
Implementing Cisco Intrusion Prevention System (IPS) — A 5-Day Course

Synopsis

IPS is a five-day instructor-led, lab-intensive course. This task-oriented course teaches the knowledge and skills needed to design, install, and configure a Cisco Intrusion Prevention solution for small, medium, and enterprise networks. The course covers Cisco IPS platforms including the Cisco 4200 series Sensors, the Catalyst 6500 series Intrusion Detection System Module 2 (IDSM2), and the Network Module for Cisco 2600/3600/3700 routers and Cisco 2800/3800 Integrated Services Routers. The IPS Device Manager and the Management Center for IDS Sensors are used to configure and manage Cisco IDS Sensor platforms and view and respond to IPS alarms.

Course Objectives

After completing this course the student should be able to:

  • Explain how Cisco IPS protects network devices from attacks
  • Install a sensor appliance in the network and initialise it
  • Use the sensor CLI to perform basic sensor configuration
  • Describe the management and monitoring capabilities of the IPS Device Manager
  • Use the IDM to configure the sensor's communication parameters
  • Use the IDM to configure allowed hosts
  • Use the IDM to set the sensor's time
  • Use the IDM to create user accounts
  • Use the IDM to configure sensor interfaces and interface pairs
  • Use the IDM to configure software bypass mode
  • Describe the functions of signature engines and their parameters
  • Use the IDM to tune and create signatures to meet the requirements of a given security policy
  • Use the IDM to tune the sensor to work optimally in a network
  • Explain blocking concepts
  • Use the IDM to configure blocking for a given scenario
  • Install the NM-CIDS in a router and initialise it
  • Configure communications between the router and the NM-CIDS and initialise the NM-CIDS
  • Install an IDSM-2 in a Cisco Catalyst 6500 Switch and initialise it
  • Use the IDM to upgrade the sensor image
  • Use the IDM to install signature and service pack updates
  • Use the IDM to configure automatic software updates
  • Recover the sensor image
  • Use the CLI to back up and restore a sensor configuration
  • Use the CLI and the IDM to monitor the sensor
  • Use preventive maintenance and general troubleshooting commands

Intended Audience

  • Cisco customers who implement and maintain IPS solutions
  • Cisco Channel Partners who sell, implement and maintain IPS solutions
  • Cisco System Engineers who support sales of Cisco IPS and security product solutions

Prerequisites

Students who attend this advanced course must meet the following prerequisites:

  • Cisco CCNA certification
  • Basic knowledge of the Windows operating system
  • Familiarity with networking and security terms and concepts (the concepts are learned in prerequisite training or by reading industry publications)

Certification

The IPS training course is recommended as preparation for the exam:

  • 642-532 IPS

This course is associated with the Cisco Certified Security Professional (CCSP) and Cisco's Security Specializations.

Publicly scheduled dates, locations, and prices

Central London — £1545 (+VAT)

  • 11–15 Aug 2008
  • 26–30 Aug 2008
  • 17–21 Nov 2008

Leeds — £1545 (+VAT)

  • 8–12 Jul 2008

Wokingham — £1545 (+VAT)

  • 27–31 May 2008
  • 9–13 Sep 2008
  • 16–20 Dec 2008

Coventry — £1545 (+VAT)

  • 21–25 Oct 2008

Glasgow — £1545 (+VAT)

  • 27–31 May 2008

Outline Course Contents

Security Fundamentals

  • Need for Network Security
  • Network Security Policy
  • Primary Network Threats and Attacks
  • Reconnaissance Attacks and Mitigation
  • Access Attacks and Mitigation
  • Denial of Service Attacks and Mitigation
  • Worm, Virus and Trojan Horse Attacks and Mitigation
  • Management Protocols and Functions

Intrusion Prevention Overview

  • Intrusion Detection versus Intrusion Prevention
  • Intrusion Detection Technologies
  • Cisco Network Sensors
  • Sensor Appliances
  • Cisco Defense-in-Depth
  • Sensor Deployment
  • IPS Terminology
  • Cisco IPS Software Architecture

Getting Started with the IPS Command Line Interface

  • Command Line Overview
  • Sensor Software Installation
  • Sensor Initialisation
  • Administrative Task
  • Basic Troubleshooting Commands

Using the Intrusion Prevention System Device Manager

  • IPS Device Manager Overview
  • Getting Started with the IDM
  • Configuring Certificates
  • Configuring SSH
  • Rebooting and Shutting down the Sensor
  • Viewing Events in the IDM

