Response actions: This enables the sensor to take action in response to a triggered event, such as denying a packet, creating an alert, resetting the TCP connection, or denying the attacker's future packets for a period of time.
Alarm summarization: This helps prevent resource exhaustion by summarizing events that are all the same, or at least the same signature. Under heavy attack, a summary may show that the attack happened 15,000 times as opposed to producing 15,000 individual alerts. Summarization is tunable on both the IOS IPS and the appliances.
Threshold configuration
Anti-evasive techniques: Similar to the appliances, the intelligence in the IOS IPS is designed to correctly interpret the actual data regardless of whether it is fragmented or uses a combination of character sets, such as Unicode.
Risk ratings: A calculated number between 0 and 100 associated with an alert. The higher the number, the more risk is presumed. Identifying your critical servers/hosts enables the system to generate higher risk ratings when signatures to those devices are matched. Those higher risk ratings can then trigger countermeasures against the attack(s).
Configure > Security > Intrusion Prevention, then click Launch IPS Rule Wizard.
a. If the Security Device Event Exchange (SDEE) protocol has not been enabled yet, you will be prompted to do so. Click OK.
4. A subscription is opened to the router to get SDEE events; a subscription is the term used to describe a connection to an IPS device that sends alerts via SDEE and manages the IPS. Click OK.
2. The interfaces that are currently on the router are shown. Usually inbound should be chosen, on the interface(s) facing the less trusted network, such as the Internet. Click NEXT.
3. Select the ZIP file on the local computer, use FTP, or specify its location on the router flash; click OK.
4. Cisco signs its signature files so that they can be verified (to make sure you aren't downloading malicious signatures).
a. The public key is found with the signatures downloaded from Cisco.
5. Click NEXT.
7. The Advanced category has more than 1000 signatures; choose it if you have plenty of CPU and memory, otherwise pick the Basic category with fewer than 500 signatures enabled.
a. Click NEXT.
8. Compiling will take up to 5 minutes, and a smaller router will utilize the CPU up to 100%.
a. See the CLI output while the signatures are compiled into micro-engines.
[Figure residue: signature status columns Disabled, Retired, Unretired]
4. A ping should now trigger an alert and whatever actions you chose. The example below shows a workstation pinging the router's interface that has IPS enabled.
2. SDEE Log
3. You can also get here by going to Monitor > Router > Logging and clicking the SDEE Message Log tab.
4. Filter by clicking the drop-down menu next to SDEE Messages and selecting one of the four filtering options:
a. All
b. Error
c. Status
d. Alerts
5. You can also click the Search button to search for a source or destination IP address or specific text.
6. Another way
a. Monitor > Security > IPS Status, then click the IPS Alert Statistics tab.
b. Color codes are based on risk rating, as shown below.
c. Risk rating is important because you can configure something called an event action override, which automatically initiates countermeasures based on the resulting risk rating.
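The alarm summarization and risk-rating behaviour described in the feature list above, and the event action override mentioned under IPS Alert Statistics, modelled in a small Python simulation. This is an added example, not code from the book or from Cisco: the risk-rating formula, the critical-host list, the 85 threshold, the signature IDs and the sample alerts are all constructed assumptions for illustration.

```python
from collections import Counter
from dataclasses import dataclass

# Assumed "critical servers/hosts" list; the page says identifying these
# raises the risk rating of alerts aimed at them.
CRITICAL_HOSTS = {"10.0.0.5"}


@dataclass(frozen=True)
class Alert:
    sig_id: int      # signature ID (constructed sample values, not taken from the page)
    sig_name: str
    src: str
    dst: str
    severity: int    # 0-100 severity assigned to the signature (assumed scale)


def risk_rating(alert: Alert) -> int:
    """Stand-in risk rating on the page's 0-100 scale.
    Assumption: signature severity, plus 25 when the target is a critical
    host, capped at 100. The real IOS IPS formula is not given on the page."""
    rr = alert.severity
    if alert.dst in CRITICAL_HOSTS:
        rr += 25
    return min(100, rr)


def summarize(alerts) -> Counter:
    """Alarm summarization: one (signature, destination) entry carrying a hit
    count instead of one alert per matching packet."""
    return Counter((a.sig_id, a.sig_name, a.dst) for a in alerts)


def event_actions(alert: Alert, override_threshold: int = 85) -> list:
    """Event action override (assumed policy): every alert is reported, and
    when the risk rating reaches the threshold the attacker's future packets
    are also denied for a period of time."""
    actions = ["produce-alert"]
    if risk_rating(alert) >= override_threshold:
        actions.append("deny-attacker-inline")
    return actions


# Constructed sample: a workstation pinging the IPS-enabled interface 15,000
# times, plus a single probe against a critical server.
SAMPLE = [Alert(2004, "ICMP Echo Request", "192.168.1.10", "10.0.0.1", 25)] * 15000
SAMPLE.append(Alert(3001, "TCP Port Sweep", "192.168.1.10", "10.0.0.5", 70))

if __name__ == "__main__":
    for (sig, name, dst), hits in summarize(SAMPLE).items():
        print(f"sig {sig} {name} -> {dst}: {hits} hits")   # 15000 hits collapse to one line
    for a in (SAMPLE[0], SAMPLE[-1]):
        print(a.dst, risk_rating(a), event_actions(a))
```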
1. Because of how a router operates, which IPS/IDS mode does it operate in?
a. Promiscuous
b. Out-of-band
c. IPS
d. IDS
2. Which of the following enable you to manage an IOS router's IPS configuration?
(Choose all that apply.)
a. CLI
b. CSM
c. CCP
d. IME
3. Why is the public key for Cisco required as part of the IPS installation?
a. It is used to verify the router's self-signed certificate
b. It is used to log in to CCO for automated signature updates
c. It is used to validate the signature that Cisco has placed on the signature package
d. No public key is used as part of an IOS-based IPS
4. Where are the specific signature-related configuration files kept related to an IOS-based IPS?
a. RADIUS server
b. TACACS+ server
c. On Flash or FTP or other reachable destination that the router is configured to use
for that purpose
d. NVRAM
5. Which of the following are examples of tuning a signature? (Choose all that apply.)
a. Changing the default severity level
b. Enabling it if it was disabled by default
c. Disabling it if it was enabled by default
d. Changing the default action
6. Which of the following is used to indicate that a signature is enabled? (Choose all that
apply.)
a. A green icon in the Enabled column
b. A check mark in the Enabled column
c. A missing check mark in the Disabled column
d. A missing check mark in the Unretired column
7. Which of the following are methods that enable you to see alerts that have been triggered by an IOS-based IPS?
a. CLI
b. CCP
c. IME
d. CSM
8. Why is it considered a best practice to avoid compiling, enabling, and running all
available signatures? (Choose all that apply.)
a. CPU utilization
b. Memory utilization
c. The size of NVRAM
d. Not a best practice
Key topic elements in this chapter: Table 16-2, Figure 16-7, Figure 16-10, Table 16-3, Figure 16-12, Figure 16-14, Figure 16-18.
These are the IP addresses that will be applied to an interface facing the internal network (typically the inside or demilitarized zone [DMZ]) and to our ASA's external-facing interface (typically the outside interface) for use by our remote clients to communicate with the ASA for VPN tunnel establishment. The external-facing IP address can either be a public routable address or an address assigned from our internal IP addressing plan (typically RFC 1918) that might have been subject to Network Address Translation (NAT) further toward your organization's gateway to the Internet. Regardless of the type of external address used, both must be unused and routable within your environment.
Configure required routing
Configure preferred IKEv1 policies: This step is optional. However, based on your existing policies and the default ASA policies (these are added after enabling ISAKMP on an interface using the Adaptive Security Device Manager [ASDM]), you might need to further customize the various combinations of encryption or authentication parameters and protocols in use. This section also includes the use of peer authentication and whether an extended authentication scheme will be used (for example, XAUTH).
Configure preferred IPsec policies: This step is optional. However, based on your requirement to further customize the default ASA policies (these are added after enabling ISAKMP on an interface using the ASDM), you might need to further customize the various combinations of encryption or authentication.
Configure Client settings: As part of your configuration, you must determine and enter the required information that will be applied to connecting clients (for example: IP address pools; the use of internal, external or static assignment; Domain Name System [DNS] servers; and domain suffixes).
Configure basic access control: You do this through the use of policy assignment and access control lists (ACLs). Depending on the resource access you are providing to users, you might or might not want to restrict their movement within your network environment.
Install and Configure the Cisco IPsec VPN client software: For further information about the installation of the client software and the basic parameters required to add a connection, see Chapter 15, Deploying and Managing the Cisco VPN Client.
Table 16-3 Tunnel Policy (Crypto Map) Basic Tab
Field: Value
Interface: Select from the list of available interfaces the one this crypto map will apply to (default outside).
Policy Type
Priority: Enter the priority of this crypto map. Values range from 1 to 65535, with 1 being the preferred (first) policy map to be checked for parameter matches. It is common for a dynamic catch-all policy to be given the value of 65535, allowing for more specific policies to be entered below.
Transform Sets to Be Added
Connection Type
IP Address of Peer to Be Added
Enable PFS
Key terms: IPS signature files, Cisco public key, signature micro-engines, enabled, disabled, retired, unretired
Command: ip ips sdm_ips_rule in
Description: Applies the IPS rule named sdm_ips_rule to traffic entering the interface (inbound direction).