Cisco IPS 7.0 raises the bar
New global threat correlation feature boosts effectiveness of intrusion prevention devices
In Cisco's IPS products, every event carries a Risk Rating, and the security manager generally defines three bands of risk: low, medium, and high. For each band, you then select a set of actions, ranging from logging that an event occurred to actively blocking all traffic from a particular IP address for some period of time. Risk Ratings aren't new -- what's new in 7.0 is that reputation information now feeds into them.
Global Correlation Inspection raises the Risk Rating for any event when one of the IP addresses involved has a bad reputation.
The difference between Reputation Filtering and Global Correlation Inspection is important: with Reputation Filtering turned on, an extremely bad reputation of -10 causes all traffic from that address to be dropped outright. With Global Correlation Inspection turned on, a bad reputation only raises the Risk Rating of events involving that address; what happens next still depends on which band the raised Risk Rating lands in.
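To make the distinction concrete, here is a small model of the two features as the review describes them. This is an added example, not Cisco code: the band thresholds (`BAND_FLOORS`), the per-band actions and the size of the reputation bump (`CORRELATION_WEIGHT`) are assumptions chosen for illustration; only the 0..100 Risk Rating scale, the -10..+10 reputation scale and the drop-everything-at-minus-10 rule come from the text.

```python
"""Toy model of Risk Rating bands, Reputation Filtering and Global
Correlation Inspection as described in the review.  Added illustration,
not Cisco code: band floors, action names and the bump weight are assumed."""

from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed band floors on the 0..100 Risk Rating scale.
BAND_FLOORS = (("low", 0), ("medium", 50), ("high", 90))

# Assumed per-band event actions, least to most aggressive.
BAND_ACTIONS = {
    "low": "produce-alert",
    "medium": "produce-alert+log-packets",
    "high": "deny-attacker-inline",
}

# With Reputation Filtering on, an address at the bottom of the scale
# has all of its traffic dropped before signature inspection.
FILTER_THRESHOLD = -10.0

# Assumed linear weight: each point of negative reputation adds this many
# Risk Rating points under Global Correlation Inspection.
CORRELATION_WEIGHT = 4.0


@dataclass
class Event:
    sig_id: int
    src_ip: str
    risk_rating: int               # 0..100 as computed by the sensor
    reputation: Optional[float]    # -10..+10, None if the address is unknown


def band_for(risk_rating: int) -> str:
    """Map a Risk Rating to the highest band whose floor it reaches."""
    band = BAND_FLOORS[0][0]
    for name, floor in BAND_FLOORS:
        if risk_rating >= floor:
            band = name
    return band


def reputation_filter_drops(ev: Event) -> bool:
    """Reputation Filtering: drop everything from an address at -10."""
    return ev.reputation is not None and ev.reputation <= FILTER_THRESHOLD


def correlated_risk_rating(ev: Event) -> int:
    """Global Correlation Inspection: raise the Risk Rating for a negative
    reputation, capped at 100.  A non-negative or unknown reputation leaves
    the rating untouched."""
    if ev.reputation is None or ev.reputation >= 0:
        return ev.risk_rating
    bump = int(round(-ev.reputation * CORRELATION_WEIGHT))
    return min(100, ev.risk_rating + bump)


def decide(ev: Event, filtering: bool = True, correlation: bool = True) -> Tuple[int, str, str]:
    """Return (effective Risk Rating, band, action) for one event under the
    chosen combination of features."""
    if filtering and reputation_filter_drops(ev):
        return ev.risk_rating, band_for(ev.risk_rating), "drop-all-traffic"
    rr = correlated_risk_rating(ev) if correlation else ev.risk_rating
    band = band_for(rr)
    return rr, band, BAND_ACTIONS[band]


if __name__ == "__main__":
    # Constructed sample events, not data from the review.
    samples = [
        Event(5000, "203.0.113.5", 75, -5.5),   # bad reputation: medium -> high
        Event(5000, "198.51.100.7", 75, None),  # unknown reputation: stays medium
        Event(3200, "203.0.113.9", 40, -10.0),  # worst reputation: filtered outright
    ]
    for ev in samples:
        print(ev.src_ip, decide(ev), decide(ev, filtering=False))
```

Running the three sample events shows the point of the paragraph: the -5.5 address is promoted from the medium band into the high band and picks up that band's action, the address with no reputation is untouched, and the -10 address is dropped by Reputation Filtering regardless of its Risk Rating, but with filtering off it is merely bumped into a higher band.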
Global Correlation Inspection is well integrated into the reporting and analysis tools in IPS Manager Express, and we were easily able to see reputation data mixed in with each IPS event. What we couldn't easily see, however, was the effect that reputation data had on the event information. It would have been nice to have a 'before' and 'after' column so we could see what Global Correlation Inspection was doing.
Even with several weeks of work, we found it difficult to understand and get comfortable with Global Correlation Inspection because of a lack of reporting information. Cisco could make the lives of security managers easier by giving them more information about exactly what is going on with each event.
Ultimately, we found that having the reputation information available with every event gave us two significant benefits: it let us deal with events more quickly, and the change in Risk Ratings let us focus on the events that posed the greatest potential threats.
Reputation information in the analysis console turned out to be a great timesaver. Cisco's IPS Manager Express, released in 2008 with IPS software Version 6.1 and included with every IPS sensor, is a huge leap forward from previous IPS and IDS management tools from Cisco.
IPS Manager Express handles up to five sensors and gives competitive products from Juniper and Sourcefire some significant competition. Even with the improvements in IPS Manager Express, we found ourselves frequently referring to the reputation data included with each event to decide which events needed to be looked at and which could be ignored.
For example, one day we had 72 events that the Cisco IPS had identified as attempts to use Web servers on our network as HTTP proxies. Of those 72 events, 71 came from addresses with fairly bad reputations (-3.8 and -5.5). Since we're confident that the Web servers are configured correctly, we dismissed those as routine probes for misconfigured Web servers.
However, one of the events came from an address without a bad reputation. We investigated and found one of our own users with a misconfigured laptop on the road. Without the reputation service, we never would have investigated any of the events, but because one event stood out, we not only investigated the problem but also resolved a configuration issue.
The second benefit to come out of combining reputation services with IPS events was the change in Risk Ratings. We saw significant numbers of events with modified Risk Ratings because of negative reputation. In one 100-hour period, 11% of the high and medium severity events had their Risk Ratings bumped up because of negative reputation -- almost 2,000 events. By sorting on Risk Rating within each event type, we were drawn to the events that the IPS thought posed the greatest risk.
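The triage workflow in the two passages above (grouping the proxy-probe events, noticing the one source with no bad reputation, and sorting by Risk Rating within each event type) can be expressed as a short script. This is an added example, not Cisco or IPS Manager Express code; the signature ids and names, the addresses and the event records are constructed sample data shaped like the day described, not the reviewers' logs.

```python
"""Triage helper modelled on the workflow in the review: group IPS events
by signature, sort each group by Risk Rating, and surface the events whose
source carries no negative reputation, because when the rest of a group
comes from known-bad scanners those are the ones that are not background
noise.  Added example; signature ids, names and addresses are assumed."""

from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Event:
    sig_id: int                    # signature id (assumed value)
    sig_name: str
    src_ip: str
    risk_rating: int               # 0..100
    reputation: Optional[float]    # -10..+10, None when nothing is known


def sample_events() -> List[Event]:
    """Constructed data shaped like the day in the review: 72 proxy-probe
    events, 71 from addresses rated -3.8 or -5.5 and one from an address
    with no reputation, plus one unrelated higher-rated event."""
    events: List[Event] = []
    for i in range(71):
        rep = -3.8 if i % 2 == 0 else -5.5
        events.append(Event(5000, "http-proxy-attempt", f"203.0.113.{i + 1}", 60, rep))
    events.append(Event(5000, "http-proxy-attempt", "198.51.100.7", 60, None))
    events.append(Event(3200, "ssh-brute-force", "203.0.113.200", 85, -7.0))
    return events


def group_by_signature(events: List[Event]) -> Dict[int, List[Event]]:
    """Bucket events by signature and sort each bucket highest Risk Rating
    first, the ordering the review used to find the riskiest events."""
    groups: Dict[int, List[Event]] = defaultdict(list)
    for ev in events:
        groups[ev.sig_id].append(ev)
    for evs in groups.values():
        evs.sort(key=lambda e: e.risk_rating, reverse=True)
    return dict(groups)


def has_bad_reputation(ev: Event) -> bool:
    return ev.reputation is not None and ev.reputation < 0


def summarise(events: List[Event]) -> Dict[int, dict]:
    """Per signature: total events, how many came from bad-reputation
    sources, and which sources have no negative reputation and so deserve
    a closer look."""
    summary: Dict[int, dict] = {}
    for sig_id, evs in group_by_signature(events).items():
        bad = [e for e in evs if has_bad_reputation(e)]
        clean = [e for e in evs if not has_bad_reputation(e)]
        summary[sig_id] = {
            "name": evs[0].sig_name,
            "total": len(evs),
            "bad_reputation": len(bad),
            "investigate": [e.src_ip for e in clean],
        }
    return summary


if __name__ == "__main__":
    for sig_id, row in summarise(sample_events()).items():
        print(sig_id, row)
```

On the constructed data the proxy-probe signature reports 72 events, 71 from bad-reputation sources and a single address to investigate, which is exactly the shape that made the misconfigured laptop stand out in the review; the brute-force group has no such outlier and is handled purely by its Risk Rating.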