User Guide for Cisco Security Manager 4.4
OL-28826-01

Chapter 41
Configuring Global Correlation

You can configure global correlation so that your sensors are aware of network devices with a reputation
for malicious activity and can take action against them. Global correlation allows you to dynamically
use information about malicious activity collected from networks around the globe to change the risk
rating of events that have known bad devices as their source.

To configure global correlation, your sensor must be running IPS 7.0+ software. Global correlation is
not available on Cisco IOS IPS devices.

This chapter contains the following topics:
• Understanding Global Correlation
• Configuring Global Correlation Inspection and Reputation
• Configuring Network Participation

Understanding Global Correlation

You can configure global correlation so that your sensors are aware of network devices with a reputation
for malicious activity and can take action against them. IPS devices that participate in the SensorBase, a
centralized Cisco threat database, receive and absorb global correlation updates. The reputation data
contained in the global correlation updates is factored into the analysis of network traffic, which
increases IPS efficacy, because traffic is denied or allowed based on the reputation of the source IP
address. The participating IPS devices send data back to the Cisco SensorBase Network, which results
in a feedback loop that keeps the updates current and global.

Tip: The Botnet Traffic Filter feature of adaptive security appliances (ASA) is another dynamic feature you
can deploy in your network to defend against malicious activity. Configuring global correlation on IPS
devices and Botnet Traffic Filtering on ASA firewalls can be an effective combined security
implementation. For more information about Botnet Traffic Filtering, see Chapter 19, “Managing
Firewall Botnet Traffic Filter Rules”.

There are three main features of global correlation:
• Global Correlation Inspection—The IPS uses the global correlation reputation knowledge of
attackers to influence alert handling and to deny actions when attackers with a bad score are seen on
the sensor. For more information about reputation, see Understanding Reputation, page 41-2.
• Reputation Filtering—Applies automatic deny actions to packets from known malicious sites.