
Version 4.1 - 6.7 Content and Packet Filtering

Like several other topics, the two Study Guides describe different content for this section, and I would consider this topic differently from either one. For me, this refers to IPS, access lists and regular expressions, which is material that I think has already been incorporated throughout the other topics you have studied.

There is a Flexible Packet Matching Configuration Guide on the Cisco site. I would think this is the material they are referencing with this section.

"Flexible Packet Matching (FPM) is an access control list (ACL) pattern matching tool, providing more thorough and customized packet filters. FPM enables users to match on arbitrary bits of a packet at an arbitrary depth in the packet header and payload. FPM removes constraints to specific fields that had limited packet inspection."

In Cisco IOS Release 12.4(4)T, FPM is available only in advanced security images.

In Cisco IOS Release 12.2(18)ZY, FPM is available in ipbase and ipservices images for the Supervisor Engine 32 Programmable Intelligent Services Accelerator (PISA) platform.

FPM cannot be used to mitigate an attack that requires stateful classification.

Because FPM is stateless, it cannot keep track of port numbers being used by protocols that dynamically negotiate ports. Thus port numbers must be explicitly specified when using FPM.

FPM cannot perform IP fragmentation or TCP flow reassembly.

FPM inspects only IPv4 unicast packets.

Noninitial fragments will not be matched by the FPM engine.

A filtering policy is defined via the following tasks:

1. Load a PHDF (protocol header description file), which defines the header fields available for matching
2. Define a class map and define the protocol stack chain (traffic class)
3. Define a service policy (traffic policy)
4. Apply the service policy to an interface
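To make the four tasks and the limits listed above concrete, here is an added Python model (not Cisco code or configuration) of how a stateless FPM-style policy evaluates a packet: a field table standing in for the PHDF, a stack chain (IP protocol eq 0x11 next UDP), an access-control class with an explicit UDP port plus a `match start l3-start offset N size S eq V` test, and the eligibility rules (IPv4 unicast, initial fragment only). The PHDF layout, the `Policy` class, `build_udp` and the UDP/5555 "MARK" signature are all constructed for illustration.

```python
"""Toy model of FPM-style stateless offset matching (added example, not Cisco code)."""
from dataclasses import dataclass

# Stand-ins for the ip.phdf / udp.phdf header definitions: name -> (offset, size)
IP_PHDF = {"protocol": (9, 1), "dest-addr": (16, 4)}
UDP_PHDF = {"dest-port": (2, 2)}

def _be(buf: bytes, off: int, size: int) -> int:
    return int.from_bytes(buf[off:off + size], "big")

def eligible(pkt: bytes) -> bool:
    """FPM inspects only IPv4 unicast and never noninitial fragments."""
    if len(pkt) < 28 or pkt[0] >> 4 != 4:
        return False
    if _be(pkt, 6, 2) & 0x1FFF:            # fragment offset != 0: skipped
        return False
    return pkt[16] < 224                    # 224.0.0.0/4 is multicast

@dataclass(frozen=True)
class Policy:
    dest_port: int   # must be explicit: stateless FPM cannot learn negotiated ports
    offset: int      # bytes from l3-start, i.e. arbitrary depth into the payload
    size: int
    value: int

def fpm_drops(pkt: bytes, pol: Policy) -> bool:
    """Stack chain (IP protocol eq 0x11 next UDP), then the access-control class."""
    if not eligible(pkt):
        return False
    ihl = (pkt[0] & 0x0F) * 4
    off, size = IP_PHDF["protocol"]
    if _be(pkt, off, size) != 0x11:
        return False
    off, size = UDP_PHDF["dest-port"]
    if _be(pkt, ihl + off, size) != pol.dest_port:
        return False
    return _be(pkt, pol.offset, pol.size) == pol.value   # match start l3-start offset N size S eq V

def build_udp(dst_port: int, payload: bytes, frag_off: int = 0, dst_first: int = 10) -> bytes:
    """Constructed IPv4/UDP packet for testing (checksums left zero)."""
    ip = (bytes([0x45, 0]) + (28 + len(payload)).to_bytes(2, "big") + b"\x00\x01"
          + frag_off.to_bytes(2, "big") + bytes([64, 0x11, 0, 0])
          + bytes([10, 0, 0, 1, dst_first, 0, 0, 2]))
    udp = b"\x9c\x40" + dst_port.to_bytes(2, "big") + (8 + len(payload)).to_bytes(2, "big") + b"\x00\x00"
    return ip + udp + payload

# Constructed signature: UDP/5555 carrying "MARK" four bytes into the payload
SAMPLE = Policy(dest_port=5555, offset=32, size=4, value=0x4D41524B)
```

Feeding the model a noninitial fragment, a multicast destination or the same payload on a different port shows why the page warns that FPM cannot help where stateful classification or reassembly is required.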

"TCDFs are FPM filters in XML format. Each TCDF file is designed to filter for a single individual worm or virus. TCDF packaging support provides packages containing at least one or more worm or virus filters and efficiently updates FPM filters as threat characteristics change. When FPM filters are updated, all systems in a network are automatically updated. This behavior reduces the amount of router configuration needed to deploy FPM filters."

The first study guide relates packet filtering to access lists. Then it discusses the "Cisco IOS Content Filtering feature using Trend Micro infrastructure." For more information, see Configuring Trend Micro Content Security. Basically, this refers to the CSC SSM (which is obsolete). It has been replaced by Cisco Cloud Web Security (formerly known as ScanSafe). Not sure how much you should trust the exam to be "up-to-the-minute" on anything; there have been a number of EOL/EOS devices listed in the blueprint.

The other guide runs up the OSI model with this for some reason.

Layer 1 (Physical) - Secure access to the cabling infrastructure and monitor for cable tampering.

Layer 2 (Data Link) - MAC address filtering and ARP inspection and filtering

Layer 3 (Network) -
* IP address filtering
* RFC 1918 filtering
* uRPF filtering
* RFC 2827 - Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing

Layer 4 (Transport) - TCP/UDP port filtering

Layers 5 (Session), 6 (Presentation) and 7 (Application) all list MAC address filtering and ARP inspection and filtering (also mentioned in layer 4). Not sure why the author chose to go that route or why he added these in for the upper layers.

Like I said - I took this section to mean something else - which was already covered in previous sections.
