
Chapter 5:

Implementing Intrusion Prevention

CCNA Security v2.0


5.0 Introduction
5.1 IPS Technologies
5.2 IPS Signatures
5.3 Implement IPS
5.4 Summary

© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
Upon completion of this section, you should be able to:
• Explain zero-day attacks.

• Understand how to monitor, detect and stop attacks.

• Describe the advantages and disadvantages of IDS and IPS.

IDS characteristics:
• Works passively: it analyzes a copy of the traffic and does not sit in the forwarding path.
• Requires traffic to be mirrored (for example with SPAN) in order to reach it.
• Network traffic does not pass through the IDS unless it is mirrored, so a sensor failure or overload never interrupts forwarding, but the IDS can only alert or react after the trigger packet has already reached its target.

IPS characteristics:
• Implemented in inline mode: all traffic between the protected segments passes through the sensor.
• Monitors Layer 3 and Layer 4 traffic, and matches signatures against packet payloads as well as headers.
• Can stop single-packet attacks from reaching the target, because each packet is examined before it is forwarded.
• Responds immediately, so malicious traffic that matches a signature never reaches the target; the cost is that the sensor becomes a point of failure and adds latency.

Advantages of an IDS:
• No impact on network performance (no added latency or jitter), because it sees only a copy of the traffic
• No network impact if there is a sensor failure
• No network impact if there is a sensor overload

Advantages of an IPS:
• Stops trigger packets before they reach the target
• Can use stream normalization techniques, which defeat fragmentation and segmentation evasion

Disadvantages of an IDS:
• Response action cannot stop trigger packets
• Correct tuning is required for response actions
• More vulnerable to network security evasion techniques

Disadvantages of an IPS:
• Sensor issues might affect network traffic
• Sensor overloading impacts the network
• Some impact on network performance (added latency and jitter)

Cisco IPS platforms:
• Cisco IPS AIM and Network Module Enhanced (IPS NME) for ISR routers
• Cisco ASA AIP-SSM
• Cisco IPS 4300 Series Sensors
• Cisco Catalyst 6500 Series IDSM-2

Factors affecting the IPS sensor selection and deployment:
• Amount of network traffic

• Network topology

• Security budget

• Available security staff to manage IPS

Sensor deployment modes:
• Promiscuous mode: the sensor receives a mirrored copy of the traffic and can only alert or request a block after the fact (IDS behaviour).
• Inline mode: the traffic is forwarded through the sensor, which can drop it before it reaches the target (IPS behaviour).

Traffic sniffing using a hub: a hub repeats every frame to every port, so a sensor attached to any port sees all traffic.

Traffic sniffing using a switch: a switch forwards a frame only to the port that leads to its destination MAC address, so the sensor port must be configured as a SPAN destination to receive copies of the traffic.

Cisco SPAN commands:
• monitor session command – associates one or more source ports (or a source VLAN) and a destination port with a SPAN session; the sensor's monitoring interface connects to the destination port.
• show monitor command – verifies the SPAN session, including its sources, destination and direction.
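A worked SPAN configuration feeding a promiscuous-mode sensor, added here as an example and not taken from the course slides; the switch name, port numbers and session number are assumptions.

```cisco
! Added example (not from the course). Switch name, ports and session
! number are assumptions. The sensor's monitoring interface is on Fa0/24;
! the servers being watched are behind Fa0/1.
S1(config)# monitor session 1 source interface fastethernet 0/1 both
S1(config)# monitor session 1 destination interface fastethernet 0/24
S1(config)# end
! Verify the session: both the source and the destination should be listed
S1# show monitor session 1
! To mirror a whole VLAN instead of one port, use a VLAN source:
! S1(config)# monitor session 1 source vlan 10 both
```

Two caveats a practitioner should keep in mind: a SPAN destination port does not forward normal traffic, so the sensor's management interface must use a different port; and when the mirrored volume exceeds the destination port's bandwidth, the switch drops the excess copies silently and the IDS never sees them.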

Upon completion of the section, you should be able to:
• Understand IPS signature characteristics

• Explain IPS signature alarms

• Manage and monitor IPS

• Understand the global correlation of Cisco IPS devices

A signature is a set of rules that an IDS and an IPS use to detect typical
intrusion activity.
Signatures have three distinct attributes:
• Type

• Trigger (alarm)

• Action

Signatures are categorized as either:
• Atomic – the simplest type of signature consists of a single packet, activity, or event that is examined to determine whether it matches a configured signature. If it does, an alarm is triggered and the signature action is performed. No state needs to be kept between packets.
• Composite – this type of signature identifies a sequence of operations that may be distributed across multiple hosts over an arbitrary period of time (a port sweep, for example), so the sensor must keep state between packets to recognize it.

• As new threats are identified, new signatures must be created and
uploaded to an IPS.
• A signature file contains a package of network signatures.

Cisco IOS defines five micro-engines:
• Atomic – Signatures that examine simple packets.
• Service – Signatures that examine the many services that are attacked.
• String – Signatures that use regular expression-based patterns to detect intrusions.
• Multi-string – Supports flexible pattern matching and Trend Labs signatures.
• Other – Internal engine that handles miscellaneous signatures.

Benefits of Cisco IOS IPS:
• It uses the underlying routing infrastructure to provide an additional layer of security.
• It is inline and is supported on a broad range of routing platforms.
• It provides threat protection at all entry points to the network when used in combination with Cisco IDS, Cisco IOS Firewall, VPN, and NAC solutions.
• The size of the signature database used by the devices can be adapted to the amount of available memory in the router.

Understanding Alarm Types:
An alarm is judged by two things: whether the signature fired and whether an attack was actually present. A true positive (attack present, alarm fired) and a true negative (no attack, no alarm) are the desired outcomes. A false positive (benign traffic fires the alarm) wastes analyst time and, on an inline IPS, drops legitimate traffic; a false negative (an attack that fires no alarm) is the dangerous case, because nothing indicates that it occurred.

Summary of Action Categories:
When a signature triggers, the configured event actions fall into four categories.
• Generating an alert: produce-alert and produce-verbose-alert (the verbose form includes the offending packet in the alert).
• Logging the activity: log-attacker-packets, log-pair-packets and log-victim-packets capture packets for later analysis.
• Dropping or preventing the activity (inline mode only): deny-packet-inline, deny-connection-inline and deny-attacker-inline.
• Resetting the connection and blocking the activity: reset-tcp-connection sends a TCP reset to both ends; request-block-connection and request-block-host ask a blocking device (a router ACL or firewall) to block the flow or the source host.

IPS Planning and Monitoring Considerations:
• Management method

• Event correlation

• Security staff

• Incident response plan

Goals of global correlation:
• Dealing intelligently with alerts to improve effectiveness
• Improving protection against known malicious sites
• Sharing telemetry data with the SensorBase Network to improve visibility of alerts and sensor actions on a global scale
• Simplifying configuration settings
• Automatic handling of security information uploads and downloads

Network participation gathers the following data:
• Signature ID

• Attacker IP address

• Attacker port

• Maximum segment size

• Victim IP address

• Victim port

• Signature version

• TCP options string

• Reputation score

• Risk rating

Upon completion of this section, you should be able to:
• Understand how to configure Cisco IOS IPS with CLI

• Explain how to verify and monitor IPS

Step 1. Download the IOS IPS files.
Step 2. Create an IOS IPS configuration directory in Flash.
Step 3. Configure an IOS IPS crypto key.
Step 4. Enable IOS IPS.
Step 5. Load the IOS IPS signature package to the router.
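The five steps carried through on one router, added here as an example that is not part of the course slides; the hostname, interface, directory name, FTP server, credentials and package file name are assumptions, and the public-key body is not reproduced.

```cisco
! Added example of the five-step IOS IPS procedure (not from the course).
! Hostname, interface, directory name, FTP server and package filename
! are assumptions.
! Step 1 is done off-box: download the signature package (IOS-Sxxx-CLI.pkg)
! and the public key file (realm-cisco.pub.key.txt) from Cisco.
! Step 2: a directory in flash for the compiled signature files
R1# mkdir flash:ipsdir
R1# configure terminal
! Step 3: install the Cisco public key that signs signature packages.
! The hex key-string is copied from realm-cisco.pub.key.txt; it is not
! reproduced here.
R1(config)# crypto key pubkey-chain rsa
R1(config-pubkey-chain)# named-key realm-cisco.pub signature
R1(config-pubkey-key)# key-string
R1(config-pubkey)# <paste the key-string lines from realm-cisco.pub.key.txt>
R1(config-pubkey)# quit
R1(config-pubkey-key)# exit
R1(config-pubkey-chain)# exit
! Step 4: enable IOS IPS: rule name, config location, notifications,
! a signature category set that fits the router's memory, and the interface
R1(config)# ip ips name IOSIPS
R1(config)# ip ips config location flash:ipsdir
R1(config)# ip ips notify log
R1(config)# ip http server
R1(config)# ip ips notify sdee
R1(config)# ip ips signature-category
R1(config-ips-category)# category all
R1(config-ips-category-action)# retired true
R1(config-ips-category-action)# exit
R1(config-ips-category)# category ios_ips basic
R1(config-ips-category-action)# retired false
R1(config-ips-category-action)# exit
R1(config-ips-category)# exit
Do you want to accept these changes? [confirm] y
R1(config)# interface GigabitEthernet0/0
R1(config-if)# ip ips IOSIPS in
R1(config-if)# end
! Step 5: load the signature package. The router checks its signature with
! the key from step 3, then compiles only the non-retired signatures.
R1# copy ftp://ftpuser:ftppass@192.168.1.50/IOS-S416-CLI.pkg idconf
R1# show ip ips signatures count
R1# show ip ips configuration
```

Order matters: if the key is missing when the package is copied, the package is rejected; and retiring `all` before unretiring `ios_ips basic` is what keeps the compiled set inside the router's memory. SDEE needs the HTTP server enabled, which is why `ip http server` appears; restrict it with an ACL on a production router.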

Retiring an Individual Signature: in ip ips signature-definition mode, select the signature by signature ID and subsignature ID and set retired true under its status. A retired signature is not compiled and uses no memory; a signature that is merely disabled (enabled false) stays compiled but produces no events.

Retiring a Signature Category: in ip ips signature-category mode, select the category and set retired true. Category statements are applied in order, so the usual pattern is to retire all and then unretire one category (ios_ips basic or ios_ips advanced) sized to the router's memory.

Show commands to verify the IOS IPS configuration:
• show ip ips
• show ip ips all
• show ip ips configuration
• show ip ips interfaces
• show ip ips signatures
• show ip ips statistics

Clear commands:
• clear ip ips configuration – removes the entire IOS IPS configuration (rule names, config location, categories and interface bindings), which disables IPS on the router.
• clear ip ips statistics – resets the IPS counters only; it does not change the configuration or stop inspection.

Chapter Objectives:
• Describe IPS technologies and how they are implemented.

• Explain IPS Signatures.

• Describe the IPS implementation process.

Thank you.
• Remember, there are helpful tutorials and user guides available via your NetSpace home page (https://www.netacad.com).
• These resources cover a variety of topics including navigation, assessments, and assignments.

Chapter 4:
Implementing Firewall
Technologies

CCNA Security v2.0


4.0 Introduction
4.1 Access Control Lists
4.2 Firewall Technologies
4.3 Zone-Based Policy Firewalls
4.4 Summary

Upon completion of this section, you should be able to:
• Configure standard and extended IPv4 ACLs using CLI.

• Use ACLs to mitigate common network attacks.

• Configure IPv6 ACLs using CLI.

ACL syntax reference:
• Standard numbered ACL (1-99, 1300-1999): access-list number {permit | deny} source [source-wildcard] [log]
• Extended numbered ACL (100-199, 2000-2699): access-list number {permit | deny} protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log]
• Named ACL: ip access-list {standard | extended} name, followed by one ACE per line in the ACL sub-configuration mode
• Standard ACE: [sequence] {permit | deny} source [source-wildcard] [log]
• Extended ACE: [sequence] {permit | deny} protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log]

Syntax – apply an ACL to an interface: ip access-group {acl-number | acl-name} {in | out}, in interface configuration mode.

Syntax – apply an ACL to the VTY lines: access-class {acl-number | acl-name} {in | out}, in line configuration mode. An ACL applied with access-class filters management sessions to the router itself, which an interface ACL on transit traffic does not do.

Examples shown in the figures: a named standard ACL, a named extended ACL, and a named ACL on the VTY lines with the log keyword, so that denied connection attempts produce syslog messages.
Editing an ACL with sequence numbers:
• An existing access list has three entries.
• The list is edited: a new ACE is added, and ACE line 20 is removed and re-entered with the same sequence number, which replaces it.
• The updated access list has four entries.
• Starting from a list with four entries, a new ACE that permits a specific IP address is added with a sequence number lower than 20.
• The updated access list places the new ACE before line 20, so the host is matched before the broader statement on line 20.
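A complete example tying the pieces above together, added here and not taken from the course: a named standard ACL on the VTY lines with logging, a named extended ACL on the outside interface, and an edit using sequence numbers. The router name, interfaces, subnets, server address and ACL names are assumptions.

```cisco
! Added example (not from the course). Router name, interfaces, subnets
! and ACL names are assumptions. Inside LAN is 192.168.10.0/24 behind
! Gi0/0; Gi0/1 faces the Internet; 192.168.20.5 is a public web server.
! --- Named standard ACL restricting VTY access to the admin subnet ---
R1(config)# ip access-list standard ADMIN-MGMT
R1(config-std-nacl)# 10 permit 192.168.10.0 0.0.0.255
R1(config-std-nacl)# 20 deny any log
R1(config-std-nacl)# exit
R1(config)# line vty 0 4
R1(config-line)# access-class ADMIN-MGMT in
R1(config-line)# exit
! --- Named extended ACL applied inbound on the outside interface ---
! Anti-spoofing first, then the services we expose, then log the rest.
R1(config)# ip access-list extended OUTSIDE-IN
R1(config-ext-nacl)# 10 deny ip 10.0.0.0 0.255.255.255 any log
R1(config-ext-nacl)# 20 deny ip 192.168.0.0 0.0.255.255 any log
R1(config-ext-nacl)# 30 permit tcp any 192.168.10.0 0.0.0.255 established
R1(config-ext-nacl)# 40 permit tcp any host 192.168.20.5 eq 80
R1(config-ext-nacl)# 50 deny ip any any log
R1(config-ext-nacl)# exit
R1(config)# interface GigabitEthernet0/1
R1(config-if)# ip access-group OUTSIDE-IN in
R1(config-if)# exit
! --- Editing with sequence numbers ---
! Insert the third RFC 1918 range before line 20, and replace line 40 so
! the web server is reachable on 443 instead of 80 (remove the line, then
! re-add it with the same sequence number).
R1(config)# ip access-list extended OUTSIDE-IN
R1(config-ext-nacl)# 15 deny ip 172.16.0.0 0.15.255.255 any log
R1(config-ext-nacl)# no 40
R1(config-ext-nacl)# 40 permit tcp any host 192.168.20.5 eq 443
R1(config-ext-nacl)# end
! Sequence numbers, not entry order, decide placement: 15 is listed
! between 10 and 20.
R1# show access-lists OUTSIDE-IN
```

The established keyword deserves a caveat: it only checks that the ACK or RST flag is set, so a crafted packet with ACK set passes line 30 regardless of whether a session exists. It is a stateless approximation of "return traffic"; the stateful firewalls in section 4.2 and 4.3 are the correct tool when that distinction matters.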

Upon completion of this section, you should be able to:
• Explain how firewalls are used to help secure networks.

• Describe the various types of firewalls.

• Configure a classic firewall.

• Explain design considerations for implementing firewall technologies.

All firewalls:
• Are resistant to attack (a hardened device with a minimal attack surface)
• Are the only transit point between the networks they separate, because all traffic between those networks flows through the firewall
• Enforce the access control policy

Firewall types: packet filtering firewall, stateful firewall, application gateway (proxy) firewall, and NAT firewall.

Stateful firewalls maintain state tables: an entry is created when a session is initiated from the trusted side, and return traffic is permitted only if it matches an existing entry (stateful firewall operation). Traffic that matches no entry and no explicit permit is dropped.

Next-generation firewall capabilities:
• Granular identification, visibility, and control of behaviors within applications
• Restricting web and web application use based on the reputation of the site
• Proactive protection against Internet threats
• Enforcement of policies based on the user, device, role, application type, and threat profile
• Performance of NAT, VPN, and stateful packet inspection (SPI)
• Use of an integrated IPS

Classic firewall (CBAC) configuration steps:
1. Choose the internal and external interfaces.
2. Configure ACLs for each interface.
3. Define inspection rules.
4. Apply an inspection rule to an interface.
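The four steps as one configuration, added here as an example and not taken from the course slides; interface names, subnets, the server address and the rule name are assumptions.

```cisco
! Added example (not from the course). Interfaces, subnets and names are
! assumptions. Gi0/0 is inside (192.168.10.0/24), Gi0/1 is outside.
! Steps 1 and 2: choose the interfaces and apply an ACL on the outside
! interface that blocks everything not explicitly published
R1(config)# ip access-list extended OUTSIDE-IN
R1(config-ext-nacl)# permit tcp any host 192.168.20.5 eq 443
R1(config-ext-nacl)# deny ip any any log
R1(config-ext-nacl)# exit
R1(config)# interface GigabitEthernet0/1
R1(config-if)# ip access-group OUTSIDE-IN in
R1(config-if)# exit
! Step 3: inspection rules. CBAC tracks sessions that match these
! protocols and opens temporary entries in OUTSIDE-IN for their return
! traffic; audit-trail logs each session open and close.
R1(config)# ip inspect name INSIDE-OUT tcp
R1(config)# ip inspect name INSIDE-OUT udp
R1(config)# ip inspect name INSIDE-OUT icmp
R1(config)# ip inspect audit-trail
! Step 4: apply the rule inbound on the inside interface, that is, to
! the traffic leaving the LAN toward the Internet
R1(config)# interface GigabitEthernet0/0
R1(config-if)# ip inspect INSIDE-OUT in
R1(config-if)# end
R1# show ip inspect config
R1# show ip inspect sessions
```

The inspection rule is what turns the static ACL into a stateful policy: without it, replies to LAN-initiated connections would be dropped by the deny at the end of OUTSIDE-IN. Note that classic firewall and ZPF (section 4.3) cannot be combined on the same interface.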

Considerations for network defense:
• Network core security

• Perimeter security

• Endpoint security

• Communications security

Firewall best practices include:

• Position firewalls at security boundaries.

• It is unwise to rely exclusively on a firewall for security.

• Deny all traffic by default. Permit only services that are needed.

• Ensure that physical access to the firewall is controlled.

• Monitor firewall logs.

• Practice change management for firewall configuration changes.

• Remember that firewalls primarily protect from technical attacks originating from the
outside.
Upon completion of this section, you should be able to:
• Explain how Zone-Based Policy Firewalls are used to help secure a network.

• Explain the operation of a Zone-Based Policy Firewall.

• Configure a Zone-Based Policy Firewall with CLI.

ZPF benefits:
• Not dependent on ACLs
• The router security posture is to block unless explicitly allowed
• Policies are easy to read and troubleshoot with C3PL (Cisco Common Classification Policy Language)
• One policy affects any given traffic, instead of needing multiple ACLs and inspection actions

Common designs include:
• LAN-to-Internet

• Firewalls between public servers

• Redundant firewalls

• Complex firewalls

Design steps:
1. Determine the zones
2. Establish policies between zones
3. Design the physical infrastructure
4. Identify subsets within zones and merge traffic requirements

Policy-map actions:
• Inspect – Configures Cisco IOS stateful packet inspection; return traffic for the inspected session is permitted automatically.
• Drop – Analogous to a deny statement in an ACL. A log option is available to log the rejected packets.
• Pass – Analogous to a permit statement in an ACL. The pass action does not track the state of connections or sessions within the traffic, so return traffic needs its own pass rule in the reverse zone-pair.

Configuration syntax shown in the figures:
• class-map type inspect [match-any | match-all] name, with the sub-configuration commands match protocol, match access-group and match class-map, and an example class-map configuration
• policy-map type inspect name, with class type inspect name and the inspect, drop or pass action, and an example policy-map configuration
• zone-pair security name source zone destination zone, with service-policy type inspect name applied to the zone-pair, and an example service-policy configuration

Verification commands:
• show run | begin class-map
• show policy-map type inspect zone-pair sessions
• show class-map type inspect
• show zone security
• show zone-pair security
• show policy-map type inspect

Rules for ZPF:
• No filtering is applied for intra-zone traffic (between interfaces in the same zone).
• Only one zone is allowed per interface.
• No Classic Firewall (ip inspect) and ZPF configuration on the same interface.
• Traffic between a zone-member interface and an interface that belongs to no zone is dropped.
• Only explicitly allowed traffic is forwarded between zones; with no zone-pair and policy, inter-zone traffic is dropped.
• Traffic to and from the self zone (the router itself) is not filtered unless a zone-pair involving the self zone is configured.
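A complete zone-based policy firewall built with the class-map, policy-map and zone-pair syntax above, added here as an example that is not part of the course; interface names, zone names and policy names are assumptions.

```cisco
! Added example (not from the course). Interfaces, zone and policy names
! are assumptions. Gi0/0 is the LAN, Gi0/1 faces the Internet.
R1(config)# zone security INSIDE
R1(config-sec-zone)# description Trusted LAN
R1(config-sec-zone)# exit
R1(config)# zone security OUTSIDE
R1(config-sec-zone)# exit
! Class: which LAN-originated traffic may go out
R1(config)# class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
R1(config-cmap)# match protocol http
R1(config-cmap)# match protocol https
R1(config-cmap)# match protocol dns
R1(config-cmap)# match protocol icmp
R1(config-cmap)# exit
! Policy: inspect the class (return traffic is allowed statefully),
! drop and log everything else
R1(config)# policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
R1(config-pmap)# class type inspect INSIDE-TO-OUTSIDE-CLASS
R1(config-pmap-c)# inspect
R1(config-pmap-c)# exit
R1(config-pmap)# class class-default
R1(config-pmap-c)# drop log
R1(config-pmap-c)# exit
R1(config-pmap)# exit
! Zone-pair: direction matters. No OUTSIDE->INSIDE pair is defined, so
! unsolicited inbound traffic is dropped by default.
R1(config)# zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
R1(config-sec-zone-pair)# service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
R1(config-sec-zone-pair)# exit
! Assign interfaces last: the moment an interface joins a zone, traffic
! between it and any non-zone interface stops.
R1(config)# interface GigabitEthernet0/0
R1(config-if)# zone-member security INSIDE
R1(config-if)# exit
R1(config)# interface GigabitEthernet0/1
R1(config-if)# zone-member security OUTSIDE
R1(config-if)# end
R1# show zone-pair security
R1# show policy-map type inspect zone-pair sessions
```

Management traffic to the router itself is still allowed because no zone-pair involves the self zone; if SSH to the outside address must be restricted, add a class-map and a zone-pair with source OUTSIDE and destination self.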

Chapter Objectives:
• Implement ACLs to filter traffic and mitigate network attacks on a network.

• Configure a classic firewall to mitigate network attacks.

• Implement ZPF using CLI.

Chapter 3:
Authentication, Authorization,
and Accounting

CCNA Security v2.0


3.0 Introduction
3.1 Purpose of the AAA

3.2 Local AAA Authentication

3.3 Server-Based AAA

3.4 Server-Based AAA Authentication

3.5 Server-Based Authorization and Accounting

3.6 Summary

Upon completion of this section, you should be able to:
• Explain why AAA is critical to network security.

• Describe the characteristics of AAA.

Telnet is vulnerable to brute-force attacks: it carries the password in cleartext, and a single line password shared by all administrators can be guessed by repeated login attempts, with no record of which person used it.

SSH and local database method: SSH encrypts the session, and per-user accounts in the local database tie each login to an individual, which is the basis for authorization and accounting.

AAA authentication methods: local AAA authentication (the router checks credentials against its local username database) and server-based AAA authentication (the router forwards the credentials to a TACACS+ or RADIUS server).

AAA authorization: after authentication, the router or server decides which commands and network services the user may use.

Types of accounting information (AAA accounting):
• Network
• Connection
• EXEC
• System
• Command
• Resource

Upon completion of this section, you should be able to:
• Configure AAA authentication, using the CLI, to validate users against a local
database.
• Troubleshoot AAA authentication that validates users against a local database.

1. Add usernames and passwords to the local router database for users that
need administrative access to the router.
2. Enable AAA globally on the router.
3. Configure AAA parameters on the router.
4. Confirm and troubleshoot the AAA configuration.
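The four steps on one router, added here as an example and not taken from the course slides; the hostname, usernames, list names and passwords are placeholders.

```cisco
! Added example (not from the course). Hostname, usernames, list names
! and passwords are placeholders. Do this from the console and keep that
! session open until a second login has been confirmed to work.
! Step 1: local account, hashed with scrypt (type 9)
R1(config)# username ADMIN privilege 15 algorithm-type scrypt secret Str0ng-Adm1n-Pa55
! Step 2: enable AAA globally
R1(config)# aaa new-model
! Step 3: method lists. local-case makes the username case-sensitive.
! "default" applies to every line unless a named list overrides it.
R1(config)# aaa authentication login default local-case
R1(config)# aaa authentication login SSH-LOGIN local-case
! Lock an account after three consecutive failures (per user, unlike
! login block-for, which blocks all logins)
R1(config)# aaa local authentication attempts max-fail 3
R1(config)# line vty 0 4
R1(config-line)# login authentication SSH-LOGIN
R1(config-line)# transport input ssh
R1(config-line)# end
! Step 4: confirm and troubleshoot
R1# show aaa local user lockout
R1# clear aaa local user lockout username ADMIN
R1# show aaa sessions
R1# show aaa user all
R1# debug aaa authentication
```

Creating the account before `aaa new-model` is deliberate: once AAA is on, the console is authenticated against the default list, and a router with no local user is a router nobody can log in to.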

Figures shown: an example local AAA authentication configuration; the command syntax for displaying locked-out users (show aaa local user lockout) and for showing the unique ID of a session (show aaa sessions); the debug aaa authentication command for local AAA authentication; and how to read its output.

Upon completion of this section, you should be able to:
• Describe the benefits of server-based AAA.

• Compare the TACACS+ and RADIUS authentication protocols.

Local authentication:
1. User establishes a connection with the router.
2. Router prompts the user for a username and password, authenticating the user using a local database.

Server-based authentication:
1. User establishes a connection with the router.
2. Router prompts the user for a username and password.
3. Router passes the username and password to the Cisco Secure ACS (server or engine).
4. The Cisco Secure ACS authenticates the user.

TACACS+ authentication process: the router opens a TCP session to port 49 on the server; the entire packet body is encrypted with the shared key, and authentication, authorization and accounting are handled as separate exchanges.

RADIUS authentication process: the router sends an Access-Request over UDP (ports 1812/1813, or the legacy 1645/1646); only the password field is obscured, and the Access-Accept reply carries the authorization attributes with it.

Cisco Secure ACS is the Cisco AAA server that supports both protocols.

Upon completion of this section, you should be able to:
• Configure server-based AAA authentication, using the CLI, on Cisco routers.

• Troubleshoot server-based AAA authentication.

1. Enable AAA.
2. Specify the IP address of the ACS server.
3. Configure the secret key.
4. Configure authentication to use either the RADIUS or
TACACS+ server.
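The four steps as one configuration with both server types, added here as an example and not taken from the course slides; server names, addresses and keys are placeholders.

```cisco
! Added example (not from the course). Server addresses, names and keys
! are placeholders; in production use long random keys and do not reuse
! them across devices.
! Step 1: enable AAA
R1(config)# aaa new-model
! Steps 2 and 3: define the servers and their shared secrets
R1(config)# tacacs server SERVER-T
R1(config-server-tacacs)# address ipv4 192.168.1.101
R1(config-server-tacacs)# single-connection
R1(config-server-tacacs)# key TACACS-Pa55w0rd
R1(config-server-tacacs)# exit
R1(config)# radius server SERVER-R
R1(config-radius-server)# address ipv4 192.168.1.100 auth-port 1812 acct-port 1813
R1(config-radius-server)# key RADIUS-Pa55w0rd
R1(config-radius-server)# exit
! Step 4: authentication method list. Methods are tried in order, and the
! next one is used only if the previous is unreachable, not if it rejects
! the user. The trailing local-case is the fallback when both servers are
! down, so a local account must exist.
R1(config)# username ADMIN privilege 15 algorithm-type scrypt secret Str0ng-Adm1n-Pa55
R1(config)# aaa authentication login default group tacacs+ group radius local-case
R1(config)# line vty 0 4
R1(config-line)# login authentication default
R1(config-line)# end
! Troubleshooting: test the server binding without logging in, then debug
R1# test aaa group tacacs+ ADMIN Str0ng-Adm1n-Pa55 legacy
R1# debug aaa authentication
R1# debug tacacs
R1# debug radius
```

The shared key is stored in the running configuration, so anyone who can read the config can impersonate the router to the AAA server; treat `show run` output as sensitive and protect configuration backups accordingly.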

Figures shown: the server-based AAA reference topology; configuring a AAA TACACS+ server (tacacs server name, address ipv4, key); configuring a AAA RADIUS server (radius server name, address ipv4 with auth-port and acct-port, key); the aaa authentication login command syntax for server-based authentication; troubleshooting with debug aaa authentication, debug radius and debug tacacs; and sample output for a successful and a failed server-based authentication.

Upon completion of this section, you should be able to:
• Configure server-based AAA authorization.

• Configure server-based AAA accounting.

• Explain the functions of 802.1x components.

Authentication vs. Authorization
• Authentication ensures a device or end-user is legitimate.
• Authorization allows or disallows authenticated users access to certain areas and programs on the network.

TACACS+ vs. RADIUS
• TACACS+ separates authentication from authorization, so per-command authorization can be enforced on the router.
• RADIUS does not separate authentication from authorization; the authorization attributes are returned together with the Access-Accept.

Figures shown: the aaa authorization command syntax, authorization method lists and an example AAA authorization configuration; the aaa accounting command syntax, accounting method lists and an example AAA accounting configuration.
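Authorization and accounting method lists in one configuration, added here as an example that is not from the course; it assumes a TACACS+ server group is already defined and the names are placeholders.

```cisco
! Added example (not from the course). Assumes a TACACS+ server has
! already been defined (see the authentication example); names are
! placeholders.
! Authorization: EXEC (shell) access, level-15 commands and network
! services, with local fallback only if the server is unreachable
R1(config)# aaa authorization exec default group tacacs+ local
R1(config)# aaa authorization commands 15 default group tacacs+ local
R1(config)# aaa authorization network default group tacacs+ local
! Accounting: start-stop sends a start record when a session begins and
! a stop record (with duration and counters) when it ends; stop-only
! sends the final record only
R1(config)# aaa accounting exec default start-stop group tacacs+
R1(config)# aaa accounting commands 15 default stop-only group tacacs+
R1(config)# aaa accounting network default start-stop group tacacs+
R1(config)# aaa accounting connection default start-stop group tacacs+
R1(config)# aaa accounting system default start-stop group tacacs+
R1(config)# end
R1# debug aaa authorization
R1# debug aaa accounting
```

Per-command authorization and accounting work only with TACACS+; RADIUS has no equivalent in IOS. Also note that EXEC authorization is not applied to the console unless `aaa authorization console` is configured, which is a sensible default so that a misconfigured server cannot lock out the console.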

802.1X roles: the supplicant (client software on the end device requesting access), the authenticator (the switch or wireless access point that controls the port), and the authentication server (a RADIUS server that validates the supplicant's credentials).

802.1X message exchange: EAPOL frames between the supplicant and the authenticator are relayed by the authenticator as EAP over RADIUS to the authentication server; until the server returns an Access-Accept, the port passes only EAPOL traffic.

Command syntax for dot1x port-control: dot1x port-control {auto | force-authorized | force-unauthorized}, in interface configuration mode.
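An authenticator configuration on an access switch, added here as an example that is not from the course slides; the switch name, port, RADIUS server address and key are placeholders.

```cisco
! Added example (not from the course). Switch name, port, RADIUS server
! address and key are placeholders. The switch is the authenticator, the
! PC on Fa0/1 the supplicant, the RADIUS server the authentication server.
S1(config)# aaa new-model
S1(config)# radius server SERVER-R
S1(config-radius-server)# address ipv4 192.168.1.100 auth-port 1812 acct-port 1813
S1(config-radius-server)# key RADIUS-Pa55w0rd
S1(config-radius-server)# exit
! 802.1X has its own method list; dot1x system-auth-control turns the
! feature on globally before any port enforces it
S1(config)# aaa authentication dot1x default group radius
S1(config)# dot1x system-auth-control
S1(config)# interface FastEthernet0/1
S1(config-if)# switchport mode access
S1(config-if)# dot1x pae authenticator
! auto: the port forwards only EAPOL until the supplicant authenticates;
! force-authorized (the default) would disable 802.1X on the port
S1(config-if)# dot1x port-control auto
S1(config-if)# end
S1# show dot1x interface FastEthernet0/1 details
S1# show dot1x all
```

Uplinks and trunks must be left at force-authorized; enabling 802.1X on them cuts off the rest of the network, including the path to the RADIUS server.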

Chapter Objectives:
• Explain how AAA is used to secure a network.
• Implement AAA authentication that validates users against a local database.
• Implement server-based AAA authentication using TACACS+ and RADIUS protocols.
• Configure server-based AAA authorization and accounting.

Chapter 2:

Securing Network Devices

CCNA Security v2.0


2.0 Introduction
2.1 Securing Device Access
2.2 Assigning Administrative Roles
2.3 Monitoring and Managing Devices
2.4 Using Automated Security Features
2.5 Securing the Control Plane
2.6 Summary

Upon completion of this section, you should be able to:
• Explain how to secure a network perimeter.

• Configure secure administrative access to Cisco routers.

• Configure enhanced security for virtual logins.

• Configure an SSH daemon for secure remote management.

Perimeter designs: the single router approach (one router filters between the inside and the Internet), the defense-in-depth approach (a screening router in front of a dedicated firewall, so that one failure does not expose the network), and the DMZ approach (public servers on a separate network between the inside and the outside).

Tasks:
• Restrict device accessibility

• Log and account for all access

• Authenticate access

• Authorize actions

• Present legal notification

• Ensure the confidentiality of data

Administrative access paths: local access through the console port; remote access using Telnet (cleartext, to be avoided); remote access using a modem on the AUX port; and a dedicated management network, an out-of-band network that carries only management traffic.

Guidelines:
• Use a password length of 10 or more characters.
• Include a mix of uppercase and lowercase letters, numbers, symbols, and spaces.
• Avoid passwords based on easily identifiable pieces of information.
• Deliberately misspell a password (Smith = Smyth = 5mYth).
• Change passwords often.
• Do not write passwords down and leave them in obvious places.

Weak password   Why it is weak
secret          Simple dictionary password
smith           Mother's maiden name
toyota          Make of car
bob1967         Name and birthday of user
Blueleaf23      Simple words and numbers

Strong password   Why it is strong
b67n42d39c        Combines alphanumeric characters
12^h u4@1p7       Combines alphanumeric characters, symbols, and includes a space

Guidelines:
• Configure all secret passwords using type 8 (PBKDF2 with SHA-256) or type 9 (scrypt) hashes. Type 5 (MD5) is fast to brute-force, and type 7 is a reversible encoding, not a hash.
• Use the enable algorithm-type {sha256 | scrypt} secret command to enter an unencrypted password; the router stores only the hash.
• Use the username name algorithm-type scrypt secret command to specify type 9 hashing for local user accounts.

Virtual login security enhancements:
• Implement delays between
successive login attempts
• Enable login shutdown if DoS
attacks are suspected
• Generate system-logging
messages for login detection

Command syntax: login block-for seconds attempts tries within seconds (global configuration) enters a quiet period after the given number of failures in the given window.

Example: login quiet-mode access-class {acl-name | acl-number} lists the hosts that may still log in during the quiet period.

Example: login delay seconds enforces a uniform delay between successive login attempts.

Generate login syslog messages: login on-success log and login on-failure log.

Example: show login failures lists failed attempts, their source addresses and timestamps while the router is counting failures.

Example SSH configuration: set the hostname and ip domain-name, generate an RSA key pair (crypto key generate rsa), create a local user, then restrict the VTY lines with login local and transport input ssh.

Example verification of SSH: show ip ssh (version and timers) and show ssh (active sessions).

Two ways to connect:
• Enable SSH and use a Cisco router as an SSH server or SSH client.
  As a server, the router can accept SSH client connections.
  As a client, the router can connect via SSH to another SSH-enabled router (ssh -l username address).
• Use an SSH client running on a host, such as PuTTY, OpenSSH, or TeraTerm.

Upon completion of this section, you should be able to:
• Configure administrative privilege levels to control command availability.

• Configure role-based CLI access to control command availability.

Privilege levels:
• Level 0: Predefined for user-level access privileges.
• Level 1: Default level for login with the router prompt.
• Level 2-14: May be customized for user-level privileges.
• Level 15: Reserved for the enable mode privileges.

Levels of access commands:
• User EXEC mode (privilege level 1): lowest EXEC mode user privileges; only user-level commands are available at the router> prompt
• Privileged EXEC mode (privilege level 15): all enable-level commands are available at the router# prompt

Privilege Level Syntax

• No access control to specific interfaces, ports, logical interfaces, and
slots on a router
• Commands available at lower privilege levels are always executable at
higher privilege levels
• Commands specifically set at higher privilege levels are not available
for lower privilege users
• Assigning a command with multiple keywords allows access to all
commands that use those

For example:
• Security operator privileges
  Configure AAA
  Issue show commands
  Configure firewall
  Configure IDS/IPS
  Configure NetFlow
• WAN engineer privileges
  Configure routing
  Configure interfaces
  Issue show commands

Step 1

Step 2

Step 3

Step 4

Step 1

Step 2

Step 3

Enable Root View and Verify All Views
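The two mechanisms described in this section side by side: a custom privilege level for a read-only helpdesk user, and a role-based CLI view that matches the "security operator" role listed earlier (AAA, show commands, firewall, IDS/IPS, NetFlow). This is an added example, not the course's own configuration; the user names, the view name and the exact command set granted to each role are assumptions, and the secrets are placeholders.

```cisco
! Added example (not from the course): privilege levels versus role-based CLI views.
! User/view names and the granted command sets are assumed; secrets are placeholders.
!
! --- Privilege level 5: a helpdesk role limited to a few show commands ---
! Caveat from the limitations slide: granting "show ip interface brief" also
! makes the shorter forms "show", "show ip" and "show ip interface" available.
privilege exec level 5 show ip interface brief
privilege exec level 5 show ip route
privilege exec level 5 show version
! The user lands directly in level 5 when the line uses "login local"
username helpdesk privilege 5 algorithm-type scrypt secret <HELPDESK-SECRET-PLACEHOLDER>
!
! --- Role-based CLI view: security operator ---
! Views require AAA and an enable secret for the root view (Step 1 / Step 2)
aaa new-model
enable algorithm-type scrypt secret <ENABLE-SECRET-PLACEHOLDER>
! From privileged EXEC, enter the root view first (it prompts for the enable secret):
!   enable view
! Then define the view and the commands it may run (Step 3 / Step 4)
parser view SECOPS
 secret <VIEW-SECRET-PLACEHOLDER>
 commands exec include all show
 commands exec include configure terminal
 commands configure include all aaa
 commands configure include all zone-pair
 commands configure include all ip ips
 commands configure include all ip flow-export
!
! Bind a local user to the view; on login the user is placed in SECOPS
username secops view SECOPS algorithm-type scrypt secret <SECOPS-SECRET-PLACEHOLDER>
!
! Verification:
!   show parser view          (view the current session is in)
!   show parser view all      (all views; root view only)
!   enable view SECOPS        (switch into the view to test it)
```

The difference worth remembering when choosing between the two: a privilege level is strictly cumulative (a level-5 user gets everything assigned to levels 0 through 5), whereas a view grants exactly the listed commands and nothing else, which is why the course recommends views for per-role separation.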

Upon completion of this section, you should be able to:
• Use the Cisco IOS resilient configuration feature to secure the Cisco IOS image and configuration files.
• Compare in-band and out-of-band management access.
• Configure syslog to log system events.
• Configure secure SNMPv3 access using an ACL.
• Configure NTP to enable accurate timestamping between all devices.

Configure the router for server-side SCP with local AAA:
1. Configure SSH

2. Configure at least one user with privilege level 15

3. Enable AAA

4. Specify that the local database is to be used for authentication

5. Configure command authorization

6. Enable SCP server-side functionality
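The six steps above, together with the SSH configuration and verification the preceding slides refer to, as one working configuration. This is an added example rather than the course's own listing; the hostname, domain name, user name and the SSH timers are assumed values and the secret is a placeholder.

```cisco
! Added example (not from the course): router as an SSH server and SCP server
! with local AAA. Hostname, domain, user name and timers are assumed values.
!
! --- Step 1: SSH (the RSA key pair needs hostname + domain name to exist) ---
hostname R1
ip domain-name example.com
crypto key generate rsa general-keys modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
line vty 0 4
 transport input ssh
 login local
!
! --- Step 2: at least one local user with privilege level 15 ---
username admin privilege 15 algorithm-type scrypt secret <ADMIN-SECRET-PLACEHOLDER>
!
! --- Step 3: enable AAA ---
aaa new-model
!
! --- Step 4: authenticate against the local database ---
aaa authentication login default local
!
! --- Step 5: command (EXEC) authorization from the local database ---
aaa authorization exec default local
!
! --- Step 6: SCP server-side functionality ---
ip scp server enable
!
! Verification:
!   show ip ssh          (version, timeout, retries)
!   show ssh             (active SSH sessions)
!   show running-config | include scp
!
! Assumed usage from a management host with an SCP client:
!   scp admin@R1.example.com:running-config ./r1-backup.cfg
```

SCP rides on the SSH session, so it inherits the SSH hardening (version 2 only, short timeout, limited retries); the AAA authorization step is required because the SCP server checks the user's EXEC authorization before it will serve files.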

1. Connect to the console port.

2. Record the configuration register setting.

3. Power cycle the router.

4. Issue the break sequence.

5. Change the default configuration register with the confreg 0x2142 command.

6. Reboot the router.

7. Press Ctrl-C to skip the initial setup procedure.

8. Put the router into privileged EXEC mode.

9. Copy the startup configuration to the running configuration.

10. Verify the configuration.

11. Change the enable secret password.

12. Enable all interfaces.

13. Change the configuration register back with the config-register configuration_register_setting command.

14. Save the configuration changes.

Disable Password Recovery

No Service Password Recovery

Password Recovery
Functionality is Disabled

In-Band Management:
• Apply only to devices that need to be managed or monitored
• Use IPsec, SSH, or SSL when possible
• Decide whether the management channel needs to be open at all times

Out-of-Band (OOB) Management:
• Provides the highest level of security
• Mitigates the risk of passing management protocols over the production network
Security Levels

Example Severity Levels

Step 1

Step 2 (optional)

Step 3

Step 4

Cisco MIB
Hierarchy

Message integrity & authentication
Encryption
Access control

• Transmissions from manager to agent may be authenticated to guarantee the identity of the sender and the integrity and timeliness of a message.
• SNMPv3 messages may be encrypted to ensure privacy.
• The agent may enforce access control to restrict each principal to certain actions on specific portions of data.
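The three SNMPv3 properties above mapped onto configuration: authentication and message integrity come from the user's auth key, encryption from its priv key, and access control from the group's view plus the ACL the section objective calls for. This is an added example, not the course's own configuration; the NMS address, group, view and user names are assumed and the passphrases are placeholders.

```cisco
! Added example (not from the course): SNMPv3 authPriv access restricted by ACL.
! NMS address, group/view/user names are assumed; passphrases are placeholders.
!
! --- Access control, part 1: only the NMS may query the agent ---
ip access-list standard SNMP-NMS
 permit 10.10.10.50
 deny any
!
! --- Access control, part 2: limit what the NMS can read ---
! "iso" is the whole tree; narrow it to the subtrees the NMS really needs.
snmp-server view SNMP-RO iso included
!
! Group: v3 with "priv" = authentication AND encryption required,
! read-only through SNMP-RO, and reachable only from SNMP-NMS
snmp-server group ADMIN-GRP v3 priv read SNMP-RO access SNMP-NMS
!
! User: SHA for authentication/integrity, AES-128 for privacy.
! The user is stored outside running-config, so it must be recreated on a
! rebuild and it does not appear in "show running-config".
snmp-server user nms-user ADMIN-GRP v3 auth sha <AUTH-PASS-PLACEHOLDER> priv aes 128 <PRIV-PASS-PLACEHOLDER>
!
! Verification:
!   show snmp group     (security model/level, read view, ACL)
!   show snmp user      (auth and priv protocols in use)
```

A manager that only sets "auth" (no privacy) is rejected by a "priv" group, which is the point: the group's security level is the floor every principal has to meet, while the ACL and the view bound what an authenticated principal can reach.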

Sample NTP Topology

Sample NTP
Configuration on R1

Sample NTP
Configuration on R2
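The NTP topology above (R1 as time source, R2 as client) together with the syslog configuration steps and severity levels from earlier in this section. Authenticated NTP is what makes the timestamps on syslog messages trustworthy and comparable across devices, so the two are shown together. This is an added example and not the course's own R1/R2 listing; the addresses, key number, stratum and collector are assumed values and the key string is a placeholder.

```cisco
! Added example (not from the course): authenticated NTP between R1 and R2
! plus syslog to a collector. Addresses, key id, stratum and collector assumed.
!
! --- R1: authoritative time source for the site ---
ntp authentication-key 1 md5 <NTP-KEY-PLACEHOLDER>
ntp authenticate
ntp trusted-key 1
ntp master 3                 ! assumed: R1 has no upstream server here
!
! --- R2: client that only accepts time signed with trusted key 1 ---
ntp authentication-key 1 md5 <NTP-KEY-PLACEHOLDER>   ! same key as R1
ntp authenticate
ntp trusted-key 1
ntp server 10.1.1.1 key 1    ! assumed R1 address
!
! --- Syslog (same on both routers) ---
! Stamp every message with date/time, milliseconds and zone from the NTP clock
service timestamps log datetime msec localtime show-timezone
! Send severities 0 (emergencies) through 6 (informational) to the collector;
! 7 (debugging) stays local, so debug output cannot flood the network
logging host 10.10.10.60
logging trap informational
logging source-interface Loopback0
logging buffered 16384 informational
logging on
!
! Verification:
!   show ntp associations   (peer, reference clock, stratum, reachability)
!   show ntp status         (synchronized? stratum, reference)
!   show logging            (trap level, host, buffered messages)
```

Without `ntp authenticate` plus `ntp trusted-key`, a client accepts time from any responder that answers, and a skewed clock silently breaks log correlation and certificate validity checks; with them, an unsigned or wrongly keyed response is ignored and `show ntp associations` shows the peer as unreachable.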

Upon completion of this section, you should be able to:
• Use security audit tools to determine IOS-based router vulnerabilities.

• Use AutoSecure to enable security on IOS-based routers.

There is a detailed list of security settings for protocols and services
provided in Figure 2 of this page in the course.

Additional recommended practices to ensure a device is secure:
• Disable unnecessary services and interfaces.
• Disable and restrict commonly configured management services.
• Disable probes and scans.
• Ensure terminal access security.
• Disable gratuitous and proxy ARPs.
• Disable IP-directed broadcasts.
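The practices listed above expressed as configuration, as an added example rather than the course's Figure 2 listing; the interface names and the management subnet are assumptions, and which services can be switched off depends on what the router actually has to provide.

```cisco
! Added example (not from the course): manual hardening of a router.
! Interface names and management subnet are assumed values.
!
! --- Unnecessary global services ---
no ip http server
no ip http secure-server      ! only if no HTTPS management is needed
no cdp run                    ! or "no cdp enable" per untrusted interface
no ip source-route
no ip finger
no ip bootp server
no service tcp-small-servers
no service udp-small-servers
!
! --- Unused interfaces ---
interface GigabitEthernet0/2
 description UNUSED
 shutdown
!
! --- Probes/scans, proxy ARP and directed broadcasts on the user-facing interface ---
interface GigabitEthernet0/0
 no ip proxy-arp
 no ip directed-broadcast     ! default off on modern images; stated explicitly
 no ip redirects
 no ip unreachables           ! removes the ICMP replies port scans rely on
 no ip mask-reply
!
! Gratuitous ARP is a global setting
no ip gratuitous-arps
!
! --- Terminal access security: SSH only, idle timeout, restricted sources ---
ip access-list standard VTY-ADMIN
 permit 192.168.10.0 0.0.0.255
 deny any
line con 0
 exec-timeout 5 0
 login local
line vty 0 4
 access-class VTY-ADMIN in
 transport input ssh
 exec-timeout 5 0
 login local
!
! Verification: show running-config | include ^no |^service |^line
```

The ordering matters in one place: apply `access-class` and `transport input ssh` to the VTY lines only after SSH itself is working and a local level-15 user exists, otherwise the change locks out remote administration and has to be undone from the console.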

1. The auto secure command is entered
2. Wizard gathers information about the outside interfaces
3. AutoSecure secures the management plane by disabling unnecessary services
4. AutoSecure prompts for a banner
5. AutoSecure prompts for passwords and enables password and login features
6. Interfaces are secured
7. Forwarding plane is secured

Upon completion of this section, you should be able to:
• Configure a routing protocol authentication.

• Explain the function of Control Plane Policing.

Consequences of protocol spoofing:
• Redirect traffic to create routing loops.

• Redirect traffic so it can be monitored on an insecure link.

• Redirect traffic to discard it.
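Routing protocol authentication and Control Plane Policing are the two section objectives that address the spoofing consequences listed above: authentication stops a forged neighbor from injecting routes, and CoPP keeps management and routing traffic aimed at the router itself within limits. This is an added example and not the course's own configuration; the interface, addresses, key chain and policy names, and the police rates are assumptions, and the key is a placeholder. The SHA key-chain form assumes an IOS release that supports OSPFv2 cryptographic authentication (15.4(1)T or later); the commented MD5 form is the per-interface alternative on older images.

```cisco
! Added example (not from the course): OSPF neighbor authentication and a
! minimal CoPP policy. Names, addresses, interface and rates are assumed.
!
! --- OSPF authentication with a key chain (HMAC-SHA-256) ---
key chain OSPF-KEYS
 key 1
  key-string <OSPF-KEY-PLACEHOLDER>
  cryptographic-algorithm hmac-sha-256
interface GigabitEthernet0/0
 ip ospf authentication key-chain OSPF-KEYS
!
! Older images: MD5 per interface instead of the key chain
! interface GigabitEthernet0/0
!  ip ospf authentication message-digest
!  ip ospf message-digest-key 1 md5 <OSPF-KEY-PLACEHOLDER>
!
! Verification: show ip ospf interface GigabitEthernet0/0
!   (reports the authentication type; a neighbor with a mismatched key never
!    reaches FULL state, and "debug ip ospf adj" shows the mismatch)
!
! --- CoPP: management traffic from the admin subnet is rate-limited, the
!     same ports from anywhere else are dropped before reaching the CPU ---
ip access-list extended COPP-MGMT
 permit tcp 192.168.10.0 0.0.0.255 any eq 22
 permit udp 192.168.10.0 0.0.0.255 any eq snmp
ip access-list extended COPP-MGMT-UNAUTH
 permit tcp any any eq 22
 permit udp any any eq snmp
!
class-map match-all CM-COPP-MGMT
 match access-group name COPP-MGMT
class-map match-all CM-COPP-MGMT-UNAUTH
 match access-group name COPP-MGMT-UNAUTH
!
! Class order matters: the trusted class must precede the catch-all class,
! because a packet is handled by the first class it matches.
policy-map PM-COPP
 class CM-COPP-MGMT
  police 256000 conform-action transmit exceed-action drop
 class CM-COPP-MGMT-UNAUTH
  police 8000 conform-action drop exceed-action drop
!
control-plane
 service-policy input PM-COPP
!
! Verification: show policy-map control-plane
!   (per-class conformed/exceeded counters; a rising exceeded count on
!    CM-COPP-MGMT-UNAUTH is the signal that something outside the admin
!    subnet is hammering the management ports)
```

Routing protocol traffic itself (OSPF, protocol 89) is not policed by this policy and is handled by the default class, which is deliberate for a first deployment: measure what the control plane actually receives with the counters before adding a class that could starve adjacencies.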

Chapter Objectives:
• Configure secure administrative access.

• Configure command authorization using privilege levels and role-based CLI.

• Implement the secure management and monitoring of network devices.

• Use automated features to enable security on IOS-based routers.

• Implement control plane security.

Thank you.
• Remember, there are helpful tutorials and user guides available via your NetSpace home page (https://www.netacad.com).
• These resources cover a variety of topics including navigation, assessments, and assignments.
• A screenshot has been provided here highlighting the tutorials related to activating exams, managing assessments, and creating quizzes.

Chapter 1:
Modern Network Security Threats

CCNA Security v2.0


1.0 Introduction
1.1 Securing Networks
1.2 Network Threats
1.3 Mitigating Threats
1.4 Summary

Upon completion of this section, you should be able to:
• Describe the current network security landscape.

• Explain how all types of networks need to be protected.

Common network security terms:
• Threat
• Vulnerability
• Mitigation
• Risk

Cisco Security Intelligence Operations

Vectors of data loss:
• Email/Webmail

• Unencrypted Devices

• Cloud Storage Devices

• Removable Media

• Hard Copy

• Improper Access Control

Outside perimeter security:
• On-premise security officers

• Fences and gates

• Continuous video surveillance

• Security breach alarms

Inside perimeter security:


• Electronic motion detectors

• Security traps

• Continuous video surveillance

• Biometric access and exit sensors

VM-specific threats:
• Hyperjacking
• Instant On activation
• Antivirus storm

Components of a secure data center:
• Secure segmentation
• Threat defense
• Visibility

Critical MDM functions for BYOD network:
• Data encryption
• PIN enforcement
• Data wipe
• Data loss prevention
• Jailbreak/root detection

Upon completion of the section, you should be able to:
• Describe the evolution of network security.

• Describe the various types of attack tools used by hackers.

• Describe malware.

• Explain common network attacks.

Modern hacking titles:
• Script Kiddies

• Vulnerability Brokers

• Hacktivists

• Cyber Criminals

• State-Sponsored
Hackers

Penetration testing tools:
• Password crackers
• Wireless hacking
• Network scanning and hacking
• Packet crafting
• Packet sniffers
• Rootkit detectors
• Fuzzers to search vulnerabilities
• Forensic
• Debuggers
• Hacking operating systems
• Encryption
• Vulnerability exploitation
• Vulnerability scanners

Network hacking attacks:
• Eavesdropping

• Data modification

• IP address spoofing

• Password-based

• Denial-of-service

• Man-in-the-middle

• Compromised-key

• Sniffer

Classifications:
• Security software disabler

• Remote-access

• Data-sending

• Destructive

• Proxy

• FTP

• DoS

Initial Code Red Worm Infection

Code Red Worm Infection 19 Hours Later

Components:
• Enabling vulnerability
• Propagation mechanism
• Payload

Code Red Worm Propagation:
1. Propagate for 19 days
2. Launch DoS attack for next 7 days
3. Stop and go dormant for a few days
4. Repeat the cycle
• Ransomware
• Spyware
• Adware
• Scareware
• Phishing
• Rootkits

Types of network attacks (figure): Reconnaissance, Access, DoS
Examples shown: Data Modification, SYN Flood, Smurf Attack
• Initial query of a target

• Ping sweep of the target network

• Port scan of active IP addresses

• Vulnerability scanners

• Exploitation tools

A few reasons why hackers use access attacks:
• To retrieve data

• To gain access

• To escalate access privileges

A few types of access attacks include:


• Password

• Trust exploitation

• Port redirection

• Man-in-the-middle

• Buffer overflow

• IP, MAC, DHCP spoofing

• Pretexting

• Phishing

• Spearphishing

• Spam

• Tailgating

• Something for Something

• Baiting

1. Hacker builds a network of infected machines
• A network of infected hosts is called a botnet.
• The compromised computers are called zombies.
• Zombies are controlled by handler systems.

2. Zombie computers continue to scan and infect more targets


3. Hacker instructs handler system to make the botnet of zombies
carry out the DDoS attack

Upon completion of this section, you should be able to:
• Describe methods and resources to protect the networks.

• Describe a collection of domains for network security.

• Explain the purpose of the Cisco SecureX Architecture.

• Describe the techniques used to mitigate common network attacks.

• Explain how to secure the three functional areas of Cisco routers and switches.

Components of Cryptography:
• Confidentiality: uses encryption to encrypt and hide data.
• Integrity: uses hashing algorithms to ensure data is unaltered during operation.
• Availability: assures data is accessible. Guaranteed by network hardening mechanisms and backup systems.

• Risk assessment

• Security policy

• Organization of information security

• Asset management

• Human resources security

• Physical and environmental security

• Communications and operations management

• Information systems acquisition, development, and maintenance

• Access control

• Information security incident management

• Business continuity management

• Compliance

SecureX (figure), surrounded by its five areas:
• Secure Edge and Branch
• Secure Email and Web
• Secure Data Center and Virtualization
• Secure Access
• Secure Mobility
Cisco SecureX Architecture:
• Scanning engines

• Delivery mechanisms

• Security intelligence operations (SIO)

• Policy management consoles

• Next-generation endpoint

Defines security policies based on five parameters:
• Type of device being used for access

• Person’s identity

• Application in use

• Location

• Time of access

Best practices:
• Develop a written security policy.

• Educate employees about the risks of social engineering, and develop strategies to
validate identities over the phone, via email, or in person.

• Control physical access to systems.

• Use strong passwords and change them often.

• Encrypt and password-protect sensitive data.

• Implement security hardware and software.

• Perform backups and test the backed up files on a regular basis.

• Shut down unnecessary services and ports.

• Keep patches up-to-date by installing them weekly or daily to prevent buffer overflow and privilege escalation attacks.

• Perform security audits to test the network.

Worm mitigation phases (figure): Containment, Inoculation, Quarantine, Treatment

Chapter Objectives:
• Explain network security.

• Describe various types of threats and attacks.

• Explain tools and procedures to mitigate the effects of malware and common
network attacks.
