IPS - Global Correlation - ASA AIP-SSM

 

Global correlation is a central Cisco database that helps your IPS sensor to calcute risk about traffic from individual hosts or even deny traffic from them.

Participating IPS devices in a centralized Cisco threat database, the SensorBase Network, receive and absorb global correlation updates. The reputation information contained in the global correlation updates is factored in to the analysis of network traffic, which increases IPS efficacy, since traffic is denied or allowed based on the reputation of the source IP address.

To use Global Correlation you have to fullfill the following requirements:

  • IPS software - version 7.0 or higher
  • Internet access for IPS sensor(ports tcp/80 and tcp/443)
  • Valid license
  • DNS or proxy configured

CONFIGURATION

 

(config)# service global-correlation

Default settings are:

# show settings
network-participation: off <defaulted>
global-correlation-inspection: on <defaulted>
global-correlation-inspection-influence: standard <defaulted>
reputation-filtering: on <defaulted>
test-global-correlation: off <defaulted>

 

(config-glo)# global-correlation-inspection-influence standard

How much Global Correlation can influence for Risk Rating(RR)

I recommend standard however you can also choose permissive(little) or aggressive(heavily).

 

(config-glo)# reputation-filtering off

Default is on. When on it deny traffic from IP listed in Global Correlation database.

I recommend to set off to have more flexible configuration and rely on more indicators rather than on Cisco database only.

You can also instead of disabling "reputation-filtering" enable test-global-correlation.It will allow you to use global correlation database without denying traffic.

 

(config-glo)# network-participation partial

Default is off. It configures sensor to send to the SensorBase without potentially sensitive information.

You can leave it also disabled(OFF-default) or configure it as a FULL.

 

(config-glo)# exit

If you agree to participate in the SensorBase Network, Cisco will
collect aggregated statistics about traffic sent to your IPS.
This includes summary data on the Cisco IPS network traffic properties
and how this traffic was handled by the Cisco appliances. We do not
collect the data content of traffic or other sensitive business or
personal information. All data is aggregated and sent via secure HTTP
to the Cisco SensorBase Network servers in periodic intervals. All data
shared with Cisco will be anonymous and treated as strictly confidential.
The table below describes how the data will be used by Cisco.
Participation Level = "Partial":
* Type of Data: Protocol Attributes (e.g. TCP max segment size and
options string)
Purpose: Track potential threats and understand threat exposure
* Type of Data: Attack Type (e.g. Signature Fired and Risk Rating)
Purpose: Used to understand current attacks and attack severity
* Type of Data: Connecting IP Address and port
Purpose: Identifies attack source
* Type of Data: Summary IPS performance (CPU utilization memory usage,
inline vs. promiscuous, etc)
Purpose: Tracks product efficacy
Participation Level = "Full" additionally includes:
* Type of Data: Victim IP Address and port
Purpose: Detect threat behavioral patterns

Do you agree to participate in the SensorBase Network?[no]: yes

Apply Changes?[yes]: yes

 

DISPLAY GLOBAL CORRELATION STATS

 

# show statistics global-correlation
Network Participation:
Counters:
Total Connection Attempts = 1
Total Connection Failures = 0
Connection Failures Since Last Success = 0
Connection History:
Connection Attempt on March 04 2013, at 15:06:32 UTC = Successful
Updates:
Status Of Last Update Attempt = Ok
Time Since Last Successful Update = 28 minutes
Counters:
Update Failures Since Last Success = 0
Total Update Attempts = 189
Total Update Failures = 16
Update Interval In Seconds = 300
Update Server = update-manifests.ironport.com
Update Server Address = 204.15.82.17
Current Versions:
config = 1236210407
drop = 1362404731
ip = 1362408127
rule = 1362344139
Warnings:

  

dzbanek 2013-03-04

This site uses cookies. Some of the cookies we use are essential for parts of the site to operate and have already been set. You may delete and block all cookies from this site, but parts of the site will not work.