SKIP THE SHIPPING
Use code NOSHIP during checkout to save 40% on eligible eBooks, now through January 5. Shop now.
Register your product to gain access to bonus material or receive a coupon.
Official self-study test preparation guide for the Cisco IPS exam 642-532
The official study guide helps you master all the topics on the IPS exam, including:
CCSP IPS Exam Certification Guide is a best of breed Cisco® exam study guide that focuses specifically on the objectives for the IPS exam. Cisco Security Test Engineer Earl Carter shares preparation hints and test-taking tips, helping you identify areas of weakness and improve your Intrusion Prevention System (IPS) knowledge. Material is presented in a concise manner, focusing on increasing your understanding and retention of exam topics.
CCSP IPS Exam Certification Guide presents you with an organized test preparation routine through the use of proven series elements and techniques. “Do I Know This Already” quizzes open each chapter and allow you to decide how much time you need to spend on each section. Exam topic lists and Foundation Summary materials make referencing easy and give you a quick refresher whenever you need it. Challenging chapter-ending review questions help you assess your knowledge and reinforce key concepts. The companion CD-ROM contains a powerful testing engine that allows you to focus on individual topic areas or take complete, timed exams. The assessment engine also tracks your performance and provides feedback on a module-by-module basis, presenting question-by-question remediation to the text. Well-regarded for its level of detail, assessment features, and challenging review questions and exercises, this book helps you master the concepts and techniques that will enable you to succeed on the exam the first time.
CCSP IPS Exam Certification Guide is part of a recommended learning path from Cisco Systems® that includes simulation and hands-on training from authorized Cisco Learning Partners and self-study products from Cisco Press. To find out more about instructor-led training, e-learning, and hands-on instruction offered by authorized Cisco Learning Partners worldwide, please visit www.cisco.com/go/authorizedtraining.
Companion CD-ROM
The CD-ROM contains an electronic copy of the book and more than 200 practice questions for the IPS exam, all available in study mode, test mode, and flash-card format.
This volume is part of the Exam Certification Guide Series from Cisco Press®. Books in this series provide officially developed exam preparation materials that offer assessment, review, and practice to help Cisco Career Certification candidates identify weaknesses, concentrate their study efforts, and enhance their confidence as exam day nears.
Cisco IPS Device Manager (IDM)
Download - 2.15 MB -- Chapter 3: Cisco IPS Device Manager (IDM)
Foreword
Introduction
Part I Cisco IPS Overview
Chapter 1 Cisco Intrusion Prevention System (IPS) Overview
“Do I Know This Already?” Quiz
Foundation and Supplemental Topics
Cisco Intrusion Prevention Solution
Intrusion Prevention Overview
Intrusion-Prevention Terminology
IPS/IDS Triggers
Anomaly Detection
Misuse Detection
Protocol Analysis
IPS/IDS Monitoring Locations
Host-Based
Network-Based
Cisco Hybrid IPS/IDS Solution
Risk Rating
Event Severity
Signature Fidelity
Asset Value of Target
Meta-Event Generator
Inline Deep-Packet Inspection
Cisco Intrusion Prevention System Hardware
Cisco IDS 4200 Series Network Sensors
Cisco 4215 Appliance Sensor
Cisco 4235 Appliance Sensor
Cisco 4240 Diskless Appliance Sensor
Cisco 4250 Appliance Sensor
Cisco 4250XL Appliance Sensor
Cisco 4255 Diskless Appliance Sensor
Cisco IDSM-2 for Catalyst 6500
Cisco IDS Network Module for Access Routers
Router Sensor
Firewall Sensor
Inline Sensor Support
Inline Mode Versus Promiscuous Mode
