From the Library of Bolovan Catalin Bogdan

Table of Contents Chapter 1: Introducing Intrusion Detection and Prevention.................................................3 Chapter 2: Installation of a Typical Sensor ........... 15 Chapter 3: Cisco Intrusion Detection and Prevention Signatures.......................... 25 Chapter 4: Advanced Configurations .................... 37 Chapter 5: Additional Intrusion Detection and Prevention Devices ............................... 52 Chapter 6: Monitoring and Maintenance .............. 58

CCNP Security IPS 642-627
Quick Reference

Gary Halleen

ciscopress.com

From the Library of Bolovan Catalin Bogdan

[2] CCNP Security IPS 642-627 Quick Reference

About the Author
Gary Halleen is a security consulting systems engineer and has been at Cisco for more than ten years. Gary is the author of the Cisco Press book, Security Monitoring with Cisco Security MARS, and was technical editor for Intrusion Prevention Fundamentals. He is a regular speaker at Cisco Live, both in the United States and internationally. Prior to working at Cisco, he wrote web-based teaching software, owned an Internet service provider, taught computer science courses, and worked in Information Technology at a college. His diligence resulted in the first successful computer crimes conviction in the state of Oregon. Gary lives in Salem, Oregon, with his wife and children.

About the Technical Reviewer
Jorge Vargas is an electronic engineer that has been working on design, configuration, support, and monitoring of LAN, WAN, Voice and Wireless infrastructures both in Colombia and Australia for four years. He currently holds a CCNA, CCNA Voice, CCNA Security, and is working toward his CCNP and CCNP Security certifications.

© 2011 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 62 for more details.

From the Library of Bolovan Catalin Bogdan

[3] CCNP Security IPS 642-627 Quick Reference

Chapter 1

Introducing Intrusion Detection and Prevention
Understanding Intrusion Prevention and Detection
An intrusion detection system (IDS) is similar to an intrusion prevention system (IPS). Both enable you to analyze network traffic in an attempt to identify malicious or otherwise interesting traffic. Cisco provides for intrusion detection and prevention in a variety of ways in its current security portfolio, and IDS or IPS refer to how it is deployed rather than which product is deployed. You might add this powerful tool to your network via a dedicated hardware appliance known as a sensor. Or you might add this functionality using a network module inserted into a router or firewall. However you decide to implement the technology, the goal is the same: to take some action based on an attack introduced into your network. This action might be to alert the security administrator via a log or automated notification, or it might be to prevent the attack by dropping traffic. These are just two of the event actions at your disposal.

Intrusion Prevention Versus Intrusion Detection
Intrusion detection is powerful in that you can be notified when potential problems or attacks are introduced into your network. However, detection provides only limited capabilities for preventing attacks from being successful. Detection is limited because it operates on copies of packets. These copies of packets are usually received from another Cisco device (typically a switch). Sensors that operate using intrusion detection are said to run in promiscuous mode.

© 2011 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 62 for more details.

From the Library of Bolovan Catalin Bogdan

[4] Chapter 1: Introducing Intrusion Detection and Prevention

Intrusion prevention is more powerful because the sensor has much greater capabilities for preventing malicious traffic from entering your network or a particular network segment. The sensor can perform prevention because it operates inline with packet flows.

IPS/IDS Terminology
You should be aware of the many security terms that are related to intrusion detection and prevention technologies.

Vulnerability
A vulnerability is a weakness that compromises the security or functionality of a particular system in your network. An example of a vulnerability is a web form on your public website that does not adequately filter inputs or guard against improper data entry. An attacker might enter invalid characters in an attempt to corrupt the underlying database.

Exploit
An exploit is a mechanism designed to take advantage of vulnerabilities that exist in your systems. For example, if poor passwords are in use on your network, a password-cracking package might be the exploit aimed at this vulnerability.

Signature
A signature is a set of instructions the sensor uses to identify an unwanted traffic type. A signature is usually created to watch network traffic for a particular vulnerability or exploit.

False Alarms
False alarms are IDS/IPS events that you do not want occurring in your implementation. The two types of false alarms are false positives and false negatives. Both are undesirable.
© 2011 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 62 for more details.

From the Library of Bolovan Catalin Bogdan

[5] Chapter 1: Introducing Intrusion Detection and Prevention

False Positive
A false positive means that an alert has been triggered, but it was for traffic that does not constitute an actual attack. This type of traffic is often called benign traffic.

False Negative
A false negative occurs when attack traffic does not trigger an alert on the IDS/IPS device. This is often viewed as the worst type of false alarm—for obvious reasons.

True Alarms
The two types of true alarms in IDS/IPS terminology are true positive and true negative. Both are desirable.

True Positive
A true positive means that the IDS/IPS device recognized and responded to an attack.

True Negative
This means that nonoffending or benign traffic did not trigger an alarm.

Promiscuous Versus Inline Mode
Cisco IPS sensors can operate in either promiscuous or inline modes. The decision on what mode to use depends on many considerations and the location in the network. When deployed in promiscuous mode, this means that a device (often a switch) captures traffic for the sensor and forwards a copy for analysis to the sensor. Because the device works with a copy of the traffic, the device performs IDS. It can detect an attack and send an alert (and take other actions), but it does not prevent the attack from entering the network or a network segment. It cannot prevent the attack because it does not operate on traffic inline in the forwarding path. Figure 1-1 shows a promiscuous mode IDS implementation.

© 2011 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 62 for more details.

From the Library of Bolovan Catalin Bogdan

[6] Chapter 1: Introducing Intrusion Detection and Prevention

FIGURE 1-1
Promiscuous Mode (IDS)

If a Cisco IPS device operates in inline mode (see Figure 1-2), it can perform prevention as opposed to simple detection. This is because the IPS device is in the actual traffic path. This makes the device more effective against worms and atomic attacks (attacks that are carried out by a single packet). FIGURE 1-2
Inline Mode (IPS)

© 2011 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 62 for more details.

From the Library of Bolovan Catalin Bogdan

[7] Chapter 1: Introducing Intrusion Detection and Prevention

To deploy in inline mode, you need to configure the sensor as a transparent Layer 2 device that passes traffic between two physical or virtual interfaces. The sensor then functions as a Layer 2 bridge between the network segments, and can block malicious traffic that tries to pass. Keep in mind that a sensor could be configured inline and set up so that it only alerts and does not drop packets. This is an example of an inline configuration where only IDS is performed. IPS Version 7.0 software permits a device to do promiscuous mode and inline mode simultaneously, which allows some segments to be monitored for IDS only while other segments use IPS protection.

Approaches to Intrusion Prevention
Signature Based
Although Cisco uses a blend of detection and prevention technologies, signature-based IPS is the primary tool that Cisco IPS solutions use. Cisco releases signatures that are added to the device; they identify a pattern that the most common attacks present. This tool is much less prone to false positives and ensures that the IPS devices stop common threats. This type of approach is also called pattern matching. As different types of attacks are created, these signatures can be added, tuned, and updated to deal with the new attacks.

Anomaly Based
This type of intrusion prevention technology is often called profile based. It attempts to discover activity that deviates from what an engineer defines as “normal.” Because it can be so difficult to define what is normal activity for a given network, this approach tends to be prone to a high number of false positives. The two common types of anomaly-based IPSs are statistical anomaly detection and nonstatistical. The statistical approach learns about the traffic patterns on the network itself, and the nonstatistical approach uses information coded by the vendor.

© 2011 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 62 for more details.

From the Library of Bolovan Catalin Bogdan

[8] Chapter 1: Introducing Intrusion Detection and Prevention

Policy Based
With this type of technology, the security policy is “written” into the IPS device. Alarms are triggered if activities are detected that violate the security policy coded by the organization. Notice how this differs from signature based. Signature based focuses on stopping common attacks, and policy based is more concerned with enforcing the organization’s security policy.

Protocol Analysis Based
This approach is similar to signature based, but it looks deeper into packets because of a protocol-based inspection of the packet payload that can occur. Whereas most signatures examine rather common settings, protocol analysis based can do much deeper packet inspection and is more flexible at finding some types of attacks.

Reputation Based
This combines any of the previous approaches with knowledge of the attacker. Cisco makes extensive use of reputation-based IPS beginning with the IPS Version 7.0 software. A cloud-based database assigns a reputation score to every IP address in the world, ranging from a positive ten to a negative ten. Hosts that have a history of malicious activity, such as attacking or performing reconnaissance activities, receive a negative score. As the sensor identifies traffic originating from negatively scored hosts, it can take stronger action against the traffic than it might if relying only on a signature.

Exploring Evasive Techniques
Because attackers are aware of IPS technologies, they have developed methods of countering these devices in an attempt to continue attacks on network systems.

© 2011 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 62 for more details.

