Cisco has announced big changes to its certification program. As of February 24, 2020, all current certifications will be retired, and Cisco will begin offering new certification programs. The good news is that if you're working toward any current CCNA certification, keep going: you have until February 23, 2020 to complete your current CCNA. If you already hold the CCENT/ICND1 certification and would like to earn CCNA, you have until February 23, 2020 to complete your CCNA certification in the current program. Likewise, if you're thinking of completing the current CCENT/ICND1, ICND2, or CCNA Routing and Switching certification, you can still complete them between now and February 23, 2020.

Up the ante on your FirePOWER with Advanced FireSIGHT Administration exam prep. Securing Cisco Networks with Sourcefire IPS Study Guide, Exam 500-285, provides 100% coverage of the FirePOWER with Advanced FireSIGHT Administration exam objectives. With clear and concise information on crucial next-generation network security topics, this comprehensive guide includes practical examples and insights drawn from real-world experience, exam highlights, and end-of-chapter reviews. Learn key exam topics and powerful features of Cisco FirePOWER Services, including the FireSIGHT Management Center, in-depth event analysis, IPS tuning and configuration, and the Snort rules language. Gain access to Sybex's superior online learning environment, which includes practice questions, flashcards, and an interactive glossary of terms.

* Use and configure next-generation Cisco FirePOWER services, including application control, firewall, and routing and switching capabilities
* Understand how to accurately tune your systems to improve performance and network intelligence while leveraging powerful tools for more efficient event analysis
* Complete hands-on labs to reinforce key concepts and prepare you for the practical applications portion of the examination
* Access Sybex's online interactive learning environment and test bank, which includes an assessment test, chapter tests, bonus practice exam questions, electronic flashcards, and a searchable glossary

Securing Cisco Networks with Sourcefire IPS Study Guide, Exam 500-285 provides you with the information you need to prepare for the FirePOWER with Advanced FireSIGHT Administration examination.
Page count: 487
Year of publication: 2015
Todd Lammle
John Gay
Alex Tatistcheff
Senior Acquisitions Editor: Kenyon Brown
Development Editor: Kathi Duggan
Technical Editor: Richard Clendenning
Production Editor: Christine O'Connor
Copy Editor: Judy Flynn
Editorial Manager: Mary Beth Wakefield
Production Manager: Kathleen Wisor
Associate Publisher: Jim Minatel
Book Designers: Judy Fung and Bill Gibson
Proofreader: Josh Chase, Word One New York
Indexer: Robert Swanson
Project Coordinator, Cover: Brent Savage
Cover Designer: Wiley
Cover Image: © Getty Images Inc./Jeremy Woodhouse
Copyright © 2016 by John Wiley & Sons, Inc., Indianapolis, Indiana
Published by John Wiley & Sons, Inc. Indianapolis, Indiana
Published simultaneously in Canada
ISBN: 978-1-119-15503-4
ISBN: 978-1-119-15505-8 (ebk.)
ISBN: 978-1-119-15504-1 (ebk.)
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.
Manufactured in the United States of America
Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read.
For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.
Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.
Library of Congress Control Number: 2015951789
TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. Cisco is a registered trademark of Cisco Technology, Inc. Sourcefire is a registered trademark of Sourcefire, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.
To my wife Shelly who has learned to live all these years with a computer nerd.—Alex
To Jennifer and Paul Gay: Without your support through the late nights, I never would have made it! Thank you for the wonderful years, and I look forward to many more.—John
There are many people who work to put a book together, and although as authors we dedicate an enormous amount of time to write the book, it would never be published without the dedicated, hard work of many other people.
First, Kenyon Brown, my acquisitions editor, is instrumental to my success in the Cisco world. I look forward to our continued progress together in this crazy certification world we call Cisco!
Big thanks to Kathryn Duggan, my developmental editor, who helped keep this project together, and on time. No easy feat! Thank you, Kathryn, once again!
Christine O’Connor, my production editor, and Judy Flynn, my copy editor, are my rock and foundation for formatting and intense editing of every page in this book. This amazing team gives me the confidence to help me keep moving during the difficult and very long days, week after week. I could never imagine writing a single page of a book if I didn’t know that the amazing duo of Christine and Judy was behind me all the way! Thank you from the bottom of my heart.
