Version 4.1 - 5.3 Cisco Intrusion Prevention Systems (IPS)
Section 5.3 deals with the IPS appliances versus section 5.4 which deals with IOS IPS.
There are three basic things you're going to want to know. The first is the product line of devices. You really don't need to know the difference between a 4100 and a 9000 series - just get a general sense of the devices and the marketing terms that Cisco uses. The second thing you'll want to know is how to configure an IPS device. And the third area you'll want to concentrate on is the Signature Engines.
Besides the Cisco docs, you'll want to read chapters 12 and 13 of the ASA book and all of the Cisco Next-Generation Security Solutions book. The ASA book focuses on the AIP-SSM and AIP-SSC and contains somewhat older information.
NGIPS supplements legacy IPS functionality with more capabilities such as:
* Application awareness and control
* Content awareness of the information traversing the infrastructure
* Contextual awareness
* Host and user awareness
* Automated tuning and recommendations
* Impact and vulnerability assessment of the events taking place
Benefits:
+ Increased network availability
+ Faster remediation
+ Deployment flexibility
+ Comprehensive threat protection
If you've been in security for a while, you remember when IDS/IPS first came on the scene. The first generation of those devices looked at traffic and compared it against "signatures" that detected threats. That's nice, but it can only catch KNOWN threats. If you've seen VirusA and you know that it includes a certain string, you can match that string and detect VirusA. But that only works if you know what to look for - which lets "zero-day" threats impact your environment.
So the industry moved from signature-based to heuristic-based detection. This caught more attacks, since it detected what an attack does rather than just matching known attack signatures. But it still didn't catch everything, since it only recognized attack effects that had already been observed.
So anomaly-based detection arose. This learns what is "normal" on your network and alerts on or defends against "abnormal" traffic. The new NGIPS uses all three methods to protect and defend the network. To do this, it uses SMEs (Signature Microengines) to scan traffic and inspect it for attacks.
NGIPS can operate in two modes: inline and monitoring. Inline mode can itself be deployed in routed or switched mode. Monitoring mode is also known as "passive" mode.
Cisco NGIPS products include the following:
+ Cisco ASA5500-X with FirePOWER Services
+ Cisco Firepower NGFW appliances (4100, 9300 Series)
+ Cisco Firepower appliances (7000, 8000 Series)
+ vNGIPS (virtual NGIPS for virtual environments)
You can manage IPS using FMC (Firepower Management Center) or ASDM.
NGIPS Deployment Lifecycle
Step 1. Policy definition
Step 2. Product selection and planning
Step 3. Implementation and operation
Step 4. Evaluation and control
This looks like something that could pop up. Exams sometimes target these kinds of things - although if I were going to write a question on IPS, I would target the SMEs.
Be familiar with the various GUI interfaces used to configure IPS. It's very unlikely that you have (or had) access to the various iterations of IPS and the multiple interfaces used to configure it. For this, I highly recommend the multiple videos from INE that cover IPS. You will see IPS configured via ASDM and via the FMC. The one thing you don't want is to see an unfamiliar screenshot on the exam.
Another thing you will want to be familiar with is the syntax of Snort rules. You might also want to take some time to browse some of the links in TAC Documents on FirePOWER Service, FireSIGHT System and AMP.
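To make the Snort rule syntax concrete, here is an added example (my own code, not from this page, Cisco or the Snort project) that splits a rule into its seven-field header and its option block, honoring semicolons inside quoted msg/content values and rejecting an unterminated option. The sample rule, its sid and the path it matches are constructed for the demo.

```python
ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}

def _split_options(body: str) -> list:
    """Split 'k:v; k; ...' on semicolons that are not inside double quotes."""
    opts, cur, in_quote, prev = [], "", False, ""
    for ch in body:
        if ch == '"' and prev != "\\":
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append(cur.strip())
            cur = ""
        else:
            cur += ch
        prev = ch
    if cur.strip():
        raise ValueError("last option is not terminated with ';'")
    parsed = []
    for opt in opts:
        key, sep, val = opt.partition(":")
        val = val.strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]  # drop the quotes around msg/content values
        parsed.append((key.strip(), val if sep else None))
    return parsed

def parse_rule(text: str) -> dict:
    """Split the 7-field header from the parenthesised option block and validate both."""
    text = text.strip()
    if "(" not in text or not text.endswith(")"):
        raise ValueError("rule must end with an option block in parentheses")
    start = text.index("(")
    head, body = text[:start].split(), text[start + 1:-1]
    if len(head) != 7:
        raise ValueError("header must be: action proto src sport direction dst dport")
    action, proto, src, sport, direction, dst, dport = head
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if direction not in ("->", "<>"):
        raise ValueError(f"bad direction {direction!r}")
    return {"action": action, "proto": proto, "src": src, "src_port": sport,
            "direction": direction, "dst": dst, "dst_port": dport,
            "options": _split_options(body)}

# Constructed sample rule (not a real Snort/Talos rule): flags a request for /cgi-bin/test.cgi.
SAMPLE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
          '(msg:"WEB test.cgi access; demo"; flow:to_server,established; '
          'content:"/cgi-bin/test.cgi"; nocase; sid:1000001; rev:1;)')
```

Calling `parse_rule(SAMPLE)` returns the header fields plus the six options in order, with the semicolon inside the msg string preserved rather than treated as a separator.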
Know that once something is detected, the action can be:
* Send an alarm
* Drop the packet
* Reset the connection
* Deny traffic from the source IP for a specified amount of time
* Deny traffic on the connection for a specified amount of time
Know the types of SMEs:
ATOMIC.L3.IP
ATOMIC.ICMP
ATOMIC.IPOPTIONS
ATOMIC.TCP
ATOMIC.UDP
SERVICE.DNS
SERVICE.HTTP
SERVICE.FTP
SERVICE.SMTP
SERVICE.RPC
STRING.ICMP
STRING.TCP
STRING.UDP
The Signature Engines information on the Cisco site also mentions AIC, which provides thorough analysis of web traffic. There are two AIC engines: AIC FTP and AIC HTTP. The guide also does not mention "STRING"... but that is found in other documentation.
The above guide also mentions the parameters of the Master engine. Important ones are:
Signature ID
Alert Severity
Sig Fidelity Rating
Promiscuous Delta
Signature Type
Engine
You will want to know what those things are - there may be questions about them. The promiscuous delta lowers the risk rating of certain alerts in promiscuous mode. Because the sensor does not know the attributes of the target system and in promiscuous mode cannot deny packets, it is useful to lower the prioritization of promiscuous alerts (based on the lower risk rating) so the administrator can focus on investigating higher risk rating alerts.
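As an added illustration of how the Master engine parameters above (Alert Severity, Sig Fidelity Rating, Promiscuous Delta) feed the risk rating, here is my own example, not code from this page or from Cisco. The formula and weight tables are what I recall from Cisco's IPS configuration documentation and are an assumption here, as are the sample alerts and their made-up signature names.

```python
# Attack Severity Rating: numeric weight of the signature's Alert Severity.
ASR = {"informational": 25, "low": 50, "medium": 75, "high": 100}
# Target Value Rating: how much the administrator values the attacked asset.
TVR = {"zero": 50, "low": 75, "medium": 100, "high": 150, "mission-critical": 200}
# Attack Relevancy Rating: whether the target OS matches what the signature attacks.
ARR = {"relevant": 10, "unknown": 0, "not-relevant": -10}

def risk_rating(alert_severity, sig_fidelity, target_value="medium", relevancy="unknown",
                promiscuous=False, promiscuous_delta=0, watch_list=0):
    """RR = ASR * TVR * SFR / 10000 + ARR - PD + WLR, clamped to 0..100 (assumed
    formula from Cisco's IPS docs). The Promiscuous Delta (0..30, set per signature)
    is subtracted only when the sensor is in promiscuous mode, where it cannot drop."""
    if not 0 <= sig_fidelity <= 100:
        raise ValueError("Sig Fidelity Rating must be 0..100")
    if not 0 <= promiscuous_delta <= 30:
        raise ValueError("Promiscuous Delta must be 0..30")
    if not 0 <= watch_list <= 100:
        raise ValueError("Watch List Rating must be 0..100")
    rr = ASR[alert_severity] * TVR[target_value] * sig_fidelity / 10000 + ARR[relevancy]
    if promiscuous:
        rr -= promiscuous_delta
    rr += watch_list
    return max(0, min(100, round(rr)))

def triage_order(alerts, promiscuous):
    """Return (risk rating, signature name) pairs, highest risk first, so the
    analyst works the queue top-down; a large delta demotes a signature only in
    promiscuous mode."""
    scored = [(risk_rating(a["severity"], a["sfr"], a.get("tvr", "medium"),
                           a.get("arr", "unknown"), promiscuous, a.get("pd", 0)), a["sig"])
              for a in alerts]
    return sorted(scored, reverse=True)

# Constructed alerts with made-up signature names (no real signature IDs).
SAMPLE_ALERTS = [
    {"sig": "sigA-noisy-scan", "severity": "high", "sfr": 80, "pd": 30},
    {"sig": "sigB-exploit", "severity": "high", "sfr": 75, "tvr": "high", "arr": "relevant"},
    {"sig": "sigC-medium", "severity": "medium", "sfr": 88},
]

if __name__ == "__main__":
    for mode in (False, True):
        print("promiscuous" if mode else "inline", triage_order(SAMPLE_ALERTS, mode))
```

Inline, sigA scores 80 and sits above sigC at 66; in promiscuous mode its delta of 30 drops it to 50, below sigC, which is exactly the reprioritization the paragraph describes.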