© 2006 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 1
Thanks for joining!
We will begin in just a few minutes as more people come on line.
This event will be recorded.
IPS Tech Talk – Global Correlation
2010 November 18
Robert Albach, James Kasper, Chad Rhyner
Agenda
:00 Welcome to Tech Talks: Mechanics of Tech Talks
:03 Global Correlation: Introduction and Definitions; What you can do with it and how; Where found in product; Details to consider
@ :30 Question and Answer
Tech Talk Mechanics
How these events will operate
• With many people on-line we will mute all but the presenters
• We will try to answer questions at the end
• Please use the “Question and Answer” feature for questions
• If we don’t get to your question, we will try to answer them off-line
• The presentation and recording will be placed on the Community support site: https://supportforums.cisco.com/
Global Correlation – Simple View
(Diagram: Cisco SensorBase, Akamai, Cisco IPS)
Cisco Global Correlation
SensorBase: World’s Largest Traffic Monitoring Network
• 700,000+ sensors deployed globally
• Over 500GB of data per day
• Over 30% of the world’s email traffic
• 8 of the top 10 global ISPs
• 152 third party feeds
(Diagram: Cisco SensorBase)
Cisco Global Correlation
Sensor Contribution
• Email Security
• Web Security
• IPS
• Firewall
Identifying a global botnet requires complete visibility across all threat vectors
IPS 7.x Global Correlation – Support
Released Spring 2009 as version 7.0(1)
Which Devices Can Use Global Correlation:
• 4240, 4255, 4260, 4270 IPS appliances
• IDSM2 Cisco Catalyst blades
• IPS-AIM and IPS-NME ISR modules
• AIP modules for ASA appliances
Which Devices CAN NOT Use Global Correlation:
• Cisco IOS IPS
• ASA 5505 with AIP-SSC5 card
• IPS 4215
IPS 7.0 Global Correlation – Activities
• Global Correlation Inspection (GC): Use “Reputation” knowledge of Attackers to influence Alarm handling and Denies when there are “Bad Score” attackers seen on the sensor.
• Reputation Filter (RF): Apply automatic deny of packets from known malicious sites.
• Network Participation (NP): Sensor sends sampled and condensed alarm data and statistics to central “IBNP server” for global analysis.
Quick Poll
Global Correlation and You…
Global Correlation in the IPS
• Fully automatic handling of sensor’s uploads and downloads of this Global Correlation and participation data.
• Apply intelligent handling to alarms
• Improve efficacy - the effectiveness of our defensive action handling.
• Improve protection against known malicious sites (by IP address range) with a fully automatic ingress filter.
• Share telemetry data with Cisco back-end processing to improve visibility of alarms and sensor actions on a global scale. This feeds various analysis tools.
GLOBAL CORRELATION IN THE IPS
Event views – Reputation
Global Correlation in IPS Monitoring
Global Correlation / Reputation - Events
Reporting Criteria
Global Correlation / Reputation - Reports
CONFIGURING GLOBAL CORRELATION
Configuration Options
Service host / network-settings
• DNS-server (primary, secondary, tertiary) OR HTTP-Proxy (address and port)
Service global-correlation
• Network Participation: On / Off; Participation Mode (Partial or Full)
• Global Correlation Inspection: On / Off; Influence (parameter to set how aggressive the function behaves)
• Reputation Filter: On / Off
• Test Global Correlation (audit mode): On / Off
Configuration by CLI
Global Correlation Configuration in IPS
Global Correlation Configuration via Cisco Security Manager
CONNECTIVITY SIDE OF GLOBAL CORRELATION
Automatic GC updates
Fully automatic beyond configuration
• Cisco distributes the update files via Akamai caches for load balancing, redundancy, and locality.
• Update interval can happen every 5 minutes, as needed.
• Sensor first gets a “FULL” update of components, then applies “INCREMENTAL” updates periodically (as new updates are available)
• Initial Full updates range upwards from 2G in size
• Incremental are typically 100K in size
• Each data set has a serial #, displayed in the GC stats. This serial # represents the latest dataset loaded by the sensor. This is informational and does not require any user interaction.
Global Correlation Reputation Updates
1. Initiate request to update reputation data through HTTPS request
2. Sensor gets back a manifest containing the DNS name of a server to get the data from
3. DNS request returns the nearest Akamai server
4. Initiate actual data download using HTTP from the Akamai server
(Diagram: Cisco IPS, Internet, CSIO; Cisco CallManager servers and desktop on the local network. 1: IPS initiates request to update reputation data to HTTPS://update-manifest.ironport.com. 2: URL list of local Akamai servers is returned. 3: ‘Akamaized’ DNS request for nearest server. 4: IPS initiates actual data download over HTTP.)
demosensor1# show statistics global
. . . .
Update Server = update-manifests.ironport.com
Update Server Address = 204.15.82.17
Current Versions:
config = 1236210407
drop = 1245425355
ip = 1245424447
rule = 1245348807
Reputation data comes in the form of multiple files (config, drop, ip, rule) that get downloaded as needed during updates
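As an added example, not part of the slides: a Python check that parses the Current Versions block of the show statistics global output above and reports data sets whose serial has not advanced since an earlier snapshot. The sample text is constructed from the slide's values, and the exact line layout of the real output is an assumption.

```python
import re

# Constructed sample of the sensor's "show statistics global" output, trimmed to the
# lines this check needs.  Field names follow the slide; the line layout is assumed.
SAMPLE_STATS = """\
Update Server = update-manifests.ironport.com
Update Server Address = 204.15.82.17
Current Versions:
config = 1236210407
drop = 1245425355
ip = 1245424447
rule = 1245348807
"""

DATA_SETS = ("config", "drop", "ip", "rule")
VERSION_LINE = re.compile(r"^\s*(config|drop|ip|rule)\s*=\s*(\d+)\s*$")


def parse_versions(text):
    """Return {data set: serial} taken from the Current Versions section only."""
    versions = {}
    in_section = False
    for line in text.splitlines():
        if line.strip() == "Current Versions:":
            in_section = True
            continue
        match = VERSION_LINE.match(line) if in_section else None
        if match:
            versions[match.group(1)] = int(match.group(2))
    return versions


def stale_data_sets(previous, current):
    """Data sets whose serial is missing or did not advance since the previous snapshot.

    A serial that advanced means the sensor loaded a newer data set; one that stays
    put across many update intervals suggests the update path (DNS, port 443 or the
    proxy) is worth checking.
    """
    return sorted(name for name in DATA_SETS
                  if name not in current or current[name] <= previous.get(name, -1))
```

An incremental update need not touch every data set, so compare snapshots taken well apart (several 5 minute intervals) before treating a data set as stale.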
CONTRIBUTING TO GLOBAL CORRELATION SUCCESS
Network Participation
The partial mode telemetry data includes:
• Per Alarm shows: SIGID, Attacker Address and Port, Signature Version, GC Reputation Score, Risk Rating fields
• AnalysisEngine GC Stats: Alerts Hits/Miss, GC Reputation actions, Packet Denies counters
FULL mode adds: Victim IP and Port
Network Participation – Configuration via CSM
CSM Network Participation Explanation
REPUTATION FILTERING
Reputation Filtering - Configuration
Reputation Filtering: Deny Filter Processor
• Deny Attacker addresses registered here.
• GlobalCorrelation ReputationFilter registered here.
• This is an INGRESS filter, and will drop packets matching deny attacker or RF.
• Deny Attacker is most aggressive action.
• Deny Attacker can come from SigEvent action, manual user command, and GC alarm feature.
• Deny Attacker modes:
  • Axxx: deny-attacker
  • AxBx: deny-attacker-victim-pair
  • Axxb: deny-attacker-service-pair
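As an added illustration (not code from the presentation or from Cisco IPS), here is a Python model of the Deny Filter Processor described above: an ingress check that drops a packet when it matches a deny-attacker entry in one of the three modes (Axxx, AxBx, Axxb) or when its source falls in a Reputation Filter address range. The deny entries, the RF range and the packets are constructed sample data, and checking deny-attacker entries before RF ranges is an assumption.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str    # attacker address
    dst: str    # victim address
    dport: int  # victim service port


# Constructed sample deny-attacker entries: (action, attacker, victim or None,
# victim port or None).  None means the mode does not constrain that field.
DENY_ENTRIES = [
    ("deny-attacker", "198.51.100.7", None, None),               # Axxx
    ("deny-attacker-victim-pair", "203.0.113.9", "10.0.0.5", None),  # AxBx
    ("deny-attacker-service-pair", "192.0.2.44", None, 445),     # Axxb
]

# Constructed Reputation Filter ranges; on the sensor these come from the
# downloaded reputation data, here they are sample values only.
RF_RANGES = [ipaddress.ip_network("192.0.2.128/25")]


def entry_matches(entry, pkt):
    """A deny entry matches when every field it constrains equals the packet's."""
    _action, attacker, victim, port = entry
    return (pkt.src == attacker
            and (victim is None or pkt.dst == victim)
            and (port is None or pkt.dport == port))


def deny_filter(pkt, deny_entries=DENY_ENTRIES, rf_ranges=RF_RANGES):
    """Ingress decision: the reason the packet is dropped, or None to pass it on
    to deep inspection.  Deny-attacker entries are checked first (assumed order)."""
    for entry in deny_entries:
        if entry_matches(entry, pkt):
            return entry[0]
    src = ipaddress.ip_address(pkt.src)
    if any(src in net for net in rf_ranges):
        return "reputation-filter"
    return None


def run_ingress(packets):
    """Filter a batch and count drops per reason, the way the analysis-engine
    statistics expose ReputationFilter drops."""
    counts, passed = {}, []
    for pkt in packets:
        reason = deny_filter(pkt)
        if reason is None:
            passed.append(pkt)
        else:
            counts[reason] = counts.get(reason, 0) + 1
    return passed, counts
```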
GLOBAL CORRELATION AND RISK RATINGS / ACTIONS
How is Risk Rating Determined?
Risk Rating has multiple contributing inputs:
• Attack Severity Rating – derived from other inputs (more to come)
• Target Value Rating – configurable by user
• Signature Fidelity Rating – pre-set by Cisco for each signature
• Attack Relevance Rating – derived from other inputs (more to come)
• Promiscuous Delta – derived value – impacted by IDS mode
• Watch List Rating – derived from internal list data (more to come)
• *Global Correlation – (7.0 and later) + Risk Delta
Reputation Effect on Risk Rating
Global Correlation and Risk Rating
For 7.0+ releases you have access to Cisco Global Correlation Reputation data.
There are three modes that let you determine how aggressively the sensor uses global correlation information to initiate deny actions:
• Permissive: Modifies standard Risk Rating with Risk Delta (below).
• Standard: Permissive but uses lower internal override thresholds. Deny Packet – 86, Deny Attacker – 100
• Aggressive: Standard but uses even lower override thresholds. Deny Packet – 83, Deny Attacker – 95
+ Risk Delta
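An added Python example (not from the presentation or from Cisco IPS) that applies the thresholds listed above: it adds a reputation Risk Delta to an alarm's Risk Rating and returns the deny action whose override threshold the result reaches, so the effect of the three modes on one alarm can be compared. The Risk Delta value is an input (the slide does not give its formula), and treating Permissive mode as relying only on the administrator's own overrides, the 0 to 100 clamp, and "an internal threshold only lowers a user's bar" are assumptions of this example.

```python
# Internal override thresholds (Risk Rating needed to trigger each deny action) as
# given on the slide for the Standard and Aggressive modes.  The slide lists none for
# Permissive, so this example assumes it only adjusts the Risk Rating by the Risk
# Delta and leaves deny decisions to the administrator's own event action overrides.
GC_THRESHOLDS = {
    "permissive": {},
    "standard":   {"deny-attacker": 100, "deny-packet": 86},
    "aggressive": {"deny-attacker": 95,  "deny-packet": 83},
}


def adjusted_risk_rating(risk_rating, risk_delta):
    """Risk Rating plus the reputation-derived Risk Delta; clamping to a 0-100
    scale is an assumption of this example."""
    return max(0, min(100, risk_rating + risk_delta))


def gc_action(risk_rating, risk_delta, mode, user_overrides=None):
    """Return (adjusted Risk Rating, deny action or None).

    risk_delta is the reputation contribution for the attacker (computed elsewhere).
    user_overrides maps an action to the threshold the administrator configured; an
    internal GC threshold only ever lowers that bar, never raises it (assumed).
    The most aggressive action whose threshold is met wins.
    """
    if mode not in GC_THRESHOLDS:
        raise ValueError(f"unknown global-correlation mode: {mode}")
    rr = adjusted_risk_rating(risk_rating, risk_delta)
    thresholds = dict(user_overrides or {})
    for action, internal in GC_THRESHOLDS[mode].items():
        thresholds[action] = min(internal, thresholds.get(action, internal))
    for action in ("deny-attacker", "deny-packet"):
        if action in thresholds and rr >= thresholds[action]:
            return rr, action
    return rr, None


def compare_modes(risk_rating, risk_delta, user_overrides=None):
    """What each mode would do with the same alarm, the kind of side-by-side view
    you would want before leaving audit (Test Global Correlation) mode."""
    return {mode: gc_action(risk_rating, risk_delta, mode, user_overrides)[1]
            for mode in GC_THRESHOLDS}
```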
How To: Global Correlation and Risk Rating
Configuring Through CSM
DEBUGGING AND DETAILED METRICS
Some Debugging Information
• Local network devices: may have to open up port 443 or proxy port at gateway
• Statistics of interest: show stat analysis-engine, show stat global-correlation
• show version displays license information.
• GC license feature requires proper time/date setting.
• ReputationFilter drops are seen in analysis-engine statistics.
Device Detail Information – Global Correlation / Reputation
What might be some limitations?
IPS location may make a difference. Example:
If the sensor inspects only internal traffic, external reputation data may not have much meaning: Global Correlation has less impact, and the internal watch list information is a better fit.
Global Correlation Summary
Global Correlation helps you to:
• Reduce traffic with Reputation Filters prior to deep inspection
• Influence actions taken by the IPS by altering Risk Ratings
Global Correlation is easy:
• Downloads are automated and simple to set up
Global Correlation is made better by you!
• Your participation improves your own and others’ identification of attackers and bad sites
Quick Poll
Global Correlation and You…
Before the Q&A Session
Thanks for attending. Let us know:
Was this session worthwhile to you?
What future topics would you like to see?
How might we improve these events?
Send an email to: Robert Albach
Q&A
Please use the Question and Answer section of WebEx
THANKS!