Mar 10,2010 by alperen
 The signature severity represents the
probability that the matched signature represents a real and immediate security
threat to your systems and network. Each signature has a default severity
assigned to it by Cisco security engineers and these default severities are ... [full story]
|
Mar 10,2010 by alperen
 The signature types describe the type
of network traffic the signature is used to match. Some signatures detect
intrusions by examining the TCP connection requests or UDP connections. Other
signature types examine the protocol information in the IP headers or ... [full story]
|
Mar 10,2010 by alperen
 CIDS signatures fall into four classes. Signatures belong to
one of the four classes, based on the type of attack the signature was designed
to detect. As discussed in Chapter 23, there are three types of attacks: Reconnaissance,
Access, and ... [full story]
|
Mar 10,2010 by alperen
 The signature implementations of CIDS signatures come in two
types: every signature is either context based or content based. Each of these
two types of signature implementations describes which part of the TCP/IP packet
is examined.
Context-Based Signatures
Context-based signatures are ... [full story]
|
Mar 10,2010 by alperen
 CIDS organizes all the signatures into a series. When an
alarm is sent, the signature that generated the alarm is also sent. The Event
Viewer displays not only the alarm, but also the signature ID. While recognizing
every signature ID ... [full story]
|
Mar 10,2010 by alperen
 CIDS signatures form the intelligence built
into your network sensors. A signature is a set of rules
pertaining to typical intrusion activity that, when matched, generates a unique
response.
Signatures can be broken down to be included into a number of ... [full story]
|
Mar 10,2010 by alperen
 Overview
In this chapter, you will learn how to:
Understand the CIDS signature series
Recognize signature structure and implementation
Make use of signature types
Know about signature classes
Understand signature series
Use signature categories
Learn about signature severities
View and manage alarms
Use Event Viewer customization
Configure preference settings
Understand the ... [full story]
|
Mar 10,2010 by alperen
 Questions
1. Which of the following is a disadvantage to placing a single sensor in front of a filtering device?
If the sensor is placed in front of the filtering device, it will be unable to detect interior attacks
If the sensor is ... [full story]
|
Mar 10,2010 by alperen
 Extensive planning and preparation are required before
deploying sensors on your internetwork. Until some auditing and planning are
done, you can't even be sure which sensors are needed. This chapter discussed
the planning and auditing that can be accomplished to ... [full story]
|
Mar 10,2010 by alperen
 When a new sensor is installed on the network, it lacks any
specific configuration information. In its default state, the sensor has no way
of communicating on the network or with any management platform. Before a sensor
can be operational, ... [full story]
|
Mar 10,2010 by alperen
 Once the sensor is installed and powered on, you must gain
management access to the sensor. This section describes the methods you can use
to connect to your sensor, as well as the default user account you’ll use for
initial ... [full story]
|
Mar 10,2010 by alperen
 Once you decide on the proper placement and deployment strategy,
you can then begin to install and configure the sensors. Before you can use
Cisco Secure Policy Manager (CSPM) to configure your sensors, though, you must
first connect to the ... [full story]
|
Mar 04,2010 by alperen
 The Administration Area is where the
administrative functions can be configured and performed. The Administration
Area contains the following Sub-Areas:
System Information
Update
Manual Blocking
Diagnostics
System Control
IDM Properties
System Information (Administration | System Information)
The system information panel lists configuration and system
information for the ... [full story]
|
Mar 04,2010 by alperen
 The Monitoring Area contains logs and
statistics generated by the sensor. The monitoring area contains the Sub-Areas,
Logs, Statistics, and Event Viewer. This Area and the Sub-Area contain
information and reports about both the sensor and its operating environment.
