Understanding Global Correlation
You can configure global correlation so that your sensors are aware of network devices with a reputation for malicious activity and can take action against them. IPS devices that participate in SensorBase, a centralized Cisco threat database, receive and absorb global correlation updates. The reputation data contained in the global correlation updates is factored into the analysis of network traffic, which increases IPS efficacy because traffic is denied or allowed based on the reputation of the source IP address. The participating IPS devices send data back to the Cisco SensorBase Network, which results in a feedback loop that keeps the updates current and global.
Tip: The Botnet Traffic Filter feature of adaptive security appliances (ASA) is another dynamic feature you can deploy in your network to defend against malicious activity. Configuring global correlation on IPS devices, and Botnet Traffic Filtering on ASA firewalls, can be an effective combined security implementation. For more information about Botnet Traffic Filtering, see Managing Firewall Botnet Traffic Filter Rules.
There are three main features of global correlation:
- Global Correlation Inspection—The IPS uses the global correlation reputation knowledge of attackers to influence alert handling and to deny actions when attackers with a bad score are seen on the sensor. For more information about reputation, see Understanding Reputation.
- Reputation Filtering—Applies automatic deny actions to packets from known malicious sites.
- Network Participation—The sensor sends alert and TCP fingerprint data to the SensorBase Network so that other users can share in the community knowledge. For more information, see Understanding Network Participation.
Global correlation has the following goals:
- Dealing intelligently with alerts, thus improving efficacy.
- Improving protection against known malicious sites.
- Sharing telemetry data with the SensorBase Network to improve visibility of alerts and sensor actions on a global scale.
- Simplifying configuration settings.
- Automatically handling the uploads and downloads of the information.
Tip: You can use Report Manager to generate reports comparing the number of alerts generated by global correlation to those generated by traditional IPS inspection. For information on the Inspection/Global Correlation report, see Understanding General IPS Reports. For information on generating reports, see Opening and Generating Reports.
For information on how to configure global correlation, see the following topics: