Implementing Cisco Intrusion Prevention System

COURSE OUTLINE:

Description: This IPS course introduces the Cisco IDS detection platforms, including the 4200 Series Sensors, the Catalyst 6500 Series Intrusion Detection Module 2 (IDSM-2) and the IDS Network Module (NM-CIDS). Both the command line and the IPS Device Manager (IDM) GUI are used to configure the sensor.

Who should attend

Network professionals who want to ensure security on their network or who seek the Cisco Certified Security Professional Certification (CCSP).

Certifications

This course is part of the following Certifications:

  • Cisco Certified Security Professional (CCSP)
  • Cisco IPS Specialist
  • CCIE Security (CCIES Security)

Prerequisites

Students who attend this advanced course should meet the following prerequisites or have equivalent knowledge:

  • Interconnecting Cisco Network Devices Part 1 (ICND1)
  • Interconnecting Cisco Network Devices Part 2 (ICND2)
  • Securing Networks with ASA Fundamentals (SNAF)
  • Basic knowledge of the Windows operating system
  • Familiarity with basic networking and security terms and concepts

Course Objectives

After completing this course, you will be able to:

  • Install an IPS sensor appliance in the Network and initialize it
  • Use IDM to configure built-in signatures to meet the requirements of a given security policy
  • Describe the functions of signature engines and their parameters and use IDM to tune and create signatures
  • Tune a sensor to work optimally in the network
  • Use the Monitoring Center for Security and Cisco Threat Response
  • Install the NM-CIDS in a router and initialize it
  • Install and recover the sensor software image and perform service pack and signature updates

Course Content
MODULE 1: INTRUSION PREVENTION OVERVIEW

Lesson 1: Explaining Intrusion Prevention
  • Intrusion Detection vs. Intrusion Prevention
  • Intrusion Prevention Technologies
  • Intrusion Prevention Terminology
  • Promiscuous and Inline Modes
  • Features of Cisco IPS Sensor Software Version 6.0

Lesson 2: Explaining Cisco IPS Products
  • Cisco Network Sensors
  • Network IPS
  • Host-Based IPS
  • Sensor Deployment
  • Cisco Self-Defending Network

Lesson 3: Examining Cisco IPS Sensor Software Solutions
  • Cisco IPS Sensor Software Architecture
  • Cisco IPS Element Management Products
  • Cisco IPS Enterprise Management Products

Lesson 4: Examining Evasive Techniques
  • Evasive Techniques
  • String Match Attacks
  • Fragmentation Attacks
  • Session Attacks
  • Insertion Attacks
  • Evasion Attacks
  • TTL-Based Attacks
  • Encryption-Based Attacks
  • Resource Exhaustion Attacks

MODULE 2: INSTALLATION OF A CISCO IPS 4200 SERIES SENSOR

Lesson 1: Installing a Cisco IPS Sensor Using the CLI
  • Introducing the CLI
  • Initializing the Sensor
  • Performing Administrative Tasks
  • Additional Administrative Commands

Lesson 2: Using the Cisco IDM
  • Introducing the Cisco IDM
  • Getting Started with the Cisco IDM
  • How to Configure SSH
  • How to Reboot and Shut Down the Sensor

Lesson 3: Configuring Basic Sensor Settings
  • How to Configure Allowed Hosts
  • How to Set the Time
  • How to Configure Certificates
  • How to Configure User Accounts
  • Defining Interface Roles
  • How to Configure the Interfaces
  • How to Configure Software and Hardware Bypass Mode
  • Viewing Events in the Cisco IDM

MODULE 3: CISCO IPS SIGNATURES

Lesson 1: Configuring Cisco IPS Signatures and Alerts
  • Cisco IPS Signatures
  • How to Locate Signature Information
  • How to Configure Basic Signatures
  • Special Consideration for Signature Actions

Lesson 2: Examining the Signature Engines
  • Introducing Cisco IPS Signature Engines
  • Common Signature Engine Parameters
  • ATOMIC Signature Engines
  • FLOOD Signature Engines
  • SERVICE Signature Engines
  • STRING Signature Engines
  • SWEEP Signature Engines
  • TROJAN Signature Engines
  • TRAFFIC Signature Engines
  • AIC Signature Engines
  • STATE Signature Engine
  • META Signature Engine
  • NORMALIZER Engine

MODULE 4: ADVANCED CISCO IPS CONFIGURATION

Lesson 1: Performing Advanced Tuning for Cisco IPS Sensors
  • Sensor Configuration
  • IP Logging
  • Reassembly Options
  • How to Define Event Variables
  • Target Value Rating
  • Event Action Filters
  • Risk Rating System
  • General Setting of Event Action Rules

Lesson 2: Monitoring and Managing Alarms
  • Cisco IEV Overview
  • Installing Cisco IEV
  • Configuring Cisco IEV
  • Viewing Events
  • Cisco Security Management Suite Overview
  • External Product Interface
  • Integrating Cisco Security Agent into an IPS Installation
  • Cisco ICS

Lesson 3: Configuring a Virtual Sensor
  • Virtual Sensor Overview
  • Preparing for Virtual Sensors
  • Creating Virtual Sensors

Lesson 4: Switch Security Practices and Features
  • Anomaly Detection Overview
  • Anomaly Detection Components
  • Configuring Anomaly Detection
  • POSFP Overview
  • Operating System Identification
  • Configuring POSFP
  • Monitoring POSFP

Lesson 5: Configuring Blocking
  • Blocking Overview
  • ACL Considerations
  • How to Configure Automatic Blocking
  • How to Configure Manual Blocking
  • How to Configure a Master Blocking Scenario

MODULE 5: ADDITIONAL CISCO IPS DEVICES

Lesson 1: Installing the Cisco Catalyst 6500 Series IDSM-2
  • Cisco Catalyst 6500 Series IDSM-2 Overview
  • Installing the Cisco Catalyst 6500 Series IDSM-2
  • Configuring Cisco Catalyst 6500 Series IDSM-2
  • Monitoring the Cisco Catalyst 6500 Series IDSM-2
  • Maintaining the Cisco Catalyst 6500 Series IDSM-2

Lesson 2: Initializing the Cisco ASA AIP-SSM
  • Cisco ASA AIP-SSM Overview
  • Loading the Cisco ASA AIP-SSM
  • Initial Cisco ASA AIP-SSM Configuration Using Cisco ASDM
  • Configuring an IPS Security Policy

MODULE 6: CISCO IPS SENSOR MAINTENANCE

Lesson 1: Maintaining Cisco IPS Sensors
  • Understanding Cisco IPS Licensing
  • How to Upgrade and Recover Sensor Images
  • How to Install Service Packs and Signature Updates
  • Password Recovery
  • How to Restore a Cisco IPS Sensor

Lesson 2: Managing Cisco IPS Sensors
  • Using the CLI to Monitor the Sensor
  • Using the Cisco IDM to Monitor the Sensor
  • Monitoring Using Cisco Security Manager
  • Monitoring Using SNMP