The Cisco Intrusion Prevention System (IPS) includes Global Correlation capabilities that utilize real-world data from Cisco Security Intelligence Operations (SIO). We have seen on this blog before how IPS Global Correlation can be used to detect and validate the urgency of emergent threats as well as allow our team to hone the protection capabilities of our IPS Sensors.
Perhaps more fundamentally however, Global Correlation allows Cisco IPS Sensors to filter network traffic using the “reputation” of a packet’s source IP address. The reputation of an IP address is computed by Cisco SensorBase using the past actions of that IP address. IP reputation has been an effective means of predicting the trustworthiness of current and future behaviors from an IP address.
Our team has recently published a new white paper that explores the benefits of IPS Global Correlation and how they relate to various IPS deployment scenarios. I would like to share a couple of items from the white paper and encourage you to read it for more information.
- Reputation data facilitates the filtering of network traffic from known-bad sources
- Filtering traffic based on reputation keeps traffic from reaching the traditional inspection capabilities of the IPS, reducing sensor CPU load
- In permissive access environments, Global Correlation may deny a significant portion of malicious traffic seen by the sensor
The Global Correlation functionality is enabled by default. However, IPS Sensors will not contribute data to the reputation algorithms inside Cisco SensorBase, by default. It is recommended that organizations enable Network Participation in order to improve the reputation data they, and others organizations, receive. More information about turning on this feature is available in the IPS documentation.
Are you already leveraging this functionality in your network? I am interested to know what you think!