Cisco IPS 7.0 raises the bar.

Byline: jeevan@cpidubai.com (Staff)

Cisco is shipping what it claims is the first intrusion-prevention system (IPS) to correlate IP reputation filtering with signature-based intrusion-prevention sensors.

We tested the software upgrade to Cisco's shipping IPS hardware and appliances and found that not only has Cisco increased the value of its IPS in preventing attacks, it has done so in a way that any security manager can deploy easily and intuitively in minutes.

While there are the rough edges and blank spots you'd expect in any new release, Cisco has set the bar pretty high with this one.

When Cisco acquired Ironport in 2007, it got a hidden gem in the deal: SenderBase, Ironport's IP address reputation service. SenderBase originally focused on spam sources, but when Ironport moved into the Web security gateway business it refocused SenderBase as a more generic service covering spam, malware and viruses.

Cisco has taken the SenderBase technology and created yet another reputation service, Cisco SensorBase, which is accessible in the IPS 7.0 software release. We found that SensorBase is tightly integrated with the IPS and, as our testing shows, actually works.

Security managers can use SensorBase data in two ways. Reputation filtering lets you block all traffic from IP addresses with an extremely bad reputation. This is done regardless of traffic type: all traffic from these sources is blocked.

This basic use of reputation filters isn't new; what's interesting is that Cisco will use the reputation data to change the Risk Rating of security events identified by the IPS. In other words, an event linked to a "bad" IP address gets an even higher Risk Rating.

"Risk Rating" is a Cisco-proprietary value, from 0 to 100, computed for every event the IPS identifies. Risk Rating lets you prioritize events and decide what to look at and what to ignore.

Prior to IPS 7.0, Risk Rating was computed from six main factors, such as the value of the asset being attacked, the danger of the attack, the match between the attack and the target operating system, the quality of the signature, and so on. With IPS 7.0, another factor can be thrown into the mix: the reputation of the attacker as determined by Cisco's SensorBase.

Testing Global Correlation Inspection

In Cisco's IPS products, every event has a Risk Rating, and the security manager generally defines three bands of risk: low, medium and high. For each band, you can then select a set of actions, from logging that an event occurred to actively blocking all traffic from a particular IP address for some period of time. Risk Ratings aren't new; what's new in 7.0 is the addition of reputation information.

Global Correlation Inspection raises the Risk Rating of any event in which one of the IP addresses involved has a bad reputation.

The difference between Reputation Filtering and Global Correlation Inspection is important: with Reputation Filtering turned on, an extremely bad reputation of -10 causes all traffic from that address to be dropped. With Global Correlation Inspection turned on, bad reputations only raise the Risk Ratings of events.

Global Correlation Inspection is well integrated into the reporting and analysis tools in IPS Manager Express, and we were easily able to see reputation data mixed in with each IPS event. What we couldn't easily see was the effect the reputation data had on the event information. It would have been nice to have "before" and "after" columns so we could see what Global Correlation Inspection was doing.

Even with several weeks of work, we found it difficult to understand and get comfortable with Global Correlation Inspection because of the lack of reporting information. Cisco could make security managers' lives easier by giving them more detail about exactly what is going on with each event.

Ultimately, we found that having the reputation information available with every event gave us two significant benefits: it let us deal with events more quickly, and the change in Risk Ratings let us focus on the events that posed the greatest potential threats.

Reputation information in the analysis console turned out to be a great timesaver. Cisco's IPS Manager Express, released in 2008 with IPS software Version 6.1 and included with every IPS sensor, is a huge leap forward from previous IPS and IDS management tools from Cisco.

IPS Manager Express handles up to five sensors and gives competitive products from Juniper and Sourcefire some significant competition. Even with the benefits of IPS Manager Express, we found ourselves frequently referring to the reputation data included with each event to understand which events needed to be looked at and which could be ignored.

For example, one day we had 72 events that the Cisco IPS had identified as attempts to use Web servers on our network as HTTP proxies. Of those 72 events, 71 came from addresses with fairly bad reputations: -3.8 and -5.5. Since we're pretty confident that the Web servers are configured correctly, we ignored those events as normal probes for misconfigured Web servers.

However, one of the events came from an address without a bad reputation. We investigated and found one of our own users with a misconfigured laptop on the road. Without the reputation service, we never would have investigated any of the events, but because one event stood out, we not only investigated the problem but also resolved a configuration issue.

The second benefit of combining reputation services with IPS events was the variation in Risk Rating. We saw significant numbers of events with modified Risk Ratings because of negative reputation. In one 100-hour period, 11% of the high- and medium-severity events had their Risk Ratings bumped up because of negative reputation: almost 2,000 events. By sorting on Risk Rating within each event type, we were drawn to the events that the IPS thought posed the greatest risk.

One benefit we hoped to see from reputation services was increased confidence in IPS connection blocking and also in IPS punitive blocking, sometimes called shunning. Most IPS products have an option to turn on punitive blocking. Most security managers don't use it, however, because of the potential for false positives and self-inflicted denial-of-service attacks.

We hoped that negative reputation would make us confident enough in what the IPS was telling us to be more aggressive about the blocking features. That's certainly Cisco's marketing message: because the Risk Rating is increased, you can easily select a different set of actions for the same event at different Risk Ratings, such as alerting on low Risk Ratings and blocking connections on higher ones.
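The mechanics described above (a Risk Rating computed from several factors, a reputation boost layered on top by Global Correlation Inspection, a separate Reputation Filtering drop at the worst score, and band-to-action policy) can be seen end to end in the following added example. It is illustration code written for this page, not Cisco's code or a description of its internals. The base formula keeps the shape Cisco documents for its 6.x sensors (attack severity x target value x signature fidelity, scaled, plus attack relevancy, minus promiscuous delta); the reputation boost table, the band edges, the action names and the sample events are all assumptions chosen here. The sample set is a constructed, smaller version of the 72 proxy-probe events from the review, and the `unexplained` function reproduces the triage that surfaced the one neutral-reputation source.

```python
"""Risk Rating with a reputation boost, reputation filtering, and event triage.

Added illustration, not Cisco's code. The base formula follows the shape
Cisco documents for its 6.x sensors; the reputation boost table, the band
edges and the action names are assumptions chosen for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Reputation scores run from -10 (worst) to +10 (best), as shown in the review.
REPUTATION_FILTER_SCORE = -10.0   # Reputation Filtering drops everything at this score
MEDIUM_BAND = 40                  # assumed band edges: low < 40 <= medium < 70 <= high
HIGH_BAND = 70


@dataclass
class Event:
    signature: str
    src_ip: str
    reputation: float   # SensorBase-style score for the source address
    asr: int            # attack severity rating: 25/50/75/100 (informational..high)
    tvr: int            # target value rating: 50 (zero) .. 200 (mission critical)
    sfr: int            # signature fidelity rating: 0..100
    arr: int = 0        # attack relevancy: +10 if the target OS is vulnerable, -10 if not
    pd: int = 0         # promiscuous delta, 0..30, non-zero only in passive deployments


def base_risk_rating(e: Event) -> int:
    """Risk Rating before any reputation input (what pre-7.0 sensors computed)."""
    rr = (e.asr * e.tvr * e.sfr) // 10000 + e.arr - e.pd
    return max(0, min(100, rr))


def reputation_adjustment(reputation: float) -> int:
    """Assumed boost: the worse the source's reputation, the larger the bump."""
    if reputation >= -1.0:
        return 0
    if reputation >= -4.0:
        return 10
    if reputation >= -7.0:
        return 20
    return 30


def correlated_risk_rating(e: Event, global_correlation: bool = True) -> int:
    """Global Correlation Inspection: same event, higher rating for a bad source."""
    rr = base_risk_rating(e)
    if global_correlation:
        rr += reputation_adjustment(e.reputation)
    return min(100, rr)


def reputation_filter_drops(e: Event, enabled: bool = True) -> bool:
    """Reputation Filtering: drop all traffic from the worst sources, whatever the event."""
    return enabled and e.reputation <= REPUTATION_FILTER_SCORE


def action_for(rr: int) -> str:
    """Band-to-action policy; one signature lands in different bands at different ratings."""
    if rr >= HIGH_BAND:
        return "alert+deny-connection"
    if rr >= MEDIUM_BAND:
        return "alert"
    return "log"


def disposition(e: Event, reputation_filtering: bool = True, global_correlation: bool = True) -> str:
    """Filtering is checked first; otherwise the (possibly boosted) rating picks the action."""
    if reputation_filter_drops(e, reputation_filtering):
        return "drop-all-traffic"
    return action_for(correlated_risk_rating(e, global_correlation))


def prioritize(events: List[Event]) -> List[Event]:
    """Analyst view: highest correlated Risk Rating first, ties broken by source address."""
    return sorted(events, key=lambda e: (-correlated_risk_rating(e), e.src_ip))


def unexplained(events: List[Event], neutral_floor: float = -1.0) -> Dict[str, List[Event]]:
    """Per signature, the events whose source has no bad reputation.

    In the review's proxy-probe case these are the ones worth a human look: the
    bad-reputation sources are background noise, the neutral one was a misconfigured laptop.
    """
    by_sig: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        by_sig[e.signature].append(e)
    return {sig: [e for e in evs if e.reputation >= neutral_floor] for sig, evs in by_sig.items()}


# Constructed sample: a smaller version of the review's 72 proxy-probe events.
# Seven probes from sources with bad reputations, one from a neutral address,
# plus one high-severity event to show the rating clamp at 100.
PROXY_PROBE = "HTTP proxy probe"
SAMPLE_EVENTS = [
    Event(PROXY_PROBE, f"198.51.100.{i}", -5.5 if i % 2 else -3.8, asr=50, tvr=100, sfr=80, arr=10)
    for i in range(1, 8)
] + [
    Event(PROXY_PROBE, "192.0.2.77", 0.0, asr=50, tvr=100, sfr=80, arr=10),
    Event("SQL injection attempt", "203.0.113.9", 2.0, asr=100, tvr=150, sfr=90),
]

if __name__ == "__main__":
    for e in prioritize(SAMPLE_EVENTS):
        print(f"RR {correlated_risk_rating(e):3d} (base {base_risk_rating(e):3d}) "
              f"rep {e.reputation:+5.1f} {e.src_ip:<15} {e.signature}: {disposition(e)}")
    for sig, evs in unexplained(SAMPLE_EVENTS).items():
        print(f"{sig}: look at {[e.src_ip for e in evs]}")
```

With these assumed numbers a proxy probe scores 50 on its own, which is "alert"; the same signature from a -5.5 source is boosted to 70 and crosses into the blocking band, while a -3.8 source lands at 60 and stays at "alert". Turning `global_correlation` off returns every probe to 50, which is the point the review makes: the reputation only ever reaches the policy through the rating, so the boost table and the band edges together decide what gets blocked.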

We found that reputation-based Risk Ratings are not a magic
bullet. The false positives we have seen in the past with some of
Cisco's rules were no different with SensorBase input. Adding
reputation information let us have a wider variety of actions for the
same event type, but the primary responsibility for ensuring that we
weren't dropping good traffic still falls on the network manager.

We did eventually set up different actions for different Risk
Ratings, but only after running the IPS for two weeks with blocking set
to audit mode and looking at all the high risk alerts generated.

In one sense, Risk Ratings represent a limiting factor in how
the security manager deals with reputation information. In the version
we tested, the only way that reputation information influences the
action taken on an event is by boosting the Risk Rating. You can't
look directly at reputation information and other data and take action.
For example, there's no way to say "for any event on Port 80
to our Webmail server, block the traffic if the reputation is less than
-2".

Our testing showed, however, that there are
significant benefits to the security manager that come from combining
IPS event data with reputation information using Cisco's Global
Correlation Inspection.

On the analysis side, we found
ourselves focusing on the most important data when reputation
information was available. On the configuration side, reputation data
added to a carefully configured IPS let us use features such as
blocking with greater confidence.

The result is that Cisco IPS
7.0 continues to increase the value of the IPS in providing security
visibility as well as threat mitigation.

Copyright 2009 IDG Middle East. All rights reserved. Provided by Syndigate.info, an Albawaba.com company.