The Cisco Threat Operations Center uses dynamic updates and actionable intelligence obtained from ASAs, IPSs, Email security appliances, web security appliances, and system administrators to calculate a web reputation score for web sites. Web reputation is a statistical assessment based on context and past behavior and combines many factors of varying significance into one correlated metric. Similar to a person’s credit score, web reputation is a continuous value along a graduated scale from -10 to 10. By defining a low reputation zone, you can implement predictive, zero-day protection against low reputation sites, the ones that are most likely to serve malware to your users.
Following is a general guideline to the web reputation scores:
- -10 to -6
  Sites in the lowest reputation zone are dedicated or hijacked sites that persistently distribute keyloggers, rootkits, and other malware. Also included are phishing sites, bots, and drive-by installers. Sites in this reputation range are almost guaranteed to be malicious.
  The pre-defined default web reputation profile defines this zone as the low reputation zone.
- -6 to -3
  Sites in this zone tend to be aggressive ad syndication and user tracking networks. These sites are suspected of being malicious, but maliciousness has not been confirmed.
- -3 to 3
  Sites in this zone tend to be well-managed, responsible content syndication networks and user-generated content sites.
- 0 to 5
  Sites in this zone have some history of responsible behavior or third-party validation.
- 5 to 10
  Sites in this zone have a long history of responsible behavior, have significant traffic volume, and are widely accessed.
To implement reputation-based processing, you apply a web reputation profile to the following types of policy:
- Access policies that allow traffic. By adding a web reputation profile, the policy will in general allow matching traffic, but drop any traffic from a low reputation site. You can apply the profile to any or all access policies that have the Allow action.
- Decryption policies whose action is Decrypt Potentially Malicious Traffic. By adding a web reputation profile, any low reputation sites that match the policy will be decrypted, so that access policies have knowledge of the content of the traffic. The access policies can then drop the traffic if configured to do so. Even if you do not have a matching access policy that drops the traffic, decrypting the low reputation traffic provides data for reports that is otherwise unavailable for encrypted TLS/SSL traffic flows.
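To make the interaction between the two policy types concrete, the following is an added model (not Cisco code) of how a web reputation profile changes the outcome for one flow: the decryption policy runs first and decides whether a TLS flow is decrypted, then the access policy decides whether it is allowed or dropped. The inclusive zone boundaries, the policy action labels, and the single shared profile are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class WebReputationProfile:
    """Low reputation zone of a profile. The pre-defined default profile
    uses -10 to -6; both ends are assumed inclusive here."""
    low_zone_min: float = -10.0
    low_zone_max: float = -6.0

    def is_low_reputation(self, score: float) -> bool:
        if not -10.0 <= score <= 10.0:
            raise ValueError(f"reputation score out of range: {score}")
        return self.low_zone_min <= score <= self.low_zone_max

DEFAULT_PROFILE = WebReputationProfile()

# Assumed action labels mirroring the page's policy actions.
ACCESS_ACTIONS = {"allow", "deny"}
DECRYPT_ACTIONS = {"decrypt", "decrypt_potentially_malicious", "do_not_decrypt"}

def evaluate_flow(score: float, is_tls: bool, access_action: str,
                  decrypt_action: str,
                  profile: Optional[WebReputationProfile] = DEFAULT_PROFILE
                  ) -> Tuple[bool, str, bool]:
    """Return (decrypted, final_action, content_visible_in_reports).
    profile=None models policies with no web reputation profile attached."""
    if access_action not in ACCESS_ACTIONS or decrypt_action not in DECRYPT_ACTIONS:
        raise ValueError("unknown policy action")
    low = profile is not None and profile.is_low_reputation(score)

    # Stage 1: decryption policy (TLS flows only). Only the
    # "Decrypt Potentially Malicious Traffic" action consults the profile.
    decrypted = False
    if is_tls:
        if decrypt_action == "decrypt":
            decrypted = True
        elif decrypt_action == "decrypt_potentially_malicious" and low:
            decrypted = True
        # "do_not_decrypt" leaves the flow encrypted

    # Stage 2: access policy. An Allow policy with a profile still drops
    # low reputation sites; a Deny policy drops regardless of reputation.
    final_action = "drop" if (access_action == "deny" or low) else "allow"

    # Content-level report data exists only for cleartext or decrypted flows.
    visible = (not is_tls) or decrypted
    return decrypted, final_action, visible
```

Widening the zone (for example `WebReputationProfile(low_zone_max=-3.0)`) shows the effect of defining your own low reputation zone: a score of -4 is then decrypted and dropped instead of passing through untouched.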
For access policies, you can configure a device-level profile and have the policy use that profile. You can then easily change your default filtering policy by editing the Malware Protection settings.
The following procedure shows how to implement reputation-based processing to drop or decrypt traffic flows for sites in the -10 to -6 zone. This example assumes that you have defined your access policies, that you have enabled decryption, and that you have some decryption policies that use the Do Not Decrypt action (or that you would like to reduce the amount of traffic that you decrypt).