CCSP Self-Study: Cisco Secure Intrusion Detection System (CSIDS)

Book Description

  • Understand how Cisco IDS can be used to protect, monitor, and enforce physical security policies

  • Review techniques applicable to both network- and host-based platforms

  • Review the security wheel concepts and apply security to AVVID using the SAFE Blueprint

  • Install and configure the Cisco IDS to monitor your network for malicious activity

  • Understand Cisco Threat Response (CTR) benefits and how it operates

  • Apply alarm signatures and gain the proficiency to create your own custom signatures

  • Deploy Cisco IDS effectively in your network using sensor and management platforms

  • Get inside the Cisco Security Agent (CSA) architecture

In addition to firewalls and other security appliances intended to limit outsider access to a network, intrusion detection and targeted countermeasures are a critical component of a complete network security plan. The Cisco Intrusion Detection Sensors and Management options work as a united system to provide detection, notification, and aggressive lockdown to malicious network breaches. CCSP Self-Study: Cisco Secure Intrusion Detection System (CSIDS), Second Edition, offers in-depth configuration and deployment information for the reliable and intensive intrusion detection solutions from Cisco Systems.

CCSP Self-Study: Cisco Secure Intrusion Detection System (CSIDS), Second Edition, is a Cisco authorized, self-paced learning tool that helps you gain mastery over the use of both the host-based and network-based IDS options (as well as the Cisco Threat Response functionality) by presenting a consolidated all-inclusive reference on all of the current Cisco IDS sensor platforms and management platforms. Chapter overviews bring you quickly up to speed and help you get to work right away. Configuration examples are designed to show you how to make the most of your IDS system, and unique chapter-ending review questions test your knowledge.

Whether you are seeking a reference guide to working with the CIDS sensor and management platforms or a study guide for the 642-531 exam, CCSP Self-Study: Cisco Secure Intrusion Detection System (CSIDS), Second Edition, supports your effective use of the Cisco IDS.

CCSP Self-Study: Cisco Secure Intrusion Detection System (CSIDS), Second Edition, is part of a recommended learning path from Cisco Systems that can include simulation and hands-on training from authorized Cisco Learning Partners and self-study products from Cisco Press. To find out more about instructor-led training, e-learning, and hands-on instruction offered by authorized Cisco Learning Partners worldwide, please visit www.cisco.com/go/authorizedtraining.

This volume is in the Certification Self-Study Series offered by Cisco Press. Books in this series provide officially developed training solutions to help networking professionals understand technology implementations and prepare for the Cisco Career Certifications examinations.

