Official self-study test preparation guide for the Cisco IPS exam 642-532   The official study guide helps you master all the topics on the IPS exam, including: IPS concepts Command-line interface (CLI) and IPS Device Manager (IDM) configuration modes Basic sensor and IPS signature configuration IPS signature engines Sensor tuning IPS event monitoring Sensor maintenance Verifying system configuration Using the Cisco IDS Module (IDSM) and Cisco IDS Network Module Capturing network traffic CCSP IPS Exam Certification Guide is a best of breed Cisco® exam study guide that focuses specifically on the objectives for the IPS exam. Cisco Security Test Engineer Earl Carter shares preparation hints and test-taking tips, helping you identify areas of weakness and improve your Intrusion Prevention System (IPS) knowledge. Material is presented in a concise manner, focusing on increasing your understanding and retention of exam topics.   CCSP IPS Exam Certification Guide presents you with an organized test preparation routine through the use of proven series elements and techniques. “Do I Know This Already” quizzes open each chapter and allow you to decide how much time you need to spend on each section. Exam topic lists and Foundation Summary materials make referencing easy and give you a quick refresher whenever you need it. Challenging chapter-ending review questions help you assess your knowledge and reinforce key concepts. The companion CD-ROM contains a powerful testing engine that allows you to focus on individual topic areas or take complete, timed exams. The assessment engine also tracks your performance and provides feedback on a module-by-module basis, presenting question-by-question remediation to the text. Well-regarded for its level of detail, assessment features, and challenging review questions and exercises, this book helps you master the concepts and techniques that will enable you to succeed on the exam the first time.   CCSP IPS Exam Certification Guide is part of a recommended learning path from Cisco Systems® that includes simulation and hands-on training from authorized Cisco Learning Partners and self-study products from Cisco Press. To find out more about instructor-led training, e-learning, and hands-on instruction offered by authorized Cisco Learning Partners worldwide, please visit www.cisco.com/go/authorizedtraining.    Companion CD-ROM The CD-ROM contains an electronic copy of the book and more than 200 practice questions for the IPS exam, all available in study mode, test mode, and flash-card format.   This volume is part of the Exam Certification Guide Series from Cisco Press®. Books in this series provide officially developed exam preparation materials that offer assessment, review, and practice to help Cisco Career Certification candidates identify weaknesses, concentrate their study efforts, and enhance their confidence as exam day nears.  

Table of Contents:
            Foreword             Introduction Part I    Cisco IPS Overview Chapter 1       Cisco Intrusion Prevention  System (IPS) Overview “Do I Know This Already?” Quiz Foundation and Supplemental Topics Cisco Intrusion Prevention Solution Intrusion Prevention Overview Intrusion-Prevention Terminology IPS/IDS Triggers Anomaly Detection Misuse Detection Protocol Analysis IPS/IDS Monitoring Locations Host-Based Network-Based Cisco Hybrid IPS/IDS Solution Risk Rating Event Severity Signature Fidelity Asset Value of Target Meta-Event Generator Inline Deep-Packet Inspection Cisco Intrusion Prevention System Hardware Cisco IDS 4200 Series Network Sensors Cisco 4215 Appliance Sensor Cisco 4235 Appliance Sensor Cisco 4240 Diskless Appliance Sensor Cisco 4250 Appliance Sensor Cisco 4250XL Appliance Sensor Cisco 4255 Diskless Appliance Sensor Cisco IDSM-2 for Catalyst 6500 Cisco IDS Network Module for Access Routers Router Sensor Firewall Sensor Inline Sensor Support Inline Mode Versus Promiscuous Mode Software Bypass Auto Mode Off Mode On Mode Cisco Sensor Deployment Internet Boundaries Extranet Boundaries Intranet Boundaries Remote Access Boundaries Servers and Desktops Sensor Deployment Considerations Sensor Placement Sensor Management and Monitoring Options Number of Sensors External Sensor Communications Cisco Sensor Communications Protocols Secure Shell Transport Layer Security (TLS)/Secure Socket Layer (SSL) Remote Data Exchange Protocol Event Messages IP Log Messages Transaction Messages Security Device Event Exchange Standard Cisco Sensor Software Architecture cidWebServer IDM Servlet Event Server Servlet Transaction Server Servlet IP Log Server Servlet mainApp logApp authentication Network Access Controller (NAC) ctlTransSource sensorApp Event Store cidCLI Foundation Summary Q&A Part