Last listed, but certainly not least, is Richard Clendenning. Phenomenal tech editing at its best and an amazing eye for detail allowed the authoring team to really shine in this book. Thank you, Richard!
—From Todd
Thanks to Todd for driving this entire project. If you ever meet him, you will understand right away how he could write over 60 books. Todd, you’re a wild man!
And I would be remiss not to thank my Lord Jesus Christ, to whom I owe literally everything.
—From Alex
Karen Paulson, my former boss who brought me to the Sourcefire team and supported my career development and growth: I cannot thank her enough for her support over the years.
And to Ed Mendez, a co-worker who has fostered my development and been a great learning partner: thanks, man, for all the help!
—From John
Alex Tatistcheff is currently a network consulting engineer for Cisco Security Solutions specializing in FireSIGHT. Alex came to Cisco via the acquisition of Sourcefire, Inc., in 2013. At Sourcefire, he worked for over five years as a senior security instructor teaching the Sourcefire System, Snort, and rule writing classes. During this time, he also completed consulting engagements with several dozen customers.
Prior to coming to Sourcefire, Alex worked on the security team for a large electric utility as a Sourcefire customer and before that as a network/security consultant for numerous organizations.
Alex calls Boise, Idaho, home, where he lives with his wife, Shelly, and two Australian shepherds, Molly and Boomer. He enjoys mountain biking, traveling, and Raspberry Pi.
John Gay is a field security enablement lead with Cisco Systems. He is responsible for facilitating the learning of internal customers. Prior to Cisco's acquisition of Sourcefire, John served as director of instructional delivery, where he managed the instructor team and assisted in the creation and delivery of learning material. Since 1999, John has been in the security industry, training students around the world in IDS/IPS/NGFW/vulnerability assessment. This includes Fortune 500 companies, government agencies, and even military units in theater. Prior to beginning his career in security, John was teaching networking, routing, and back-office applications for a world-class training company. He was also tasked with giving technology presentations for high-profile partners at customer sites and conferences. John has been involved with computers and technology for over 30 years and has had over 20 years in the industry. He also holds a BS in Communication Arts and an MS in Instructional Technology.
Todd Lammle is the authority on Cisco certification and internetworking and is Cisco certified in most Cisco certification categories. He is a world-renowned author, speaker, trainer, and consultant. Todd has three decades of experience working with LANs, WANs, and large enterprise licensed and unlicensed wireless networks, and lately he's been implementing large Cisco data centers worldwide as well as FirePOWER technologies. His years of real-world experience are evident in his writing; he is not just an author but an experienced networking engineer with very practical experience working on the largest networks in the world at such companies as Xerox, Hughes Aircraft, Texaco, AAA, Cisco, and Toshiba, among many others. Todd has published over 60 books, including the very popular CCNA: Cisco Certified Network Associate Study Guide, CCNA Wireless Study Guide, and CCNA Data Center Study Guide as well as this FirePOWER study guide, all from Sybex. He runs an international consulting and training company based in Colorado, Texas, and San Francisco.
You can reach Todd through his website at www.lammle.com/firepower.
Introduction
Why Should You Become Certified in the SSFIPS Securing Cisco Networks with Sourcefire Intrusion Prevention System?
What Does This Book Cover?
Interactive Online Learning Environment and Test Bank
How to Use This Book
Where Do You Take the Exams?
SSFIPS Exam Objectives
Assessment Test
Answers to Assessment Test
Chapter 1 Getting Started with FireSIGHT
Industry Terminology
Cisco Terminology
Appliance Models
FireSIGHT Licensing
Network Design
Policies
The User Interface
Initial Appliance Setup
Summary
Hands-on Lab
Review Questions
Chapter 2 Object Management
What Are Objects?
