Cisco IPS 4520 Sensor White Paper
© 2012 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 2 of 6
● Global Correlation Reputation Filtering: Based on reputation alone. The flow is not passed to the traditional inspection engines.
● Global Correlation Inspection: Based on a combination of traditional inspection and network reputation information. The risk rating mechanism combines the two threat signals.
● Traditional IPS Detection: Based on traditional inspection techniques, including protocol decoding engines, signature-based inspection, and anomaly detection via statistical analysis of network traffic. In this case, network reputation information for the traffic flow is not available or does not have an effect on the flow.
Customers deploying Cisco IPS can benefit from Global Correlation in multiple ways. First, bad traffic from known
sources is stopped immediately. This includes zero-day attacks, for which no traditional threat prevention currently
exists, advanced persistent threats (APTs), and botnet command and control traffic. Second, multiple signals are
used to detect and stop incoming threats, enabling Cisco IPS sensors to stop a greater number of threats than
would have been possible with traditional IPS mechanisms alone. Finally, a Cisco IPS sensor is able to inspect
more traffic as traffic denied by Global Correlation Reputation Filtering is prevented from passing through the
computationally intensive traditional IPS inspection process.
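The three tiers listed above, and the attribution question the rest of the paper turns on (which denials are due to Global Correlation and which would have been caught by traditional inspection anyway), can be modelled as a small decision pipeline. The following is an added illustrative example, not Cisco sensor code: the reputation scores, signature table, thresholds and the way reputation is folded into the risk rating are all constructed assumptions, chosen only to show the flow of a packet through reputation filtering, reputation-informed inspection and traditional inspection, and to count how much traffic each tier stops and how much never reaches the inspection engines.

```python
"""Illustrative three-tier IPS decision model (added example, not Cisco code).

Tier 1: reputation filtering   - deny on reputation alone, skip inspection
Tier 2: GC inspection          - signature risk adjusted by reputation
Tier 3: traditional inspection - signature risk alone (no reputation known)
All scores, thresholds and the combination formula are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed reputation table: score in [-10, 0]; more negative is worse.
REPUTATION = {
    "198.51.100.7": -9.5,   # constructed: known bad source
    "203.0.113.22": -4.0,   # constructed: suspicious, not conclusive
}
# Constructed signature table: byte pattern -> (signature name, base risk 0-100).
SIGNATURES = {
    b"GET /cgi-bin/": ("web-cgi-probe", 60),
    b"\x90\x90\x90\x90": ("nop-sled", 85),
}
FILTER_THRESHOLD = -8.0   # assumed: reputation at or below this denies outright
DENY_RISK = 80            # assumed: combined risk at or above this denies
REP_WEIGHT = 5.0          # assumed: risk points added per unit of bad reputation


@dataclass
class Verdict:
    action: str                      # "deny" or "pass"
    tier: str                        # tier that produced the verdict
    risk: int = 0
    signature: Optional[str] = None


@dataclass
class Stats:
    rep_filter_denied: int = 0       # stopped before inspection
    gc_inspection_denied: int = 0    # stopped only because reputation raised risk
    traditional_denied: int = 0      # signature alone was sufficient
    passed: int = 0
    inspected: int = 0               # flows that consumed inspection-engine time


def inspect(payload: bytes) -> Tuple[Optional[str], int]:
    """Traditional inspection: first matching signature -> (name, base risk)."""
    for pattern, (name, risk) in SIGNATURES.items():
        if pattern in payload:
            return name, risk
    return None, 0


def evaluate(src_ip: str, payload: bytes, stats: Stats) -> Verdict:
    rep = REPUTATION.get(src_ip)
    # Tier 1: reputation filtering; the flow never reaches the inspection engines.
    if rep is not None and rep <= FILTER_THRESHOLD:
        stats.rep_filter_denied += 1
        return Verdict("deny", "reputation-filter")

    stats.inspected += 1
    name, base_risk = inspect(payload)
    if name is None:
        stats.passed += 1
        return Verdict("pass", "traditional")

    # Tier 2 when reputation is known: raise the risk rating by the bad reputation.
    risk = min(100, int(base_risk + REP_WEIGHT * -rep)) if rep is not None else base_risk
    if risk < DENY_RISK:
        stats.passed += 1
        return Verdict("pass", "gc-inspection" if rep is not None else "traditional", risk, name)

    # Attribute the denial to GC only if the signature alone would not have denied.
    if rep is not None and base_risk < DENY_RISK:
        stats.gc_inspection_denied += 1
        return Verdict("deny", "gc-inspection", risk, name)
    stats.traditional_denied += 1
    return Verdict("deny", "traditional", risk, name)


def run_sample() -> Tuple[List[Verdict], Stats]:
    """Run constructed sample flows through the pipeline and return verdicts + counts."""
    flows = [
        ("198.51.100.7", b"GET / HTTP/1.0"),            # bad reputation, benign payload
        ("203.0.113.22", b"GET /cgi-bin/test.cgi"),     # weak reputation + medium signature
        ("192.0.2.10", b"\x90\x90\x90\x90\x90\xcc"),    # no reputation, high-risk signature
        ("192.0.2.11", b"GET /index.html HTTP/1.1"),    # clean
        ("192.0.2.12", b"GET /cgi-bin/test.cgi"),       # no reputation, medium signature only
    ]
    stats = Stats()
    verdicts = [evaluate(ip, payload, stats) for ip, payload in flows]
    return verdicts, stats


if __name__ == "__main__":
    results, counts = run_sample()
    for v in results:
        print(f"{v.action:4} via {v.tier:18} risk={v.risk:3} sig={v.signature}")
    print(counts)
```

The second sample flow is the case the paper's "Global Correlation Inspection" bucket describes: a medium-risk signature that traditional inspection alone would only alert on, denied because the source's reputation pushed the combined risk rating over the threshold. The first flow never increments `inspected`, which is the load-reduction effect described above.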
Global Correlation put to work by Cisco RMS
Cisco Remote Management Services (RMS) is a Cisco business unit that provides managed services. The
security portion of these services includes monitoring and management of Cisco IPS sensors. Cisco RMS has
more than a decade of experience deploying Cisco IPS across multiple industry segments, as well as first-hand
experience with deploying the Global Correlation feature. We’ll use this data and experience to demonstrate the
effectiveness of Global Correlation.
As we will see, Global Correlation significantly augments traditional IPS techniques in most situations. In cases
where a firewall with tight access control fronts an IPS sensor, the portion of bad traffic caught on the sensor
attributable to Global Correlation is relatively small. However, in cases where such access control is more relaxed,
Global Correlation stops a higher portion of bad traffic on the sensor.
Tight access control in front of sensor
Figure 2 shows data from a sensor at a bank in North America. The bank has a defensive security posture that
includes multiple layers of security. It has a tight access control policy on the firewall, blocking the majority of
known bad traffic. Thus, Global Correlation Reputation Filtering on the IPS sensor (BNK-1) denies a negligible
portion of the bad traffic coming to the sensor. Global Correlation Inspection has a noticeable impact: 7% of bad
traffic denied. However, the bulk of bad traffic coming to the IPS sensor is denied using traditional IPS techniques,
since the firewall has stopped much of that which could be caught by Global Correlation.