    Table of Contents

    1. Copyright
      1. Dedications
    2. About the Author
    3. About the Technical Reviewers
    4. Acknowledgments
    5. Icons Used in This Book
    6. Command Syntax Conventions
    7. Foreword
    8. Introduction
      1. Audience
      2. Organization
        1. Part I, “Introduction to Network Security”
        2. Part II, “Intrusion Detection and the CIDS Environment”
        3. Part III, “Cisco Network IDS Configuration”
        4. Part IV, “Cisco Endpoint Security”
        5. Part V, “CIDS Maintenance and Tuning”
        6. Part VI, “Cisco Enterprise IDS Management”
        7. Part VII, “Cisco Intrusion Protection System Upcoming Functionality”
        8. Part VIII, “Appendixes”
    9. Conventions Used in This Book
    10. Cisco Certified Security Professional
    11. Cisco Intrusion Detection Systems Course
    12. Cisco IDS Course Prerequisites
    13. 1. The Need for Network Security
      1. Security Threats
        1. Unstructured Threats
        2. Structured Threats
        3. External Threats
        4. Internal Threats
      2. Security Concepts
      3. The Phases of an Attack
        1. Setting the Goals for the Attack
        2. Reconnaissance Before the Attack
          1. Public Data Sources
          2. Scanning and Probing
        3. The Actual Attack
      4. Attack Approaches
        1. Ad Hoc
        2. Methodical
        3. Surgical Strike
        4. Patient (Slow)
      5. Network Attack Points
        1. Network Resources
          1. Data Manipulation or Access
          2. Account Access
          3. Privilege Escalation
          4. Exploiting Trust Relationships
        2. Network Protocols
          1. Man-in-the-Middle Attacks
          2. Spoofing Attacks
      6. Hacking Tools and Techniques
        1. Using Reconnaissance Tools
          1. Common Administrative Tools
          2. Common Hacker Scanning Tools
        2. Compromising Weaknesses in Your Network
          1. Authentication Compromises
          2. Common Services Configured Poorly
          3. Protocol Weaknesses
          4. Compromised Trust Relationships
          5. Application Holes
          6. Back Doors
        3. Implementing Denial-of-Service Techniques
          1. Network Resource Overload (Bandwidth Consumption)
          2. Host Resource Starvation
          3. Distributed Attacks
      7. Summary
      8. End Notes
      9. Review Questions
    14. 2. Network Security and Cisco
      1. Securing the Network
        1. Tightening Authentication
          1. Define Common Privilege Groups
          2. Limit Administrative Access
          3. Eliminate Default Passwords
          4. Reduce Anonymous Access
          5. Minimize Trust Relationships
          6. Use One-Time Passwords
        2. Establishing Security Boundaries
          1. Determining Necessary Traffic Patterns
          2. Defining Logical Security Zones
        3. Providing Confidentiality Through Virtual Private Networks
          1. Define Untrusted Links
          2. Define Endpoints
        4. Patching Security Vulnerabilities
      2. Monitoring Network Security
        1. Manual Monitoring
        2. Automatic Monitoring
      3. Testing Network Security
        1. Using Network Scanners
        2. Conducting Professional Security Evaluations
      4. Improving Network Security
        1. Monitoring Security News
          1. Security Mailing Lists
          2. Security Websites
        2. Periodically Review Configuration Files
        3. Evaluating Sensor Placement
        4. Verifying the Security Configuration
      5. Cisco Architecture for Voice, Video, and Integrated Data (AVVID)
        1. Cisco AVVID Architecture
          1. Clients
          2. Network Platforms
          3. Intelligent Network Services
          4. Unified Control Plane
          5. Real-Time Communications
          6. Internet Business Solutions
        2. Cisco AVVID Benefits
          1. Integration
          2. Intelligence
          3. Innovation
          4. Interoperability
      6. Cisco SAFE
        1. SAFE Modular Blueprint
        2. SAFE Benefits
      7. Summary
      8. Review Questions
    15. 3. Intrusion Detection Concepts
      1. Intrusion Detection Definition
      2. IDS Alarm Terminology
        1. False Alarms
          1. False Positives
          2. False Negatives
        2. True Alarms
          1. True Positives
          2. True Negatives
      3. IDS Triggers
        1. Anomaly Detection
          1. Benefits
          2. Drawbacks
        2. Misuse Detection
          1. Benefits
          2. Drawbacks
        3. Protocol Analysis
      4. IDS Monitoring Locations
        1. Host-Based IDSs
          1. Benefits
          2. Drawbacks
        2. Network-Based IDSs
          1. Benefits
          2. Drawbacks
      5. Hybrid IDSs
        1. Benefits