Basic Sensor Configuration

  • Configuring Allowed Hosts
  • Setting the Time
  • Configuring User Accounts
  • Configuring the Interfaces
  • Configuring Software Bypass

Cisco Intrusion Prevention System Signatures and Alerts

  • Cisco IPS Signatures, Engines, and Alerts
  • Locating Signature Information
  • Basic Signature Configuration
  • Special Considerations for Signature Actions
  • Configuring SNMP

Signature Engines

  • Cisco IPS Signature Engines
  • Atomic Signature Engines
  • Flood Signature Engines
  • Meta Signature Engines
  • Multi String Signature Engine
  • Normalizer Engine
  • OTHER Signature Engine
  • Service Signature Engines
  • State Signature Engines
  • String Signature Engines
  • Sweep Signature Engines
  • Traffic Signature Engine
  • Trojan Signature Engine
  • AIC Signature Engines

Signature Configuration

  • Parameters Common to All Signature Engines
  • Signature Tuning
  • Custom Signatures

Sensor Tuning

  • Intrusion Detection Evasive Techniques
  • Tuning the Sensor
  • Logging
  • Reassembly Options
  • Event Action Rules
  • Event Variables
  • Target Value Rating
  • Event Action Overrides
  • Event Action Filters
  • General Settings

Blocking

  • Introduction
  • ACL Considerations
  • Automatic Blocks
  • Manual Blocks
  • Master Blocking Sensors

Sensor Maintenance

  • Upgrading and Recovering the Sensor Image
  • Service Pack and Signature Updates
  • Resetting, Powering Down, and Restoring the Default Configuration

Monitoring the Sensor

  • Using CLI to Monitor the Sensor
  • Using the IDM to Monitor the Sensor

Cisco Intrusion Detection System Network Module

  • NM-CIDS Overview
  • How the NM-CIDS Works
  • Design Considerations
  • Installation and Configuration Tasks
  • Image Upgrade and Recovery
  • Maintenance Tasks Unique to the NM-CIDS

Cisco Intrusion Detection System Module

  • Introduction
  • Ports, Traffic and Time
  • Installation and Configuration Tasks
  • Verifying IDSM-2 Status
  • Upgrade and Recovery

Cisco training UK enquiries

UK Training enquiries and feedback form.

Cisco training UK prices

For publicly scheduled training (individual places), see our UK training schedule.

In-house training for company groups is charged at a daily rate per group — see our In-House UK Training Guidelines.

Publicly Scheduled Training Locations

We currently run public training courses in the following locations:

  • London, UK
  • Leeds, West Yorkshire, UK
  • Birmingham, West Midlands, UK
  • Carshalton, Surrey, UK
  • Chester, North West, UK
  • Coventry, West Midlands, UK
  • Edinburgh, Scotland, UK
  • Glasgow, Scotland, UK
  • Harwell, Oxfordshire, UK
  • Manchester, North West, UK
  • Milton Keynes, Buckinghamshire, UK
  • Newark, Nottinghamshire, UK
  • Reading, Berkshire, UK
  • Slough, Berkshire, UK
  • Stevenage, Hertfordshire, UK
  • Wakefield, West Yorkshire, UK
  • Wokingham, Berkshire, UK

Most UK public training courses are available on a monthly basis.

Please see the individual course outlines or our public training schedule for details.

In-house (on-site) training locations

We deliver in-house courses at client premises and/or training facilities in any part of the world which is practically and commercially accessible.

Our In-house training guidelines outline our basic requirements and our UK pricing structure. To estimate costs for training in other countries, simply convert to your local currency and then make a rough calculation of our tutor's costs for travelling to and staying at your location.


West Yorkshire Office

GBdirect Ltd
Training Division
Bradford Design Exchange
34 Peckover Street
BRADFORD
BD1 5BD
West Yorkshire
United Kingdom

training@gbdirect.co.uk

Training: 0800 651 0338
General: +44 (0)870 200 7273
Finance: +44 (0)1353 615 174

Please call between 0900 and 1700 (UK time) on Monday to Friday


South East Regional Office

GBdirect Ltd
Training Division
18 Lynn Rd
ELY
CB6 1DA
Cambridgeshire
United Kingdom


Please note:
Non-training enquiries should be directed, initially, to our UK national office in Bradford (West Yorkshire), even if the enquiry concerns services delivered in London or South/East England. Clients in London and the South East will typically be handled by staff working in the London or Cambridge areas.