Testing Cisco IPS 7.0's reputation filtering

The traditional way of querying a reputation service database, by DNS queries, wouldn't work in an IPS environment. Instead, IPS 7.0 downloads the entire reputation service database and keeps it frequently updated. No additional license is required to use reputation filtering, but you must have an active license and Cisco support agreement to turn on downloading.

From there, enabling Reputation Filtering is as simple as clicking a single button. There are no thresholds or parameters to set — Cisco told us that no normal site could ever be blocked by Reputation Filtering, because the reputation service score required to block is -10, as bad as it gets.

The IPS 7.0 software does have a "test" button, which lets you see what the IPS would have done without actually blocking any traffic on the basis of reputation.

We started out, as Cisco recommended, by turning on Reputation Filtering, and quickly ran into one of the weak parts in this new feature: reporting and status information.

Reputation Filtering blocks do not show up as standard IPS events. Instead, the information is aggregated and reported at the bottom of an obscure, 10-page, text-only report. What you get are network block numbers (such as 94.232.248.0/21, a Russian site hosting such domains as "trustedtablets.com," "ultimatepillstore.com," and "viagracomparison.com") and the number of denied packets from that network block.

What you don't get is any background information on the site being blocked, what address on your network they tried to connect to, or what TCP or UDP port is being probed. This means you can't tell whether this site was simply trying to send you spam or whether a more malicious attack was brewing.

Alternatively, you can see a report that presents a bar chart showing how many packets have been blocked by Reputation Filtering, but it was one of the least informative uses of a bar chart that we've ever seen.

Over the two-week test period, we didn't see a huge number of denied packets — an average of about one per minute, or 1,500 a day (see "How we tested" for more details on our traffic loads). If Reputation Filtering is simply taking some of the load off of your anti-spam gateway, 1,500 blocked connections a day isn't worth much — the site we tested Reputation Filtering with is already blocking about 400,000 connections a day using reputation services with an anti-spam gateway.