Cisco IPS 4360 Sensor White Paper
Intrusion Prevention
August 2012 Series
Figure 10 - Packet flow through a Cisco ASA firewall and IPS module
1. Traffic is inspected by Cisco ASA firewall policy
2. If denied by firewall policy, traffic is dropped
3. Permitted traffic matching inspection policy is sent to Cisco IPS module
4. Traffic that matches the reputation filter list or has a GC adjusted risk rating of 90+ is dropped
5. Clean traffic is sent back to Cisco ASA
6. If present, VPN access policies are applied, and then traffic is forwarded onto network
IPS services integrated into the ASA firewall rely on the firewalls for high availability services. The firewalls in the Internet edge are deployed in an active/standby configuration; if the primary firewall fails, then the secondary firewall will take over all firewall operations, and the IPS module in the secondary firewall inspects the traffic.
Figure 11 - IPS processing flowchart (Cisco IPS stages: Pre-Processing, Reputation Filters, Signature Inspection, Anomaly Detection, Global Correlation, Decision Engine)
Cisco IPS can make informed decisions on whether to permit or block traffic based on reputation. Cisco IPS uses reputation in two key ways:
• Reputation Filters—a small list of IP addresses that have been hijacked or are owned by malicious groups
• Global Correlation Inspection—a rating system for IP addresses based on prior behavior
Reputation Filters allow the IPS to block all traffic from known bad addresses before any significant inspection is done. Global Correlation Inspection uses the reputation of the attacker in conjunction with the risk rating associated with the signature in order to determine a new risk rating and drop traffic that is likely to be malicious.
Because Global Correlation Inspection depends on actual public IP addresses to function, any sensor that is deployed internally and sees only private addresses should have Global Correlation Inspection disabled because it will not add any value.
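As an added illustration (not code from the Cisco guide), the following Python models the ordering the two paragraphs above describe: the Reputation Filter check runs before inspection, Global Correlation then combines the attacker's reputation with the signature's risk rating and drops at 90+, and RFC 1918 private sources are left unadjusted because no reputation data exists for them. The filter list, reputation scores, the -10..0 reputation scale and the linear adjustment formula are assumptions, not Cisco's actual values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample data. The sensor downloads the real reputation filter
# list and reputation scores; the values here are placeholders.
REPUTATION_FILTER_LIST = ["203.0.113.0/24"]    # hijacked / malicious ranges
REPUTATION_SCORES = {"198.51.100.7": -8.0}     # assumed scale: -10 (worst) .. 0 (unknown)
DROP_THRESHOLD = 90                            # page: GC-adjusted rating of 90+ is dropped
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Verdict:
    action: str        # "drop" or "permit"
    stage: str         # processing stage that made the decision
    risk_rating: int   # rating the decision was based on


def is_private(ip: str) -> bool:
    """RFC 1918 source: Global Correlation has no reputation data to add."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def in_reputation_filter(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in REPUTATION_FILTER_LIST)


def gc_adjusted_rating(ip: str, signature_rr: int) -> int:
    """Combine attacker reputation with the signature's risk rating.
    Assumption: worse reputation raises the rating linearly; Cisco's actual
    adjustment formula is not given in the guide."""
    if is_private(ip):
        return signature_rr
    reputation = REPUTATION_SCORES.get(ip, 0.0)
    return min(100, signature_rr + int(-reputation * 5))


def inspect(src_ip: str, signature_rr: int) -> Verdict:
    # Stage 1: Reputation Filters run before any significant inspection.
    if in_reputation_filter(src_ip):
        return Verdict("drop", "reputation-filter", 100)
    # Stage 2: signature rating adjusted by Global Correlation, drop at 90+.
    rr = gc_adjusted_rating(src_ip, signature_rr)
    if rr >= DROP_THRESHOLD:
        return Verdict("drop", "global-correlation", rr)
    # Otherwise clean traffic goes back to the ASA.
    return Verdict("permit", "decision-engine", rr)
```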