CCSP IPS Exam Certification Guide
Official self-study test preparation guide for the Cisco IPS exam 642-532

The official study guide helps you master all the topics on the IPS exam, including:
- IPS concepts
- Command-line interface (CLI) and IPS Device Manager (IDM) configuration modes
- Basic sensor and IPS signature configuration
- IPS signature engines
- Sensor tuning
- IPS event monitoring
- Sensor maintenance
- Verifying system configuration
- Using the Cisco IDS Module (IDSM) and Cisco IDS Network Module
- Capturing network traffic

CCSP IPS Exam Certification Guide is a best-of-breed Cisco (R) exam study guide that focuses specifically on the objectives for the IPS exam. Cisco Security Test Engineer Earl Carter shares preparation hints and test-taking tips, helping you identify areas of weakness and improve your Intrusion Prevention System (IPS) knowledge. Material is presented in a concise manner, focusing on increasing your understanding and retention of exam topics. CCSP IPS Exam Certification Guide presents you with an organized test preparation routine through the use of proven series elements and techniques. "Do I Know This Already?" quizzes open each chapter and allow you to decide how much time you need to spend on each section. Exam topic lists and Foundation Summary materials make referencing easy and give you a quick refresher whenever you need it. Challenging chapter-ending review questions help you assess your knowledge and reinforce key concepts. The companion CD-ROM contains a powerful testing engine that allows you to focus on individual topic areas or take complete, timed exams. The assessment engine also tracks your performance and provides feedback on a module-by-module basis, presenting question-by-question remediation to the text. Well-regarded for its level of detail, assessment features, and challenging review questions and exercises, this book helps you master the concepts and techniques that will enable you to succeed on the exam the first time.
CCSP IPS Exam Certification Guide is part of a recommended learning path from Cisco Systems (R) that includes simulation and hands-on training from authorized Cisco Learning Partners and self-study products from Cisco Press. To find out more about instructor-led training, e-learning, and hands-on instruction offered by authorized Cisco Learning Partners worldwide, please visit www.cisco.com/go/authorizedtraining.

Companion CD-ROM
The CD-ROM contains an electronic copy of the book and more than 200 practice questions for the IPS exam, all available in study mode, test mode, and flash-card format.

This volume is part of the Exam Certification Guide Series from Cisco Press (R). Books in this series provide officially developed exam preparation materials that offer assessment, review, and practice to help Cisco Career Certification candidates identify weaknesses, concentrate their study efforts, and enhance their confidence as exam day nears.
- Mixed media product | 648 pages
- 188 x 233.7 x 45.7mm | 1,224.71g
- 19 Sep 2005
- Pearson Education (US)
- Cisco Press
- Indianapolis, United States
Back cover copy
The official self-study test preparation guide for the Cisco CCSP Cisco Secure Intrusion Detection System exam
- The only official self-study book for the CSIDS exam
- Introduces features and functions of the Cisco Intrusion Detection System solution
- Includes all book features of this best-selling series: Chapter Review Questions, Foundation Summaries, and more
- Comprehensive test engine on companion CD-ROM assesses understanding of the topics and concepts covered in the book

"CCSP CSIDS Exam Certification Guide" covers all of the major topics on the CSIDS exam, providing readers occasion to practice the skills critical for everyday administration and troubleshooting of Cisco's intrusion detection system solution. Each chapter of the "CCSP CSIDS Exam Certification Guide" tests readers' knowledge of the subjects through specially designed assessment and study features. "Do I Know This Already?" quizzes assess readers' knowledge and help them decide how much time to spend on each section. The Foundation Topics sections provide details on exam topics. Each chapter also includes a Foundation Summary section that highlights essential concepts for quick reference and study. The final section of this book includes scenarios dedicated to working with the Cisco IDS solution. These scenarios include a description of the problem, a portion of the system configuration, debug output, and suggestions to help readers resolve the issue and become more familiar with the inner workings of the IDS solution, while reinforcing understanding of the key concepts covered throughout the book.

