Table of Contents
Introduction xxviii
Part I Introduction to Intrusion Prevention and Detection, Cisco IPS Software, and Supporting Devices 3
Chapter 1 Intrusion Prevention and Intrusion Detection Systems 5
“Do I Know This Already?” Quiz 5
Foundation Topics 8
Intrusion Prevention Overview 8
Intrusion Detection Versus Intrusion Prevention 8
Intrusion Prevention Terminology 9
Intrusion Prevention Systems 12
Features of Network Intrusion Prevention Systems 13
Limitations of Network Intrusion Prevention Systems 14
Network Intrusion Prevention Approaches 14
Endpoint Security Controls 16
Host-Based Firewalls 17
API and System Call Interception 17
Cisco Security Agent 17
Antimalware Agents 18
Data Loss Prevention Agents 19
Cryptographic Data Protection 19
A Systems Approach to Security 20
Exam Preparation Tasks 21
Review All the Key Topics 21
Complete the Tables and Lists from Memory 21
Define Key Terms 21
Chapter 2 Cisco IPS Software, Hardware, and Supporting Applications 23
Overview 23
“Do I Know This Already?” Quiz 23
Foundation Topics 26
Cisco IPS Network Sensors 26
Cisco IPS 4200 Series Sensors 27
Cisco IPS 4240 Sensor 28
Cisco IPS 4255 Sensor 29
Cisco IPS 4260 Sensor 30
Cisco IPS 4270 Sensor 32
Sensing Interface Details 33
10GE Interface Card 33
4GE Bypass Interface Card 33
2SX Interface Card 34
Cisco ASA AIP SSM and AIP SSC-5 Modules 34
Cisco Catalyst 6500 Series IDSM-2 Module 35
Cisco AIM-IPS and NME-IPS Supported on Cisco ISR Routers 36
Cisco IPS Software Architecture 38
Cisco IPS Management Products 41
Cisco IPS Device Manager 42
Cisco IPS Manager Express 42
Cisco Security Manager 43
Cisco Security MARS 43
Cisco Security Intelligence Operations and Cisco Security IntelliShield Alert Manager Service 45
Cisco Security IntelliShield Alert Manager Service 47
Summary 48
References 48
Exam Preparation Tasks 49
Review All the Key Topics 49
Definitions of Key Terms 49
Chapter 3 Network IPS Traffic Analysis Methods, Evasion Possibilities, and Anti-evasive Countermeasures 51
Overview 51
“Do I Know This Already?” Quiz 51
Foundation Topics 54
Network IPS Traffic Analysis Methods 54
Stateful Content Matching 54
Protocol Decoding 55
Traffic Correlation 55
Rate Analysis 55
Packet Header Matching 56
Packet Content Matching 56
Statistical Modeling 57
Event Correlation 57
Network IPS Evasion Techniques 57
Encryption and Tunneling 58
Timing Attacks 58
Resource Exhaustion 58
Traffic Fragmentation 59
Protocol-Level Misinterpretation 59
Traffic Substitution and Insertion 60
Summary 63
References 63
Exam Preparation Tasks 64
Review All the Key Topics 64
Complete the Tables and Lists from Memory 64
Definitions of Key Terms 64
Chapter 4 Network IPS and IDS Deployment Architecture 67
Overview 67
“Do I Know This Already?” Quiz 67
Foundation Topics 70
Sensor Deployment Considerations 70
Security Considerations 70
Prevention Mode Versus Detection Mode 70
Performance Considerations 71
Virtualization Requirements 72
Network IPS Implementation Guidelines 72
Enterprise or Provider Internet Edge 73
Wide-Area Network 75
Implementing an IPS in Data Centers 78
Centralized Campus 79
Design and Implementation Resources 81
Summary 81
Exam Preparation Tasks 82
Review All the Key Topics 82
Definitions of Key Terms 82
Part II Installing and Maintaining Cisco IPS Sensors 85
Chapter 5 Integrating the Cisco IPS Sensor into a Network 87
Overview 87
“Do I Know This Already?” Quiz 87
Foundation Topics 90
Sensor Deployment Modes 90
Deploying Sensors in Promiscuous Mode 90
Deploying Sensors in Inline Interface Pair Mode 100
