The traditional way of querying a reputation service database, a DNS lookup per address, wouldn't work in an IPS environment. Instead, IPS 7.0 downloads the entire reputation service database and keeps it frequently updated. No additional license is required to use Reputation Filtering, but you must have an active license and Cisco support agreement to turn on downloading.
From there, enabling Reputation Filtering is as simple as checking a single box. There are no thresholds or parameters to set: Cisco told us that no normal site could ever be blocked by Reputation Filtering, because the reputation score required to block is -10, as bad as it gets.
The IPS 7.0 software does have a "test" mode, which lets you see what the IPS would have blocked on the basis of reputation without actually dropping any traffic.
We started out, as Cisco recommended, by turning on Reputation Filtering, and quickly ran into one of the weak parts in this new feature: reporting and status information.
Reputation Filtering blocks do not show up as standard IPS events. Instead, the information is aggregated and reported at the bottom of an obscure, 10-page, text-only report. What is available is the network block (such as 94.232.248.0/21, a Russian site hosting such domains as "trustedtablets.com," "ultimatepillstore.com," and "viagracomparison.com") and the number of denied packets from that block.
What you don't get is any background information on the site being blocked, what address on your network they tried to connect to, or what TCP or UDP port is being probed. This means you can't tell whether this site was simply trying to send you spam or whether a more malicious attack was brewing.
Alternatively, you can see a report that presents a bar chart showing how many packets have been blocked by Reputation Filtering, but it was one of the least informative uses of a bar chart that we've ever seen.
Over the two-week test period, we didn't see a huge number of denied packets: an average of about one per minute, or roughly 1,500 a day (see "How we tested" for more details on our traffic loads). If Reputation Filtering is simply taking some of the load off of your anti-spam gateway, 1,500 blocked connections a day isn't worth much; the site we tested Reputation Filtering with is already blocking about 400,000 connections a day using reputation services with an anti-spam gateway.
On the other hand, if the traffic coming in isn't spam, that adds up to a serious number of probable attacks each day. Remember that these packets were seen behind the firewall, that is, after all the usual port scans and invalid connection attempts had already been filtered out. So the Cisco IPS certainly blocked a lot of traffic that the firewall let through.
Our testing didn't turn up any false positives. We randomly picked 25 networks blocked by the Reputation Filtering and investigated each one, searching the Internet for reasons that the network blocks were listed and our own logs to see if these blocks had made legitimate connections in the recent past. We concluded that each one of them should have been blocked and that there were no legitimate users on the blocked networks.
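The two checks described above, the per-block report (with the destination-port detail the Cisco report omits) and the cross-check of blocked networks against a site's own connection logs for prior allowed connections, as an added example written for this page, not code from Cisco or from the review. The log format is a constructed key=value layout; the addresses, the second listed block (an RFC 5737 documentation range) and the log lines are sample data made up for the example, and 94.232.248.0/21 is simply the block named in the review.

```python
import ipaddress
from collections import Counter

# Constructed for this example: network blocks as the IPS reputation report lists
# them. 94.232.248.0/21 is the block named in the review; 203.0.113.0/24 is an
# RFC 5737 documentation range standing in for any other listed block.
BLOCKED_NETWORKS = ["94.232.248.0/21", "203.0.113.0/24"]

# Constructed sample of a site's own connection log in a hypothetical
# key=value format (one line per connection attempt seen at the perimeter).
SAMPLE_LOG = """\
2009-07-20 13:04:11 src=94.232.249.17 dst=10.1.2.3 dport=25 action=deny
2009-07-20 13:05:40 src=94.232.250.8 dst=10.1.2.9 dport=80 action=deny
2009-07-21 08:12:03 src=203.0.113.44 dst=10.1.2.3 dport=25 action=deny
2009-07-22 09:30:00 src=203.0.113.200 dst=10.1.2.20 dport=443 action=allow
2009-07-22 11:45:12 src=198.51.100.7 dst=10.1.2.3 dport=25 action=allow
"""


def parse_log(text):
    """Parse the constructed log format into dicts with typed src/dport fields."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, *kvs = line.split()
        fields = {"timestamp": f"{date} {time}"}
        for kv in kvs:
            key, _, value = kv.partition("=")
            fields[key] = value
        fields["src"] = ipaddress.ip_address(fields["src"])
        fields["dport"] = int(fields["dport"])
        entries.append(fields)
    return entries


def network_for(addr, networks):
    """Return the first listed network containing addr, or None if it is in no block."""
    for net in networks:
        if addr in net:
            return net
    return None


def summarize_blocks(entries, blocked):
    """Per-block denied counts as the IPS report gives them, plus the destination-port
    breakdown it omits, so a mail-only pattern (port 25) can be told from a wider probe."""
    networks = [ipaddress.ip_network(b) for b in blocked]
    summary = {}
    for e in entries:
        net = network_for(e["src"], networks)
        if net is None:
            continue  # source is not in any blocked network: outside the report's scope
        s = summary.setdefault(str(net), {"denied": 0, "allowed": 0, "ports": Counter()})
        if e["action"] == "deny":
            s["denied"] += 1
            s["ports"][e["dport"]] += 1
        else:
            s["allowed"] += 1
    return summary


def prior_allowed_connections(entries, blocked):
    """Allowed connections whose source lies in a blocked network: the candidate
    false positives that the review checked by hand, one network block at a time."""
    networks = [ipaddress.ip_network(b) for b in blocked]
    return [e for e in entries
            if e["action"] == "allow" and network_for(e["src"], networks) is not None]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for block, s in summarize_blocks(entries, BLOCKED_NETWORKS).items():
        ports = ", ".join(f"{p}:{n}" for p, n in sorted(s["ports"].items()))
        print(f"{block}: denied={s['denied']} allowed={s['allowed']} dports={ports}")
    for e in prior_allowed_connections(entries, BLOCKED_NETWORKS):
        print(f"review: {e['src']} was allowed to {e['dst']}:{e['dport']} at {e['timestamp']}")
```

An allowed connection from a listed block is not proof of a false positive, only a lead: the review's final step, looking up why the block was listed and whether the connecting host was a legitimate user, is still manual.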
Comments (1)
Joel is not a credible reviewer
By Anonymous on August 12, 2009, 6:15 pm
Joel is a Cisco/Juniper hack who praises everything those two companies release. This is just another of his fawning praise for Cisco. My experience is that Cisco's...