In this course, you will gain the skills required to deploy Cisco's recently updated version 6.0 network-based Intrusion Prevention System (IPS). New features added to version 6.0 include virtual sensor support, passive OS fingerprinting, and anomaly detection. The course introduces you to Cisco IPS platforms, including the 4200 Series Sensors, the Catalyst 6000 Series Intrusion Detection Module 2 (IDSM2), the Advanced Inspection, and Prevention Security Services Module (AIP-SSM). The command line and the IPS Device Manager GUI are used to configure the sensor.
Prerequisites
- ICND2 - Interconnecting Cisco Network Devices 2
- IINS - Implementing Cisco IOS Network Security
What You'll Learn
- How Cisco IPS protects network devices from attacks
- Basic intrusion prevention terminology
- Different intrusion prevention technologies and evasive techniques
- Cisco IPS Sensor platforms and their features
- Install and configure basic settings on a Cisco IPS 4200 Series Sensor
- Use the Cisco IPS Device Manager (IDM) to configure built-in signatures to meet the requirements of a given security policy
- Create and implement customized intrusion prevention signatures
- Create alarm filters to reduce alarms and possible false positives
- Configure IPS protective reactions such as TCP reset and deny attacker inline
- Configure a Cisco IPS Sensor to perform blocking on IOS routers and Adaptive Security Appliances (ASAs) or PIX firewalls
- Perform maintenance operations such as signature updates
- Configure and monitor anomaly detection, passive OS fingerprinting, and virtual sensors
- Initialize and install remaining Cisco IPS family of products
- Use the CLI and Cisco IDM to obtain system information
- Configure the Cisco IPS sensor to allow a SNMP NMS to monitor the Cisco IPS sensor
Who Needs to Attend
- Internetwork professionals who want to ensure security on their network or who seek Cisco certification.
Course Outline
1. Intrusion Prevention Overview
- Explanation of Intrusion Prevention
- Cisco IPS Products
- Cisco IPS Sensor Software Solutions
- Evasive Techniques
2. Installation of a Cisco IPS 4200 Series Sensor
- Installing an IPS Sensor Using the CLI
- Using the Cisco IDM
- Configuring Basic Sensor Settings
3. Cisco IPS Signatures
- Configuring Cisco IPS Signatures and Alarms
- Signature Engines
- Customizing Signatures
4. Advanced Cisco IPS Configuration
- Advanced Tuning of Cisco IPS Sensors
- Monitoring and Managing Alarms
- Configuring a Virtual Sensor
- Configuring Advanced Features
- Configuring Blocking
5. Additional Cisco IPS Devices
- Cisco IDS Module
- Cisco ASA AIP-SSM
6. Cisco IPS Sensor Maintenance
- Maintaining Cisco IPS Sensors
- Managing Cisco IPS Sensors
Labs
Lab 1: Cisco IPS Sensor CLI
- Reimage the sensor from the recovery partition
- Initial login to the sensor
- Initial set up of the sensor
- Configure the sensor via the CLI
- Manage user accounts
- Back up the sensor's configuration
Lab 2: IPS Device Manager
- Launch IDM and login
- Configure the sensor using IDM, including sensing interfaces, allowed hosts, user accounts, and NTP
- Manage user accounts with IDM
- Monitor events on the sensor using IDM
- Experiment with the sensor's Software Bypass feature
Lab 3: IPS Event Viewer
- Install and Configure IEV
- Create various alert conditions
- IEV Default Views
- IEV Filters
- IEV Custom Views
- Real-Time Dashboard
- IEV Reports
Lab 4: Working with Signatures
- Test a Reference Signature
- Investigate the Deny Packet Inline Action
- Investigate the Deny Attacker Inline Action
Lab 5: Signature Configuration
- Configure and test the HTTP application firewall
- Create and test a Meta event
- Create a signature using the Signature Wizard
- Create a signature with the Signature Wizard, defining the signature engine first
Lab 6: Sensor Tuning
- Understand Fragment Reassembly and Stream Reassembly options
- Configure and use event variables
- Understand Risk Rating
- Configure Event Action Overrides
- Configure Event Action Filters
Lab 7: Virtual Sensors
- Implement a second Virtual Sensor
- Remove the second Virtual Sensor
Lab 8: Anomaly Detection and OS Fingerprinting
- Examine Anomaly Detection Status
- Configure Anomaly Detection
- Test Anomaly Detection
- Configure a manual OS mapping
Lab 9: Monitoring and Maintaining the Sensor
- Update the sensor via IDM
- Troubleshooting via IDM
Labs
We've enhanced our labs beyond what you'll find in a standard Authorized Cisco IPS course. Our labs cover everything that Cisco teaches plus our own exclusive material.
Lab 0: Remote Lab Environment
We provide an unparalleled lab infrastructure for CCSP-oriented courses. For IPS, each pod has a router, a switch, a PIX Firewall, a 4200 Series IPS Sensor, and four PC systems. These devices are organized in a real-world fashion and are configured to work together to provide a complete security solution. The four PCs are strategically placed in the topology to provide interesting and realistic demonstrations of function. An Inside PC is treated like the Security Administrator's office desktop PC, and an Inside Server runs the applications (such as Cisco Secure Access Control Server) intended to be installed in the data center and shared among multiple administrators. The DMZ server is partially exposed to the Internet and provides HTTP and FTP services. An Outside PC connected to the simulated Internet is often used as the source of network attack traffic.