From the Library of Bolovan Catalin Bogdan

[9] Chapter 1: Introducing Intrusion Detection and Prevention

String Match
In this type of attack, strings in the data are changed in minor ways in an attempt to evade detection. Obfuscation is one method, in which control characters, hexadecimal representation, or Unicode representation help disguise the attack. Another string-match type of evasive technique is to simply change the string’s case.

Fragmentation
With this evasive measure, the attacker breaks the attack packets into fragments so that they are more difficult to recognize. Fragmentation adds a layer of complexity for the sensor, which now must engage in the resource-intensive process of reassembling the packets.

Session
In this type of attack, the attacker spreads the attack using a large number of very small packets, not using fragmentation in the approach. TCP segment reassembly can be used to combat this evasive measure.

Insertion
In this evasive technique, the attacker inserts data that is harmless along with the attack data. The IPS sensor does not fire an alert because of the harmless data. The end system ignores the harmless data and processes only the attack data.

Evasion
With this type of evasive technique, the attacker causes the sensor to see a different data stream than the intended victim. Unlike the insertion attack, the end system sees more data than the sensor, which results in an attack.

© 2011 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 62 for more details.

From the Library of Bolovan Catalin Bogdan

[ 10 ] Chapter 1: Introducing Intrusion Detection and Prevention

TTL Based
One way to implement an insertion attack is to manipulate fragments’ time-to-live (TTL) value. With this evasive procedure, the IPS sensor sees a different data stream than the end system because of the manipulation of the TTL field in the IP header.

Encryption Based
This is an effective means of having attacks enter the network. The attacker sends the attack via an encrypted session. The IPS device can sometimes detect the encrypted attack, but cannot look inside the encrypted payload. Because this method of foiling the IPS device exists, care must be taken to ensure that attackers cannot establish encrypted sessions.

Resource Exhaustion
Another evasive approach is to simply overwhelm the sensor. Often, attackers just try to overwhelm the physical device or the staff in charge of monitoring by flooding the device with alarm conditions.

Cisco Solutions and Products
Cisco offers many products and solutions that address the need for intrusion detection/prevention in your network infrastructure. This Quick Reference focuses on Cisco products that can run Version 7.0 of the Cisco IPS Sensor Software. This version adds many new features, including the following:
■ ■ ■

Virtualization support: Allows different policies for different segments that are being monitored by a single sensor. New signature engines: Additions that cover Server Message Block and Transparent Network Substrate traffic. Passive operating system fingerprinting: A set of features that enables Cisco IPS to identify the operating system of the victim of an attack.

© 2011 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 62 for more details.

From the Library of Bolovan Catalin Bogdan

[ 11 ] Chapter 1: Introducing Intrusion Detection and Prevention

Improved risk and threat rating system: The risk rating helps with alerts and is now based on many different components to improve the sensor’s performance and operation. Global correlation: Allows the sensor to take stronger preventive action against traffic originating from hosts with a negative reputation score. Reputation filtering: Blocks all network traffic originating from hosts with the worst reputations. Enhanced health and performance monitoring: Allows the IPS administrator to better monitor the performance of the sensors. IPv6 detection and prevention: The ability to analyze both IPv4 and IPv6 network traffic. Cisco Intrusion Prevention System Manager Express (IME): A new and improved GUI for management and monitoring of multiple IPS devices. Anomaly detection: Designed to detect worm-infested hosts.

■ ■

■ ■

Cisco Sensor Family
The Cisco sensor family includes the following devices:
■ ■ ■ ■ ■ ■ ■ ■

Cisco IDS 4240 sensor Cisco IPS 4255 sensor Cisco IPS 4260 sensor Cisco IPS 4270 sensor Cisco Catalyst 6500 series IDSM-2 Cisco ASA AIP-SSM-10 Cisco ASA AIP-SSM-20 Cisco ASA AIP-SSM-40
© 2011 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 62 for more details.

From the Library of Bolovan Catalin Bogdan

[ 12 ] Chapter 1: Introducing Intrusion Detection and Prevention

■ ■ ■ ■ ■ ■

Cisco ASA IPS-SSP-10 Cisco ASA IPS-SSP-20 Cisco ASA IPS-SSP-40 Cisco ASA IPS-SSP-60 Cisco AIM IPS module for ISR routers Cisco NME IPS module for ISR routers

Sensor Software Solutions
You have many options for configuring and managing Cisco sensors. Also, the sensor operating systems and overall architecture are worth exploring for the certification exam and beyond.

IPS Sensor Software Architecture
IPS Sensor Software Version 7.0 runs on the Linux operating system. The components include the following:
■ ■ ■ ■ ■ ■

Event Store (provides storage for all events) Secure Shell (SSH) and Telnet (by default, Telnet disabled) Intrusion Detection Application Programming Interface (IDAPI) MainApp SensorApp (for packet capture and analysis) Sensor interfaces

© 2011 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 62 for more details.

From the Library of Bolovan Catalin Bogdan

[ 13 ] Chapter 1: Introducing Intrusion Detection and Prevention

Management Options
For a single device (element management), options include the following:
■ ■ ■

Command-line interface (CLI) Cisco IPS Device Manager (IDM) Cisco IPS Manager Express (IME)

For multiple-device management, options include the following:
■ ■ ■

Cisco IPS Manager Express (IME), for one to ten sensors Cisco Security Manager (CSM), for one or many sensors Cisco Security Monitoring, Analysis, and Response System (MARS)

Network IPS
Network IPS refers to the deployment in the network of devices (typically sensors) that capture and analyze traffic as it traverses the network. Because the sensor analyzes network traffic, it can protect many hosts at the same time.

Host IPS
A host IPS solution features software installed on servers and workstations. Note that this solution does not require additional hardware (sensors). It complements network IPS by protecting the integrity of applications and operating systems.

© 2011 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 62 for more details.

From the Library of Bolovan Catalin Bogdan

[ 14 ] Chapter 1: Introducing Intrusion Detection and Prevention

Deploying Sensors
Consider these technical factors when selecting sensors for deployment in an organization:
■ ■ ■ ■ ■

The network media in use. The performance of the sensor. The overall network design. The IPS design: Will the sensor analyze and protect many systems, or just a few? Virtualization: Will multiple virtual sensors be created in the sensor?

Here are some important issues to keep in mind for an IPS design:
■ ■ ■

Your network topology: Size and complexity, connections, the amount and type of traffic. The placement of sensors: Recommended to be placed at entry and exit points that provide sufficient IPS coverage. Your management and monitoring options: The number of sensors often dictates the level of management you need.

Locations that generally need to be protected include the following:
■ ■ ■ ■ ■

Internet: The sensor between your perimeter gateway and the Internet Extranet: Between your network and extranet connection Internal: Between internal data centers Remote access: Hardens perimeter control Server farm: The network IPS at the perimeter and host IPS on the servers

© 2011 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 62 for more details.

From the Library of Bolovan Catalin Bogdan

[ 15 ] CCNP Security IPS 642-627 Quick Reference

Chapter 2

Installation of a Typical Sensor
Command-Line Interface
The command-line interface (CLI) of a Cisco IPS sensor is much like an IOS router, but with fewer commands and different modes. You can access the CLI using
■ ■ ■

Telnet (disabled by default) Secure Shell (SSH) Serial interface

The default username is cisco, with a default password of cisco. You are prompted to change these upon the first login. The CLI can be used to
■ ■ ■ ■ ■

Initialize the sensor Configure Administer Troubleshoot Monitor

© 2011 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 62 for more details.

From the Library of Bolovan Catalin Bogdan

[ 16 ] Chapter 2: Installation of a Typical Sensor

Two modes of the CLI differ from a router:
■ ■

Service mode: Used to edit a service. You enter it using the command service service-name. Multi-instance service mode: Some of the services are multi-instance services to support virtualization. To enter this mode, use the command service service-name logical-instance-name.

Initializing the Sensor
The setup command at the CLI walks you through initialization. You can do the following:
■ ■ ■ ■ ■ ■ ■ ■ ■ ■

Assign a hostname to the sensor. This is case sensitive. It defaults to sensor. Assign an IP address to the command and control interface. The default is 10.1.9.201/24. Assign a default gateway. The default is 10.1.9.1. Enable or disable the Telnet server. Telnet is disabled by default. Specify the web server port. The default is 443. Create network access control lists (ACL) that can access the sensor for management. Configure the date and time. Configure the sensor interfaces. Configure virtual sensors. This enables the configuration of promiscuous and inline interface pairs. Configure threat prevention. An event action override denies high-risk network traffic with a risk rating of 90 to 100. This option lets you disable this feature.

© 2011 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 62 for more details.

From the Library of Bolovan Catalin Bogdan

[ 17 ] Chapter 2: Installation of a Typical Sensor

Common CLI Configuration Tasks
Here are some common commands available for use at the CLI:
■ ■ ■ ■ ■ ■ ■ ■ ■ ■

ping trace banner login show version copy /erase source-url destination-url (The erase option erases the destination file before copying.) copy current-config backup-config copy /erase backup-config current-config more keyword (Displays configs.) show settings show events

Using Cisco IPS Device Manager
The Cisco IPS Device Manager (IDM), shown in Figure 2-1, is a superb web-based graphical user interface (GUI) for managing a single IPS device. To maintain security, the IDM and the client engage in Transport Layer Security (TLS) and Secure Sockets Layer (SSL). The server uses a trusted host certificate to verify the identity of the management workstation. The client uses a server certificate to ensure the identity of the IPS device.

