Expert Reference Series of White Papers. Cisco Security Troubleshooting: Part III Intrusion Prevention Systems
Cisco Security Troubleshooting: Part III Intrusion Prevention Systems

Douglas B. McKillip, P.E., CCSI, CCSP, CCIE #1851

Introduction

This paper is the third in a three-part series of white papers on Cisco security troubleshooting, each of which examines the challenge of implementing network security on equipment from Cisco Systems while maintaining the connectivity requirements of the business or enterprise. The focus of this third paper is primarily on troubleshooting the proper sensing operation of a signature-based Intrusion Prevention System (IPS). The first two papers in this series are: Troubleshooting Part I Connectivity Through ASA or PIX Firewalls and Troubleshooting Part II Virtual Private Networks.

Troubleshooting Scenario

The following scenario will be used to illustrate many of the concepts discussed in this Cisco security white paper. If the names and IP Addresses look familiar to some of you, this is because the diagram represents a portion of the lab topology used in Cisco Security classes offered by Global Knowledge.

[Figure: troubleshooting scenario topology showing the Perimeter Router, ASA/PIX, DMZ Subnet, Outside-PC, DMZ-Srv and Admin-PC]

Copyright 2009 Global Knowledge Training LLC. All rights reserved.
Intrusion Prevention Systems

Before we illustrate the effective use of sensor (CLI) commands as well as IPS Device Manager, some basic principles of operation first need to be discussed. For all deployments of sensor appliances and modules, the interfaces belonging to these devices can take one of three roles.

1) Command and Control/Management - one per device; only interface with an IP address
2) Promiscuous - multiple per device; sensing interface
3) Inline (as part of a pair) - multiple per device; sensing interface

While the Command and Control/Management interface is used for Management and Monitoring, the Promiscuous or Inline Pair interfaces are the ones into which the packets to be sensed arrive. The following sequence of events occurs with a properly operating and configured signature-based IPS.

1) A packet arrives at a sensing interface (promiscuous or part of an inline pair).
2) The packet is captured by what is known as the sensor app or analysis engine.
3) The sensor app invokes independent signature engines for matching of patterns.
4) If a pattern match is found against the signature database, an alert is generated.
5) Additional deny, blocking, capture, or alert actions are taken, if configured.

The steps outlined above are an oversimplified example of how the IPS operates, assuming that the signature being matched is enabled and that the alerting behavior is configured. Secondly, the pattern match described in the fourth step could be the final packet in a multi-packet or fragment stream versus a single atomic capture. This Cisco white paper will focus on troubleshooting the failure of any of the five steps shown above.

Promiscuous Mode Operation - Single Switch with SPAN Port

The diagram to the right represents a modification to the troubleshooting scenario depicted earlier, illustrating the implementation of a promiscuous sensing interface on an IPS plugged into a switch.
A Switched Port Analyzer (or SPAN port, as it is commonly known) has been configured for copying packets that enter the switch port connected to the DMZ interface of the ASA or PIX firewall. IOS-based switches must be configured with the monitor global configuration command, using the following syntax.
    monitor session 1 source interface <hw-interface-name#> both
    monitor session 1 destination interface <hw-interface-name#>

The keyword both is used above to indicate packets being both received and transmitted by the interface. The commands show monitor and debug monitor can be used to verify proper configuration and operation, respectively. A sample display of show monitor is shown below.

    IPS-Sw# show monitor
    Session Type : Local Session
    Source Ports :
    Both : Fa0/1
    Destination Ports : Fa0/4
    Encapsulation : Native
    Ingress: Disabled

Promiscuous Mode Operation - Multiple Switches with RSPAN

Occasionally, an IPS will need to be operated in promiscuous mode connected to a switch other than the one through which the interesting traffic is flowing. In this case, a Remote SPAN or RSPAN VLAN can be used to copy packets from the source switch to this VLAN, carried by a trunk port between the switches, and then to a SPAN port on the destination switch. Several key steps are required on the two switches to accomplish this.

On both switches (900 is an example; any unassigned VLAN # here is fine):

    Switch(config)# vlan 900
    Switch(config-vlan)# remote-span
On Switch2 (see previous diagram):

    Switch2(config)# monitor session 1 source interface <hw-interface-name#>
    Switch2(config)# monitor session 1 destination remote 900

On Switch1 (see previous diagram):

    Switch1(config)# monitor session 1 source remote 900
    Switch1(config)# monitor session 1 destination interface <hw-interface-name#>

Once these configurations are in place and spanning-tree for the RSPAN VLAN has been disabled, the reception of packets by the IPS promiscuous interface can be verified by a simple show interface command.

    Sensor1# show interface
    Interface Statistics
       Total Packets Received = 417
       Total Bytes Received =
       Missed Packet Percentage = 0
       Current Bypass Mode = Auto_off
    MAC statistics from interface GigabitEthernet0/0
       Interface function = Sensing interface
       Description =
       Media Type = TX
       Default Vlan = 0
       Inline Mode = Unpaired
       Pair Status = N/A
       Hardware Bypass Capable = No
       Hardware Bypass Paired = N/A
       Link Status = Up
       Link Speed = Auto_100
       Link Duplex = Auto_Half
       Missed Packet Percentage = 0
       Total Packets Received = 417
       Total Bytes Received =

While this command will verify that the sensor is receiving packets, it does not verify that the bi-directional flow between each session endpoint is seen. A more useful command on the sensor to verify this sessionized flow is the packet capture command as seen below (which can also be done for inline operation).
    Sensor1# packet capture GigabitEthernet0/0
    Warning: This command will cause significant performance degradation
    tcpdump: WARNING: ge0_0: no IPv4 address assigned
    tcpdump: listening on ge0_0, link-type EN10MB (Ethernet), capture size bytes
    115 packets captured
    115 packets received by filter
    0 packets dropped by kernel
    Sensor1# packet display packet-file
    reading from file /usr/cids/idsroot/var/packet-file, link-type EN10MB (Ethernet)
    ...(other output omitted)...
    21:24: IP > : icmp 1208: echo request seq
    :24: IP > : icmp 1208: echo reply seq
    :24: IP > : icmp 1208: echo request seq
    :24: IP > : icmp 1208: echo reply seq
    :24: IP > : icmp 1208: echo request seq
    :24: IP > : icmp 1208: echo reply seq
    :24: IP > : icmp 1208: echo request seq
    :24: IP > : icmp 1208: echo reply seq 4096

As can be seen from the trace above of a 1200 byte ping from to , both the echo-request and echo-reply packets can be seen. The observation of both directions of flow is necessary for the IPS sensor to properly reassemble fragmented packets in addition to its ability to observe well-behaved TCP connections (the completion of 3-way handshake & FIN exchange, for example).
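The bidirectional check described above can be scripted once the packet display text has been saved off the sensor. The following is an added example, not part of the original paper: it assumes tcpdump-style numeric IPv4 lines, and the function names and sample addresses (documentation ranges) are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the text layout tcpdump prints for IPv4 packets.
# Addresses are from documentation ranges, not the paper's lab values.
# The last two lines are an unanswered TCP SYN and its retransmission, which
# is what a SPAN session mirroring only one direction would look like.
SAMPLE_CAPTURE = """\
21:24:01.100000 IP 192.0.2.10 > 198.51.100.20: icmp 1208: echo request seq 1024
21:24:01.100900 IP 198.51.100.20 > 192.0.2.10: icmp 1208: echo reply seq 1024
21:24:02.101000 IP 192.0.2.10 > 198.51.100.20: icmp 1208: echo request seq 1280
21:24:02.101800 IP 198.51.100.20 > 192.0.2.10: icmp 1208: echo reply seq 1280
21:24:03.200000 IP 192.0.2.10.51515 > 198.51.100.30.80: S 1000:1000(0) win 8192
21:24:06.200000 IP 192.0.2.10.51515 > 198.51.100.30.80: S 1000:1000(0) win 8192
"""

# timestamp, "IP", source endpoint, ">", destination endpoint, ":", details
LINE_RE = re.compile(r"^\S+\s+IP\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+?):\s+.*$")


def flow_directions(capture_text):
    """Count packets per direction for every endpoint pair.

    Returns {(endpoint_a, endpoint_b): [a_to_b, b_to_a]} where the two
    endpoints are stored in sorted order so both directions share one key.
    An endpoint is "addr" for ICMP or "addr.port" for TCP/UDP, as printed.
    """
    flows = defaultdict(lambda: [0, 0])
    for raw in capture_text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue  # banners, warnings, non-IPv4 lines
        src, dst = match.group("src"), match.group("dst")
        key = tuple(sorted((src, dst)))
        flows[key][0 if src == key[0] else 1] += 1
    return dict(flows)


def one_way_flows(capture_text):
    """Endpoint pairs for which only one direction was captured."""
    return sorted(
        key
        for key, (a_to_b, b_to_a) in flow_directions(capture_text).items()
        if a_to_b == 0 or b_to_a == 0
    )


if __name__ == "__main__":
    for (a, b), (ab, ba) in sorted(flow_directions(SAMPLE_CAPTURE).items()):
        status = "both directions" if ab and ba else "ONE DIRECTION ONLY"
        print(f"{a} <-> {b}: {ab} / {ba} packets ({status})")
```

A one-way pair in a capture of traffic that is known to be answered points at the mirroring configuration (for example a source port monitored without the both keyword) rather than at the sensor.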
Inline Mode Operation - Both Interfaces on the Same Switch

The diagram shown above is a more detailed depiction of the Troubleshooting Scenario seen at the beginning of this paper. If the two interfaces on an IPS sensor inline pair are connected to the same switch, the DMZ Server and the ASA/PIX dmz interface must be on different VLANs; otherwise, the sensor will be bypassed. Since each VLAN is traditionally thought of as its own broadcast domain, this means that VLAN 3 and VLAN 13 now have been effectively combined into one.

Verification of Sensor Analysis Engine Proper Operation

Now that we have examined ways to confirm the proper capture of traffic by using a promiscuous interface or an inline pair, our next focus will be on the analysis engine itself, or sensor app. There are several ways to confirm that the analysis engine is running. The first of these is a simple CLI-based command, show version, whose output is shown below.

    show version
    Application Partition:
    Cisco Intrusion Prevention System, Version 6.0(2)E1
    Host:
        Realm Keys key1.0
    Signature Definition:
        Signature Update S
        Virus Update V
    (output omitted) ---
    MainApp 2007_MAR_29_14_06 (Release) T14:44: Running
    AnalysisEngine 2007_MAR_29_14_06 (Release) T14:44: Running
    CLI 2007_MAR_29_14_06 (Release) T14:44:
As can be seen previously by the bolded text, the AnalysisEngine is operational. On the next page, an analogous screenshot of IDM is shown of the Monitoring --> System Information area. The display in the text window also indicates a running status.

Verification of Operational Status of Signature Engines

The third step in the five-step sequence of events outlined in the beginning of this paper was the analysis of captured packet(s) by the various signature engines. A signature engine is a category or family of pattern matches with common tunable thresholds and parameters. An example of this category would be ATOMIC.IP, where the signatures belonging to that family are all matched by examining the packet headers of an IP packet (which would also include the ICMP, UDP, or TCP headers). As shown by the output below, the CLI command show statistics analysis-engine can be used to verify activity of the signature engines.

    show statistics analysis-engine
    Analysis Engine Statistics
       Number of seconds since service started =
       The rate of TCP connections tracked per second = 0
       The rate of packets per second = 5
       The rate of bytes per second =
    (output omitted) ----
    Inspection Stats
       Inspector active call create delete createpct callpct
       AtomicL3L4_IP
       AtomicL3L4_ICMP
       AtomicL3L4_TCP
       AtomicL3L4_UDP
       FloodHostICMP
       Layer2ARP
       MSRPC_TCP
       MSRPC_UDP
       ServiceDnsUdp
       ServiceGeneric
       ServiceHttp
       ServiceNtp
       ServiceRpcUDP
       ServiceRpcTCP
       ServiceSnmp
       ServiceTNS
       String
       SweepUDP
       SweepICMP
       SweepTCP
       SweepOtherTcp
       TrafficIcmp
       TrafficIcmpDDOS
       TrojanUdp

Note that even though the documentation on CCO classifies the ATOMIC.IP as an engine, the transport layer protocols TCP, UDP, and ICMP are separated out statistically. Also note that the line Number of seconds since service started substantiates that the analysis engine is running.

Troubleshooting the Generation of Alerts

Once the determination has been made that the sensor is properly capturing packets and the analysis engine is running, there are a number of ways to confirm proper signature alert configuration and behavior. One such method using IDM is depicted below where a signature with SigID 3200 was chosen for editing. Note here that not only is the signature disabled (which means alerting will be as well), but also the signature is marked as retired. This latter term means that the sensor will not dynamically allocate memory resources for the data structure necessary for scanning for this signature. When Edit is clicked, the bottom image results.

In the above window, the Enabled and Retired Status are changed using the dropdown menu.

The show events alert CLI command can be used on a directly connected terminal or using IP-based SSH terminal emulators to yield a live monitor. While this is a useful tool for troubleshooting the absence of ANY alerts, it would be practically infeasible in a live production network due to the volume and speed of displayed information. A sample output is shown next for a large ICMP packet.
    show events alert
    evidsalert: eventid= severity=informational vendor=cisco
      originator:
        hostid: Sensor1
        appname: sensorapp
        appinstanceid: 365
      time: 2009/02/18 01:32: /02/18 01:32:43 UTC
      signature: description=large ICMP Traffic id=2151 version=s1
        subsigid: 0
        marscategory: DoS/Host
      interfacegroup: vs0
      vlan: 0
      participants:
        attacker:
          addr: locality=out
        target:
          addr: locality=out
          os: idsource=learned relevance=relevant type=linux
      riskratingvalue: attackrelevancerating=relevant targetvaluerating=medium 35
      threatratingvalue: 35
      interface: ge0_0
      protocol: icmp

The corresponding area of IDM to observe these alerts (after they occur, not in real-time) is under the Monitoring Tab, Events menu selection as seen below.

Another configurable alert property is the Alert Summarization mode which will influence the frequency of observed firings of the signature. As shown on the next page in the IDM Signature Edit screen for SigID 1102, the default Summary Mode is Fire Once. A little known undocumented feature of this alerting mode is that the frequency of alerts in this mode cannot exceed once every two minutes; therefore, to observe the most frequent alerting behavior, Fire All should be chosen.
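Because the live show events alert display scrolls too fast to read on a busy network, a saved copy of the output can be tallied per signature instead. The following is an added example, not part of the original paper: the field layout follows the sample output above, the assumption that the address is the last token of each addr line is mine, and all event ids, addresses and signature 60001 are constructed.

```python
import re

# Constructed sample laid out like the paper's "show events alert" output.
SAMPLE_EVENTS = """\
evIdsAlert: eventId=1000000000000000001 severity=informational vendor=Cisco
  originator:
    hostId: Sensor1
  signature: description=Large ICMP Traffic id=2151 version=S1
  participants:
    attacker:
      addr: locality=OUT 192.0.2.10
    target:
      addr: locality=OUT 198.51.100.20
      os: idSource=learned relevance=relevant type=linux
  riskRatingValue: attackRelevanceRating=relevant targetValueRating=medium 35
  protocol: icmp

evIdsAlert: eventId=1000000000000000002 severity=informational vendor=Cisco
  signature: description=Large ICMP Traffic id=2151 version=S1
  participants:
    attacker:
      addr: locality=OUT 192.0.2.10
    target:
      addr: locality=OUT 198.51.100.21
  riskRatingValue: attackRelevanceRating=relevant targetValueRating=medium 35

evIdsAlert: eventId=1000000000000000003 severity=high vendor=Cisco
  signature: description=Constructed Test Signature id=60001 version=custom
  participants:
    attacker:
      addr: locality=OUT 203.0.113.5
    target:
      addr: locality=OUT 198.51.100.20
  riskRatingValue: attackRelevanceRating=relevant targetValueRating=medium 85
"""

# Case-insensitive because transcribed output is not always in original case.
HEADER_RE = re.compile(r"^evIdsAlert:.*?\bseverity=(\S+)", re.IGNORECASE)
SIG_RE = re.compile(r"^signature:\s+description=(.*?)\s+id=(\d+)\b", re.IGNORECASE)
ADDR_RE = re.compile(r"^addr:.*?(\d{1,3}(?:\.\d{1,3}){3})\s*$", re.IGNORECASE)
RISK_RE = re.compile(r"^riskRatingValue:.*?(\d+)\s*$", re.IGNORECASE)


def parse_events(text):
    """Split the display text into one dict per evIdsAlert block."""
    events, cur, role = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            cur = {"severity": m.group(1).lower(), "sig_id": None,
                   "description": None, "attacker": None, "target": None,
                   "risk": None}
            events.append(cur)
            role = None
            continue
        if cur is None:
            continue  # text before the first event
        low = line.lower()
        if low in ("attacker:", "target:"):
            role = low[:-1]  # the next addr: line belongs to this participant
        elif (m := SIG_RE.match(line)):
            cur["description"], cur["sig_id"] = m.group(1), int(m.group(2))
        elif role and (m := ADDR_RE.match(line)):
            cur[role] = m.group(1)
        elif (m := RISK_RE.match(line)):
            cur["risk"] = int(m.group(1))
    return events


def summarize(events):
    """Per-signature count, highest risk rating and attacker/target pairs."""
    summary = {}
    for ev in events:
        row = summary.setdefault(ev["sig_id"], {
            "description": ev["description"], "count": 0,
            "max_risk": 0, "severities": set(), "pairs": set()})
        row["count"] += 1
        row["max_risk"] = max(row["max_risk"], ev["risk"] or 0)
        row["severities"].add(ev["severity"])
        row["pairs"].add((ev["attacker"], ev["target"]))
    return summary


def noisiest(summary):
    """Signature ids ordered by how often they fired, most frequent first."""
    return sorted(summary, key=lambda sig: (-summary[sig]["count"], sig))


if __name__ == "__main__":
    report = summarize(parse_events(SAMPLE_EVENTS))
    for sig in noisiest(report):
        row = report[sig]
        print(f"{sig} {row['description']}: {row['count']} alerts, "
              f"max risk {row['max_risk']}, {len(row['pairs'])} address pairs")
```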
Troubleshooting Additional Signature Actions

Besides the basic Produce Alert default setting for all Enabled (and also unretired) signatures, additional sensor actions can be taken, if desired, by configuring these on an individual signature-by-signature basis. A comprehensive list of the possible signature actions is depicted below, taken from the Configuration --> Policies --> Signature Definitions section, Actions button.

Of all the actions depicted in the Assign Actions dialog box below right, the Request Block Connection and Request Block Host options each require that the IPS sensor initiate either an SSH or a telnet session to the blocking device (Cisco ASA/PIX, router, or Catalyst 6500 switch). Once the login profile, the blocking device properties, and the blocking interface designation and Access Control List (ACL) assignments have properly been configured and applied to the sensor, it will immediately attempt to establish a session with the blocking device. The sensor will stay logged in for as long as the router/firewall/catalyst switch is defined as a blocking device in the IPS configuration. This facilitates the quick application or removal of the blocking access-list entry or shun command, the latter used by the PIX or ASA. An example of this behavior is given below by revisiting the troubleshooting scenario shown at the beginning of this paper.
[Figure: troubleshooting scenario topology showing the Perimeter Router, ASA/PIX, DMZ Subnet, Outside-PC, DMZ-Srv and Admin-PC]

The managed device in this example is the Perimeter Router, which will be logged into by the sensor using telnet. The traces below illustrate both the translation of the IPS Command and Control interface private IP address and the occupied terminal line of the router using this translated address.

    ASA# show xlate
    -- (output omitted) --
    Global Local

    PERIM#show users
    Line User Host(s) Idle Location
    * 0 con 0 admin idle 00:00:
    vty 0 idle 00:00:

As shown above, the sensor's IP address of is being translated to , and this IP address is being used to log in to the Perimeter Router terminal line vty0.
Summary

By now you should understand troubleshooting the basic proper operation of the Cisco Intrusion Prevention System (IPS). We have intentionally omitted the discussion of auxiliary (although frequently used) monitoring tools such as IPS Event Viewer, the newer IPS Manager Express, and CiscoSecure MARS. If alerts can be seen on the CLI console of the sensor, but not by any of these tools, the problem usually lies in the mis-configuration of the monitoring tool along with the omission of adding the monitoring IP address as an allowed host on the IPS.

Once the IPS sensor has been properly installed and the management and sensing interfaces have been initialized, the next task is to ensure that signature alerts are being observed. With the successful viewing of these alarms, the accompanying challenge frequently becomes tuning the appliance or module to match the alerting behavior to the environment.

Further VPN troubleshooting techniques are addressed in the other two white papers in this series: Troubleshooting Part I Connectivity Through ASA or PIX Firewall and Troubleshooting Part II: Virtual Private Networks.

Learn More

Learn more about how you can improve productivity, enhance efficiency, and sharpen your competitive edge. Check out the following Global Knowledge courses:

IINS (Introduction to IOS Network Security)
SNRS (Securing Networks with Cisco Routers and Switches)
SNAF (Securing Networks with ASA Fundamentals)
SNAA (Securing Networks with ASA Advanced)
MARS (Cisco Monitoring Analysis and Reporting System)
CANAC (Cisco Appliance for Network Admission Control)

For more information or to register, visit or call COURSES to speak with a sales representative.

Our courses and enhanced, hands-on labs offer practical skills and tips that you can immediately put to use. Our expert instructors draw upon their experiences to help you understand key concepts and how to apply them to your specific work situation.
Choose from our more than 700 courses, delivered through Classrooms, e-learning, and On-site sessions, to meet your IT and management training needs.

About the Author

Douglas B. McKillip, P.E., CCIE #1851 is the president and principal consultant of Innovative Integrators Incorporated, a Delaware Corporation actually based in Delaware. In addition to a BS and MS in Chemical Engineering from M.I.T., Doug also later obtained an M.S. from the University of Delaware in Computer and Information Science. After 15 years of experience at DuPont and a brief stint with the original startup company associated with the Raptor Eagle™ Firewall, Doug began his now 15+ year career of teaching and consulting, specializing in Internet Security with hardware from Cisco Systems since Doug's hobbies include playing piano at his local church and physical activities such as running, cycling, swimming, golf, skiing, and windsurfing. He and his wife Karen reside in Wilmington, Delaware. Doug can be reached at innovativeint@mindspring.com.
More informationLab Configuring Dynamic and Static NAT (Solution)
(Solution) Topology Addressing Table Objectives Device Interface IP Address Subnet Mask Default Gateway Gateway G0/1 192.168.1.1 255.255.255.0 N/A S0/0/1 209.165.201.18 255.255.255.252 N/A ISP S0/0/0 (DCE)
More informationLab Configuring and Verifying Standard IPv4 ACLs Topology
Topology 2016 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 10 Addressing Table Objectives Device Interface IP Address Subnet Mask Default Gateway R1 G0/1 192.168.10.1
More informationImplementing Firewall Technologies
Implementing Firewall Technologies Network firewalls separate protected from non-protected areas preventing unauthorized users from accessing protected network resources. Technologies used: ACLs Standard,
More informationLab Configuring Dynamic and Static NAT (Instructor Version Optional Lab)
(Instructor Version Optional Lab) Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only. Optional activities are designed to enhance understanding and/or
More informationApplication Notes for Mirage Networks Endpoint Controller in an Avaya IP Telephony Infrastructure Issue 1.0
Avaya Solution & Interoperability Test Lab Application Notes for Mirage Networks Endpoint Controller in an Avaya IP Telephony Infrastructure Issue 1.0 Abstract These Application Notes describe a configuration
More informationUsing the Startup Wizard
CHAPTER 3 This chapter describes the Startup wizard and how to use it to configure your sensor. It contains the following sections: Startup Wizard Introduction Window, page 3-1 Setting up the Sensor, page
More informationLab Configuring and Verifying Extended ACLs Topology
Topology 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 8 Addressing Table Objectives Device Interface IP Address Subnet Mask Default Gateway R1 G0/1 192.168.10.1
More informationConfiguring attack detection and prevention 1
Contents Configuring attack detection and prevention 1 Overview 1 Attacks that the device can prevent 1 Single-packet attacks 1 Scanning attacks 2 Flood attacks 3 TCP fragment attack 4 Login DoS attack
More informationConfiguring SPAN and RSPAN
Finding Feature Information, page 1 Prerequisites for SPAN and RSPAN, page 1 Restrictions for SPAN and RSPAN, page 2 Information About SPAN and RSPAN, page 3 How to Configure SPAN and RSPAN, page 14 Monitoring
More informationConfiguring SPAN and RSPAN
41 CHAPTER This chapter describes how to configure the Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) on the Catalyst 4500 series switches. SPAN selects network traffic for analysis by a network
More informationOverview of the Cisco Service Control Value Added Services Feature
CHAPTER 1 Overview of the Cisco Service Control Value Added Services Feature Revised: May 27, 2013, Introduction The VAS feature enables the Cisco SCE platform to access an external expert system for classification
More informationLab - Configuring VLANs and Trunking (Solution)
(Solution) Topology Addressing Table Objectives Device Interface IP Address Subnet Mask Default Gateway S1 VLAN 1 192.168.1.11 255.255.255.0 N/A S2 VLAN 1 192.168.1.12 255.255.255.0 N/A PC-A NIC 192.168.10.3
More informationApplication Notes for Mirage Networks CounterPoint in an Avaya IP Telephony Infrastructure Issue 1.0
Avaya Solution & Interoperability Test Lab Application Notes for Mirage Networks CounterPoint in an Avaya IP Telephony Infrastructure Issue 1.0 Abstract These Application Notes describe a configuration
More informationLab Configuring and Verifying Standard ACLs Topology
Topology 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 9 Addressing Table Objectives Device Interface IP Address Subnet Mask Default Gateway R1 G0/1 192.168.10.1
More informationUniNets CCNA Security LAB MANUAL UNiNets CCNA Cisco Certified Network Associate Security LAB MANUAL UniNets CCNA LAB MANUAL
UNiNets CCNA Cisco Certified Network Associate Security LAB MANUAL Contents: UniNets CCNA Security LAB MANUAL Section 1 Securing Layer 2 Lab 1-1 Configuring Native VLAN on a Trunk Links Lab 1-2 Disabling
More informationUsing NAT in Overlapping Networks
Using NAT in Overlapping Networks Document ID: 13774 Contents Introduction Prerequisites Requirements Components Used Conventions Configure Network Diagram Configurations Verify Troubleshoot Related Information
More informationLab I: Using tcpdump and Wireshark
Objectives To get the student familiar with basic network protocol analyzer, tools and equipment used in later labs, including tcpdump and Wireshark. Lab Readings Go to http://www.tcpdump.org/tcpdump_man.html
More informationWorking With Configuration Files
CHAPTER 15 This chapter describes how to use commands that show, copy, and erase the configuration file. It contains the following sections: Displaying the Current Configuration, page 15-1 Displaying the
More informationValue Added Services (VAS) Traffic Forwarding
CHAPTER 12 Revised: June 27, 2011, Introduction This chapter provides an overview of VAS traffic forwarding, explaining what is it and how it works. It also explains the various procedures for configuring
More informationCCNA Security PT Practice SBA
A few things to keep in mind while completing this activity: 1. Do not use the browser Back button or close or reload any Exam windows during the exam. 2. Do not close Packet Tracer when you are done.
More informationCCNP Switch Questions/Answers Securing Campus Infrastructure
What statement is true about a local SPAN configuration? A. A port can act as the destination port for all SPAN sessions configured on the switch. B. A port can be configured to act as a source and destination
More informationLab Configuring Per-Interface Inter-VLAN Routing (Solution)
(Solution) Topology Addressing Table Objectives Device Interface IP Address Subnet Mask Default Gateway R1 G0/0 192.168.20.1 255.255.255.0 N/A G0/1 192.168.10.1 255.255.255.0 N/A S1 VLAN 10 192.168.10.11
More informationLab 8.5.2: Troubleshooting Enterprise Networks 2
Lab 8.5.2: Troubleshooting Enterprise Networks 2 Topology Diagram Addressing Table Device Interface IP Address Subnet Mask Default Gateway Fa0/0 192.168.10.1 255.255.255.0 N/A R1 Fa0/1 192.168.11.1 255.255.255.0
More informationThree interface Router without NAT Cisco IOS Firewall Configuration
Three interface Router without NAT Cisco IOS Firewall Configuration Document ID: 13893 Contents Introduction Prerequisites Requirements Components Used Conventions Configure Network Diagram Configurations
More informationConfiguring attack detection and prevention 1
Contents Configuring attack detection and prevention 1 Overview 1 Attacks that the device can prevent 1 Single-packet attacks 1 Scanning attacks 2 Flood attacks 3 TCP fragment attack 4 Login DoS attack
More informationCisco IPS AIM Deployment, Benefits, and Capabilities
Cisco IPS AIM Abstract The Cisco IPS Advanced Integration Module (AIM) for Cisco modular integrated services routers integrates a high-performance, feature-rich intrusion prevention system (IPS) into the
More informationIntroducing Cisco Data Center Networking Course DCICN v1.0; 4 Days, Instructor-led
Introducing Cisco Data Center Networking Course DCICN v1.0; 4 Days, Instructor-led Course Description DCICN will introduce the students to the three primary technologies that are used in the Cisco Data
More informationMobile MOUSe ROUTING AND SWITCHING FUNDAMENTALS ONLINE COURSE OUTLINE
Mobile MOUSe ROUTING AND SWITCHING FUNDAMENTALS ONLINE COURSE OUTLINE COURSE TITLE ROUTING AND SWITCHING FUNDAMENTALS COURSE DURATION 16 Hour(s) of Self-Paced Interactive Training COURSE OVERVIEW In the
More informationCCNA Semester 3 labs. Part 1 of 1 Labs for chapters 1 8
CCNA Semester 3 labs Part 1 of 1 Labs for chapters 1 8 2.1.2.12 Lab - Building a Switched Network with Redundant Links 2.3.2.3 Lab - Configuring Rapid PVST+, PortFast and BPDU Guard 2.4.3.4 Lab - Configuring
More informationLab Configuring HSRP and GLBP Topology
Topology 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 9 Addressing Table Objectives Device Interface IP Address Subnet Mask Default Gateway R1 G0/1 192.168.1.1
More informationLab Configuring Per-Interface Inter-VLAN Routing (Instructor Version)
(Instructor Version) Instructor Note: Red font color or Gray highlights indicate text that appears in the instructor copy only. Topology Addressing Table Objectives Device Interface IP Address Subnet Mask
More informationConfiguring Tap Aggregation and MPLS Stripping
This chapter contains the following sections: Information About Tap Aggregation, page 1 Information About MPLS Stripping, page 3 Configuring Tap Aggregation, page 4 Verifying the Tap Aggregation Configuration,
More informationMonitoring the Device
The system includes dashboards and an Event Viewer that you can use to monitor the device and traffic that is passing through the device. Enable Logging to Obtain Traffic Statistics, page 1 Monitoring
More informationSecure ACS Database Replication Configuration Example
Secure ACS Database Replication Configuration Example Document ID: 71320 Introduction Prerequisites Requirements Components Used Related Products Conventions Background Information Scenario I Scenario
More informationConfiguring TAP Aggregation and MPLS Stripping
This chapter describes how to configure TAP aggregation and MPLS stripping on Cisco NX-OS devices. This chapter contains the following sections: About TAP Aggregation, page 1 About MPLS Stripping, page
More informationConfiguring SPAN and RSPAN
Prerequisites for SPAN and RSPAN, page 1 Restrictions for SPAN and RSPAN, page 1 Information About SPAN and RSPAN, page 3 How to Configure SPAN and RSPAN, page 14 Monitoring SPAN and RSPAN Operations,
More informationRemote Access VPN. Remote Access VPN Overview. Licensing Requirements for Remote Access VPN
Remote Access virtual private network (VPN) allows individual users to connect to your network from a remote location using a laptop or desktop computer connected to the Internet. This allows mobile workers
More informationLab - Examining Telnet and SSH in Wireshark
Topology Addressing Table Objectives Device Interface IP Address Subnet Mask Default Gateway R1 G0/1 192.168.1.1 255.255.255.0 N/A PC-A NIC 192.168.1.3 255.255.255.0 192.168.1.1 Part 1: Configure the Devices
More informationCCNA 4 - Final Exam (B)
CCNA 4 - Final Exam (B) 1. Identify the factors that contribute to congestion on an Ethernet LAN. (Choose three.) improper placement of enterprise level servers addition of hosts to a physical segment
More informationLab Troubleshooting IPv4 and IPv6 Static Routes (Instructor Version Optional Lab)
(Instructor Version Optional Lab) Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only. Optional activities are designed to enhance understanding and/or
More informationLab 1. CLI Navigation. Scenario. Initial Configuration for R1
Lab 1 CLI Navigation This lab covers the most basic skills for accessing and using the command-line interface (CLI) on a Cisco router or switch. Many of the small, picky details of how the CLI works cannot
More informationConfiguring Voice VLAN
CHAPTER 15 This chapter describes how to configure the voice VLAN feature on the Catalyst 3750 switch. Unless otherwise noted, the term switch refers to a standalone switch and a switch stack. Voice VLAN
More informationExpert Reference Series of White Papers. How a Spanning Tree Works
Expert Reference Series of White Papers How a Spanning Tree Works 1-800-COURSES www.globalknowledge.com How a Spanning Tree Works Carol Kavalla, Global Knowledge Instructor, S, CCSI, CCDP Introduction
More informationLab 3.3 Configuring Wireshark and SPAN
Lab 3.3 Configuring Wireshark and SPAN Learning Objectives Install Wireshark on a host PC Configure a switch to use the SPAN monitoring tool. Topology Diagram Scenario In this lab, you will configure a
More informationCISCO EXAM QUESTIONS & ANSWERS
CISCO 642-618 EXAM QUESTIONS & ANSWERS Number: 642-618 Passing Score: 800 Time Limit: 120 min File Version: 39.6 http://www.gratisexam.com/ CISCO 642-618 EXAM QUESTIONS & ANSWERS Exam Name: Deploying Cisco
More information