© 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential

Slide 1
Thanks for joining! We will begin in just a few minutes as more people come on line. This event will be recorded.

Slide 2: IPS Tech Talk – Global Correlation
2010 November 18
Robert Albach, James Kasper, Chad Rhyner

Slide 3: Agenda
- :00 Welcome to Tech Talks: mechanics of Tech Talks
- :03 Global Correlation: introduction and definitions; what you can do with it and how; where it is found in the product; details to consider
- :30 Question and Answer

Slide 4: Tech Talk Mechanics
How these events will operate:
- With many people on-line we will mute all but the presenters.
- We will try to answer questions at the end. Please use the “Question and Answer” feature for questions. If we don’t get to your question, we will try to answer it off-line.
- The presentation and recording will be placed on the Community support site: https://supportforums.cisco.com/

Slide 5: Global Correlation – Simple View
(Diagram: Cisco SensorBase, Akamai, Cisco IPS)

Slide 6: Cisco Global Correlation
SensorBase: World’s Largest Traffic Monitoring Network (diagram: Cisco SensorBase)

Slide 7: Cisco Global Correlation – Sensor Contribution
Email Security, Web Security, IPS, Firewall. Identifying a global botnet requires complete visibility across all threat vectors.

Slide 8: IPS 7.x Global Correlation – Support
- Released Spring 2009 as version 7.0(1)
- Which devices can use Global Correlation:
  - 4240, 4255, 4260, 4270 IPS appliances
  - IDSM2 Cisco Catalyst blades
  - IPS-AIM and IPS-NME ISR modules
  - AIP modules for ASA appliances
- Which devices CAN NOT use Global Correlation:
  - Cisco IOS IPS
  - ASA 5505 with AIP-SSC5 card
  - IPS 4215

Slide 9: IPS 7.0 Global Correlation – Activities
- Global Correlation Inspection (GC): use “Reputation” knowledge of attackers to influence alarm handling and denies when “Bad Score” attackers are seen on the sensor.
- Reputation Filter (RF): apply automatic deny of packets from known malicious sites.
- Network Participation (NP): the sensor sends sampled and condensed alarm data and statistics to a central “IBNP server” for global analysis.

Slide 10: Quick Poll – Global Correlation and You…

Slide 11: Global Correlation in the IPS
- Fully automatic handling of the sensor’s uploads and downloads of Global Correlation and participation data.
- Apply intelligent handling to alarms.
- Improve efficacy: the effectiveness of our defensive action handling.
- Improve protection against known malicious sites (by IP address range) with a fully automatic ingress filter.
- Share telemetry data with Cisco back-end processing to improve visibility of alarms and sensor actions on a global scale. This feeds various analysis tools.

Slide 12: GLOBAL CORRELATION IN THE IPS

Slide 13: Event views – Reputation

Slide 14: Global Correlation in IPS Monitoring

Slide 15: Global Correlation / Reputation – Events

Slide 16: Reporting Criteria

Slide 17: Global Correlation / Reputation – Reports

Slide 18: CONFIGURING GLOBAL CORRELATION

Slide 19: Configuration Options
- Service host / network-settings
  - DNS-server (primary, secondary, tertiary) OR HTTP-Proxy (address and port)
- Service global-correlation
  - Network Participation: On / Off
  - Participation Mode: Partial or Full
  - Global Correlation Inspection: On / Off
  - Influence (parameter to set how aggressive the function behaves)
  - Reputation Filter: On / Off
  - Test Global Correlation (audit mode): On / Off

Slide 20: Configuration by CLI

Slide 21: Global Correlation Configuration in IPS

Slide 22: Global Correlation Configuration via Cisco Security Manager

Slide 23: CONNECTIVITY SIDE OF GLOBAL CORRELATION

Slide 24: Automatic GC updates
- Fully automatic beyond configuration.
- Cisco distributes the update files via Akamai caches for load balancing, redundancy, and locality.
- Update interval can happen every 5 minutes, as needed.
- The sensor first gets a “FULL” update of components, then applies “INCREMENTAL” updates periodically (as new updates are available).
- Initial Full updates range upwards from 2G in size.
- Incrementals are typically 100K in size.
- Each data set has a serial #, displayed in the GC stats. This serial # represents the latest dataset loaded by the sensor. This is informational and does not require any user interaction.

Slide 25: Global Correlation Reputation Updates
1. Initiate request to update reputation data through HTTPS request (diagram: IPS initiates request to update reputation data, HTTPS://update-manifest.ironport.com)
2. Sensor gets back a manifest containing the DNS name of a server to get the data from (diagram: URL list of local Akamai servers is returned)
3. DNS request returns the nearest Akamai server (diagram: “Akamaized” DNS request for nearest server)
4. Initiate actual data download using HTTP from the Akamai server (diagram: IPS initiates actual data download over HTTP)
(Diagram nodes: CSIO, Cisco CallManager, Servers, Desktop, Cisco IPS, Internet)

    demosensor1# show statistics global..
    Update Server = update-manifests.ironport.com
    Update Server Address = 204.15.82.17
    Current Versions:
        config = 1236210407
        drop = 1245425355
        ip = 1245424447
        rule = 1245348807

Reputation data comes in the form of multiple files (config, drop, ip, rule) that get downloaded as needed during updates.
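The serial numbers in the statistics output above are the only evidence, short of packet captures, that the update path described on slides 24 and 25 is actually working. The following is an added example (not from the slides and not Cisco code) that parses the fields shown in that output and compares two snapshots to tell whether the four reputation datasets are advancing. The sample output is constructed from the values on the slide; its exact layout beyond the lines shown there, and the second snapshot's newer serials, are assumptions.

```python
"""Parser for the 'show statistics global-correlation' fields shown on the slide,
plus a check that compares two snapshots to confirm reputation datasets are
advancing. Added example, not Cisco code; the sample output below is constructed
from the values on the slide and its exact layout is an assumption."""
import re
from typing import Dict, List

# Constructed snapshot: server name, address and serials copied from the slide.
SNAPSHOT_T0 = """\
demosensor1# show statistics global-correlation
Update Server = update-manifests.ironport.com
Update Server Address = 204.15.82.17
Current Versions:
   config = 1236210407
   drop = 1245425355
   ip = 1245424447
   rule = 1245348807
"""

# Constructed later snapshot: the 'drop' and 'ip' serials have moved forward
# (the newer values are made up for the example).
SNAPSHOT_T1 = """\
demosensor1# show statistics global-correlation
Update Server = update-manifests.ironport.com
Update Server Address = 204.15.82.17
Current Versions:
   config = 1236210407
   drop = 1245431000
   ip = 1245430000
   rule = 1245348807
"""

# The four reputation data files named on the slide.
DATASETS = ("config", "drop", "ip", "rule")

# Matches 'Key = value' lines regardless of indentation.
_KV = re.compile(r"^\s*([A-Za-z ]+?)\s*=\s*(\S+)\s*$")


def parse_gc_stats(text: str) -> Dict[str, object]:
    """Return the update server, its address and a name -> serial map
    for every dataset line found in the output."""
    result: Dict[str, object] = {"server": None, "server_address": None, "versions": {}}
    for line in text.splitlines():
        m = _KV.match(line)
        if not m:
            continue
        key, value = m.group(1).strip().lower(), m.group(2)
        if key in DATASETS:
            result["versions"][key] = int(value)
        elif key == "update server":
            result["server"] = value
        elif key == "update server address":
            result["server_address"] = value
    return result


def missing_datasets(parsed: Dict[str, object]) -> List[str]:
    """Datasets the sensor has not reported a serial for; an empty list is
    expected once the initial FULL update has been applied."""
    return [name for name in DATASETS if name not in parsed["versions"]]


def compare_versions(old: Dict[str, int], new: Dict[str, int]) -> Dict[str, str]:
    """Classify each dataset serial as advanced, unchanged, regressed or missing
    between two snapshots. Serials are treated as opaque increasing integers."""
    report = {}
    for name in DATASETS:
        before, after = old.get(name), new.get(name)
        if before is None or after is None:
            report[name] = "missing"
        elif after > before:
            report[name] = "advanced"
        elif after == before:
            report[name] = "unchanged"
        else:
            report[name] = "regressed"
    return report


def updates_flowing(old: Dict[str, int], new: Dict[str, int]) -> bool:
    """True when at least one dataset advanced and none is missing or went
    backwards. Incrementals are published only as needed, so one unchanged
    comparison between closely spaced snapshots is not proof of a problem; a
    long run of unchanged snapshots is what should trigger the connectivity
    (port 443 / proxy) and licence/time checks from the debugging slide."""
    states = set(compare_versions(old, new).values())
    return "advanced" in states and not states & {"regressed", "missing"}


if __name__ == "__main__":
    t0, t1 = parse_gc_stats(SNAPSHOT_T0), parse_gc_stats(SNAPSHOT_T1)
    print("server:", t0["server"], t0["server_address"])
    print("missing:", missing_datasets(t0))
    print("changes:", compare_versions(t0["versions"], t1["versions"]))
    print("updates flowing:", updates_flowing(t0["versions"], t1["versions"]))
```

Run it periodically against saved copies of the command output; the interesting signal is a dataset that never advances, or one that is missing altogether, which points at the sensor never having completed its initial FULL update.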

Slide 26: CONTRIBUTING TO GLOBAL CORRELATION SUCCESS

Slide 27: Network Participation
- Per alarm, the partial mode telemetry data includes:
  - SIGID
  - Attacker address and port
  - Signature version
  - GC reputation score
  - Risk Rating fields
- AnalysisEngine GC stats:
  - Alerts
  - Hits/Miss
  - GC reputation actions
  - Packet deny counters
- FULL mode adds:
  - Victim IP and port

Slide 28: Network Participation – Configuration via CSM

Slide 29: CSM Network Participation Explanation

Slide 30: REPUTATION FILTERING

Slide 31: Reputation Filtering – Configuration

Slide 32: Reputation Filtering: Deny Filter Processor
- Deny Attacker addresses are registered here.
- The GlobalCorrelation ReputationFilter is registered here.
- This is an INGRESS filter, and will drop packets matching deny attacker or RF.
- Deny Attacker is the most aggressive action.
- Deny Attacker can come from a SigEvent action, a manual user command, and the GC alarm feature.
- Deny Attacker modes:
  - Axxx: deny-attacker
  - AxBx: deny-attacker-victim-pair
  - Axxb: deny-attacker-service-pair

Slide 33: GLOBAL CORRELATION AND RISK RATINGS / ACTIONS

Slide 34: How is Risk Rating Determined?
Risk Rating has multiple contributing inputs:
- Attack Severity Rating – derived from other inputs (more to come)
- Target Value Rating – configurable by user
- Signature Fidelity Rating – pre-set by Cisco for each signature
- Attack Relevance Rating – derived from other inputs (more to come)
- Promiscuous Delta – derived value, impacted by IDS mode
- Watch List Rating – derived from internal list data (more to come)
- *Global Correlation (7.0 and later): + Risk Delta

Slide 35: Reputation Effect on Risk Rating

Slide 36: Global Correlation and Risk Rating
- For 7.0+ releases you have access to Cisco Global Correlation Reputation data.
- There are three modes that let you determine how aggressively the sensor uses global correlation information to initiate deny actions:
  - Permissive: modifies the standard Risk Rating with the Risk Delta (below).
  - Standard: Permissive, but uses lower internal override thresholds. Deny Packet – 86, Deny Attacker – 100.
  - Aggressive: Standard, but uses even lower override thresholds. Deny Packet – 83, Deny Attacker – 95.
(Diagram: + Risk Delta)
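To make the three modes concrete, here is an added example (not from the slides and not Cisco code) that models how a reputation-derived Risk Delta raises an alarm's Risk Rating and how the Standard and Aggressive override thresholds quoted on this slide (86/100 and 83/95) then decide deny-packet and deny-attacker. Three things are assumptions rather than slide content: the mapping from reputation score to Risk Delta, the user's own deny-packet override threshold (90 here), and that the GC thresholds are consulted only for attackers with a negative score, in line with the "Bad Score" wording on slide 9.

```python
"""Model of how the three Global Correlation modes on this slide turn a
reputation-adjusted Risk Rating into deny actions. Added example, not Cisco
code. Assumptions not found on the slides: the mapping from reputation score
to Risk Delta, the user's own deny-packet override threshold, and that the GC
override thresholds are consulted only for attackers with a negative score."""
from enum import Enum
from typing import Set


class Mode(Enum):
    PERMISSIVE = "permissive"
    STANDARD = "standard"
    AGGRESSIVE = "aggressive"


# Internal override thresholds (deny packet, deny attacker) as given on the slide.
GC_OVERRIDE = {
    Mode.STANDARD: (86, 100),
    Mode.AGGRESSIVE: (83, 95),
}

# ASSUMPTION: the sensor's user-configured event action override for deny packet.
USER_DENY_PACKET_THRESHOLD = 90


def risk_delta(reputation_score: float) -> int:
    """Risk Delta added to the Risk Rating for a given reputation score.
    ASSUMPTION (constructed for this example): scores of 0 or better add
    nothing; each point below 0 adds 4, capped at +40. The slide only states
    that the delta exists and is derived from reputation."""
    if reputation_score >= 0:
        return 0
    return min(40, round(-reputation_score * 4))


def effective_risk_rating(base_rr: int, reputation_score: float) -> int:
    """Risk Rating + Risk Delta (slides 34 and 36), kept within the 0..100 scale."""
    return max(0, min(100, base_rr + risk_delta(reputation_score)))


def decide_actions(base_rr: int, reputation_score: float, mode: Mode) -> Set[str]:
    """Actions the sensor would add for one alarm.

    Permissive: only the raised Risk Rating is compared with the user's own
    override threshold. Standard and Aggressive: in addition, the lower GC
    thresholds from the slide can add deny-packet and deny-attacker, but only
    when the attacker actually carries a bad (negative) score."""
    rr = effective_risk_rating(base_rr, reputation_score)
    actions: Set[str] = set()
    if rr >= USER_DENY_PACKET_THRESHOLD:
        actions.add("deny-packet")
    if mode in GC_OVERRIDE and reputation_score < 0:
        deny_packet_at, deny_attacker_at = GC_OVERRIDE[mode]
        if rr >= deny_packet_at:
            actions.add("deny-packet")
        if rr >= deny_attacker_at:
            actions.add("deny-attacker")
    return actions


if __name__ == "__main__":
    # The same alarm (base RR 84, attacker score -1 -> effective RR 88) under each mode:
    # Permissive adds nothing, Standard and Aggressive both add deny-packet.
    for mode in Mode:
        print(mode.value, sorted(decide_actions(84, -1, mode)))
```

The point the model makes visible is that the mode changes the thresholds, not the Risk Rating itself: an alarm that lands at 88 after the delta is left alone in Permissive, denied at packet level in Standard and Aggressive, and only reaches deny-attacker when the adjusted rating clears 100 (Standard) or 95 (Aggressive). An attacker with no bad score never triggers the GC thresholds in this model, whatever the mode.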

Slide 37: How To: Global Correlation and Risk Rating

Slide 38: Configuring Through CSM

Slide 39: DEBUGGING AND DETAILED METRICS

Slide 40: Some Debugging Information
- Local network devices may have to open up port 443 or the proxy port at the gateway.
- Statistics of interest:
  - show stat analysis-engine
  - show stat global-correlation
- show version displays license information.
- The GC license feature requires a proper time/date setting.
- ReputationFilter drops are seen in analysis-engine statistics.

Slide 41: Device Detail Information – Global Correlation / Reputation

Slide 42: Device Detail Information – Global Correlation / Reputation

Slide 43: What might be some limitations?
- IPS location may make a difference.
- Example: if the sensor inspects only internal traffic, external reputation data may not have much meaning; Global Correlation has less impact, and internal watch list information is a better fit.

Slide 44: Global Correlation Summary
- Global Correlation helps you to:
  - Reduce traffic with Reputation Filters prior to deep inspection
  - Influence actions taken by the IPS by altering Risk Ratings
- Global Correlation is easy: downloads are automated and simple to set up.
- Global Correlation is made better by you! Your participation improves your own and others’ identification of attackers and bad sites.

Slide 45: Quick Poll – Global Correlation and You…

Slide 46: Before the Q&A Session
- Thanks for attending.
- Let us know: Was this session worthwhile to you? What future topics would you like to see? How might we improve these events?
- Send an email to: Robert Albach ralbach@cisco.com

Slide 47: Q&A
Please use the Question and Answer section of WebEx.

Slide 48: THANKS!

