Implementing Cisco Intrusion Protection Systems (IPS)

COURSE OUTLINE:

Description
This four-day course covers the knowledge and skills needed to design, install, configure and maintain a Cisco IPS sensor for small, medium and enterprise networks. The course also describes the procedures for managing intrusion prevention system (IPS) alarms.

Prerequisites
To fully benefit from this course, students should have the following prerequisite skills and knowledge:

  • Familiarity with networking and security terms and concepts, including completion of the Securing Cisco Network Devices (SND) course
  • Strong user-level experience with Microsoft Windows operating systems

    Learning Objectives
    After completing this course, students will be able to:

    • Explain how the Cisco IPS protects network devices from attacks
    • Install and configure the basic settings on a Cisco IPS 4200 Series Sensor
    • Use the Cisco IDM to configure built-in signatures to meet the requirements of a given security policy
    • Configure some of the more advanced features of the Cisco IPS product line
    • Initialize and install into your environment the rest of the Cisco IPS family of products
    • Use the CLI and the Cisco IDM to obtain system information, and configure the Cisco IPS sensor to allow an SNMP NMS to monitor the Cisco IPS sensor

    Course Content

    MODULE 1: INTRUSION PREVENTION OVERVIEW

    Lesson 1: Explaining Intrusion Prevention
    • Intrusion Detection vs. Intrusion Prevention
    • Intrusion Prevention Technologies
    • Intrusion Prevention Terminology
    • Promiscuous and Inline Modes
    • Features of Cisco IPS Sensor Software Version 6.0

    Lesson 2: Explaining Cisco IPS Products
    • Cisco Network Sensors
    • Network IPS
    • Host-Based IPS
    • Sensor Deployment
    • Cisco Self-Defending Network

    Lesson 3: Examining Cisco IPS Sensor Software Solutions
    • Cisco IPS Sensor Software Architecture
    • Cisco IPS Element Management Products
    • Cisco IPS Enterprise Management Products

    Lesson 4: Examining Evasive Techniques
    • Evasive Techniques
    • String Match Attacks
    • Fragmentation Attacks
    • Session Attacks
    • Insertion Attacks
    • Evasion Attacks
    • TTL-Based Attacks
    • Encryption-Based Attacks
    • Resource Exhaustion Attacks

    MODULE 2: INSTALLATION OF A CISCO IPS 4200 SERIES SENSOR

    Lesson 1: Installing a Cisco IPS Sensor Using the CLI
    • Introducing the CLI
    • Initializing the Sensor
    • Performing Administrative Tasks
    • Additional Administrative Commands

    Lesson 2: Using the Cisco IDM
    • Introducing the Cisco IDM
    • Getting Started with the Cisco IDM
    • How to Configure SSH
    • How to Reboot and Shut Down the Sensor

    Lesson 3: Configuring Basic Sensor Settings
    • How to Configure Allowed Hosts
    • How to Set the Time
    • How to Configure Certificates
    • How to Configure User Accounts
    • Defining Interface Roles
    • How to Configure the Interfaces
    • How to Configure Software and Hardware Bypass Mode
    • Viewing Events in the Cisco IDM

    MODULE 3: CISCO IPS SIGNATURES

    Lesson 1: Configuring Cisco IPS Signatures and Alerts
    • Cisco IPS Signatures
    • How to Locate Signature Information
    • How to Configure Basic Signatures
    • Special Consideration for Signature Actions

    Lesson 2: Examining the Signature Engines
    • Introducing Cisco IPS Signature Engines
    • Common Signature Engine Parameters
    • ATOMIC Signature Engines
    • FLOOD Signature Engines
    • SERVICE Signature Engines
    • STRING Signature Engines
    • SWEEP Signature Engines
    • TROJAN Signature Engines
    • TRAFFIC Signature Engines
    • AIC Signature Engines
    • STATE Signature Engine
    • META Signature Engine
    • NORMALIZER Engine

    MODULE 4: ADVANCED CISCO IPS CONFIGURATION

    Lesson 1: Performing Advanced Tuning for Cisco IPS Sensors
    • Sensor Configuration
    • IP Logging
    • Reassembly Options
    • How to Define Event Variables
    • Target Value Rating
    • Event Action Filters
    • Risk Rating System
    • General Setting of Event Action Rules

    Lesson 2: Monitoring and Managing Alarms
    • Cisco IEV Overview
    • Installing Cisco IEV
    • Configuring Cisco IEV
    • Viewing Events
    • Cisco Security Management Suite Overview
    • External Product Interface
    • Integrating Cisco Security Agent into an IPS Installation
    • Cisco ICS

    Lesson 3: Configuring a Virtual Sensor
    • Virtual Sensor Overview
    • Preparing for Virtual Sensors
    • Creating Virtual Sensors

    Lesson 4: Switch Security Practices and Features
    • Anomaly Detection Overview
    • Anomaly Detection Components
    • Configuring Anomaly Detection
    • POSFP Overview
    • Operating System Identification
    • Configuring POSFP
    • Monitoring POSFP

    Lesson 5: Configuring Blocking
    • Blocking Overview
    • ACL Considerations
    • How to Configure Automatic Blocking
    • How to Configure Manual Blocking
    • How to Configure a Master Blocking Scenario

    MODULE 5: ADDITIONAL CISCO IPS DEVICES

    Lesson 1: Installing the Cisco Catalyst 6500 Series IDSM-2
    • Cisco Catalyst 6500 Series IDSM-2 Overview
    • Installing the Cisco Catalyst 6500 Series IDSM-2
    • Configuring Cisco Catalyst 6500 Series IDSM-2
    • Monitoring the Cisco Catalyst 6500 Series IDSM-2
    • Maintaining the Cisco Catalyst 6500 Series IDSM-2

    Lesson 2: Initializing the Cisco ASA AIP-SSM
    • Cisco ASA AIP-SSM Overview
    • Loading the Cisco ASA AIP-SSM
    • Initial Cisco ASA AIP-SSM Configuration Using Cisco ASDM
    • Configuring an IPS Security Policy

    MODULE 6: CISCO IPS SENSOR MAINTENANCE

    Lesson 1: Maintaining Cisco IPS Sensors
    • Understanding Cisco IPS Licensing
    • How to Upgrade and Recover Sensor Images
    • How to Install Service Packs and Signature Updates
    • Password Recovery
    • How to Restore a Cisco IPS Sensor

    Lesson 2: Managing Cisco IPS Sensors
    • Using the CLI to Monitor the Sensor
    • Using the Cisco IDM to Monitor the Sensor
    • Monitoring Using Cisco Security Manager
    • Monitoring Using SNMP