IPS - Implementing Cisco Intrusion Prevention System v6.0

Duration: 4 days

Securing Networks Using Intrusion Prevention Systems (IPS) v6.0 is an update to Securing Networks Using Intrusion Prevention Systems (IPS) v5.0, an existing five-day instructor-led course on using the Cisco Intrusion Detection System v5.0 product to protect network systems from intrusions and security threats. The course covers important new IPS 6.0 features. The IPS 6.0 course takes a task-oriented approach to teaching the skills to deploy, configure, and administer Cisco IPS sensors.

• ICND2 - Interconnecting Cisco Network Devices 2
• IINS - Implementing Cisco IOS Network Security

• How Cisco IPS protects network devices from attacks
• Basic intrusion prevention terminology
• Different intrusion prevention technologies and evasive techniques
• Cisco IPS Sensor platforms and their features
• Install and configure basic settings on a Cisco IPS 4200 Series Sensor
• Use the Cisco IPS Device Manager (IDM) to configure built-in signatures to meet the requirements of a given security policy
• Create and implement customized intrusion prevention signatures
• Create alarm filters to reduce alarms and possible false positives
• Configure IPS protective reactions such as TCP reset and deny attacker inline
• Configure a Cisco IPS Sensor to perform blocking on IOS routers and Adaptive Security Appliances (ASAs) or PIX firewalls
• Perform maintenance operations such as signature updates
• Configure and monitor anomaly detection, passive OS fingerprinting, and virtual sensors
• Initialize and install remaining Cisco IPS family of products
• Use the CLI and Cisco IDM to obtain system information
• Configure the Cisco IPS sensor to allow a SNMP NMS to monitor the Cisco IPS sensor

1. Intrusion Prevention Overview

• Explanation of Intrusion Prevention
• Cisco IPS Products
• Cisco IPS Sensor Software Solutions
• Evasive Techniques

2. Installation of a Cisco IPS 4200 Series Sensor

• Installing an IPS Sensor Using the CLI
• Using the Cisco IDM
• Configuring Basic Sensor Settings

3. Cisco IPS Signatures

• Configuring Cisco IPS Signatures and Alarms
• Signature Engines
• Customizing Signatures

4. Advanced Cisco IPS Configuration

• Advanced Tuning of Cisco IPS Sensors
• Monitoring and Managing Alarms
• Configuring a Virtual Sensor
• Configuring Advanced Features
• Configuring Blocking

5. Additional Cisco IPS Devices

• Cisco IDS Module
• Cisco ASA AIP-SSM

6. Cisco IPS Sensor Maintenance

• Maintaining Cisco IPS Sensors
• Managing Cisco IPS Sensors

Appendix A: The Evolution from IPS 6.0 through 6.1, 6.2, and 7.0

• Internetwork professionals who want to ensure security on their network or who seek Cisco certification.

We've enhanced our labs beyond what you'll find in a standard Authorized Cisco IPS course. Our labs cover everything that Cisco teaches plus our own exclusive material.

Lab 0: Remote Lab Environment

We provide an unparalleled lab infrastructure for CCSP-oriented courses. For IPS, each pod has a router, a switch, a PIX Firewall, a 4200 Series IPS Sensor, and four PC systems. These devices are organized in a real-world fashion and are configured to work together to provide a complete security solution. The four PCs are strategically placed in the topology to provide interesting and realistic demonstrations of function. An Inside PC is treated like the Security Administrator's office desktop PC, and an Inside Server runs the applications (such as Cisco Secure Access Control Server) intended to be installed in the data center and shared among multiple administrators. The DMZ server is partially exposed to the Internet and provides HTTP and FTP services. An Outside PC connected to the simulated Internet is often used as the source of network attack traffic.

