Network World

Jamey Heary

Shields Up! Time to Start Blocking with your Cisco IPS Sensors

Cisco Ironport Reputation Database makes the difference

By jheary on Mon, 10/05/09 - 11:19pm.

Cisco started to include reputation functionality in its IPS sensors about 6 months ago with its 7.0 release. Data has now been collected on how effective it has been so far, and the findings are significant. Cisco's addition of reputation data to its IPS sensor software has resulted in a 100% increase in effectiveness over signature protection alone. Additionally, it has been found that a reputation lookup and drop can be done 100 times faster than a traditional signature check and drop. IP address reputation is just like a credit score in finance: the better your score, the more you are allowed to do. So how does reputation actually work on the Cisco IPS sensors? I thought you'd never ask!

The first task in making reputation effective is to have a great reputation database to start with and build upon in the future. Cisco built the SensorBase reputation database from the existing Cisco Ironport reputation database (Senderbase), which already had a great track record, to accomplish this out of the gate. Cisco has over 700,000 sensors deployed globally; each of these will now have the ability to contribute directly to Sensorbase by sharing its threat data anonymously. Additionally, Sensorbase takes advantage of 600 different third-party threat data and news feeds. These feeds help to populate the reputation criteria that make up a reputation score. Reputation scores are also shared across Cisco's reputation databases (email, web, IPS, and firewall), so regardless of the attack vector the information is learned by all databases. Additionally, more than 1000 threat collection servers process 500 GB of data a day for threat analysis used for reputation scoring. The result of all this is a very accurate and dynamic reputation scoring system. Take a look at your score on senderbase.org.

Cisco implements reputation in two ways: reputation filtering and global correlation. Reputation filtering is pretty straightforward: if an IP address has a terrible reputation it gets put on the filtering list, and any traffic from it is dropped outright when it is seen by the sensor. The reputation-filtering list is relatively small compared to the ~4 billion IP addresses out there.

Global correlation (GC) is where the bulk of the value of adding reputation to an IPS system is realized. Global correlation is a dynamic IP address reputation database in the cloud, called Sensorbase; Cisco IPS sensors can opt in to the program and contribute their data to further the efficacy of the database. Sensorbase is a subset of the Cisco Ironport Senderbase that has been optimized to work in an IPS system instead of an email anti-spam system. Sensorbase contains 60+ criteria fields that combine to produce a reputation score of +10 to -10 for an IP address; decimal scores like 7.6 are used as well. This reputation score is then used to modify the Cisco IPS risk-rating value, increasing the risk rating if the reputation is poor. Global correlation gives Cisco sensors another criterion for judging the efficacy of a signature hit beyond the signature logic alone. The idea is that if you add more context around why, where, and what caused a particular signature to trigger, you can make a better determination of how likely it is to be real and actionable. Instead of relying solely on the efficacy of the signature logic itself, risk rating adds context around the signature alert.

Cisco risk rating (RR) is a number from 0 to 100, with 100 being the highest risk. You then configure IPS actions (like drop packet) based on these risk-rating values. For example, drop packets for any signature hit that calculates a RR of 85-100.
Risk rating is made up of the following criteria today:

-Attack Severity Level (high, med, low, info)
-Signature Fidelity (1-100 value): 100 means the signature is always real, while 1 means there is a 99% chance it is a false positive when fired. The signature creator pre-determines the fidelity rating of the signatures they author based on their test results.
-Attack Relevancy uses built-in OS fingerprinting to determine whether the operating system of the victim matches the operating system relevant to a particular attack signature.
-Target Value Rating is a user-determined value assigned to IP addresses and subnets within your environment. Values are low, medium, high, or mission-critical asset value. The value of the target system affects the risk rating calculation.
-Promiscuous Delta changes the risk rating based on whether the sensor is inline with traffic or not.
-CSA Watch List. CSA shares its watch list of dynamically determined bad hosts with the IPS system. If an IP address is found on the CSA watch list, the risk rating value is increased.
-Global Correlation. The reputation of the IP address is used to further affect the risk rating value. A poor reputation results in an increased risk rating value.

The combination of all of these together is called the risk rating. The addition of global correlation data has made the most significant impact yet on the effectiveness of the risk rating calculations. It has drastically reduced false positives while at the same time just about doubling the real drop rate of a Cisco IPS sensor facing the Internet. All IPS event messages will also now contain the reputation score of the source IP address (if it has one). This allows you to filter messages based on reputation, pull reports based on reputation, etc.

The location of the IPS sensor markedly affects the value returned by global correlation. The global correlation database, Senderbase, only contains Internet addresses, not private ones. This means that to be effective it needs to see inbound Internet traffic. Additionally, GC only looks at the source IP address field at this time, so only Internet-to-corporate traffic can produce a reputation score. Corporate-to-Internet traffic would not have a score, since an internal source IP is not in the database. So, in a nutshell, this feature is designed to protect your Internet-facing assets like web servers from attack.
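To make the flow concrete, here is an added example (my own illustration, not Cisco's code or its actual risk-rating formula) of reputation filtering, global correlation and the risk-rating criteria above applied to a single alert. The reputation scores, weights and thresholds are assumed, and internal source addresses get no score, as described.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed reputation data standing in for a SensorBase lookup (scores run +10 to -10).
REPUTATION = {"198.51.100.7": -9.2, "203.0.113.40": -4.5, "192.0.2.10": 7.6}
REPUTATION_FILTER_THRESHOLD = -8.0   # assumed: at or below this, drop before signature inspection
DROP_RR = 85                          # the post's example action: drop at RR 85-100

SEVERITY = {"info": 25, "low": 50, "med": 75, "high": 100}                  # assumed mapping
TARGET_VALUE = {"low": -10, "medium": 0, "high": 10, "mission_critical": 20}  # assumed offsets
# Global correlation only scores Internet addresses; RFC 1918 space is treated as internal.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Alert:
    src_ip: str
    severity: str          # high, med, low, info
    fidelity: int          # 1-100, set by the signature author
    os_relevant: bool      # attack relevancy from OS fingerprinting
    target_value: str      # user-assigned target value rating
    inline: bool           # promiscuous delta applies when the sensor is not inline
    on_csa_watchlist: bool

def reputation_for(src_ip: str) -> Optional[float]:
    """Return the reputation score, or None for an internal source (no score exists)."""
    addr = ipaddress.ip_address(src_ip)
    if any(addr in net for net in INTERNAL_NETS):
        return None
    return REPUTATION.get(src_ip)

def risk_rating(a: Alert) -> int:
    """Combine the criteria the post lists into a 0-100 RR (weights are assumed, not Cisco's)."""
    rr = SEVERITY[a.severity] * a.fidelity / 100          # severity scaled by signature fidelity
    rr += TARGET_VALUE[a.target_value]                     # target value rating
    rr += 0 if a.os_relevant else -15                      # attack relevancy: wrong OS lowers RR
    rr -= 0 if a.inline else 5                             # promiscuous delta
    rr += 10 if a.on_csa_watchlist else 0                  # CSA watch list
    rep = reputation_for(a.src_ip)
    if rep is not None and rep < 0:
        rr += -rep * 2                                     # global correlation: poor reputation raises RR
    return int(max(0, min(100, round(rr))))

def action(a: Alert) -> str:
    """Reputation filtering runs first; otherwise the RR-based event action applies."""
    rep = reputation_for(a.src_ip)
    if rep is not None and rep <= REPUTATION_FILTER_THRESHOLD:
        return "drop:reputation-filter"
    return "drop" if risk_rating(a) >= DROP_RR else "alert"
```

Note that the same alert from an internal source keeps only its signature-derived rating, which is exactly why a sensor placed where it sees inbound Internet traffic gets the most value from GC.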

What are your results with Cisco IPS Global correlation so far? I'd love to hear.

For additional data, check out the testing results done by NW's Joel Snyder:
https://www.networkworld.com/reviews/2009/081009-cisco-intrusion-prevention-system-test.html

For additional data on Cisco IPS:
www.cisco.com/go/ips

The opinions and information presented here are my PERSONAL views and not those of my employer. I am in no way an official spokesperson for my employer.

About Cisco Security Expert

Jamey Heary, CCIE #7680, sits on the PCI Security Standards Council Board of Advisors, where he provides strategic and technical guidance for future PCI standards. Jamey is the author of Cisco NAC Appliance: Enforcing Host Security with Clean Access. (Check out all of Jamey Heary's books from Cisco Press.) He also has a patent pending on a new DDoS mitigation technique.

Jamey sits on several security advisory boards for Cisco Systems and is a founding member of the Colorado Healthcare InfoSec Users Group. He is an experienced speaker who is recognized as an expert in network security architecture, regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP, and he is a Certified HIPAA Security Professional. He has been working in the IT field for 15 years and in IT security for 10 years. Jamey is currently a Distinguished Systems Engineer at Cisco Systems.