41-4
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 41 Configuring Global Correlation
Understanding Global Correlation
To configure network participation, the IPS device requires at least 100 MB of available memory, a
network connection to the sensor, and a network connection to the Internet. For information on
configuring network participation, see Configuring Network Participation, page41-7.
Global Correlation Requirements and Limitations
The following list explains the requirements that you must meet to configure and successfully use global
correlation on IPS devices. It also explains some limitations.
Valid license—You must have a valid sensor license for global correlation features to function. You
can still configure and display statistics for the global correlation features, but the global correlation
databases are cleared and no updates are attempted. Once you install a valid license, the global
correlation features are reactivated. For information on configuring licenses, see Updating IPS
License Files, page 43-1.
Agree to Network Participation disclaimer—If you decide to configure network participation,
you must accept the disclaimer. For more information, see Understanding Network Participation,
page 41-3 and Configuring Network Participation, page41-7.
External connectivity for sensor and a DNS server or HTTP proxy—Global correlation requires
the sensor to connect to the Cisco SensorBase Network. Domain name resolution is also required
for these features to function. You can either configure the sensor to connect through an HTTP proxy
server that has a DNS client running on it, or you can assign an Internet routeable address to the
management interface of the sensor and configure the sensor to use a DNS server. For more
information, see Identifying DNS Servers, page 35-22 and Identifying an HTTP Proxy Server,
page 35-23.
Sensor in inline mode—The sensor must operate in inline mode so that the global correlation
features can increase efficacy by being able to use the inline deny actions.
Sensor and IPS version that supports the global correlation features—The sensor must run IPS
7.0+ software. You cannot configure global correlation on Cisco IOS IPS devices.
Sufficient available memory—To configure network participation, the IPS device requires at least
100 MB of available memory.
Table41-1 Network Participation Data Sharing and Usage
Participation Level Type of Data Purpose
Partial Protocol attributes (TCP maximum
segment size and options string, for
example).
Tracks potential threats and helps Cisco
to understand threat exposure.
Attack type (signature fired, including
signature ID and version, risk rating,
and reputation, for example).
Used to understand current attacks and
attack severity.
Connecting IP address and port. Identifies attack source.
Summary IPS performance (CPU
utilization, memory usage, inline vs
promiscuous, for example).
Tracks product efficacy.
Full Victim IP address and port. Detects threat behavioral pattern.