Cisco Reputation Filtering Overview

Wednesday, October 20, 2010

Antonio Ierano


Trying to find a weapon to reinforce our arsenal against the bad guys is always an interesting job.

There are several new or fairly new technologies on the market, as well as old technologies presented in a new fashion or implemented in a new way.

One of the most interesting areas is the use of reputation services.

Reputation services are a way to determine whether a source IP or service (which can be expressed as IP and port, IP and URL, and so on) is a threat vector or not.

Trying to understand whether a source is trustworthy or not is quite a difficult job, mainly because we are not in a black-or-white environment where a source is absolutely and completely bad forever and ever; we are in an environment where things change rapidly.

When talking about reputation we should understand a couple of things:

First of all, reputation is a rating service, not a blacklist service. It is a way to express, as a metric, how "risky" it is to connect to a specific source.

Nothing is absolutely trustworthy, which means that everything can be compromised and become, from time to time, a source of risk. Nevertheless, not all compromised sources are 100% untrustworthy, since they can also deliver legitimate content.

An IP address can deliver thousands of different services, and not all of those services will be compromised at the same time. As a matter of fact, a source can be trustworthy for SMTP and untrustworthy for HTTP.

The reason behind this is quite simple: the TCP/IP suite was designed to provide connectivity to a great variety of applications and services.

To provide this, the TCP/IP suite was built around a common addressing scheme (the IP address and the port) able to manage different protocols that may require a connection-oriented (TCP) or connectionless (UDP) transaction with the counterpart. All the protocols built on TCP/IP are independent of one another, and are generally associated with different daemons or programs that generate traffic through them.

PAT, NAT and DHCP are further reasons why different behaviors can come from a single IP.

A single public IP can be associated with different physical or logical service sources, mapped for example through Port Address Translation, in order to expose different services generated by different servers that use a private IP addressing scheme.

The real challenge with reputation services is that a good reputation service depends on the ability to monitor the widest possible IP space and to have enough historical data to provide projection and analysis.

This is a mandatory requirement because we cannot have direct control over every single IP or every single daemon behind an IP service, so we can understand whether something is going bad or good only by monitoring its activity.

Cisco's approach to this problem has recently evolved into the Cisco SIO integration: the previous Cisco network has been merged with the Cisco IronPort SenderBase network and, more recently, with the ScanSafe one. This new merged network is called the Cisco SensorBase network.

The idea is to provide an extensive monitoring platform for what happens on the Internet, adding data from firewalls, IPS, different kinds of traps and sensors, web browsing, spam analysis, malware analysis and so on, correlating all that data and producing reputation outputs.

Think of Cisco SIO as the world’s largest cooperative global security ecosystem, using more than 700,000 live feeds from linked Cisco email, web, firewall, and intrusion prevention systems (IPSs).

1) Cisco SensorBase collects raw event data from more than 700,000 globally linked sensors in Cisco IPS devices, firewalls, and web security and e-mail security devices, as well as data from more than 600 third-party feeds. SensorBase examines more than 30 percent of the world’s e-mail, thanks to strategically located “honey-pot” accounts equipped with e-mail addresses publicized on lists that spammers might use.

2) The Cisco SIO Threat Operations Center weights and processes the data. When necessary, Cisco security experts reverse-engineer malware and other Internet threats. Engineers also collect, research, and supply information about security events that have the potential for widespread impact on networks, applications, and devices.

3) When the data is ready for deployment, Cisco SIO mechanisms dynamically deliver updates to Cisco firewall, web, IPS, and email devices, and Cisco IntelliShield vulnerability aggregation and alert services. Cisco SIO also sends security best practice recommendations and community outreach services to Cisco customers.

The reputation produced by this system is used to feed Cisco web and email security products as well as Cisco IPS devices. But the SIO output feeds not only reputation: it also feeds the anti-botnet engine on Cisco ASA as well as the L4TM engine on Cisco WSA.

But what does this reputation look like?

Basically, for email and web security the reputation score is just a number in a range (-10.0 to +10.0).

-10 means you have a devil at your door, while +10 means an angel is knocking at your window. All the values in between mean we have to deal with sources that carry different risk ratings.

If we are working on an e-mail security solution, we can use this risk rating to manage SMTP connections.

What we can do is modify the TCP accept behavior, effectively shaping the traffic. In other words, we can tell the system to reject connections from sources below a specific value (I usually suggest -3), and to limit the number of accepted connections and the number of emails sent per SMTP connection for sources in a specific range.

If we are working with a web security solution, we can decide how we want to process the web traffic we receive.

Once again we can block connections with a reputation below a specific value, and force malware inspection and/or HTTPS inspection in specific ranges.

While the reputation value is an attribute assigned by SIO, the policy is created by the security manager or administrator.
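The email and web policies described above, as an added example that is not part of the original post and not Cisco's code: a small policy engine that takes a score in the -10.0 to +10.0 range and returns the SMTP shaping or web inspection decision. The reputation table is keyed by (IP, service) to reflect the point made earlier that one IP can be trustworthy for SMTP and not for HTTP. The -3 reject threshold is the one suggested in the post; every other threshold, band and limit is an assumed value chosen for illustration, and the sample scores are constructed.

```python
# Added example, not Cisco's code: a toy policy engine that turns a reputation
# score in the -10.0 .. +10.0 range into an SMTP or web decision. All thresholds
# other than the -3 reject value are assumptions for illustration.
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed sample reputation table keyed by (ip, service): the same IP can
# carry a different score per service, as the post explains.
SAMPLE_REPUTATION: Dict[Tuple[str, str], float] = {
    ("192.0.2.10", "smtp"): 7.5,     # good mail sender ...
    ("192.0.2.10", "http"): -7.0,    # ... whose web service looks compromised
    ("198.51.100.7", "smtp"): -8.2,  # bad mail sender
    ("203.0.113.5", "smtp"): -1.0,   # grey-zone sender
    ("203.0.113.5", "http"): 2.0,    # mildly positive web host
}


def lookup(ip: str, service: str, table=SAMPLE_REPUTATION, default: float = 0.0) -> float:
    """Return the score for (ip, service); unknown pairs get a neutral score."""
    return table.get((ip, service), default)


@dataclass(frozen=True)
class SmtpPolicy:
    reject_below: float = -3.0  # the threshold suggested in the post
    # (lower bound, max concurrent connections, max messages per connection),
    # evaluated from the highest band down; the values are assumed.
    throttle_bands: Tuple[Tuple[float, int, int], ...] = (
        (5.0, 1000, 1000),
        (0.0, 100, 100),
        (-3.0, 10, 5),
    )


def smtp_decision(score: float, policy: SmtpPolicy = SmtpPolicy()) -> dict:
    """Reject low-reputation senders; shape the rest according to their band."""
    if score < policy.reject_below:
        return {"action": "reject"}
    for lower, max_conn, max_msgs in policy.throttle_bands:
        if score >= lower:
            return {"action": "accept",
                    "max_connections": max_conn,
                    "max_messages_per_connection": max_msgs}
    # Only reachable with a custom band table that leaves a gap above reject_below.
    raise ValueError("throttle_bands does not cover score %s" % score)


@dataclass(frozen=True)
class WebPolicy:
    block_below: float = -6.0         # assumed: block the clearly bad
    malware_scan_below: float = 6.0   # assumed: scan everything not clearly good
    https_inspect_below: float = 0.0  # assumed: decrypt and inspect the grey zone


def web_decision(score: float, policy: WebPolicy = WebPolicy()) -> dict:
    """Block below the threshold, otherwise allow with inspection flags set by range."""
    if score < policy.block_below:
        return {"action": "block", "malware_scan": False, "https_inspect": False}
    return {"action": "allow",
            "malware_scan": score < policy.malware_scan_below,
            "https_inspect": score < policy.https_inspect_below}


if __name__ == "__main__":
    for (ip, svc), score in SAMPLE_REPUTATION.items():
        decision = smtp_decision(score) if svc == "smtp" else web_decision(score)
        print(f"{ip:14} {svc:5} {score:+5.1f} -> {decision}")
```

Running the script shows the same IP (192.0.2.10) accepted with generous SMTP limits while its HTTP service is blocked, which is the per-service behaviour the post argues a reputation system has to support.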

On the IPS solution (with IPS 7.0) Security managers can use SensorBase data in two ways. Reputation filtering lets you block all traffic from IP addresses with an extremely bad reputation. This is done regardless of traffic type -- all traffic from these sites will be blocked.

This basic use of reputation filters isn't new, but what's interesting is that Cisco will use this reputation data to change the Risk Rating of security events identified by the IPS. In other words, an event linked to a 'bad' IP address will result in an even higher Risk Rating.

"Risk Rating" is a Cisco-proprietary value, from 0 to 100, that is computed for every event identified by the IPS. Risk Rating lets you prioritize events and decide what to look at and what to ignore.

In Cisco's IPS products, every event has a Risk Rating and the security manager generally defines three bands of risks: low, medium, and high.

For each of the bands, you can then select a set of actions, from logging that an event occurred to actively blocking all traffic from a particular IP address for some period of time. Risk Ratings aren't new -- what's new is the addition of reputation information in 7.0.

Global Correlation Inspection raises the Risk Rating for any event when one of the IP addresses involved has a bad reputation.

The difference between Reputation Filtering and Global Correlation Inspection is pretty important: with Reputation Filtering turned on, an extremely bad reputation of -10 will cause all traffic to be dropped. With Global Correlation Inspection turned on, bad reputations will only cause Risk Ratings of events to be raised.

Using Risk Rating together with Global Correlation helps administrators focus on what they really care about. Having the reputation information available with every event gives two significant benefits: it lets us deal with events more quickly, and the change in Risk Ratings lets us focus on the events that pose the greatest potential threats.
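The two IPS 7.0 uses of SensorBase data described above, modelled as an added example that is not part of the original post and not Cisco's code. Reputation Filtering drops all traffic involving an IP at the extreme -10 score before inspection; Global Correlation Inspection only raises the Risk Rating of an event when an involved IP has a bad reputation, and the band that rating falls in picks the action. The post gives the -10 drop value and the 0 to 100 Risk Rating range; the boost formula, the low/medium/high boundaries, the per-band actions and the sample scores are all assumptions constructed for illustration.

```python
# Added example, not Cisco's code: models the two ways the post says IPS 7.0
# uses SensorBase reputation. The boost formula, band boundaries and actions
# are assumptions for illustration.
from dataclasses import dataclass
from typing import Dict

# Constructed per-IP reputation scores (-10.0 .. +10.0).
SAMPLE_IP_REPUTATION: Dict[str, float] = {
    "198.51.100.7": -10.0,  # extremely bad: Reputation Filtering drops it outright
    "203.0.113.5": -5.0,    # bad, but above the drop value
    "192.0.2.10": 5.0,      # good
}


@dataclass(frozen=True)
class Event:
    src_ip: str
    dst_ip: str
    signature: str
    risk_rating: int  # Cisco-proprietary 0..100 value computed per event


def ip_score(ip: str, table=SAMPLE_IP_REPUTATION) -> float:
    """Unknown IPs are treated as neutral."""
    return table.get(ip, 0.0)


def reputation_filter_drops(src_ip: str, dst_ip: str, drop_at: float = -10.0) -> bool:
    """Reputation Filtering: all traffic involving an extremely bad IP is dropped,
    regardless of traffic type, before any signature inspection."""
    return min(ip_score(src_ip), ip_score(dst_ip)) <= drop_at


def correlated_risk_rating(event: Event, max_boost: int = 40) -> int:
    """Global Correlation Inspection: raise the Risk Rating when an involved IP
    has a bad reputation. Assumed formula: the boost grows linearly with how
    negative the worst involved score is, up to max_boost, capped at 100."""
    worst = min(ip_score(event.src_ip), ip_score(event.dst_ip))
    if worst >= 0.0:
        return event.risk_rating
    boost = round(max_boost * (-worst) / 10.0)
    return min(100, event.risk_rating + boost)


def risk_band(rr: int) -> str:
    """Assumed boundaries; the post says the manager defines three bands."""
    if rr < 40:
        return "low"
    if rr < 70:
        return "medium"
    return "high"


# Assumed action per band, from just logging up to blocking the source for a while.
BAND_ACTIONS = {"low": "log", "medium": "alert", "high": "block-source-for-ttl"}


def process(event: Event, reputation_filtering: bool = True,
            global_correlation: bool = True) -> dict:
    """Run one event through the pipeline and report what happened to it."""
    if reputation_filtering and reputation_filter_drops(event.src_ip, event.dst_ip):
        return {"dropped_by_reputation_filter": True, "risk_rating": None,
                "band": None, "action": "drop-all-traffic"}
    rr = correlated_risk_rating(event) if global_correlation else event.risk_rating
    band = risk_band(rr)
    return {"dropped_by_reputation_filter": False, "risk_rating": rr,
            "band": band, "action": BAND_ACTIONS[band]}


if __name__ == "__main__":
    # Same signature and base Risk Rating, three different source reputations.
    for src in SAMPLE_IP_REPUTATION:
        ev = Event(src, "10.0.0.5", "sig-A", 30)
        print(src, "filtering on:", process(ev),
              "| filtering off:", process(ev, reputation_filtering=False))
```

The run makes the difference the post draws visible: the -10 source is dropped without a rating when Reputation Filtering is on, and only when it is off does Global Correlation turn the same base rating of 30 into a high-band event, while the -5 source is never dropped and is merely promoted from low to medium.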

Cross-posted from DoctorReptile