Earl Carter is a member of the Security Technologies Assessment Team (STAT) that is part of Consulting Engineering (CE) at Cisco Systems. His duties involve performing security evaluations on numerous Cisco products and consulting with other teams within Cisco to help enhance the security of Cisco products. In this manner, he has examined various products from the PIX Firewall to the Cisco CallManager. Earl has been working in the field of computer security for eight years and lives in Texas.
About Earl Carter
Earl Carter is a member of the Security Technologies Assessment Team at Cisco where his duties involve performing security evaluations on numerous Cisco products as well as consulting with other teams at Cisco to help enhance the security of Cisco products. He has examined various products, from the Cisco PIX (R) Firewall to the Cisco CallManager. Presently, Earl holds a CCNA (R) certification and is working on earning his CCIE (R) certification with a security emphasis.
Table of contents
Foreword
Introduction

Part I Cisco IPS Overview

Chapter 1 Cisco Intrusion Prevention System (IPS) Overview
- "Do I Know This Already?" Quiz
- Foundation and Supplemental Topics
  - Cisco Intrusion Prevention Solution
  - Intrusion Prevention Overview
  - Intrusion-Prevention Terminology
  - IPS/IDS Triggers
  - Anomaly Detection
  - Misuse Detection
  - Protocol Analysis
  - IPS/IDS Monitoring Locations
  - Host-Based
  - Network-Based
  - Cisco Hybrid IPS/IDS Solution
  - Risk Rating
  - Event Severity
  - Signature Fidelity
  - Asset Value of Target
  - Meta-Event Generator
  - Inline Deep-Packet Inspection
  - Cisco Intrusion Prevention System Hardware
  - Cisco IDS 4200 Series Network Sensors
  - Cisco 4215 Appliance Sensor
  - Cisco 4235 Appliance Sensor
  - Cisco 4240 Diskless Appliance Sensor
  - Cisco 4250 Appliance Sensor
  - Cisco 4250XL Appliance Sensor
  - Cisco 4255 Diskless Appliance Sensor
  - Cisco IDSM-2 for Catalyst 6500
  - Cisco IDS Network Module for Access Routers
  - Router Sensor
  - Firewall Sensor
  - Inline Sensor Support
  - Inline Mode Versus Promiscuous Mode
  - Software Bypass
  - Auto Mode
  - Off Mode
  - On Mode
  - Cisco Sensor Deployment
  - Internet Boundaries
  - Extranet Boundaries
  - Intranet Boundaries
  - Remote Access Boundaries
  - Servers and Desktops
  - Sensor Deployment Considerations
  - Sensor Placement
  - Sensor Management and Monitoring Options
  - Number of Sensors
  - External Sensor Communications
  - Cisco Sensor Communications Protocols
  - Secure Shell
  - Transport Layer Security (TLS)/Secure Socket Layer (SSL)
  - Remote Data Exchange Protocol
  - Event Messages
  - IP Log Messages
  - Transaction Messages
  - Security Device Event Exchange Standard
  - Cisco Sensor Software Architecture
  - cidWebServer
  - IDM Servlet
  - Event Server Servlet
  - Transaction Server Servlet
  - IP Log Server Servlet
  - mainApp
  - logApp
  - authentication
  - Network Access Controller (NAC)
  - ctlTransSource
  - sensorApp
  - Event Store
  - cidCLI
- Foundation Summary
- Q&A

Part II Cisco IPS Configuration

Chapter 2 IPS Command-Line Interface
- "Do I Know This Already?" Quiz
- Foundation and Supplemental Topics
  - Sensor Installation
  - Installing 5.0 Software via the Network
  - Installing 5.0 Software from a CD
  - Sensor Initialization
  - Accessing the CLI
  - Running the setup Command
  - Creating the Service Account
  - Manually Setting the System Clock
  - Changing your Password
  - Adding and Removing Users
  - Adding a Known SSH Host
  - IPS CLI
  - Using the Sensor CLI
  - Prompts
  - Help
  - Tab Completion
  - Command Recall
  - Command Case Sensitivity
  - Keywords
  - User Roles
  - Administrator
  - Operator
  - Viewer
  - Service
  - CLI Command Modes
  - Privileged Exec
  - Global Configuration
  - Service
  - Service Analysis-Engine
  - Service Authentication
  - Service Event-Action-Rules
  - Service Host
  - Service Interface
  - Service Logger
  - Service Network-Access
  - Service Notification
  - Service Signature-Definition
  - Service SSH-Known-Hosts
  - Service Trusted-Certificates
  - Service Web-Server
  - Administrative Tasks
  - Configuration Tasks
- Foundation Summary
- Q&A

