1 / 49

IPS Tech Talk – Global Correlation 2010 November 18

Thanks for joining! We will begin in just a few minutes as more people come on line. This event will be recorded. IPS Tech Talk – Global Correlation 2010 November 18. Robert Albach, James Kasper, Chad Rhyner. Agenda. Tech Talk Mechanics How these events will operate.

mauve
Download Presentation

IPS Tech Talk – Global Correlation 2010 November 18

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Thanks for joining!We will begin in just a few minutes as more people come on line. This event will be recorded.

  2. IPS Tech Talk – Global Correlation2010 November 18 Robert Albach, James Kasper, Chad Rhyner

  3. Agenda

  4. Tech Talk MechanicsHow these events will operate • With many people on-line we will mute all but the presenters • We will try to answer questions at the end • Please use the “Question and Answer” feature for questions • If we don’t get to your question, we will try to answer them off-line • The presentation and recording will be placed on the Community support site: https://supportforums.cisco.com/

  5. Global Correlation – Simple View Cisco SensorBase Akamai Cisco IPS

  6. Cisco Global CorrelationSensorBase: World’s Largest Traffic Monitoring Network Cisco SensorBase • 700,000+ sensors deployed globally • 8 of the top 10 global ISPs • Over 500GB of data per day • 152 third party feeds • Over 30% of the world’s email traffic

  7. Cisco Global CorrelationSensor Contribution Email Security IPS Web Security Firewall Identifying a global botnet requires complete visibility across all threat vectors

  8. IPS 7.x Global Correlation - Support • Released Spring 2009 as version 7.0(1) • Which Devices Can Use Global Correlation: • 4240, 4255, 4260, 4270 IPS appliances • IDSM2 Cisco Catalyst blades • IPS-AIM and IPS-NMEISR modules • AIP modules for ASA appliances • Which Devices CAN NOT Use Global Correlation: • Cisco IOS IPS • ASA 5505 with AIP-SSC5 card • IPS 4215

  9. IPS 7.0 Global Correlation - Activities ● • Global Correlation Inspection (GC) Use “Reputation” knowledge of Attackers to influence Alarm handling and Denies when there are “Bad Score” attackers seen on the sensor. • Reputation Filter (RF) Apply automatic deny of packets from known malicious sites. • Network Participation (NP) Sensor sends sampled and condensed alarm data and statistics to central “IBNP server” for global analysis.

  10. Quick Poll • Global Correlation and You…

  11. Global Correlation in the IPS • Fully automatic handling of sensor’s uploads and downloads of this Global Correlation and participation data. • Apply intelligent handling to alarms • Improve efficacy - the effectiveness of our defensive action handling. • Improve protection against known malicious sites (by IP address range) with a fully automatic ingress filter. • Share telemetry data with Cisco back-endprocessing to improve visibility of alarms and sensor actions on a global scale. This feeds various analysis tools.

  12. GLOBAL Correlation in the IPS

  13. Event views – Reputation

  14. Global Correlation in IPS Monitoring

  15. Global Correlation / Reputation - Events

  16. Reporting Criteria

  17. Global Correlation / Reputation - Reports

  18. Configuring global Correlation

  19. Configuration Options • Service host / network-settings DNS-server (primary, secondary, tertiary) OR HTTP-Proxy (address and port) • Service global-correlation Network Participation On / Off Participation Mode (Partial or Full) Global Correlation Inspection On / Off Influence (parameter to set how aggressive the function behaves) Reputation Filter On / Off Test Global Correlation (audit mode) On / Off

  20. Configuration by CLI

  21. Global Correlation Configuration in IPS

  22. Global Correlation Configuration via – Cisco Security Manager

  23. Connectivity side of Global Correlation

  24. Automatic GC updates • Fully automatic beyond configuration • Cisco distributes the update files via Akamai caches for load balancing, redundancy, and locality. • Update interval can happen every 5 minutes, as needed. • Sensor first gets a “FULL” update of components, then applies “INCREMENTAL” updates periodically (as new updates are available) • Initial Full updates range upwards from 2G in size • Incremental are typically 100K in size • Each data set has a serial #, displayed in the GC stats. This serial # represents the latest dataset loaded by the sensor. This is informational and does not require any user interaction.