        2. Drawbacks
      6. Intrusion Detection Response Techniques
        1. TCP Reset
        2. IP Blocking
        3. Logging
        4. Access Restriction
      7. Intrusion Detection Evasion Techniques
        1. Flooding
        2. Fragmentation
        3. Encryption
        4. Obfuscation
          1. Using Special Characters
          2. Using Hex Representation
          3. Using Unicode Representation
        5. TTL Manipulation
      8. Summary
      9. Review Questions
    16. 4. Cisco Intrusion Protection
      1. Cisco Intrusion Detection System (IDS) Solution Overview
        1. Intrusion Protection
          1. Enhanced Security over Classic Solutions
          2. Advanced Technology to Meet Changing Threats
          3. Increased Application Attack Resistance
          4. Effective Attack Mitigation
          5. Broad Network Visibility
          6. Greater Protection Against Known and Unpublished Threats
        2. Active Defense
          1. Detection
          2. Prevention
          3. Reaction
        3. Defense in Depth
      2. Cisco IDS Sensors
        1. Network Sensors
        2. Switch Sensors
          1. Intrusion Detection System Module (IDSM)
          2. Intrusion Detection System Module 2 (IDSM-2)
        3. Router Sensors
          1. Cisco Internetworking Operating System (IOS) IDS
          2. IDS Network Module
        4. Firewall Sensors
        5. Host Agents
      3. Cisco Threat Response
      4. Cisco Sensor Management
        1. Cisco IDS Device Manager
        2. Cisco IDS Management Center
      5. Cisco Alarm Monitoring and Reporting
        1. Cisco IDS Event Viewer
        2. Cisco IDS Security Monitor
      6. Deploying Cisco IDS
        1. Sensor Selection
          1. Network Media
          2. Performance of Intrusion Detection Analysis
          3. Network Environment
        2. Sensor Placement
          1. Internet Boundaries
          2. Extranet Boundaries
          3. Intranet Boundaries
          4. Remote-Access Boundaries
          5. Servers and Desktops
        3. Sensor Deployment Considerations
          1. Sensor Management
          2. Number of Sensors
          3. Database Management
          4. Software Updates
        4. Sensor Deployment Scenarios
          1. Internet Protection
          2. Extranet Protection
          3. Intranet Protection
          4. Remote-Access Protection
          5. Desktop and Server Protection
      7. Summary
      8. Review Questions
    17. 5. Cisco IDS Architecture
      1. Past Software Architecture
      2. Cisco IDS 4.0 Software Architecture
        1. cidWebServer
          1. Intrusion Detection System Device Manager (IDM) Servlet
          2. Event Server Servlet
          3. Transaction Server Servlet
          4. IP Log Server Servlet
        2. mainApp
        3. logApp
        4. Authentication
        5. Network Access Controller (NAC)
        6. ctlTransSource
        7. sensorApp
          1. Virtual Sensor
          2. Virtual Alarm
        8. Event Store
        9. cidCLI
      3. Cisco IDS 4.0 Communication Architecture
        1. Communication Overview
        2. Intrusion Detection Application Program Interface
        3. Remote Data Exchange Protocol
          1. Event Messages
          2. IP Log Messages
          3. Transaction Messages
      4. User Accounts and Roles
        1. Administrator
        2. Operator
        3. Viewer
        4. Service
      5. Summary
      6. Review Questions
    18. 6. Capturing Network Traffic
      1. Traffic Capture Devices
        1. Hubs
        2. Network Taps
        3. Switches
      2. Switch Port Analyzer
        1. Switched Port Analyzer (SPAN) Port Terminology
        2. Transport Control Protocol (TCP) Reset Limitations
        3. Catalyst 2900XL/3500XL Switches
          1. port monitor Command
          2. monitor session Command
        4. Catalyst 4000 and 6500 Switches
          1. set span Command (for CatOS)
      3. Remote Switch Port Analyzer
        1. set rspan Command
      4. Virtual Local-Area Network (VLAN) Access Control List
        1. Defining Interesting Traffic
        2. Configuring Virtual Local-Area Network Access Control Lists (VACLs) Using CatOS
          1. Define a Security Access Control List (ACL)
          2. Commit the VACL to Memory
          3. Map the VACL to VLANs
          4. Assign the Capture Port
        3. Configuring VACLs with the Cisco Internetworking Operating System (IOS) Firewall
          1. Create the Extended ACL
          2. Apply the ACL to an Interface or VLAN
          3. Assign the Capture Port
      5. Advanced Traffic Capturing
        1. Trunk Configuration Tasks
          1. Clear Existing VLANs
          2. Define VLANs to Capture
          3. Assign Switch Ports to VLANs
          4. Create the VACL
      6. Summary
      7. Review Questions