Software Bypass
Auto Mode
Off Mode
On Mode
Cisco Sensor Deployment
Internet Boundaries
Extranet Boundaries
Intranet Boundaries
Remote Access Boundaries
Servers and Desktops
Sensor Deployment Considerations
Sensor Placement
Sensor Management and Monitoring Options
Number of Sensors
External Sensor Communications
Cisco Sensor Communications Protocols
Secure Shell
Transport Layer Security (TLS)/Secure Socket Layer (SSL)
Remote Data Exchange Protocol
Event Messages
IP Log Messages
Transaction Messages
Security Device Event Exchange Standard
Cisco Sensor Software Architecture
cidWebServer
IDM Servlet
Event Server Servlet
Transaction Server Servlet
IP Log Server Servlet
mainApp
logApp
authentication
Network Access Controller (NAC)
ctlTransSource
sensorApp
Event Store
cidCLI
Foundation Summary
Q&A
Part II Cisco IPS Configuration
Chapter 2 IPS Command-Line Interface
“Do I Know This Already?” Quiz
Foundation and Supplemental Topics
Sensor Installation
Installing 5.0 Software via the Network
Installing 5.0 Software from a CD
Sensor Initialization
Accessing the CLI
Running the setup Command
Creating the Service Account
Manually Setting the System Clock
Changing your Password
Adding and Removing Users
Adding a Known SSH Host
IPS CLI
Using the Sensor CLI
Prompts
Help
Tab Completion
Command Recall
Command Case Sensitivity
Keywords
User Roles
Administrator
Operator
Viewer
Service
CLI Command Modes
Privileged Exec
Global Configuration
Service
Service Analysis-Engine
Service Authentication
Service Event-Action-Rules
Service Host
Service Interface
Service Logger
Service Network-Access
Service Notification
Service Signature-Definition
Service SSH-Known-Hosts
Service Trusted-Certificates
Service Web-Server
Administrative Tasks
Configuration Tasks
Foundation Summary
Q&A
Chapter 3 Cisco IPS Device Manager (IDM)
“Do I Know This Already?” Quiz
Foundation and Supplemental Topics
Cisco IPS Device Manager
System Requirements for IDM
Navigating IDM
Configuration
Sensor Setup
Interface Configuration
Analysis Engine
Signature Definition
Event Action Rules
Blocking
Simple Network Management Protocol
Auto Update
Monitoring
Back
Forward
Refresh
Help
Configuring Communication Parameters Using IDM
Foundation Summary
Q&A
Chapter 4 Basic Sensor Configuration
“Do I Know This Already?” Quiz
Foundation and Supplemental Topics
Basic Sensor Configuration
Sensor Host Configuration Tasks
Configuring Allowed Hosts
Configuring Sensor User Accounts
Configuring the Sensor’s Time Parameters
Manually Setting the Clock
Configuring the NTP Server Settings
Configuring the Time Zone
Configuring the Summertime Settings
Configuring SSH Hosts
Interface Configuration Tasks
Enabling Monitoring Interfaces
Editing Monitoring Interface Parameters
Configuring Inline Interface Pairs
Configuring Inline Software Bypass
Configuring Traffic Flow Notifications
Analysis Engine Configuration Tasks
Foundation Summary
Q&A
Chapter 5 Basic Cisco IPS Signature Configuration
“Do I Know This Already?” Quiz
Foundation and Supplemental Topics
Configuring Cisco IPS Signatures
Signature Groups
Displaying Signatures by Attack
Displaying Signatures by L2/L3/L4 Protocol
Displaying Signatures by Operating System
Displaying Signatures by Signature Release
Displaying Signatures by Service
Displaying Signatures by Signature Identification
Displaying Signatures by Signature Name
Displaying Signatures by Response Action
Displaying Signatures by Signature Engine
Alarm Summary Modes
Fire Once
Fire All
Alarm Summarization
Variable Alarm Summarization
Basic Signature Configuration
Viewing NSDB Information
Signature Information
Related Threats Information
Viewing NSDB Information
Enabling Signatures
Creating New Signatures
Editing Existing Signatures
Retiring Signatures
Defining Signature Responses
Foundation Summary
Q&A