© 2011 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 62 for more details.

From the Library of Bolovan Catalin Bogdan

[ 18 ] Chapter 2: Installation of a Typical Sensor

FIGURE 2-1
Cisco IDM

The Cisco IPS Sensor Software Version 7.0 uses Security Device Event Exchange (SDEE) for communication, but it still relies on Remote Data Exchange Protocol (RDEP2) to communicate configuration and IP log information. SDEE is an IPS communications protocol developed by Cisco. Through SDEE, IPS Sensor Software Version 7.0 provides an application programming interface (API) for the sensor itself. SDEE is an enhancement to the earlier RDEP.

© 2011 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 62 for more details.

From the Library of Bolovan Catalin Bogdan

[ 19 ] Chapter 2: Installation of a Typical Sensor

The Cisco IDM runs on the following:
■ ■ ■ ■ ■ ■ ■ ■

Windows XP Professional (32 bit) Windows Vista, Business and Ultimate (32 bit) Windows 2003 Server U.S. or Japanese versions of the previously listed Windows versions Red Hat Linux Desktop Version 4 Red Hat Enterprise Linux Server Version 4 Java SE 5.0 or 6.0 Internet Explorer 6.0 or 7.0, or Firefox 2.0

To log in to the IDM, enter https://sensor_ip_address. The default address is 10.1.9.201 if you did not provide one during setup. After you are in the IDM, you can configure the general network settings (such as hostname and IP address) by choosing Configuration, Sensor Setup, Network. To display or re-create the sensor’s SSH host key, choose Configuration, Sensor Setup, SSH, Sensor Key. To reboot the sensor, choose Configuration, Reboot. To shut down the sensor, choose Configuration, Shut Down Sensor. For both the reboot and shutdown, the sensor delays for 30 seconds. The logged-in users are notified that the sensor is shutting down.

Using Cisco IPS Manager Express
Cisco IPS Manager Express (IME), shown in Figure 2-2, is a free GUI for managing, monitoring, and reporting for up to ten IPS devices. It is installed onto a Windows computer and shares a common look and feel with IPS Device Manager. Like IDM, it also uses TLS and SSL for communication with the IPS sensors. The server uses a trusted host certificate to verify the identity of the management workstation. The client uses a server certificate to ensure the identity of the IPS device.
© 2011 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 62 for more details.

From the Library of Bolovan Catalin Bogdan

[ 20 ] Chapter 2: Installation of a Typical Sensor

FIGURE 2-2
Cisco IME

Cisco IPS Manager Express runs on the following:
■ ■ ■

Windows XP (32 bit) Windows Vista, Business or Ultimate (32 bit) Windows 2003 Server

Cisco IME supports only the 32-bit U.S. version of Windows.

© 2011 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 62 for more details.

From the Library of Bolovan Catalin Bogdan

[ 21 ] Chapter 2: Installation of a Typical Sensor

Cisco IME is launched like any Windows application. When it is installed, it creates icons for both the regular version and a demo version. The demo version is useful for learning the application.

Configuring Basic Sensor Settings
This section provides guidance for completing the basic sensor setup. As soon as these tasks are complete, a basic sensor configuration will be in place in your network. The sensor generates alarms for potentially unsafe traffic that it sees. Although many of these tasks might have been completed using the setup command at the command line, this section focuses on using the IDM for sensor configuration.

Configuring Allowed Hosts
To configure the hosts that are allowed to access the sensor for management and configuration, choose Configuration, Sensor Setup, Allowed Hosts. If a host is not listed as an Allowed Host, the sensor ignores all network traffic from it, including ping.

Setting the Time
It is important to ensure that the sensor knows the correct time. This way, event information is more valuable. For a sensor, use Network Time Protocol (NTP) or, if you must, set the time manually. For the Cisco Catalyst 6500 IDSM-2, use the parent device or NTP. For the AIP-SSM, use the parent device or NTP. For the sensor, choose Configuration, Sensor Setup, Time to find the time settings.

Configuring Certificates
The sensor uses certificates to prove its identity to other Cisco devices on the network, and also to verify the identity of those devices.

© 2011 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 62 for more details.

From the Library of Bolovan Catalin Bogdan

[ 22 ] Chapter 2: Installation of a Typical Sensor

The sensor generates a server certificate when it first starts. You can view this certificate and generate a new one by choosing Configuration, Sensor Setup, Certificates, Server Certificate. The Trusted Hosts area lists all the trusted host certificates your sensor will accept from other Cisco devices. To modify this list, choose Configuration, Sensor Setup, Certificates, Server Certificate and Configuration, Sensor Setup, Certificates, Trusted Hosts.

User Accounts
When creating user accounts on the sensor for management, you can choose from one of four roles:
■ ■ ■ ■

Administrator is the highest level of privileges. Operator can view all configuration and events. Operator can also tune signatures and manage virtual sensors and routers. Viewer can view configuration and event data, but cannot modify any configuration except its own password. Service is a special role with access to the underlying Linux operating system. It is typically used only for troubleshooting by Technical Assistance Center (TAC). Only one service account can be created on each sensor.

Only one user at a time can log in to IDM. Create users by choosing Configuration, Sensor Setup, Users.

Interface Roles
Each sensor has one command and control interface for management purposes. Depending on the sensor, you can configure multiple monitoring interfaces, depending on specific hardware being used. Interfaces can function as command and control, or monitoring, or alternate TCP reset interfaces. The alternate TCP reset interface is for when the interface is operating in promiscuous mode and cannot send TCP reset packets over the same interface where the attack was detected.

© 2011 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 62 for more details.

From the Library of Bolovan Catalin Bogdan

[ 23 ] Chapter 2: Installation of a Typical Sensor

Monitoring interfaces can operate in one of four modes:

Promiscuous mode: In this mode, packets do not flow through the sensor. Instead, packets are copied to the interface from a network device. This is also known as IDS mode. Inline Interface Pairing mode: Traffic passes through the sensor, from one interface to another. Two monitoring interfaces must be configured as a pair. The sensor functions as a Layer 2 bridge for this traffic. Inline VLAN Pairing mode: Here, the monitoring interface acts as an 802.1Q trunk port. The sensor bridges between pairs of VLANs on the trunk. VLAN Group mode: Each physical interface can be divided into VLAN group subinterfaces. This enables you to use a sensor with only a few interfaces as if it had many interfaces.

Configuring Interfaces
To set up monitoring interfaces, choose Configuration, Interface Configuration, Interfaces.

Software and Hardware Bypass Mode
The software bypass feature allows the sensor to continue passing traffic even if the sensor software fails. You configure it by choosing Configuration, Interface Configuration, Bypass. The possible modes are Auto, Off, and On. Choosing On causes the sensor to simply act as a bridge and not inspect traffic. Choosing Off disables software bypass entirely. Hardware bypass complements software bypass. The four-port Gigabit Ethernet bypass card, which is available for the IPS-4260 and IPS-4270 sensors, supports hardware bypass only between ports 0 and 1 and ports 2 and 3. Hardware bypass is available only when interfaces are configured in Inline Interface Pairing mode.

© 2011 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 62 for more details.

From the Library of Bolovan Catalin Bogdan

[ 24 ] Chapter 2: Installation of a Typical Sensor

Viewing Events
As you have learned, following the steps described in this chapter enables you to configure the basics on the sensor. The sensor now produces alerts based on its default signature settings. You can view the events triggered by signatures that are enabled easily in IDM or IME. To do this in IDM, choose Monitoring, Events. To view events in IME, click the Event Monitoring button.

© 2011 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 62 for more details.

From the Library of Bolovan Catalin Bogdan

[ 25 ] CCNP Security IPS 642-627 Quick Reference

Chapter 3

Cisco Intrusion Detection and Prevention Signatures
Configuring Signatures and Alerts
Signatures are the foundation of an intrusion prevention system (IPS). This chapter shows you how to tune and configure signatures to control how the sensor behaves. There are default signatures, tuned signatures (default signatures that you have modified), and your own custom signatures. Most built-in signatures generate an alert when fired. Event actions can be defined either per signature, or as part of an event action override policy. When possible, it is simpler to manage using the policy. Frequent configuration tasks include enabling or disabling signatures and defining the actions that should occur upon firing. To access the signatures for configuration, choose Configuration, Signature Definitions, Signature Configuration. Here are the possible actions that you can configure in response to a signature firing:

Deny Attacker Inline terminates the current packet and future packets from the attacker address for a specified period of time. If the attack uses TCP traffic, it also sends a TCP Reset packet to the host under attack. This is the most severe of the deny actions. Deny Attacker Service Pair Inline terminates the current packet and future packets from the attacker address victim port pair for a specified period of time. For example, if the attack uses TCP port 80, future traffic from that attacker to any protected host on port 80 is blocked, but traffic on other ports is allowed.
© 2011 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 62 for more details.