    19. 7. Cisco IDS Network Sensor Installation
      1. The IDS Appliance
        1. Appliance Models
          1. IDS 4210
          2. IDS 4215
          3. IDS 4235
          4. IDS 4250
          5. IDS 4250XL
        2. Appliance Restrictions
        3. Hardware Considerations
          1. Recommended Keyboards and Monitors
          2. Installing Spare Hard Drives
          3. BIOS Upgrades
          4. Swapping Interface Cards
      2. IDS Accelerator Card
        1. Installing the Accelerator Card
      3. IDS Appliance Command-Line Interface
        1. Using the CLI
          1. Prompts
          2. Help
          3. Tab Completion
          4. Command Recall
          5. Command Case Sensitivity
          6. Keywords
        2. User Roles
          1. Administrator
          2. Operator
          3. Viewer
          4. Service
        3. CLI Command Modes
          1. Privileged Exec
          2. Global Configuration
          3. Interface Command-Control Configuration
          4. Interface Group Configuration
          5. Interface Sensing Configuration
          6. Service
          7. Service Alarm-Channel-Configuration
          8. Service Host
          9. Service NetworkAccess
          10. Service Virtual-Sensor-Configuration
        4. Administrative Tasks
        5. Configuration Tasks
      4. Installing the IDS Appliance
        1. Upgrading from 3.1 to 4.0
          1. Obtaining 3.0 Appliance Configuration
          2. Installing 4.0 Software from CD
        2. Initial Configuration Tasks
          1. Accessing the CLI
          2. Running the setup Command
          3. Configuring Trusted Hosts
          4. Manually Setting the System Clock
          5. Changing your Password
          6. Adding and Removing Users
          7. Adding a Known SSH Host
      5. Summary
      6. Review Questions
    20. 8. Cisco IDS Module Configuration
      1. Cisco IDS Module (IDSM)
        1. Intrusion Detection System Module 2 (IDSM-2) Technical Specifications
          1. Performance Capabilities
          2. Catalyst 6500 Requirements
        2. Key Features
        3. IDSM versus IDSM-2
      2. IDSM-2 Configuration
        1. IDSM-2 Initialization
          1. Verifying IDSM-2 Status
          2. Initializing the IDSM-2
          3. Configuring the Command and Control Port
          4. Configuring the Switch Traffic Capture Settings
        2. IDSM-2 Ports
          1. TCP Reset Port
          2. Command and Control Port
          3. Monitoring Ports
        3. Capturing Traffic
        4. IDSM-2 Traffic Flow
      3. Catalyst 6500 Switch Configuration
        1. Configuring Command and Control Port
        2. Monitored Traffic
          1. Single IDSM-2 Using Switch Port Analyzer (SPAN)
          2. Single IDSM-2 Using VLAN Access Control Lists (VACLs)
          3. Multiple IDSM-2s Using VACLs
        3. Trunk Configuration Tasks
      4. Administrative Tasks
        1. Enabling a Full Memory Test
        2. Stopping the IDS Module
      5. Troubleshooting
        1. IDSM-2 Status Light-Emitting Diode (LED)
        2. Catalyst 6500 Commands
          1. show module Command
          2. show port Command
          3. show trunk Command
      6. Summary
      7. Review Questions
    21. 9. Cisco IDS Device Manager and Event Viewer
      1. Cisco IDS Device Manager
        1. System Requirements
        2. Installing Cisco IDS Device Manager
        3. Cisco IDS Device Manager Interface Structure
          1. Configuration Tabs
          2. Options Bar
          3. IDS Device Manager Table of Contents (TOC)
          4. Path Bar
          5. Tools Bar
          6. Instructions Box
          7. Activity Bar
          8. Content Area
        4. Accessing IDS Device Manager (IDM)
        5. Accessing Online IDM Help
        6. IDS Device Manager and Cookies
        7. IDS Device Manager and Certificates
          1. Transport Layer Security (TLS) Handshake
          2. Validating Certificate Fingerprints
      2. Cisco IDS Event Viewer
        1. System Requirements
        2. Installing Cisco IDS Event Viewer
        3. Uninstalling Cisco IDS Event Viewer
        4. Starting IDS Event Viewer
        5. Specifying IDS Devices to Monitor
          1. Adding an IDS Device
          2. Editing IDS Device Properties
          3. Deleting an IDS Device
          4. Viewing IDS Device Status
          5. Accessing the Cisco IDS Device Manager
        6. Configuring Filters
          1. Filtering on Source or Destination Address
          2. Filtering on Alarm Severity
          3. Filtering on Signature Name
          4. Filtering by IDS Device Name
          5. Filtering by Date and Time
          6. Filtering by Status
          7. Creating a Filter
          8. Editing Filter Properties
          9. Deleting a Filter
        7. Configuring Views
          1. Default Views
