IPS version 7.0.1 and Global Correlation

Answered Question
Oct 6th, 2009

Tomorrow evening I will be moving an IPS 4240 appliance to the new version 7.0.1. Global Correlation seems like a huge benefit as long as it does not produce a swarm of false positives.

Will there still be a need to implement signature updates on the IPS once we are on the new 7.0.1?

Correct Answer
marcabal Tue, 10/06/2009 - 06:53

Global Correlation is not a replacement for traditional signature analysis, and is instead just an enhancement to it.

There are 2 aspects to Global Correlation.

The first is what we internally refer to as Reputation. IP Addresses known to be origins of attacks receive a negative Reputation Score.

When a signature is triggered, the source of the signature is compared against the Reputation database. If that source address has a negative reputation score then the Risk Rating for that alert is increased. With the increased Risk the sensor may make a decision to go ahead and Deny that traffic.

BUT because it is all based on that initial triggering of the signature, this means that you still need to keep your signatures up to date.

The second part of Global Correlation is the Reputation Filter.

With the Reputation Filter the worst offending IP Addresses from the Internet are placed into a special list.

The worst offending IP Addresses are automatically filtered at the sensor without the need for a signature to ever be triggered. These packets are Denied by the sensor during early processing, and this works in a similar manner as the Deny Attacker InLine event action.

So the Reputation Filter does not need signatures in order to work properly and Deny traffic. However, the Reputation Filter is only for the worst known IP Addresses, and only a small subset of attackers wind up in the Reputation Filter list.
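The two paths described in the answer, as an added toy model of the decision flow (this is not Cisco's code; the IP lists, reputation scores, risk-rating adjustment, threshold and signature table are all assumptions):

```python
# Toy model of the two Global Correlation paths described above:
#  (1) the Reputation Filter denies the worst-known sources before any
#      signature inspection runs;
#  (2) for every other source a signature has to trigger first, and the
#      source's negative reputation then raises that alert's Risk Rating.
# Constructed example; all values below are assumptions for illustration.
from dataclasses import dataclass
from typing import Optional

REPUTATION_FILTER = {"198.51.100.7"}                        # assumed worst-offender list
REPUTATION_SCORES = {"203.0.113.9": -8, "192.0.2.44": -2}   # assumed scores (negative = bad)
DENY_THRESHOLD = 90                                         # assumed Risk Rating cutoff for Deny

# assumed signature table: sig id -> (payload marker, base risk rating)
SIGNATURES = {
    2004: (b"/cgi-bin/", 70),
    5081: (b"../..", 85),
}


@dataclass
class Verdict:
    action: str                  # "deny-early", "deny", "alert" or "pass"
    sig_id: Optional[int]
    risk_rating: Optional[int]


def inspect(src_ip: str, payload: bytes) -> Verdict:
    # Path 2: Reputation Filter, evaluated during early processing,
    # no signature needed.
    if src_ip in REPUTATION_FILTER:
        return Verdict("deny-early", None, None)

    # Path 1: a signature must trigger before reputation matters at all.
    for sig_id, (marker, base_risk) in SIGNATURES.items():
        if marker in payload:
            rep = REPUTATION_SCORES.get(src_ip, 0)
            # assumed adjustment: each point of negative reputation adds 3
            rr = min(100, base_risk + 3 * abs(rep)) if rep < 0 else base_risk
            action = "deny" if rr >= DENY_THRESHOLD else "alert"
            return Verdict(action, sig_id, rr)

    # No filter hit and no signature match: a bad reputation alone does
    # nothing here, which is why signature updates are still required.
    return Verdict("pass", None, None)
```

A source with a bad reputation but a payload no signature recognises passes untouched, while the same source hitting an old signature gets its Risk Rating pushed over the Deny threshold.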

whhtnetwork Tue, 10/13/2009 - 06:16

I have just installed 5 x IPS appliances and am unable to figure out how Global Correlation will be allowed through the proxy server, as our proxy server normally needs domain authentication. Can we just put in Local DNS and allow it to go through the firewall by allowing HTTP access?

marcabal Tue, 10/13/2009 - 06:30

If you configure the sensor to use an HTTP proxy for Global Correlation, then DNS configuration on the sensor is not needed.

The sensor will send the URL request to the Proxy server (there will be a web server name and domain in the URL and not an IP). The Proxy Server itself will then need to be configured for DNS, and will do the DNS lookup to resolve the name in the URL in order to determine what IP to send the request to.

The sensor only needs to be configured to use a DNS server when an HTTP Proxy is NOT being used. Then the sensor itself has to do the DNS query to know where to send the request.

whhtnetwork Tue, 10/13/2009 - 07:22

Which ports and protocols does Global Correlation need to communicate over? I need to allow the communication on the firewall.

whhtnetwork Wed, 10/14/2009 - 03:58

Hi Guys, I allowed my IPS appliance to go through the firewall to get signature updates and connect to the Global Correlation engines.

My main concern is that during the update process the Cisco IPS appliance tries to access 88.221.94.* via port 80, and this IP address belongs to a88-221-94-72.deploy.akamaitechnologies.com (European Union). I know that this ISP is already hosting some renowned companies' servers.

How can I get verification that these are legitimate addresses?

marcabal Wed, 10/14/2009 - 07:51

For Global Correlation the sensor will first connect to Cisco (or Ironport) servers to pull down a list of database files it needs for updating.

The names for these first servers will resolve to actual IPs owned by Cisco (Ironport). All the sensor gets from these first servers is the list of files it needs and a new name for the server to connect to for those files.

BUT the new name for the server for those files is not for actual Cisco (or Ironport) servers. Instead Cisco pays Akamai to distribute the database files. So the sensor will connect to another box with a Cisco (or Ironport) name, but that name will wind up resolving to an IP for an Akamai server.

The Cisco (or Ironport) name is an alias used by the Akamai servers since we pay them to serve out Cisco files.

Akamai has file servers all over the world, and when your sensor resolves the Cisco (or Ironport) name for the server to get the database from, it will use a local DNS server to resolve that name.

Akamai has it set up so that the DNS will resolve to an IP of one of its servers that is logically close to the sensor on the Internet. This means fewer routes for the sensor to get to the server, and winds up with a higher bandwidth connection to the server and faster download times.

Hope this answers your question.

whhtnetwork Wed, 10/14/2009 - 08:21

Thanks marcabal,

Can you please point me in the right direction and to helpful information about Global Correlation and how it works?

I really appreciate your help

Regards

andrey.dugin Fri, 10/16/2009 - 05:19

Using DNS is also helpful when you want to see information about hosts in iplogs using their DNS names rather than IP addresses.

It's a pity that there is no such column as "DNS name" in the IME alarm panel, where I can see only IP addresses.