From the Library of Bolovan Catalin Bogdan

[ 26 ] Chapter 3: Cisco Intrusion Detection and Prevention Signatures

Deny Attacker Victim Pair Inline terminates the current packet and future packets from the attacker address and victim address pair for a specified period of time. Future traffic on port from the attacking IP address to the victim IP address is blocked. Deny Connection Inline terminates the current packet and future packets in the TCP flow. Deny Packet Inline drops the packet. Log Attacker Packets starts IP logging on packets that contain the attacker address. A pcap format file is captured on the sensor. Log Pair Packets starts IP logging on packets that contain the attacker and victim IP address pair. Log Victim Packets starts IP logging on packets that contain the victim address. Produce Alert generates an alert. Produce Verbose Alert generates an alert that contains a pcap of the packet that caused the signature to fire. Request Block Connection sends a request to a blocking device to block the connection. Blocking devices can be ASA firewalls, switches, routers, or access points. Request Block Host sends a request to a blocking device to block the attacker host. Request SNMP Trap generates an SNMP trap if the trap destination is already configured. Reset TCP Connection sends one or more TCP Reset packets. Modify Packet Inline modifies illegal portions of a packet. This event action is only available to the Normalizer engine.

■ ■ ■

■ ■ ■ ■ ■

■ ■ ■ ■

Notice that many of the response actions to a signature firing involve denying attackers access to your protected network. To manage denied attackers, choose Monitoring, Denied Attackers.

© 2011 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 62 for more details.

From the Library of Bolovan Catalin Bogdan

[ 27 ] Chapter 3: Cisco Intrusion Detection and Prevention Signatures

Signature Engines
An IPS sensor relies on signature engines to efficiently monitor your network using the many signatures that make up the operation of the sensor. Each signature engine is responsible for running a group for the signatures. As new signature engines are released, engines may be added or removed. The list of signatures and engine here is current as of Engine 4. Many signature engines support entire categories of signatures. Signature engines include tunable parameters. Some parameters are specific to an engine, and others are more common.

Common Parameters
Some common signature parameters include Signature ID, Alert Severity, and Signature Fidelity Rating. The Summary mode common parameter controls the number of alarms generated:
■ ■ ■ ■

Fire Once. Fire All is an alarm for all activity that matches signature characteristics. Summarize consolidates alarms. Global summarize consolidates alarms for all address combinations.

Summary threshold and global summary threshold values enable you to configure automatic summarization based on the number of alerts detected. This can prevent you from being overwhelmed by a large number of events produced by the sensor.

ATOMIC
ATOMIC support signatures are triggered by the content of a single packet. They do not store any state information across packets.

© 2011 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 62 for more details.

From the Library of Bolovan Catalin Bogdan

[ 28 ] Chapter 3: Cisco Intrusion Detection and Prevention Signatures

ATOMIC signature engines are
■ ■ ■ ■

ATOMIC ARP ATOMIC IP ATOMIC IP ADVANCED ATOMIC IPv6

FIXED
The FIXED signature engines support regular expressions for pattern matching. Also, alarm functionality is provided for Internet Control Message Protocol (ICMP), User Datagram Protocol (UDP), and Transmission Control Protocol (TCP). State information is maintained because pattern matches are made across a stream of packets. FIXED differs from STRING signatures in that FIXED signatures watch all TCP/UDP ports, whereas STRING watch only defined ports. The FIXED engines are
■ ■ ■

STRING ICMP STRING TCP STRING UDP

FLOOD
The FLOOD signature engines are designed to detect attacks in which the attacker floods traffic to a single host or an entire network. FLOOD signature engines are
■ ■

FLOOD NET FLOOD HOST
© 2011 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 62 for more details.

From the Library of Bolovan Catalin Bogdan

[ 29 ] Chapter 3: Cisco Intrusion Detection and Prevention Signatures

SERVICE
SERVICE engines analyze traffic at and above Layer 5 of the OSI model. They provide protocol decoding for numerous protocols. SERVICE signature engines are
■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■

SERVICE DNS SERVICE FTP SERVICE FTP V2 SERVICE GENERIC SERVICE GENERIC ADVANCED SERVICE H225 SERVICE HTTP SERVICE HTTP V2 SERVICE IDENT SERVICE MSRPC SERVICE MSSQL SERVICE NTP SERVICE P2P SERVICE RPC SERVICE SMB SERVICE SMB ADVANCED

© 2011 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 62 for more details.

From the Library of Bolovan Catalin Bogdan

[ 30 ] Chapter 3: Cisco Intrusion Detection and Prevention Signatures

■ ■ ■ ■

SERVICE SMTP V1 SERVICE SNMP SERVICE SSH SERVICE TNS

STRING
The STRING signature engines support regular expressions for pattern matching. Also, alarm functionality is provided for ICMP, UDP, and TCP. State information is maintained because pattern matches are made across a stream of packets. The STRING engines are
■ ■ ■ ■ ■ ■ ■

STRING ICMP STRING ICMP XL STRING TCP STRING TCP XL STRING UDP STRING UDP XL MULTI STRING

© 2011 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 62 for more details.

From the Library of Bolovan Catalin Bogdan

[ 31 ] Chapter 3: Cisco Intrusion Detection and Prevention Signatures

SWEEP
The SWEEP signature engines detect attacks that involve the attacker making connections to multiple hosts/ports. The SWEEP engines are
■ ■

SWEEP SWEEP OTHER TCP (supports signatures that fire when a mix of TCP packets have different flags set)

TROJAN
TROJAN engines are designed to detect Trojan program attacks against your network:
■ ■ ■

TROJAN BO2K examines UDP and TCP traffic for Back Orifice. TROJAN TFN2K examines UDP, TCP, or ICMP traffic for irregular traffic patterns and corrupted headers. TROJAN UDP examines UDP traffic for Trojan attacks.

TRAFFIC
The TRAFFIC signature engines analyze nonstandard protocols, such as TFN2K, LOKI, and DDOS. The engines are
■ ■

TRAFFIC ICMP examines protocols such as LOKI. TRAFFIC ANOMALY examines UDP, TCP, and other traffic for worms.

© 2011 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 62 for more details.

From the Library of Bolovan Catalin Bogdan

[ 32 ] Chapter 3: Cisco Intrusion Detection and Prevention Signatures

AIC
The AIC engines provide Layer 4 to Layer 7 inspection for HTTP and FTP. The engines are
■ ■

AIC FTP AIC HTTP

To use these engines, you must enable Application Policy enforcement. To do this, choose Configuration, Signature Definitions, signature policy name, Active Signatures, Advanced. Place a check mark on Enable HTTP or Enable FTP, as desired.

STATE
The STATE engine enables the sensor to inspect the various states of Cisco login, an LPR format string, or Simple Mail Transfer Protocol (SMTP).

META
The META signature engine provides event correlation. This engine takes signature events as its input instead of packets. An example is many signatures firing within a certain time limit to indicate the Nimda attack.

NORMALIZER
The NORMALIZER engine detects and correlates ambiguities or illegal packets of data flows through the sensor. Proper packet sequencing and reassembly are options for this engine. The NORMALIZER engine is only available for inline traffic.

© 2011 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 62 for more details.

From the Library of Bolovan Catalin Bogdan

[ 33 ] Chapter 3: Cisco Intrusion Detection and Prevention Signatures

Customizing Signatures
You can tune the built-in signatures or create your own. You might tune signatures for one of the following reasons:
■ ■ ■ ■ ■

To reduce background noise. The sensor can cause a lot of alarms on a busy and complex network. To reduce false positives. To reduce false negatives. To more closely sync to the devices being protected. This means that the sensor is more aware of your network's needs. To increase performance.

Noise Reduction
Consider the following noise reduction principles:

You do not have to display noisy events. If a signature is generating too much noise, and you do not want to see it, you can filter it, or you can disable the Produce Alert event action. When disabling events, be sure to list what attacks can no longer be detected. Rethink your strategy periodically based on new attacks. Try to modify the signature for some hosts.

■ ■ ■

False-Positive Reduction
You have two main strategies for dealing with false-positive alerts. You can selectively disable alerts, and you can match signatures more closely to the environment.

© 2011 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 62 for more details.

From the Library of Bolovan Catalin Bogdan

[ 34 ] Chapter 3: Cisco Intrusion Detection and Prevention Signatures

You should also consider tuning alert triggering by changing the thresholds used within a signature. You can increase the limits if you find that they are exceeded too often. You can also tune a signature’s content. You might change the range of allowed parameters, or modify string matching. Follow these guidelines to reduce false positives:
■ ■ ■ ■

Unskilled operators benefit the most. When disabling events, be sure to list what attacks can no longer be detected. Rethink your strategy periodically based on new attacks. Try to modify the signature for some hosts.