Lab 1: Cisco IPS Sensor CLI

• Reimage the sensor from the recovery partition
• Initial login to the sensor
• Initial set up of the sensor
• Exclusive - Configure the switching fabric to support IPS
• Exclusive - Demonstrate intrusion detection
• Configure the sensor via the CLI
• Manage user accounts
• Exclusive - Perform a signature update
• Exclusive - View and tune signatures via the CLI and trigger signatures
• Back up the sensor's configuration
• Exclusive - Back up the sensor's configuration to an FTP server

Lab 2: IPS Device Manager

• Exclusive - Install and configure the Java plug-in for IDM support
• Exclusive - Install the IDM application launcher locally
• Exclusive - Sensor starts in a default state, so complete initialization is performed
• Launch IDM and login
• Configure the sensor using IDM, including sensing interfaces, allowed hosts, user accounts, and NTP
• Manage user accounts with IDM
• Monitor events on the sensor using IDM
• Experiment with the sensor's Software Bypass feature

Lab 3: IPS Event Viewer

• Install and Configure IEV
• Create various alert conditions
• IEV Default Views
• IEV Filters
• IEV Custom Views
• Real-Time Dashboard
• Exclusive - IEV Graphs
• IEV Reports

Lab 4: Working with Signatures

• Test a Reference Signature
• Investigate the Deny Packet Inline Action
• Exclusive - Investigate the Reset TCP Connection Action
• Investigate the Deny Attacker Inline Action
• Exclusive - Investigate the Log Pair Packets Action
• Exclusive - Investigate the Produce Verbose Alert Action

Lab 5: Exclusive - Examining Signature Engines

• Examine the definition of signatures for seven different sensor engines to understand how the engines and signatures work. Cause suspicious conditions to trigger these signatures and produce alerts.
  • Atomic IP Engine
  • Flood Host Engine
  • Service HTTP Engine
  • String TCP Engine
  • Sweep Engine
  • Meta Engine
  • Normalizer Engine

Lab 6: Signature Configuration

• Exclusive - Configure and demonstrate behavior changes with Alarm Summarization settings
• Configure and test the HTTP application firewall
• Create and test a Meta event
• Create a signature using the Signature Wizard
• Create a signature with the Signature Wizard, defining the signature engine first

Lab 7: Sensor Tuning

• Understand Fragment Reassembly and Stream Reassembly options
• Configure and use event variables
• Understand Risk Rating
• Configure Event Action Overrides
• Configure Event Action Filters

Lab 8: Virtual Sensors

• Implement a second Virtual Sensor
• Exclusive - Configure the switch fabric to support the second Virtual Sensor
• Exclusive - Test the two Virtual Sensors
• Exclusive - Configure and test unique signature policies
• Remove the second Virtual Sensor

Lab 9: Anomaly Detection and OS Fingerprinting

• Examine Anomaly Detection Status
• Configure Anomaly Detection
• Test Anomaly Detection
• Configure a manual OS mapping
• Exclusive - Test OS mapping affect on Risk Rating

Lab 10: Exclusive - Blocking

• Configure Blocking settings and configure a signature with the Blocking action
• Implement blocking using an IOS router as the blocking device
• Implement blocking using an ASA as the blocking device

Lab 11: Monitoring and Maintaining the Sensor

• Update the sensor via IDM
• Exclusive - Using the Service Account
• Exclusive - Administration of IEV Data Sources
• Exclusive - Troubleshooting via the CLI
• Exclusive - Capturing traffic from the CLI
• Troubleshooting via IDM

Our IPS labs go above and beyond the standard Cisco IPS labs. The focus on signatures-the heart of IPS sensor technology-is our most significant enhancement. In fact, signatures are triggered in our very first IPS sensor lab. We also created an exclusive lab to demonstrate the internal specifications of different signature engines. In our labs, signatures are triggered via realistic intrusion attempts, not just arbitrary methods, and you'll learn why particular signatures are triggered when attack conditions are initiated, whether through the use of a network attack tool or entering a suspicious request in a web browser. Our labs take the mystery out of the sensor, allowing you to understand how signatures are implemented and what causes them to trigger and making you comfortable with the technology.

We have added an exclusive lecture covering the evolution of advances made to Cisco's IPS software through versions 6.1, 6.2, and 7.0. Since the core features of 6.0 are still at the core of the newer releases and perform the same way, you can rest assured that the training that you receive on IPS 6.0 is fully applicable to versions 6.1, 6.2, and 7.0.

E-Labs Included for Post-Class Lab Practice:

Following classroom instruction, you will receive 5 e-Lab credits for post-class lab practice, allowing you to hone your skills using the same hands-on lab equipment you used in the classroom.