          2. Navigating Views
          3. Creating a View
          4. Editing View Properties
          5. Deleting a View
        8. Viewing Event Data
          1. Viewing All Columns
          2. Sorting Data in Columns
          3. Viewing Events in Realtime Dashboard
          4. Viewing Events in a Graph
        9. Working with Alarms
          1. Viewing Expanded Details Dialog Table
          2. Viewing Individual Alarms
          3. Setting Alarm Status
          4. Adding Notes to an Alarm
          5. Show Alarm Context
        10. Network Security Database (NSDB)
          1. Accessing the NSDB
          2. Signature Information
          3. Related Vulnerability Information
          4. User Notes
        11. Configuring Preferences
          1. Configuring Refresh Cycle
          2. Configuring Data Archival
        12. Configuring Application Settings
        13. Database Administration
          1. Importing Log Files
          2. Exporting Tables
          3. Deleting Alarms
      3. Summary
      4. Review Questions
    22. 10. Sensor Configuration
      1. Adding Sensors in Management Center for IDS Sensors (IDS MC)
        1. Sensor Groups
        2. Individual Sensors
      2. Configuring Network Settings
      3. Configuring Allowed Hosts
      4. Remote Access
      5. Secure Shell (SSH) Properties
        1. Defining Authorized Keys
          1. Generating the SSH Key
          2. Importing the SSH Key
        2. Generating a New Host Key
        3. Configuring SSH Known Host Keys
      6. Certificate Management
        1. Trusted Host Certificates
        2. Generating a Host Certificate
        3. Viewing Server Certificate
      7. Configuring Time
        1. Setting the Time
        2. Configuring the Time Zone
        3. Configuring an NTP Server
        4. Configuring Daylight Savings Time
          1. Configuring Recurring Daylight Savings Time
          2. Configuring Fixed Daylight Savings Time
        5. Correcting the Time
      8. Adding Users
      9. Administrative Tasks
        1. Viewing System Information
        2. Viewing Diagnostic Information
        3. Rebooting the Sensor
      10. Summary
      11. Review Questions
    23. 11. Signature Configuration
      1. Global Sensing Configuration
        1. Internal Networks
          1. Defining Internal Networks Using IDS Device Manager (IDM)
          2. Defining Internal Networks Using Management Center for IDS Sensors (IDS MC)
        2. Reassembly Options
          1. IP Fragment Reassembly
          2. TCP Stream Reassembly
          3. Configuring Reassembly Options Using IDS MC
      2. Signature Groups in IDM
        1. Signature ID
        2. Signature Engine
        3. Attack Type
        4. L2/L3/L4 Protocol
        5. Operating System
        6. Service
      3. Signature Groups in IDS MC
        1. Signature ID
      4. Signature Filtering
        1. Defining an Event Filter
          1. Event Filter Types in IDS MC
          2. Event Filter Types in IDM
        2. Filtering Process
        3. Adding an Event Filter Using IDM
        4. Adding an Event Filter Using IDS MC
      5. Signature Configuration
        1. Signature Tuning
        2. Custom Signatures
      6. Tuning a Signature
        1. Tuning Signature 6250 Using IDM
        2. Tuning Signature 6250 Using IDS MC
      7. Creating Custom Signatures
        1. Choose a Signature Engine
          1. Network Protocol
          2. Target Address
          3. Target Port
          4. Attack Type
          5. Inspection Criteria
        2. Verify Existing Functionality
        3. Define Signature Parameters
        4. Test Signature Effectiveness
        5. Custom Signature Scenario
          1. Creating Custom Signatures Using IDM
          2. Creating Custom Signatures Using IDS MC
          3. Using the IDM Signature Wizard
      8. Summary
      9. Review Questions
    24. 12. Signature Response
      1. Signature Response Overview
      2. IP Blocking
        1. IP Blocking Definitions
        2. IP Blocking Devices
          1. Cisco Routers
          2. Cisco Catalyst 6000 Switches
          3. Cisco PIX Firewalls
        3. Blocking Guidelines
          1. Antispoofing Mechanisms
          2. Critical Hosts
          3. Network Topology
          4. Entry Points
          5. Signature Selection
          6. Blocking Duration
          7. Device Login Information
          8. Interface ACL Requirements
        4. Blocking Process
        5. Access Control List (ACL) Placement Considerations
          1. External versus Internal
          2. Access Control Lists (ACLs) Versus VLAN Access Control Lists (VACLs)
          3. Using Existing ACLs
        6. Master Blocking Sensor
      3. Configuring IP Blocking
        1. Assigning the Block Action
        2. Setting Blocking Properties