II   Cisco IPS Configuration Chapter 2       IPS Command-Line Interface “Do I Know This Already?” Quiz Foundation and Supplemental Topics Sensor Installation Installing 5.0 Software via the Network Installing 5.0 Software from a CD Sensor Initialization Accessing the CLI Running the setup Command Creating the Service Account Manually Setting the System Clock Changing your Password Adding and Removing Users Adding a Known SSH Host IPS CLI Using the Sensor CLI Prompts Help Tab Completion Command Recall Command Case Sensitivity Keywords User Roles Administrator Operator Viewer Service CLI Command Modes Privileged Exec Global Configuration Service Service Analysis-Engine Service Authentication Service Event-Action-Rules Service Host Service Interface Service Logger Service Network-Access Service Notification Service Signature-Definition Service SSH-Known-Hosts Service Trusted-Certificates Service Web-Server Administrative Tasks Configuration Tasks Foundation Summary Q&A Chapter 3       Cisco IPS Device Manager (IDM) “Do I Know This Already?” Quiz Foundation and Supplemental Topics Cisco IPS Device Manager System Requirements for IDM Navigating IDM Configuration Sensor Setup Interface Configuration Analysis Engine Signature Definition Event Action Rules Blocking Simple Network Management Protocol Auto Update Monitoring Back Forward Refresh Help Configuring Communication Parameters Using IDM Foundation Summary Q&A Chapter 4       Basic Sensor Configuration “Do I Know This Already?” Quiz Foundation and Supplemental Topics Basic Sensor Configuration Sensor Host Configuration Tasks Configuring Allowed Hosts Configuring Sensor User Accounts Configuring the Sensor’s Time Parameters Manually Setting the Clock Configuring the NTP Server Settings Configuring the Time Zone Configuring the Summertime Settings Configuring SSH Hosts Interface Configuration Tasks Enabling Monitoring Interfaces Editing Monitoring Interface Parameters Configuring Inline Interface Pairs Configuring Inline Software Bypass Configuring Traffic Flow Notifications Analysis Engine Configuration Tasks Foundation Summary Q&A Chapter 5       Basic Cisco IPS Signature Configuration “Do I Know This Already?” Quiz Foundation and Supplemental Topics Configuring Cisco IPS Signatures Signature Groups Displaying Signatures by Attack Displaying Signatures by L2/L3/L4 Protocol Displaying Signatures by Operating System Displaying Signatures by Signature Release Displaying Signatures by Service Displaying Signatures by Signature Identification Displaying Signatures by Signature Name Displaying Signatures by Response Action Displaying Signatures by Signature Engine Alarm Summary Modes Fire Once Fire All Alarm Summarization Variable Alarm Summarization Basic Signature Configuration Viewing NSDB Information Signature Information Related Threats Information Viewing NSDB Information Enabling Signatures Creating New Signatures Editing Existing Signatures Retiring Signatures Defining Signature Responses Foundation Summary Q&A Chapter 6       Cisco IPS Signature Engines “Do I Know This Already?” Quiz Foundation and Supplemental Topics Cisco IPS Signatures Cisco IPS Signature Engines Signature Parameters Application Inspection and Control Signature Engines AIC FTP Signature Engine Parameters AIC HTTP Signature Engine Parameters Content Types Parameters Define Web Traffic Policy Parameters Msg Body Pattern Parameters Request Methods Parameters Transfer Encodings Parameters Atomic Signature Engines Atomic ARP Engine Parameters Atomic IP Engine Parameters Atomic IP ICMP Parameters Atomic IP TCP Parameters Atomic IP UDP Parameters Atomic IP Payload Parameters Flood Signature Engines Flood Host Engine Parameters Flood Host ICMP Parameters Flood Host UDP Parameters Flood Net Engine Parameters Meta Signature Engine Normalizer Signature Engine Service Signature Engines Service DNS Engine Parameters Service FTP Engine Parameters Service Generic Engine Parameters Service H225 Engine Parameters Service HTTP Engine Parameters Service Ident Engine Parameters Service MSSQL Engine Parameters Service NTP Engine Parameters Service RPC Engine Parameters Service SMB Engine Parameters Service SNMP Engine Parameters Service SSH Engine Parameters State Signature Engine Cisco Login States LPR Format String States SMTP States String Signature Engines String ICMP Engine Specific Parameters String TCP Engine-Specific Parameters Sweep Signature Engines Sweep Signature Engine Parameters Unique ICMP Sweep Parameters Unique TCP Sweep Parameters Sweep Other TCP Signature Engine Parameters Trojan Horse Signature Engines Foundation Summary Q&A Chapter 7       Advanced Signature Configuration “Do I Know This Already?” Quiz Foundation and Supplemental Topics Advanced