Cisco IPS 4360 Sensor White Paper
Intrusion Prevention
August 2012 Series
41
Figure 10 - Packet flow through a Cisco ASA firewall and IPS module
1. Traffic is inspected by Cisco ASA firewall policy.
2. If denied by firewall policy, traffic is dropped.
3. Permitted traffic matching inspection policy is sent to Cisco IPS module.
4. Traffic that matches the reputation filter list or has a GC adjusted risk rating of 90+ is dropped.
5. Clean traffic is sent back to Cisco ASA.
6. If present, VPN access policies are applied, and then traffic is forwarded onto network.
IPS services integrated into the ASA firewall rely on the firewalls for high availability services. The firewalls in the Internet edge are deployed in an active/standby configuration; if the primary firewall fails, then the secondary firewall will take over all firewall operations, and the IPS module in the secondary firewall inspects the traffic.
Figure 11 - IPS processing flowchart: Pre-Processing -> Cisco IPS Reputation Filters -> Signature Inspection -> Anomaly Detection -> Global Correlation -> Decision Engine
Cisco IPS can make informed decisions on whether to permit or block traffic based on reputation. Cisco IPS uses reputation in two key ways:
Reputation Filters — a small list of IP addresses that have been hijacked or are owned by malicious groups
Global Correlation Inspection — a rating system for IP addresses based on prior behavior
Reputation Filters allow the IPS to block all traffic from known bad addresses before any significant inspection is done. Global Correlation Inspection uses the reputation of the attacker in conjunction with the risk rating associated with the signature in order to determine a new risk rating and drop traffic that is likely to be malicious.
Because Global Correlation Inspection depends on actual public IP addresses to function, any sensor that is deployed internally and sees only private addresses should have Global Correlation Inspection disabled, because it will not add any value.
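The decision flow described above, modelled as a small Python example added here (not Cisco's code): the reputation filter runs first, then the signature risk rating is adjusted by Global Correlation and compared against the 90+ drop threshold, and Global Correlation is skipped for private sources. The sample addresses, reputation scores, the adjustment function and the use of RFC 1918 ranges to define "private" are all assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed reputation filter list (TEST-NET addresses, not real indicators).
REPUTATION_FILTER = {"203.0.113.7", "198.51.100.22"}

# Constructed Global Correlation reputation scores: -10 (worst) .. 0 (neutral).
GC_REPUTATION = {"203.0.113.9": -8.0, "192.0.2.50": -2.0}

DROP_THRESHOLD = 90  # the page: GC adjusted risk rating of 90+ is dropped

# Assumption: "private addresses" in the text means the RFC 1918 ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Verdict:
    action: str       # "drop" or "permit"
    stage: str        # stage that made the decision
    risk_rating: int  # rating the decision was based on


def is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def gc_adjusted_risk(base_rr: int, reputation: float) -> int:
    # Placeholder adjustment, NOT Cisco's formula (which the page does not give):
    # a worse reputation raises the rating; result is clamped to 0..100.
    return max(0, min(100, base_rr + int(-reputation * 5)))


def inspect(src_ip: str, signature_rr: int, gc_enabled: bool = True) -> Verdict:
    """Reputation filter -> signature inspection -> global correlation -> decision."""
    # Stage 1: reputation filter blocks known-bad sources before any real inspection.
    if src_ip in REPUTATION_FILTER:
        return Verdict("drop", "reputation-filter", 100)
    # Global Correlation only adds value for public sources; skip it for private ones.
    use_gc = gc_enabled and not is_private(src_ip)
    rr = gc_adjusted_risk(signature_rr, GC_REPUTATION.get(src_ip, 0.0)) if use_gc else signature_rr
    # Decision engine: assumed to apply the same 90+ threshold to the unadjusted rating.
    if rr >= DROP_THRESHOLD:
        return Verdict("drop", "global-correlation" if use_gc else "signature-inspection", rr)
    return Verdict("permit", "decision-engine", rr)
```

Running `inspect("10.0.0.5", 60)` shows the private-source case: no adjustment is applied and the signature rating alone decides.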