I was having a hard time finding some information on the flow of a packet through an inspection engine with reputation filtering and global correlation turned on. I know the reputation filtering kicks in first, but what comes next, the inspection or the correlation? Also, what is the default setting out of the box for the correlation, on or off? I have seen conflicting information for this.
The Global Correlation feature uses network reputation scores in two different but complementary ways. First, the reputation of the source of a new flow is tested and the flow is denied without further processing if the reputation is bad. Second, the flow is passed through traditional IPS inspection engines. These engines determine the threat potential of the flow based on the sensor's policy configuration, and assign a risk rating to the flow. The risk rating is then modified to take into account the reputation of the flow's source. If the resultant risk rating is above a threshold, the flow is denied (or an alternate action is taken, depending on the policy configuration). This process is depicted in Figure 1.
Figure 1. Global Correlation on Cisco IPS
Thus, bad traffic denied by a Cisco IPS sensor falls into three categories:
• Global Correlation Reputation Filtering: Based on reputation alone. Flow is not passed to the traditional inspection engines.
• Global Correlation Inspection: Based on a combination of traditional inspection and network reputation information. The risk rating mechanism combines the two threat signals.
• Traditional IPS Detection: Based on traditional inspection techniques, including protocol decoding engines, signature-based inspection, and anomaly detection via statistical analysis of network traffic. In this case, network reputation information for the traffic flow is not available or does not have an effect on the flow.
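The processing order described above, as an added example that is not part of the original post or of Cisco's documentation: a small model that runs reputation filtering first, then takes the inspection engines' risk rating, then adjusts it by source reputation and labels each flow with one of the three categories. The thresholds, the reputation scale and the adjustment formula are assumptions chosen for illustration, and all names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed values for illustration; not Cisco's actual thresholds or formula.
REPUTATION_DENY_AT = -9.0  # at or below this, drop the flow before inspection
RISK_DENY_AT = 90          # adjusted risk rating at or above this is denied
MAX_RISK = 100

@dataclass
class Flow:
    src: str
    reputation: Optional[float]  # None means no reputation data for the source
    base_risk: int               # risk rating from the inspection engines, 0-100

def adjust_risk(base_risk: int, reputation: Optional[float]) -> int:
    """Hypothetical adjustment: a worse reputation raises the risk rating."""
    if reputation is None or reputation >= 0 or base_risk == 0:
        return base_risk
    return min(MAX_RISK, base_risk + round(-reputation * 3))

def classify(flow: Flow) -> str:
    # Stage 1: reputation filtering runs first; inspection never sees the flow.
    if flow.reputation is not None and flow.reputation <= REPUTATION_DENY_AT:
        return "denied: reputation filtering"
    # Stage 2 produced base_risk; stage 3 folds the source reputation into it.
    final = adjust_risk(flow.base_risk, flow.reputation)
    if final < RISK_DENY_AT:
        return "permitted"
    # Reputation changed nothing if inspection alone already crossed the threshold.
    if flow.base_risk >= RISK_DENY_AT:
        return "denied: traditional IPS detection"
    return "denied: global correlation inspection"

# Constructed sample flows (documentation address ranges, made-up scores).
SAMPLES = [
    Flow("198.51.100.7", -9.5, 0),
    Flow("203.0.113.20", -6.0, 75),
    Flow("192.0.2.44", None, 95),
    Flow("192.0.2.80", -2.0, 60),
]

if __name__ == "__main__":
    for f in SAMPLES:
        print(f"{f.src:15} rep={f.reputation} base={f.base_risk} -> {classify(f)}")
```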