This book covers the published topics of the CCSP IPS exam (see "CCSP IPS Exam Topics" in this introduction). The book focuses on familiarizing you with the exam topics and providing you assessment and preparation tools. There is also a wealth of explanatory text, configuration and output examples, figures, diagrams, notes, sidebars, and tables to help you master the exam topics. Each chapter begins with a "Do I Know This Already?" quiz made up of multiple choice questions to help you assess your knowledge of the topics presented in the chapter. After that, each chapter contains a "Foundation and Supplemental Topics" section with detailed information on the exam topics covered in that chapter. A "Foundation Summary" section follows. The "Foundation Summary" section contains chapter highlights in condensed format. This makes for excellent quick review and study the night before the exam. The "Foundation Summary" sections of each chapter are available in printable format from the main menu of the CD-ROM. Each chapter ends with a "Q&A" section of short-answer questions that are designed to highlight the major concepts in the chapter. The purpose of the review questions is to test your knowledge of the information through open-ended questions that require a detailed understanding of the material to answer correctly and completely. The answers to the review questions are included in the appendix.
The CD-ROM includes a database of sample exam questions that you can use to take a full practice exam or focus on a particular topic. When you view your results, note your areas of deficiency and follow up with extra study in those areas.
As with any Cisco certification exam, you should be thoroughly prepared before taking the CCSP IPS exam. There is no way to determine exactly what questions will be on the exam, so the best way to prepare is to have a good working knowledge of all subjects covered on the exam. As you will see, this book does a thorough job of presenting the topics on the exam and providing you with information and assessment tools for mastering them.
You should combine preparation resources, labs, and practice tests with a solid knowledge of the exam topics (see "CCSP IPS Exam Topics" in this introduction). This guide integrates several practice questions and assessment tools with a thorough description of the exam topics to help you better prepare. Of course, if possible you will want to get some hands-on time with an IPS sensor and Security Monitor. There is no substitute for experience, and it is much easier to understand the commands and concepts when you can see alerts generated in real time. For this reason, this book provides configuration and output examples, diagrams and figures, and tables in addition to explanatory text to help you master these topics.
Besides hands-on experience, Cisco.com provides a wealth of information on the Cisco IPS solution and all of the products that it interacts with. Remember, no single source can adequately prepare you for the CCSP IPS exam unless you already have extensive experience with Cisco products and a background in networking or network security. At a minimum, you will want to use this book in conjunction with resources at the "Technical Support & Documentation" page on Cisco.com (http://www.cisco.com/public/support/tac/home.shtml) to prepare for this exam.
After completing a number of certification exams, I have found that you cannot completely know if you are adequately prepared for the exam until you have completed about a third of the questions (during the actual exam). At that point, if you are not prepared, it is too late. Be sure that you prepare for the correct exam. This book covers material for the CCSP IPS exam. The best way to assess your current understanding of the material is to work through the "Do I Know This Already?" quizzes, the Q&A questions, and the CD-ROM practice questions with this book. Use your results to identify areas of deficiency. Then use this book and Cisco resources to improve in these areas. It is best to work your way through the entire book unless you can easily answer the questions for a particular topic. Even then, it is helpful to at least review the "Foundation Summary" section of a chapter before moving on.
Table I-1 contains a list of all of the CCSP IPS exam topics. The table indicates the chapter where each topic is covered, so you can use this as a reference when you want to study a particular topic.
Table I-1. CCSP IPS Exam Topics by Chapter
Topic | Chapter Where Topic Is Covered |
|---|
Identify the Cisco IDS/IPS sensor platforms and describe their features. |
Identify the network sensor appliances that are currently available and describe their features. | 1 |
Identify the interfaces and ports on the various sensor appliances. | 1 |
Describe the Cisco NM-CIDS. | 1, 14 |
Explain how the NM-CIDS works. | 14 |
List the tasks for configuring the NM-CIDS. | 14 |
Describe the Cisco IDSM-2. | 1, 13 |
Describe the IDSM-2 features. | 13 |
List tasks for configuring the IDSM-2. | 13 |
Distinguish between the functions of the various IDSM-2 ports. | 13 |
Explain the various intrusion detection technologies and evasive techniques. |
Define intrusion detection. | 1 |
Define intrusion prevention. | 1 |
Explain the difference between promiscuous and inline intrusion protection. | 1 |
List the network devices involved in capturing traffic for intrusion detection analysis and explain when they are needed. | 15 |
Explain the similarities and differences among the various intrusion detection technologies. | 1 |
Explain the differences between Host IPS and Network IPS. | 1 |
Describe Cisco IPS signatures, alarms, and actions. | 5, 7, 9 |
Explain the difference between true and false and positive and negative alarms. | 1 |
