Summary
A number of issues have been identified in the Reputation and GEO filtering feature on the IPS.
Details
Product Bulletin #: 1052
Subject: IPS IP Reputation Policy Enforcement Issues
Date of Announcement: September 3, 2015
Date of Update: October 2, 2015
Summary: A number of issues have been identified in the Reputation and GEO filtering feature on the IPS. These issues are related to how the IPS engine handles the caching of Reputation and GEO IP addresses, and can manifest in the following incorrect behaviors:
- IPS does not consistently block Reputation or user-defined IP entries
- IPS does not consistently block GEO based filters
- IPS does not honor reputation filter precedence
- Inconsistent Reputation events when using Reputation filters with a permit + notify action
The reputation engine needs to check the source and destination IP address of every IP packet against a potentially very large database of ThreatDV reputation, manual reputation and geo-location IP addresses. To optimize this for scalability and performance, the IPS implements a caching mechanism that caches IP addresses between the data plane (fast but smaller) and the control plane (slower but larger). Addressing issues found in the caching mechanism resolves the reputation behavior highlighted above.
Affected Products and Versions
TOS Version | Products |
3.6.4 and earlier | S10, S110, S330 |
3.8.0 and earlier | S660N, S1400N, S2500N, S5100N, S6100N, S2600NX, S5200NX, S6200NX, S7100NX, S7500NX |
Recommended Actions
- S10, S110 and S330 customers who use the Reputation or GEO filtering feature should upgrade to TOS 3.6.5 at their earliest convenience. For information on TOS v3.6.5, please refer to the product release notes.
- N/NX-Platform customers who use the Reputation or GEO filtering feature should upgrade to TOS 3.8.1 at their earliest convenience. For information on TOS v3.8.1, please refer to the product release notes.
If you have concerns or further questions regarding this issue, contact the Trend Micro™ TippingPoint Technical Assistance Center (TAC).
Thank you,
Trend Micro™ TippingPoint