False-Negative Reduction
You can reduce false negatives by doing the following:
■ ■ ■

Increase the time span that a sensor uses to detect scans and sweeps. Lower the limit if the number of correlated events that must happen is too high. Try to modify the settings on a per-host basis.

To combat evasion, use all available anti-evasion measures. You should detect conditions that normally should not occur, such as fragmentation overlaps, fragmentation database timeouts, TCP stream or sequence overlaps, out-of-memory errors, or unexpected dropping of packets at the sensor. Follow these guidelines to reduce false negatives:
■ ■ ■

Tune signature thresholds. Tune signature content. Employ maximum anti-evasion measures.

© 2011 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 62 for more details.

From the Library of Bolovan Catalin Bogdan

[ 35 ] Chapter 3: Cisco Intrusion Detection and Prevention Signatures

Syncing to Protected Devices
Specific tuning recommendations are based on the systems being monitored. For Windows systems, follow these guidelines:
■ ■ ■ ■ ■

For IP reassembly, use the reassembly mode of NT. Enable all IIS signatures if you are running an IIS server. Enable general Windows/NetBIOS signatures. Consider the more specific Windows/NetBIOS signatures. De-obfuscation inside the HTTP protocol is turned on for all HTTP signatures by default. It uses the ISS dialect.

For Solaris systems, follow these guidelines:
■ ■ ■ ■

The IP reassembly mode should be set to Solaris. Enable UNIX Remote Procedure Class (RPC) signatures. Enable UNIX remote services (r-services) signatures. Enable general RPC/Network File System signatures depending on the server's role.

If you are monitoring Linux systems, follow these guidelines:
■ ■ ■ ■

Set the IP reassembly mode to Linux. Enable the UNIX RPC signatures. Enable UNIX r-services signatures. Enable general RPC/NFS signatures, depending on the server's role.

© 2011 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 62 for more details.

From the Library of Bolovan Catalin Bogdan

[ 36 ] Chapter 3: Cisco Intrusion Detection and Prevention Signatures

Focusing IPS Sensors to Policy
To take a more policy-based approach, detect unauthorized protocols, detect unauthorized applications, detect unauthorized actions, and enable almost all signatures.

Performance Optimization Guidelines
You should consider the following:
■ ■ ■

Filter traffic before capture. Place the sensor behind a firewall; selective capture. Reduce detection capabilities. Disable unneeded signatures, simplify signatures; unidirectional capture. Load balance to multiple sensors.

© 2011 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 62 for more details.

From the Library of Bolovan Catalin Bogdan

[ 37 ] CCNP Security IPS 642-627 Quick Reference

Chapter 4

Advanced Configurations
Advanced Tuning
You may need the following types of information before you begin advanced tuning:
■ ■ ■ ■ ■ ■ ■

Network topology Network address space Which inside addresses are static and which are Dynamic Host Configuration Protocol (DHCP) Which inside addresses are owned, but not used Operating systems running on the servers Applications running on servers Overall security policy

Sensor Configurations
The location of the sensor is important for tuning considerations. The nature of the traffic that the sensor monitors will vary, and so will the security policy that the sensor interacts with. Some organizations place the intrusion prevention system (IPS) sensor outside the firewall, for example, and others place it inside. Some place the sensor in a datacenter, whereas others use it to monitor wireless user traffic. The type of policy a sensor is configured to use will likely vary in each of these instances. It is also likely that the deployment model will vary.

© 2011 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 62 for more details.

From the Library of Bolovan Catalin Bogdan

[ 38 ] Chapter 4: Advanced Configurations

A sensor placed outside the firewall sees much more noise than a sensor placed inside the firewall because the firewall filters most of the unwanted traffic. You should avoid assigning a high severity level to any single event when the sensor is outside the firewall. Also, turn off all response actions, and use the sensor to look for trends that might indicate attacks, viruses, or worms, such as Sasser or Netsky. Sensors deployed in datacenters tend to be in promiscuous, or intrusion detection system (IDS), mode. At the perimeter, they are more likely to be deployed inline, as an IPS. You tune the sensor for many reasons. The default configuration is not optimized for the types of systems or applications your organization is running. Often, the sensor’s default settings makes it too “noisy” to be of great benefit to the network admin team. Reasons for sensor tuning include reducing background noise, reducing false positives, reducing false negatives, and increasing performance. Tuning the sensor is done in phases:
■ ■ ■

During deployment, the sensor is usually running the default configuration. Tuning usually takes place during the weeks following deployment. Maintenance is performed periodically.

To tune the sensor, you enable and disable signatures, change signature parameters, create policies to override event actions, and create event action filters. You can use global sensor settings to ensure that the sensor’s valuable resources are not wasted. These include IP logging, IP fragment reassembly, and TCP stream reassembly.

Global Correlation Inspection
The Global Correlation feature allows the sensor to take a stronger action against malicious traffic that originates from addresses that have a reputation for attacking other networks. For example, you are more likely to want to block questionable traffic coming from a known attacker than you might from a partner, especially if there is a chance that the traffic is misidentified.

© 2011 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 62 for more details.

From the Library of Bolovan Catalin Bogdan

[ 39 ] Chapter 4: Advanced Configurations

Global Correlation includes the ability to modify the risk rating based on the attacker’s reputation. It also includes a feature called Reputation Filtering, which is used to block all traffic from addresses known to be always bad. An example of an address in the Reputation Filtering list is an address that is not owned by any organization and should not be sending traffic at all. Address blocks that are wholly owned by malware organizations are another example. To enable Global Correlation inspection and reputation filtering, choose Configuration, Global Correlation, Inspection/ Reputation. Available options for Global Correlation are Off, Permissive, Standard, and Aggressive. Options for reputation filtering are On or Off. Cisco requests that you also enable Network Participation if this is permitted by your security policy. Participation makes the Global Correlation Inspection database more accurate by capturing greater amounts of information on attackers, globally. You should be aware that information contained in the data fields of packets are never sent to Cisco. To enable Network Participation, choose Configuration, Global Correlation, Network Participation.

IP Logging
At times, you might want to enable the IP logging feature. This allows you to capture raw, unaltered IP packets. You can use these packets for confirmation of the attack and damage assessment, and forensic evidence or tuning. IP logs are generated when you enable it for certain systems using the Add IP Logging dialog box, or when you configure the Log Attacker Packets, Log Pair Packets, or Log Victim Packets event actions for a signature. The log file is in a libpcap format. Several of the sensor models are diskless and store the IP logs in RAM. To log IP traffic for a particular host (manual logging), choose Monitoring, Time-Based Actions, IP Logging, Add. To configure global IP logging parameters, choose Configuration, Policies, Signature Definitions, signature policy name, Active Signatures, Advanced, Miscellaneous.

© 2011 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 62 for more details.

From the Library of Bolovan Catalin Bogdan

[ 40 ] Chapter 4: Advanced Configurations

Reassembly Options
You can configure sensor reassembly settings to try to make the best of resource usage on the sensor. When TCP traffic arrives on a host that is fragmented, and overlaps other fragments, hosts make a best-effort attempt to reassemble it. Although this is sometimes benign, attackers often use it to bypass IDS or IPS sensor detection. Different operating systems treat this type of traffic differently, and it is best to configure your sensor to treat it like the majority of your hosts would. The options for IP Reassembly mode are BSD, Linux, NT, and Solaris. The options for TCP Reassembly mode are Asymmetric, Loose, and Strict. How you configure reassembly affects the sensor’s overall performance and is not specific to certain signatures. Using Cisco IPS Device Manager (IDM) or Cisco IPS Manager Express (IME), you can configure both IP fragment reassembly and TCP stream reassembly on the sensor. Choose Configuration, Policies, Signature Definitions, signature policy name, Active Signatures, Advanced, Miscellaneous.

Target Value Rating
You should consider using target value ratings on your network assets. These ratings are used to calculate the risk rating of events when signatures are triggered. The risk rating allows different dynamic actions for different assets that are attacked. Events with a higher risk rating trigger more severe event actions. The available values for the target value are Low, Medium, High, Mission Critical, and No Value. To configure a new target value rating, choose Configuration, Event Action Rules, rule name, and then choose either the IPv4 Target Value Rating or IPv6 Target Value Rating tab.

Event Variables
Consider creating event variables for tuning. These event variables are used in event action filters. This is useful when you plan to use the same value in many different filters. To create an event variable, choose Configuration, Event Action Rules, rule name, and then choose the Event Variables tab.
© 2011 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 62 for more details.