Chapter 3 Cisco IPS Device Manager (IDM)
- "Do I Know This Already?" Quiz
- Foundation and Supplemental Topics
  - Cisco IPS Device Manager
  - System Requirements for IDM
  - Navigating IDM
  - Configuration
  - Sensor Setup
  - Interface Configuration
  - Analysis Engine
  - Signature Definition
  - Event Action Rules
  - Blocking
  - Simple Network Management Protocol
  - Auto Update
  - Monitoring
  - Back
  - Forward
  - Refresh
  - Help
  - Configuring Communication Parameters Using IDM
- Foundation Summary
- Q&A

Chapter 4 Basic Sensor Configuration
- "Do I Know This Already?" Quiz
- Foundation and Supplemental Topics
  - Basic Sensor Configuration
  - Sensor Host Configuration Tasks
  - Configuring Allowed Hosts
  - Configuring Sensor User Accounts
  - Configuring the Sensor's Time Parameters
  - Manually Setting the Clock
  - Configuring the NTP Server Settings
  - Configuring the Time Zone
  - Configuring the Summertime Settings
  - Configuring SSH Hosts
  - Interface Configuration Tasks
  - Enabling Monitoring Interfaces
  - Editing Monitoring Interface Parameters
  - Configuring Inline Interface Pairs
  - Configuring Inline Software Bypass
  - Configuring Traffic Flow Notifications
  - Analysis Engine Configuration Tasks
- Foundation Summary
- Q&A

Chapter 5 Basic Cisco IPS Signature Configuration
- "Do I Know This Already?" Quiz
- Foundation and Supplemental Topics
  - Configuring Cisco IPS Signatures
  - Signature Groups
  - Displaying Signatures by Attack
  - Displaying Signatures by L2/L3/L4 Protocol
  - Displaying Signatures by Operating System
  - Displaying Signatures by Signature Release
  - Displaying Signatures by Service
  - Displaying Signatures by Signature Identification
  - Displaying Signatures by Signature Name
  - Displaying Signatures by Response Action
  - Displaying Signatures by Signature Engine
  - Alarm Summary Modes
  - Fire Once
  - Fire All
  - Alarm Summarization
  - Variable Alarm Summarization
  - Basic Signature Configuration
  - Viewing NSDB Information
  - Signature Information
  - Related Threats Information
  - Viewing NSDB Information
  - Enabling Signatures
  - Creating New Signatures
  - Editing Existing Signatures
  - Retiring Signatures
  - Defining Signature Responses
- Foundation Summary
- Q&A

Chapter 6 Cisco IPS Signature Engines
- "Do I Know This Already?" Quiz
- Foundation and Supplemental Topics
  - Cisco IPS Signatures
  - Cisco IPS Signature Engines
  - Signature Parameters
  - Application Inspection and Control Signature Engines
  - AIC FTP Signature Engine Parameters
  - AIC HTTP Signature Engine Parameters
  - Content Types Parameters
  - Define Web Traffic Policy Parameters
  - Msg Body Pattern Parameters
  - Request Methods Parameters
  - Transfer Encodings Parameters
  - Atomic Signature Engines
  - Atomic ARP Engine Parameters
  - Atomic IP Engine Parameters
  - Atomic IP ICMP Parameters
  - Atomic IP TCP Parameters
  - Atomic IP UDP Parameters
  - Atomic IP Payload Parameters
  - Flood Signature Engines
  - Flood Host Engine Parameters
  - Flood Host ICMP Parameters
  - Flood Host UDP Parameters
  - Flood Net Engine Parameters
  - Meta Signature Engine
  - Normalizer Signature Engine
  - Service Signature Engines
  - Service DNS Engine Parameters
  - Service FTP Engine Parameters
  - Service Generic Engine Parameters
  - Service H225 Engine Parameters
  - Service HTTP Engine Parameters
  - Service Ident Engine Parameters
  - Service MSSQL Engine Parameters
  - Service NTP Engine Parameters
  - Service RPC Engine Parameters
  - Service SMB Engine Parameters
  - Service SNMP Engine Parameters
  - Service SSH Engine Parameters
  - State Signature Engine
  - Cisco Login States
  - LPR Format String States
  - SMTP States
  - String Signature Engines
  - String ICMP Engine-Specific Parameters
  - String TCP Engine-Specific Parameters
  - Sweep Signature Engines
  - Sweep Signature Engine Parameters
  - Unique ICMP Sweep Parameters
  - Unique TCP Sweep Parameters
  - Sweep Other TCP Signature Engine Parameters
  - Trojan Horse Signature Engines
- Foundation Summary
- Q&A