Logs (Monitoring ... [full story]
|
Mar 04,2010 by alperen
 Adding Remote Hosts (Configuration | Communications | Remote Hosts)
By default, the CIDS sensors publish alarm and event data to
the host on which you installed IDS Device Manager. You can change
or add additional hosts, allowing the ... [full story]
|
Mar 04,2010 by alperen
 Once the sensor is bootstrapped with the correct
configuration, the IDS Device Manager application can be used to configure and
manage the CIDS sensor. To configure the sensor, you must use a web browser,
such as Netscape or Internet Explorer, ... [full story]
|
Mar 04,2010 by alperen
 The Device Manager GUI interface consists of the
following:
Area Bar
Sub-Area Bar
TOC
Content Area
Path Bar
Tool Bar
Area Bar
The Area Bar contains the four major configuration headings
that can be selected to configure specific settings for the IDS sensor. Once an
area is ... [full story]
|
Mar 04,2010 by alperen
 Before the IDS Device Manager can be used to configure CIDS
sensors, the sensors must first be bootstrapped, as previously discussed. Once
the sensors are bootstrapped, you can connect to the sensor using Netscape or
Internet Explorer. To connect, simply ... [full story]
|
Mar 04,2010 by alperen
 The IDS Device Manager is a web
application that comes preinstalled on all sensors version 3.1 or higher. This
application can be used to configure and manage your CIDS sensors. You can
access the IDS Device Manager using Netscape or ... [full story]
|
Feb 26,2010 by alperen
 While some models of the 4200 series network sensor
appliance are capable of monitoring up to 500 Mbps, no sensors are capable of
monitoring gigabit or multi-gigabit connections. Some network design changes may
be required to allow for the inclusion ... [full story]
|
Feb 26,2010 by alperen
 The larger and more complex your network, the more likely
you’ll be forced to deploy multiple sensors throughout the internetwork. Some
company departments manage their own Internet and business partner connections,
as well as security policies. When the network and ... [full story]
|
Feb 26,2010 by alperen
 The sensor is designed to monitor all traffic crossing a
given network segment. You must consider all external network connections and
remote access points you want to protect. The four basic entry points to
consider are illustrated in Figure 25-1. ... [full story]
|
Feb 26,2010 by alperen
 Extensive planning and preparation are required before
deploying sensors on your internetwork. Until some auditing and planning are
done, you can’t even be sure which sensors are needed. Before you can begin
installing your sensors, you must first understand where ... [full story]
|
Feb 26,2010 by alperen
 In this chapter, you will learn to:
Plan for the proper deployment of CIDS sensors
Understand the common strategies used to deploy sensors
Sensor bootstrap configuration
Use Cisco’s IDS Device Manager
Configure sensors using IDS Device Manager
Sensors form the heart and eyes of the Cisco ... [full story]
|
Feb 26,2010 by alperen
 Questions
1. Which of the following sensor models is capable of delivering 200 Mbps or more of monitoring and analyzing?
The IDSM module for the Catalyst 5500
The IDSM module for the Catalyst 6500
The 4235 network sensor appliance
The 4250 network sensor appliance
2. On which ... [full story]
|
Feb 26,2010 by alperen
 The Cisco Secure Intrusion Detection System (CIDS) is a
network-based IDS that uses signatures to detect intrusive activity on your
network. The CIDS systems rely on both a sensor platform to capture and analyze
network traffic, and an Event Viewer ... [full story]
|
Feb 25,2010 by alperen
 During typical operations, the CIDS infrastructure
components generate a great deal of information in the form of log files. Log
files are created via the loggerd daemon. These log files
are stored as text files on both the sensor and ... [full story]
|
Feb 25,2010 by alperen
 The CIDS directory structure follows a hierarchy modeled
after the UNIX OS. The organization of the structure allows administrators to
locate important system and configuration files quickly. The only variable in
the directory structure is the name and location of ... [full story]
|
Feb 25,2010 by alperen
 Two different types of commands are available with CIDS: system commands and configuration commands. System commands allow
the administrators to view and manage the IDS environment, while configuration
commands are used to view and configure the CIDS sensor and director ... [full story]
|
Feb 25,2010 by alperen
 Both the sensors and the director platforms have their own
OS and IDS software components. The components that make up the IDS software
system are called daemons or services. Each function of CIDS is handled through
different daemons or services, ... [full story]
|
Feb 25,2010 by alperen
 The preceding section described the operations and
functionality of CIDS. To understand CIDS completely, you must also understand
the architecture that makes up the CIDS. This section discusses the major
architecture aspects of the CIDS environment. The following major components ... [full story]
|
Feb 24,2010 by alperen
 When a signature is matched, the Cisco IDS sensors can be
configured to take preventative action to stop further intrusive activity. The
Cisco Active Response System (CARS) allows the sensor to take control of other
systems, such as routers, firewalls, ... [full story]
|