These slides are taken from Cisco Live 2012 & 3/20/2014
Eng. Mohannad Alhanahnah 1
IPS v7.0
Agenda:
• CCNP Security IPSv7 Exam Topics Review
• Introduction to Intrusion Prevention & Detection
• Installing and Maintaining Cisco IPS Sensors
• Applying Cisco IPS Security Policies
• Deploying Anomaly-based Operation
• Managing & Analyzing Events
• Deploying Virtualization, High Availability, and High Performance Solutions
• Configuring and Maintaining Specific Cisco IPS Hardware
IPSv7.0 Exam Topics Review:
• Approximately 90 minute exam
• 60-70 questions
• Register with Pearson Vue
–http://www.vue.com/cisco
• Exam cost is $200.00 US
• Question Types
–Multiple-choice single answer
–Multiple-choice multiple answer
–Drag-and-drop
–Fill-in-the-blank
–Testlet / Simlet / Simulations
• Rule out the nonsense
• Look for the best answer when multiple exist
• Look for subtle keys
• Narrow it down
• Relate to how the device works
• Don’t waste too much time
Preparing for the IPS Exam:
• Recommended reading
–CCNP Security IPS 642-627 Official Cert Guide
–CCSP books are still good for reference
–Cisco IPS 7.0 Configuration Guide
• Cisco learning network
www.cisco.com/go/learnnetspace
• Practical experience
–Real equipment
–IDM in demo mode
IPSv7.0 Exam Topics:
• Pre-Production Design
–Choose Cisco IPS technologies to implement High Level Design
–Choose Cisco products to implement High Level Design
–Choose Cisco IPS features to implement High Level Design
–Integrate Cisco network security solutions with other security technologies
–Create and test initial Cisco IPS configurations for new devices/services
• Complex Support Operations
–Optimize Cisco IPS security infrastructure device performance
–Create complex network security rules to meet the security policy requirements
–Configure and verify the IPS features to identify threats and dynamically block them from entering the network
–Maintain, update and tune IPS signatures
–Use CSM and MARS for IPS management, deployment, and advanced event correlation
–Optimize security functions, rules, and configuration
• Advanced Troubleshooting
–Advanced Cisco IPS security software configuration fault finding and repairing
–Advanced Cisco IPS sensor and module hardware fault finding and repairing
Introduction to Intrusion Prevention and Detection:
The Evolution of the Internet: A Shift to Financial Gain
Top-Ten Cyber Security Menaces:
•Sophisticated website attacks
•Increasing botnet sophistication and effectiveness
•Growing cyber espionage
•Emerging mobile phone threats
•Insider attacks
•Advanced identity theft
•Increasingly malicious spyware
•Web application security exploits
•Sophisticated social engineering
•Supply-chain attacks infecting consumer devices
Cisco Intrusion Prevention Services:
•Intelligent Detection
• Vulnerability and Exploit specific Signatures
• Traffic and Protocol Anomaly Detection
• Knowledge base Anomaly Detection
• Reputation Filters
•Precision Response
• Risk Management-based Policy
• Global Correlation adding reputation
• On-box Correlation through Meta Event Generator
• “Trustworthiness” Linkages with the Endpoint
•Flexible Deployment
• Passive and/or Inline with Flexible Response (IDS/IPS)
• Sensor Virtualization
• Physical and logical (VLAN) interface support
• Software and Hardware bypass
Cisco Security Intelligence Operations:
Cisco IPS Intelligent Detection Capabilities: Vulnerability and Exploit-Based Signatures:
Cisco IPS Product Portfolio: Integrated Security Across the Network:
Cisco IPS 4200 Series Sensors Comparison:
AIP-SSM Module:
Catalyst 6500 IDSM2:
Cisco IPS Architecture:
Packet Flow in IPS v7.0:
• IPS Reputation Filters block access to IPs on stolen ‘zombie’ networks or networks controlled entirely by malicious organizations.
• Global Correlation Inspection raises the Risk Rating of events when the attacker has a negative reputation, allowing those events to be blocked more confidently and more often than an event without negative reputation.
• IPS Version 7.0 software permits a device to run promiscuous mode and inline mode simultaneously, which allows some segments to be monitored for IDS only while other segments use IPS protection.
Overview of Intrusion Detection Systems (IDS):
IDS Option 1: Single Interface:
Spanning traffic to the IPS 4200
IDS option 2: VLAN Groups:
Overview of Intrusion Prevention Systems (IPS):
IPS Option 1: Interface Pairing:
• Bump in the Wire (intelligent wire)
• Two physical Interfaces
• Switch Ports configured as Access Ports or Trunk
IPS Option 2: VLAN-on-a-Stick:
• VLAN Mapping
• One Physical Interface configured as Trunk
IPS Option 3: VLAN Groups:
IPS in ASA Appliance:
• ASA redirects traffic to IPS Service Module
• Module can be used as IDS (promiscuous) or IPS (inline)
• Virtual Sensor and Failure Policy can be defined
Areas of Network IPS or IDS Deployment:
Key Terms & Acronyms:
Vulnerability: A vulnerability is a weakness that compromises the security or functionality of a particular system in your network.
Exploit: An exploit is a mechanism designed to take advantage of vulnerabilities that exist in your systems.
Signature: A signature is a set of instructions the sensor uses to identify an unwanted traffic type.
False Alarms: False alarms are IDS/IPS events that you do not want occurring in your implementation. The two types of false alarms are false positives and false negatives. Both are undesirable.
True Alarms: The two types of true alarms in IDS/IPS terminology are true positive and true negative. Both are desirable.
Security Controls:
• False Positive
–A false positive means that an alert has been triggered, but it was for traffic that does not constitute an actual attack.
• False Negative
–A false negative occurs when attack traffic does not trigger an alert on the IDS/IPS device. This is often viewed as the worst type of false alarm.
• True Positive
–A true positive means that the IDS/IPS device recognized and responded to an attack.
• True Negative
–A true negative means that non-offending or benign traffic did not trigger an alarm.
Approaches to Intrusion Prevention:
• Signature Based
• Anomaly Based
• Policy Based
• Protocol Analysis Based
• Reputation Based
Version 7.0 of the Cisco IPS Sensor Software adds many new features, including the following:
■ Virtualization support: Allows different policies for different segments that are being monitored by a single sensor.
■ New signature engines: Additions that cover Server Message Block and Transparent Network Substrate traffic.
■ Passive operating system fingerprinting: A set of features that enables Cisco IPS to identify the operating system of the victim of an attack.
■ Improved risk and threat rating system: The risk rating helps with alerts and is now based on many different components to improve the sensor’s performance and operation.
■ Global correlation: Allows the sensor to take stronger preventive action against traffic originating from hosts with a negative reputation score.
■ Reputation filtering: Blocks all network traffic originating from hosts with the worst reputations.
■ Enhanced health and performance monitoring: Allows the IPS administrator to better monitor the performance of the sensors.
■ IPv6 detection and prevention: The ability to analyze both IPv4 and IPv6 network traffic.
■ Cisco Intrusion Prevention System Manager Express (IME): A new and improved GUI for management and monitoring of multiple IPS devices.
■ Anomaly detection: Designed to detect worm-infested hosts.
Cisco Sensor Family
The Cisco sensor family includes the following devices:
■ Cisco IDS 4240 sensor
■ Cisco IPS 4255 sensor
■ Cisco IPS 4260 sensor
■ Cisco IPS 4270 sensor
■ Cisco Catalyst 6500 series IDSM-2
■ Cisco ASA AIP-SSM-10
■ Cisco ASA AIP-SSM-20
■ Cisco ASA AIP-SSM-40
■ Cisco AIM IPS module for ISR routers
■ Cisco NME IPS module for ISR routers
Management Options:
For a single device (element management), options include
the following:
■ Command-line interface (CLI)
■ Cisco IPS Device Manager (IDM)
■ Cisco IPS Manager Express (IME)
For multiple-device management, options include the
following:
■ Cisco IPS Manager Express (IME), for one to ten sensors
■ Cisco Security Manager (CSM), for one or many sensors
■ Cisco Security Monitoring, Analysis, and Response System
(MARS)
Deploying Sensors:
Consider these technical factors when selecting sensors for
deployment in an organization:
■ The network media in use.
■ The performance of the sensor.
■ The overall network design.
■ The IPS design: Will the sensor analyze and protect many systems, or
just a few?
■ Virtualization: Will multiple virtual sensors be created in the sensor?
The CLI can be used to:
■ Initialize the sensor
■ Configure
■ Administer
■ Troubleshoot
■ Monitor
Initializing the Sensor:
The setup command at the CLI walks you through initialization. You can do the following:
■ Assign a hostname to the sensor. This is case sensitive. It defaults to sensor.
■ Assign an IP address to the command and control interface. The default is 10.1.9.201/24.
■ Assign a default gateway. The default is 10.1.9.1.
■ Enable or disable the Telnet server. Telnet is disabled by default.
■ Specify the web server port. The default is 443.
■ Create network access control lists (ACL) that can access the sensor for management.
■ Configure the date and time.
■ Configure the sensor interfaces.
■ Configure virtual sensors. This enables the configuration of promiscuous and inline interface pairs.
■ Configure threat prevention. An event action override denies high-risk network traffic with a risk rating of 90 to 100. This option lets you disable this feature.
Initial Setup of IPS Appliance:
• CLI wizard performs basic configuration to allow network connectivity for the GUI.
Threat and Risk Rating:
Calculating Threat and Risk:
• RR = [(ASR x TVR x SFR) / 10,000] + ARR – PD + WLR
Example:
–ASR = 75, SFR = 90, PD = 0 (inline mode), TVR = 100, ARR = 10, and WLR = 0
–RR = [(75 x 100 x 90) / 10,000] + 10 – 0 + 0 = 78
• TR = RR – Threat Rating Adjustment
– Configuration > Policies > Event Action Rules > rules0 pane, General tab
Real-Time Risk-based Policy: Risk Rating and IPS Policy
• A quantitative measure of each threat before IPS mitigation.
Threat Rating: Post-policy Evaluation of Incident Urgency
Where do I configure actions?
Actions are configured in 3 different places:
– The signature itself, where you define the default response if this signature is triggered
– The event action override, which lets the system add actions depending on the risk rating
– The event action filters, where the system is able to remove actions depending on several parameters such as the sig ID or the addresses of the attacker or victims…
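The risk-rating arithmetic from the slides above and the three stages that decide an event's actions (signature defaults, overrides that add actions by risk rating, filters that remove actions by signature ID and address) are easy to get wrong in the head, so here is an added, runnable model of them. This is example code written for this page, not Cisco's sensor software; the sample events, the filter, the signature IDs and the 70-89 override tier are constructed, and only the 90-100 deny override and the RR/TR formulas come from the slides.

```python
"""Added example (not Cisco's code): the IPS 7.0 risk-rating formula and the
three stages that decide an event's actions: the signature's default actions,
event action overrides that add actions by risk rating, and event action
filters that remove actions by signature ID and attacker/victim address.
The sample events, the filter and the 70-89 override tier are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


def risk_rating(asr, tvr, sfr, arr=0, pd=0, wlr=0):
    """RR = [(ASR x TVR x SFR) / 10,000] + ARR - PD + WLR, clamped to 0..100.
    The slide's worked example gives 77.5 -> 78, so round half up."""
    rr = (asr * tvr * sfr) / 10_000 + arr - pd + wlr
    return int(max(0, min(100, rr)) + 0.5)


def threat_rating(rr, adjustment):
    """TR = RR - Threat Rating Adjustment (the adjustment reflects the actions
    the sensor actually took against the event)."""
    return max(0, rr - adjustment)


@dataclass
class Event:
    sig_id: int
    attacker: str
    victim: str
    rr: int
    default_actions: set = field(default_factory=set)  # from the signature itself


# Event action overrides: (low RR, high RR, actions to add).
# The 90..100 deny tier is the sensor default the slides describe; the
# 70..89 tier is a constructed example of an administrator-added override.
OVERRIDES = [
    (90, 100, {"deny-packet-inline", "deny-attacker-inline"}),
    (70, 89, {"produce-verbose-alert", "log-attacker-packets"}),
]

# Event action filters: remove actions when every given condition matches.
# Constructed: a custom signature (60001 lies in the 60,000-65,000 custom
# range) is not allowed to deny traffic from an internal scanner subnet.
FILTERS = [
    {"name": "vuln-scanner-exemption", "sig_ids": {60001},
     "attacker": "10.10.0.0/16", "victim": None,
     "subtract": {"deny-packet-inline", "deny-attacker-inline"}},
]


def actions_for(ev, overrides=OVERRIDES, filters=FILTERS):
    """Return the final action set for one event: defaults, plus overrides
    whose RR range matches, minus filters whose conditions all match."""
    actions = set(ev.default_actions)
    for low, high, add in overrides:
        if low <= ev.rr <= high:
            actions |= add
    for f in filters:
        if f["sig_ids"] is not None and ev.sig_id not in f["sig_ids"]:
            continue
        if f["attacker"] and ip_address(ev.attacker) not in ip_network(f["attacker"]):
            continue
        if f["victim"] and ip_address(ev.victim) not in ip_network(f["victim"]):
            continue
        actions -= f["subtract"]
    return actions


if __name__ == "__main__":
    print("RR for the slide's example:", risk_rating(75, 100, 90, arr=10))  # 78
    hostile = Event(1000, "203.0.113.9", "10.1.1.5", 95, {"produce-alert"})
    scanner = Event(60001, "10.10.5.5", "10.1.1.5", 95, {"produce-alert"})
    for ev in (hostile, scanner):
        print(ev.sig_id, ev.rr, sorted(actions_for(ev)))
```

The order matters: overrides run before filters, so a filter can strip the deny actions an override added, which is exactly how an exemption for an internal vulnerability scanner is expressed without lowering the signature's own severity.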
Master engine : Event Actions
Installing and Maintaining Cisco IPS
Sensors:
IPS Deployment Options:
■ Promiscuous mode: In this mode, packets do not flow through the sensor. Instead, packets are copied to the interface from a network device. This is also known as IDS mode.
■ Inline Interface Pairing mode: Traffic passes through the sensor, from one interface to another. Two monitoring interfaces must be configured as a pair. The sensor functions as a Layer 2 bridge for this traffic.
■ Inline VLAN Pairing mode: Here, the monitoring interface acts as an 802.1Q trunk port. The sensor bridges between pairs of VLANs on the trunk.
■ VLAN Group mode: Each physical interface can be divided into VLAN group subinterfaces. This enables you to use a sensor with only a few interfaces as if it had many interfaces.
Cisco IPS Sensor Promiscuous Mode Deployment:
Cisco IPS Sensor Inline Interface Mode Deployment:
Cisco IPS Sensor Inline VLAN Pair Mode Deployment:
Cisco IPS Sensor Inline VLAN Group Mode Deployment:
Cisco IPS Sensor Selective Inline Analysis Mode Deployment:
Applying Cisco IPS Security Policies:
IPS 4200 Appliance Management Interface:
• IPS 4200 Sensor managed through an out-of-band interface
• IPS Management uses SSH or HTTPS (SDEE)
Assigning Virtual Sensor:
Both IDS and IPS require assignment of a Virtual Sensor, even if only one Virtual Sensor (e.g. vs0) is used!
IPv6 and Cisco IPS:
• IPv6 is default for Windows 2008, Vista and Windows 7!
• Can analyze native IPv6 Traffic
• Can detect IPv6 tunneled traffic
• IPS Tuning can be done on IPv4 and IPv6 traffic simultaneously
Usage of Dual-Stack on all Engines: Service HTTP:
Usage of Dual-Stack on all Engines: String TCP with Custom Signature:
Deploying Anomaly-Based Operation:
Signature:
•A Signature is used to detect a potential threat.
•Cisco Signatures are vulnerability focused, not exploit focused.
• We need different types of Signatures. To match these signatures efficiently against the type of traffic, we use different Engines.
• There are several signature statuses:
• Retired vs. Active
• Disabled vs. Enabled
Types of Signatures:
• Three types of Signatures
–Default – Included in the sensor software.
– <ID Range is 1,000 – 59,000>
–Tuned – Built-in signatures that the user/administrator modifies.
–Custom – New signatures that the user/administrator creates.
– <Custom ID Range is 60,000-65000>
What Is an Engine?
•A signature engine is a component of the Cisco IPS that is designed to support many signatures in a certain category.
•An engine is composed of a parser and an inspector.
•Each engine has a set of parameters that have allowable ranges or sets of values.
The Different Engine Families:
•Atomic engine – Looking at attacks in a single packet
•Flooding – Specialised in attacks that involve flooding of hosts with packets
•String – Looking for patterns across several packets
•Sweep – Specialised in attacks that involve scanning of hosts and ports
•Anomaly detection – Baselining the traffic first and then looking for thresholds
•Services Engines – Specialised engines looking at services like DNS, HTTP, FTP,…
•And many others....
• ATOMIC signature engines are
■ ATOMIC ARP
■ ATOMIC IP
■ ATOMIC IP ADVANCED
■ ATOMIC IPv6
• The FIXED engines are
■ STRING ICMP
■ STRING TCP
■ STRING UDP
• FLOOD signature engines are
■ FLOOD NET
■ FLOOD HOST
• SERVICE signature engines are
■ SERVICE DNS
■ SERVICE FTP
■ SERVICE FTP V2
■ SERVICE GENERIC
■ SERVICE GENERIC ADVANCED
■ SERVICE H225
■ SERVICE HTTP and etc…
• The STRING engines are
■ STRING ICMP
■ STRING ICMP XL
■ STRING TCP
■ STRING TCP XL
■ STRING UDP
■ STRING UDP XL
■ MULTI STRING
What is the difference between STRING and FIXED engines?
FIXED differs from STRING in that FIXED signatures watch all TCP/UDP ports, whereas STRING signatures watch only defined ports.
• The SWEEP engines are
■ SWEEP
■ SWEEP OTHER TCP
• TROJAN engines are:
■ TROJAN BO2K examines UDP and TCP traffic for Back Orifice.
■ TROJAN TFN2K examines UDP, TCP, or ICMP traffic for irregular traffic patterns and corrupted headers.
■ TROJAN UDP examines UDP traffic for Trojan attacks.
Normalizer Module:
Normalizer Engine Signatures:
• The normalizer signatures are designed for inline mode only
• These signatures perform several tasks, including:
–Watch for packets with illegal combinations of flags
–Watch for bad checksums
–Watch for TCP segment overrides
–Watch for fragmented traffic
–Much more
• The normalizer denies or fixes abnormal packets
TCP Normalization – How:
Layer 4 protection
• Strict tracking of TCP state
• Strict tracking of sequence numbers (including support for PAWS checks)
• Best effort tracking of previous data seen for un-acked inspected content (prevents/detects overwrites in the TCP sequence space)
• Checksums and invalid TCP flags
• Ability to modify TTLs to monotonically decrease or remain steady over the life of the flow
• URG pointer normalization
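Two of the checks listed above, illegal flag combinations and overwrites in the TCP sequence space, are worth seeing as code, because the second one is the reason an inline sensor has to remember un-acked bytes at all: if a retransmission carries different content for a sequence range the sensor already inspected, the end host may reassemble data the sensor never saw. The following is an added example written for this page, not Cisco's normalizer; segments are constructed dicts rather than parsed packets, and the flag rules and ACK-trimming are simplifications labelled in the comments.

```python
"""Added example (not Cisco's normalizer): two of the Layer 4 checks the
slide lists, implemented over constructed segments. Segments are plain
dicts (seq, flags, payload); no real packets are parsed."""

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
SEQ_MOD = 1 << 32


def illegal_flags(flags):
    """Return why a flag combination can never occur in a conforming TCP
    exchange, or None if the combination is acceptable (a reduced rule set)."""
    if flags == 0:
        return "null segment (no flags)"
    if flags & SYN and flags & FIN:
        return "SYN+FIN"
    if flags & SYN and flags & RST:
        return "SYN+RST"
    if flags & FIN and not flags & ACK:
        return "FIN without ACK"
    return None


class SequenceSpaceTracker:
    """Best-effort memory of the bytes already seen at each sequence number of
    one direction of a flow. A later segment that covers the same sequence
    numbers with different bytes is an overwrite in the sequence space, which
    an inline sensor must refuse. Bytes below the peer's ACK are forgotten,
    which bounds the memory held per flow."""

    def __init__(self):
        self.seen = {}  # absolute sequence number -> byte value

    def segment(self, seq, payload):
        """Record payload at seq; return the sequence numbers whose bytes
        differ from what was seen earlier (empty list means consistent)."""
        conflicts = []
        for i, byte in enumerate(payload):
            s = (seq + i) % SEQ_MOD
            earlier = self.seen.get(s)
            if earlier is None:
                self.seen[s] = byte
            elif earlier != byte:
                conflicts.append(s)
        return conflicts

    def acked(self, ack):
        """Drop everything the receiver has acknowledged (below ack).
        Simplification: assumes no sequence-number wrap inside the window."""
        self.seen = {s: b for s, b in self.seen.items() if s >= ack}


def normalize(segments):
    """Run one direction of a flow through the checks. Returns a list of
    (index, verdict) where verdict is 'pass' or 'deny: <reason>'."""
    tracker = SequenceSpaceTracker()
    verdicts = []
    for i, seg in enumerate(segments):
        reason = illegal_flags(seg["flags"])
        if reason is None:
            conflicts = tracker.segment(seg["seq"], seg["payload"])
            if conflicts:
                reason = f"overwrite of {len(conflicts)} byte(s) at seq {conflicts[0]}"
        verdicts.append((i, "pass" if reason is None else f"deny: {reason}"))
    return verdicts


# Constructed sample: a retransmission whose tail differs from the original,
# then a SYN+FIN segment, then an ordinary segment.
SAMPLE = [
    {"seq": 1000, "flags": PSH | ACK, "payload": b"0123456789"},
    {"seq": 1000, "flags": PSH | ACK, "payload": b"01234abcde"},
    {"seq": 1010, "flags": SYN | FIN, "payload": b""},
    {"seq": 1010, "flags": ACK, "payload": b"xyz"},
]

if __name__ == "__main__":
    for index, verdict in normalize(SAMPLE):
        print(index, verdict)
```

The tracker deliberately keeps the first copy of each byte and reports the later one, which is the only safe choice for an inline device: the bytes already forwarded are the ones the receiver may have consumed.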
Real-Time Anomaly Detection for Day Zero Threats:
• Anomaly Detection algorithms to detect and stop Day-Zero threats
• Real-time learning of normal network behavior
• Automatic detection and policy-based protection from anomalous threats to the network
• Result: Protection against attacks for which there is no signature
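The learn-then-detect cycle above (and the "baselining the traffic first and then looking for thresholds" description of the anomaly engine earlier) is shown below on one signal a worm-infected host gives off: many distinct destinations contacted on one port that never answer. This is an added example written for this page, not Cisco's anomaly-detection engine; the threshold rule (mean plus three standard deviations), the flow records and the fallback threshold for unseen ports are constructed.

```python
"""Added example (not Cisco's anomaly-detection engine): the learn-then-detect
idea the slide describes, reduced to one signal a worm-infected host gives off,
many distinct destinations contacted on one port that never answer. The
learning windows and the detection window are constructed flow records."""
import math
from collections import defaultdict
from statistics import mean, pstdev


def half_open_counts(flows):
    """flows: iterable of (src, dst, dport, answered). Count, per (src, dport),
    the distinct destinations that never answered."""
    unanswered = defaultdict(set)
    for src, dst, dport, answered in flows:
        if not answered:
            unanswered[(src, dport)].add(dst)
    return {key: len(dsts) for key, dsts in unanswered.items()}


def learn_knowledge_base(windows, k=3.0):
    """Learning phase: collect every host's half-open count per port over all
    windows and set that port's threshold to ceil(mean + k * stdev), floor 1.
    Returns {dport: threshold}, the knowledge base used in detect mode."""
    samples = defaultdict(list)
    for flows in windows:
        for (_src, dport), n in half_open_counts(flows).items():
            samples[dport].append(n)
    return {dport: max(1, math.ceil(mean(s) + k * pstdev(s)))
            for dport, s in samples.items()}


def detect(flows, kb, default_threshold=20):
    """Detect phase: alert on (src, dport, count) for any host whose half-open
    count exceeds the learned threshold for that port. Ports the learning
    phase never saw fall back to a constructed default."""
    return [(src, dport, n)
            for (src, dport), n in half_open_counts(flows).items()
            if n > kb.get(dport, default_threshold)]


def synth(src, dport, unanswered, answered=0):
    """Constructed flow records from one host to distinct destinations, the
    first `unanswered` of them never replying."""
    dsts = [f"10.2.{i // 256}.{i % 256}" for i in range(unanswered + answered)]
    return [(src, dst, dport, i >= unanswered) for i, dst in enumerate(dsts)]


# Two learning windows of normal behaviour: a couple of failed connections per
# host is ordinary, so the learned threshold for port 445 lands at 4.
LEARNING_WINDOWS = [
    synth("10.1.1.10", 445, 2, 20) + synth("10.1.1.11", 445, 3, 25) + synth("10.1.1.10", 80, 1, 40),
    synth("10.1.1.10", 445, 2, 18) + synth("10.1.1.11", 445, 3, 22) + synth("10.1.1.11", 80, 1, 30),
]
# Detection window: one host sweeping port 445 across 30 silent addresses.
DETECTION_WINDOW = (synth("10.1.1.10", 445, 3, 20) + synth("10.1.1.50", 445, 30, 0)
                    + synth("10.1.1.12", 22, 5, 5))

if __name__ == "__main__":
    kb = learn_knowledge_base(LEARNING_WINDOWS)
    print("knowledge base:", kb)
    print("alerts:", detect(DETECTION_WINDOW, kb))
```

The operational caveat is visible in the numbers: whatever is present during the learning windows becomes "normal", so a host that is already scanning while the knowledge base is built raises the threshold for everyone on that port. That is why the learning period has to be reviewed before the sensor is switched to detect mode.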
Protocol-Anomaly Detection:
Managing and Analyzing Events:
Cisco IPS Manager Express (IME): All-in-One IPS Management Application for up to 10 IPS Sensors
CSM 4.3 – IPS Configuration:
• Centrally manage multiple physical and virtual Sensors
• Tune policies
• Create custom Signatures
• Track Policy Change
• Update Signatures and Software for IPS Sensors
CSM 4.3 – Event logging and filtering:
• Log and monitor all IPS Events
• Granular Filtering and searching through events
• Customizable view
• Event to Policy mapping
CSM 4.3 – Reporting:
• Tactical Reporting
• Export to PDF or CSV
• Schedule Reports
• Customizable Graph and Data
CSM 4.3 – Health Monitoring:
• Monitor IPS Systems for throughput, CPU, memory, number of events, status of hardware,...
• Get an alert when the status changes
IPS Sensor Management:
Deploying Virtualization, High Availability, and High Performance Solutions
Flexible Deployment: Sensor Virtualization:
How to place a Sensor into such an Environment?
Introducing Cisco Nexus 1000V for VMware ESX: Simplifying Virtual Machine & Network Policy Management:
• Policy Based VM Connectivity
–Mobility of Network & Security Properties
• Virtual Center integration for server administrators
• Cisco NX-OS environment for Network administrators
• Ensures visibility & policy enforcement during VMotion
• Compatible with any switching platform
SPAN Technologies Overview:
• Local SPAN: Mirrors traffic from one or more interfaces or VLANs on the switch to one or more other interfaces (or a service module) on the same switch.
• Remote SPAN (RSPAN): Mirrors traffic from one or more interfaces or VLANs on the switch to a special RSPAN VLAN, which carries the traffic across a Layer 2 switched network to one or more other switches. The other switches mirror the traffic from the RSPAN VLAN to one or more of their local interfaces (or service modules).
• Encapsulated Remote SPAN (ERSPAN): Mirrors traffic from one or more interfaces or VLANs on the switch into an IP GRE tunnel, which carries the traffic across an arbitrary Layer 3 network to another device. If the destination is another ERSPAN-capable switch, it decapsulates the monitored packets and mirrors them to one or more of its local interfaces (or service modules).
How to place a Sensor into such an Environment?
Server Virtualization IDS and ERSPAN:
Ethernet Network Policy
•Take a copy of traffic from the servers and switch it to the appliance
•IPS appliances analyze server traffic and log activity
Nexus 1000V makes this possible:
• ERSPAN: set a port-profile with a switchport SPAN session, and IP SPAN the traffic to the 6500
• SPAN to the connected 4200 IPS
• Permit protocol type header “0x88BE” for ERSPAN GRE
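The "permit protocol type 0x88BE" note refers to the GRE protocol type that ERSPAN Type II uses, and anything that filters or inspects the path between the Nexus 1000V and the 6500 needs to recognise it. The decoder below is an added example written for this page, not Cisco code: it takes the bytes that follow the outer IPv4 header (IP protocol 47), checks the GRE protocol type, walks the optional GRE fields and unpacks the ERSPAN Type II header to recover the mirrored frame and its session ID. The sample frame is constructed; the field layout is the published ERSPAN Type II format.

```python
"""Added example (not Cisco's code): a decoder for the GRE/ERSPAN Type II
encapsulation that carries mirrored frames across the Layer 3 network, the
encapsulation behind the "permit protocol type 0x88BE" note on the slide. It
works on the bytes that follow the outer IPv4 header (IP protocol 47); the
sample frame is constructed."""
import struct

GRE_PROTO_ERSPAN_II = 0x88BE       # GRE protocol type for ERSPAN Type II
GRE_FLAG_CHECKSUM = 0x8000
GRE_FLAG_KEY = 0x2000
GRE_FLAG_SEQ = 0x1000              # ERSPAN II carries a GRE sequence number


def parse_erspan(gre_payload):
    """Return the ERSPAN header fields and the mirrored Ethernet frame, or
    raise ValueError if the bytes are not a GRE/ERSPAN Type II encapsulation."""
    if len(gre_payload) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", gre_payload[:4])
    if proto != GRE_PROTO_ERSPAN_II:
        raise ValueError(f"GRE protocol type 0x{proto:04x} is not ERSPAN Type II")
    off = 4                        # optional GRE fields, in RFC 2890 order
    if flags & GRE_FLAG_CHECKSUM:
        off += 4
    if flags & GRE_FLAG_KEY:
        off += 4
    seq = None
    if flags & GRE_FLAG_SEQ:
        if len(gre_payload) < off + 4:
            raise ValueError("truncated GRE sequence number")
        (seq,) = struct.unpack("!I", gre_payload[off:off + 4])
        off += 4
    if len(gre_payload) < off + 8:
        raise ValueError("truncated ERSPAN header")
    word1, word2 = struct.unpack("!II", gre_payload[off:off + 8])
    version = word1 >> 28
    if version != 1:
        raise ValueError(f"ERSPAN version {version}, expected 1 (Type II)")
    return {
        "gre_seq": seq,
        "vlan": (word1 >> 16) & 0xFFF,       # original VLAN of the frame
        "cos": (word1 >> 13) & 0x7,
        "encap": (word1 >> 11) & 0x3,        # 0 = no VLAN tag left in frame
        "truncated": bool((word1 >> 10) & 1),
        "session_id": word1 & 0x3FF,         # the monitor session (erspan-id)
        "index": word2 & 0xFFFFF,            # source port index
        "frame": gre_payload[off + 8:],      # the mirrored Ethernet frame
    }


def is_erspan(gre_payload):
    """True if the bytes decode as ERSPAN Type II, i.e. what an ACL permitting
    protocol type 0x88BE is meant to let through."""
    try:
        parse_erspan(gre_payload)
        return True
    except ValueError:
        return False


def build_erspan(session_id, vlan, frame, gre_seq=1):
    """Encapsulate a frame the way a Type II source does (used here only to
    construct test input; assumes COS 0, no truncation, index 0)."""
    word1 = (1 << 28) | ((vlan & 0xFFF) << 16) | (session_id & 0x3FF)
    return (struct.pack("!HHI", GRE_FLAG_SEQ, GRE_PROTO_ERSPAN_II, gre_seq)
            + struct.pack("!II", word1, 0) + frame)


# Constructed mirrored frame: dst MAC, src MAC, EtherType IPv4, dummy payload.
SAMPLE_FRAME = bytes.fromhex("0011223344550066778899aa0800") + b"\x45" + b"\x00" * 19

if __name__ == "__main__":
    decoded = parse_erspan(build_erspan(session_id=7, vlan=100, frame=SAMPLE_FRAME))
    print({k: v for k, v in decoded.items() if k != "frame"}, len(decoded["frame"]))
```

Two points a practitioner should take from this: the ERSPAN session ID is the only thing tying a decapsulated frame back to its monitor session, so a collector that merges several sessions must key on it, and a GRE packet with the right protocol type but a version other than 1 is not Type II and should be dropped rather than guessed at.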
ERSPAN:
Sample Config for ERSPAN on N1K:
IPS in virtualized DC:
• Use cases
– Protect server farms through IPS
– Monitoring / Alarming through IPS in IDS Mode
• Products
–Cisco IPS 4260 / 4270 Appliance as:
  IPS: via external Service Chassis
  IDS: via SPAN Technology
–Cisco ASA IPS SSM for ASA 5585-X as IPS-only
–Cisco IDSM2 Switch module as:
  IPS: via external Service Chassis
  IDS: via Switch internal SPAN Session
  IDSM2 only available for Cat6K, no N7K module
High Availability and Scaling:
•Fail-open (Fail-Safe) techniques: Hardware or software that functions to detect problems and pass packets through the device without inspection when required
•Fail-secure (Fail-Closed) techniques: Hardware or software techniques that will stop forwarding any packets if the IPS fails
•Failover: One or more paths through the network to allow packets, in the event of a device failure, to either go through a backup IPS sensor or through a plain wire
•Load Balancing: Using devices or software features to split a traffic load up across multiple devices. This can achieve both higher data rates and redundant paths in case of failure
Configuring and Maintaining Specific Cisco IPS Hardware
Cisco IPS Sensor Initial Setup and Management:
•Using basic Cisco IPS CLI features.
•Configure and verify basic Cisco IPS sensor parameters.
•Configure and verify the Cisco IDM features and properties.
•Troubleshoot the initial configuration of the sensor.
•Troubleshoot basic Cisco IPS hardware problems.
•Restoring the Cisco IPS to its default configuration.
•Managing Cisco Licenses and Software
•Software Upgrade and Recovery
•Updates and Installation of IPS Signatures
•Managing Access & Password Recovery on the Cisco IPS Sensor.
•Using the CLI & IDM to perform sensor management and monitoring.
Applying Cisco IPS Security Policies:
•Deploying and managing Cisco IPS Sensor basic traffic analysis.
•Virtual sensor setup
•Traffic Normalization
•IPv6 Support
•Bypass mode
•Deploying and managing basic aspects of Cisco IPS signatures and responses.
•Signatures (types, features, properties, and actions).
•IP Logging and Filters
•Evaluating the Cisco IPS signature engines and built-in signature database.
•Deploying and managing Cisco IPS anomaly-based detection features.

Инфографика. Программы-вымогатели: реальное положение вещейИнфографика. Программы-вымогатели: реальное положение вещей
Инфографика. Программы-вымогатели: реальное положение вещей
 
1-300-206 (SENSS)=Firewall (642-618)
1-300-206 (SENSS)=Firewall (642-618) 1-300-206 (SENSS)=Firewall (642-618)
1-300-206 (SENSS)=Firewall (642-618)
 
Hr interview questions and answers for senior executives
Hr interview questions and answers for senior executivesHr interview questions and answers for senior executives
Hr interview questions and answers for senior executives
 
ASA Multiple Context Training
ASA Multiple Context TrainingASA Multiple Context Training
ASA Multiple Context Training
 
NAT in ASA Firewall
NAT in ASA FirewallNAT in ASA Firewall
NAT in ASA Firewall
 
CCNP Security SIMOS 300-209=vpn 642-648
CCNP Security SIMOS 300-209=vpn 642-648CCNP Security SIMOS 300-209=vpn 642-648
CCNP Security SIMOS 300-209=vpn 642-648
 
Cisco ASA Firewalls
Cisco ASA FirewallsCisco ASA Firewalls
Cisco ASA Firewalls
 
Understanding and Troubleshooting ASA NAT
Understanding and Troubleshooting ASA NATUnderstanding and Troubleshooting ASA NAT
Understanding and Troubleshooting ASA NAT
 
Using packet-tracer, capture and other Cisco ASA tools for network troublesho...
Using packet-tracer, capture and other Cisco ASA tools for network troublesho...Using packet-tracer, capture and other Cisco ASA tools for network troublesho...
Using packet-tracer, capture and other Cisco ASA tools for network troublesho...
 
Cisco Router and Switch Security Hardening Guide
Cisco Router and Switch Security Hardening GuideCisco Router and Switch Security Hardening Guide
Cisco Router and Switch Security Hardening Guide
 

Similar to CCNP Security-IPS

CISCO SECURITY INTELLIGENCE OPERATIONS SIO
CISCO SECURITY INTELLIGENCE OPERATIONS SIOCISCO SECURITY INTELLIGENCE OPERATIONS SIO
CISCO SECURITY INTELLIGENCE OPERATIONS SIO
Happy Sad
 
BGA SOME/SOC Etkinliği - Tehdit Odaklı Güvenlik Mimarisinde Sourcefire Yakla...
BGA SOME/SOC Etkinliği - Tehdit  Odaklı Güvenlik Mimarisinde Sourcefire Yakla...BGA SOME/SOC Etkinliği - Tehdit  Odaklı Güvenlik Mimarisinde Sourcefire Yakla...
BGA SOME/SOC Etkinliği - Tehdit Odaklı Güvenlik Mimarisinde Sourcefire Yakla...
BGA Cyber Security
 
CCNA Security 011- implementing ios-based ips
CCNA Security 011- implementing ios-based ipsCCNA Security 011- implementing ios-based ips
CCNA Security 011- implementing ios-based ips
Ahmed Habib
 
Ingenieria de Software Real Academia Española
Ingenieria de Software Real Academia EspañolaIngenieria de Software Real Academia Española
Ingenieria de Software Real Academia Española
pkalckbh
 
Idps technology starter v2.0
Idps technology starter v2.0Idps technology starter v2.0
PCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to KnowPCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to Know
AlienVault
 
MID_SIEM_Boubker_EN
MID_SIEM_Boubker_ENMID_SIEM_Boubker_EN
MID_SIEM_Boubker_EN
Vladyslav Radetsky
 
Pass4sure 640-554 Cisco IOS Network Security
Pass4sure 640-554 Cisco IOS Network SecurityPass4sure 640-554 Cisco IOS Network Security
Pass4sure 640-554 Cisco IOS Network Security
Hecrocro
 
Improve Cybersecurity posture by using ISO/IEC 27032
Improve Cybersecurity posture by using ISO/IEC 27032Improve Cybersecurity posture by using ISO/IEC 27032
Improve Cybersecurity posture by using ISO/IEC 27032
PECB
 
Effective Cyber Defense Using CIS Critical Security Controls
Effective Cyber Defense Using CIS Critical Security ControlsEffective Cyber Defense Using CIS Critical Security Controls
Effective Cyber Defense Using CIS Critical Security Controls
BSides Delhi
 
8 Ocak 2015 SOME Etkinligi - Cisco Next Generation Security
8 Ocak 2015 SOME Etkinligi - Cisco Next Generation Security8 Ocak 2015 SOME Etkinligi - Cisco Next Generation Security
8 Ocak 2015 SOME Etkinligi - Cisco Next Generation Security
BGA Cyber Security
 
How to Solve Your Top IT Security Reporting Challenges with AlienVault
How to Solve Your Top IT Security Reporting Challenges with AlienVaultHow to Solve Your Top IT Security Reporting Challenges with AlienVault
How to Solve Your Top IT Security Reporting Challenges with AlienVault
AlienVault
 
Advanced threat security - Cyber Security For The Real World
Advanced threat security - Cyber Security For The Real WorldAdvanced threat security - Cyber Security For The Real World
Advanced threat security - Cyber Security For The Real World
Cisco Canada
 
Pervasive Security Across Your Extended Network
Pervasive Security Across Your Extended NetworkPervasive Security Across Your Extended Network
Pervasive Security Across Your Extended Network
Cisco Security
 
Why ips slide share
Why ips slide shareWhy ips slide share
Why ips slide share
Travis Abrams
 
Inherent Security Design Patterns for SDN/NFV Deployments
Inherent Security Design Patterns for SDN/NFV DeploymentsInherent Security Design Patterns for SDN/NFV Deployments
Inherent Security Design Patterns for SDN/NFV Deployments
OPNFV
 
PCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s MissingPCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s Missing
Black Duck by Synopsys
 
Incident Response for the Work-from-home Workforce
Incident Response for the Work-from-home WorkforceIncident Response for the Work-from-home Workforce
Incident Response for the Work-from-home Workforce
Christopher Gerritz
 
Managed security services
Managed security servicesManaged security services
Managed security services
manoharparakh
 
2019 FRSecure CISSP Mentor Program: Class Ten
2019 FRSecure CISSP Mentor Program: Class Ten2019 FRSecure CISSP Mentor Program: Class Ten
2019 FRSecure CISSP Mentor Program: Class Ten
FRSecure
 

Similar to CCNP Security-IPS (20)

CISCO SECURITY INTELLIGENCE OPERATIONS SIO
CISCO SECURITY INTELLIGENCE OPERATIONS SIOCISCO SECURITY INTELLIGENCE OPERATIONS SIO
CISCO SECURITY INTELLIGENCE OPERATIONS SIO
 
BGA SOME/SOC Etkinliği - Tehdit Odaklı Güvenlik Mimarisinde Sourcefire Yakla...
BGA SOME/SOC Etkinliği - Tehdit  Odaklı Güvenlik Mimarisinde Sourcefire Yakla...BGA SOME/SOC Etkinliği - Tehdit  Odaklı Güvenlik Mimarisinde Sourcefire Yakla...
BGA SOME/SOC Etkinliği - Tehdit Odaklı Güvenlik Mimarisinde Sourcefire Yakla...
 
CCNA Security 011- implementing ios-based ips
CCNA Security 011- implementing ios-based ipsCCNA Security 011- implementing ios-based ips
CCNA Security 011- implementing ios-based ips
 
Ingenieria de Software Real Academia Española
Ingenieria de Software Real Academia EspañolaIngenieria de Software Real Academia Española
Ingenieria de Software Real Academia Española
 
Idps technology starter v2.0
Idps technology starter v2.0Idps technology starter v2.0
Idps technology starter v2.0
 
PCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to KnowPCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to Know
 
MID_SIEM_Boubker_EN
MID_SIEM_Boubker_ENMID_SIEM_Boubker_EN
MID_SIEM_Boubker_EN
 
Pass4sure 640-554 Cisco IOS Network Security
Pass4sure 640-554 Cisco IOS Network SecurityPass4sure 640-554 Cisco IOS Network Security
Pass4sure 640-554 Cisco IOS Network Security
 
Improve Cybersecurity posture by using ISO/IEC 27032
Improve Cybersecurity posture by using ISO/IEC 27032Improve Cybersecurity posture by using ISO/IEC 27032
Improve Cybersecurity posture by using ISO/IEC 27032
 
Effective Cyber Defense Using CIS Critical Security Controls
Effective Cyber Defense Using CIS Critical Security ControlsEffective Cyber Defense Using CIS Critical Security Controls
Effective Cyber Defense Using CIS Critical Security Controls
 
8 Ocak 2015 SOME Etkinligi - Cisco Next Generation Security
8 Ocak 2015 SOME Etkinligi - Cisco Next Generation Security8 Ocak 2015 SOME Etkinligi - Cisco Next Generation Security
8 Ocak 2015 SOME Etkinligi - Cisco Next Generation Security
 
How to Solve Your Top IT Security Reporting Challenges with AlienVault
How to Solve Your Top IT Security Reporting Challenges with AlienVaultHow to Solve Your Top IT Security Reporting Challenges with AlienVault
How to Solve Your Top IT Security Reporting Challenges with AlienVault
 
Advanced threat security - Cyber Security For The Real World
Advanced threat security - Cyber Security For The Real WorldAdvanced threat security - Cyber Security For The Real World
Advanced threat security - Cyber Security For The Real World
 
Pervasive Security Across Your Extended Network
Pervasive Security Across Your Extended NetworkPervasive Security Across Your Extended Network
Pervasive Security Across Your Extended Network
 
Why ips slide share
Why ips slide shareWhy ips slide share
Why ips slide share
 
Inherent Security Design Patterns for SDN/NFV Deployments
Inherent Security Design Patterns for SDN/NFV DeploymentsInherent Security Design Patterns for SDN/NFV Deployments
Inherent Security Design Patterns for SDN/NFV Deployments
 
PCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s MissingPCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s Missing
 
Incident Response for the Work-from-home Workforce
Incident Response for the Work-from-home WorkforceIncident Response for the Work-from-home Workforce
Incident Response for the Work-from-home Workforce
 
Managed security services
Managed security servicesManaged security services
Managed security services
 
2019 FRSecure CISSP Mentor Program: Class Ten
2019 FRSecure CISSP Mentor Program: Class Ten2019 FRSecure CISSP Mentor Program: Class Ten
2019 FRSecure CISSP Mentor Program: Class Ten
 

Recently uploaded

Demystifying Knowledge Management through Storytelling
Demystifying Knowledge Management through StorytellingDemystifying Knowledge Management through Storytelling
Demystifying Knowledge Management through Storytelling
Enterprise Knowledge
 
"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota
Fwdays
 
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
Neo4j
 
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance PanelsNorthern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving
 
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptxPRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
christinelarrosa
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
DianaGray10
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
Miro Wengner
 
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
MichaelKnudsen27
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
Zilliz
 
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
Alex Pruden
 
AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSFAppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
Ajin Abraham
 
Christine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptxChristine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptx
christinelarrosa
 
What is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE?  Session 1 – CoE VisionWhat is an RPA CoE?  Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE Vision
DianaGray10
 
The Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptxThe Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptx
operationspcvita
 
Leveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and StandardsLeveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and Standards
Neo4j
 
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham HillinQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
LizaNolte
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
Brandon Minnick, MBA
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
Jakub Marek
 
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
Fwdays
 
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
Jason Yip
 

Recently uploaded (20)

Demystifying Knowledge Management through Storytelling
Demystifying Knowledge Management through StorytellingDemystifying Knowledge Management through Storytelling
Demystifying Knowledge Management through Storytelling
 
"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota
 
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
 
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance PanelsNorthern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
 
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptxPRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
 
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
 
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
 
AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSFAppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
 
Christine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptxChristine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptx
 
What is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE?  Session 1 – CoE VisionWhat is an RPA CoE?  Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE Vision
 
The Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptxThe Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptx
 
Leveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and StandardsLeveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and Standards
 
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham HillinQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
 
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
 
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
 

CCNP Security-IPS

4. Introduction to Intrusion Prevention and Detection
The Evolution of Internet / A Shift to Financial Gain (figures)
Top-Ten Cyber Security Menaces:
• Sophisticated website attacks
• Increasing botnet sophistication and effectiveness
• Growing cyber espionage
• Emerging mobile phone threats
• Insider attacks
• Advanced identity theft
• Increasingly malicious spyware
• Web application security exploits
• Sophisticated social engineering
• Supply-chain attacks infecting consumer devices

5. Cisco Intrusion Prevention Services
• Intelligent Detection
 – Vulnerability- and exploit-specific signatures
 – Traffic and protocol anomaly detection
 – Knowledge-base anomaly detection
 – Reputation filters
• Precision Response
 – Risk-management-based policy
 – Global correlation adding reputation
 – On-box correlation through the Meta Event Generator
 – “Trustworthiness” linkages with the endpoint
• Flexible Deployment
 – Passive and/or inline with flexible response (IDS/IPS)
 – Sensor virtualization
 – Physical and logical (VLAN) interface support
 – Software and hardware bypass
Cisco Security Intelligence Operations (figure)

6. Cisco IPS Intelligent Detection Capabilities (figures): Vulnerability and Exploit-Based Signatures; Cisco IPS Product Portfolio; Integrated Security Across the Network

7. Cisco IPS 4200 Series Sensors Comparison (figure)

8. AIP-SSM Module; Catalyst 6500 IDSM-2 (figures)

9. Cisco IPS Architecture (figure)

10. Packet Flow in IPS v7.0
• IPS Reputation Filters block access to IPs on stolen “zombie” networks or networks controlled entirely by malicious organizations.
• Global Correlation Inspection raises the Risk Rating of events when the attacker has a negative reputation, allowing those events to be blocked more confidently and more often than an event without a negative reputation.
• IPS Version 7.0 software permits a device to run in promiscuous mode and inline mode simultaneously, which allows some segments to be monitored for IDS only while other segments use IPS protection.
Overview of Intrusion Detection Systems (IDS) (figure)

11. IDS Option 1: Single Interface (spanning traffic to the IPS 4200); IDS Option 2: VLAN Groups (figures)

12. Overview of Intrusion Prevention Systems (IPS)
IPS Option 1: Interface Pairing
• Bump in the wire (intelligent wire)
• Two physical interfaces
• Switch ports configured as access ports or trunk

13. IPS Option 2: VLAN-on-a-Stick
• VLAN mapping
• One physical interface configured as a trunk
IPS Option 3: VLAN Groups (figure)

14. IPS in ASA Appliance
• ASA redirects traffic to the IPS service module
• Module can be used as IDS (promiscuous) or IPS (inline)
• Virtual sensor and failure policy can be defined
Areas of Network IPS or IDS Deployment (figure)
  • 15. These slides taken from Cisco live 2012 & 3/20/2014 Eng. Mohannad Alhanahnah 15 Key Terms & Acronyms: Vulnerability: A vulnerability is a weakness that compromises the security or functionality of a particular system in your network. Exploit: An exploit is a mechanism designed to take advantage of vulnerabilities that exist in your systems. Signature: A signature is a set of instructions the sensor uses to identify an unwanted traffic type. False Alarms: False alarms are IDS/IPS events that you do not want occurring in your implementation. The two types of false alarms are false positives and false negatives. Both are undesirable. True Alarms: The two types of true alarms in IDS/IPS terminology are true positive and true negative. Both are desirable.
  • 16. These slides taken from Cisco live 2012 & 3/20/2014 Eng. Mohannad Alhanahnah 16 Security Controls: • False Positive – A false positive means that an alert has been triggered, but it was for traffic that does not constitute an actual attack. • False Negative –A false negative occurs when attack traffic does not trigger an alert on the IDS/IPS device. This is often viewed as the worst type of false alarm. • True Positive –A true positive means that the IDS/IPS device recognized and responded to an attack. • True Negative –This means that non offending or benign traffic did not trigger an alarm. Approaches to Intrusion Prevention: • Signature Based • Anomaly Based • Policy Based • Protocol Analysis Based • Reputation Based
  • 17. These slides taken from Cisco live 2012 & 3/20/2014 Eng. Mohannad Alhanahnah 17 Version 7.0 of the Cisco IPS Sensor Software adds many new features, including the following: ■ Virtualization support: Allows different policies for different segments that are being monitored by a single sensor. ■ New signature engines: Additions that cover Server Message Block and Transparent Network Substrate traffic. ■ Passive operating system fingerprinting: A set of features that enables Cisco IPS to identify the operating system of the victim of an attack. ■ Improved risk and threat rating system: The risk rating helps with alerts and is now based on many different components to improve the sensor’s performance and operation. ■ Global correlation: Allows the sensor to take stronger preventive action against traffic originating from hosts with a negative reputation score. ■ Reputation filtering: Blocks all network traffic originating from hosts with the worst reputations. ■ Enhanced health and performance monitoring: Allows the IPS administrator to better monitor the performance of the sensors. ■ IPv6 detection and prevention: The ability to analyze both IPv4 and IPv6 network traffic. ■ Cisco Intrusion Prevention System Manager Express (IME): A new and improved GUI for management and monitoring of multiple IPS devices. ■ Anomaly detection: Designed to detect worm-infested hosts.
  • 18. These slides taken from Cisco live 2012 & 3/20/2014 Eng. Mohannad Alhanahnah 18 Cisco Sensor Family The Cisco sensor family includes the following devices: ■ Cisco IDS 4240 sensor ■ Cisco IPS 4255 sensor ■ Cisco IPS 4260 sensor ■ Cisco IPS 4270 sensor ■ Cisco Catalyst 6500 series IDSM-2 ■ Cisco ASA AIP-SSM-10 ■ Cisco ASA AIP-SSM-20 ■ Cisco ASA AIP-SSM-40 ■ Cisco AIM IPS module for ISR routers ■ Cisco NME IPS module for ISR routers Management Options: For a single device (element management), options include the following: ■ Command-line interface (CLI) ■ Cisco IPS Device Manager (IDM) ■ Cisco IPS Manager Express (IME) For multiple-device management, options include the following: ■ Cisco IPS Manager Express (IME), for one to ten sensors ■ Cisco Security Manager (CSM), for one or many sensors ■ Cisco Security Monitoring, Analysis, and Response System (MARS)
  • 19. These slides taken from Cisco live 2012 & 3/20/2014 Eng. Mohannad Alhanahnah 19 Deploying Sensors: Consider these technical factors when selecting sensors for deployment in an organization: ■ The network media in use. ■ The performance of the sensor. ■ The overall network design. ■ The IPS design: Will the sensor analyze and protect many systems, or just a few? ■ Virtualization: Will multiple virtual sensors be created in the sensor? The CLI can be used to ■ Initialize the sensor ■ Configure ■ Administer ■ Troubleshoot ■ Monitor Initializing the Sensor: The setup command at the CLI walks you through initialization. You can do the following: ■ Assign a hostname to the sensor. This is case sensitive. It defaults to sensor. ■ Assign an IP address to the command and control interface. The default is 10.1.9.201/24. ■ Assign a default gateway. The default is 10.1.9.1. ■ Enable or disable the Telnet server. Telnet is disabled by default. ■ Specify the web server port. The default is 443. ■ Create network access control lists (ACL) that can access the sensor for management. ■ Configure the date and time. ■ Configure the sensor interfaces. ■ Configure virtual sensors. This enables the configuration of promiscuous and inline interface pairs. ■ Configure threat prevention. An event action override denies high-risk network traffic with a risk rating of 90 to 100. This option lets you disable this feature.
• 20. Initial Setup of IPS Appliance:
• The CLI wizard performs the basic configuration needed to allow network connectivity for the GUI.
Threat and Risk Rating:
• 21. Calculating Threat and Risk:
• RR = [(ASR x TVR x SFR) / 10,000] + ARR – PD + WLR
–ASR = attack severity rating, TVR = target value rating, SFR = signature fidelity rating, ARR = attack relevancy rating, PD = promiscuous delta (subtracted only in promiscuous mode, where the sensor cannot drop the traffic), WLR = watch list rating
Example:
–ASR = 75, SFR = 90, PD = 0 (inline mode), TVR = 100, ARR = 10, and WLR = 0
–RR = [(75 x 100 x 90) / 10,000] + 10 – 0 + 0 = 67.5 + 10 = 77.5, rounded to 78
• TR = RR – Threat Rating Adjustment
–Configuration > Policies > Event Action Rules > rules0 pane, General tab
Real-Time Risk-based Policy: Risk Rating and IPS Policy
• A quantitative measure of each threat before IPS mitigation.
• 22. Threat Rating: Post-policy Evaluation of Incident Urgency
• The threat rating is the risk rating reduced by an adjustment for the actions the sensor actually took, so it expresses the urgency that remains after policy has been applied (an event that was dropped inline is less urgent than the same event that was only alerted on).
• 23. Where do I configure actions?
Actions are configured in 3 different places:
– The signature itself, where you define the default response if this signature is triggered
– The event action override, which lets the system add actions depending on the risk rating
– The event action filter, where the system can remove actions depending on several parameters such as the sig ID, the addresses of the attacker or victim, …
Master engine: Event Actions
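The risk rating formula and worked example from slide 21, the threat rating from slide 22 and the three places actions come from on this slide, put together as a runnable model. This is an added example in Python and is not code from the slides or from Cisco: the per-action threat-rating adjustment values are the ones I recall from the IPS 7.x configuration guide and are treated as an assumption, and the Override and Filter objects are simplified stand-ins for the rules0 policy.

```python
"""Risk rating (RR), threat rating (TR) and the action pipeline of a Cisco IPS
event, modelled in Python. Added worked example; not code from the slides or
from Cisco. The per-action threat-rating adjustments below are assumed values;
Override and Filter are simplified stand-ins for the rules0 policy objects."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Tuple

# Assumed adjustment subtracted from RR for the strongest deny/block action taken.
TR_ADJUSTMENT = {
    "deny-attacker-inline": 45,
    "deny-attacker-victim-pair-inline": 40,
    "deny-attacker-service-pair-inline": 40,
    "deny-connection-inline": 35,
    "deny-packet-inline": 35,
    "modify-packet-inline": 35,
    "request-block-host": 20,
    "request-block-connection": 20,
    "request-rate-limit": 20,
}


def risk_rating(asr: int, tvr: int, sfr: int, arr: int = 0, pd: int = 0,
                wlr: int = 0, inline: bool = True) -> int:
    """RR = [(ASR x TVR x SFR) / 10,000] + ARR - PD + WLR, rounded, clamped to 0..100.
    The promiscuous delta (PD) is only subtracted when the sensor cannot drop traffic."""
    if inline:
        pd = 0
    rr = (asr * tvr * sfr) / 10_000 + arr - pd + wlr
    return max(0, min(100, int(rr + 0.5)))


@dataclass(frozen=True)
class Override:
    """Event action override: adds an action to every event in an RR range."""
    rr_min: int
    rr_max: int
    action: str


@dataclass(frozen=True)
class Filter:
    """Event action filter: removes actions from events matching sig ID,
    attacker/victim network (CIDR) and RR range. None means 'any'."""
    remove: FrozenSet[str]
    sig_id: Optional[int] = None
    attacker: Optional[str] = None
    victim: Optional[str] = None
    rr_min: int = 0
    rr_max: int = 100

    def matches(self, sig_id: int, attacker: str, victim: str, rr: int) -> bool:
        if self.sig_id is not None and self.sig_id != sig_id:
            return False
        for net, addr in ((self.attacker, attacker), (self.victim, victim)):
            if net and ipaddress.ip_address(addr) not in ipaddress.ip_network(net):
                return False
        return self.rr_min <= rr <= self.rr_max


# The sensor's default "threat prevention" override from the setup wizard.
DEFAULT_OVERRIDES = (Override(90, 100, "deny-packet-inline"),)


def evaluate(sig_id: int, sig_actions: Iterable[str], rr: int, attacker: str,
             victim: str, overrides: Iterable[Override] = DEFAULT_OVERRIDES,
             filters: Iterable[Filter] = ()) -> Tuple[List[str], int]:
    """Applies the three places actions come from, in order:
    1. the signature's own actions, 2. overrides add by RR, 3. filters remove.
    Returns (final actions, threat rating)."""
    actions = set(sig_actions)
    for o in overrides:
        if o.rr_min <= rr <= o.rr_max:
            actions.add(o.action)
    for f in filters:
        if f.matches(sig_id, attacker, victim, rr):
            actions -= f.remove
    tr = rr - max((TR_ADJUSTMENT.get(a, 0) for a in actions), default=0)
    return sorted(actions), max(0, tr)


if __name__ == "__main__":
    rr = risk_rating(asr=75, tvr=100, sfr=90, arr=10)      # the slide's example: 78
    print(rr, evaluate(60001, {"produce-alert"}, rr, "192.0.2.10", "198.51.100.5"))
    rr = risk_rating(asr=100, tvr=100, sfr=90, arr=10)     # 100: the override kicks in
    print(rr, evaluate(60001, {"produce-alert"}, rr, "192.0.2.10", "198.51.100.5"))
```

The order matters in practice: a filter that removes deny-packet-inline for a scanner subnet silently restores the threat rating to the full risk rating, which is exactly why tuned-out events deserve review rather than just fewer alerts.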
• 24. Installing and Maintaining Cisco IPS Sensors:
IPS Deployment Options:
■ Promiscuous mode: In this mode, packets do not flow through the sensor. Instead, packets are copied to the interface from a network device. This is also known as IDS mode.
■ Inline Interface Pairing mode: Traffic passes through the sensor, from one interface to another. Two monitoring interfaces must be configured as a pair. The sensor functions as a Layer 2 bridge for this traffic.
■ Inline VLAN Pairing mode: Here, the monitoring interface acts as an 802.1Q trunk port. The sensor bridges between pairs of VLANs on the trunk.
■ VLAN Group mode: Each physical interface can be divided into VLAN group subinterfaces. This enables you to use a sensor with only a few interfaces as if it had many interfaces.
Cisco IPS Sensor Promiscuous Mode Deployment:
• 25. Cisco IPS Sensor Inline Interface Mode Deployment:
Cisco IPS Sensor Inline VLAN Pair Mode Deployment:
• 26. Cisco IPS Sensor Inline VLAN Group Mode Deployment:
Cisco IPS Sensor Selective Inline Analysis Mode Deployment:
• 27. Applying Cisco IPS Security Policies:
IPS 4200 Appliance Management Interface:
• The IPS 4200 sensor is managed through a dedicated out-of-band command and control interface
• IPS management uses SSH (CLI) or HTTPS (IDM/IME, and SDEE for event retrieval)
Assigning Virtual Sensors:
• Both IDS (promiscuous) and IPS (inline) interfaces must be assigned to a virtual sensor, even if only one virtual sensor (e.g. vs0) is used
• 28. IPv6 and Cisco IPS:
• IPv6 is enabled by default on Windows Server 2008, Vista and Windows 7
• Can analyze native IPv6 traffic
• Can detect IPv6 tunneled traffic
• IPS tuning can be done on IPv4 and IPv6 traffic simultaneously
Usage of Dual-Stack on all Engines: Service HTTP
• 29. Usage of Dual-Stack on all Engines: String TCP with Custom Signature
Deploying Anomaly-Based Operation:
Signature:
• A signature is used to detect a potential threat.
• Cisco signatures are vulnerability focused, not exploit focused.
• We need different types of signatures. To match these signatures efficiently against the type of traffic, different engines are used.
• A signature has two independent states:
–Retired vs. Active: a retired signature is not compiled into the engine at all, so it costs no memory or CPU
–Disabled vs. Enabled: a disabled signature stays loaded but does not fire alerts or actions
• 30. Types of Signatures:
• Three types of signatures
–Default: included in the sensor software (ID range is 1,000 – 59,000)
–Tuned: built-in signatures that the user/administrator modifies
–Custom: new signatures that the user/administrator creates (custom ID range is 60,000 – 65,000)
What Is an Engine?
• A signature engine is a component of the Cisco IPS that is designed to support many signatures in a certain category.
• An engine is composed of a parser and an inspector.
• Each engine has a set of parameters that have allowable ranges or sets of values.
• 31. The Different Engine Families:
• Atomic engines: looking at attacks in a single packet
• Flood: specialised in attacks that involve flooding hosts with packets
• String: looking for patterns across several packets
• Sweep: specialised in attacks that involve scanning of hosts and ports
• Anomaly detection: baselining the traffic first, then looking for thresholds being exceeded
• Service engines: specialised engines looking at services like DNS, HTTP, FTP, …
• And many others...
• ATOMIC signature engines are
■ ATOMIC ARP
■ ATOMIC IP
■ ATOMIC IP ADVANCED
■ ATOMIC IPv6
• The FIXED engines are
■ FIXED ICMP
■ FIXED TCP
■ FIXED UDP
• FLOOD signature engines are
■ FLOOD NET
■ FLOOD HOST
• 32. SERVICE signature engines are
■ SERVICE DNS
■ SERVICE FTP
■ SERVICE FTP V2
■ SERVICE GENERIC
■ SERVICE GENERIC ADVANCED
■ SERVICE H225
■ SERVICE HTTP
■ etc.
• The STRING engines are
■ STRING ICMP
■ STRING ICMP XL
■ STRING TCP
■ STRING TCP XL
■ STRING UDP
■ STRING UDP XL
■ MULTI STRING
What is the difference between STRING and FIXED engines? FIXED differs from STRING signatures in that FIXED signatures watch all TCP/UDP ports, whereas STRING signatures watch only their defined ports.
• The SWEEP engines are
■ SWEEP
■ SWEEP OTHER TCP
• TROJAN engines are:
■ TROJAN BO2K examines UDP and TCP traffic for Back Orifice.
■ TROJAN TFN2K examines UDP, TCP, or ICMP traffic for irregular traffic patterns and corrupted headers.
■ TROJAN UDP examines UDP traffic for Trojan attacks.
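The signature model of slides 29 to 32 (custom IDs in 60,000 to 65,000, retired vs. disabled, an engine as parser plus inspector, STRING engines watching only their defined ports) as a runnable model. This is an added example in Python and not code from the slides or from Cisco: the `StringTcpEngine`, `Sensor` and `Signature` classes are illustrative, a signature with an empty port set stands in for the FIXED behaviour of watching every port, and the packets are constructed.

```python
"""A toy sensor that shows how a signature, its engine and its state interact.
Added example, not code from the slides or Cisco; all class names are mine."""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

CUSTOM_ID_RANGE = range(60000, 65001)   # custom signature IDs per the slides


@dataclass(frozen=True)
class Packet:
    """Constructed, minimal view of one TCP packet."""
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Signature:
    sig_id: int
    engine: str                                 # engine the signature belongs to
    regex: str                                  # inspector pattern (byte regex)
    service_ports: FrozenSet[int] = frozenset() # empty = watch every port (FIXED-style)
    direction: str = "to-service"               # or "from-service"
    enabled: bool = True                        # disabled: loaded, matches, no alert
    retired: bool = False                       # retired: never compiled at all


class StringTcpEngine:
    """An engine = parser + inspector. The parser extracts the fields the
    inspector needs; the inspector applies one signature's parameters."""
    name = "string-tcp"

    def parse(self, pkt: Packet) -> dict:
        return {"to": pkt.dport, "from": pkt.sport, "data": pkt.payload}

    def inspect(self, sig: Signature, parsed: dict) -> bool:
        port = parsed["to"] if sig.direction == "to-service" else parsed["from"]
        if sig.service_ports and port not in sig.service_ports:
            return False            # STRING engines only look at defined ports
        return re.search(sig.regex.encode(), parsed["data"]) is not None


class Sensor:
    def __init__(self) -> None:
        self.engines = {StringTcpEngine.name: StringTcpEngine()}
        self.sigs: Dict[int, Signature] = {}
        self.compiled: List[Signature] = []

    def add_custom(self, sig: Signature) -> None:
        if sig.sig_id not in CUSTOM_ID_RANGE:
            raise ValueError(f"custom signature {sig.sig_id} outside 60000-65000")
        if sig.engine not in self.engines:
            raise ValueError(f"unknown engine {sig.engine}")
        self.sigs[sig.sig_id] = sig

    def compile(self) -> List[int]:
        """Retired signatures are left out of the engine entirely."""
        self.compiled = [s for s in self.sigs.values() if not s.retired]
        return [s.sig_id for s in self.compiled]

    def inspect(self, pkt: Packet) -> Tuple[List[int], int]:
        """Returns (alerting signature IDs, number of signatures evaluated)."""
        alerts, evaluated = [], 0
        parsed = {name: eng.parse(pkt) for name, eng in self.engines.items()}
        for sig in self.compiled:
            evaluated += 1
            if self.engines[sig.engine].inspect(sig, parsed[sig.engine]) and sig.enabled:
                alerts.append(sig.sig_id)
        return sorted(alerts), evaluated


def demo() -> Tuple[Tuple[List[int], int], Tuple[List[int], int]]:
    s = Sensor()
    traversal = r"\.\./\.\./"
    s.add_custom(Signature(60001, "string-tcp", traversal, frozenset({80})))
    s.add_custom(Signature(60002, "string-tcp", traversal))                 # all ports
    s.add_custom(Signature(60003, "string-tcp", traversal, enabled=False))  # loaded, silent
    s.add_custom(Signature(60004, "string-tcp", traversal, retired=True))   # not loaded
    s.compile()
    req = b"GET /../../etc/passwd HTTP/1.0\r\n"
    web = Packet("192.0.2.10", "198.51.100.5", 40000, 80, req)
    alt = Packet("192.0.2.10", "198.51.100.5", 40001, 8080, req)
    return s.inspect(web), s.inspect(alt)
```

Run `demo()`: the same request on port 8080 only trips the port-less signature, and the disabled signature still costs an evaluation on every packet while the retired one costs nothing, which is the practical difference between the two states.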
• 33. Normalizer Module:
Normalizer Engine Signatures:
• The normalizer signatures are designed for inline mode only
• These signatures perform several tasks, including:
–Watch for packets with illegal combinations of flags
–Watch for bad checksums
–Watch for TCP segment overrides
–Watch for fragmented traffic
–Much more
• The normalizer denies or fixes abnormal packets
• 34. TCP Normalization – How: Layer 4 protection
• Strict tracking of TCP state
• Strict tracking of sequence numbers (including support for PAWS checks)
• Best-effort tracking of data previously seen for un-ACKed inspected content (prevents/detects overwrites in the TCP sequence space)
• Checksums and invalid TCP flags
• Ability to modify TTLs so they monotonically decrease or remain steady over the life of the flow (a later segment can never carry a higher TTL than an earlier one, which defeats low-TTL insertion evasion)
• URG pointer normalization
Real-Time Anomaly Detection for Zero-Day Threats:
• Anomaly detection algorithms to detect and stop zero-day threats
• Real-time learning of normal network behavior
• Automatic detection and policy-based protection from anomalous threats to the network
• Result: protection against attacks for which there is no signature
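The normalizer tasks listed on slides 33 and 34, as a small inline normalizer for one direction of one flow. This is an added example in Python, not code from the slides or from Cisco; the event names, the exact set of illegal flag combinations and the sample segments are my own choices, and the flow is constructed to show the low-TTL insertion evasion that TTL and sequence-space normalization exist to stop.

```python
"""A small inline TCP normalizer modelled on the tasks the slides list.
Added example, not code from the slides or from Cisco."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass(frozen=True)
class Segment:
    seq: int
    flags: int
    data: bytes
    ttl: int
    urg_ptr: int = 0


def check_flags(flags: int) -> Optional[str]:
    """Returns the name of an illegal flag combination, or None if legal."""
    if flags & SYN and flags & FIN:
        return "syn-fin"
    if flags & SYN and flags & RST:
        return "syn-rst"
    if flags == 0:
        return "null-flags"
    if flags & FIN and not flags & ACK:
        return "fin-without-ack"
    return None


class TcpNormalizer:
    """One direction of one flow. Denies illegal flag combinations, rewrites the
    TTL so it never rises over the life of the flow, clears a stray URG pointer,
    and denies retransmissions that overwrite bytes already inspected."""

    def __init__(self) -> None:
        self.seen: Dict[int, int] = {}      # seq number -> byte already inspected
        self.min_ttl: Optional[int] = None
        self.events: List[str] = []

    def process(self, seg: Segment) -> Optional[Segment]:
        """Returns the (possibly modified) segment to forward, or None if denied."""
        bad = check_flags(seg.flags)
        if bad:
            self.events.append(f"deny illegal-flags:{bad}")
            return None
        # TTL: a later segment may keep or lower the TTL, never raise it, so a
        # low-TTL segment that dies before the server cannot be "corrected" later.
        if self.min_ttl is None or seg.ttl < self.min_ttl:
            self.min_ttl = seg.ttl
        ttl = self.min_ttl
        if ttl != seg.ttl:
            self.events.append(f"modify ttl {seg.ttl}->{ttl}")
        # URG pointer without the URG flag: clear it rather than let stacks disagree.
        urg_ptr = seg.urg_ptr if seg.flags & URG else 0
        if urg_ptr != seg.urg_ptr:
            self.events.append("modify urg-pointer-cleared")
        # Overwrite detection in the sequence space (best effort, un-ACKed data).
        for i, b in enumerate(seg.data):
            prev = self.seen.get(seg.seq + i)
            if prev is not None and prev != b:
                self.events.append(f"deny tcp-seq-overwrite at {seg.seq + i}")
                return None
        for i, b in enumerate(seg.data):
            self.seen[seg.seq + i] = b
        return Segment(seg.seq, seg.flags, seg.data, ttl, urg_ptr)


def demo() -> Tuple[List[str], List[Optional[int]]]:
    """Constructed flow: the request is split, a low-TTL chunk is inserted so the
    IPS and the server would see different bytes, then a SYN+FIN probe follows."""
    n = TcpNormalizer()
    out = [
        n.process(Segment(1000, SYN, b"", 64)),
        n.process(Segment(1001, ACK | PSH, b"GET /ind", 64)),     # bytes 1001..1008
        n.process(Segment(1009, ACK | PSH, b"ex.html", 3)),       # TTL 3: dies before the server
        n.process(Segment(1009, ACK | PSH, b"ex.php ", 64)),      # what the server was meant to get
        n.process(Segment(2000, SYN | FIN, b"", 64)),             # SYN+FIN scan
    ]
    return n.events, [None if s is None else s.ttl for s in out]
```

Both defences fire on the evasion: the real `ex.php ` segment is denied as a sequence-space overwrite, and even if it were not, its TTL would have been rewritten to 3 so it would die where the decoy died. This is also why the normalizer is inline-only: in promiscuous mode there is nothing to rewrite or drop.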
• 35. Protocol-Anomaly Detection:
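The learn-then-threshold idea behind the anomaly detection bullets on slides 31 and 34 (baseline normal behaviour first, then alarm on what exceeds it), run over constructed flow records. This is an added example in Python and not code from the slides or from Cisco's anomaly detection engine: the feature (distinct destination/port pairs a source touches per minute) and the threshold rule (twice the largest value seen while learning) are my own simplifications.

```python
"""Learn-then-threshold anomaly detection over flow records. Added example,
not Cisco's AD implementation; feature and threshold rule are simplifications."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

BUCKET_SECONDS = 60
Flow = Tuple[int, str, str, int]        # (timestamp, src, dst, dport)


def fan_out(flows: List[Flow]) -> Dict[Tuple[int, str], Set[Tuple[str, int]]]:
    """Distinct (dst, dport) pairs contacted by each source in each minute bucket."""
    out: Dict[Tuple[int, str], Set[Tuple[str, int]]] = defaultdict(set)
    for ts, src, dst, dport in flows:
        out[(ts // BUCKET_SECONDS, src)].add((dst, dport))
    return out


class AnomalyDetector:
    def __init__(self, margin: float = 2.0) -> None:
        self.margin = margin
        self.threshold = 0
        self.mode = "learn"

    def learn(self, flows: List[Flow]) -> int:
        """Learning mode: baseline on the busiest source/minute seen, derive the threshold."""
        peak = max((len(v) for v in fan_out(flows).values()), default=0)
        self.threshold = int(peak * self.margin)
        self.mode = "detect"
        return self.threshold

    def detect(self, flows: List[Flow]) -> List[Tuple[int, str, int]]:
        """Detect mode: (bucket, src, fan-out) for every source exceeding the baseline."""
        if self.mode != "detect":
            raise RuntimeError("run learn() first")
        return sorted((b, src, len(v)) for (b, src), v in fan_out(flows).items()
                      if len(v) > self.threshold)


def constructed_flows(with_worm: bool) -> List[Flow]:
    """Constructed sample: three workstations each talking to 2-4 file servers a
    minute; with_worm adds one host sweeping 30 neighbours inside a minute."""
    flows: List[Flow] = []
    for minute in range(3):
        base = minute * BUCKET_SECONDS
        for i, src in enumerate(("10.1.1.10", "10.1.1.11", "10.1.1.12")):
            for k in range(2 + i):
                flows.append((base + k, src, f"10.1.2.{k + 1}", 445))
    if with_worm:
        for k in range(30):
            flows.append((k, "10.1.1.99", f"10.1.3.{k + 1}", 445))
    return flows


if __name__ == "__main__":
    d = AnomalyDetector()
    print("threshold", d.learn(constructed_flows(with_worm=False)))
    print("anomalies", d.detect(constructed_flows(with_worm=True)))
```

The caveat a practitioner wants is visible in the code: the baseline is only as clean as the learning window. If the sweeping host had been active while `learn()` ran, the threshold would have been 60 and the worm would have become "normal", so learning periods need to be chosen and reviewed, not left running open-ended.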
• 37. Managing and Analyzing Events:
Cisco IPS Manager Express (IME): all-in-one IPS management application for up to 10 IPS sensors
• 38. CSM 4.3 – IPS Configuration:
• Centrally manage multiple physical and virtual sensors
• Tune policies
• Create custom signatures
• Track policy changes
• Update signatures and software for IPS sensors
• 39. CSM 4.3 – Event Logging and Filtering:
• Log and monitor all IPS events
• Granular filtering and searching through events
• Customizable view
• Event-to-policy mapping
• 40. CSM 4.3 – Reporting:
• Tactical reporting
• Export to PDF or CSV
• Schedule reports
• Customizable graphs and data
• 41. CSM 4.3 – Health Monitoring:
• Monitor IPS systems for throughput, CPU, memory, number of events, status of hardware, ...
• Get an alert when the status changes
IPS Sensor Management:
• 42. Deploying Virtualization, High Availability, and High Performance Solutions
Flexible Deployment:
Sensor Virtualization:
• 43. How to place a sensor into such an environment?
• 44. Introducing Cisco Nexus 1000V for VMware ESX
Simplifying virtual machine and network policy management:
• Policy-based VM connectivity
–Mobility of network and security properties
• Virtual Center integration for server administrators
• Cisco NX-OS environment for network administrators
• Ensures visibility and policy enforcement during VMotion
• Compatible with any switching platform
SPAN Technologies Overview:
• Local SPAN: mirrors traffic from one or more interfaces or VLANs on the switch to one or more other interfaces (or a service module) on the same switch.
• Remote SPAN (RSPAN): mirrors traffic from one or more interfaces or VLANs on the switch to a special RSPAN VLAN, which carries the traffic across a Layer 2 switched network to one or more other switches. The other switches mirror the traffic from the RSPAN VLAN to one or more of their local interfaces (or service modules).
• Encapsulated Remote SPAN (ERSPAN): mirrors traffic from one or more interfaces or VLANs on the switch into an IP GRE tunnel, which carries the traffic across an arbitrary Layer 3 network to another device. If the destination is another ERSPAN-capable switch, it decapsulates the monitored packets and mirrors them to one or more of its local interfaces (or service modules).
• 45. How to place a sensor into such an environment?
Server Virtualization IDS and ERSPAN: Ethernet Network Policy
• Take a copy of the traffic from the servers and switch it to the appliance
• IPS appliances analyze the server traffic and log activity
The Nexus 1000V makes this possible:
• ERSPAN: set a port profile with a switchport SPAN session and an IP (ERSPAN) source that sends the mirrored traffic to the 6500
• On the 6500, SPAN to the connected 4200 IPS
• Any ACL in the path must permit GRE with protocol type 0x88BE, the ERSPAN payload type
• 46. ERSPAN: Sample Config for ERSPAN on N1K:
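The sample configuration on this slide was an image and did not survive extraction. As an added example that is not from the slides or from Cisco, here is what the other end of that setup has to do: a Python decapsulator for what the IDS receives from an ERSPAN session, i.e. GRE with protocol type 0x88BE (slide 45), the ERSPAN Type II header, then the mirrored Ethernet frame. The header layout is the ERSPAN Type II format as I understand it (version field 1, GRE sequence number present), and the sample frames are constructed.

```python
"""Decapsulating ERSPAN (GRE protocol type 0x88BE, Type II header) the way an
IDS fed by ERSPAN must before it can inspect the mirrored frame.
Added example, not code from the slides or Cisco; header layout assumed."""
import struct
from dataclasses import dataclass
from typing import Optional

ERSPAN_PROTO = 0x88BE                            # GRE protocol type the slides say to permit
GRE_C, GRE_K, GRE_S = 0x8000, 0x2000, 0x1000     # checksum / key / sequence present


@dataclass(frozen=True)
class ErspanFrame:
    session_id: int
    vlan: int
    cos: int
    truncated: bool
    gre_seq: Optional[int]
    inner: bytes                                 # the mirrored Ethernet frame


def parse_gre_erspan(buf: bytes) -> ErspanFrame:
    """Parses the GRE payload of the outer IP packet (outer IP header already removed)."""
    if len(buf) < 4:
        raise ValueError("short GRE header")
    flags, proto = struct.unpack("!HH", buf[:4])
    if flags & 0x7:
        raise ValueError(f"unexpected GRE version {flags & 0x7}")
    if proto != ERSPAN_PROTO:
        raise ValueError(f"not ERSPAN: GRE protocol type 0x{proto:04x}")
    off = 4
    if flags & GRE_C:
        off += 4                                 # checksum + reserved
    if flags & GRE_K:
        off += 4                                 # key
    seq = None
    if flags & GRE_S:
        (seq,) = struct.unpack("!I", buf[off:off + 4])
        off += 4
    if len(buf) < off + 8:
        raise ValueError("short ERSPAN header")
    word1, _word2 = struct.unpack("!II", buf[off:off + 8])   # word2: reserved + index
    off += 8
    version = word1 >> 28
    if version != 1:
        raise ValueError(f"not ERSPAN Type II (version {version})")
    inner = buf[off:]
    if len(inner) < 14:
        raise ValueError("mirrored frame shorter than an Ethernet header")
    return ErspanFrame(
        session_id=word1 & 0x3FF,                # bits 9..0
        vlan=(word1 >> 16) & 0xFFF,              # bits 27..16
        cos=(word1 >> 13) & 0x7,                 # bits 15..13
        truncated=bool((word1 >> 10) & 1),       # T bit
        gre_seq=seq,
        inner=inner,
    )


def inner_ethertype(frame: bytes) -> int:
    return struct.unpack("!H", frame[12:14])[0]


def build_gre_erspan(session_id: int, vlan: int, inner: bytes, seq: int = 1, cos: int = 0) -> bytes:
    """Builds a Type II encapsulation; used here only to construct sample input."""
    gre = struct.pack("!HHI", GRE_S, ERSPAN_PROTO, seq)
    word1 = (1 << 28) | (vlan << 16) | (cos << 13) | session_id
    return gre + struct.pack("!II", word1, 0) + inner


# Constructed mirrored frame: dst MAC, src MAC, IPv4 ethertype, dummy IPv4 bytes.
SAMPLE_INNER = bytes.fromhex("001122334455 66778899aabb 0800") + b"\x45\x00" + b"\x00" * 18
SAMPLE_ERSPAN = build_gre_erspan(session_id=5, vlan=100, inner=SAMPLE_INNER, seq=7)
NOT_ERSPAN = b"\x00\x00\x08\x00" + b"\x00" * 20       # plain GRE carrying IPv4

if __name__ == "__main__":
    f = parse_gre_erspan(SAMPLE_ERSPAN)
    print(f.session_id, f.vlan, f.gre_seq, hex(inner_ethertype(f.inner)))
```

Two things worth checking in a real deployment follow from the parser: gaps in `gre_seq` tell you the mirror is dropping packets before inspection (so your IDS coverage has holes), and because the GRE protocol type is the only thing distinguishing ERSPAN from other GRE traffic, the ACL on the path needs exactly that value rather than "permit gre any any".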
• 47. IPS in the virtualized DC:
• Use cases
–Protect server farms through IPS
–Monitoring / alarming through IPS in IDS mode
• Products
–Cisco IPS 4260 / 4270 appliance as: IPS via an external service chassis; IDS via SPAN technology
–Cisco IPS SSP for ASA 5585-X as IPS only
–Cisco IDSM-2 switch module as: IPS via an external service chassis; IDS via a switch-internal SPAN session. The IDSM-2 is only available for the Catalyst 6500; there is no Nexus 7000 module
High Availability and Scaling:
• Fail-open (fail-safe) techniques: hardware or software that detects problems and passes packets through the device without inspection when required
• Fail-secure (fail-closed) techniques: hardware or software that stops forwarding any packets if the IPS fails
• Failover: one or more alternate paths through the network so that, on a device failure, packets go either through a backup IPS sensor or through a plain wire
• Load balancing: devices or software features that split the traffic load across multiple devices, achieving both higher data rates and redundant paths in case of failure
• 48. Configuring and Maintaining Specific Cisco IPS Hardware
Cisco IPS Sensor Initial Setup and Management:
• Using basic Cisco IPS CLI features
• Configure and verify basic Cisco IPS sensor parameters
• Configure and verify Cisco IDM features and properties
• Troubleshoot the initial configuration of the sensor
• Troubleshoot basic Cisco IPS hardware problems
• Restore the Cisco IPS to its default configuration
• Manage Cisco licenses and software
• Software upgrade and recovery
• Update and install IPS signatures
• Manage access and password recovery on the Cisco IPS sensor
• Use the CLI and IDM to perform sensor management and monitoring
Applying Cisco IPS Security Policies:
• Deploy and manage basic Cisco IPS sensor traffic analysis
• Virtual sensor setup
• Traffic normalization
• IPv6 support
• Bypass mode
• Deploy and manage basic aspects of Cisco IPS signatures and responses
• Signatures (types, features, properties, and actions)
• IP logging and filters
• Evaluate the Cisco IPS signature engines and built-in signature database
• Deploy and manage Cisco IPS anomaly-based detection features