Would you like your IPS to use over half a million sensors instead of just the ones you deploy? Cisco IPS 7.0 introduced Global Correlation which uses information from SensorBase to help you determine if incoming traffic is from a known hostile host or from a legitimate source. But let’s not get ahead of ourselves.
SensorBase is a reputation service.
So what is reputation?
If I go out to a restaurant to eat and I’m dissatisfied with the service I get, you can bet I will tell my friends about it. If the restaurant were to serve my chicken raw I can guarantee that I would spread the word and warn people. My friends would probably take my advice and avoid the place, some might even tell some of their friends. However this doesn’t scale at all since there are a lot of people I don’t know. Others might go to the restaurant having never heard my warning. Another problem with this example is that I might just have caught them on a bad day and others might love the restaurant. If my friends knew that 50 people loved the restaurant and I alone thought it was bad, they wouldn’t give my words much credit.
SensorBase gives each IP address a score between -10 and +10, where -10 is the worst possible score. Unlike me warning my friends about a particular restaurant SenderBase scales, it is the world’s largest traffic monitoring network. With over 700 000 deployed sensors world wide it sees a lot of traffic. It is in use by 8 of the 10 top global ISP’s and also collects information from 500 third party feeds. It uses a lot of factors to determine the reputation of an IP address.
If an IP address has a very low score SensorBase score you probably don’t want traffic from that host entering your network. You can be pretty sure that there has been a lot of malicious activity from that address.
I will avoid the restaurant which gave me bad food for years to come, i.e. black listing. Even if the restaurant fires the chef the next day they will still be on my black list.
The reputation service provided by SensorBase doesn’t work that way, since traffic is constantly being monitored by all sensors an IP address which was considered to be very hostile two months ago might have a positive score today. The other side of this coin is that a “good” IP address can fall from grace if the sensors start seeing repeated malicious activity.
I’m sure I’m not alone when I say that I’ve found an IP address in a log file and wondered what it was, checking DNS and whois records to see if it is anything to worry about. Now I can just ask SensorBase about its opinion and save me some time.
Origins of Cisco SensorBase
When Cisco bought IronPort in 2007, SenderBase was part of the deal. SenderBase was IronPort’s reputation service for their anti spam solution. Instead of just relying in signatures IronPort developed SenderBase in order to be able to drop connections from known bad hosts based on the reputation of those hosts. Currently SenderBase sees over 30% of the world’s email traffic (that quite some SPAM :)).
A lot of SPAM includes a link to a website, it turns out that a lot of these websites are hosted on the same infected machines which are sending the SPAM. Since IronPort already had a huge reputation database with all these IP addresses they saw an opportunity to use this database for other services aside from pure anti spam. They then created the S-Series web security appliances. The name SenderBase remained the same even though it wasn’t only concerned by “senders” at that time.
As more products are beginning to use the reputation service Cisco has now rebranded it as SensorBase.
Aside from being used by the IronPort Web and Email security products, SensorBase is used by Cisco IPS 7.0. The botnet traffic filter function which came with Cisco ASA 8.2 also uses SensorBase, though it currently doesn’t block any traffic it can really open your eyes as to what kind of hosts your end nodes are talking to.
It would have been cool to see SensorBase integrated with Cisco Security Agent, but you can’t have everything. However I’m sure we’re going to see SensorBase becoming available to more and more products, and the larger the monitoring network grows the better the service becomes.