Signature Configuration Regular Expressions String Matching Signature Fields Basic Signature Fields Signature Description Fields Engine-Specific Fields Event Counter Fields Alert Frequency Fields Status Fields Meta-Event Generator Understanding HTTP and FTP Application Policy Enforcement Tuning an Existing Signature Tuning Example Creating a Custom Signature Choose a Signature Engine Network Protocol Target Address Target Port Attack Type Inspection Criteria Verify Existing Functionality Define Signature Parameters Test Signature Effectiveness Custom Signature Scenario Creating Custom Signatures Using IDM Using IDM Custom Signature Wizard Cloning an Existing Signature Foundation Summary Q&A Chapter 8       Sensor Tuning “Do I Know This Already?” Quiz Foundation and Supplemental Topics IDS Evasion Techniques Flooding Fragmentation Encryption Obfuscation Using Control Characters Using Hex Representation Using Unicode Representation TTL Manipulation Tuning the Sensor Configuring IP Log Settings Configuring Application Policy Settings Configuring Reassembly Options Fragment Reassembly Stream Reassembly Configuring Reassembly Options Event Configuration Event Variables Target Value Rating Event Action Override Event Action Filters Foundation Summary Q&A Part III  Cisco IPS Response Configuration Chapter 9       Cisco IPS Response Configuration “Do I Know This Already?” Quiz Foundation and Supplemental Topics Cisco IPS Response Overview Inline Actions Deny Packet Inline Deny Connection Inline Deny Attacker Inline Configuring Deny Attacker Duration Parameter Logging Actions Log Attacker Packets Log Pair Packets Log Victim Packets Manual IP Logging IP Blocking IP Blocking Definitions IP Blocking Devices Cisco Routers Cisco Catalyst 6000 Switches Cisco PIX Firewalls Blocking Guidelines Antispoofing Mechanisms Critical Hosts Network Topology Entry Points Signature Selection Blocking Duration Device Login Information Interface ACL Requirements Blocking Process ACL Placement Considerations External Versus Internal ACLs Versus VACLs Using Existing ACLs Master Blocking Sensor Configuring IP Blocking Assigning a Blocking Action Setting Blocking Properties Setting Blocking Properties via IDM Defining Addresses Never to Block Setting Up Logical Devices Defining Blocking Devices Defining Blocking Devices Using IDM Defining Router Blocking Devices Interfaces Using IDM Defining Cat6K Blocking Device Interfaces Using IDM Defining Master Blocking Sensors Configuring a Master Blocking Sensor in IDM Manual Blocking Blocking Hosts Blocking Networks TCP Reset Foundation Summary Q&A Part IV Cisco IPS Event Monitoring Chapter 10     Alarm Monitoring and Management “Do I Know This Already?” Quiz Foundation and Supplemental Topics CiscoWorks 2000 Login Process Authorization Roles Adding Users Security Monitor Installing Security Monitor  Windows Installation Server Requirements Client Requirements Security Monitor User Interface Configuration Tabs Options Bar TOC Path Bar Instruction Box Content Area Tools Bar Security Monitor Configuration Adding Devices Adding RDEP Devices Adding PostOffice Devices Adding IOS Devices Adding PIX Devices Importing Devices Event Notification Adding Event Rules Activating Event Rules Monitoring Devices Monitoring Connections Monitoring Statistics Monitoring Events Security Monitor Event Viewer Moving Columns Deleting Rows and Columns Delete from This Grid Delete from Database Delete Column Collapsing Rows Collapse > First Group Collapse > All Rows Expanding Rows Expand > First Group Expand > All Rows Suspending and Resuming New Events Changing Display Preferences Actions Cells Sort By Boundaries Severity Indicator Database Creating Graphs By Child By Time Tools Pull-Down Menu Options Explanation Trigger Packet IP Logs Statistics Options Resolving Host Names Security Monitor Administration Data Management System Configuration Settings Defining Event Viewer Preferences Security Monitor Reports Defining the Report Running the Report Viewing the Report Foundation Summary Q&A Part V  Cisco IPS Maintenance and Tuning Chapter 11     Sensor Maintenance “Do I Know This Already?” Quiz Foundation and Supplemental Topics Sensor Maintenance Software Updates IPS Software File Format Software Type Cisco IPS Version Service Pack Level Signature Version Extension Software Update Guidelines Upgrading Sensor Software Saving Current Configuration Software Installation via CLI Software Installation Using IDM Configuring Automatic Software Updates Using IDM Downgrading an Image Updating the Sensor’s License Image Recovery Restoring Default Sensor Configuration Restoring Default Configuration Using the CLI Restoring Default Configuration Using IDM Resetting and Powering Down the Sensor