CCNP Security: IPSv7.0 Exam Prep (2012 San Diego)
 


Network Intrusion Prevention and Detection technologies are much more effective when they are deployed and managed effectively by network and security administrators. In this session, we will discuss the new CCNP Security IPS Exam 642-627 (formerly the CCSP IPS Exam). The session includes a high-level overview of Cisco IPS hardware and software and touches on other important topics that will prepare the audience for the exam.

Cisco Live 365: https://www.ciscolive365.com/connect/sessionDetail.ww?SESSION_ID=4208


    Presentation Transcript

    • CCNP Security: IPSv7.0 Exam Prep
      BRKCRT-3133 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public
    • Agenda
      ‒ CCNP Security IPSv7 Exam Topics Review
      ‒ Introduction to Intrusion Prevention & Detection
      ‒ Installing and Maintaining Cisco IPS Sensors
      ‒ Applying Cisco IPS Security Policies
      ‒ Deploying Anomaly-based Operation
      ‒ Managing & Analyzing Events
      ‒ Deploying Virtualization, High Availability, and High Performance Solutions
      ‒ Configuring and Maintaining Specific Cisco IPS Hardware
    • IPSv7.0 Exam Topics Review
    • Disclaimer / Warning
      ‒ This session will strictly adhere to Cisco's rules of confidentiality
      ‒ We may not be able to address specific questions
      ‒ If you have taken the exam, please refrain from asking questions from the exam; this protects you from disqualification
      ‒ We will be available after the session to direct you to resources to assist with specific questions or to provide clarification
    • CCNP Security Certified Means…
      ‒ All four CCNP Security exams required. No elective options.
      ‒ Some legacy CCSP exams qualify for CCNP Security credit. See FAQ: https://learningnetwork.cisco.com/docs/DOC-10424
      Exam No.   Exam Name
      642-637    Securing Networks with Cisco Routers and Switches (SECURE)
      642-627    Implementing Cisco Intrusion Prevention System (IPS)
      642-617    Deploying Cisco ASA Firewall Solutions (FIREWALL)
      642-647    Deploying Cisco ASA VPN Solutions (VPN)
    • 642-627 IPS Exam
      ‒ Approximately 90 minute exam
      ‒ 60-70 questions
      ‒ Register with Pearson Vue: http://www.vue.com/cisco
      ‒ Exam cost is $150.00 US
    • Test Tips
      Question types:
      ‒ Multiple-choice single answer
      ‒ Multiple-choice multiple answer
      ‒ Drag-and-drop
      ‒ Fill-in-the-blank
      ‒ Testlet / Simlet / Simulations
      Tips:
      ‒ Rule out the nonsense
      ‒ Look for the best answer when multiple exist
      ‒ Look for subtle keys
      ‒ Narrow it down
      ‒ Relate to how the device works
      ‒ Don't waste too much time
    • Preparing for the IPS Exam
      ‒ Recommended reading: CCNP Security IPS 642-627 Official Cert Guide (ISBN-10: 1-58714-255-4)
      ‒ Recommended training via Cisco Learning Partners: Deploying Cisco IPS Solutions
      ‒ Cisco Learning Network: www.cisco.com/go/learnnetspace
      ‒ Practical experience: real equipment; IDM in demo mode
    • IPSv7.0 Exam Topics
      Pre-Production Design
      ‒ Choose Cisco IPS technologies to implement High Level Design
      ‒ Choose Cisco products to implement High Level Design
      ‒ Choose Cisco IPS features to implement High Level Design
      ‒ Integrate Cisco network security solutions with other security technologies
      ‒ Create and test initial Cisco IPS configurations for new devices/services
      Complex Support Operations
      ‒ Optimize Cisco IPS security infrastructure device performance
      ‒ Create complex network security rules to meet the security policy requirements
      ‒ Configure and verify the IPS features to identify threats and dynamically block them from entering the network
      ‒ Maintain, update and tune IPS signatures
      ‒ Use CSM and MARS for IPS management, deployment, and advanced event correlation
      ‒ Optimize security functions, rules, and configuration
      Advanced Troubleshooting
      ‒ Advanced Cisco IPS security software configuration fault finding and repairing
      ‒ Advanced Cisco IPS sensor and module hardware fault finding and repairing
    • Introduction to Intrusion Prevention and Detection
    • The Evolution of the Internet: A Shift to Financial Gain
      Threats are becoming increasingly difficult to detect and mitigate. Threat severity over time (1990, 1995, 2000, 2005, 2007, 2010):
      ‒ Notoriety: basic intrusions and viruses
      ‒ Fame: viruses and malware
      ‒ Financial: theft and damage
    • Today's Complex Security Threats Require Systemwide Collaboration
      Top-Ten Cyber Security Menaces:
      ‒ Sophisticated website attacks
      ‒ Increasing botnet sophistication and effectiveness
      ‒ Growing cyber espionage
      ‒ Emerging mobile phone threats
      ‒ Insider attacks
      ‒ Advanced identity theft
      ‒ Increasingly malicious spyware
      ‒ Web application security exploits
      ‒ Sophisticated social engineering
      ‒ Supply-chain attacks infecting consumer devices
    • Cisco's Architecture for Borderless Network Security
      (Figure) Policy (Access Control, Acceptable Use, Malware, Data Security) applied across the Borderless Data Center (Infrastructure, Platform and Software as a Service; Applications and Data), the Corporate Border, Corporate Office and Branch Office, the Borderless Internet, and the Borderless End Zones (Home Office, Airport, Mobile User, Coffee Shop), with Attackers, Partners and Customers outside.
    • Cisco Intrusion Prevention Services
      Intelligent Detection
      ‒ Vulnerability and exploit specific signatures
      ‒ Traffic and protocol anomaly detection
      ‒ Knowledge base anomaly detection
      ‒ Reputation filters
      Precision Response
      ‒ Risk management-based policy
      ‒ Global Correlation adding reputation
      ‒ On-box correlation through Meta Event Generator
      ‒ "Trustworthiness" linkages with the endpoint
      Flexible Deployment
      ‒ Passive and/or inline with flexible response (IDS/IPS)
      ‒ Sensor virtualization
      ‒ Physical and logical (VLAN) interface support
      ‒ Software and hardware bypass
    • Cisco IPS Intelligent Detection Capabilities: Vulnerability and Exploit-Based Signatures
      IPv4 and IPv6 coverage across these categories (examples from the slide):
      ‒ Adware/Spyware: Perfect Keylogger Activity, Hotbar Activity
      ‒ Worm/Virus/Trojan: Storm, Mega-D, Blaster, Nimda, Sasser, Code Red, Slammer, Backdoor Trojan Spirit, Backdoor Beast, Fatso Worm, Kelvir Worm
      ‒ P2P/IM protection: AIM/ICQ, AOL, MSN, Sametime, Yahoo, BitTorrent, Kazaa, eDonkey, Jabber
      ‒ DDOS/DOS: ICMP/UDP/TCP floods
      ‒ Secure Voice: SIP, H323, H225
      ‒ Web Server: Apache, Internet Information Server (IIS)
      ‒ Reconnaissance: ICMP host sweeps, TCP port sweeps, TCP/UDP combo sweeps, UDP port sweeps
      ‒ Network, L2/3/4: BGP, DHCP, DNS, TCP/UDP, IP, IP Fragment
      ‒ Email: POP, IMAP, SMTP, Microsoft Exchange
    • Cisco IPS Product Portfolio: Integrated Security Across the Network
      Cisco IPS 4200 Series Sensors
      ‒ IPS 4240: 250 Mbps
      ‒ IPS 4255: 600 Mbps
      ‒ IPS 4260: 1 Gbps
      ‒ IPS 4270: 4 Gbps
      Cisco ASA 5500 Series IPS Editions and AIP Modules
      ‒ ASA 5510: up to 150 Mbps; ASA 5520: up to 375 Mbps; ASA 5540: up to 650 Mbps
      ‒ AIP SSC-5: 75 Mbps; AIP SSM-10: 225 Mbps; AIP SSM-20: 500 Mbps; AIP SSM-40: 650 Mbps
      The IPS hardware platforms share the same IPS features, functionality and signatures, and the same configuration CLI and GUI look and feel.
      Catalyst 6500 Service Modules
      ‒ Catalyst IDSM-2 Bundle: 2 Gbps
      ‒ IDSM2: 500 Mbps
      Cisco ISR Modules
      ‒ NME-IPS-K9*: 75 Mbps
      ‒ AIM-IPS-K9**: 45 Mbps
      Cisco IOS IPS (software)
      ‒ Native IOS IPS for the Cisco ISR; a subset of IPS features/signatures
      ‒ A variety of performance points for the branch office environment
      ‒ Different CLI, GUI
    • Cisco IPS 4200 Series Sensors Comparison
      ‒ Maximum traffic throughput: 4240 300 Mbps; 4255 600 Mbps; 4260 2 Gbps; 4270 4 Gbps
      ‒ Sensing interfaces: 4240 four 10/100/1000BASE-TX; 4255 four 10/100/1000BASE-TX; 4260 four 10/100/1000BASE-TX or four 1000BASE-SX; 4270 10/100/1000BASE-TX or two 10GE-SX
      ‒ Command and control interface: 4240 10/100BASE-TX; 4255 10/100BASE-TX; 4260 10/100/1000BASE-TX; 4270 10/100/1000BASE-TX
      ‒ Optional network integration interfaces: 4240 none; 4255 none; 4260 yes; 4270 yes
      ‒ Redundant power supply: 4240 no; 4255 no; 4260 optional; 4270 yes
    • AIP-SSM Module Platforms / Subscription Levels
      ‒ CSC SSM-10 subscription levels: 50, 100, 250, 500 users
      ‒ CSC SSM-20 subscription levels: 500, 750, 1,000 users
      ‒ AIP-SSM is managed via its own IP address
      ‒ AIP-SSM has an out-of-band management port
      ‒ It is necessary to boot-strap the AIP-SSM (IP routing, restrict login, NTP) from the "console"; the "console" is reached via the ASA "session" command
      (Figure: physical view and logical view; the module has no physical console, only the management port and the backplane connection)
    • Catalyst 6500 IDSM2
      ‒ IPS and IDS module for Catalyst 6500
      ‒ 1 RU
      ‒ Max performance IPS 500 Mbps
      ‒ Max performance IDS 600 Mbps
      ‒ Up to 8 IDSM2 per chassis, scalable with EtherChannel load balancing
      ‒ IDSM2 has no physical interfaces (no console or LAN ports)
      ‒ Catalyst 6500 backplane used for: 1. initial console access (boot-strap); 2. management access via SSH, SDEE; 3. data traffic in IPS mode; 4. data traffic in IDS mode
      (Figure: logical and physical view; the backplane carries console, management network, data VLANs (IDS) and data VLANs (IPS); no physical ports)
    • Cisco ASA 5585-X (Bad Boy on the Block): Next Generation Multi-Service Adaptive Security Appliance
      ‒ Scalability and performance: up to 10 Gbps and 350,000 connections per second with advanced threat protection, with Botnet Traffic Filtering and hardware-accelerated IPS with Global Correlation.
      ‒ Multi-service chassis: the same chassis supports different line card performance options for campus, core and data centre applications.
      ‒ Data centre HA features: building block for virtualized cloud computing data centers, with HA features such as OIR*, redundant hot-swappable power supplies, 2RU form factor.
      (Figure caption: Building Block for Secure Data Centre Cloud Services)
    • Cisco ASA 5585-X Chassis
      2RU 19in rack-mountable chassis
      ‒ Same chassis for all ASA 5585 products
      ‒ Supports 2 full-slot modules, or 1 full and 2 half-slot modules; full-sized modules available at FCS
      ‒ Weighs 62 lbs with 2 modules and 2 power supplies
      ‒ ASA SSP required in Slot 0
      ‒ IPS SSP optional in Slot 1
      ‒ IPS-SSP has its own console port (like 4260/4270)
    • ASA 5585-X IPS Module Hardware Comparison
      ‒ Processor: SSP-10 yes; SSP-20 yes; SSP-40 yes (dual CPU); SSP-60 yes (dual CPU)
      ‒ Maximum memory: SSP-10 6 GB; SSP-20 12 GB; SSP-40 24 GB; SSP-60 48 GB
      ‒ Maximum storage: 2 GB eUSB on all four
      ‒ Ports: SSP-10 and SSP-20: 2 x SFP+, 8 x 1GbE Cu, 2 x 1GbE Cu Mgmt; SSP-40 and SSP-60: 4 x SFP+, 6 x 1GbE Cu, 2 x 1GbE Cu Mgmt
      ‒ Concurrent firewall and IPS throughput: SSP-10 2 Gbps; SSP-20 3 Gbps; SSP-40 5 Gbps; SSP-60 10 Gbps
    • Cisco IPS Architecture
      Inputs: Cisco Threat Intelligence, Signature Updates, Context Data, Engine Updates, Global Correlation Services
      ‒ Attack de-obfuscation: normalize inbound traffic to remove attempts to hide an attack
      ‒ Modular inspection engines: Vulnerability, Exploit, Behavioral Anomaly, Protocol Anomaly
      ‒ On-box correlation: Meta Event Generator for event correlation
      ‒ Risk-based policy control: a calibrated "Risk Rating" is computed for each event; Event Action policy is based on risk categories (e.g. High / Med / Low); filters for known benign triggers
      ‒ Reputation filter: traffic from known-bad hosts is dropped
      ‒ Virtual sensor selection: traffic is directed to the appropriate virtual sensor by interface or VLAN
      ‒ Forensics capture
      ‒ Mitigation and alarm logging: the "Threat Rating" of an event indicates the level of residual risk
    • IPS Sensor Architecture
      (Figure) Components: Event Store; IDAPI (Inter-Process Communication); Transactional Services; IDM (RDEP / SDEE); CLI; Sensor App; Correlation App; ARC (Main App); SSH / Web Server / Telnet; Sensor Interfaces and TCP/IP Stack
    • Packet Flow in IPS v7.0
      ‒ IPS Reputation Filters block access to IPs on stolen 'zombie' networks or networks controlled entirely by malicious organizations.
      ‒ Global Correlation Inspection raises the Risk Rating of events when the attacker has a negative reputation, allowing those events to be blocked more confidently and more often than an event without negative reputation.
    • Overview of Intrusion Detection Systems (IDS)
      ‒ Management interface: no network traffic passes on this interface (has an IP address assigned)
      ‒ Sensing interface: receives copies of network traffic from a SPAN port, hub, tap, or VACL capture; it does not sit in the flow of traffic (does not have an IP address)
    • Overview of Intrusion Prevention Systems (IPS)
      ‒ Management interface: no network traffic passes on this interface (has an IP address assigned)
      ‒ The sensor sits in the traffic path and has the capability to drop traffic when desired; inline interfaces do not have IP addresses
      ‒ Cisco IPS operates at Layer 2 and can be thought of as a "Smart Wire"
    • Areas of Network IPS or IDS Deployment
      ‒ Data Center
      ‒ Remote/Branch Office Connectivity
      ‒ Management Network
      ‒ Corporate Network
      ‒ Internet Edge
      ‒ Remote Access Systems
      ‒ Business Partner / Extranet Access Connections
      ‒ Centralized Campus Connections
    • Key Terms & Acronyms
      ‒ False Positive, False Negative, True Positive, True Negative
      ‒ Signature (pattern); Anomaly (out of norm); Threat (circumstance or event); Vulnerability (or weakness); Exploit (mechanism used); Risk (likelihood)
      ‒ SDEE (Security Device Event Exchange); IDM (IPS Device Manager); IME (IPS Manager Express)
      ‒ SFR: Signature Fidelity Rating; ARR: Attack Relevancy Rating; ASR: Attack Severity Rating; TVR: Target Value Rating; PD: Promiscuous Delta; WLR: Watch List Rating
    • Security Controls
      ‒ False Positive: a security control acted when malicious activity did not take place.
      ‒ False Negative: a security control did not act when malicious activity took place.
      ‒ True Positive: a security control acted when malicious activity took place.
      ‒ True Negative: a security control did not act and malicious activity did not take place.
    • Threat and Risk Rating
      IPS variable: component; source; values
      ‒ Signature Fidelity Rating (SFR) & Promiscuous Delta (PD): signature accuracy; both are preconfigured in a signature and tunable; SFR = 0-100, PD = 0-30
      ‒ Attack Severity Rating (ASR): potential damage; preconfigured in a signature and tunable; 25 Informational, 50 Low, 75 Medium, 100 High
      ‒ Target Value Rating (TVR): target asset value; manually configured; 50 Zero, 75 Low, 100 Medium, 150 High, 200 Mission Critical
      ‒ Attack Relevancy Rating (ARR): attack relevancy; collected or manually configured; 10 Relevant, 0 Unknown, -10 Not Relevant
      ‒ Watch List Rating (WLR): clues from other controls; collected; 0-100
    • Calculating Threat and Risk
      RR = [(ASR x TVR x SFR) / 10,000] + ARR – PD + WLR
      Example:
      ‒ ASR = 75, SFR = 90, PD = 0 (inline mode), TVR = 100, ARR = 10, and WLR = 0
      ‒ RR = [(75 x 100 x 90) / 10,000] + 10 – 0 + 0 = 78
      TR = RR – Threat Rating Adjustment
      ‒ Configuration > Policies > Event Action Rules > rules0 pane, General tab
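The formula and worked example above, carried through in code as an added example that is not part of the presentation: the discrete values and ranges follow the Threat and Risk Rating slide, while half-up rounding of the division, the 0-100 clamp on RR and the category bands in the demo are assumptions, and the Threat Rating Adjustment is passed in by the caller because the slides give no values for it.

```python
"""Cisco IPS Risk Rating (RR) and Threat Rating (TR) as defined on the slides.

Added example, not from the presentation. Allowed values follow the
"Threat and Risk Rating" table; rounding and the 0-100 clamp are assumptions.
"""

# Discrete values from the slide's table
ASR_VALUES = {"informational": 25, "low": 50, "medium": 75, "high": 100}
TVR_VALUES = {"zero": 50, "low": 75, "medium": 100, "high": 150, "mission-critical": 200}
ARR_VALUES = {"relevant": 10, "unknown": 0, "not-relevant": -10}


def _check_range(name: str, value: int, low: int, high: int) -> None:
    if not low <= value <= high:
        raise ValueError(f"{name} must be between {low} and {high}, got {value}")


def risk_rating(asr: int, tvr: int, sfr: int, arr: int, pd: int, wlr: int,
                promiscuous: bool = False) -> int:
    """RR = [(ASR x TVR x SFR) / 10,000] + ARR - PD + WLR.

    PD (Promiscuous Delta) is only subtracted when the sensor runs in
    promiscuous mode; an inline sensor uses PD = 0, as in the slide's example.
    """
    if asr not in ASR_VALUES.values():
        raise ValueError(f"ASR must be one of {sorted(ASR_VALUES.values())}")
    if tvr not in TVR_VALUES.values():
        raise ValueError(f"TVR must be one of {sorted(TVR_VALUES.values())}")
    if arr not in ARR_VALUES.values():
        raise ValueError(f"ARR must be one of {sorted(ARR_VALUES.values())}")
    _check_range("SFR", sfr, 0, 100)
    _check_range("PD", pd, 0, 30)
    _check_range("WLR", wlr, 0, 100)

    # Integer division rounded half-up: the slide's example yields 78, which only
    # matches if 67.5 rounds up to 68. Assumption, not stated on the slide.
    base = (asr * tvr * sfr + 5_000) // 10_000
    rr = base + arr - (pd if promiscuous else 0) + wlr
    # Assumption: RR is reported on a 0-100 scale, so out-of-range sums are clamped.
    return max(0, min(100, rr))


def threat_rating(rr: int, adjustment: int) -> int:
    """TR = RR - Threat Rating Adjustment.

    The adjustment reflects the deny action the sensor already took; the slide
    gives no numbers, so the caller supplies it.
    """
    _check_range("Threat Rating Adjustment", adjustment, 0, 100)
    return max(0, rr - adjustment)


def risk_category(rr: int, bands: dict) -> str:
    """Map an RR onto a named risk category using caller-supplied (low, high) bands."""
    for name, (low, high) in bands.items():
        if low <= rr <= high:
            return name
    raise ValueError(f"no category covers RR {rr}")


if __name__ == "__main__":
    # The slide's worked example: ASR 75, SFR 90, PD 0 (inline), TVR 100, ARR 10, WLR 0
    rr = risk_rating(asr=75, tvr=100, sfr=90, arr=10, pd=0, wlr=0)
    print(f"inline RR = {rr}")  # 78, matching the slide

    # Same signature seen by a promiscuous sensor with a PD of 20 (constructed value)
    rr_prom = risk_rating(asr=75, tvr=100, sfr=90, arr=10, pd=20, wlr=0, promiscuous=True)
    print(f"promiscuous RR = {rr_prom}")  # 58

    # Constructed bands: the slide names High / Med / Low but gives no thresholds
    bands = {"low": (0, 69), "medium": (70, 89), "high": (90, 100)}
    print(f"category = {risk_category(rr, bands)}")  # medium
```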
    • Installing and Maintaining Cisco IPS Sensors
    • IPS Deployment Options
      ‒ Promiscuous Mode
      ‒ Inline Modes: Inline Interface Pair; Inline VLAN Pair; Inline VLAN Group; Selective Inline Analysis
    • Cisco IPS Sensor Promiscuous Mode Deployment
      (Figure: attacker, user and target; integrated security detects and thwarts the attack, and network devices are self-protected during an attack)
    • Cisco IPS Sensor Inline Interface Mode Deployment
      Pair interfaces GE0/0 <-> GE0/1. Two cases:
      ‒ A sensor connecting two physically separate networks or infrastructures
      ‒ A sensor connecting two VLANs (switch port GE0/11 in VLAN 11 to sensor GE0/0, switch port GE0/12 in VLAN 12 to sensor GE0/1); switch configuration:
        interface GigabitEthernet0/11
         description Port to IPS sensor GE0/0
         switchport mode access
         switchport access vlan 11
        interface GigabitEthernet0/12
         description Port to IPS sensor GE0/1
         switchport mode access
         switchport access vlan 12
    • Cisco IPS Sensor Inline VLAN Pair Mode Deployment
      Pair VLANs 11 <-> 12 on the sensor's single interface GE0/1, which connects to switch port GE0/1. Configure the sensor port for trunking. **Important: allow the VLAN pair on the trunk**
        interface GigabitEthernet0/11
         description Port in VLAN 11
         switchport mode access
         switchport access vlan 11
        interface GigabitEthernet0/12
         description Port in VLAN 12
         switchport mode access
         switchport access vlan 12
        interface GigabitEthernet0/1
         description IPS sensor on a trunk port
         switchport mode trunk
         switchport trunk allowed vlan 11,12
    • Cisco IPS Sensor Inline VLAN Group Mode Deployment
      Pair interfaces GE0/0 <-> GE0/1; GE0/0 trunks to Switch A and GE0/1 trunks to Switch B, both trunks carrying VLANs 11, 12, 13 and 14. Policy 1 applies to VLANs 11 and 12, Policy 2 to VLANs 13 and 14.
      Switch A configuration:
        interface GigabitEthernet0/1
         description Trunk to IPS sensor GE0/0
         switchport mode trunk
         switchport trunk allowed vlan 11,12,13,14
      Switch B configuration:
        interface GigabitEthernet0/1
         description Trunk to IPS sensor GE0/1
         switchport mode trunk
         switchport trunk allowed vlan 11,12,13,14
    • Cisco IPS Sensor Selective Inline Analysis Mode Deployment
      Only the "interesting" traffic matched by the ACL is redirected to the module; non-interesting traffic bypasses inspection.
      AIM-IPS or NME-IPS (ISR, IOS syntax; an extended ACL is required to match source and destination):
        ip access-list extended Capture_ACL
         permit ip any host 10.1.1.1
         permit ip host 10.1.1.1 any
        !
        interface GigabitEthernet0/1
         ids-service-module monitoring inline access-list Capture_ACL
      AIP-SSC or AIP-SSM (ASA syntax; a port match needs a TCP rule):
        access-list Capture_ACL extended permit tcp any host 10.1.1.1 eq 80
        !
        class-map IDS
         match access-list Capture_ACL
        !
        policy-map global_policy
         class IDS
          ips inline fail-close
    • Applying Cisco IPS Security Policies
    • IPS 4200 Appliance Management Interface
      ‒ IPS 4200 sensor managed through an out-of-band interface
      ‒ IPS management uses SSH or HTTPS (SDEE)
    • Initial Setup of IPS Appliance
      The CLI wizard performs the basic configuration needed to allow network connectivity for the GUI.
    • Assigning Virtual Sensor
      Both IDS and IPS require assignment of a Virtual Sensor... even if only one Virtual Sensor (e.g. vs0) is used!
    • Deploying Anomaly-Based Operation
    • Signature
      ‒ A signature is used to detect a potential threat.
      ‒ Cisco signatures are vulnerability focused, not exploit focused.
      ‒ We need different types of signatures. To match these signatures efficiently against the type of traffic, different engines are used.
      ‒ A signature has several states: Retired vs. Active; Disabled vs. Enabled
    • Types of Signatures
      Three types of signatures:
      ‒ Default: included in the sensor software (ID range is 1,000 – 59,000)
      ‒ Tuned: built-in signatures that the user/administrator modifies
      ‒ Custom: new signatures that the user/administrator creates (custom ID range is 60,000 – 65,000)
    • What Is an Engine?
      ‒ A signature engine is a component of the Cisco IPS that is designed to support many signatures in a certain category.
      ‒ An engine is composed of a parser and an inspector.
      ‒ Each engine has a set of parameters that have allowable ranges or sets of values.
    • The Different Engine Families
      ‒ Atomic engines: look at attacks in a single packet
      ‒ Flooding: specialized in attacks that involve flooding hosts with packets
      ‒ String: look for patterns across several packets
      ‒ Sweep: specialized in attacks that involve scanning of hosts and ports
      ‒ Anomaly detection: baseline the traffic first, then look for threshold violations
      ‒ Service engines: specialized engines looking at services like DNS, HTTP, FTP, …
      ‒ And many others...
    • Real-Time Anomaly Detection for Day-Zero Threats
      ‒ Anomaly Detection algorithms to detect and stop Day-Zero threats
      ‒ Real-time learning of normal network behavior
      ‒ Automatic detection and policy-based protection from anomalous threats to the network
      ‒ Result: protection against attacks for which there is no signature
      (Figure: traffic conforms to baseline; then anomalous activity is detected, indicating a potential zero-day attack!)
    • Managing and Analyzing Events
    • Cisco IPS Manager Express (IME)
      All-in-one IPS management application for up to 10 IPS sensors
      ‒ Startup Wizard: gets you up and running in just minutes
      ‒ Dashboard: puts needed information at your fingertips
      ‒ Configuration: save time with an intuitive interface
      ‒ Reporting: create and share security and compliance reports
      ‒ Monitoring: see what's happening with real-time and historical security events
    • Cisco Security Manager
      Enterprise class security
      ‒ Unified services management for security including firewall, VPN and IPS (including IOS IPS), switches
      ‒ Can share network objects between firewall, VPN, IPS, switches
      ‒ Keep track of changes: who has done what, configuration archiving
      ‒ Separation of duties
      (Screenshots: IPS Update Wizard, Topology View, Signature Table, Device View)
    • IPS Sensor Management
      (Figure) CSM and MARS sit on the management network; the sensor sends XML events over HTTPS and is configured via the Device Manager/CLI; the sensing interfaces sit in the production network.
    • Deploying Virtualization, High Availability, and High Performance Solutions
    • Flexible Deployment: Sensor Virtualization
      Virtualize both policy and sensor state
      ‒ Flexible context definitions: ability to define virtualized sensors based on physical interface and VLAN groupings
      ‒ Assignment of custom signature / policy settings and response actions to each virtualized sensor
      (Figure) Customized policy on virtual sensors based on VLAN groupings: Virtualized Sensor 1 covers VLAN 1 and VLAN 2, Virtualized Sensor 2 covers VLAN 3 and VLAN 4. Customized policy on virtual sensors based on interface groupings: Virtualized Sensor 1 covers interfaces 1 + 2, Virtualized Sensor 2 covers interfaces 3 + 4.
    • Transparency in the Eye of the Beholder
      With virtualization, VMs have a transparent view of their resources…
    • Transparency in the Eye of the Beholder
      …but it's difficult to monitor and apply network policies back to virtual machines.
    • How to Place a Sensor into Such an Environment?
      ‒ Where to place the sensor?
      ‒ How to span multiple VMs from multiple ESX hosts?
      ‒ How to deal with moving VMs in VMotion?
      ‒ How to monitor traffic between VMs on a single ESX server?
    • Introducing Cisco Nexus 1000V for VMware ESX: Simplifying Virtual Machine & Network Policy Management
      ‒ Policy-based VM connectivity
      ‒ Mobility of network and security properties
      ‒ Virtual Center integration for server administrators
      ‒ Cisco NX-OS environment for network administrators
      ‒ Ensures visibility and policy enforcement during VMotion
      ‒ Compatible with any switching platform
      (Figure: Server 1 and Server 2 each run VMware ESX with VMs #1-#8; the Nexus 1000V replaces the VMware vSwitch on each host and forms a Nexus 1000V DVS across both)
    • Port Profiles
      Policy definition supports:
      ‒ VLAN, PVLAN settings
      ‒ ACL, Port Security, ACL Redirect
      ‒ Cisco TrustSec (SGT)
      ‒ NetFlow Collection
      ‒ Rate Limiting
      ‒ QoS Marking (COS/DSCP)
      ‒ Remote Port Mirror (ERSPAN)
      (Figure: VMs #1-#4 on a VMware ESX server attached to the Nexus 1000V VEM; Cisco VSMs and Virtual Center)
    • SPAN Technologies Overview
      ‒ Local SPAN: mirrors traffic from one or more interfaces or VLANs on the switch to one or more other interfaces (or a service module) on the same switch.
      ‒ Remote SPAN (RSPAN): mirrors traffic from one or more interfaces or VLANs on the switch to a special RSPAN VLAN, which carries the traffic across a Layer 2 switched network to one or more other switches. The other switches mirror the traffic from the RSPAN VLAN to one or more of their local interfaces (or service modules).
      ‒ Encapsulated Remote SPAN (ERSPAN): mirrors traffic from one or more interfaces or VLANs on the switch into an IP GRE tunnel, which carries the traffic across an arbitrary Layer 3 network to another device. If the destination is another ERSPAN-capable switch, it decapsulates the monitored packets and mirrors them to one or more of its local interfaces (or service modules).
    • How to Place a Sensor into Such an Environment?
    • Server Virtualization: IDS and ERSPAN
      Ethernet network policy:
      ‒ Take a copy of traffic from the servers and switch it to the appliance
      ‒ IPS appliances analyze server traffic and log activity
      Nexus 1000V makes this possible:
      ‒ ERSPAN: set a port-profile with a SPAN session; IP SPAN the traffic to the 6500
      ‒ Switch port SPAN on the 6500 to the connected 4200 IPS
      ‒ Permit protocol type header "0x88BE" for ERSPAN GRE
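To show what the "protocol type 0x88BE" rule above actually admits, here is an added example that is not part of the presentation: it parses a GRE-encapsulated ERSPAN Type II packet the way a sensor at the SPAN destination receives it, using the GRE header of RFC 2784/2890 and the Type II header layout from the public ERSPAN draft. The MAC addresses, VLAN, session ID and sequence number in the sample packet are constructed values.

```python
"""Decapsulate GRE/ERSPAN Type II as an IDS sensor behind an ERSPAN session sees it.

Added example, not from the presentation. GRE header per RFC 2784/2890; the 8-byte
ERSPAN Type II header (Ver/VLAN/COS/En/T/Session ID, then Reserved/Index) follows
the public ERSPAN draft. The sample packet below is constructed.
"""
import struct

ERSPAN_GRE_PROTOCOL = 0x88BE  # GRE protocol type the slide says the ACL must permit

GRE_FLAG_CHECKSUM = 0x8000
GRE_FLAG_KEY = 0x2000
GRE_FLAG_SEQUENCE = 0x1000


def is_erspan(packet: bytes) -> bool:
    """The check an ACL permitting 'protocol type 0x88BE' makes on a GRE packet."""
    return len(packet) >= 4 and struct.unpack("!H", packet[2:4])[0] == ERSPAN_GRE_PROTOCOL


def parse_gre(packet: bytes) -> dict:
    """Return the GRE header fields and the payload that follows its optional words."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", packet[:4])
    has_csum = bool(flags & GRE_FLAG_CHECKSUM)
    has_key = bool(flags & GRE_FLAG_KEY)
    has_seq = bool(flags & GRE_FLAG_SEQUENCE)
    needed = 4 + 4 * has_csum + 4 * has_key + 4 * has_seq
    if len(packet) < needed:
        raise ValueError("truncated GRE options")
    hdr = {"protocol": proto, "version": flags & 0x7}
    offset = 4
    if has_csum:  # 2-byte checksum followed by 2 reserved bytes
        hdr["checksum"] = struct.unpack("!H", packet[offset:offset + 2])[0]
        offset += 4
    if has_key:
        hdr["key"] = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    if has_seq:
        hdr["sequence"] = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    hdr["payload"] = packet[offset:]
    return hdr


def parse_erspan2(payload: bytes) -> dict:
    """Split the 8-byte ERSPAN Type II header from the mirrored Ethernet frame."""
    if len(payload) < 8:
        raise ValueError("truncated ERSPAN header")
    word0, word1 = struct.unpack("!II", payload[:8])
    version = word0 >> 28
    if version != 1:  # Type II carries version 1 in this field
        raise ValueError(f"unsupported ERSPAN version {version}")
    return {
        "vlan": (word0 >> 16) & 0x0FFF,        # VLAN the mirrored frame was seen on
        "cos": (word0 >> 13) & 0x7,
        "encap": (word0 >> 11) & 0x3,          # encapsulation type of the frame
        "truncated": bool((word0 >> 10) & 1),  # frame was cut to fit the MTU
        "session_id": word0 & 0x03FF,
        "index": word1 & 0x000FFFFF,           # source port index
        "frame": payload[8:],                  # the original Ethernet frame
    }


def decapsulate(packet: bytes) -> dict:
    """GRE -> ERSPAN II -> mirrored frame; raises ValueError for anything else."""
    gre = parse_gre(packet)
    if gre["protocol"] != ERSPAN_GRE_PROTOCOL:
        raise ValueError(f"not ERSPAN: GRE protocol 0x{gre['protocol']:04X}")
    span = parse_erspan2(gre["payload"])
    span["gre_sequence"] = gre.get("sequence")
    return span


def build_sample(vlan: int = 11, session_id: int = 7, sequence: int = 42) -> bytes:
    """Constructed GRE/ERSPAN II packet carrying a minimal Ethernet frame (sample data)."""
    ethernet = bytes.fromhex("001122334455")           # destination MAC (constructed)
    ethernet += bytes.fromhex("66778899aabb")          # source MAC (constructed)
    ethernet += b"\x08\x00" + b"\x45" + b"\x00" * 19   # IPv4 ethertype + 20-byte placeholder header
    word0 = (1 << 28) | (vlan << 16) | (0 << 13) | (0 << 11) | (0 << 10) | session_id
    word1 = 0x1F                                        # source port index (constructed)
    erspan = struct.pack("!II", word0, word1)
    gre = struct.pack("!HHI", GRE_FLAG_SEQUENCE, ERSPAN_GRE_PROTOCOL, sequence)
    return gre + erspan + ethernet


if __name__ == "__main__":
    sample = build_sample()
    print("ACL would permit:", is_erspan(sample))
    info = decapsulate(sample)
    print(f"session {info['session_id']} vlan {info['vlan']} seq {info['gre_sequence']} "
          f"frame {len(info['frame'])} bytes")
```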
    • ERSPANBRKCRT-3133 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 65
    • Sample Config for ERSPAN on N1KBRKCRT-3133 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 66
    • What’s Ahead - Network Scale VirtualizationPolicy-based VM Connectivity with Mobility and Security Nexus 1000V Nexus 5500 Software Hypervisor Switching External Hardware Switching Tagless (802.1Q) Tag-based (Pre-standard 802.1Qbh) Feature set Performance Flexibility Consolidation Server Server VM VM VM VM VM VM VM VM #1 #2 #3 #4 #1 #2 #3 #4 Hypervisor Nexus 1000V VIC Hypervisor NIC NIC Nexus 1000V LAN Nexus 5500 Policy-Based Mobility of Network and Non-Disruptive VM Connectivity Security Properties Operational ModelBRKCRT-3133 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 67
    • VSS and vPC VSS ‒Two Cat6K form a logical switch ‒Only one Supervisor Engine is active ‒Active SUP controls both chassis vPC ‒Two N7K form a logical switch ‒Both Switches remain active, synchronizing forwarding tables ‒Can be virtualized into up to 4 VDC (Virtual Device Context VDC ‒VDC is a virtual Switch instance (like a virtual Firewall) ‒VDC can only interact with other VDC via external LinkBRKCRT-3133 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 68
    • VSS on CAT6K Running as IDS Connect IPS System via any SPAN Technologie Port to a VSS Chassis (dual homed) CAT6K supports ‒SPAN ‒RSPAN ‒ERSPANBRKCRT-3133 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 69
    • vPC on Nexus 7000 Running as IDS  Connect IPS System via RSPAN Ports to a vPC Chassis (dual homed)  If VDC is used, consider each VDC as separate Switch  Nexus 7000 supports: ‒Local SPAN ‒RSPAN  HW is capable of ERSPAN but SW does not yet support it N7k1-VDC1BRKCRT-3133 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 70
    • vPC and ServicesCatalyst 6500 Services Chassis w. Services VDC SandwichTwo Nexus 7000 Virtual Device Contexts used to―sandwich‖ services between virtual switching layers Layer-2 switching in Services Chassis with transparent services Services Chassis provides EtherChannel capabilities for interaction with vPC vPC running in both VDC pairs to provide EtherChannel for both inside and outside interfaces to Services ChassisDesign considerations: Access switches requiring services are connected to sub-aggregation VDC Access switches not requiring services may be connected to aggregation VDC May be extended to support multiple virtualized service contexts by using multiple VRF instances in the sub-aggregation VDCBRKCRT-3133 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 71
    • IPS in Virtualized DC
      Use cases
      ‒ Protect server farms through IPS
      ‒ Monitoring / alarming through IPS in IDS mode
      Products
      ‒ Cisco IPS 4260 / 4270 appliance as IPS (via external Services Chassis) or IDS (via SPAN technology)
      ‒ Cisco ASA IPS SSM for ASA 5585-X as IPS-only
      ‒ Cisco IDSM2 switch module as IPS (via external Services Chassis) or IDS (via switch-internal SPAN session)
      ‒ IDSM2 only available for Cat6K, no N7K module
    • High Availability and Scaling: Let's Make Sure We Speak the Same Language
      ‒ Fail-open (fail-safe) techniques: hardware or software that detects problems and passes packets through the device without inspection when required
      ‒ Fail-secure (fail-closed) techniques: hardware or software techniques that stop forwarding any packets if the IPS fails
      ‒ Failover: one or more paths through the network that allow packets, in the event of a device failure, to go either through a backup IPS sensor or through a plain wire
      ‒ Load balancing: using devices or software features to split a traffic load across multiple devices; this can achieve both higher data rates and redundant paths in case of failure
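    The fail-open and fail-secure definitions above map directly onto a setting an administrator chooses when an ASA sends traffic inline to its IPS module. The policy below is an added example for this transcript, not deck content or Cisco's reference configuration; the class-map name is an assumption, and `vs0` is the default virtual sensor name on the IPS module. Check the result with `show service-policy` and the module state with `show module`.

    ```cisco
    ! ASA with an IPS SSM/SSP (added example; names other than vs0 are assumed).
    ! Every flow is diverted to the module inline; the fail keyword decides what the
    ! ASA does with traffic when the module is down or not responding.
    class-map IPS_TRAFFIC
     match any
    !
    policy-map global_policy
     class IPS_TRAFFIC
      ! Fail-open (fail-safe): on module failure traffic keeps flowing, uninspected.
      ips inline fail-open sensor vs0
    !
    ! Fail-secure (fail-closed) variant for a segment where inspection must never
    ! be bypassed: the same class with the other keyword. On module failure the
    ! ASA drops the traffic instead of forwarding it.
    ! policy-map global_policy
    !  class IPS_TRAFFIC
    !   ips inline fail-close sensor vs0
    !
    service-policy global_policy global
    ```

    The keyword is a risk decision, not a tuning knob: fail-open protects availability and accepts a window in which nothing is inspected, so the module's health should be monitored and alarmed; fail-close protects the inspection guarantee and turns a module failure into an outage, which is acceptable only where a redundant path (the failover case on the slide) carries the traffic.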
    • Configuring and Maintaining Specific Cisco IPS Hardware
    • Cisco IPS Sensor Initial Setup and Management
      ‒ Using basic Cisco IPS CLI features
      ‒ Configure and verify basic Cisco IPS sensor parameters
      ‒ Configure and verify Cisco IDM features and properties
      ‒ Troubleshoot the initial configuration of the sensor
      ‒ Troubleshoot basic Cisco IPS hardware problems
      ‒ Restoring the Cisco IPS to its default configuration
      ‒ Managing Cisco licenses and software: software upgrade and recovery; updates and installation of IPS signatures
      ‒ Managing access and password recovery on the Cisco IPS sensor
      ‒ Using the CLI and IDM to perform sensor management and monitoring
    • Applying Cisco IPS Security Policies
      ‒ Deploying and managing Cisco IPS sensor basic traffic analysis: virtual sensor setup, traffic normalization, IPv6 support, bypass mode
      ‒ Deploying and managing basic aspects of Cisco IPS signatures and responses: signatures (types, features, properties, and actions); IP logging and filters
      ‒ Evaluating the Cisco IPS signature engines and built-in signature database
      ‒ Deploying and managing Cisco IPS anomaly-based detection features
    • Q & A / Discussion
    • Complete Your Online Session Evaluation
      ‒ Give us your feedback and you could win fabulous prizes. Winners announced daily.
      ‒ Receive 20 Passport points for each session evaluation you complete.
      ‒ Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
      ‒ Don't forget to activate your Cisco Live Virtual account for access to all session material, communities, and on-demand and live activities throughout the year. Activate your account at the Cisco booth in the World of Solutions or visit www.ciscolive.com.
    • Final Thoughts
      ‒ Get hands-on experience with the Walk-in Labs located in World of Solutions, booth 1042
      ‒ Come see demos of many key solutions and products in the main Cisco booth 2924
      ‒ Visit www.ciscoLive365.com after the event for updated PDFs, on-demand session videos, networking, and more!
      ‒ Follow Cisco Live! using social media:
        ‒ Facebook: https://www.facebook.com/ciscoliveus
        ‒ Twitter: https://twitter.com/#!/CiscoLive
        ‒ LinkedIn Group: http://linkd.in/CiscoLI