  25. Global Correlation Reputation Updates Initiate request to update reputation data through HTTPS request Sensor gets back a manifest containing the DNS name of a server to get the data from DNS request returns the nearest Akamai server Initiate actual data download using HTTP from the Akamai server CSIO CiscoCallManager Servers Desktop 2 URL list of local Akamai servers is returned HTTPS://update-manifest.ironport.com 3 ‘Akamaized’ DNS request for nearest server Internet 1 IPS initiates request to update reputation data 4 IPS initiates actual data download over HTTP Cisco IPS demosensor1# show statistics global . . . . Update Server = update-manifests.ironport.com Update Server Address = 204.15.82.17 Current Versions: config = 1236210407 drop = 1245425355 ip = 1245424447 rule = 1245348807 Reputation data comes in the form of multiple files (config, drop, ip, rule) that get downloaded as needed during updates

  26. Contributing to Global Correlation Success

  27. Network Participation • Per Alarm shows: The partial mode telemetry data includes: SIGID Attacker Address and Port Signature Version GC Reputation Score Risk Rating fields • AnalysisEngine GC Stats Alerts Hits/Miss GC Reputation actions Packet Denies counters • FULL mode adds: Victim IP and Port

  28. Network Participation – Configuration via CSM

  29. CSM Network Participation Explanation

  30. Reputation Filtering

  31. Reputation Filtering - Configuration

  32. Reputation Filtering: Deny Filter Processor • Deny Attacker addresses registered here. • GlobalCorrelationReputationFilter registered here. • This is an INGRESS filter, and will drop packets matching deny attacker or RF. • Deny Attacker is most aggressive action. • Deny Attacker can come from SigEvent action, manual user command, and GC alarm feature. • Deny Attacker modes: • Axxx: deny-attacker • AxBx: deny-attacker-victim-pair • Axxb: deny-attacker-service-pair

  33. Global Correlation and Risk Ratings / Actions

  34. How is Risk Rating Determined? • Risk Rating has multiple contributing inputs. • Attack Severity Rating – derived from other inputs (more to come) • Target Value Rating – configurable by user • Signature Fidelity Rating – pre-set by Cisco for each signature • Attack Relevance Rating – derived from other inputs (more to come) • Promiscuous Delta – derived value – impacted by IDS mode • Watch List Rating – derived from internal list data (more to come) • *Global Correlation – (7.0 and later) + Risk Delta

  35. Reputation Effect on Risk Rating

  36. Global Correlation and Risk Rating • For 7.0+ releases you have access to Cisco Global Correlation Reputation data • There are three modes that let you determine how aggressively the sensor uses global correlation information to initiate deny actions: • Permissive: Modifies standard Risk Rating w Risk Delta (below). • Standard: Permissive but uses lower internal overide thresholds. • Deny Packet – 86 Deny Attacker - 100 • Aggressive: Standard but uses even lower override thresholds. • Deny Packet – 83 Deny Attacker - 95 + Risk Delta

  37. How To:Global Correlation and Risk Rating

  38. Configuring Through - CSM

  39. Debugging and Detailed metrics

  40. Some Debugging Information • local network devices May have to open up port 443 or proxy port at gateway • Statistics of interest Show stat analysis-engine Show stat global-correlation • Show version displays license information. • GC license feature requires proper time/date setting. • ReputationFilter drops are seen in analysis-engine statistics.

  41. Device Detail Information – Global Correlation / Reputation

  42. Device Detail Information – Global Correlation / Reputation

  43. What might be some limitations? • IPS location may make a difference. • Example: • If inspecting only internal traffic then external reputation data may not have much meaning (Global Correlation) less impact but my internal watch list info is a better fit.

  44. Global Correlation Summary • Global Correlation helps you to: • Reduces traffic with Reputation Filters prior to deep inspection • Influences actions taken by the IPS by altering Risk Ratings • Global Correlation is easy: • Downloads are automated and simple to set up • Global Correlation is made better by you! • Your participation improves yours and others identification of attackers and bad sites

  45. Quick Poll • Global Correlation and You…

  46. Before the Q&A Session • Thanks for attending. • Let us know: • Was this session worth while to you? • What future topics would you like to see? • How might we improve these events? • Send an email to: • Robert Albach • ralbach@cisco.com

  47. Please use the Question and Answer section of WebEx Q&A

  48. Thanks!

More Related