Chapter 6 Cisco IPS Signature Engines
“Do I Know This Already?” Quiz
Foundation and Supplemental Topics
Cisco IPS Signatures
Cisco IPS Signature Engines
Signature Parameters
Application Inspection and Control Signature Engines
AIC FTP Signature Engine Parameters
AIC HTTP Signature Engine Parameters
Content Types Parameters
Define Web Traffic Policy Parameters
Msg Body Pattern Parameters
Request Methods Parameters
Transfer Encodings Parameters
Atomic Signature Engines
Atomic ARP Engine Parameters
Atomic IP Engine Parameters
Atomic IP ICMP Parameters
Atomic IP TCP Parameters
Atomic IP UDP Parameters
Atomic IP Payload Parameters
Flood Signature Engines
Flood Host Engine Parameters
Flood Host ICMP Parameters
Flood Host UDP Parameters
Flood Net Engine Parameters
Meta Signature Engine
Normalizer Signature Engine
Service Signature Engines
Service DNS Engine Parameters
Service FTP Engine Parameters
Service Generic Engine Parameters
Service H225 Engine Parameters
Service HTTP Engine Parameters
Service Ident Engine Parameters
Service MSSQL Engine Parameters
Service NTP Engine Parameters
Service RPC Engine Parameters
Service SMB Engine Parameters
Service SNMP Engine Parameters
Service SSH Engine Parameters
State Signature Engine
Cisco Login States
LPR Format String States
SMTP States
String Signature Engines
String ICMP Engine Specific Parameters
String TCP Engine-Specific Parameters
Sweep Signature Engines
Sweep Signature Engine Parameters
Unique ICMP Sweep Parameters
Unique TCP Sweep Parameters
Sweep Other TCP Signature Engine Parameters
Trojan Horse Signature Engines
Foundation Summary
Q&A
Chapter 7 Advanced Signature Configuration
“Do I Know This Already?” Quiz
Foundation and Supplemental Topics
Advanced Signature Configuration
Regular Expressions String Matching
Signature Fields
Basic Signature Fields
Signature Description Fields
Engine-Specific Fields
Event Counter Fields
Alert Frequency Fields
Status Fields
Meta-Event Generator
Understanding HTTP and FTP Application Policy Enforcement
Tuning an Existing Signature
Tuning Example
Creating a Custom Signature
Choose a Signature Engine
Network Protocol
Target Address
Target Port
Attack Type
Inspection Criteria
Verify Existing Functionality
Define Signature Parameters
Test Signature Effectiveness
Custom Signature Scenario
Creating Custom Signatures Using IDM
Using IDM Custom Signature Wizard
Cloning an Existing Signature
Foundation Summary
Q&A
Chapter 8 Sensor Tuning
“Do I Know This Already?” Quiz
Foundation and Supplemental Topics
IDS Evasion Techniques
Flooding
Fragmentation
Encryption
Obfuscation
Using Control Characters
Using Hex Representation
Using Unicode Representation
TTL Manipulation
Tuning the Sensor
Configuring IP Log Settings
Configuring Application Policy Settings
Configuring Reassembly Options
Fragment Reassembly
Stream Reassembly
Configuring Reassembly Options
Event Configuration
Event Variables
Target Value Rating
Event Action Override
Event Action Filters
Foundation Summary
Q&A
Part III Cisco IPS Response Configuration
Chapter 9 Cisco IPS Response Configuration
“Do I Know This Already?” Quiz
Foundation and Supplemental Topics
Cisco IPS Response Overview
Inline Actions
Deny Packet Inline
Deny Connection Inline
Deny Attacker Inline
Configuring Deny Attacker Duration Parameter
Logging Actions
Log Attacker Packets
Log Pair Packets
Log Victim Packets
Manual IP Logging
IP Blocking
IP Blocking Definitions
IP Blocking Devices
Cisco Routers
Cisco Catalyst 6000 Switches
Cisco PIX Firewalls
Blocking Guidelines
Antispoofing Mechanisms
Critical Hosts
Network Topology
Entry Points
Signature Selection
Blocking Duration
Device Login Information
Interface ACL Requirements
Blocking Process
ACL Placement Considerations
External Versus Internal
ACLs Versus VACLs
Using Existing ACLs
Master Blocking Sensor
Configuring IP Blocking