Deploying Sensors in Inline VLAN Pair Mode 102
Deploying Sensors in Inline VLAN Group Mode 103
Deploying Sensors in Selective Inline Analysis Mode 105
Design and Implementation Resources 107
Summary 107
Exam Preparation Tasks 108
Review All the Key Topics 108
Definitions of Key Terms 108
Chapter 6 Performing the Cisco IPS Sensor Initial Setup 111
Overview 111
“Do I Know This Already?” Quiz 111
Foundation Topics 114
Accessing and Using the Cisco IPS Sensor CLI 114
IPS Modules 114
Command-Line Interface Features 116
Command-Line Interface Uses 119
Command-Line Interface Modes 119
Initializing the Cisco IPS Sensor 123
Introducing and Configuring Cisco IPS Device Manager 126
Deploying and Configuring Cisco IPS Sensor Interfaces 130
Creating Promiscuous Interfaces 132
Creating Inline Interface Pairs 133
Creating Inline VLAN Pairs 133
Creating Inline VLAN Groups 133
Configuring a CDP Policy 134
Configuring Traffic Flow Notifications 134
Configuring Sensor Bypass 135
Troubleshooting the Initial Cisco IPS Sensor Configuration 136
Troubleshooting the Cisco IPS Sensor Hardware 138
Restoring the Cisco IPS Sensor Default Settings 138
Summary 138
References 139
Exam Preparation Tasks 140
Review All the Key Topics 140
Definitions of Key Terms 140
Chapter 7 Managing Cisco IPS Devices 143
Overview 143
“Do I Know This Already?” Quiz 143
Foundation Topics 146
Managing Basic IPS Sensor Device Features 146
Reconfiguring Basic Network Settings 146
Configuring Time and Time Zone 147
Scheduling Sensor Reboots 150
Viewing the Local Sensor Events Log 150
Managing Users and Remote Management Channels 151
Sensor Local User Accounts 151
Managing the Sensor’s Authentication Credentials 153
Managing Remote Management Access Rules 154
Managing Cisco IPS Licensing 155
Upgrading and Recovering Cisco IPS Sensor Software 157
Updating Cisco IPS Signatures 160
Recovering System Passwords 162
Monitoring Cisco IPS Sensor Health and Performance 163
Displaying and Troubleshooting the Sensor 163
Monitoring Sensor Health and Performance 165
Summary 167
References 168
Exam Preparation Tasks 169
Review All the Key Topics 169
Definitions of Key Terms 169
Part III Applying Cisco IPS Security Policies 171
Chapter 8 Configuring Basic Traffic Analysis 173
Overview 173
“Do I Know This Already?” Quiz 173
Foundation Topics 176
Configuring the Default Virtual Sensor 176
Assigning and Verifying Traffic Sources to the Default Virtual Sensor 176
Understanding Cisco IPS Sensor Inline Traffic Normalization 177
Clearing Flow States 177
Configuring Cisco IPS Sensor Promiscuous Mode Traffic Reassembly Options 179
IP Fragment Reassembly 179
TCP Stream Reassembly 180
Configuring TCP Session Tracking 181
Understanding IPv6 Support in Cisco IPS Sensors 182
Selecting and Configuring Cisco IPS Sensor Bypass 183
Summary 184
References 185
Exam Preparation Tasks 186
Review All the Key Topics 186
Definitions of Key Terms 186
Chapter 9 Implementing Cisco IPS Signatures and Responses 189
Overview 189
“Do I Know This Already?” Quiz 189
Foundation Topics 192
Cisco IPS Signatures 192
Signature Engines 193
Alerts 193
Configuring Basic Signature Properties 197
Enabling and Disabling Signatures 200
Retiring and Activating Signatures 200
Configuring Signature Actions 201
Signature Detective Actions 201
SNMP Traps 202
Signature Preventive Actions 202
Managing Denied Attackers 205
Detective Signature Action Implementation Guidelines 205
Preventive Signature Action Implementation Guidelines 206
Configuring Remote Blocking 207
Using ACLs on a Router 207
Configuration Tasks 208
