The Global Correlation feature uses network reputation scores in two different but complementary ways. First, the reputation of the source of a new flow is tested and the flow is denied without further processing if the reputation is bad. Second, the flow is passed through traditional IPS inspection engines. These engines determine the threat potential of the flow based on the sensor's policy configuration, and assign a risk rating to the flow. The risk rating is then modified to take into account the reputation of the flow's source. If the resultant risk rating is above a threshold, the flow is denied (or an alternate action is taken, depending on the policy configuration). This process is depicted in Figure 1.
Figure 1. Global Correlation on Cisco IPS
Thus, bad traffic denied by a Cisco IPS sensor falls into three categories:
• Global Correlation Reputation Filtering: Based on reputation alone. Flow is not passed to the traditional inspection engines.
• Global Correlation Inspection: Based on a combination of traditional inspection and network reputation information. The risk rating mechanism combines the two threat signals.
• Traditional IPS Detection: Based on traditional inspection techniques, including protocol decoding engines, signature based inspection, and anomaly detection via statistical analysis of network traffic. In this case, network reputation information for the traffic flow is not available or does not have an effect on the flow.