Chapter 7 Advanced Signature Configuration
- "Do I Know This Already?" Quiz
- Foundation and Supplemental Topics
  - Advanced Signature Configuration
  - Regular Expressions String Matching
  - Signature Fields
  - Basic Signature Fields
  - Signature Description Fields
  - Engine-Specific Fields
  - Event Counter Fields
  - Alert Frequency Fields
  - Status Fields
  - Meta-Event Generator
  - Understanding HTTP and FTP Application Policy Enforcement
  - Tuning an Existing Signature
  - Tuning Example
  - Creating a Custom Signature
  - Choose a Signature Engine
  - Network Protocol
  - Target Address
  - Target Port
  - Attack Type
  - Inspection Criteria
  - Verify Existing Functionality
  - Define Signature Parameters
  - Test Signature Effectiveness
  - Custom Signature Scenario
  - Creating Custom Signatures Using IDM
  - Using IDM Custom Signature Wizard
  - Cloning an Existing Signature
- Foundation Summary
- Q&A

Chapter 8 Sensor Tuning
- "Do I Know This Already?" Quiz
- Foundation and Supplemental Topics
  - IDS Evasion Techniques
  - Flooding
  - Fragmentation
  - Encryption
  - Obfuscation
  - Using Control Characters
  - Using Hex Representation
  - Using Unicode Representation
  - TTL Manipulation
  - Tuning the Sensor
  - Configuring IP Log Settings
  - Configuring Application Policy Settings
  - Configuring Reassembly Options
  - Fragment Reassembly
  - Stream Reassembly
  - Configuring Reassembly Options
  - Event Configuration
  - Event Variables
  - Target Value Rating
  - Event Action Override
  - Event Action Filters
- Foundation Summary
- Q&A

Part III Cisco IPS Response Configuration

Chapter 9 Cisco IPS Response Configuration
- "Do I Know This Already?" Quiz
- Foundation and Supplemental Topics
  - Cisco IPS Response Overview
  - Inline Actions
  - Deny Packet Inline
  - Deny Connection Inline
  - Deny Attacker Inline
  - Configuring Deny Attacker Duration Parameter
  - Logging Actions
  - Log Attacker Packets
  - Log Pair Packets
  - Log Victim Packets
  - Manual IP Logging
  - IP Blocking
  - IP Blocking Definitions
  - IP Blocking Devices
  - Cisco Routers
  - Cisco Catalyst 6000 Switches
  - Cisco PIX Firewalls
  - Blocking Guidelines
  - Antispoofing Mechanisms
  - Critical Hosts
  - Network Topology
  - Entry Points
  - Signature Selection
  - Blocking Duration
  - Device Login Information
  - Interface ACL Requirements
  - Blocking Process
  - ACL Placement Considerations
  - External Versus Internal
  - ACLs Versus VACLs
  - Using Existing ACLs
  - Master Blocking Sensor
  - Configuring IP Blocking
  - Assigning a Blocking Action
  - Setting Blocking Properties
  - Setting Blocking Properties via IDM
  - Defining Addresses Never to Block
  - Setting Up Logical Devices
  - Defining Blocking Devices
  - Defining Blocking Devices Using IDM
  - Defining Router Blocking Devices Interfaces Using IDM
  - Defining Cat6K Blocking Device Interfaces Using IDM
  - Defining Master Blocking Sensors
  - Configuring a Master Blocking Sensor in IDM
  - Manual Blocking
  - Blocking Hosts
  - Blocking Networks
  - TCP Reset
- Foundation Summary
- Q&A