Configuring Packet Capture and IP Logging 214
Downloading, Saving, and Stopping IP Logs 218
Understanding Threat and Risk Management 219
Risk Rating Calculation 221
Threat Rating 221
Understanding and Configuring Event Action Overrides 223
Using Event Action Filters 226
Choosing an Action Configuration Strategy 228
Examining Alerts in IPS Event Logs 229
Viewing Events in the Cisco IDM 232
Summary 233
References 234
Exam Preparation Tasks 235
Review All the Key Topics 235
Complete the Tables and Lists from Memory 235
Definitions of Key Terms 235
Chapter 10 Configuring Cisco IPS Signature Engines and the Signature Database 237
Overview 237
“Do I Know This Already?” Quiz 237
Foundation Topics 239
Using Cisco IPS Signature Engines and Configuring Common Signature Engine Parameters 239
Signature and Signature Engines 239
Trigger Counting 243
Summary Key 244
Alarm Summarization 244
Dynamic Alarm Summarization 244
Deploying ATOMIC Signature Engines 245
ATOMIC IP Signature Example 245
Implementation Guidelines for ATOMIC Signature Engines 246
Deploying STRING Signature Engines 246
STRING TCP Signature Example 246
Implementation Guidelines for STRING Signature Engines 247
Deploying SERVICE Signature Engines 247
SERVICE HTTP Signature Example 248
Implementation Guidelines for SERVICE Signature Engines 248
Deploying FLOOD Signature Engines 249
FLOOD Signature Example 249
Implementation Guidelines for FLOOD Signature Engines 249
Deploying SWEEP Signature Engines 250
SWEEP Signature Example 250
Implementation Guidelines for SWEEP Signature Engines 250
Deploying the META Signature Engine 251
META Correlation Example 251
Implementation Guidelines for META Signature Engines 251
Deploying the NORMALIZER Engine 252
NORMALIZER Engine Example 252
Implementation Guidelines for the NORMALIZER Engine 252
Deploying Other Engines 253
AIC Signature Engine Example 253
Implementation Guidelines for AIC Engines 253
Summary 254
References 254
Exam Preparation Tasks 255
Review All the Key Topics 255
Complete the Tables and Lists from Memory 255
Definitions of Key Terms 255
Chapter 11 Deploying Anomaly-Based Operation 257
Overview 257
“Do I Know This Already?” Quiz 257
Foundation Topics 259
Anomaly Detection Overview 259
Scanning Worm Details 259
Anomaly Detection Components 260
Histograms 261
Zones 261
Learning 261
Signatures Related to Anomaly Detection 262
Configuring Anomaly Detection 262
Default Anomaly Detection Policy ad0 262
Verifying Anomaly Detection 271
Verifying Anomaly Detection at the Command Line 273
Troubleshooting Anomaly Detection 274
Summary 275
References 275
Exam Preparation Tasks 276
Review All the Key Topics 276
Definitions of Key Terms 276
Part IV Adapting Traffic Analysis and Response to the Environment 279
Chapter 12 Customizing Traffic Analysis 281
Overview 281
“Do I Know This Already?” Quiz 281
Foundation Topics 283
Understanding Custom Signatures 283
Creating Custom Signature Guidelines 283
Selecting Criteria to Match 284
Regular Expressions 284
Using the Custom Signature Wizard 285
Signature Wizard, Specifying the Engine 286
Verifying the Custom Signature 293
Signature Wizard, Without Specifying the Engine 297
Creating Custom Signatures, Without the Wizard 306
Summary 308
References 308
Exam Preparation Tasks 309
Review All the Key Topics 309
Definitions of Key Terms 309
Chapter 13 Managing False Positives and False Negatives 311
Overview 311
“Do I Know This Already?” Quiz 311
Foundation Topics 313
Identifying False Positives and False Negatives 313
False Positives 313
False Negatives 313
Tuning Consequences 314