From the Library of Bolovan Catalin Bogdan

[ 41 ] Chapter 4: Advanced Configurations

Event Action Overrides
The event action override is a key component in using a policy to define dynamic actions. This enables you to change the actions associated with an event based on the relative severity of the event, using multiple points of data. You use the overall risk rating score as the trigger. For example, perhaps you want to deny attacker inline only if the risk rating for the event is above a certain value. To configure event action overrides, choose Configuration, Event Action Rules, rule name, and then choose the Event Action Overrides tab.

Event Action Filters
You can use event action filters to remove specific actions from an event or to prevent an entire event from firing. Remember, the event variables that you created earlier can be used in event action filters. To configure event action filters, choose Configuration, Event Action Rules, rule name, and then choose the Event Action Filters tab.

Risk Rating System
Risk ratings are associated with alerts, not signatures. The intent of this feature is to provide administrators with a value that represents the relative risk of traffic or a host that is accessing your network. The risk rating is calculated from several different components. Some are configured, some are collected, and others are derived. The following components make up the risk rating:

Attack severity rating (ASR): This is determined by the severity level you configure for the signature: Information (25), Low (50), Medium (75), High (100). Target value rating (TVR): Zero (50), Low (75), Medium (100), High (150), Mission Critical (200).

© 2011 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 62 for more details.

From the Library of Bolovan Catalin Bogdan

[ 42 ] Chapter 4: Advanced Configurations

Signature fidelity rating (SFR): Configured on a per-signature basis. Valid numbers are 0 to 100. This indicates how accurately the signature detects the event it describes, and can be thought of as the percentage chance a signature fires correctly. Attack relevancy rating (ARR): This value is derived, not configured. Relevant (10), Unknown (0), and Not Relevant (–10). This is based on the relevant operating system for the attack. For example, the buffer overflow attack is relevant for Microsoft IIS, but not Apache. Promiscuous delta (PD): Configured on a per-signature basis. Valid numbers are 0 to 30. This is relevant only in promiscuous mode. It is not recommended that this value be changed. Cisco uses it to lower the risk rating on certain alerts in promiscuous mode. Watch list, or Reputation rating (WLR): If the attacker for an alert is found in the watch list, the WLR is added to the risk rating. Valid numbers are 0 to 35.

Figure 4-1 shows the risk rating formula. Valid numbers are from 0 to 100. FIGURE 4-1
Risk Rating Formula

General Settings for Event Action Rules
There are some general settings for event action rules, such as if you want to use the event summarizer and the meta event generator. You can also configure settings for how long you want to deny attackers, the maximum number of denied attackers, and how long blocks should last.
© 2011 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 62 for more details.

From the Library of Bolovan Catalin Bogdan

[ 43 ] Chapter 4: Advanced Configurations

To configure general settings, choose Configuration, Event Action Rules, rule name, General. There is also a threat rating adjustment. The threat rating adjusts the risk rating. Most response actions have a threat rating adjustment. This value is subtracted from the risk rating. If the threat rating is disabled, the threat rating and the risk rating are identical.

Monitoring Alarms
IME
The Cisco IPS Manager Express (IME) supports both event monitoring and reporting for up to ten sensors. Event monitoring and reporting is accessed by clicking the Event Monitoring or Reports buttons.

Cisco Security Manager
Cisco Security Manager (CSM) features the ability to manage and monitor firewalls, virtual private networks (VPN), IPS devices, routers, and switches using a powerful graphical user interface. Versions earlier than 4.0 supported only management capabilities. Beginning in 4.1, CSM can also support event monitoring and reporting.

Virtual Sensor Configuration
A virtual sensor enables you to monitor multiple segments and apply a different policy or configuration for each monitored segment. You can assign physical interfaces, inline interface pairs, inline VLAN pairs, and VLAN groups to a virtual sensor.

© 2011 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 62 for more details.

From the Library of Bolovan Catalin Bogdan

[ 44 ] Chapter 4: Advanced Configurations

Virtual sensors have some restrictions:
■ ■ ■

The persistent event store is limited. The sensor should see both directions of traffic in the same VLAN group. You can define up to four virtual sensors. Note that the vs0 virtual sensor already exists and uses sig0, rules0, and ad0. You cannot delete this sensor.

To add a virtual sensor, choose Configuration, IPS Policies and select Add Virtual Sensor.

Inline TCP Session Tracking Mode
In some sensor deployments, it is possible for one traffic flow to potentially flow past or through the sensor more than once. When this occurs, it is important for the sensor to be able to differentiate that flow from another instance. This might occur, for instance, when one interface is configured to monitor traffic in an internal network, while at the perimeter, the traffic is passing through the same sensor on the way to the Internet. The Inline TCP Session Tracking mode enables you to define how to differentiate the flows. Available options are as follows:
■ ■ ■

Virtual Sensor (default) VLAN only Interface and VLAN

To configure Inline TCP Session Tracking mode, choose Configuration, IPS Policies and highlight the Virtual Sensor. Select Edit, Advanced Options.

© 2011 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 62 for more details.

From the Library of Bolovan Catalin Bogdan

[ 45 ] Chapter 4: Advanced Configurations

Normalizer Mode
A sensor deployed in inline (IPS) mode requires symmetric traffic flows for the most accurate detection and protection capabilities. When a traffic flow can sometimes take an alternate path, bypassing the sensor, or flowing through a different sensor, that asymmetric traffic will cause sometimes unpredictable behavior from the sensor, including false positives and false negatives, and potentially deny legitimate network traffic. It is best to avoid asymmetric traffic flows through alternate network design options and IPS deployment models. However, when this cannot be done, the sensor can be instructed to expect asymmetric traffic. This reduces the protection profile provided by the sensor, but eliminates the likelihood of dropping legitimate traffic. To configure the Normalizer mode, choose Configuration, IPS Policies and highlight the Virtual Sensor. Select Edit, Advanced Options. Strict Evasion Protection is the default setting. Changing this setting forces the sensor to reboot.

Configuring Advanced Features
Anomaly Detection
Cisco IPS can detect worm-infected hosts by watching changes in host behavior. This component allows the sensor to learn about normal activity, send alerts, and take response actions for behavior that deviates from the norm. Note that this feature cannot protect against email-based worms, such as Melissa. Anomaly detection looks for a single worm-infected host that enters the network and starts scanning and for a network that becomes congested with worm traffic.

© 2011 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 62 for more details.

From the Library of Bolovan Catalin Bogdan

[ 46 ] Chapter 4: Advanced Configurations

Anomaly Detection Components
Anomaly detection uses the following components:
■ ■

Scanner: A source IP that generates scan events on the same service for multiple destination IP addresses. Scan event: TCP: Nonestablished connections. UDP: Unidirectional connections. ICMP or other: Unidirectional connections.

The anomaly detection feature uses the concept of zones. A zone is a set of destination IP addresses. By subdividing the network into zones, you can achieve a lower false-negative rate. There are three types of zones, each with its own thresholds: internal, external, and illegal. You configure anomaly detection by choosing Configuration, Anomaly Detections, anomaly detection policy name. Learning is the process that anomaly detection uses to detect the normal state of the network. The two phases are Learn mode and Detect mode. Learn mode takes at least 24 hours. To set the operation mode to learning, choose Configuration, IPS Policies and highlight the virtual sensor name. Choose Edit, AD Operational Mode, Learn. To move to Detect mode, choose Edit, AD Operational Mode, Detect. The following anomaly detection event actions are possible:
■ ■

Produce alert: Writes the event to the Event Store Deny attacker inline: (Inline only) Does not transmit this packet and future packets originating from the attacker address for a specified period of time Log attacker pairs: Starts IP logging for packets that contain the attacker address Log pair packets: Starts IP logging for packets that contain the attacker and victim address pair Deny attacker service pair inline: Blocks the source IP address and the destination port Request SNMP trap: Sends a request to NotificationApp to perform Simple Network Management Protocol (SNMP) notification Request block host: Sends a request to the Attack Response Controller (ARC) to block this host (the attacker)
© 2011 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 62 for more details.

■ ■ ■ ■

From the Library of Bolovan Catalin Bogdan

[ 47 ] Chapter 4: Advanced Configurations

To configure anomaly detection fully, do the following: 1. 2. 3. 4. 5. 6. Add the anomaly detection policy to your virtual sensor. Configure the AD zones, protocols, and services. Set the anomaly detection operation mode to Learn. Let the sensor run in this mode for at least 24 hours. Switch to Detect mode. Configure the anomaly detection parameter.

To monitor anomaly detection, choose Monitoring, Anomaly Detection. Also, the command show statistics anomaly-detection is available on the command-line interface (CLI).

Passive Operating System Fingerprinting Analysis
Passive OS fingerprinting lets the sensor determine which operating system hosts are running. The sensor analyzes network traffic between hosts and stores the type of operating system of these hosts with their IP addresses. The sensor inspects TCP SYN and ACK packets exchanged on the network to determine the operating system type. The sensor then uses the target host operating system to compute the attack relevancy rating (ARR) component of the risk rating. The sensor has three ways to associate an IP address with an operating system identity: Configured, Imported, and Learned. You are not required to configure this feature, but you can control the following:

Define operating system mappings: It is recommended that you configure OS mappings to define the identity of operating systems running on critical systems. Import OS mappings: This is done through the external product interfaces. You import the mappings from CiscoWorks Management Center for Cisco Security Agent.

