From the course: Cisco Network Security: Intrusion Detection and Prevention

Reputation-based IDS - Cisco Routers Tutorial

Reputation-based IDS

- [Instructor] In addition to using signatures to identify threats, Cisco Intrusion Detection Systems can benefit from reputation-based intrusion detection using Cisco's Security Intelligence Operations. In the real world, we make our selections based on the reputation of the company or product. The collective nature of event correlation is very powerful, as it provides information to the Intrusion Detection Systems about certain IP addresses that may have a reputation associated with malicious or risky websites.

The Threat Operations Center is constantly vigilant and gathers and analyzes data on malicious activity using automated, along with human interaction, methods. The gathered data populates the Cisco SensorBase database. Participants contribute to the database, but also benefit from the collective wisdom and information.

The first step is to agree to participate. Then, on the Local Area Network, participating intrusion prevention sensors gather data and then send suspect traffic to the global correlation servers. If there is an identified event, the Intrusion Detection System will send information that includes signature ID, attacker's IP address and port, victim IP address and port, TCP options string, reputation rating and score, and data from the sensor health metrics. The reputation servers update the database and then share the results with other contributing networks.

The Cisco SensorBase database changes often. It's best practice to set the sensor to periodically download global correlation updates from the global correlation servers. Reputation-based intrusion detection using Cisco's Security Intelligence Operations is a powerful feature that helps prevent threats from malware and zero-day attacks by sharing a collective knowledge.