Tuning Process Prioritization 314
Tuning to Reduce False Positives 314
Do No Harm, Initially 315
Learning About the Signatures and Why They Triggered a False Positive 316
Selecting and Verifying Signatures and Rules in Place 316
Removing All Aggressive Actions 317
Adding Verbose Alerts and Logging 319
Using the Alert Data and Logging to Tune Out False Positives 322
Tuning the Signatures Based on Your Network 327
Removing the Preliminary Overrides and Filters 328
Tuning the Sensor to Reduce False Negatives 329
Tuning a Specific Signature 330
Promiscuous Mode IP Reassembly 331
TCP Reassembly Mode 333
Normalizer Tuning 334
Application-Layer Decoding and Deobfuscation 335
Encrypted Traffic 335
Summary 336
References 336
Exam Preparation Tasks 337
Review All the Key Topics 337
Definitions of Key Terms 337
Chapter 14 Improving Alarm and Response Quality 339
Overview 339
“Do I Know This Already?” Quiz 339
Foundation Topics 341
Identifying and Adjusting Risk-Rating Components 341
Formula for Risk Rating 341
Using Attack Severity and Signature Fidelity Ratings 342
Target Value Ratings 343
Attack Relevancy Rating 345
Watch List Rating 346
Operating System Fingerprinting 346
Global Correlation and Reputation-Based Filtering 351
Reputation Filters 351
Global Correlation 351
Summary 355
References 355
Exam Preparation Tasks 356
Review All the Key Topics 356
Definitions of Key Terms 356
Part V Managing and Analyzing Events 359
Chapter 15 Installing and Integrating Cisco IPS Manager Express with Cisco IPS Sensors 361
Overview 361
“Do I Know This Already?” Quiz 361
Foundation Topics 364
Cisco IPS Manager Express Overview 364
Cisco IME Versus Cisco IDM 365
Installing Cisco IPS Manager Express 366
Installing Cisco IME 367
Integrating Cisco IPS Manager Express with Cisco IPS Sensors 370
Tuning the Cisco IPS Sensor 374
Using and Customizing the Cisco IPS Manager Express User Interface 376
Customizing Cisco IME: Dashboards 378
Adding Gadgets 380
Customizing Cisco IME: Cisco Security Center 382
Summary 385
References 386
Exam Preparation Tasks 387
Review All the Key Topics 387
Complete the Tables and Lists from Memory 387
Definitions of Key Terms 387
Chapter 16 Managing and Investigating Events Using Cisco IPS Manager Express 389
Overview 389
“Do I Know This Already?” Quiz 389
Foundation Topics 391
Managing IPS Events Using Cisco IPS Manager Express 391
Event Monitoring Views 391
Creating and Customizing Event Views 393
View Settings 393
Customizing Event Views 395
Tuning and Creating IME Filters from the Event Display 398
Saving and Deleting Events 400
Investigating IPS Events Using Cisco IPS Manager Express 401
Acting on IPS Events Using Cisco IPS Manager Express 405
Exporting, Importing, and Archiving Events 408
Summary 409
Exam Preparation Tasks 410
Review All the Key Topics 410
Complete the Tables and Lists from Memory 410
Definitions of Key Terms 410
Chapter 17 Using Cisco IPS Manager Express Correlation, Reporting, Notification, and Archiving 413
Overview 413
“Do I Know This Already?” Quiz 413
Foundation Topics 415
Configuring Event Reporting in Cisco IME 415
IME Reporting 415
Configuring and Generating Reports 416
Event Dashboards 417
Using Notifications in Cisco IME 418
Summary 420
References 420
Exam Preparation Tasks 421
Review All the Key Topics 421
Complete the Tables and Lists from Memory 421
Definitions of Key Terms 421
Chapter 18 Integrating Cisco IPS with CSM and Cisco Security MARS 423
Overview 423
“Do I Know This Already?” Quiz 423
Foundation Topics 425
Configuring Integration with Cisco Security Manager 425