Getting Started
Network Objects
Security Intelligence
Port Objects
VLAN Tag
URL Objects and Site Matching
Application Filters
Variable Sets
File Lists
Security Zones
Geolocation
Summary
Hands-on Lab
Exam Essentials
Review Questions
Chapter 3 IPS Policy Management
IPS Policies
Default Policies
Policy Layers
Creating a Policy
Summary
Hands-on Labs
Exam Essentials
Review Questions
Chapter 4 Access Control Policy
Getting Started with Access Control Policies
Security Intelligence Lists
Access Control Rules
Summary
Hands-on Lab
Exam Essentials
Review Questions
Chapter 5 FireSIGHT Technologies
FireSIGHT Technologies
Summary
Hands-on Labs
Exam Essentials
Review Questions
Chapter 6 Intrusion Event Analysis
Intrusion Analysis Principles
The Dashboard and Context Explorer
Intrusion Events
Summary
Hands-on Lab
Exam Essentials
Review Questions
Chapter 7 Network-Based Malware Detection
AMP Architecture
File Policy
File Types and Categories
File and Malware Event Analysis
Summary
Hands-on Lab
Exam Essentials
Review Questions
Chapter 8 System Settings
User Preferences
System Configuration
System Policy
Health
Summary
Hands-on Lab
Exam Essentials
Review Questions
Chapter 9 Account Management
User Account Management
User Privileges
Creating New User Accounts
Configuring External Authentication
Summary
Hands-on Lab
Exam Essentials
Review Questions
Chapter 10 Device Management
Device Management
NAT Configuration
Virtual Private Networks
Summary
Hands-on Labs
Exam Essentials
Review Questions
Chapter 11 Correlation Policy
Correlation Overview
Correlation Rules, Responses, and Policies
White Lists
Traffic Profiles
Summary
Hands-on Lab
Exam Essentials
Review Questions
Chapter 12 Advanced IPS Policy Settings
Advanced Settings
Summary
Hands-on Lab
Exam Essentials
Review Questions
Chapter 13 Creating Snort Rules
Overview of Snort Rules
Writing Rules
Summary
Exam Essentials
Review Questions
Chapter 14 FireSIGHT v5.4 Facts and Features
Branding
Simplified IPS Policy
Network Analysis Policy
Access Control Policy
SSL Inspection
New Rule Keywords
Platform Enhancements
International Enhancements
Minor Changes
Summary
Appendix Answers to Review Questions
Advert
EULA
List of Tables
Chapter 1
Table 1.1
Table 1.2
Table 1.3
Table 1.4
Chapter 6
Table 6.1
Chapter 7
Table 7.1
Chapter 11
Table 11.1
Chapter 13
Table 13.1
Table 13.2
List of Figures
Chapter 1
Figure 1.1 Inline IPS
Figure 1.2 Passive IPS
Figure 1.3 Web UI login screen
Figure 1.4 Analysis and configuration items
Figure 1.5 Operational Items
Figure 1.6 Network configuration
Figure 1.7 Time and update settings
Chapter 2
Figure 2.1 The Objects menu
Figure 2.2 Object types
Figure 2.3 Network object groups
Figure 2.4 The IP context menu
Figure 2.5 Warning dialog
Figure 2.6 Update Feeds button
Figure 2.7 Custom Security Intelligence feed dialog
Figure 2.8 Custom Security Intelligence list dialog
Figure 2.9 Port Objects dialog
Figure 2.10 Port object groups
Figure 2.11 VLAN tag group
Figure 2.12 Creating URL groups
Figure 2.13 Application Filter dialog
Figure 2.14 Application filter balloon
Figure 2.15 Edit Variable dialog
Figure 2.16 Editing the HOME_NET variable
Figure 2.17 Customized variable set
Figure 2.18 Edit Variable FTP_PORTS dialog
Figure 2.19 Variable set warning dialog
Figure 2.20 File List dialog
Figure 2.21 Adding file list entries
Figure 2.22 Security zones
Figure 2.23 Security zones edit dialog
Figure 2.24 Security zone confirmation dialog
Figure 2.25 Creating a geolocation object
Chapter 3
Figure 3.1 Policy layers
Figure 3.2 Create Intrusion Policy dialog
Figure 3.3 The Policy Information section in the policy editor
Figure 3.4 The Rules section in the policy editor
Figure 3.5 The Threshold dialog
Figure 3.6 Dynamic State dialog
Figure 3.7 The FireSIGHT Recommended Rules Configuration screen
Figure 3.8 Policy layers
Figure 3.9 IPS policy repository
Chapter 4
Figure 4.1 The Access Control policy main page
Figure 4.2 Creating a new AC policy
Read on in the full edition!