          1. Setting Blocking Properties Using IDS Device Manager (IDM)
          2. Setting Blocking Properties Using Management Center for IDS Sensors (IDS MC)
        3. Defining Addresses Never to Block
          1. Defining Never-Block Addresses in IDM
          2. Defining Never-Block Addresses in IDS MC
        4. Setting Up Logical Devices
        5. Defining Blocking Devices
          1. Defining Blocking Devices Using IDM
          2. Defining Router Blocking Devices Interfaces Using IDM
          3. Defining Cat6K Blocking Devices Interfaces Using IDM
          4. Defining Blocking Devices Using IDS MC
          5. Defining Router Blocking Devices Using IDS MC
          6. Defining Catalyst 6000 Blocking Devices Using IDS MC
          7. Defining PIX Blocking Devices Using IDS MC
        6. Defining Master Blocking Sensors
          1. Configuring a Master Blocking Sensor in IDM
          2. Configuring Master Blocking Sensor in IDS MC
      4. Manual Blocking
        1. Blocking Hosts
        2. Blocking Networks
      5. IP Logging
        1. IP Logging Parameters in IDM
        2. IP Logging Parameters in IDS MC
        3. Manual IP Logging
      6. TCP Reset
      7. Summary
      8. Review Questions
    25. 13. Cisco IDS Alarms and Signatures
      1. Cisco IDS Signatures
        1. Alarm Throttle Modes
          1. FireOnce
          2. FireAll
          3. Summarize
          4. GlobalSummarize
        2. Summary Mode Escalation
        3. Regular Expression String Matching
      2. Cisco IDS Alarms
        1. Severity Levels
        2. Sensor Status Alarms
      3. Cisco IDS Signature Engines
        1. Signature Parameters
          1. Master Signature Parameters
          2. Engine-Specific Parameters
        2. Atomic Signature Engines
          1. ATOMIC.ARP Engine Parameters
          2. ATOMIC.ICMP Engine Parameters
          3. ATOMIC.IPOPTIONS Engine Parameters
          4. ATOMIC.L3.IP Engine Parameters
          5. ATOMIC.TCP Engine Parameters
          6. ATOMIC.UDP Engine Parameters
        3. Flood Signature Engines
          1. FLOOD.HOST.ICMP Engine Parameters
          2. FLOOD.HOST.UDP Engine Parameters
          3. FLOOD.NET Engine Parameters
        4. OTHER Signature Engine
        5. Service Signature Engines
          1. SERVICE.DNS Engine Parameters
          2. SERVICE.FTP Engine Parameters
          3. SERVICE.GENERIC Engine Parameters
          4. SERVICE.HTTP Engine Parameters
          5. SERVICE.IDENT Engine Parameters
          6. SERVICE.MSSQL Engine Parameters
          7. SERVICE.NTP Engine Parameters
          8. SERVICE.RPC Engine Parameters
          9. SERVICE.SMB Engine Parameters
          10. SERVICE.SNMP Engine Parameters
          11. SERVICE.SSH Engine Parameters
          12. SERVICE.SYSLOG Engine Parameters
        6. State Signature Engines
          1. STATE.STRING Engine Parameters
          2. SERVICE.SMTP Engine State Transitions
          3. STATE.STRING.CISCOLOGIN Engine State Transitions
          4. STATE.STRING.LPRFORMAT Engine State Transitions
        7. String Signature Engines
        8. Sweep Signature Engines
          1. SWEEP.HOST.ICMP Engine Parameters
          2. SWEEP.HOST.TCP Engine Parameters
          3. SWEEP.MULTI Engine Parameters
          4. SWEEP.OTHER.TCP Engine Parameters
          5. SWEEP.PORT.TCP Engine Parameters
          6. SWEEP.PORT.UDP Engine Parameters
        9. Traffic Signature Engine
        10. Trojan Signature Engine
      4. Summary
      5. Review Questions
    26. 14. Host Intrusion Prevention
      1. Endpoint Protection
        1. Zero-Day Protection
        2. Data Protection
        3. Server and Desktop Maintenance
      2. Cisco Security Agent (CSA)
        1. Attack Protection
          1. Known Malicious Behavior
          2. Policy Violations
          3. Application Profiling
        2. Deployment Overview
          1. CSA Supported Platforms
          2. CSA Installation
        3. Management Center for Cisco Security Agents
      3. Using Management Center for Cisco Security Agents
        1. Defining Security Policies
        2. Role-Based Administration
        3. Deploying CSA Policies
          1. Create Groups
          2. Build and Distribute Agent Kits
          3. Configure CSA Policies
          4. Associating Policies to Groups
          5. Generate Rules
      4. Monitoring CSA Events
        1. Status Summary
        2. Event Log
          1. Filtering by Event Characteristics
          2. Defining a Filter
        3. Event Log Management
        4. Event Monitor
        5. Event Sets
        6. Alerts
      5. Configuring Groups and Managing Hosts
        1. Configuring Groups
        2. Hosts
          1. Determining Active Hosts
          2. Determining Protected Hosts
          3. Verifying Agent Software
          4. Identifying Agents Running in Test Mode