© 2011 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 62 for more details.

From the Library of Bolovan Catalin Bogdan

[ 48 ] Chapter 4: Advanced Configurations

■ ■

Define the ARR for a specific IP address: This limits the ARR calculations to IP addresses on the protected network. Define event action rules filters using the target OS relevancy value: This provides a way to filter alerts solely on OS relevancy.

Configuration can be done by choosing Configuration, IPS Policies, OS Identifications. For monitoring, choose Monitoring, OS Identifications, Learned OS.

Blocking
To fully understand blocking, you should be familiar with the following terms:

Blocking prevents packets from reaching their destination. Blocking is initiated by a sensor and is performed by another Cisco device at the sensor's request. The Attack Response Controller (ARC) is the sensor's blocking application. ARC is also used in rate limiting. Device management is the sensor's ability to interact with a Cisco device and dynamically reconfigure the Cisco device to block the source of an attack in real time. The managed device is the Cisco device that actually blocks the attack. The blocking sensor is configured to control a managed device. The managed interface or VLAN is the interface or VLAN on the managed device where the sensor applies the dynamically created ACL or VLAN ACL (VACL). The active ACL or VACL is the ACL or VACL that is dynamically created and maintained by the sensor and that is applied to the managed interface or VLAN.

■ ■

■ ■ ■

© 2011 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 62 for more details.

From the Library of Bolovan Catalin Bogdan

[ 49 ] Chapter 4: Advanced Configurations

Blocking Devices
The ARC can control up to 250 supported devices. These can be Cisco routers, PIX 500 series Security Appliances, Cat 6500, Cat 6500 Firewall Services modules, or ASA 5500 series Adaptive Security Appliances. Blocking is done with ACLs, VACLs, or the shun command. All the Cisco PIX security appliance models that support the shun command can be used as blocking devices.

Blocking Device Requirements
■ ■ ■

The sensor must be able to communicate with the blocking device via IP. Network access must exist between the sensor and the blocking device using Telnet or Secure Shell (SSH) (the default). If you are using SSH, add the blocking device to the sensor known host list by choosing Configuration, Sensor Management, SSH, Known Host Keys.

Guidelines
■ ■ ■ ■ ■

Implement antispoofing. Identify hosts that should be excluded. Identify network entry points that will participate in blocking. Assign a block reaction to the appropriate signatures. Determine the appropriate blocking duration.

© 2011 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 62 for more details.

From the Library of Bolovan Catalin Bogdan

[ 50 ] Chapter 4: Advanced Configurations

ARC Block Actions
Two events can cause the ARC to initiate a block:

Automatic blocking is a signature configured with a block action. Examples are REQUEST BLOCK HOST and REQUEST BLOCK CONNECTION. Manual blocking is a manually configured block action.

Blocking Process
■ ■ ■ ■ ■

An attack is launched against a server. The sensor detects the attack and fires a signature that is configured to block. The sensor writes a new ACL on the managed router. ACLs. For an external interface, prefer an inbound ACL direction. This is the opposite for an internal interface. The sensor takes full control of ACLs on the managed interface. A preblock ACL is an existing ACL. These override the deny lines resulting from blocks. Preblock ACLs are used to permit what you do not want the sensor to block. You can also have postblock ACLs that are added after the dynamically created ACL. These are used for additional blocking or permitting of what you want to occur on an interface or direction.

Configuration Tasks
■ ■ ■ ■ ■

Assign a block reaction to a signature. Assign the sensor global blocking properties. Create the device login profiles. Define the blocking device properties. Optional: Define a master blocking sensor.

© 2011 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 62 for more details.

From the Library of Bolovan Catalin Bogdan

[ 51 ] Chapter 4: Advanced Configurations

To configure blocking, choose Configuration, Sensor Management, Blocking, Blocking Properties. To configure manual blocking, choose Monitoring, Host Blocks. For network blocks, choose Monitoring, Network Blocks. Add a new block to either by clicking the Add button.

Master Blocking
A master blocking sensor is any sensor that controls blocking on a device on behalf of another sensor. A blocking forwarding sensor sends block requests to a master blocking sensor (MBS). A sensor can forward block requests to a maximum of ten MBSs. To have a sensor initiate blocking on behalf of another sensor, you must configure both sensors. On the blocking forwarding sensor, do the following: 1. 2. 3. 4. Identify the remote host that serves as the MBS. Add the MBS to the blocking forwarding sensor TLS trusted host table. On the MBS, add the blocking forwarding sensor IP address to the allowed host configuration. Choose Configuration, Sensor Management, Blocking, Master Blocking Sensor.

© 2011 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 62 for more details.

From the Library of Bolovan Catalin Bogdan

[ 52 ] CCNP Security IPS 642-627 Quick Reference

Chapter 5

Additional Intrusion Detection and Prevention Devices
ASA Modules
There are several options for including Intrusion Detection and Prevention modules into Cisco Adaptive Security Appliances. Each of the available modules provides common features, but at different performance levels. For the Cisco ASA-5510, ASA-5520, and ASA-5540 appliances, three IPS modules are available: the AIP-SSM-10, AIP-SSM-20, and AIP-SSM-40, shown in Figure 5-1. These Advanced Inspection and Prevention Security Services Modules (ASA AIP-SSM) are a powerful option for providing intrusion detection system (IDS) or intrusion prevention system (IPS) services. For the Cisco ASA-5505 appliance, a single card, called the AIP-SSC-5, is available. This module is a lower performance option for providing IPS services into the smallest form factor ASA. For the Cisco ASA-5585-X chassis, there are four options: the IPS-SSP-10, IPS-SSP-20, IPS-SSP-40, and IPS-SSP-60, shown in Figure 5-2. These IPS Security Services Modules are the most powerful option for providing IDS or IPS services. In addition to providing security services, they also add a total of ten additional interfaces to the ASA chassis, to be used for either firewall or IPS purposes.

© 2011 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 62 for more details.

From the Library of Bolovan Catalin Bogdan

[ 53 ] Chapter 5: Additional Intrusion Detection and Prevention Devices

FIGURE 5-1
ASA AIP-SSM

Overview
Be aware of the major differences between these devices and a 4200 series sensor:

The ASA IPS modules automatically synchronizes their clock with the Cisco ASA, but do not synchronize time zone or summertime settings. The ASA IPS modules have no clock set command. The ASA IPS modules do not require two interfaces to be in inline mode. They do not support inline VLAN pairs or inline pairs. The ASA IPS module supports sensor virtualization starting with Cisco ASA Software Version 8.0. Console access is provided via the Cisco ASA console and execution of the session command. Many ASA IPS module commands are executed from the Cisco ASA command-line interface (CLI). The NORMALIZER engine is disabled on the ASA IPS module. Normalizer functionality is provided by the ASA appliance instead.

■ ■ ■ ■ ■ ■ ■

© 2011 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 62 for more details.

From the Library of Bolovan Catalin Bogdan

[ 54 ] Chapter 5: Additional Intrusion Detection and Prevention Devices

The AIP-SSM and the IPS SSP support an internal (sensing) interface and an external (command and control) interface to the ASA 5500 series Adaptive Security Appliance. The internal interface is the primary IPS data path interface for both inline and promiscuous IPS packets. The external interface is used for all management and monitoring purposes, including downloading IPS software and signatures and for ASDM access. The external interface has an IP address configured (10.1.9.201/24), but this will need to be modified to function on the network it is installed on. The AIP-SSC supports only an internal interface, which is used for both sensing as well as command and control purposes. You must configure whether the device fails open or fails closed. Fail-open allows traffic to continue to flow even if the IPS module fails.

Initializing the Module
You must initialize the device as follows: 1. Load the IPS software if necessary. Use the show module detail command to see the software state. If the software load is required, use the hw module 1 recover command to load a recovery software image to the IPS module from a TFTP server. Use the hw module 1 recover boot command to initiate the TFTP download of the image defined in the hw module 1 recover configure command. Configure the initial setup of the IPS module using the setup command. Configure a security policy on the ASA using the ASDM graphical user interface.

2. 3.

FIGURE 5-2
ASA IPS-SSP

© 2011 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 62 for more details.

From the Library of Bolovan Catalin Bogdan

[ 55 ] Chapter 5: Additional Intrusion Detection and Prevention Devices

IDSM-2
Another powerful option for providing IDS or IPS services is the Cisco Catalyst 6500 Series switch’s Intrusion Detection System Services Module 2 (IDSM-2). This option for adding IPS capabilities leverages the existing Cisco network infrastructure. The IDSM2 also benefits from the power of the 6500 series switches.

