Cisco IPS 4520 Sensor White Paper
© 2012 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Figure 6. Sensor at Professional Services Firm (PRO-2)
Figure 7 shows data from a medical school and hospital that, by policy, maintain a permissive access
environment. The IPS sensor at this school (MED-1) sees a significant amount of peer-to-peer (P2P) and Internet
Relay Chat (IRC) traffic, and some of this traffic contains embedded threats. In addition, the school has an
inconsistently patched OS environment - a fact likely known to hackers. Since many of the networks originating
bad traffic are known to Cisco SIO, the Reputation Filtering portion of Global Correlation on MED-1 denies the
majority of bad traffic.
Figure 7. Sensor at Medical School and Hospital (MED-1)
Even though Global Correlation Inspection has a negligible impact on bad traffic on MED-1, the configuration
related to the inspection should be left in place. The incoming traffic profile and the attacks it contains change
from time to time. In addition, SIO updates the sensor with new signatures periodically. Over time, the balance of
traffic blocked by Reputation Filtering versus Global Correlation Inspection versus Traditional IPS Detection may
vary. However, once Global Correlation is properly configured on a sensor, a security administrator need not
reconfigure this capability to accommodate a changing traffic profile or signature updates.