
Global Correlation: IPS + SIO = Greater Protection

August 30, 2012

The Cisco Intrusion Prevention System (IPS) includes Global Correlation capabilities that utilize real-world data from Cisco Security Intelligence Operations (SIO). We have seen on this blog before how IPS Global Correlation can be used to detect and validate the urgency of emergent threats as well as allow our team to hone the protection capabilities of our IPS Sensors.

Perhaps more fundamentally, however, Global Correlation allows Cisco IPS Sensors to filter network traffic using the “reputation” of a packet’s source IP address. The reputation of an IP address is computed by Cisco SensorBase from the past actions of that IP address. IP reputation has been an effective means of predicting the trustworthiness of current and future behavior from an IP address.

Our team has recently published a new white paper that explores the benefits of IPS Global Correlation and how they relate to various IPS deployment scenarios. I would like to share a couple of items from the white paper and encourage you to read it for more information.

  • Reputation data facilitates the filtering of network traffic from known-bad sources
  • Filtering traffic based on reputation keeps traffic from reaching the traditional inspection capabilities of the IPS, reducing sensor CPU load
  • In permissive access environments, Global Correlation may deny a significant portion of malicious traffic seen by the sensor
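To make the mechanism in the bullets above concrete, here is an added example (not Cisco's code, and not the SensorBase algorithm, whose inputs and weights this post does not describe). It models a reputation score derived from an IP's past actions, places a reputation check in front of a stand-in for signature inspection, and counts how much traffic never reaches the more expensive stage. The event weights, the deny threshold of -5.0, the sample histories, the traffic lines and the single signature are all constructed for the example.

```python
from collections import Counter, defaultdict

# Constructed sample data: past actions reported for a handful of source IPs
# (hypothetical; documentation-range addresses, not real observations).
PAST_EVENTS = [
    ("203.0.113.10", "malware_c2"),
    ("203.0.113.10", "scan"),
    ("203.0.113.10", "scan"),
    ("198.51.100.7", "scan"),
    ("192.0.2.5", "benign"),
    ("192.0.2.5", "benign"),
]

# Assumed weights per observed behaviour (negative = bad). Scores are clipped
# so that one very active host cannot overflow the scale.
EVENT_WEIGHTS = {"malware_c2": -6.0, "scan": -2.0, "benign": 0.5}
SCORE_MIN, SCORE_MAX = -10.0, 10.0
DENY_THRESHOLD = -5.0   # assumed policy: at or below this, drop before inspection


def compute_reputation(events):
    """Aggregate the past actions of each IP into a clipped reputation score."""
    scores = defaultdict(float)
    for ip, kind in events:
        scores[ip] += EVENT_WEIGHTS.get(kind, 0.0)
    return {ip: max(SCORE_MIN, min(SCORE_MAX, s)) for ip, s in scores.items()}


# Stand-in for the traditional inspection engine: one constructed signature.
SIGNATURES = {"sig-1001": b"/etc/passwd"}


def inspect(payload):
    """Expensive stage stand-in: return the ids of signatures found in the payload."""
    return [sid for sid, pattern in SIGNATURES.items() if pattern in payload]


def process_traffic(packets, reputation, deny_threshold=DENY_THRESHOLD):
    """Reputation pre-filter in front of signature inspection.

    packets: iterable of (src_ip, payload_bytes).
    Returns (counters, per-packet verdicts) so the reader can see which packets
    were dropped on reputation alone and which ones reached inspect().
    """
    stats = Counter()
    verdicts = []
    for src, payload in packets:
        score = reputation.get(src, 0.0)      # unknown sources are neutral
        if score <= deny_threshold:
            stats["denied_by_reputation"] += 1
            verdicts.append((src, "deny:reputation"))
            continue                           # never reaches inspect()
        stats["inspected"] += 1
        hits = inspect(payload)
        if hits:
            stats["alerts"] += 1
            verdicts.append((src, "alert:" + ",".join(hits)))
        else:
            verdicts.append((src, "allow"))
    return stats, verdicts


# Constructed traffic sample: two packets from the worst-reputation host,
# one traversal attempt from a mildly suspicious host, two benign requests.
SAMPLE_TRAFFIC = [
    ("203.0.113.10", b"GET /index.html"),
    ("203.0.113.10", b"GET /../../etc/passwd"),
    ("198.51.100.7", b"GET /../../etc/passwd"),
    ("192.0.2.5", b"GET /index.html"),
    ("10.0.0.9", b"GET /about"),
]

if __name__ == "__main__":
    rep = compute_reputation(PAST_EVENTS)
    stats, verdicts = process_traffic(SAMPLE_TRAFFIC, rep)
    for src, verdict in verdicts:
        print(f"{src:15} {verdict}")
    print(dict(stats))
```

Note that the packet from 203.0.113.10 carrying the traversal string is dropped on reputation alone and is never matched against any signature; that is the CPU saving the second bullet describes. The same payload from 198.51.100.7 does reach inspection, because its history is not bad enough to cross the threshold, so the signature engine still has to catch it. Sources with no history are treated as neutral here, which is an assumption of this example.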

The Global Correlation functionality is enabled by default. However, by default IPS Sensors will not contribute data to the reputation algorithms inside Cisco SensorBase. It is recommended that organizations enable Network Participation in order to improve the reputation data they, and other organizations, receive. More information about turning on this feature is available in the IPS documentation.

Are you already leveraging this functionality in your network? I am interested to know what you think!