Assigning a Blocking Action
Setting Blocking Properties
Setting Blocking Properties via IDM
Defining Addresses Never to Block
Setting Up Logical Devices
Defining Blocking Devices
Defining Blocking Devices Using IDM
Defining Router Blocking Devices Interfaces Using IDM
Defining Cat6K Blocking Device Interfaces Using IDM
Defining Master Blocking Sensors
Configuring a Master Blocking Sensor in IDM
Manual Blocking
Blocking Hosts
Blocking Networks
TCP Reset
Foundation Summary
Q&A
Part IV Cisco IPS Event Monitoring
Chapter 10 Alarm Monitoring and Management
“Do I Know This Already?” Quiz
Foundation and Supplemental Topics
CiscoWorks 2000
Login Process
Authorization Roles
Adding Users
Security Monitor
Installing Security Monitor
Windows Installation
Server Requirements
Client Requirements
Security Monitor User Interface
Configuration Tabs
Options Bar
TOC
Path Bar
Instruction Box
Content Area
Tools Bar
Security Monitor Configuration
Adding Devices
Adding RDEP Devices
Adding PostOffice Devices
Adding IOS Devices
Adding PIX Devices
Importing Devices
Event Notification
Adding Event Rules
Activating Event Rules
Monitoring Devices
Monitoring Connections
Monitoring Statistics
Monitoring Events
Security Monitor Event Viewer
Moving Columns
Deleting Rows and Columns
Delete from This Grid
Delete from Database
Delete Column
Collapsing Rows
Collapse > First Group
Collapse > All Rows
Expanding Rows
Expand > First Group
Expand > All Rows
Suspending and Resuming New Events
Changing Display Preferences
Actions
Cells
Sort By
Boundaries
Severity Indicator
Database
Creating Graphs
By Child
By Time
Tools Pull-Down Menu Options
Explanation
Trigger Packet
IP Logs
Statistics
Options
Resolving Host Names
Security Monitor Administration
Data Management
System Configuration Settings
Defining Event Viewer Preferences
Security Monitor Reports
Defining the Report
Running the Report
Viewing the Report
Foundation Summary
Q&A
Part V Cisco IPS Maintenance and Tuning
Chapter 11 Sensor Maintenance
“Do I Know This Already?” Quiz
Foundation and Supplemental Topics
Sensor Maintenance
Software Updates
IPS Software File Format
Software Type
Cisco IPS Version
Service Pack Level
Signature Version
Extension
Software Update Guidelines
Upgrading Sensor Software
Saving Current Configuration
Software Installation via CLI
Software Installation Using IDM
Configuring Automatic Software Updates Using IDM
Downgrading an Image
Updating the Sensor’s License
Image Recovery
Restoring Default Sensor Configuration
Restoring Default Configuration Using the CLI
Restoring Default Configuration Using IDM
Resetting and Powering Down the Sensor
Resetting the Sensor Using the Sensor CLI
Resetting the Sensor Using IDM
Foundation Summary
Q&A
Chapter 12 Verifying System Configuration
“Do I Know This Already?” Quiz
Foundation and Supplemental Topics
Verifying System Configuration
Viewing Sensor Configuration
Displaying Software Version
Displaying Sensor Configuration
Displaying Sensor PEP Inventory
Viewing Sensor Statistics
Viewing Sensor Events
Viewing Events Using the CLI
Viewing Events Using IDM
Selecting Event Types
Selecting Time Frame for Events
Using the IDM Event Viewer
Debugging Sensor Operation
Verifying Interface Operation
Capturing Packets
Generating Tech-Support Output
Sensor SNMP Access
Enabling SNMP Traps by Using the Sensor CLI
Enabling SNMP Traps Using IDM
Foundation Summary
Q&A
Chapter 13 Cisco IDS Module (IDSM)
“Do I Know This Already?” Quiz
Foundation and Supplemental Topics
Cisco IDS Module
IDSM-2 Technical Specifications
Performance Capabilities
Catalyst 6500 Requirements
Key Features
IDSM-2 Traffic Flow
IDSM-2 Configuration
Verifying IDSM-2 Status
Initializing the IDSM-2
Accessing the IDSM-2 CLI
Logging in to the IDSM-2
Configuring the Command and Control Port
Configuring the Switch Traffic Capture Settings
