Cisco Systems Inc. is shipping what it claims is the first intrusion-prevention system (IPS) to correlate IP reputation filtering with signature-based intrusion prevention sensors.
We tested the software upgrade to Cisco’s shipping IPS hardware and appliances and found that not only has Cisco increased the value of its IPS in preventing attacks, it has done so in a way that any security manager can easily and intuitively deploy in just minutes.
While there are the rough edges and blank spots you’d expect in any new release, Cisco has set the bar pretty high with this release.
When Cisco acquired Ironport in 2007, it got a hidden gem in the deal: SenderBase, which is Ironport’s IP address reputation service. SenderBase originally focused on spam sources, but when Ironport’s moved into the Web security gateway business it refocused SenderBase as a more generic service that addressed spam, malware and viruses.
Cisco has taken the SenderBase technology and created yet another reputation service, Cisco SensorBase, which is accessible in the IPS 7.0 software release. We found that SensorBase is tightly integrated with the IPS and, as our testing shows, actually works.
Security managers can use SensorBase data in two ways. Reputation filtering lets you block all traffic from IP addresses with an extremely bad reputation. This is done regardless of traffic type — all traffic from these sites will be blocked.
This basic use of reputation filters isn’t new, but what’s interesting is that Cisco will use this reputation data to change the risk rating of security events identified by the IPS. In other words, an event linked to a bad IP address will result in an even higher Risk Rating.
Risk rating is a Cisco-proprietary value, from 0 to 100, that is computed for every event identified by the IPS. Risk rating lets you prioritize events and decide what to look at and what to ignore.
Prior to IPS 7.0, Risk rating was computed using six main factors, such as value of the asset being attacked, the danger of the attack, the match between the attack and the target operating system, the quality of the signature, and so on. With IPS 7.0, another factor can be thrown into the mix: the reputation of the attacker as determined by Cisco’s SensorBase.
Testing Global Correlation Inspection
In Cisco’s IPS products, every event has a Risk rating and the security manager generally defines three bands of risks: low, medium and high. For each of the bands, you can then select a set of actions, from logging an event to blocking all traffic from a particular IP address for some period of time. Risk ratings aren’t new — what’s new is the addition of reputation information in 7.0.
Global Correlation Inspection raises the Risk Rating for any event when one of the IP addresses involved has a bad reputation.
The difference between Reputation Filtering and Global Correlation Inspection is pretty important: with Reputation Filtering turned on, an extremely bad reputation of -10 will cause all traffic to be dropped. With Global Correlation Inspection turned on, bad reputations will only cause Risk Ratings of events to be raised.
Global Correlation Inspection is well integrated into the reporting and analysis tools in IPS Manager Express, and we were easily able to see reputation data mixed in with each IPS event. What we couldn’t easily see, however, was the effect that reputation data had on the event information. It would have been nice to have a “before” and “after” column so we could see what Global Correlation Inspection was doing.
Even with several weeks of work, we found it difficult to understand and get comfortable with Global Correlation Inspection because of a lack of reporting information. Cisco could make the lives of security managers easier by giving them more information about exactly what is going on with each event. Ultimately, we found that having the reputation information available with every event gave us two significant benefits: it let us deal with events more quickly, and the change in Risk Ratings let us focus on the events that posed the greatest potential threats.
Reputation information in the analysis console turned out to be a great time saver. Cisco’s IPS Manager Express, released in 2008 with IPS software Version 6.1 and included with every IPS sensor, is a huge leap forward from previous IPS and IDS management tools from Cisco.
IPS Manager Express handles up to five sensors and gives competitive products from Juniper and Sourcefire some significant competition. Even with the benefits in IPS Manager Express, we found that we were frequently referring to the reputation data included with each event to help understand which needed to be looked at and which could be ignored.
For example, one day we had 72 events that the Cisco IPS had identified as an attempt to use Web servers on our network as HTTP proxies. Of those 72 events, 71 all came from addresses with fairly bad reputations: -3.8 and -5.5. Since we’re pretty confident that the Web servers are configured correctly, we ignored those events as normal probes for misconfigured Web servers.
However, one of the events came from an address without a bad reputation. We investigated and found one of our own users with a misconfigured laptop on the road. Without the reputation service, we never would have investigated any of the events, but because one event stood out, we not only investigated the problem but also resolved a configuration issue.
The second benefit to come out of combining reputation services with IPS events was the variation in risk rating. We saw significant numbers of events with modified risk ratings because of negative reputation. In one 100-hour period, 11 per cent of the high and medium-severity events had their risk ratings bumped up because of negative reputation — almost 2,000 events. By sorting based on risk rating within each event type, we were drawn to the events that the IPS thought posed the greatest risk.
One benefit we hoped to see out of reputation services was increased confidence in IPS connection blocking and also IPS punitive blocking, sometimes called shunning. Most IPS products have an option to turn on punitive blocking. Most security managers don’t use it, however, because of the potential for false positives and self-inflicted denial of service attacks.
We hoped that negative reputation would make us confident enough in what the IPS was telling us to be more aggressive about the blocking features. That’s certainly Cisco’s marketing message: Because the risk rating is increased, you can easily select a different set of actions for the same event with different risk ratings, such as alerting on low risk ratings and blocking connections on higher risk ratings.
We found out that a reputation-based risk ratings is not a magic bullet. The false positives we have seen in the past with some of Cisco’s rules were no different with SensorBase input. Adding reputation information let us have a wider variety of actions for the same event type, but the primary responsibility for ensuring that we weren’t dropping good traffic still falls on the network manager.
We did eventually set up different actions for different risk ratings, but only after running the IPS for two weeks with blocking set to audit mode and looking at all the high risk alerts generated.
In one sense, risk ratings represent a limiting factor in how the security manager deals with reputation information. In the version we tested, the only way that reputation information influences the action taken on an event is by boosting the risk rating. You can’t look directly at reputation information and other data and take action. For example, there’s no way to say “for any event on Port 80 to our Webmail server, block the traffic if the reputation is less than -2”.
Our testing showed, however, that there are significant benefits to the security manager that come from combining IPS event data with reputation information using Cisco’s Global Correlation Inspection.
On the analysis side, we found ourselves focusing on the most important data when reputation information was available. On the configuration side, reputation data added to a carefully configured IPS that let us use features such as blocking with greater confidence.
The result is that Cisco IPS 7.0 continues to increase the value of the IPS in providing security visibility as well as threat mitigation.
For more information on the Network World Lab Alliance, including what it takes to become a member, check the Web site.