Cisco Security Manager 4.0 Features and Benefits 425
Managing Cisco IPS Sensors Using Cisco Security Manager 428
Adding Sensors to Cisco Security Manager 429
Configuring Integration with Cisco Security MARS 431
Add a Cisco IPS Sensor to MARS 432
Event Feed Verification 434
Cisco Security Manager (CSM) and MARS Cross-Launch Capability 435
Summary 436
References 437
Exam Preparation Tasks 438
Review All the Key Topics 438
Complete the Tables and Lists from Memory 438
Definitions of Key Terms 438
Chapter 19 Using the Cisco IntelliShield Database and Services 441
Overview 441
“Do I Know This Already?” Quiz 441
Foundation Topics 443
Using Cisco Security Intelligence Operations 443
Security Alerts 444
Threat Analysis and Reporting 445
Resources 446
Products and Services Updates 448
IPS Threat Defense Bulletin 448
Using Cisco IntelliShield Alert Manager Service 449
Home Page 451
Alerts 452
IPS Signatures 454
Inbox 455
Product Sets 456
New Product Sets 458
Notifications 459
Reports 460
Preferences 461
Users 461
Groups 461
IntelliShield Alert Manager Service Subscription 461
Summary 461
References 462
Exam Preparation Tasks 463
Review All the Key Topics 463
Complete the Tables and Lists from Memory 463
Definitions of Key Terms 463
Part VI Deploying Virtualization, High Availability, and High-Performance Solutions 465
Chapter 20 Using Cisco IPS Virtual Sensors 467
Overview 467
“Do I Know This Already?” Quiz 467
Foundation Topics 469
Sensor Virtualization Overview 469
Virtual IPS 469
Adding, Editing, and Configuring Virtual Sensors 470
Verifying Virtual Sensor Operation 475
Summary 478
References 478
Exam Preparation Tasks 479
Review All the Key Topics 479
Complete the Tables and Lists from Memory 479
Definitions of Key Terms 479
Chapter 21 Deploying Cisco IPS for High Availability and High Performance 481
Overview 481
“Do I Know This Already?” Quiz 481
Foundation Topics 483
High-Availability Solutions for Cisco IPS Deployments 483
Switching-Based Sensor High Availability 484
EtherChannel-Based High Availability 485
Inline Mode Redundant IPS Sensor Deployment Using a Single Switch 486
Promiscuous Mode Redundant IPS Sensor Deployment Using a Single Switch 486
EtherChannel-Based High-Availability Implementation Guidelines 486
STP-Based High Availability 487
STP-Based High-Availability Implementation Guidelines 487
Routing-Based Sensor High Availability 488
Routing-Based Sensor High-Availability Implementation Guidelines 488
Cisco ASA-Based Sensor High Availability 489
Cisco ASA-Based Sensor High-Availability Implementation Guidelines 490
Cisco IPS Sensor Performance Overview 491
Performance Issues 491
Detecting Performance Issues 492
Configuring Traffic Flow Notifications 492
Inspecting Performance-Related Gadgets 493
Checking Switch SPAN Interfaces for Dropped Packets 495
Scaling SPAN Sessions 496
Increasing Performance Using Load Sharing 497
ECLB with Cisco Catalyst 6500 Series Switch and IDSM-2 497
Guidelines for Increasing Performance Using Load-Sharing Implementation 497
Increasing Performance Using Traffic Reduction 498
Cisco ASA IPS Modules–Inline Operation 498
Cisco ASA IPS Modules–Promiscuous Operation 498
Cisco Catalyst Switches–VACL Capture 498
Summary 499
References 499
Exam Preparation Tasks 500
Review All the Key Topics 500
Complete the Tables and Lists from Memory 500
Definitions of Key Terms 500
Part VII Configuring and Maintaining Specific Cisco IPS Hardware 503
Chapter 22 Configuring and Maintaining the Cisco ASA AIP SSM Modules 505
Overview 505
“Do I Know This Already?” Quiz 505
Foundation Topics 508