Overview
Be aware of some key differences between this module and a typical Cisco IPS sensor (such as the 4200 series):
■ ■ ■ ■ ■ ■ ■ ■ ■ ■

It does not support sensor virtualization using inline VLAN groups. It does not support subdividing inline interfaces or VLAN groups. It automatically synchronizes its clock with the switch. It does not have a clock set command. It has only two sensing interfaces. It must be configured with a native VLAN. It does not have console access. Several of the IDSM-2-related commands are executed on the 6500 switch. It has a maintenance partition. This allows for a simple full system reimage of the IDSM-2. Features vary, depending on whether promiscuous mode or inline mode is used.

© 2011 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 62 for more details.

From the Library of Bolovan Catalin Bogdan

[ 56 ] Chapter 5: Additional Intrusion Detection and Prevention Devices

The IDSM-2 has four logical ports:
■ ■ ■

Port 1 (System0/1): TCP reset port for promiscuous mode Port 2 (Gi0/2): Command and control port Ports 7 and 8 (Gi0/7, Gi0/8): Monitoring ports

Time Configuration
You can use one of the following options:

Configure time synchronization with the switch. Only Coordinated Universal Time (UTC) is synced. You still must configure time zone and daylight saving settings. Configure the module to use a Network Time Protocol (NTP) time source.

Installing
Use the following procedure:
■ ■

Physically install into the chosen slot. Initialize using the setup command. The default username and password are both cisco. Use the session command at the switch to access the module CLI. Configure the switch for command and control access. Assign the command and control port to the correct VLAN. Configure the interfaces to receive traffic. Set the native VLAN for the sensing ports. Clear all VLANs from the sensing ports except for the native VLAN. Enable bridge protocol data unit (BPDU) Spanning Tree Protocol (STP) filtering on the sensing port.

■ ■

© 2011 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 62 for more details.

From the Library of Bolovan Catalin Bogdan

[ 57 ] Chapter 5: Additional Intrusion Detection and Prevention Devices

Configure for inline operation using an inline pair. Configure the sensing ports as a port pair. Assign the port pair to the default virtual sensor.

Monitoring
You can use the show module command at the switch CLI to display module status and information. You can use the upgrade command to apply image upgrades, service packs, and signature updates to the IDSM-2.

© 2011 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 62 for more details.

From the Library of Bolovan Catalin Bogdan

[ 58 ] CCNP Security IPS 642-627 Quick Reference

Chapter 6

Monitoring and Maintenance
Maintaining the Sensor
You need to be able to perform several maintenance tasks using the sensor.

Licensing
Remember that licensing is extremely important when it comes to the sensor modules and devices. A valid license is required to perform signature updates. If a valid services contract is valid on the sensor, the license can usually be retrieved automatically using either Cisco IPS Device Manager (IDM) or Cisco IPS Manager Express (IME). Apply for the appropriate license at www.cisco.com/go/license. Use the copy command with the keyword license-key to install. If you’re using the IDM or IME, choose Configuration, Sensor Management, Licensing.

Upgrade and Recovery
These are the three sensor image types:
■ ■ ■

Application is used for operation. System is used for reimaging. Recovery is the application image plus an installer used for recovery.
© 2011 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 62 for more details.

From the Library of Bolovan Catalin Bogdan

[ 59 ] Chapter 6: Monitoring and Maintenance

Use the upgrade command to apply image upgrades, service packs, and signature updates. Follow these steps to install a new system image and reset the sensor to factory default: 1. 2. 3. 4. 5. 6. 7. 8. 9. Place the image on a TFTP server. Verify access. Reboot the sensor. Escape the boot sequence by pressing Break or Esc. Change the interface port number if necessary. Specify the sensor’s IP address. Specify the IP address of the sensor default gateway. Specify the path and filename of the TFTP server. Begin the TFTP download.

If your IPS sensor application image becomes corrupted, you can recover it using one of two methods:
■ ■

Use the recover command to reimage from an image stored on the recovery partition. Choose the Cisco IPS recovery image from the boot menu during boot. This method also retains your sensor IP address, subnet mask, and default gateway settings. It is useful if you are unable to access the command-line interface (CLI).

Service Packs and Signature Updates
From the IDM Update Sensor panel, you can immediately apply service pack and signature updates. The sensor does not download service pack and signature updates from Cisco.com. You must download them from Cisco.com to an FTP, SCP, HTTP, or HTTPS server and then configure the sensor to download them from your server. Choose Configuration, Update Sensor. You can configure automatic updates to have service pack or signature updates that reside on a local FTP or SCP server downloaded and applied to your sensor. Choose Configuration, Auto Update.
© 2011 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 62 for more details.

From the Library of Bolovan Catalin Bogdan

[ 60 ] Chapter 6: Monitoring and Maintenance

Password Recovery
For most Cisco IPS sensor platforms, you can now recover the password on the sensor rather than using the service account or reimaging the sensor. Password recovery implementations vary according to Cisco IPS sensor platform requirements.

Restoring
To restore a sensor to its original configuration, choose Configuration, Restore Defaults in the Cisco IDM.

Backup and Restore
To back up and restore configurations, use the copy command at the CLI. You can use the /overwrite switch to overwrite one configuration with another. For example, to overwrite the current configuration with the backup configuration, you issue the command copy /erase ftp://100.20.34.15/mybackup-config current-config.

Managing Sensors
You should also monitor and manage the sensor’s health.

CLI
Use the show inventory command to obtain Cisco Product Evolution Program (PEP) information. This helps you electronically inventory your Cisco equipment and simplify product identification. Use the show statistics command with additional keywords to provide a snapshot of the current internal state of sensor services. Use show interfaces for interface statistics.

© 2011 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 62 for more details.

From the Library of Bolovan Catalin Bogdan

[ 61 ] Chapter 6: Monitoring and Maintenance

To display operating system IDs associated with the IP addresses learned by the sensor through passive analysis, use the show osidentification command. Use the show ad-knowledge-base command to display the anomaly detection knowledge base files available for a virtual sensor. Use the show tech-support command to capture all status and configuration information on the sensor.

Sensor Monitoring
Choose Monitoring, Support Information, Diagnostics Report to obtain important diagnostic information about your sensor. Also, you can choose Monitoring, Support Information, System Information to see a wealth of information about your device. This includes versions, status of applications, upgrades installed, and PEP information. In addition, consider monitoring with Cisco Security Manager or Simple Network Management Protocol (SNMP) for enhanced capabilities and more manageability. To configure SNMP settings, choose Configuration, SNMP, SNMP General Configuration.

© 2011 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 62 for more details.

From the Library of Bolovan Catalin Bogdan

[ 62 ] CCNP Security IPS 642-627 Quick Reference

CCNP Security IPS 642-627 Quick Reference
Gary Halleen
Technical Reviewer: Jorge Vargas
Copyright © 2011 Pearson Education, Inc. Published by: Cisco Press 800 East 96th Street Indianapolis, IN 46240 USA All rights reserved. No part of this Quick Reference may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in review. Digital Edition April 2011 ISBN-10: 0-13-256641-9 ISBN-13: 978-0-13-256641-4

Trademark Acknowledgments
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc., cannot attest to the accuracy of this information. Use of a term in this Quick Reference should not be regarded as affecting the validity of any trademark or service mark.

Feedback Information
At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional techniAmericas Headquarters Asia Pacific Headquarters Europe Headquarters cal community. Cisco Systems, Inc. Cisco Systems (USA) Pte. Ltd. Cisco Systems International BV Readers’ feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book or otherwise alter it to better suit your needs, you can contact us through email at feedback@ciscopress. Cisco Please than 200 offices worldwide. Addresses, phone ISBN in your message. com. has moremake sure to include the book title and numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.
CCDE, CCENT, Cisco Eos, Cisco HealthPresence, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, Cisco TelePresence, Cisco WebEx, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

San Jose, CA

Singapore

Amsterdam, The Netherlands

We greatly appreciate your assistance.

Corporate and Government Sales

All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0812R)

Cisco Press offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales. For more information, please contact: U.S. Corporate and Government Sales 1-800-382-3419 corpsales@pearsontechgroup.com For sales outside the U.S., please contact: International Sales international@pearsoned.com

Warning and Disclaimer
This book is designed to provide information about CCNP Security. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information is provided on an “as is” basis. The authors, Cisco Press, and Cisco Systems, Inc., shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this Quick Reference. The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems, Inc

Americas Headquarters Cisco Systems, Inc. San Jose, CA

Asia Pacific Headquarters Cisco Systems (USA) Pte. Ltd. Singapore

Europe Headquarters Cisco Systems International BV Amsterdam, The Netherlands

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.
CCDE, CCENT, Cisco Eos, Cisco HealthPresence, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, Cisco TelePresence, Cisco WebEx, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0812R)

© 2011 Cisco Systems Inc. All rights reserved. This publication is protected by copyright.

From the Library of Bolovan Catalin Bogdan

Sign up to vote on this title
UsefulNot useful