          5. Viewing the Agent's Last Poll Time
      6. CSA Policies
        1. CSA Policy Components
          1. Allow vs. Deny
          2. Secondary Precedence
          3. Monitoring Access
          4. Mandatory Policies
          5. Querying the User
        2. Configuring Policies
        3. Understanding Rules
          1. Rules Common to Windows and UNIX
          2. Windows-Only Rules
          3. UNIX-Only Rules
        4. Using Configuration Variables
          1. File Sets
          2. Network Address Sets
          3. Network Services
          4. Registry Sets
          5. COM Component Sets
          6. Data Sets
        5. Configuring Application Classes
          1. Static Application Classes
          2. Dynamic Application Classes
        6. Global Event Correlation
      7. Agent Kits
        1. Building Agent Kits
        2. Controlling Agent Registration
      8. Distributing Software Updates
        1. Available Software Updates
        2. Scheduled Software Updates
      9. Reports
      10. Profiler
      11. Summary
      12. Review Questions
    27. 15. Cisco IDS Maintenance and Troubleshooting
      1. Software Updates
        1. IDS Software File Format
          1. Software Type
          2. Cisco IDS Version
          3. Service Pack Level
          4. Signature Version
          5. Extension
        2. Software Update Guidelines
      2. Upgrading Sensor Software
        1. Software Installation via the Command-Line Interface (CLI)
        2. Software Installation Using IDS Device Manager (IDM)
        3. Software Installation Using IDS MC
        4. Downgrading an Image
      3. Image Recovery
      4. Basic Troubleshooting
        1. show version
        2. show interfaces
          1. show interfaces command-control
          2. show interfaces sensing
          3. show interfaces group
        3. show tech-support
        4. show statistics
        5. show events
      5. Summary
      6. Review Questions
    28. 16. Enterprise IDS Management
      1. CiscoWorks
        1. Login Process
        2. Authorization Roles
        3. Adding Users
      2. Management Center for IDS Sensors (IDS MC)
        1. Architecture Overview
          1. Directories
          2. Processes
        2. Windows Installation
          1. Server Requirements
          2. Installation Process
        3. Solaris Installation
          1. Server Requirements
          2. Installation Process
        4. Client Requirements
        5. Launching IDS MC
        6. IDS MC Interface
          1. Configuration Tabs
          2. Options Bar
          3. IDS MC Table of Contents (TOC)
          4. Path Bar
          5. Instructions Box
          6. Content Area
          7. Object Bar
          8. Object Selector Handle
          9. Tools Bar
        7. Accessing Online Help in IDS MC
      3. IDS Configuration File Deployment
        1. Deployment and Generate
        2. Deployment and Approve
        3. Deployment and Deploy
          1. Deployment>Deploy>Submit Option
          2. Deploy>Pending Option
      4. Summary
      5. Review Questions
    29. 17. Enterprise IDS Monitoring and Reporting
      1. Monitoring Center for Security
        1. Server Requirements
        2. Client Requirements
        3. User Interface
          1. Configuration Tabs
          2. Options Bar
          3. Table of Contents (TOC)
          4. Path Bar
          5. Instructions Box
          6. Content Area
          7. Tools Bar
      2. Security Monitor Configuration
        1. Adding Devices
          1. Adding Remote Data Exchange Protocol (RDEP) Devices
          2. Adding PostOffice Devices
          3. Adding Internetworking Operating System (IOS) Devices
          4. Adding PIX Devices
        2. Importing Devices
        3. Event Notification
          1. Adding Event Rules
          2. Activating Event Rules
        4. Monitoring Devices
          1. Monitoring Connections
          2. Monitoring Statistics
          3. Monitoring Events
      3. Security Monitor Event Viewer
        1. Moving Columns
        2. Deleting Rows and Columns
          1. Delete>From This Grid
          2. Delete>From Database
          3. Delete>One Column
        3. Collapsing Columns
          1. Collapse>One Column
          2. Collapse>First Group
          3. Collapse>All Columns
        4. Setting the Event Expansion Boundary
        5. Expanding Columns
          1. Expand>One Column
          2. Expand>First Group
          3. Expand>All Columns
        6. Suspending and Resuming New Events
        7. Changing Display Preferences
          1. Actions
          2. Cells
          3. Sort By
          4. Boundaries
          5. Event Severity Indicator
          6. Database
        8. Creating Graphs
          1. By Child
          2. By Time
        9. View
          1. Context Buffer
          2. Host Names
