
IPS Tech Talk – Global Correlation 2010 November 18


Page 1: IPS Tech Talk – Global Correlation 2010 November 18

© 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 1

Thanks for joining!

We will begin in just a few minutes as more people come on line.

This event will be recorded.

Page 2: IPS Tech Talk – Global Correlation 2010 November 18


IPS Tech Talk – Global Correlation
2010 November 18

Robert Albach, James Kasper, Chad Rhyner

Page 3: IPS Tech Talk – Global Correlation 2010 November 18


Agenda

:00  Welcome to Tech Talks
     Mechanics of Tech Talks

:03  Global Correlation
     Introduction and Definitions
     What you can do with it and how
     Where found in product
     Details to consider

@ :30  Question and Answer

Page 4: IPS Tech Talk – Global Correlation 2010 November 18


Tech Talk Mechanics
How these events will operate

With many people on-line we will mute all but the presenters

We will try to answer questions at the end. Please use the “Question and Answer” feature for questions.

If we don’t get to your question, we will try to answer them off-line

The presentation and recording will be placed on the Community support site:

https://supportforums.cisco.com/

Page 5: IPS Tech Talk – Global Correlation 2010 November 18


Global Correlation – Simple View

Diagram: Cisco SensorBase -> Akamai -> Cisco IPS

Page 6: IPS Tech Talk – Global Correlation 2010 November 18


Cisco Global Correlation
SensorBase: World’s Largest Traffic Monitoring Network

• 700,000+ sensors deployed globally
• Over 500GB of data per day
• Over 30% of the world’s email traffic
• 8 of the top 10 global ISPs
• 152 third party feeds

Diagram label: Cisco SensorBase

Page 7: IPS Tech Talk – Global Correlation 2010 November 18


Cisco Global Correlation
Sensor Contribution

Contributing sensor types:
• Email Security
• Web Security
• IPS
• Firewall

Identifying a global botnet requires complete visibility across all threat vectors.

Page 8: IPS Tech Talk – Global Correlation 2010 November 18


IPS 7.x Global Correlation – Support
Released Spring 2009 as version 7.0(1)

Which Devices Can Use Global Correlation:
• 4240, 4255, 4260, 4270 IPS appliances
• IDSM2 Cisco Catalyst blades
• IPS-AIM and IPS-NME ISR modules
• AIP modules for ASA appliances

Which Devices CAN NOT Use Global Correlation:
• Cisco IOS IPS
• ASA 5505 with AIP-SSC5 card
• IPS 4215

Page 9: IPS Tech Talk – Global Correlation 2010 November 18


IPS 7.0 Global Correlation – Activities

Global Correlation Inspection (GC)
Use “Reputation” knowledge of attackers to influence alarm handling and denies when “bad score” attackers are seen on the sensor.

Reputation Filter (RF)
Apply automatic deny of packets from known malicious sites.

Network Participation (NP)
The sensor sends sampled and condensed alarm data and statistics to the central “IBNP server” for global analysis.

Page 10: IPS Tech Talk – Global Correlation 2010 November 18


Quick Poll

Global Correlation and You…

Page 11: IPS Tech Talk – Global Correlation 2010 November 18


Global Correlation in the IPS

Fully automatic handling of the sensor’s uploads and downloads of this Global Correlation and participation data.

Apply intelligent handling to alarms: improve efficacy, the effectiveness of our defensive action handling.

Improve protection against known malicious sites (by IP address range) with a fully automatic ingress filter.

Share telemetry data with Cisco back-end processing to improve visibility of alarms and sensor actions on a global scale. This feeds various analysis tools.

Page 12: IPS Tech Talk – Global Correlation 2010 November 18


GLOBAL CORRELATION IN THE IPS

Page 13: IPS Tech Talk – Global Correlation 2010 November 18


Event views – Reputation

Page 14: IPS Tech Talk – Global Correlation 2010 November 18


Global Correlation in IPS Monitoring

Page 15: IPS Tech Talk – Global Correlation 2010 November 18


Global Correlation / Reputation - Events

Page 16: IPS Tech Talk – Global Correlation 2010 November 18


Reporting Criteria

Page 17: IPS Tech Talk – Global Correlation 2010 November 18


Global Correlation / Reputation - Reports

Page 18: IPS Tech Talk – Global Correlation 2010 November 18


CONFIGURING GLOBAL CORRELATION

Page 19: IPS Tech Talk – Global Correlation 2010 November 18


Configuration Options

Service host / network-settings
  DNS-server (primary, secondary, tertiary) OR HTTP-Proxy (address and port)

Service global-correlation
  Network Participation: On / Off; Participation Mode (Partial or Full)
  Global Correlation Inspection: On / Off; Influence (parameter to set how aggressive the function behaves)
  Reputation Filter: On / Off
  Test Global Correlation (audit mode): On / Off

Page 20: IPS Tech Talk – Global Correlation 2010 November 18


Configuration by CLI

Page 21: IPS Tech Talk – Global Correlation 2010 November 18


Global Correlation Configuration in IPS

Page 22: IPS Tech Talk – Global Correlation 2010 November 18


Global Correlation Configuration via Cisco Security Manager

Page 23: IPS Tech Talk – Global Correlation 2010 November 18


CONNECTIVITY SIDE OF GLOBAL CORRELATION

Page 24: IPS Tech Talk – Global Correlation 2010 November 18


Automatic GC updates
Fully automatic beyond configuration

Cisco distributes the update files via Akamai caches for load balancing, redundancy, and locality.

Update interval can happen every 5 minutes, as needed.

Sensor first gets a “FULL” update of components, then applies “INCREMENTAL” updates periodically (as new updates are available).

Initial Full updates range upwards from 2G in size; Incremental updates are typically 100K in size.

Each data set has a serial #, displayed in the GC stats. This serial # represents the latest dataset loaded by the sensor. This is informational and does not require any user interaction.

Page 25: IPS Tech Talk – Global Correlation 2010 November 18


Global Correlation Reputation Updates

1. Initiate request to update reputation data through HTTPS request
2. Sensor gets back a manifest containing the DNS name of a server to get the data from
3. DNS request returns the nearest Akamai server
4. Initiate actual data download using HTTP from the Akamai server

Diagram (Cisco IPS, Internet, CSIO; Cisco CallManager servers and desktop on the local side):
  1  IPS initiates request to update reputation data: HTTPS://update-manifest.ironport.com
  2  URL list of local Akamai servers is returned
  3  ‘Akamaized’ DNS request for nearest server
  4  IPS initiates actual data download over HTTP

  demosensor1# show statistics global
  . . . .
  Update Server = update-manifests.ironport.com
  Update Server Address = 204.15.82.17
  Current Versions:
    config = 1236210407
    drop = 1245425355
    ip = 1245424447
    rule = 1245348807

Reputation data comes in the form of multiple files (config, drop, ip, rule) that get downloaded as needed during updates.

Page 26: IPS Tech Talk – Global Correlation 2010 November 18


CONTRIBUTING TO GLOBAL CORRELATION SUCCESS

Page 27: IPS Tech Talk – Global Correlation 2010 November 18


Network Participation

The partial mode telemetry data includes:

Per alarm:
  SIG ID
  Attacker Address and Port
  Signature Version
  GC Reputation Score
  Risk Rating fields

AnalysisEngine GC stats:
  Alerts Hits/Miss
  GC Reputation actions
  Packet Denies counters

FULL mode adds: Victim IP and Port

Page 28: IPS Tech Talk – Global Correlation 2010 November 18


Network Participation – Configuration via CSM

Page 29: IPS Tech Talk – Global Correlation 2010 November 18


CSM Network Participation Explanation

Page 30: IPS Tech Talk – Global Correlation 2010 November 18


REPUTATION FILTERING

Page 31: IPS Tech Talk – Global Correlation 2010 November 18


Reputation Filtering - Configuration

Page 32: IPS Tech Talk – Global Correlation 2010 November 18


Reputation Filtering: Deny Filter Processor

• Deny Attacker addresses are registered here.

• The GlobalCorrelation ReputationFilter is registered here.

• This is an INGRESS filter, and will drop packets matching a Deny Attacker entry or the RF.

• Deny Attacker is the most aggressive action.

• Deny Attacker can come from a SigEvent action, a manual user command, or the GC alarm feature.

• Deny Attacker modes:

  • Axxx: deny-attacker

  • AxBx: deny-attacker-victim-pair

  • Axxb: deny-attacker-service-pair
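As an added illustration (not code from the deck or from Cisco), a small Python model of the ingress Deny Filter Processor described above: the three Deny Attacker modes are checked first, then the Reputation Filter address ranges, and drops are counted per reason as the analysis-engine statistics would report them. The class and field names, the RFC 5737 addresses and the sample entries are this example's own constructions.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass, field

# Constructed model of the slide's Deny Filter Processor (not Cisco code): an
# ingress filter dropping packets that match a Deny Attacker entry or an RF range.

Packet = namedtuple("Packet", "src dst dst_port")  # attacker, victim, service

@dataclass
class DenyFilterProcessor:
    axxx: set = field(default_factory=set)   # deny-attacker (attacker only)
    axbx: set = field(default_factory=set)   # deny-attacker-victim-pair
    axxb: set = field(default_factory=set)   # deny-attacker-service-pair
    rf_ranges: list = field(default_factory=list)  # Reputation Filter networks
    drops: dict = field(default_factory=dict)  # drop counters per reason

    def drop_reason(self, pkt):
        """Deny Attacker entries are checked first, then the RF address ranges."""
        if pkt.src in self.axxx:
            return "deny-attacker"
        if (pkt.src, pkt.dst) in self.axbx:
            return "deny-attacker-victim-pair"
        if (pkt.src, pkt.dst_port) in self.axxb:
            return "deny-attacker-service-pair"
        if any(ipaddress.ip_address(pkt.src) in net for net in self.rf_ranges):
            return "reputation-filter"
        return None

    def ingress(self, pkt) -> bool:
        """True: forwarded to deep inspection; False: dropped at ingress."""
        reason = self.drop_reason(pkt)
        if reason is None:
            return True
        self.drops[reason] = self.drops.get(reason, 0) + 1
        return False

def demo():
    # Constructed entries and packets using RFC 5737 documentation addresses
    dfp = DenyFilterProcessor()
    dfp.axxx.add("198.51.100.7")
    dfp.axbx.add(("203.0.113.9", "10.0.0.5"))
    dfp.axxb.add(("203.0.113.10", 445))
    dfp.rf_ranges.append(ipaddress.ip_network("192.0.2.0/24"))
    pkts = [Packet("198.51.100.7", "10.0.0.1", 80),   # Axxx: dropped
            Packet("203.0.113.9", "10.0.0.6", 80),    # AxBx, other victim: passes
            Packet("203.0.113.10", "10.0.0.1", 445),  # Axxb: dropped
            Packet("192.0.2.44", "10.0.0.1", 22),     # RF range: dropped
            Packet("10.0.0.9", "10.0.0.1", 22)]       # clean: passes
    return [dfp.ingress(p) for p in pkts], dict(dfp.drops)
```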

Page 33: IPS Tech Talk – Global Correlation 2010 November 18


GLOBAL CORRELATION AND RISK RATINGS / ACTIONS

Page 34: IPS Tech Talk – Global Correlation 2010 November 18


How is Risk Rating Determined?

Risk Rating has multiple contributing inputs:

Attack Severity Rating – derived from other inputs (more to come)

Target Value Rating – configurable by user

Signature Fidelity Rating – pre-set by Cisco for each signature

Attack Relevance Rating – derived from other inputs (more to come)

Promiscuous Delta – derived value, impacted by IDS mode

Watch List Rating – derived from internal list data (more to come)

*Global Correlation (7.0 and later) – + Risk Delta

Page 35: IPS Tech Talk – Global Correlation 2010 November 18


Reputation Effect on Risk Rating

Page 36: IPS Tech Talk – Global Correlation 2010 November 18


Global Correlation and Risk Rating

For 7.0+ releases you have access to Cisco Global Correlation Reputation data.

There are three modes that let you determine how aggressively the sensor uses global correlation information to initiate deny actions:

Permissive: Modifies the standard Risk Rating with the Risk Delta (below).

Standard: Permissive, but uses lower internal override thresholds.
  Deny Packet – 86, Deny Attacker – 100

Aggressive: Standard, but uses even lower override thresholds.
  Deny Packet – 83, Deny Attacker – 95

+ Risk Delta
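As an added example (not Cisco's implementation and not from the deck), a Python model of how the three modes above turn an event's Risk Rating into deny actions using the slide's override thresholds, with the "Test Global Correlation (audit mode)" option modelled as a flag. `GC_THRESHOLDS`, `gc_evaluate` and `compare_modes` are this example's own names, and the Risk Delta is supplied as an input because the page does not give the reputation-score-to-delta mapping.

```python
# Constructed model (not Cisco's implementation) of how the three Global
# Correlation modes on the slide turn an event's Risk Rating into deny actions.
# The Risk Delta is taken as an input: the reputation-score-to-delta mapping
# is not given on this page (the "influence" setting would scale it there).
# Only the GC-specific overrides are modelled; the sensor's ordinary event
# action overrides on the modified Risk Rating are outside this example.

# Override thresholds quoted on the slide; Permissive has none (Risk Delta only).
GC_THRESHOLDS = {
    "permissive": None,
    "standard": {"deny-packet": 86, "deny-attacker": 100},
    "aggressive": {"deny-packet": 83, "deny-attacker": 95},
}

def effective_risk_rating(risk_rating, risk_delta):
    """Add the reputation Risk Delta and clamp to the 0-100 Risk Rating scale."""
    return max(0, min(100, risk_rating + risk_delta))

def gc_evaluate(risk_rating, risk_delta, mode, audit=False):
    """Return the effective RR plus the deny actions GC adds in this mode.

    audit=True models "Test Global Correlation (audit mode)": the decision is
    computed and reported under "would_apply" but no action is applied.
    """
    rr = effective_risk_rating(risk_rating, risk_delta)
    actions = set()
    thresholds = GC_THRESHOLDS[mode]
    if thresholds is not None:
        if rr >= thresholds["deny-packet"]:
            actions.add("deny-packet")
        if rr >= thresholds["deny-attacker"]:
            actions.add("deny-attacker")  # most aggressive action, on top of deny-packet
    result = {"risk_rating": rr, "actions": set() if audit else actions}
    if audit:
        result["would_apply"] = actions
    return result

def compare_modes(risk_rating, risk_delta):
    """Same event evaluated under all three modes, to show the threshold effect."""
    return {m: sorted(gc_evaluate(risk_rating, risk_delta, m)["actions"])
            for m in GC_THRESHOLDS}
```

For a constructed event with Risk Rating 85 and Risk Delta 12 the effective rating is 97: Permissive adds nothing, Standard adds deny-packet, and Aggressive adds both deny-packet and deny-attacker.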

Page 37: IPS Tech Talk – Global Correlation 2010 November 18


How To:Global Correlation and Risk Rating

Page 38: IPS Tech Talk – Global Correlation 2010 November 18


Configuring Through - CSM

Page 39: IPS Tech Talk – Global Correlation 2010 November 18


DEBUGGING AND DETAILED METRICS

Page 40: IPS Tech Talk – Global Correlation 2010 November 18


Some Debugging Information

Local network devices: may have to open up port 443 or the proxy port at the gateway.

Statistics of interest:
  show stat analysis-engine
  show stat global-correlation

show version displays license information.

GC license feature requires proper time/date setting.

ReputationFilter drops are seen in analysis-engine statistics.

Page 41: IPS Tech Talk – Global Correlation 2010 November 18


Device Detail Information – Global Correlation / Reputation

Page 42: IPS Tech Talk – Global Correlation 2010 November 18


Device Detail Information – Global Correlation / Reputation

Page 43: IPS Tech Talk – Global Correlation 2010 November 18


What might be some limitations?

IPS location may make a difference. Example:

If the sensor inspects only internal traffic, external reputation data may not have much meaning: Global Correlation has less impact there, and my internal watch list info is a better fit.

Page 44: IPS Tech Talk – Global Correlation 2010 November 18


Global Correlation Summary

Global Correlation helps you to:
  Reduce traffic with Reputation Filters prior to deep inspection
  Influence actions taken by the IPS by altering Risk Ratings

Global Correlation is easy:
  Downloads are automated and simple to set up

Global Correlation is made better by you!
  Your participation improves your own and others’ identification of attackers and bad sites

Page 45: IPS Tech Talk – Global Correlation 2010 November 18


Quick Poll

Global Correlation and You…

Page 46: IPS Tech Talk – Global Correlation 2010 November 18


Before the Q&A Session

Thanks for attending. Let us know:

Was this session worth while to you?

What future topics would you like to see?

How might we improve these events?

Send an email to: Robert Albach

[email protected]

Page 47: IPS Tech Talk – Global Correlation 2010 November 18


Q&A
Please use the Question and Answer section of WebEx

Page 48: IPS Tech Talk – Global Correlation 2010 November 18


THANKS!

Page 49: IPS Tech Talk – Global Correlation 2010 November 18
