IPS - Global Correlation - ASA AIP-SSM
Global correlation is a central Cisco database that helps your IPS sensor calculate the risk of traffic from individual hosts, or even deny traffic from them.
IPS devices participating in the centralized Cisco threat database, the SensorBase Network, receive and absorb global correlation updates. The reputation information contained in these updates is factored into the analysis of network traffic, which increases IPS efficacy, since traffic is denied or allowed based on the reputation of the source IP address.
To use Global Correlation you have to fulfil the following requirements:
- IPS software - version 7.0 or higher
- Internet access for the IPS sensor (ports tcp/80 and tcp/443)
- Valid license
- DNS or proxy configured
(config)# service global-correlation
Default settings are:
# show settings
network-participation: off <defaulted>
global-correlation-inspection: on <defaulted>
global-correlation-inspection-influence: standard <defaulted>
reputation-filtering: on <defaulted>
test-global-correlation: off <defaulted>
(config-glo)# global-correlation-inspection-influence standard
This sets how much Global Correlation can influence the Risk Rating (RR).
I recommend standard, but you can also choose permissive (little influence) or aggressive (heavy influence).
(config-glo)# reputation-filtering off
Default is on. When on, it denies traffic from IPs listed in the Global Correlation database.
I recommend setting it off to have a more flexible configuration and to rely on more indicators rather than on the Cisco database only.
Instead of disabling "reputation-filtering", you can also enable test-global-correlation. It lets you use the global correlation database without denying traffic.
(config-glo)# network-participation partial
Default is off. Partial configures the sensor to send data to the SensorBase Network without potentially sensitive information.
You can also leave it disabled (off, the default) or configure it as full.
If you agree to participate in the SensorBase Network, Cisco will
collect aggregated statistics about traffic sent to your IPS.
This includes summary data on the Cisco IPS network traffic properties
and how this traffic was handled by the Cisco appliances. We do not
collect the data content of traffic or other sensitive business or
personal information. All data is aggregated and sent via secure HTTP
to the Cisco SensorBase Network servers in periodic intervals. All data
shared with Cisco will be anonymous and treated as strictly confidential.
The table below describes how the data will be used by Cisco.
Participation Level = "Partial":
* Type of Data: Protocol Attributes (e.g. TCP max segment size and
Purpose: Track potential threats and understand threat exposure
* Type of Data: Attack Type (e.g. Signature Fired and Risk Rating)
Purpose: Used to understand current attacks and attack severity
* Type of Data: Connecting IP Address and port
Purpose: Identifies attack source
* Type of Data: Summary IPS performance (CPU utilization memory usage,
inline vs. promiscuous, etc)
Purpose: Tracks product efficacy
Participation Level = "Full" additionally includes:
* Type of Data: Victim IP Address and port
Purpose: Detect threat behavioral patterns
Do you agree to participate in the SensorBase Network?[no]: yes
Apply Changes?[yes]: yes
DISPLAY GLOBAL CORRELATION STATS
# show statistics global-correlation
Total Connection Attempts = 1
Total Connection Failures = 0
Connection Failures Since Last Success = 0
Connection Attempt on March 04 2013, at 15:06:32 UTC = Successful
Status Of Last Update Attempt = Ok
Time Since Last Successful Update = 28 minutes
Update Failures Since Last Success = 0
Total Update Attempts = 189
Total Update Failures = 16
Update Interval In Seconds = 300
Update Server = update-manifests.ironport.com
Update Server Address = 220.127.116.11
config = 1236210407
drop = 1362404731
ip = 1362408127
rule = 1362344139
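The statistics above are what you would watch to know whether the sensor is actually receiving reputation data: a stale "Time Since Last Successful Update" or failures since the last success means decisions are being made on old reputation data (or, with reputation-filtering on, that traffic may be denied on stale grounds). As an added example, not code from the original post or from Cisco, here is a small Python script that parses a `show statistics global-correlation` dump and flags those conditions. The sample text is constructed to mirror the output above (the server address is a documentation IP), the unit words beyond "minutes" and the thresholds are assumptions, and treating the trailing config/drop/ip/rule counters as Unix epoch timestamps of the loaded manifests is likewise an assumption.

```python
import re
from datetime import datetime, timezone

# Constructed sample modelled on the `show statistics global-correlation`
# output quoted on the page; values are illustrative, not from a live sensor.
SAMPLE_STATS = """\
Total Connection Attempts = 1
Total Connection Failures = 0
Connection Failures Since Last Success = 0
Connection Attempt on March 04 2013, at 15:06:32 UTC = Successful
Status Of Last Update Attempt = Ok
Time Since Last Successful Update = 28 minutes
Update Failures Since Last Success = 0
Total Update Attempts = 189
Total Update Failures = 16
Update Interval In Seconds = 300
Update Server = update-manifests.ironport.com
Update Server Address = 192.0.2.10
config = 1236210407
drop = 1362404731
ip = 1362408127
rule = 1362344139
"""

# Unit words other than "minutes" are an assumption about possible output.
_UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_stats(text):
    """Turn 'Key = Value' lines into a dict; keys keep their original wording."""
    stats = {}
    for line in text.splitlines():
        if " = " not in line:
            continue
        key, _, value = line.partition(" = ")
        stats[key.strip()] = value.strip()
    return stats


def age_seconds(text):
    """Convert '28 minutes' or '1 hour 5 minutes' into a number of seconds."""
    total = 0
    for number, unit in re.findall(r"(\d+)\s*(second|minute|hour|day)s?", text):
        total += int(number) * _UNIT_SECONDS[unit]
    return total


def check_health(stats, max_missed_intervals=6, max_failure_ratio=0.10):
    """Return a list of (severity, message) findings; an empty list means healthy.
    The thresholds are assumed defaults, not values from the sensor docs."""
    findings = []
    if stats.get("Status Of Last Update Attempt") != "Ok":
        findings.append(("high", "last update attempt did not succeed"))
    if int(stats.get("Connection Failures Since Last Success", 0)) > 0:
        findings.append(("high", "sensor cannot reach the update server"))
    if int(stats.get("Update Failures Since Last Success", 0)) > 0:
        findings.append(("medium", "update failures since the last good update"))
    interval = int(stats.get("Update Interval In Seconds", 0))
    age = age_seconds(stats.get("Time Since Last Successful Update", ""))
    if interval and age > max_missed_intervals * interval:
        findings.append(("medium",
                         f"reputation data is stale: last update {age}s ago, interval {interval}s"))
    attempts = int(stats.get("Total Update Attempts", 0))
    failures = int(stats.get("Total Update Failures", 0))
    if attempts and failures / attempts > max_failure_ratio:
        findings.append(("low", f"{failures}/{attempts} updates failed overall"))
    return findings


def manifest_dates(stats):
    """Assumption: the config/drop/ip/rule counters are Unix epoch timestamps
    of the loaded manifests. Render them as ISO 8601 UTC strings."""
    out = {}
    for name in ("config", "drop", "ip", "rule"):
        if name in stats:
            ts = int(stats[name])
            out[name] = datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
    return out


if __name__ == "__main__":
    s = parse_stats(SAMPLE_STATS)
    for sev, msg in check_health(s) or [("info", "global correlation feed healthy")]:
        print(f"[{sev}] {msg}")
    for name, when in manifest_dates(s).items():
        print(f"{name} manifest: {when}")
```

With the defaults the constructed sample comes out healthy; lowering `max_missed_intervals` to 3 makes the 28-minute gap against a 300-second interval a finding, which is the kind of threshold you would tune to the sensor's observed update cadence before wiring this into monitoring.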