Cisco started shipping reputation functionality in its IPS sensors about six months ago with the 7.0 release, and data has since been collected on how effective it has been. The findings are significant. Adding reputation data to the IPS sensor software has produced a 100% increase in effectiveness over signature protection alone, and a reputation lookup and drop can be done about 100 times faster than a traditional signature check and drop. IP address reputation is much like a credit score in finance: the better your score, the more you are allowed to do. So how does reputation actually work on the Cisco IPS sensors? I thought you'd never ask!
The first requirement for making reputation effective is a great reputation database to start with and build upon. Cisco built the SensorBase reputation database from the existing Cisco IronPort reputation database (SenderBase), which already had a strong track record, so it was effective out of the gate. Cisco has over 700,000 sensors deployed globally; each of these can now contribute directly to SensorBase by sharing its threat data anonymously. SensorBase also takes advantage of 600 different third-party threat data and news feeds, which help populate the reputation criteria that make up a reputation score. Reputation scores are shared across Cisco's reputation databases (email, web, IPS, and firewall), so regardless of the attack vector, what one database learns is learned by all of them. More than 1,000 threat collection servers process 500 GB of data a day for the threat analysis used in reputation scoring. The result is a very accurate and dynamic reputation scoring system. Take a look at your own score on senderbase.org.
Cisco implements reputation in two ways: reputation filtering and global correlation. Reputation filtering is straightforward: if an IP address has a terrible reputation, it is put on the filtering list and any traffic the sensor sees from it is dropped outright, before any signature matching. The reputation-filtering list is relatively small compared with the roughly 4 billion IPv4 addresses out there.
Global correlation (GC) is where the bulk of the value of adding reputation to an IPS is realized. Global correlation is a dynamic IP address reputation database in the cloud, called SensorBase. Cisco IPS sensors can opt in to the program and contribute their data to improve the efficacy of the database. SensorBase is a subset of the Cisco IronPort SenderBase that has been optimized for an IPS rather than an email anti-spam system. It contains 60+ criteria fields that combine into a reputation score from +10 to -10 for an IP address; fractional scores such as 7.6 are used as well. This reputation score is then used to modify the Cisco IPS risk rating, raising the risk value when the reputation is poor. Global correlation gives the sensor one more criterion, beyond the signature logic itself, for judging whether a signature hit is real. The idea is that the more context you add around why, where, and what caused a particular signature to trigger, the better you can determine how likely it is to be real and actionable. Instead of relying on the efficacy of the signature logic alone, the risk rating adds context around the signature alert.
Cisco risk rating (RR) is a number from 0 to 100, with 100 being the highest risk. You then configure IPS actions (such as drop packet) based on risk-rating ranges; for example, drop packets for any signature hit that calculates an RR of 85 to 100.
Risk rating is made up of the following criteria today:
- Attack Severity Level (high, medium, low, informational).
- Signature Fidelity (1-100): 100 means the signature is always real when it fires, while 1 means there is a 99% chance it is a false positive. The signature author pre-determines the fidelity rating based on their test results.
- Attack Relevancy: uses built-in OS fingerprinting to determine whether the victim's operating system matches the operating system a particular attack signature applies to.
- Target Value Rating: a user-assigned value for IP addresses and subnets in your environment (low, medium, high, or mission-critical asset value). The value of the target system raises or lowers the risk rating.
- Promiscuous Delta: adjusts the risk rating depending on whether the sensor is inline with the traffic or in promiscuous (monitor-only) mode.
- CSA Watch List: Cisco Security Agent (CSA) shares its watch list of dynamically determined bad hosts with the IPS. If the IP address is on the CSA watch list, the risk rating is increased.
- Global Correlation: the reputation of the source IP address further adjusts the risk rating. A poor reputation increases it.
The combination of all of these is the risk rating. The addition of global correlation data has made the most significant impact yet on the effectiveness of the risk rating calculation: it has drastically reduced false positives while just about doubling the real drop rate of a Cisco IPS sensor facing the Internet. All IPS event messages now also carry the reputation score of the source IP address (if it has one), so you can filter messages, pull reports, and so on based on reputation.
The placement of the IPS sensor markedly affects the value you get from global correlation. The global correlation database, SensorBase, contains only Internet addresses, not private ones, so to be effective the sensor needs to see inbound Internet traffic. Additionally, GC only looks at the source IP address field at this time, so only Internet-to-corporate traffic can produce a reputation score; corporate-to-Internet traffic gets no score, because an internal source address is never in the database. The practical consequence is that an internal host that has already been compromised and is calling out to a poorly-reputed Internet address gets no help from GC on that outbound flow. In a nutshell, this feature is designed to protect your Internet-facing assets, such as web servers, from attack.
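To make the two mechanisms concrete, here is an added example in Python (not code from this post or from Cisco). It models reputation filtering as an outright drop for sources below a cut-off, global correlation as an adjustment to a 0-100 risk rating built from the criteria listed above, the 85-100 drop policy, and the scoping caveat that an internal source address never has a score. The sample reputation table, the addresses, the numeric weights for the qualitative ratings, the filtering cut-off and the size of the reputation adjustment are all assumptions made for illustration; Cisco's actual weighting is not given in the post.

```python
"""Illustrative model of reputation filtering plus Global Correlation feeding a
risk rating (RR), as described in the post. The weighting in base_risk_rating()
and reputation_adjustment() is an ASSUMPTION for illustration, not Cisco's
published formula; each threshold is labelled with where it comes from."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample data standing in for a SensorBase lookup (scores -10..+10).
SAMPLE_REPUTATION: Dict[str, float] = {
    "198.51.100.23": -9.4,   # terrible: lands on the reputation-filtering list
    "203.0.113.7": -6.0,     # poor: should push a marginal alert over the drop line
    "192.0.2.10": 7.6,       # good
}

FILTER_THRESHOLD = -9.0   # assumed cut-off for the filtering list
DROP_RR_THRESHOLD = 85    # from the post: drop on RR 85-100

# Assumed numeric weights for the qualitative ratings listed in the post.
SEVERITY = {"info": 25, "low": 50, "medium": 75, "high": 100}
TARGET_VALUE = {"low": 75, "medium": 100, "high": 150, "mission-critical": 200}

# Internal address space; the post notes the database holds only Internet addresses.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def lookup_reputation(src_ip: str, db: Dict[str, float] = SAMPLE_REPUTATION) -> Optional[float]:
    """Reputation of the SOURCE address only (GC ignores the destination field).
    Returns None for internal addresses or anything not in the database."""
    ip = ipaddress.ip_address(src_ip)
    if any(ip in net for net in INTERNAL_NETS):
        return None
    return db.get(src_ip)


@dataclass
class Alert:
    src_ip: str
    severity: str          # attack severity level
    fidelity: int          # signature fidelity, 1-100
    relevant: bool         # attack relevancy: OS fingerprint matches the signature
    target_value: str      # target value rating of the victim
    inline: bool           # promiscuous delta applies when False
    on_csa_watchlist: bool


def base_risk_rating(a: Alert) -> int:
    """RR before reputation: severity x fidelity x target value scaled to 0-100,
    then nudged by relevancy, promiscuous delta and CSA watch list (assumed weights)."""
    rr = SEVERITY[a.severity] * a.fidelity * TARGET_VALUE[a.target_value] / 10000
    rr += 10 if a.relevant else -10
    if not a.inline:
        rr -= 5            # monitor-only sensor: lower confidence, cannot drop anyway
    if a.on_csa_watchlist:
        rr += 10
    return int(max(0, min(100, rr)))


def reputation_adjustment(score: Optional[float]) -> int:
    """Poor reputation raises RR; no score or a good score leaves it alone (assumed scale)."""
    if score is None or score >= 0:
        return 0
    return int(round(-score * 3))   # -6.0 -> +18, -10 -> +30


def evaluate(a: Alert) -> dict:
    """Reputation filtering first, then RR with Global Correlation, then the action policy."""
    score = lookup_reputation(a.src_ip)
    if score is not None and score <= FILTER_THRESHOLD:
        return {"action": "drop", "reason": "reputation-filter", "rr": None, "reputation": score}
    rr = min(100, base_risk_rating(a) + reputation_adjustment(score))
    return {"action": "drop" if rr >= DROP_RR_THRESHOLD else "alert",
            "reason": "risk-rating", "rr": rr, "reputation": score}


def sample_alert(src_ip: str) -> Alert:
    """The same medium-severity, fidelity-80 hit seen from different sources (constructed)."""
    return Alert(src_ip, "medium", 80, True, "medium", True, False)


if __name__ == "__main__":
    for src in ("198.51.100.23", "203.0.113.7", "192.0.2.10", "10.1.1.5"):
        print(src, evaluate(sample_alert(src)))
```

Running it shows the point of the post: the identical signature hit sits at RR 70 (alert only) from a good-reputation or internal source, is pushed to 88 and dropped when the source has a poor reputation, and never reaches the signature engine at all when the source is on the filtering list. The internal source case is the scoping caveat in action: a 10.x address gets no score, so global correlation contributes nothing on outbound traffic.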
What are your results with Cisco IPS Global correlation so far? I'd love to hear.
For additional data, check out the test results from Network World's Joel Snyder:
https://www.networkworld.com/reviews/2009/081009-cisco-intrusion-prevention-system-test.html
For additional data on Cisco IPS:
www.cisco.com/go/ips
The opinions and information presented here are my PERSONAL views and not those of my employer. I am in no way an official spokesperson for my employer.
Jamey Heary, CCIE No. 7680, is the author of the Cisco NAC Appliance: Enforcing Host Security with Clean Access book by Cisco Press. Jamey is a seasoned security technologist with over 15 years in the IT field with 10 years focused on IT security. His areas of expertise include network and host security design and implementation, security regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP, and Microsoft MCSE. He is also a Certified HIPAA Security Professional. Jamey is currently a Security Consulting Systems Engineer with Cisco, though the opinions expressed here are his own. Jamey is a member of Network World's Cisco Subnet blog community.
Sensorbase
Isn't it actually Senderbase, not Sensorbase?
http://www.senderbase.org/
Nope..
Senderbase is IronPort's SPAM database.
Sensorbase is Cisco's IPS malicious IPs database.
The two are closely related, and likely share data, but serve different purposes.
RE: Sensorbase
sensorbase is the marketing name for all the reputation systems offered by cisco. senderbase is email specific. senderbase.org is the site to look up your reputation. it looks like sensorbase.org is taken
thanks
I corrected the URL, my bad.
-Jamey
IP spoofing
So my reputation gets trashed by someone spoofing my IP address (aka identity theft); now what do I do??
This will always be problematic until packets can be authenticated to come from the REAL sender
IP spoofing
Your IP address has a "credit score". The attacker(s) would need to put A LOT of effort into trashing your IP address (e.g., SMTP, "reverse" DDOS, create multiple domains, etc.) for it to show up repeatedly in a stream of 500GB data per day from 600 different sources and potentially thousands of collection devices.
IP Spoofing
Good point, but given all of the data inputs to the sensorbase database it would be very hard to trick the system into believing a spoofed address source. Spoofed address attacks are relatively easy to spot these days.
But I do agree the risk does still exist and we would be better off if we had packet or flow authenticity checks on the Internet.
There are several people working on this, especially china. http://www.springerlink.com/content/f104540445w51206/
-Jamey
IP Spoofing
Would it ever be worth it for an attacker possessing a large worldwide botnet to spoof a VERY important site, say Walmart or Amazon? How would the targeted company recover quickly?? If they cannot recover their reputation quickly I smell lawsuit. Tarnishing a reputation comes with consequences.
Reputation based scheme and trashing of it...
Reputation's benefit in general is well accepted. However, without more detail on what kind of things were caught with reputation versus without, it's hard to appreciate the "100% increase in effectiveness" as Jamey presented. Granted that as long as the Reputation is synthesized robustly from a comprehensive list of attributes (e.g. 60+ criteria fields as Jamey put it), it's not trivial for attackers to trash a given IP. Of course, notice the key words "comprehensive" and "robust", which are up to interpretation and implementation but I think you know what I meant. I would be more worried about how quickly the reputation is updated as it pertains to the potential false positives due to imperfection of the synthesis scheme or some IP ownership change or cleanup. Using the reputation score as one factor in risk calculation for IPS is one thing, saying that an IP has a terrible reputation so it will be dropped by being put on a filtering list is quite different. This will require a very clear definition of what a "terrible reputation" really means before an admin is willing to do blocking action. -Cheers