Network IPS Buyer's Guide: Cisco - Page 3
Cisco battles threats by embedding IPS in switches, routers, firewalls, and appliances.
Cisco IPS Manager Express (IME) can be used to manage small NIPS deployments of up to 5 sensors, providing basic configuration, real-time monitoring, alerting and reporting. Larger deployments of up to 5,000 devices are handled in an integrated fashion by Cisco Security Manager, which also manages Cisco firewall, router, and VPN products.
Cloud sourcing threat intelligence
According to Carskadden, Cisco IPS makes use of cloud-sourced reputation data in several ways. "One is dynamic blacklisting -- based off intelligence about threat environments at large, we can block the Internet's most wanted. This has been an effective approach for the network IPS market as a whole."
But Carskadden stressed that Cisco's major differentiator is an integrated inspection plane. "By combining signature intelligence with reputation intelligence, we can see activities that in and of themselves would not be conclusive," he explained. "If we can correlate those activities to a source associated with broad-based hacking, that's where we can gain efficacy. We have seen that intelligence modify greater than 80 percent of signatures that fire in edge IPS deployments. That shows that we can stop twice as much by using these together than we can with signatures alone."
Cisco's primary source of threat intelligence is live deployment of Cisco security technologies. "We've gone through our Web security products, our email security products, and our IPsec clients, enabling all of these to send us what they're seeing. That gives us about 4 terabytes of data per day -- not just flow data, but specific threat data," said Carskadden. Cisco's next step, he said, will be pulling in threat data sourced from core routing technologies.
But how does Cisco turn this huge pile of data into actual intelligence that can be applied to IPS? According to Carskadden, this is where Cisco development efforts have recently been focused. "The key is where we see overlaps between different types of environments. If we can see that a host [associated with an IPS event] has sent spam before that might be a good indicator that it's infected. We also see a great correlation between content hosting and threats, such as websites that host ads for on-line gambling and websites that host malware. Pairing these datasets is a force multiplier. You're not just gaining intelligence -- you're incrementally increasing your visibility," he said.
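As an added example (not Cisco's code or scoring; the weights, thresholds, addresses and feed contents are all assumed for illustration), the following Python sketches the correlation described above: a signature hit that is inconclusive on its own is scored together with what the reputation feed already knows about the source, dynamic blacklist entries are dropped before any signature is consulted, and the share of events whose action changed once reputation was applied is reported, which is the kind of figure the 80 percent claim refers to.

```python
"""Combining signature verdicts with source reputation (illustrative).

A signature hit that is inconclusive on its own becomes actionable when the
source is already known for spam, malware hosting or mass scanning, and
addresses on a dynamic blacklist are dropped before any signature is consulted.
All feeds, weights and thresholds below are constructed; they are not Cisco's
data or scoring.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, Tuple

# Weight each kind of prior sighting adds to a signature's base score (assumed values).
SIGHTING_WEIGHTS = {
    "spam": 15,             # host has sent spam before
    "malware_hosting": 25,  # host has served malware before
    "mass_scanning": 20,    # host has been seen scanning broadly
}
MAX_REPUTATION_BOOST = 40   # reputation alone never pushes a clean-looking event to "deny"

# Action thresholds on the combined 0-100 score (assumed).
DENY_AT = 90
ALERT_AT = 70


@dataclass(frozen=True)
class IpsEvent:
    sig_id: int       # signature that fired
    src: str          # source address of the offending traffic
    base_score: int   # 0-100 confidence/severity from the signature alone


@dataclass(frozen=True)
class ReputationFeed:
    blacklist: Tuple[str, ...]              # "most wanted" networks, blocked outright
    sightings: Dict[str, Tuple[str, ...]]   # src IP -> kinds of bad behaviour seen before

    def is_blacklisted(self, src: str) -> bool:
        addr = ip_address(src)
        return any(addr in ip_network(net) for net in self.blacklist)

    def boost(self, src: str) -> int:
        raw = sum(SIGHTING_WEIGHTS.get(kind, 0) for kind in self.sightings.get(src, ()))
        return min(raw, MAX_REPUTATION_BOOST)


def action_for(score: int) -> str:
    """Map a 0-100 score to the sensor action."""
    if score >= DENY_AT:
        return "deny"
    if score >= ALERT_AT:
        return "alert"
    return "log"


def evaluate(event: IpsEvent, feed: ReputationFeed) -> Tuple[str, int, str]:
    """Return (action, combined_score, reason) for one event."""
    if feed.is_blacklisted(event.src):
        return "deny", 100, "dynamic blacklist"
    boost = feed.boost(event.src)
    combined = min(100, event.base_score + boost)
    reason = "signature only" if boost == 0 else f"signature + reputation (+{boost})"
    return action_for(combined), combined, reason


def share_modified(events: Iterable[IpsEvent], feed: ReputationFeed) -> float:
    """Fraction of events whose action changed once reputation was consulted."""
    events = list(events)
    if not events:
        return 0.0
    changed = sum(1 for e in events if evaluate(e, feed)[0] != action_for(e.base_score))
    return changed / len(events)


# Constructed sample feed and events (documentation-range addresses).
FEED = ReputationFeed(
    blacklist=("203.0.113.0/24",),
    sightings={
        "198.51.100.7": ("spam", "malware_hosting"),
        "198.51.100.9": ("mass_scanning",),
    },
)
EVENTS = [
    IpsEvent(5001, "192.0.2.10", 60),     # clean source, inconclusive signature
    IpsEvent(5001, "198.51.100.7", 60),   # same signature, source known for spam + malware hosting
    IpsEvent(5002, "198.51.100.9", 55),   # known scanner, modest signature
    IpsEvent(5003, "203.0.113.77", 20),   # blacklisted network, weak signature
]

if __name__ == "__main__":
    for e in EVENTS:
        print(e.sig_id, e.src, *evaluate(e, FEED))
    print(f"actions modified by reputation: {share_modified(EVENTS, FEED):.0%}")
```

The cap on the reputation boost is the caveat a practitioner would want: reputation should turn a real but weak signature hit into a block, not turn every packet from a badly reputed source into a block regardless of what it carries; the separate blacklist path is where outright blocking by source belongs.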
In summary, Cisco's approach to NIPS is multi-faceted. As with many other areas of network security, Cisco has defined a broad NIPS architecture into which individual products within its portfolio can fit. Where possible, Cisco offers NIPS capabilities running on a customer's existing network device; this approach often appeals to smaller environments that tend to prefer consolidation for the sake of simplicity. For those who want dedicated devices, Cisco offers NIPS appliances, as well as dedicated hardware modules that can be paired with other network devices for the sake of performance. As the world's largest network equipment manufacturer, Cisco is in a unique position to gather network-based threat information. Feeding that data into Cisco IPS is clearly beneficial, so long as customers have the visibility and manageability needed to put this power to good use.
Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. With over 25 years in the network industry, Lisa has reviewed, deployed, and tested network security products for nearly a decade.