Part IV Cisco IPS Event Monitoring

Chapter 10 Alarm Monitoring and Management
- "Do I Know This Already?" Quiz
- Foundation and Supplemental Topics
  - CiscoWorks 2000
  - Login Process
  - Authorization Roles
  - Adding Users
  - Security Monitor
  - Installing Security Monitor
  - Windows Installation
  - Server Requirements
  - Client Requirements
  - Security Monitor User Interface
  - Configuration Tabs
  - Options Bar
  - TOC
  - Path Bar
  - Instruction Box
  - Content Area
  - Tools Bar
  - Security Monitor Configuration
  - Adding Devices
  - Adding RDEP Devices
  - Adding PostOffice Devices
  - Adding IOS Devices
  - Adding PIX Devices
  - Importing Devices
  - Event Notification
  - Adding Event Rules
  - Activating Event Rules
  - Monitoring Devices
  - Monitoring Connections
  - Monitoring Statistics
  - Monitoring Events
  - Security Monitor Event Viewer
  - Moving Columns
  - Deleting Rows and Columns
  - Delete from This Grid
  - Delete from Database
  - Delete Column
  - Collapsing Rows
  - Collapse > First Group
  - Collapse > All Rows
  - Expanding Rows
  - Expand > First Group
  - Expand > All Rows
  - Suspending and Resuming New Events
  - Changing Display Preferences
  - Actions
  - Cells
  - Sort By
  - Boundaries
  - Severity Indicator
  - Database
  - Creating Graphs
  - By Child
  - By Time
  - Tools Pull-Down Menu Options
  - Explanation
  - Trigger Packet
  - IP Logs
  - Statistics
  - Options
  - Resolving Host Names
  - Security Monitor Administration
  - Data Management
  - System Configuration Settings
  - Defining Event Viewer Preferences
  - Security Monitor Reports
  - Defining the Report
  - Running the Report
  - Viewing the Report
- Foundation Summary
- Q&A

Part V Cisco IPS Maintenance and Tuning

Chapter 11 Sensor Maintenance
- "Do I Know This Already?" Quiz
- Foundation and Supplemental Topics
  - Sensor Maintenance
  - Software Updates
  - IPS Software File Format
  - Software Type
  - Cisco IPS Version
  - Service Pack Level
  - Signature Version
  - Extension
  - Software Update Guidelines
  - Upgrading Sensor Software
  - Saving Current Configuration
  - Software Installation via CLI
  - Software Installation Using IDM
  - Configuring Automatic Software Updates Using IDM
  - Downgrading an Image
  - Updating the Sensor's License
  - Image Recovery
  - Restoring Default Sensor Configuration
  - Restoring Default Configuration Using the CLI
  - Restoring Default Configuration Using IDM
  - Resetting and Powering Down the Sensor
  - Resetting the Sensor Using the Sensor CLI
  - Resetting the Sensor Using IDM
- Foundation Summary
- Q&A

Chapter 12 Verifying System Configuration
- "Do I Know This Already?" Quiz
- Foundation and Supplemental Topics
  - Verifying System Configuration
  - Viewing Sensor Configuration
  - Displaying Software Version
  - Displaying Sensor Configuration
  - Displaying Sensor PEP Inventory
  - Viewing Sensor Statistics
  - Viewing Sensor Events
  - Viewing Events Using the CLI
  - Viewing Events Using IDM
  - Selecting Event Types
  - Selecting Time Frame for Events
  - Using the IDM Event Viewer
  - Debugging Sensor Operation
  - Verifying Interface Operation
  - Capturing Packets
  - Generating Tech-Support Output
  - Sensor SNMP Access
  - Enabling SNMP Traps by Using the Sensor CLI
  - Enabling SNMP Traps Using IDM
- Foundation Summary
- Q&A

Chapter 13 Cisco IDS Module (IDSM)
- "Do I Know This Already?" Quiz
- Foundation and Supplemental Topics
  - Cisco IDS Module
  - IDSM-2 Technical Specifications
  - Performance Capabilities
  - Catalyst 6500 Requirements
  - Key Features
  - IDSM-2 Traffic Flow
  - IDSM-2 Configuration
  - Verifying IDSM-2 Status
  - Initializing the IDSM-2
  - Accessing the IDSM-2 CLI
  - Logging in to the IDSM-2
  - Configuring the Command and Control Port
  - Configuring the Switch Traffic Capture Settings
  - IDSM-2 Ports
  - TCP Reset Port
  - Command and Control Port
  - Monitoring Ports
  - Catalyst 6500 Switch Configuration
  - Configuring the Command and Control Port
  - Setting VLANs by Using IOS
  - Setting VLANs by Using CatOS
  - Monitored Traffic
  - IDSM-2 Administrative Tasks
  - Enabling Full Memory Test
  - Stopping the IDS Module
  - Troubleshooting the IDSM-2
  - IDSM-2 Status LED
  - Catalyst 6500 Commands
  - show module Command
  - show port Command
  - show trunk Command
- Foundation Summary
- Q&A