Lab 1: Cisco IPS Sensor CLI
- Reimage the sensor from the recovery partition
- Initial login to the sensor
- Initial set up of the sensor
- Exclusive - Configure the switching fabric to support IPS
- Exclusive - Demonstrate intrusion detection
- Configure the sensor via the CLI
- Manage user accounts
- Exclusive - Perform a signature update
- Exclusive - View and tune signatures via the CLI and trigger signatures
- Back up the sensor's configuration
- Exclusive - Back up the sensor's configuration to an FTP server
Lab 2: IPS Device Manager
- Exclusive - Install and configure the Java plug-in for IDM support
- Exclusive - Install the IDM application launcher locally
- Exclusive - Sensor starts in a default state, so complete initialization is performed
- Launch IDM and login
- Configure the sensor using IDM, including sensing interfaces, allowed hosts, user accounts, and NTP
- Manage user accounts with IDM
- Monitor events on the sensor using IDM
- Experiment with the sensor's Software Bypass feature
Lab 3: IPS Event Viewer
- Install and Configure IEV
- Create various alert conditions
- IEV Default Views
- IEV Filters
- IEV Custom Views
- Real-Time Dashboard
- Exclusive - IEV Graphs
- IEV Reports
Lab 4: Working with Signatures
- Test a Reference Signature
- Investigate the Deny Packet Inline Action
- Exclusive - Investigate the Reset TCP Connection Action
- Investigate the Deny Attacker Inline Action
- Exclusive - Investigate the Log Pair Packets Action
- Exclusive - Investigate the Produce Verbose Alert Action
Lab 5: Exclusive - Examining Signature Engines
- Examine the definition of signatures for seven different sensor engines to understand how the engines and signatures work. Cause suspicious conditions to trigger these signatures and produce alerts.
- Atomic IP Engine
- Flood Host Engine
- Service HTTP Engine
- String TCP Engine
- Sweep Engine
- Meta Engine
- Normalizer Engine
Lab 6: Signature Configuration
- Exclusive - Configure and demonstrate behavior changes with Alarm Summarization settings
- Configure and test the HTTP application firewall
- Create and test a Meta event
- Create a signature using the Signature Wizard
- Create a signature with the Signature Wizard, defining the signature engine first
Lab 7: Sensor Tuning
- Understand Fragment Reassembly and Stream Reassembly options
- Configure and use event variables
- Understand Risk Rating
- Configure Event Action Overrides
- Configure Event Action Filters
Lab 8: Virtual Sensors
- Implement a second Virtual Sensor
- Exclusive - Configure the switch fabric to support the second Virtual Sensor
- Exclusive - Test the two Virtual Sensors
- Exclusive - Configure and test unique signature policies
- Remove the second Virtual Sensor
Lab 9: Anomaly Detection and OS Fingerprinting
- Examine Anomaly Detection Status
- Configure Anomaly Detection
- Test Anomaly Detection
- Configure a manual OS mapping
- Exclusive - Test OS mapping affect on Risk Rating
Lab 10: Exclusive - Blocking
- Configure Blocking settings and configure a signature with the Blocking action
- Implement blocking using an IOS router as the blocking device
- Implement blocking using an ASA as the blocking device
Lab 11: Monitoring and Maintaining the Sensor
- Update the sensor via IDM
- Exclusive - Using the Service Account
- Exclusive - Administration of IEV Data Sources
- Exclusive - Troubleshooting via the CLI
- Exclusive - Capturing traffic from the CLI
- Troubleshooting via IDM
Classroom Dates and Locations
Date |
Location Details |
|
| Aug 4 - 7, 2009 |
Washington, DC |
Register |
| Aug 11 - 14, 2009 |
Dallas, TX |
Register |
| Aug 25 - 28, 2009 |
Chicago (Schaumburg), IL |
Register |
| Aug 25 - 28, 2009 |
Toronto, ON |
Register |
| Sep 22 - 25, 2009 |
San Jose, CA |
Register |
| Sep 29 - Oct 2, 2009 |
Raleigh, NC |
Register |
| Oct 20 - 23, 2009 |
Morristown, NJ |
Register |
| Oct 27 - 30, 2009 |
Los Angeles, CA |
Register |
| Nov 3 - 6, 2009 |
Washington, DC |
Register |
| Nov 17 - 20, 2009 |
Montreal, QC |
Register |
| Nov 17 - 20, 2009 |
Dallas, TX |
Register |
| Dec 1 - 4, 2009 |
Chicago (Schaumburg), IL |
Register |
| Dec 8 - 11, 2009 |
Toronto, ON |
Register |
| Dec 15 - 18, 2009 |
Ottawa, ON |
Register |
| Jan 5 - 8, 2010 |
New York, NY |
Register |
| Jan 12 - 15, 2010 |
Atlanta, GA |
Register |
| Jan 19 - 22, 2010 |
San Jose, CA |
Register |
| Jan 26 - 29, 2010 |
Washington, DC |
Register |
| Feb 9 - 12, 2010 |
Houston, TX |
Register |
| Feb 23 - 26, 2010 |
Dallas, TX |
Register |
| Mar 2 - 5, 2010 |
Chicago (Schaumburg), IL |
Register |
| Mar 16 - 19, 2010 |
Boston, MA |
Register |
| Mar 23 - 26, 2010 |
Raleigh, NC |
Register |
Don’t see the location or date you need? No problem – just use our By Request service.
