Cisco IPS 7.0 raises the bar
New global threat correlation feature boosts effectiveness of intrusion prevention devices
One benefit we hoped to get from reputation services was increased confidence in IPS connection blocking and in punitive blocking, sometimes called shunning, where the sensor blocks all traffic from an offending address for a period rather than just the one connection. Most IPS products have an option to turn on punitive blocking. Most security managers don't use it, however, because of the potential for false positives and self-inflicted denial of service.
We hoped that negative reputation would make us confident enough in what the IPS was telling us to be more aggressive with the blocking features. That's certainly Cisco's marketing message: because negative reputation raises the Risk Rating, you can select a different set of actions for the same event at different Risk Ratings, for example alerting at low Risk Ratings and denying connections at higher ones.
We found out that reputation-based Risk Ratings are not a magic bullet. The false positives we have seen in the past with some of Cisco's rules were no different with SensorBase input. Adding reputation information let us have a wider variety of actions for the same event type, but the primary responsibility for ensuring that we weren't dropping good traffic still falls on the network manager.
We did eventually set up different actions for different Risk Ratings, but only after running the IPS for two weeks with blocking set to audit mode and looking at all the high risk alerts generated.
In one sense, Risk Ratings are a limiting factor in how the security manager can use reputation information. In the version we tested, the only way reputation influences the action taken on an event is by boosting the Risk Rating. You can't look at reputation directly, combine it with other event data and act on the result. For example, there is no way to say "for any event on port 80 to our Webmail server, block the traffic if the reputation is less than -2".
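To make that limitation concrete, here is a small model of the two mechanisms described above: reputation raising the Risk Rating, and action overrides keyed on Risk Rating bands (with an audit mode that records would-be denies without enforcing them). This is an added example written for this page, not Cisco's code or its published Risk Rating formula; the linear reputation boost, the -10..0 reputation scale, the addresses, the signature names and the events are all constructed. The search at the end shows that no single Risk Rating threshold reproduces the "port 80 to Webmail, reputation below -2" policy on the sample events, because an equally bad-reputation probe against a different host lands on the same adjusted Risk Rating.

```python
"""Simplified model of reputation-boosted Risk Ratings and action overrides.

Added example, not Cisco's code. The boost formula, the reputation scale
(-10 worst .. 0 neutral), the addresses and the events are all constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    sig: str           # signature name (constructed)
    src: str           # attacker address
    dst: str           # target address
    dport: int         # destination port
    base_rr: int       # Risk Rating computed by the sensor without reputation, 0-100
    reputation: float  # reputation of src; assumed scale -10 (worst) .. 0 (neutral)


WEBMAIL = "10.0.5.20"  # constructed address of the Webmail server in the example policy


def reputation_boost(reputation: float, weight: float = 5.0) -> int:
    """Extra Risk Rating points contributed by a negative reputation.

    Assumption: a linear mapping (5 points per reputation unit below 0).
    It stands in for the sensor's real adjustment, which the review does
    not spell out.
    """
    return int(round(max(0.0, -reputation) * weight))


def adjusted_rr(ev: Event) -> int:
    """Risk Rating after reputation input, capped at 100."""
    return min(100, ev.base_rr + reputation_boost(ev.reputation))


def rr_action(ev: Event, deny_floor: int = 90, audit: bool = False) -> str:
    """Action override keyed on the adjusted Risk Rating band only.

    This is the single knob the review describes: at or above deny_floor
    the connection is denied, below it the event is only alerted on.
    In audit mode a deny is recorded but not enforced.
    """
    if adjusted_rr(ev) >= deny_floor:
        return "would-deny" if audit else "deny"
    return "alert"


def desired_action(ev: Event) -> str:
    """The policy the review wanted but could not express:
    on port 80 to the Webmail server, deny when reputation is below -2."""
    if ev.dport == 80 and ev.dst == WEBMAIL and ev.reputation < -2:
        return "deny"
    return "alert"


def find_equivalent_threshold(events: List[Event]) -> Optional[int]:
    """Search every deny_floor for one that reproduces desired_action on all
    events. None means no Risk Rating threshold can express the policy."""
    for floor in range(0, 101):
        if all(rr_action(ev, floor) == desired_action(ev) for ev in events):
            return floor
    return None


def audit_report(events: List[Event], deny_floor: int) -> List[Tuple[str, str, int]]:
    """What an audit-mode run surfaces for review: every event that would
    have been denied at this threshold, with its adjusted Risk Rating."""
    return [(ev.sig, ev.src, adjusted_rr(ev)) for ev in events
            if rr_action(ev, deny_floor, audit=True) == "would-deny"]


# Constructed events, chosen so that the wished-for policy and a pure
# Risk Rating threshold disagree.
SAMPLE_EVENTS = [
    Event("http-probe", "198.51.100.7", WEBMAIL, 80, base_rr=35, reputation=-3.0),
    Event("http-probe", "198.51.100.8", WEBMAIL, 80, base_rr=35, reputation=0.0),
    Event("smb-scan", "203.0.113.9", "10.0.5.30", 445, base_rr=70, reputation=0.0),
    Event("http-probe", "203.0.113.10", "10.0.5.31", 80, base_rr=35, reputation=-3.0),
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev.sig:10} {ev.src:14} -> {ev.dst}:{ev.dport:<4} "
              f"rr {ev.base_rr:3} -> {adjusted_rr(ev):3}  "
              f"rr-policy@90: {rr_action(ev, 90):6}  wanted: {desired_action(ev)}")
    print("threshold reproducing the wanted policy:",
          find_equivalent_threshold(SAMPLE_EVENTS))
    print("audit-mode review at deny_floor=50:", audit_report(SAMPLE_EVENTS, 50))
```

The audit report is the part of this worth copying in practice: lowering the deny threshold far enough to catch the bad-reputation Webmail probe (adjusted Risk Rating 50) also sweeps in the neutral-reputation SMB scan and the probe against an unrelated host, which is exactly the kind of collateral blocking a two-week audit-mode run is meant to expose before denies are enforced.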
Our testing showed, however, that there are significant benefits to the security manager that come from combining IPS event data with reputation information using Cisco's Global Correlation Inspection.
On the analysis side, we found ourselves focusing on the most important data when reputation information was available. On the configuration side, reputation data added to a carefully configured IPS let us use features such as blocking with greater confidence.
The result is that Cisco IPS 7.0 continues to increase the value of the IPS in providing security visibility as well as threat mitigation.
Snyder, a Network World Test Alliance partner, is a senior partner at Opus One in Tucson, Ariz. He can be reached at Joel.Snyder@opus1.com.
Snyder is also a member of the Network World Lab Alliance, a cooperative of the premier reviewers in the network industry, each bringing to bear years of practical experience on every review. For more Lab Alliance information, including what it takes to become a member, go to www.networkworld.com/alliance.