

    • Watch List Rating – derived from internal list data (more to come)

    • *Global Correlation – (7.0 and later)

+ Risk Delta

Reputation effect on risk rating

Reputation Effect on Risk Rating

Global correlation and risk rating

Global Correlation and Risk Rating

  • For 7.0+ releases you have access to Cisco Global Correlation Reputation data

  • There are three modes that let you determine how aggressively the sensor uses global correlation information to initiate deny actions:

    • Permissive: Modifies standard Risk Rating w Risk Delta (below).

    • Standard: Permissive but uses lower internal overide thresholds.

    • Deny Packet – 86Deny Attacker - 100

    • Aggressive: Standard but uses even lower override thresholds.

    • Deny Packet – 83Deny Attacker - 95

+ Risk Delta

How to global correlation and risk rating

How To:Global Correlation and Risk Rating

Configuring through csm

Configuring Through - CSM

Debugging and detailed metrics

Debugging and Detailed metrics

Ips tech talk global correlation 2010 november 18

Some Debugging Information

  • local network devices

    May have to open up port 443 or proxy port at gateway

  • Statistics of interest

    Show stat analysis-engine

    Show stat global-correlation

  • Show version displays license information.

  • GC license feature requires proper time/date setting.

  • ReputationFilter drops are seen in analysis-engine statistics.

Device detail information global correlation reputation

Device Detail Information – Global Correlation / Reputation

Device detail information global correlation reputation1

Device Detail Information – Global Correlation / Reputation

What might be some limitations

What might be some limitations?

  • IPS location may make a difference.

  • Example:

    • If inspecting only internal traffic then external reputation data may not have much meaning (Global Correlation) less impact but my internal watch list info is a better fit.

Global correlation summary

Global Correlation Summary

  • Global Correlation helps you to:

    • Reduces traffic with Reputation Filters prior to deep inspection

    • Influences actions taken by the IPS by altering Risk Ratings

    • Global Correlation is easy:

      • Downloads are automated and simple to set up

    • Global Correlation is made better by you!

      • Your participation improves yours and others identification of attackers and bad sites

Quick poll1

Quick Poll

  • Global Correlation and You…

Before the q a session

Before the Q&A Session

  • Thanks for attending.

  • Let us know:

    • Was this session worth while to you?

    • What future topics would you like to see?

    • How might we improve these events?

  • Send an email to:

    • Robert Albach

    • ralbach@cisco.com

Ips tech talk global correlation 2010 november 18

Please use the Question and Answer section of WebEx




  • Login