Overview of the Cisco ASA AIP SSM and AIP SSC Modules 508
Inline Operation 510
Promiscuous Operation 510
Single-Mode Cisco ASA with Multiple Virtual Sensors 511
Cisco ASA with Security Contexts and Virtual Sensors 512
Deployment Guidelines–ASA AIP SSM and SSC 512
Initializing the Cisco ASA AIP SSM and AIP SSC Modules 512
Initial Configuration of the AIP SSM and AIP SSC 514
Software Update of the AIP SSM and AIP SSC 516
Basic Configuration of the AIP SSM and AIP SSC 520
Access the AIP SSM and AIP SSC Through the Cisco IDM or ASDM 523
Redirecting Traffic to the Cisco ASA AIP SSM and AIP SSC Modules 525
Traffic Redirection Policy Configuration Using the Cisco ASDM 526
Traffic Redirection Policy Configuration Using the CLI 529
Troubleshooting the Cisco ASA AIP SSM and AIP SSC Modules 530
Summary 531
References 531
Exam Preparation Tasks 532
Review All the Key Topics 532
Complete the Tables and Lists from Memory 532
Definitions of Key Terms 532
Chapter 23 Configuring and Maintaining the Cisco ISR AIM-IPS and NME-IPS Modules 535
Overview 535
“Do I Know This Already?” Quiz 535
Foundation Topics 538
Overview of the Cisco ISR AIM-IPS and NME-IPS Modules 538
Inline Operation 540
Promiscuous Operation 540
AIM-IPS and Router Communication 541
NME-IPS and Router Communication 542
Initializing the Cisco ISR AIM-IPS and NME-IPS 543
Initial Configuration of the AIM-IPS and NME-IPS 545
Redirecting Traffic to the Cisco AIM-IPS and NME-IPS 546
Troubleshooting the Cisco AIM-IPS and NME-IPS 547
Heartbeat Operation 547
Rebooting, Resetting, and Shutdown Procedures 548
Password Recovery Procedure 549
IPS Module Interoperability 550
Summary 550
References 551
Exam Preparation Tasks 552
Review All the Key Topics 552
Complete the Tables and Lists from Memory 552
Definitions of Key Terms 552
Chapter 24 Configuring and Maintaining the Cisco IDSM-2 555
Overview 555
“Do I Know This Already?” Quiz 555
Foundation Topics 557
Overview of the Cisco IDSM-2 557
Inline Operation 560
Promiscuous Operation 561
Initializing the Cisco IDSM-2 562
Installing the Cisco IDSM-2 562
Initial Configuration of the Cisco IDSM-2 564
Command and Control Access for the Cisco IDSM-2 568
Redirecting Traffic to the Cisco IDSM-2 568
Maintaining the Cisco IDSM-2 572
Upgrade Procedure 572
Recovery Procedure 572
Upgrading the Application Partition 572
Re-imaging the Maintenance Partition 577
Troubleshooting the Cisco IDSM-2 577
Password Recovery 577
Summary 578
References 579
Exam Preparation Tasks 580
Review All the Key Topics 580
Complete the Tables and Lists from Memory 580
Definitions of Key Terms 580
Part VIII Final Exam Preparation 583
Chapter 25 Final Preparation 585
Tools for Final Preparation 585
Pearson Cert Practice Test Engine and Questions on the CD 585
Install the Software from the CD 586
Activate and Download the Practice Exam 586
Activating Other Exams 587
Premium Edition 587
Cisco Learning Network 587
Memory Tables 588
Chapter-Ending Review Tools 588
Suggested Plan for Final Review/Study 588
Step 1: Review the Key Topics and the “Do I Know This Already?” Questions from the Beginning of the Chapter 589
Step 2: Complete the Memory Tables 589
Step 3: Do Hands-On Practice 589
Step 4: Build Configuration Checklists 590
Step 5: Use the Exam Engine 590
Summary 591
Part IX Appendixes
Appendix A Answers to the “Do I Know This Already?” Quizzes 595
Appendix B CCNP Security IPS 642-627 Exam Updates, Version 1.0 609
Glossary 613
Index 619
Appendix C Memory Tables (CD Only)
Appendix D Memory Tables Answer Key (CD Only)
9781587142550 TOC 9/23/2011