          3. Network Security Database
          4. Statistics
      4. Security Monitor Administration
        1. Database Maintenance
        2. System Configuration Settings
        3. Defining Event Viewer Preferences
      5. Security Monitor Reports
        1. Defining the Report
          1. Scheduling the Report
          2. Viewing the Report
      6. Summary
      7. Review Questions
    30. 18. Cisco Threat Response
      1. Overview
        1. Benefits
          1. Basic Investigation
          2. Advanced Investigation
          3. Forensic Data Capture
        2. Terms and Definitions
        3. Investigation Levels
          1. Level 0 Investigation
          2. Level 1 Investigation
          3. Level 2 Investigation
        4. Predefined Policy Types
          1. Default Policy
          2. Downgrade All
          3. Downgrade and Clear All
          4. Upgrade All
          5. Ignore DNS Activity
          6. Ignore Threat Response Activity
      2. Cisco Threat Response (CTR) Requirements
        1. System Requirements
          1. Server Requirements
          2. Client Requirements
        2. IDS Requirements
        3. Firewall Settings
        4. Migration to CiscoWorks VPN/Security Management Solution
      3. Software Installation
        1. Accessing the CTR Graphical User Interface (GUI)
        2. Quick Start
          1. Server Pass Phrase
          2. Automatic Update Information
          3. Security Zones
          4. IDS Sensors
          5. Initial Configuration
        3. Using Cisco Threat Response
          1. Home Page
          2. Alarms Page
          3. Reports Page
          4. Config Page
      4. Basic Configuration
        1. Defining Alarm Sources
        2. Configuring Security Zones
          1. Defining a Security Zone
          2. Policy Order
        3. Defining Protected Systems
          1. Defining Protected Hosts
          2. Defining Protected Domains
      5. Advanced Configuration
      6. Alarms and Reports
        1. Displaying Alarms
          1. Icon Bar
          2. Alarm Status Buttons
          3. Display Button
          4. Time Button
          5. Alarm Filter Pane
          6. Alarm Filter Tabs
          7. Critical Alarm Pane
          8. Under-Investigation Alarm Pane
          9. Downgraded Alarm Pane
        2. Filtering Alarms
          1. Filtering Alarms by Source Addresses
          2. Filtering Alarms by Target Addresses
          3. Filtering Alarms by Events
        3. Generating Reports
          1. Alarm Reports
          2. Configuration Reports
      7. Maintenance
        1. Auto Update
        2. Users
      8. Summary
      9. Review Questions
    31. 19. Cisco Intrusion Protection System Upcoming Functionality
      1. Cisco Intrusion Protection System Overview
        1. Accurate Threat Detection
        2. Intelligent Threat Investigation
        3. Ease of Management
        4. Flexible Deployment Options
      2. New Hardware Platforms
        1. 4215 Appliance Sensor
        2. Router Network Module
      3. New Software Functionality
        1. Multiple Interface Support
        2. Capture Packet
      4. In-Line IDS Processing
      5. New Signatures
        1. S44 Signature Update
        2. S46 Signature Update
      6. Management
      7. Host Intrusion Prevention (HIP)
      8. Summary
    32. A. Cisco Intrusion Protection Solution Tuning: Case Studies
      1. Sensor Deployment: Network Scenario
        1. Network Perimeter
        2. Dialup Access
        3. Extranet Connection
        4. Intranet Boundary
        5. Telecommuter Access
        6. Demilitarized Zone (DMZ)
      2. Blocking and TCP Reset Using IDSM-2 Scenario
        1. Configure an Access Control List (ACL)
        2. Create a Virtual Local Area Network (VLAN) Access Map
          1. Match the ACL to the Access Map
          2. Define the Action for the Access Map
        3. Apply the Access Map to VLANs
        4. Configure Capture Ports
        5. Configure the TCP Reset Port
      3. Multiple IDSM-2 Blades Scenario
        1. Defining a Security ACL
        2. Commit the VACL to Memory
        3. Map the VACL to the VLAN(s)
        4. Assign the Capture Ports
        5. Modifying Trunking on Capture Ports
      4. Custom Signature Scenario
        1. Create a Custom ATOMIC.TCP Signature
        2. Create an Exclude Filter
        3. Create an Include Filter
      5. Signature Tuning Scenario
    33. B. Answers to Chapter Review Questions
      1. Chapter 1
      2. Chapter 2
      3. Chapter 3
      4. Chapter 4
      5. Chapter 5
      6. Chapter 6
      7. Chapter 7
      8. Chapter 8
      9. Chapter 9
      10. Chapter 10
      11. Chapter 11
      12. Chapter 12
      13. Chapter 13
      14. Chapter 14
      15. Chapter 15
      16. Chapter 16
      17. Chapter 17
      18. Chapter 18
    34. Glossary