11-18-2013 03:03 PM - edited 03-10-2019 06:05 AM
I was having a hard time finding some information on the flow of a packet through an inspection engine with reputation filtering and global correlation turned on. I know the reputation filtering kicks in first, but what comes next, the inspection or the correlation? Also, what is the default setting out of the box for the correlation, on or off? I have seen conflicting information for this.
02-12-2014 01:22 AM
Figure 1. Global Correlation on Cisco IPS
• Global Correlation Reputation Filtering: Based on reputation alone. Flow is not passed to the traditional inspection engines.
• Global Correlation Inspection: Based on a combination of traditional inspection and network reputation information. The risk rating mechanism combines the two threat signals.
• Traditional IPS Detection: Based on traditional inspection techniques, including protocol decoding engines, signature-based inspection, and anomaly detection via statistical analysis of network traffic. In this case, network reputation information for the traffic flow is not available or does not have an effect on the flow.