IDSM-2 Ports
TCP Reset Port
Command and Control Port
Monitoring Ports
Catalyst 6500 Switch Configuration
Configuring the Command and Control Port
Setting VLANs by Using IOS
Setting VLANs by Using CatOS
Monitored Traffic
IDSM-2 Administrative Tasks
Enabling Full Memory Test
Stopping the IDS Module
Troubleshooting the IDSM-2
IDSM-2 Status LED
Catalyst 6500 Commands
show module Command
show port Command
show trunk Command
Foundation Summary
Q&A
Chapter 14 Cisco IDS Network Module for†Access Routers
“Do I Know This Already?” Quiz
Foundation and Supplemental Topics
NM-CIDS Overview
NM-CIDS Key Features
NM-CIDS Specifications
NM-CIDS Front Panel
Traditional Appliance Sensor Network Architecture
NM-CIDS Network Architecture
NM-CIDS Hardware Architecture
NM-CIDS Internal Fast Ethernet Interface
NM-CIDS External Fast Ethernet Interface
Internal Universal Asynchronous Receiver/Transmitter Interface
NM-CIDS Disk, Flash, and Memory
Traffic Capture for NM-CIDS
Cisco IOS Features
Access Control Lists and NM-CIDS
Encryption and NM-CIDS
Inside NAT and NM-CIDS
Outside NAT and NM-CIDS
IP Multicast, IP Broadcast, and UDP Flooding and NM-CIDS
GRE Tunnels and NM-CIDS
Packets Not Forwarded to NM-CIDS
NM-CIDS Installation and Configuration Tasks
Installing the NM-CIDS
Inserting the NM-CIDS into a Router
Connecting the NM-CIDS to the Network
Verifying That the Router Recognizes the NM-CIDS
Verifying That Cisco IOS-IDS is Not Running
Configuring the Internal ids-sensor Interface
Verifying the NM-CIDS Slot Number
Enabling CEF
Configuring the Interface
Assigning the Clock Settings
Using the Router Time Source
Using an NTP Time Source
Configuring NM-CIDS Clock Mode
Setting Up Packet Monitoring
Logging In to NM-CIDS Console
Accessing NM-CIDS via a Session
Accessing NM-CIDS via Telnet
NM-CIDS Login
Performing Initial Sensor Configuration
NM-CIDS Maintenance Tasks
Reloading the NM-CIDS
Resetting the NM-CIDS
Shutting Down the NM-CIDS
Viewing the NM-CIDS Status
Recovering the NM-CIDS Software Image
Configuring the Boot Loader
Booting the Helper Image
Selecting the File Transfer Method
Installing the Application Image
Booting the Application Image
Configuring the IPS Application
Foundation Summary
Q&A
Chapter 15 Capturing Network Traffic
“Do I Know This Already?” Quiz
Foundation and Supplemental Topics
Capturing Network Traffic
Capturing Traffic for Inline Mode
Capturing Traffic for Promiscuous Mode
Traffic Capture Devices
Hub Traffic Flow
Network Tap Traffic Flow
Switch Traffic Flow
Switch Capture Mechanisms
Switched Port Analyzer
Remote Switched Port Analyzer
VLAN Access Control Lists
TCP Resets and Switches
Configuring SPAN for Catalyst 4500 and 6500 Traffic Capture
The monitor session Command
Configuring RSPAN for Catalyst 4500 and 6500 Traffic Capture
Configuring VACLs for Catalyst 6500 Traffic Capture
Configure an ACL
Create a VLAN Access Map
Match ACL to Access Map
Define Action for Access Map
Apply Access Map to VLANs
Configure Capture Ports
Configuring VACLs for Traffic Capture With Cisco Catalyst 6500 IOS Firewall
Configure the Extended ACL
Apply ACL to an Interface or VLAN
Assign the Capture Port
Advanced Catalyst 6500 Traffic Capture
Configure Destination Port
Define Trunks to Capture
Assign Switch Ports to VLANs
Create the VACL
Foundation Summary
Q&A
Appendix Answers to the “Do I Know This†Already?” Quizzes and Q&A†Questions
Chapter 1
Chapter 2
Chapter 3
Chapter 4
Chapter 5
Chapter 6
Chapter 7
Chapter 8
Chapter 9
Chapter 10
Chapter 11
Chapter 12
Chapter 13
Chapter 14
Chapter 15
Index
Download - 2 MB -- Index
Page 316 – second paragraph should read:
Leaving this box unchecked causes the sensor to place a permit entry for the sensor’s ip address at the beginning of the dynamically crated block entries.
Download - 76.8 KB - Updated CD-ROM Registration Program