Reputation scoring changes the enterprise security game

Scoring a sender's reputation is already working for antispam services -- now the idea is to use that technique in the firewall and other perimeter devices

Page 3 of 4

Cisco hasn't yet incorporated the SenderBase IP reputation service into its firewalls or IPSs, but such a move has been widely anticipated since the IronPort acquisition. The company has indicated related announcements would be forthcoming at this month's RSA Conference 2009, and Peterson certainly suggests such integration is imminent. "We think it's time to add some of these factors to the IPSs and firewall connections. Why should those devices be off on their own to make decisions if there's a huge amount of reputation information that could be available to them?" he says.

That's just what Don Bertier, chief security officer at Savvis, a St. Louis-based IT infrastructure services provider, has wondered. The company already uses Cisco's reputation-based IronPort Web security appliances, and has discussed how adding a reputation database to its firewalls could reduce threats coming into the DMZ and Internet portals, he says. "I see reputation moving toward the perimeter, and we're curious to see what Cisco will do to integrate it as a natural, enabled item on its firewalls."

Alternatively, Bertier adds, "I could have a couple of my smart-guy engineers ... manufacture some type of blacklist capability themselves, but to stay on top of that would take too much of their energy. Having the automation and seamless integration into a firewall would be much better."

For his part, Opus One's Snyder has been pondering just what an integrated reputation database would mean from the IPS perspective. He envisions three possibilities.

  • In the first and most straightforward case, the reputation score would provide one more way of identifying which events need attention. "This wouldn't affect the behavior of the IPS at all, but it would help the analyst be smarter about what to look at and what to ignore," Snyder says.
  • In another scenario, an IPS would replicate the role of an e-mail or Web security gateway, thus reducing those devices' processing burdens. While reducing the gateway loads on bigger networks could be a smart, easy thing to do, the volumes at smaller companies wouldn't necessarily warrant the addition of a reputation-based IPS, Snyder says.
  • The third possibility is the most promising -- but also the most difficult to do, he adds. In this case, the IPS would change its behavior based on an IP connection's reputation, not just in response to spam or Web traffic. "For example," he explains, "I might set the IPS to block traffic to anyone with a bad reputation. Or, I might say, 'If you trigger a signature and your reputation is bad, then I'll drop your packet' or 'If you trigger a signature and your reputation is good, then I'll assume it's a false-positive and I won't drop your packet.'"
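
The first and third possibilities above can be sketched as policy logic. This is an added example, not code from the article or from any vendor; the score scale (-10 to +10), the thresholds, the `Event` fields, the action names and the sample events are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed scale: -10 (worst) to +10 (best). Thresholds are illustrative.
BAD, GOOD = -3.0, 3.0

@dataclass
class Event:
    src_ip: str
    signature: Optional[str]     # None = no signature fired
    reputation: Optional[float]  # None = source unknown to the reputation feed

def band(score):
    if score is None:
        return "unknown"
    return "bad" if score <= BAD else "good" if score >= GOOD else "neutral"

def triage(events):
    """Possibility 1: IPS behaviour unchanged; hits are ordered worst reputation first."""
    hits = [e for e in events if e.signature]
    # An unknown reputation sorts as 0.0, i.e. alongside neutral sources.
    return sorted(hits, key=lambda e: e.reputation if e.reputation is not None else 0.0)

def enforce(event, block_bad_outright=False):
    """Possibility 3: the connection's reputation changes what the IPS does."""
    rep = band(event.reputation)
    if block_bad_outright and rep == "bad":
        return "drop"            # "block traffic to anyone with a bad reputation"
    if event.signature is None:
        return "pass"
    if rep == "bad":
        return "drop"            # signature fired and reputation is bad
    if rep == "good":
        return "pass-log"        # assumed false positive; logging it is this example's choice
    return "alert"               # neutral or unknown: fall back to signature-only handling

# Constructed sample events (documentation address ranges, made-up signature names).
EVENTS = [
    Event("192.0.2.10", "SIG-A", 7.5),
    Event("198.51.100.7", "SIG-A", -8.0),
    Event("203.0.113.5", None, -6.0),
    Event("203.0.113.9", "SIG-B", None),
]

if __name__ == "__main__":
    print([(e.src_ip, enforce(e)) for e in triage(EVENTS)])
```

Sources with no score fall through to plain signature handling, so a gap in the reputation feed never loosens or tightens the policy on its own.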

Until Cisco and others make their IPS-reputation integration plans clear, and then users start testing, Snyder sits on the fence regarding potential enterprise value. "Playing around with a reputation-based IPS is likely to do no harm for an enterprise, but the question I have is whether it will do any good."

Pairing reputation and identity

One thing that is clear is that the network won't be the stopping point for IP reputation services, according to industry watchers. "This is a lot bigger than firewalls or spam," says Andreas Antonopoulos, an analyst at Nemertes Research.

For example, look at the synergy between reputation and identity, Antonopoulos says. Simply put, he says, "Reputation and identity work very well together, and reputation enhances identity."
