Cisco Cisco Web Security Appliance S160 User Guide
19-2
Cisco IronPort AsyncOS 7.7 for Web User Guide
Chapter 19 Configuring Security Services
Web Reputation Filters Overview
Web Reputation Filters Overview
Web Reputation Filters is a security feature that analyzes web server behavior and assigns a web-based
reputation score (WBRS) to a URL to determine the likelihood that it contains URL-based malware. It
helps protect against URL-based malware that threatens end-user privacy and sensitive corporate
information. The Web Security appliance uses web reputation scores to identify suspicious activity and
stop malware attacks before they occur.
reputation score (WBRS) to a URL to determine the likelihood that it contains URL-based malware. It
helps protect against URL-based malware that threatens end-user privacy and sensitive corporate
information. The Web Security appliance uses web reputation scores to identify suspicious activity and
stop malware attacks before they occur.
Web Reputation Filters are designed to combat the increasingly prevalent and dynamic nature of
malware, especially to protect users from legitimate web sites that have been compromised by malware
writers.
malware, especially to protect users from legitimate web sites that have been compromised by malware
writers.
You can use Web Reputation Filters with Access, Decryption, and Cisco IronPort Data Security Policies.
Web Reputation Scores
Web Reputation Filters use statistically significant data to assess the reliability of Internet domains and
score the reputation of URLs. Data such as how long a specific domain has been registered, or where a
web site is hosted, or whether a web server is using a dynamic IP address is used to judge the
trustworthiness of a given URL.
score the reputation of URLs. Data such as how long a specific domain has been registered, or where a
web site is hosted, or whether a web server is using a dynamic IP address is used to judge the
trustworthiness of a given URL.
The web reputation calculation associates a URL with network parameters to determine the probability
that malware exists. The aggregate probability that malware exists is then mapped to a Web Reputation
Score between -10 and +10, with +10 being the least likely to contain malware.
that malware exists. The aggregate probability that malware exists is then mapped to a Web Reputation
Score between -10 and +10, with +10 being the least likely to contain malware.
Example parameters include the following:
•
URL categorization data
•
Presence of downloadable code
•
Presence of long, obfuscated End-User License Agreements (EULAs)
•
Global volume and changes in volume
•
Network owner information
•
History of a URL
•
Age of a URL
•
Presence on any block lists
•
Presence on any allow lists
•
URL typos of popular domains
•
Domain registrar information
•
IP address information
Note
Cisco does not collect personally identifiable information such as user names, passwords, or client IP
addresses.
addresses.
Understanding How Web Reputation Filtering Works
Web Reputation Scores are associated with an action to take on a URL request. The available actions
depend on the policy group type that is assigned to the URL request:
depend on the policy group type that is assigned to the URL request: