Thanks for joining! We will begin in just a few minutes as more people come on line. This event will be recorded. IPS Tech Talk – Global Correlation 2010 November 18. Robert Albach, James Kasper, Chad Rhyner. Agenda. Tech Talk Mechanics How these events will operate.
Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.
Thanks for joining!We will begin in just a few minutes as more people come on line. This event will be recorded.
IPS Tech Talk – Global Correlation2010 November 18 Robert Albach, James Kasper, Chad Rhyner
Tech Talk MechanicsHow these events will operate • With many people on-line we will mute all but the presenters • We will try to answer questions at the end • Please use the “Question and Answer” feature for questions • If we don’t get to your question, we will try to answer them off-line • The presentation and recording will be placed on the Community support site: https://supportforums.cisco.com/
Global Correlation – Simple View Cisco SensorBase Akamai Cisco IPS
Cisco Global CorrelationSensorBase: World’s Largest Traffic Monitoring Network Cisco SensorBase • 700,000+ sensors deployed globally • 8 of the top 10 global ISPs • Over 500GB of data per day • 152 third party feeds • Over 30% of the world’s email traffic
Cisco Global CorrelationSensor Contribution Email Security IPS Web Security Firewall Identifying a global botnet requires complete visibility across all threat vectors
IPS 7.x Global Correlation - Support • Released Spring 2009 as version 7.0(1) • Which Devices Can Use Global Correlation: • 4240, 4255, 4260, 4270 IPS appliances • IDSM2 Cisco Catalyst blades • IPS-AIM and IPS-NMEISR modules • AIP modules for ASA appliances • Which Devices CAN NOT Use Global Correlation: • Cisco IOS IPS • ASA 5505 with AIP-SSC5 card • IPS 4215
IPS 7.0 Global Correlation - Activities ● • Global Correlation Inspection (GC) Use “Reputation” knowledge of Attackers to influence Alarm handling and Denies when there are “Bad Score” attackers seen on the sensor. • Reputation Filter (RF) Apply automatic deny of packets from known malicious sites. • Network Participation (NP) Sensor sends sampled and condensed alarm data and statistics to central “IBNP server” for global analysis.
Quick Poll • Global Correlation and You…
Global Correlation in the IPS • Fully automatic handling of sensor’s uploads and downloads of this Global Correlation and participation data. • Apply intelligent handling to alarms • Improve efficacy - the effectiveness of our defensive action handling. • Improve protection against known malicious sites (by IP address range) with a fully automatic ingress filter. • Share telemetry data with Cisco back-endprocessing to improve visibility of alarms and sensor actions on a global scale. This feeds various analysis tools.
Configuration Options • Service host / network-settings DNS-server (primary, secondary, tertiary) OR HTTP-Proxy (address and port) • Service global-correlation Network Participation On / Off Participation Mode (Partial or Full) Global Correlation Inspection On / Off Influence (parameter to set how aggressive the function behaves) Reputation Filter On / Off Test Global Correlation (audit mode) On / Off
Global Correlation Configuration via – Cisco Security Manager
Automatic GC updates • Fully automatic beyond configuration • Cisco distributes the update files via Akamai caches for load balancing, redundancy, and locality. • Update interval can happen every 5 minutes, as needed. • Sensor first gets a “FULL” update of components, then applies “INCREMENTAL” updates periodically (as new updates are available) • Initial Full updates range upwards from 2G in size • Incremental are typically 100K in size • Each data set has a serial #, displayed in the GC stats. This serial # represents the latest dataset loaded by the sensor. This is informational and does not require any user interaction.
Global Correlation Reputation Updates Initiate request to update reputation data through HTTPS request Sensor gets back a manifest containing the DNS name of a server to get the data from DNS request returns the nearest Akamai server Initiate actual data download using HTTP from the Akamai server CSIO CiscoCallManager Servers Desktop 2 URL list of local Akamai servers is returned HTTPS://update-manifest.ironport.com 3 ‘Akamaized’ DNS request for nearest server Internet 1 IPS initiates request to update reputation data 4 IPS initiates actual data download over HTTP Cisco IPS demosensor1# show statistics global . . . . Update Server = update-manifests.ironport.com Update Server Address = 184.108.40.206 Current Versions: config = 1236210407 drop = 1245425355 ip = 1245424447 rule = 1245348807 Reputation data comes in the form of multiple files (config, drop, ip, rule) that get downloaded as needed during updates
Network Participation • Per Alarm shows: The partial mode telemetry data includes: SIGID Attacker Address and Port Signature Version GC Reputation Score Risk Rating fields • AnalysisEngine GC Stats Alerts Hits/Miss GC Reputation actions Packet Denies counters • FULL mode adds: Victim IP and Port
Reputation Filtering: Deny Filter Processor • Deny Attacker addresses registered here. • GlobalCorrelationReputationFilter registered here. • This is an INGRESS filter, and will drop packets matching deny attacker or RF. • Deny Attacker is most aggressive action. • Deny Attacker can come from SigEvent action, manual user command, and GC alarm feature. • Deny Attacker modes: • Axxx: deny-attacker • AxBx: deny-attacker-victim-pair • Axxb: deny-attacker-service-pair
How is Risk Rating Determined? • Risk Rating has multiple contributing inputs. • Attack Severity Rating – derived from other inputs (more to come) • Target Value Rating – configurable by user • Signature Fidelity Rating – pre-set by Cisco for each signature • Attack Relevance Rating – derived from other inputs (more to come) • Promiscuous Delta – derived value – impacted by IDS mode • Watch List Rating – derived from internal list data (more to come) • *Global Correlation – (7.0 and later) + Risk Delta
Global Correlation and Risk Rating • For 7.0+ releases you have access to Cisco Global Correlation Reputation data • There are three modes that let you determine how aggressively the sensor uses global correlation information to initiate deny actions: • Permissive: Modifies standard Risk Rating w Risk Delta (below). • Standard: Permissive but uses lower internal overide thresholds. • Deny Packet – 86 Deny Attacker - 100 • Aggressive: Standard but uses even lower override thresholds. • Deny Packet – 83 Deny Attacker - 95 + Risk Delta
Some Debugging Information • local network devices May have to open up port 443 or proxy port at gateway • Statistics of interest Show stat analysis-engine Show stat global-correlation • Show version displays license information. • GC license feature requires proper time/date setting. • ReputationFilter drops are seen in analysis-engine statistics.
What might be some limitations? • IPS location may make a difference. • Example: • If inspecting only internal traffic then external reputation data may not have much meaning (Global Correlation) less impact but my internal watch list info is a better fit.
Global Correlation Summary • Global Correlation helps you to: • Reduces traffic with Reputation Filters prior to deep inspection • Influences actions taken by the IPS by altering Risk Ratings • Global Correlation is easy: • Downloads are automated and simple to set up • Global Correlation is made better by you! • Your participation improves yours and others identification of attackers and bad sites
Quick Poll • Global Correlation and You…
Before the Q&A Session • Thanks for attending. • Let us know: • Was this session worth while to you? • What future topics would you like to see? • How might we improve these events? • Send an email to: • Robert Albach • firstname.lastname@example.org