Explain the evasive techniques used by hackers and how Cisco IDS/IPS defeats those techniques. | 8 |
Install and initialize a Cisco IDS/IPS sensor. |
Describe the considerations necessary for selection, placement, and deployment of a network intrusion prevention system. | 1 |
Install a sensor appliance in the network. | 2 |
Install an NM-CIDS in a Cisco router. | 14 |
Install an IDSM-2 in a Cisco Catalyst 6500 switch. | 13 |
Obtain management access to a sensor appliance. | 2 |
Obtain management access to an NM-CIDS. | 14 |
Obtain management access to an IDSM-2. | 13 |
Describe the various CLI modes. | 2 |
Navigate the sensor CLI. | 2 |
Use the CLI to install the sensor software image. | 2 |
Use the CLI to initialize the sensor. | 2 |
Describe essential sensor settings and explain how they can be used to meet the requirements of a given security policy. |
Describe allowed hosts. | 2, 4 |
Describe user accounts. | 2 |
Describe interfaces and interface pairs. | 3 |
Define traffic flow notification. | 3, 4 |
Describe software bypass mode. | 1 |
Use the IDM to perform essential sensor configuration and administrative tasks. |
Configure network settings. | 2, 3 |
Configure allowed hosts. | 4 |
Set the time. | 4 |
Create and manage user accounts. | 4 |
Configure interfaces and interface pairs. | 4 |
Configure traffic flow notification. | 4 |
Configure software bypass mode. | 4 |
Use the IDM to configure SSL/TLS and SSH communications. | 4 |
Monitor events. | 10 |
Shut down and reboot the sensor. | 11 |
Use the sensor CLI to perform essential configuration and administrative tasks. |
Perform a configuration backup. | 11 |
Verify the configuration. | 12 |
Use general troubleshooting commands. | 12 |
Monitor events. | 12 |
Describe Cisco IDS/IPS signatures and alerts. |
Explain the Cisco IDS/IPS signature features. | 1, 5, 7 |
Explain how signatures protect your network. | 3, 5 |
Describe signature actions. | 9 |
Explain how the sensor sends SNMP traps. | 12 |
Describe signature engines and their purposes. | 6 |
Describe the engine parameters that are common to all engines and explain how they are used. | 6 |
Describe the engine-specific engine parameters and explain how they are used. | 6 |
Describe IPS alerts. | 5 |
Explain the fields in a Cisco IDS/IPS alert. | 5 |
Explain how signatures can be tuned to work optimally in a specific environment. | 7 |
Describe the use of custom signatures. | 7 |
Use the IDM to configure signatures to meet the requirements of a given security policy. |
Enable and disable signatures. | 5 |
Tune a signature to perform optimally in a given network, including configuring signature actions, common engine parameters, and engine-specific parameters. | 7 |
Create custom signatures. | 7 |
Configure the sensor to send SNMP traps to an SNMP management station. | 12 |
Explain how to tune a Cisco IDS/IPS sensor so that it provides the most beneficial and efficient intrusion protection solution. |
Define sensor tuning. | 8 |
Describe sensor tuning methods. | 8 |
Describe the IP logging capabilities of the sensor. | 8, 9 |
Explain IP fragment and TCP stream reassembly options. | 8 |
Describe Event Action Rules. | 8 |
Describe Meta events. | 1, 7 |
Use the IDM to tune a Cisco IDS/IPS sensor so that it provides the most beneficial and efficient intrusion protection solution. |
Configure IP logging. | 8 |
Configure IP fragment and TCP stream reassembly options. | 8 |
Configure Event Action Rules. | 8 |
Configure Meta events. | 7 |
Explain how to maintain a Cisco IDS/IPS sensor appliance, the IDSM-2, and the NM-CIDS. |
Describe the sensor image types. | 11 |
Describe sensor image file names. | 11 |
Describe service pack updates. | 11 |
Describe service pack file names. | 11 |
Describe signature updates. | 11 |
Describe signature update file names. | 11 |
Describe maintenance tasks unique to the NM-CIDS. | 14 |
Use the CLI and the IDM to maintain the Cisco IDS/IPS sensor appliance, the IDSM-2, and the NM-CIDS. |
Use the CLI to upgrade the sensor image. | 11 |
Use the CLI to recover the sensor software image. | 11 |
Use the IDM to install IDS signature updates and service packs. | 11 |
Use the IDM to configure automatic updates. | 11 |
Use the IDM to restore the sensor default configuration. | 11 |
Use the IDM to reboot and shut down the sensor. | 11 |
Use the IDM to update the sensor license. | 11 |
Monitor the health and welfare of the sensor. |
Describe sensor error and status events. | 12 |
Describe the Cisco Product Evolution Program (PEP). | 12 |
Display PEP information. | 12 |
Use general CLI troubleshooting commands. | 12 |
Use the IDM to run a diagnostics report. | 12 |
Use the IDM to view sensor statistics. | 12 |
Use the IDM to obtain system information. | 12 |
Explain how SNMP can be used to monitor the sensor. | 3 |
Configure the sensor for monitoring by SNMP. | 12 |
Verify the status of the NM-CIDS. | 14 |
Verify the status of the IDSM-2. | 13 |
Describe the Cisco IDS/IPS architecture. |
List the Cisco IDS/IPS services and describe their functions. | 1 |
Explain how the sensor communicates with external management and monitoring systems. | 1 |
Describe Cisco IDS/IPS configuration file format. | 1 |
Describe Cisco IDS/IPS event format. | 1 |
Describe sensor management and monitoring options. | 1, 2, 3 |
Explain the features, benefits, and system requirements of the IDM. | 3 |
Explain blocking concepts. |
Describe the device management capability of the sensor and how it is used to perform blocking with a Cisco device. | 3, 9 |
Design a Cisco IDS/IPS blocking solution. | 3, 9 |
Use the IDM to configure blocking for a given scenario. |
Configure a sensor to use a Cisco device for blocking. | 9 |
Configure a sensor to use a Master Blocking Sensor. | 9 |