Resetting the Sensor Using the Sensor CLI Resetting the Sensor Using IDM Foundation Summary Q&A Chapter 12     Verifying System Configuration “Do I Know This Already?” Quiz Foundation and Supplemental Topics Verifying System Configuration Viewing Sensor Configuration Displaying Software Version Displaying Sensor Configuration Displaying Sensor PEP Inventory Viewing Sensor Statistics Viewing Sensor Events Viewing Events Using the CLI Viewing Events Using IDM Selecting Event Types Selecting Time Frame for Events Using the IDM Event Viewer Debugging Sensor Operation Verifying Interface Operation Capturing Packets Generating Tech-Support Output Sensor SNMP Access Enabling SNMP Traps by Using the Sensor CLI Enabling SNMP Traps Using IDM Foundation Summary Q&A Chapter 13     Cisco IDS Module (IDSM) “Do I Know This Already?” Quiz Foundation and Supplemental Topics Cisco IDS Module IDSM-2 Technical Specifications Performance Capabilities Catalyst 6500 Requirements Key Features IDSM-2 Traffic Flow IDSM-2 Configuration Verifying IDSM-2 Status Initializing the IDSM-2 Accessing the IDSM-2 CLI Logging in to the IDSM-2 Configuring the Command and Control Port Configuring the Switch Traffic Capture Settings IDSM-2 Ports TCP Reset Port Command and Control Port Monitoring Ports Catalyst 6500 Switch Configuration Configuring the Command and Control Port Setting VLANs by Using IOS Setting VLANs by Using CatOS Monitored Traffic IDSM-2 Administrative Tasks Enabling Full Memory Test Stopping the IDS Module Troubleshooting the IDSM-2 IDSM-2 Status LED Catalyst 6500 Commands show module Command show port Command show trunk Command Foundation Summary Q&A Chapter 14     Cisco IDS Network Module for†Access Routers “Do I Know This Already?” Quiz Foundation and Supplemental Topics NM-CIDS Overview NM-CIDS Key Features NM-CIDS Specifications NM-CIDS Front Panel Traditional Appliance Sensor Network Architecture NM-CIDS Network Architecture NM-CIDS Hardware Architecture NM-CIDS Internal Fast Ethernet Interface NM-CIDS External Fast Ethernet Interface Internal Universal Asynchronous Receiver/Transmitter Interface NM-CIDS Disk, Flash, and Memory Traffic Capture for NM-CIDS Cisco IOS Features Access Control Lists and NM-CIDS Encryption and NM-CIDS Inside NAT and NM-CIDS Outside NAT and NM-CIDS IP Multicast, IP Broadcast, and UDP Flooding and NM-CIDS GRE Tunnels and NM-CIDS Packets Not Forwarded to NM-CIDS NM-CIDS Installation and Configuration Tasks Installing the NM-CIDS Inserting the NM-CIDS into a Router Connecting the NM-CIDS to the Network Verifying That the Router Recognizes the NM-CIDS Verifying That Cisco IOS-IDS is Not Running Configuring the Internal ids-sensor Interface Verifying the NM-CIDS Slot Number Enabling CEF Configuring the Interface Assigning the Clock Settings Using the Router Time Source Using an NTP Time Source Configuring NM-CIDS Clock Mode Setting Up Packet Monitoring Logging In to NM-CIDS Console Accessing NM-CIDS via a Session Accessing NM-CIDS via Telnet NM-CIDS Login Performing Initial Sensor Configuration NM-CIDS Maintenance Tasks Reloading the NM-CIDS Resetting the NM-CIDS Shutting Down the NM-CIDS Viewing the NM-CIDS Status Recovering the NM-CIDS Software Image Configuring the Boot Loader Booting the Helper Image Selecting the File Transfer Method Installing the Application Image Booting the Application Image Configuring the IPS Application Foundation Summary Q&A Chapter 15     Capturing Network Traffic “Do I Know This Already?” Quiz Foundation and Supplemental Topics Capturing Network Traffic Capturing Traffic for Inline Mode Capturing Traffic for Promiscuous Mode Traffic Capture Devices Hub Traffic Flow Network Tap Traffic Flow Switch Traffic Flow Switch Capture Mechanisms Switched Port Analyzer Remote Switched Port Analyzer VLAN Access Control Lists TCP Resets and Switches Configuring SPAN for Catalyst 4500 and 6500 Traffic Capture The monitor session Command Configuring RSPAN for Catalyst 4500 and 6500 Traffic Capture Configuring VACLs for Catalyst 6500 Traffic Capture Configure an ACL Create a VLAN Access Map Match ACL to Access Map Define Action for Access Map Apply Access Map to VLANs Configure Capture Ports Configuring VACLs for Traffic Capture With Cisco Catalyst 6500 IOS Firewall Configure the Extended ACL Apply ACL to an Interface or VLAN Assign the Capture Port Advanced Catalyst 6500 Traffic Capture Configure Destination Port Define Trunks to Capture Assign Switch Ports to VLANs Create the VACL Foundation Summary Q&A Appendix       Answers to the “Do I Know This†Already?” Quizzes and Q&A†Questions Chapter 1 Chapter 2 Chapter 3 Chapter 4 Chapter 5 Chapter 6 Chapter 7 Chapter 8 Chapter 9 Chapter 10 Chapter 11 Chapter 12 Chapter 13 Chapter 14 Chapter 15 Index