Chapter 14 Cisco IDS Network Module for Access Routers
- "Do I Know This Already?" Quiz
- Foundation and Supplemental Topics
  - NM-CIDS Overview
  - NM-CIDS Key Features
  - NM-CIDS Specifications
  - NM-CIDS Front Panel
  - Traditional Appliance Sensor Network Architecture
  - NM-CIDS Network Architecture
  - NM-CIDS Hardware Architecture
  - NM-CIDS Internal Fast Ethernet Interface
  - NM-CIDS External Fast Ethernet Interface
  - Internal Universal Asynchronous Receiver/Transmitter Interface
  - NM-CIDS Disk, Flash, and Memory
  - Traffic Capture for NM-CIDS
  - Cisco IOS Features
  - Access Control Lists and NM-CIDS
  - Encryption and NM-CIDS
  - Inside NAT and NM-CIDS
  - Outside NAT and NM-CIDS
  - IP Multicast, IP Broadcast, and UDP Flooding and NM-CIDS
  - GRE Tunnels and NM-CIDS
  - Packets Not Forwarded to NM-CIDS
  - NM-CIDS Installation and Configuration Tasks
  - Installing the NM-CIDS
  - Inserting the NM-CIDS into a Router
  - Connecting the NM-CIDS to the Network
  - Verifying That the Router Recognizes the NM-CIDS
  - Verifying That Cisco IOS-IDS is Not Running
  - Configuring the Internal ids-sensor Interface
  - Verifying the NM-CIDS Slot Number
  - Enabling CEF
  - Configuring the Interface
  - Assigning the Clock Settings
  - Using the Router Time Source
  - Using an NTP Time Source
  - Configuring NM-CIDS Clock Mode
  - Setting Up Packet Monitoring
  - Logging In to NM-CIDS Console
  - Accessing NM-CIDS via a Session
  - Accessing NM-CIDS via Telnet
  - NM-CIDS Login
  - Performing Initial Sensor Configuration
  - NM-CIDS Maintenance Tasks
  - Reloading the NM-CIDS
  - Resetting the NM-CIDS
  - Shutting Down the NM-CIDS
  - Viewing the NM-CIDS Status
  - Recovering the NM-CIDS Software Image
  - Configuring the Boot Loader
  - Booting the Helper Image
  - Selecting the File Transfer Method
  - Installing the Application Image
  - Booting the Application Image
  - Configuring the IPS Application
- Foundation Summary
- Q&A

Chapter 15 Capturing Network Traffic
- "Do I Know This Already?" Quiz
- Foundation and Supplemental Topics
  - Capturing Network Traffic
  - Capturing Traffic for Inline Mode
  - Capturing Traffic for Promiscuous Mode
  - Traffic Capture Devices
  - Hub Traffic Flow
  - Network Tap Traffic Flow
  - Switch Traffic Flow
  - Switch Capture Mechanisms
  - Switched Port Analyzer
  - Remote Switched Port Analyzer
  - VLAN Access Control Lists
  - TCP Resets and Switches
  - Configuring SPAN for Catalyst 4500 and 6500 Traffic Capture
  - The monitor session Command
  - Configuring RSPAN for Catalyst 4500 and 6500 Traffic Capture
  - Configuring VACLs for Catalyst 6500 Traffic Capture
  - Configure an ACL
  - Create a VLAN Access Map
  - Match ACL to Access Map
  - Define Action for Access Map
  - Apply Access Map to VLANs
  - Configure Capture Ports
  - Configuring VACLs for Traffic Capture With Cisco Catalyst 6500 IOS Firewall
  - Configure the Extended ACL
  - Apply ACL to an Interface or VLAN
  - Assign the Capture Port
  - Advanced Catalyst 6500 Traffic Capture
  - Configure Destination Port
  - Define Trunks to Capture
  - Assign Switch Ports to VLANs
  - Create the VACL
- Foundation Summary
- Q&A

Appendix Answers to the "Do I Know This Already?" Quizzes and Q&A Questions
- Chapter 1
- Chapter 2
- Chapter 3
- Chapter 4
- Chapter 5
- Chapter 6
- Chapter 7
- Chapter 8
- Chapter 9
- Chapter 10
- Chapter 11
- Chapter 12
- Chapter 13
- Chapter 14
- Chapter 15

Index