CCNP Security-IPS


Slide 1 (these slides are taken from Cisco Live 2012; compiled 3/20/2014 by Eng. Mohannad Alhanahnah)

IPSv7.0 Agenda:
• CCNP Security IPSv7 Exam Topics Review
• Introduction to Intrusion Prevention & Detection
• Installing and Maintaining Cisco IPS Sensors
• Applying Cisco IPS Security Policies
• Deploying Anomaly-based Operation
• Managing & Analyzing Events
• Deploying Virtualization, High Availability, and High Performance Solutions
• Configuring and Maintaining Specific Cisco IPS Hardware
Slide 2: IPSv7.0 Exam Topics Review
• Approximately 90 minute exam
• 60-70 questions
• Register with Pearson Vue – http://www.vue.com/cisco
• Exam cost is $200.00 US
• Question types
  – Multiple-choice single answer
  – Multiple-choice multiple answer
  – Drag-and-drop
  – Fill-in-the-blank
  – Testlet / Simlet / Simulations
• Rule out the nonsense
• Look for the best answer when multiple exist
• Look for subtle keys
• Narrow it down
• Relate to how the device works
• Don't waste too much time
Slide 3: Preparing for the IPS Exam
• Recommended reading
  – CCNP Security IPS 642-627 Official Cert Guide
  – CCSP books are still good for reference
  – Cisco IPS 7.0 Configuration Guide
• Cisco Learning Network: www.cisco.com/go/learnnetspace
• Practical experience
  – Real equipment
  – IDM in demo mode

IPSv7.0 Exam Topics:
• Pre-Production Design
  – Choose Cisco IPS technologies to implement the high-level design
  – Choose Cisco products to implement the high-level design
  – Choose Cisco IPS features to implement the high-level design
  – Integrate Cisco network security solutions with other security technologies
  – Create and test initial Cisco IPS configurations for new devices/services
• Complex Support Operations
  – Optimize Cisco IPS security infrastructure device performance
  – Create complex network security rules to meet the security policy requirements
  – Configure and verify the IPS features to identify threats and dynamically block them from entering the network
  – Maintain, update and tune IPS signatures
  – Use CSM and MARS for IPS management, deployment, and advanced event correlation
  – Optimize security functions, rules, and configuration
• Advanced Troubleshooting
  – Advanced Cisco IPS security software configuration fault finding and repairing
  – Advanced Cisco IPS sensor and module hardware fault finding and repairing
Slide 4: Introduction to Intrusion Prevention and Detection
(figures: "The Evolution of the Internet", "A Shift to Financial Gain")

Top-Ten Cyber Security Menaces:
• Sophisticated website attacks
• Increasing botnet sophistication and effectiveness
• Growing cyber espionage
• Emerging mobile phone threats
• Insider attacks
• Advanced identity theft
• Increasingly malicious spyware
• Web application security exploits
• Sophisticated social engineering
• Supply-chain attacks infecting consumer devices
Slide 5: Cisco Intrusion Prevention Services
• Intelligent Detection
  – Vulnerability- and exploit-specific signatures
  – Traffic and protocol anomaly detection
  – Knowledge-base anomaly detection
  – Reputation filters
• Precision Response
  – Risk management-based policy
  – Global Correlation adding reputation
  – On-box correlation through the Meta Event Generator
  – "Trustworthiness" linkages with the endpoint
• Flexible Deployment
  – Passive and/or inline with flexible response (IDS/IPS)
  – Sensor virtualization
  – Physical and logical (VLAN) interface support
  – Software and hardware bypass
(figure: Cisco Security Intelligence Operations)
Slide 6 (figures): Cisco IPS Intelligent Detection Capabilities; Vulnerability and Exploit-Based Signatures; Cisco IPS Product Portfolio; Integrated Security Across the Network
Slide 7 (figure): Cisco IPS 4200 Series Sensors Comparison
Slide 8 (figures): AIP-SSM Module; Catalyst 6500 IDSM2
Slide 9 (figure): Cisco IPS Architecture
Slide 10: Packet Flow in IPS v7.0
• IPS Reputation Filters block access to IPs on stolen "zombie" networks or networks controlled entirely by malicious organizations.
• Global Correlation Inspection raises the Risk Rating of events when the attacker has a negative reputation, allowing those events to be blocked more confidently and more often than an event without negative reputation.
• IPS Version 7.0 software permits a device to run promiscuous mode and inline mode simultaneously, so some segments can be monitored for IDS only while other segments get IPS protection.
(figure: Overview of Intrusion Detection Systems (IDS))
Slide 11 (figures): IDS Option 1: Single Interface (spanning traffic to the IPS 4200); IDS Option 2: VLAN Groups
Slide 12: Overview of Intrusion Prevention Systems (IPS)
IPS Option 1: Interface Pairing
• Bump in the wire ("intelligent wire")
• Two physical interfaces
• Switch ports configured as access ports or trunk
Slide 13: IPS Option 2: VLAN-on-a-Stick
• VLAN mapping
• One physical interface configured as a trunk
IPS Option 3: VLAN Groups (figure)
Slide 14: IPS in ASA Appliance
• The ASA redirects traffic to the IPS service module
• The module can be used as IDS (promiscuous) or IPS (inline)
• Virtual sensor and failure policy (fail-open/fail-close on module failure) can be defined
(figure: Areas of Network IPS or IDS Deployment)
Slide 15: Key Terms & Acronyms
• Vulnerability: a weakness that compromises the security or functionality of a particular system in your network.
• Exploit: a mechanism designed to take advantage of vulnerabilities that exist in your systems.
• Signature: a set of instructions the sensor uses to identify an unwanted traffic type.
• False alarms: IDS/IPS events that you do not want occurring in your implementation. The two types of false alarms are false positives and false negatives. Both are undesirable.
• True alarms: the two types of true alarms in IDS/IPS terminology are true positive and true negative. Both are desirable.
Slide 16: Security Controls
• False Positive – an alert has been triggered, but for traffic that does not constitute an actual attack.
• False Negative – attack traffic does not trigger an alert on the IDS/IPS device. This is often viewed as the worst type of false alarm.
• True Positive – the IDS/IPS device recognized and responded to an attack.
• True Negative – non-offending (benign) traffic did not trigger an alarm.

Approaches to Intrusion Prevention:
• Signature based
• Anomaly based
• Policy based
• Protocol analysis based
• Reputation based
Slide 17: Version 7.0 of the Cisco IPS Sensor Software adds many new features, including the following:
■ Virtualization support: allows different policies for different segments that are being monitored by a single sensor.
■ New signature engines: additions that cover Server Message Block (SMB) and Transparent Network Substrate (TNS) traffic.
■ Passive operating system fingerprinting: a set of features that enables Cisco IPS to identify the operating system of the victim of an attack.
■ Improved risk and threat rating system: the risk rating helps with alerts and is now based on many different components to improve the sensor's performance and operation.
■ Global correlation: allows the sensor to take stronger preventive action against traffic originating from hosts with a negative reputation score.
■ Reputation filtering: blocks all network traffic originating from hosts with the worst reputations.
■ Enhanced health and performance monitoring: allows the IPS administrator to better monitor the performance of the sensors.
■ IPv6 detection and prevention: the ability to analyze both IPv4 and IPv6 network traffic.
■ Cisco Intrusion Prevention System Manager Express (IME): a new and improved GUI for management and monitoring of multiple IPS devices.
■ Anomaly detection: designed to detect worm-infested hosts.
Slide 18: Cisco Sensor Family
The Cisco sensor family includes the following devices:
■ Cisco IDS 4240 sensor
■ Cisco IPS 4255 sensor
■ Cisco IPS 4260 sensor
■ Cisco IPS 4270 sensor
■ Cisco Catalyst 6500 series IDSM-2
■ Cisco ASA AIP-SSM-10
■ Cisco ASA AIP-SSM-20
■ Cisco ASA AIP-SSM-40
■ Cisco AIM IPS module for ISR routers
■ Cisco NME IPS module for ISR routers

Management Options:
For a single device (element management), options include the following:
■ Command-line interface (CLI)
■ Cisco IPS Device Manager (IDM)
■ Cisco IPS Manager Express (IME)
For multiple-device management, options include the following:
■ Cisco IPS Manager Express (IME), for one to ten sensors
■ Cisco Security Manager (CSM), for one or many sensors
■ Cisco Security Monitoring, Analysis, and Response System (MARS)
Slide 19: Deploying Sensors
Consider these technical factors when selecting sensors for deployment in an organization:
■ The network media in use.
■ The performance of the sensor.
■ The overall network design.
■ The IPS design: will the sensor analyze and protect many systems, or just a few?
■ Virtualization: will multiple virtual sensors be created in the sensor?

The CLI can be used to
■ Initialize the sensor
■ Configure
■ Administer
■ Troubleshoot
■ Monitor

Initializing the Sensor:
The setup command at the CLI walks you through initialization. You can do the following:
■ Assign a hostname to the sensor. This is case sensitive. It defaults to sensor.
■ Assign an IP address to the command and control interface. The default is 10.1.9.201/24.
■ Assign a default gateway. The default is 10.1.9.1.
■ Enable or disable the Telnet server. Telnet is disabled by default.
■ Specify the web server port. The default is 443.
■ Create network access control lists (ACLs) defining which hosts can reach the sensor for management.
■ Configure the date and time.
■ Configure the sensor interfaces.
■ Configure virtual sensors. This enables the configuration of promiscuous and inline interface pairs.
■ Configure threat prevention. An event action override denies high-risk network traffic with a risk rating of 90 to 100. This option lets you disable this feature.
Slide 20: Initial Setup of IPS Appliance
• The CLI wizard performs the basic configuration needed for network connectivity so that the GUI can be used.
(figure: Threat and Risk Rating)
Slide 21: Calculating Threat and Risk
• RR = [(ASR x TVR x SFR) / 10,000] + ARR – PD + WLR
  – ASR = Attack Severity Rating, TVR = Target Value Rating, SFR = Signature Fidelity Rating, ARR = Attack Relevancy Rating, PD = Promiscuous Delta (only applied in promiscuous mode), WLR = Watch List Rating
• Example:
  – ASR = 75, SFR = 90, PD = 0 (inline mode), TVR = 100, ARR = 10, WLR = 0
  – RR = [(75 x 100 x 90) / 10,000] + 10 – 0 + 0 = 67.5 + 10 = 77.5, reported by the sensor as 78
• TR = RR – Threat Rating Adjustment
  – The adjustment values are set under Configuration > Policies > Event Action Rules > rules0, General tab

Real-Time Risk-based Policy (Risk Rating and IPS Policy):
• A quantitative measure of each threat before IPS mitigation.
Slide 22 (figure): Threat Rating: Post-policy Evaluation of Incident Urgency
Slide 23: Where do I configure actions?
Actions are configured in three different places:
– The signature itself, where you define the default response if the signature is triggered
– Event action overrides, which let the system add actions depending on the risk rating
– Event action filters, which let the system remove actions depending on several parameters such as the signature ID or the attacker/victim addresses
(figure: Master engine: Event Actions)
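A worked example added to these notes (not from the slides or from Cisco's code) of how the risk-rating formula on slide 21 feeds the three action stages on slide 23: a signature's default actions, then overrides that add actions by risk-rating range, then filters that remove actions by signature ID and attacker/victim address, with the threat rating computed afterwards. The event values, the filter table, the second override and the threat-rating adjustment numbers are constructed for illustration; only the formula and the default "RR 90-100 adds a deny" override come from the slides.

```python
"""Risk rating -> event actions -> threat rating, modelled after slides 21/23.
Example code written for these notes; the component values, filters and
adjustment table are constructed, not a sensor's real configuration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Event:
    sig_id: int
    attacker: str
    victim: str
    asr: int          # attack severity rating (informational 25 ... high 100)
    sfr: int          # signature fidelity rating, 0-100
    tvr: int          # target value rating of the victim (100 = medium)
    arr: int = 0      # attack relevancy rating from passive OS fingerprinting
    pd: int = 0       # promiscuous delta: non-zero only in promiscuous mode
    wlr: int = 0      # watch list rating (endpoint / CSA linkage)


def risk_rating(e: Event) -> int:
    """RR = [(ASR x TVR x SFR) / 10,000] + ARR - PD + WLR, rounded half up
    and clamped to 0..100 as the sensor reports it."""
    rr = (e.asr * e.tvr * e.sfr) / 10000 + e.arr - e.pd + e.wlr
    return max(0, min(100, int(rr + 0.5)))


# Stage 2: event action overrides ADD actions by RR range. The first entry
# is the sensor default described on slide 19; the second is constructed.
OVERRIDES = [
    (90, 100, "deny-packet-inline"),
    (60, 100, "produce-verbose-alert"),
]


# Stage 3: event action filters REMOVE actions when sig ID and addresses match.
@dataclass
class Filter:
    name: str
    sig_ids: Optional[range]     # None = any signature
    attacker_net: str
    victim_net: str
    remove: set


FILTERS = [
    # constructed: an authorised vulnerability scanner must never be denied
    Filter("vuln-scanner", None, "10.0.50.0/24", "0.0.0.0/0",
           {"deny-packet-inline", "deny-connection-inline", "deny-attacker-inline"}),
    # constructed: a noisy signature range keeps only the plain alert
    Filter("noisy-sigs", range(2000, 2010), "0.0.0.0/0", "0.0.0.0/0",
           {"produce-verbose-alert"}),
]

# Threat-rating adjustment per deny action (constructed values; the real
# ones live under Event Action Rules > rules0 > General).
TR_ADJUST = {"deny-packet-inline": 35,
             "deny-connection-inline": 35,
             "deny-attacker-inline": 45}


def resolve_actions(e: Event, default_actions: set):
    """Stage 1 (signature defaults) -> stage 2 (overrides) -> stage 3 (filters).
    Returns (risk_rating, final action set)."""
    rr = risk_rating(e)
    actions = set(default_actions)
    for lo, hi, act in OVERRIDES:
        if lo <= rr <= hi:
            actions.add(act)
    for f in FILTERS:
        if f.sig_ids is not None and e.sig_id not in f.sig_ids:
            continue
        if ip_address(e.attacker) not in ip_network(f.attacker_net):
            continue
        if ip_address(e.victim) not in ip_network(f.victim_net):
            continue
        actions -= f.remove
    return rr, actions


def threat_rating(rr: int, actions: set) -> int:
    """TR = RR minus the adjustment of the strongest deny action that fired:
    an attack that was already blocked is less urgent than one that got through."""
    taken = [TR_ADJUST[a] for a in actions if a in TR_ADJUST]
    return rr - max(taken) if taken else rr


if __name__ == "__main__":
    slide = Event(1000, "192.0.2.1", "10.0.0.1", asr=75, sfr=90, tvr=100, arr=10)
    print("slide 21 example RR =", risk_rating(slide))   # 78
    for attacker in ("192.0.2.10", "10.0.50.7"):
        ev = Event(5000, attacker, "10.0.0.5", asr=100, sfr=95, tvr=100, arr=10)
        rr, acts = resolve_actions(ev, {"produce-alert"})
        print(attacker, "RR", rr, "TR", threat_rating(rr, acts), sorted(acts))
```

The same high-fidelity event lands at RR 100 for both attackers, but the scanner filter strips the deny that the override added for 10.0.50.7, so its threat rating stays at 100 (nothing was blocked) while the external attacker's drops to 65 after the inline deny. That ordering, overrides before filters, is why a filter can neutralise an override but never the reverse.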
Slide 24: Installing and Maintaining Cisco IPS Sensors
IPS Deployment Options:
■ Promiscuous mode: packets do not flow through the sensor. Instead, packets are copied to the interface from a network device. This is also known as IDS mode.
■ Inline Interface Pairing mode: traffic passes through the sensor, from one interface to another. Two monitoring interfaces must be configured as a pair. The sensor functions as a Layer 2 bridge for this traffic.
■ Inline VLAN Pairing mode: the monitoring interface acts as an 802.1Q trunk port. The sensor bridges between pairs of VLANs on the trunk.
■ VLAN Group mode: each physical interface can be divided into VLAN group subinterfaces. This enables you to use a sensor with only a few interfaces as if it had many interfaces.
(figure: Cisco IPS Sensor Promiscuous Mode Deployment)
Slide 25 (figures): Cisco IPS Sensor Inline Interface Mode Deployment; Cisco IPS Sensor Inline VLAN Pair Mode Deployment
Slide 26 (figures): Cisco IPS Sensor Inline VLAN Group Mode Deployment; Cisco IPS Sensor Selective Inline Analysis Mode Deployment
Slide 27: Applying Cisco IPS Security Policies
IPS 4200 Appliance Management Interface:
• The IPS 4200 sensor is managed through a dedicated out-of-band interface
• IPS management uses SSH or HTTPS (SDEE for event retrieval)
Assigning a Virtual Sensor:
• Both IDS and IPS interfaces require assignment to a virtual sensor, even if only one virtual sensor (e.g. vs0) is used!
Slide 28: IPv6 and Cisco IPS
• IPv6 is enabled by default on Windows Server 2008, Vista and Windows 7!
• Can analyze native IPv6 traffic
• Can detect IPv6 tunneled traffic
• IPS tuning can be done on IPv4 and IPv6 traffic simultaneously
(figure: Usage of Dual-Stack on all Engines – Service HTTP)
Slide 29 (figure: Usage of Dual-Stack on all Engines – String TCP with Custom Signature)

Deploying Anomaly-Based Operation
Signature:
• A signature is used to detect a potential threat.
• Cisco signatures are vulnerability focused, not exploit focused.
• We need different types of signatures. To match these signatures efficiently against the type of traffic, different engines are used.
• A signature has two independent statuses:
  – Retired vs. Active
  – Disabled vs. Enabled
Slide 30: Types of Signatures
• Three types of signatures
  – Default – included in the sensor software (ID range 1,000 – 59,000)
  – Tuned – built-in signatures that the user/administrator modifies
  – Custom – new signatures that the user/administrator creates (custom ID range 60,000 – 65,000)

What Is an Engine?
• A signature engine is a component of the Cisco IPS designed to support many signatures in a certain category.
• An engine is composed of a parser and an inspector.
• Each engine has a set of parameters that have allowable ranges or sets of values.
Slide 31: The Different Engine Families
• Atomic engines – look at attacks contained in a single packet
• Flood – specialized in attacks that involve flooding hosts with packets
• String – look for patterns across several packets
• Sweep – specialized in attacks that involve scanning of hosts and ports
• Anomaly detection – baselines the traffic first and then looks for threshold crossings
• Service engines – specialized engines that understand services such as DNS, HTTP, FTP, ...
• And many others...

• The ATOMIC signature engines are
  ■ ATOMIC ARP
  ■ ATOMIC IP
  ■ ATOMIC IP ADVANCED
  ■ ATOMIC IPv6
• The FIXED engines are
  ■ FIXED ICMP
  ■ FIXED TCP
  ■ FIXED UDP
• The FLOOD signature engines are
  ■ FLOOD NET
  ■ FLOOD HOST
Slide 32
• The SERVICE signature engines are
  ■ SERVICE DNS
  ■ SERVICE FTP
  ■ SERVICE FTP V2
  ■ SERVICE GENERIC
  ■ SERVICE GENERIC ADVANCED
  ■ SERVICE H225
  ■ SERVICE HTTP, etc.
• The STRING engines are
  ■ STRING ICMP
  ■ STRING ICMP XL
  ■ STRING TCP
  ■ STRING TCP XL
  ■ STRING UDP
  ■ STRING UDP XL
  ■ MULTI STRING
• What is the difference between STRING and FIXED engines? FIXED differs from STRING in that FIXED signatures watch all TCP/UDP ports, whereas STRING signatures watch only the defined service ports.
• The SWEEP engines are
  ■ SWEEP
  ■ SWEEP OTHER TCP
• The TROJAN engines are
  ■ TROJAN BO2K – examines UDP and TCP traffic for Back Orifice.
  ■ TROJAN TFN2K – examines UDP, TCP, or ICMP traffic for irregular traffic patterns and corrupted headers.
  ■ TROJAN UDP – examines UDP traffic for Trojan attacks.
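A toy model, added to these notes and not taken from the slides or from Cisco's code, of the engine/signature relationship on slides 29-32: an engine is a parser (which packets it looks at) plus an inspector (the check it performs) and declares the parameters a signature may set with their allowed values; a signature is one engine's parameter values under an ID, with enabled and retired flags, and only enabled, non-retired signatures are evaluated; custom IDs must fall in 60,000-65,000. The two engines, the Packet record and the demo signatures are constructed. Real STRING engines match across the reassembled stream; this model matches per packet.

```python
"""Engines as parser + inspector + parameter schema; signatures as parameter
sets. Example code written for these notes; engines and sample signatures are
constructed and do not reproduce Cisco's engine implementation."""
import re
from dataclasses import dataclass
from typing import Any, Dict, List


@dataclass
class Packet:
    proto: str                 # "tcp" | "udp" | "icmp"
    src_port: int = 0
    dst_port: int = 0
    ttl: int = 64
    payload: bytes = b""


class Engine:
    name = "BASE"
    schema: Dict[str, Any] = {}    # parameter -> validator(value) -> bool

    def validate(self, params: Dict[str, Any]) -> None:
        """Reject parameters the engine does not know or values outside range."""
        for key, value in params.items():
            if key not in self.schema:
                raise ValueError(f"{self.name}: no such parameter {key!r}")
            if not self.schema[key](value):
                raise ValueError(f"{self.name}: {key}={value!r} outside allowed values")

    def parse(self, pkt: Packet, p: Dict[str, Any]) -> bool:   # is this packet ours?
        raise NotImplementedError

    def inspect(self, pkt: Packet, p: Dict[str, Any]) -> bool: # does the signature fire?
        raise NotImplementedError


class AtomicIP(Engine):
    """Single-packet header checks; every packet of the given L4 protocol is a candidate."""
    name = "ATOMIC IP"
    schema = {"l4_protocol": lambda v: v in ("tcp", "udp", "icmp"),
              "ttl_max": lambda v: isinstance(v, int) and 0 <= v <= 255}

    def parse(self, pkt, p):
        return pkt.proto == p["l4_protocol"]

    def inspect(self, pkt, p):
        return pkt.ttl <= p["ttl_max"]


def _valid_regex(v) -> bool:
    try:
        re.compile(v)
        return True
    except (re.error, TypeError):
        return False


class StringTCP(Engine):
    """Regex over TCP payload, restricted to the signature's service ports."""
    name = "STRING TCP"
    schema = {"regex_string": _valid_regex,
              "service_ports": lambda v: len(v) > 0 and all(0 < x < 65536 for x in v),
              "direction": lambda v: v in ("to-service", "from-service")}

    def parse(self, pkt, p):
        port = pkt.dst_port if p["direction"] == "to-service" else pkt.src_port
        return pkt.proto == "tcp" and port in p["service_ports"]

    def inspect(self, pkt, p):
        return re.search(p["regex_string"].encode(), pkt.payload) is not None


@dataclass
class Signature:
    sig_id: int
    engine: Engine
    params: Dict[str, Any]
    enabled: bool = True
    retired: bool = False


class SignatureDB:
    CUSTOM_RANGE = range(60000, 65001)

    def __init__(self):
        self.sigs: List[Signature] = []

    def add_custom(self, sig: Signature) -> None:
        if sig.sig_id not in self.CUSTOM_RANGE:
            raise ValueError(f"custom signature ID {sig.sig_id} must be in 60000-65000")
        sig.engine.validate(sig.params)
        self.sigs.append(sig)

    def match(self, pkt: Packet) -> List[int]:
        """IDs of active signatures whose engine accepts the packet and fires."""
        return [s.sig_id for s in self.sigs
                if s.enabled and not s.retired
                and s.engine.parse(pkt, s.params) and s.engine.inspect(pkt, s.params)]


def build_demo_db() -> SignatureDB:
    """Three constructed custom signatures: a traversal pattern on web ports,
    a TTL-expiry check on UDP, and a retired duplicate that must stay silent."""
    db = SignatureDB()
    db.add_custom(Signature(60001, StringTCP(), {"regex_string": r"\.\./\.\./",
                                                 "service_ports": [80, 443],
                                                 "direction": "to-service"}))
    db.add_custom(Signature(60002, AtomicIP(), {"l4_protocol": "udp", "ttl_max": 2}))
    db.add_custom(Signature(60003, StringTCP(), {"regex_string": r"passwd",
                                                 "service_ports": [80],
                                                 "direction": "to-service"}, retired=True))
    return db


if __name__ == "__main__":
    db = build_demo_db()
    print(db.match(Packet("tcp", dst_port=80, payload=b"GET /../../etc/passwd")))   # [60001]
    print(db.match(Packet("tcp", dst_port=8080, payload=b"GET /../../etc/passwd"))) # []
```

The second lookup shows the port constraint the slide describes for STRING engines: the same payload on port 8080 is never handed to the STRING TCP signature because its parser rejects the packet before the regex runs. A FIXED engine signature, by the slide's description, would have no such port gate.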
Slide 33: Normalizer Module
Normalizer Engine Signatures:
• The normalizer signatures are designed for inline mode only
• These signatures perform several tasks, including:
  – Watch for packets with illegal combinations of flags
  – Watch for bad checksums
  – Watch for TCP segment overrides
  – Watch for fragmented traffic
  – Much more
• The normalizer denies or fixes abnormal packets
Slide 34: TCP Normalization – How
Layer 4 protection:
• Strict tracking of TCP state
• Strict tracking of sequence numbers (including support for PAWS checks)
• Best-effort tracking of previously seen data for un-acked inspected content (prevents/detects overwrites in the TCP sequence space)
• Checksums and invalid TCP flags
• Ability to rewrite TTLs so they monotonically decrease or remain steady over the life of the flow
• URG pointer normalization

Real-Time Anomaly Detection for Day-Zero Threats:
• Anomaly detection algorithms to detect and stop day-zero threats
• Real-time learning of normal network behavior
• Automatic detection and policy-based protection from anomalous threats to the network
• Result: protection against attacks for which there is no signature
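A small model, added to these notes and not from the slides or Cisco's code, of two of the normalizer checks on slides 33-34, run over a constructed TCP stream. Per packet it flags illegal flag combinations; per flow it keeps a best-effort copy of un-acked payload bytes by sequence number so that a retransmission carrying different bytes for the same sequence range is caught (the classic evasion: the IPS cannot know which copy the end host will keep, so it denies the second one rather than guess). The segments, verdict strings and class names are this example's own; 32-bit sequence wraparound is ignored.

```python
"""Illegal-flag and sequence-overlap checks in the spirit of the normalizer.
Example code written for these notes; the stream below is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ILLEGAL_FLAG_COMBOS = ((SYN | FIN, "SYN+FIN"), (SYN | RST, "SYN+RST"), (FIN | RST, "FIN+RST"))


@dataclass
class Segment:
    seq: int                 # sequence number of payload[0]
    flags: int
    payload: bytes = b""


def check_flags(seg: Segment) -> Optional[str]:
    """Name of the illegal flag combination carried by seg, or None if legal."""
    if seg.flags == 0:
        return "NULL-flags"
    for mask, name in ILLEGAL_FLAG_COMBOS:
        if seg.flags & mask == mask:
            return name
    return None


class StreamTracker:
    """One direction of one flow: remembers each un-acked payload byte by its
    sequence number so a later copy can be compared byte for byte."""

    def __init__(self):
        self.seen: Dict[int, int] = {}

    def overlaps(self, seg: Segment) -> List[int]:
        """Sequence numbers where seg re-sends a byte with a DIFFERENT value.
        New bytes are recorded; on conflict the first copy is kept, since that
        is what the normalizer already let through to the host."""
        conflicts = []
        for i, byte in enumerate(seg.payload):
            s = seg.seq + i
            old = self.seen.get(s)
            if old is None:
                self.seen[s] = byte
            elif old != byte:
                conflicts.append(s)
        return conflicts

    def acked(self, ack_no: int) -> None:
        """Drop bytes below the peer's ACK: acknowledged data cannot be rewritten."""
        self.seen = {s: b for s, b in self.seen.items() if s >= ack_no}


def normalize(segments: List[Segment]) -> List[str]:
    """Verdict per segment, in order: 'pass' or 'deny:<reason>'."""
    tracker = StreamTracker()
    verdicts = []
    for seg in segments:
        bad = check_flags(seg)
        if bad:
            verdicts.append("deny:" + bad)
            continue
        if tracker.overlaps(seg):
            verdicts.append("deny:overlap")
            continue
        verdicts.append("pass")
    return verdicts


# Constructed client->server stream. Segment 2 re-sends seq 1000 with a
# different request of the same length; segment 3 is an honest retransmit.
STREAM = [
    Segment(1000, PSH | ACK, b"GET /index.html"),
    Segment(1000, PSH | ACK, b"GET /etc/passwd"),
    Segment(1000, PSH | ACK, b"GET /index.html"),
    Segment(1015, SYN | FIN),
    Segment(1015, 0),
]

if __name__ == "__main__":
    for seg, verdict in zip(STREAM, normalize(STREAM)):
        print(f"seq={seg.seq} flags=0x{seg.flags:02x} {seg.payload!r:20} -> {verdict}")
```

The honest retransmit (segment 3) passes because every byte agrees with what was recorded; only the segment whose bytes differ is denied. Pruning on ACK keeps the per-flow state bounded, which is why the slide calls the tracking "best effort" and limits it to un-acked content.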
Slide 35 (figure): Protocol-Anomaly Detection
Slide 37: Managing and Analyzing Events
• Cisco IPS Manager Express (IME): all-in-one IPS management application for up to 10 IPS sensors
Slide 38: CSM 4.3 – IPS Configuration
• Centrally manage multiple physical and virtual sensors
• Tune policies
• Create custom signatures
• Track policy changes
• Update signatures and software for IPS sensors
Slide 39: CSM 4.3 – Event Logging and Filtering
• Log and monitor all IPS events
• Granular filtering and searching through events
• Customizable view
• Event-to-policy mapping
Slide 40: CSM 4.3 – Reporting
• Tactical reporting
• Export to PDF or CSV
• Scheduled reports
• Customizable graphs and data
Slide 41: CSM 4.3 – Health Monitoring
• Monitor IPS systems for throughput, CPU, memory, number of events, status of hardware, ...
• Get an alert when the status changes
(figure: IPS Sensor Management)
Slide 42: Deploying Virtualization, High Availability, and High Performance Solutions
(figures: Flexible Deployment; Sensor Virtualization)
Slide 43 (figure): How to place a sensor into such an environment?
Slide 44: Introducing Cisco Nexus 1000V for VMware ESX
Simplifying virtual machine & network policy management:
• Policy-based VM connectivity
  – Mobility of network & security properties
• Virtual Center integration for server administrators
• Cisco NX-OS environment for network administrators
• Ensures visibility & policy enforcement during VMotion
• Compatible with any switching platform

SPAN Technologies Overview:
• Local SPAN: mirrors traffic from one or more interfaces or VLANs on the switch to one or more other interfaces (or a service module) on the same switch.
• Remote SPAN (RSPAN): mirrors traffic from one or more interfaces or VLANs on the switch to a special RSPAN VLAN, which carries the traffic across a Layer 2 switched network to one or more other switches. The other switches mirror the traffic from the RSPAN VLAN to one or more of their local interfaces (or service modules).
• Encapsulated Remote SPAN (ERSPAN): mirrors traffic from one or more interfaces or VLANs on the switch into an IP GRE tunnel, which carries the traffic across an arbitrary Layer 3 network to another device. If the destination is another ERSPAN-capable switch, it decapsulates the monitored packets and mirrors them to one or more of its local interfaces (or service modules).
Slide 45: How to place a sensor into such an environment? Server virtualization IDS and ERSPAN
Ethernet network policy:
• Take a copy of the traffic from the servers and switch it to the appliance
• IPS appliances analyze the server traffic and log activity
The Nexus 1000V makes this possible:
• ERSPAN: set a port profile with a switch-port SPAN session and IP-SPAN (ERSPAN) the traffic to the 6500
• On the 6500, SPAN the decapsulated traffic to the connected 4200 IPS
• Any ACL on the path must permit the ERSPAN GRE protocol type 0x88BE
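A worked example, added to these notes and not from the slides or Cisco's code, of what the "0x88BE" on slide 45 refers to. ERSPAN Type II wraps the mirrored Ethernet frame in GRE (IP protocol 47) with GRE protocol type 0x88BE and the S (sequence) bit set, followed by an 8-byte ERSPAN header (version, original VLAN, CoS, encapsulation, truncated flag, session ID, port index) and then the original frame. The builder, parser and the sample frame below are this example's own constructions; field layout follows the ERSPAN Type II header as publicly documented.

```python
"""Build and parse an ERSPAN Type II GRE payload. Example code written for
these notes; the sample inner frame and field values are constructed."""
import struct

GRE_PROTO_ERSPAN = 0x88BE
GRE_FLAG_C, GRE_FLAG_K, GRE_FLAG_S = 0x8000, 0x2000, 0x1000


def build_erspan_ii(session_id: int, vlan: int, seq: int, frame: bytes,
                    cos: int = 0, encap: int = 0, truncated: int = 0, index: int = 0) -> bytes:
    """GRE(flags=S, proto=0x88BE, seq) + ERSPAN II header + original frame.
    This is the GRE payload: it still needs an outer IP header (proto 47)."""
    gre = struct.pack("!HHI", GRE_FLAG_S, GRE_PROTO_ERSPAN, seq)
    word1 = ((1 << 28)                         # ERSPAN version 1 = Type II
             | ((vlan & 0xFFF) << 16)
             | ((cos & 0x7) << 13)
             | ((encap & 0x3) << 11)           # 0 none, 1 ISL, 2 802.1Q, 3 tag kept in frame
             | ((truncated & 0x1) << 10)
             | (session_id & 0x3FF))
    word2 = index & 0xFFFFF
    return gre + struct.pack("!II", word1, word2) + frame


def is_erspan(gre_payload: bytes) -> bool:
    """The single check behind 'permit protocol type 0x88BE': GRE protocol field."""
    return len(gre_payload) >= 4 and struct.unpack_from("!H", gre_payload, 2)[0] == GRE_PROTO_ERSPAN


def parse_erspan_ii(gre_payload: bytes):
    """Return (erspan_header dict, inner Ethernet frame dict). Raises on non-ERSPAN."""
    flags_ver, proto = struct.unpack_from("!HH", gre_payload, 0)
    if proto != GRE_PROTO_ERSPAN:
        raise ValueError(f"not ERSPAN: GRE protocol type 0x{proto:04x}")
    if flags_ver & 0x7:
        raise ValueError("GRE version must be 0")
    off = 4
    if flags_ver & GRE_FLAG_C:          # checksum + reserved1
        off += 4
    if flags_ver & GRE_FLAG_K:          # key
        off += 4
    seq = None
    if flags_ver & GRE_FLAG_S:          # sequence number (always set for Type II)
        (seq,) = struct.unpack_from("!I", gre_payload, off)
        off += 4
    word1, word2 = struct.unpack_from("!II", gre_payload, off)
    off += 8
    hdr = {"version": word1 >> 28, "vlan": (word1 >> 16) & 0xFFF,
           "cos": (word1 >> 13) & 0x7, "encap": (word1 >> 11) & 0x3,
           "truncated": (word1 >> 10) & 0x1, "session_id": word1 & 0x3FF,
           "index": word2 & 0xFFFFF, "gre_seq": seq}
    if hdr["version"] != 1:
        raise ValueError(f"ERSPAN version {hdr['version']} is not Type II")
    frame = gre_payload[off:]
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    eth = {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"),
           "ethertype": ethertype, "payload": frame[14:]}
    return hdr, eth


# Constructed inner frame: two made-up MACs, EtherType IPv4, a short dummy IP header.
SAMPLE_FRAME = (bytes.fromhex("0050569a0001") + bytes.fromhex("005056bb0002")
                + b"\x08\x00" + bytes.fromhex("4500001400010000401100000a0000010a000002"))

if __name__ == "__main__":
    pkt = build_erspan_ii(session_id=10, vlan=100, seq=7, frame=SAMPLE_FRAME)
    print("GRE protocol type is ERSPAN:", is_erspan(pkt))
    hdr, eth = parse_erspan_ii(pkt)
    print(hdr)
    print(eth["dst"], "->", eth["src"], f"ethertype=0x{eth['ethertype']:04x}")
```

The practical point for the slide's design: a firewall or router ACL between the Nexus 1000V and the 6500 sees only an outer IP packet with protocol 47, so a rule that blindly permits GRE also lets through any other GRE tunnel. Matching on the GRE protocol type 0x88BE, as `is_erspan` does, is the tighter condition the slide refers to.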
Slide 46 (figure): ERSPAN – Sample Config for ERSPAN on N1K
Slide 47: IPS in the Virtualized DC
• Use cases
  – Protect server farms through IPS
  – Monitoring / alarming through IPS in IDS mode
• Products
  – Cisco IPS 4260 / 4270 appliance as IPS via an external services chassis, or as IDS via SPAN technology
  – Cisco ASA IPS SSP for the ASA 5585-X as IPS only
  – Cisco IDSM2 switch module as IPS via an external services chassis, or as IDS via a switch-internal SPAN session
  – IDSM2 is only available for the Catalyst 6500; there is no Nexus 7000 module

High Availability and Scaling:
• Fail-open (fail-safe) techniques: hardware or software that detects problems and passes packets through the device without inspection when required
• Fail-secure (fail-closed) techniques: hardware or software techniques that stop forwarding any packets if the IPS fails
• Failover: one or more paths through the network that allow packets, in the event of a device failure, to go either through a backup IPS sensor or through a plain wire
• Load balancing: using devices or software features to split a traffic load across multiple devices. This can achieve both higher data rates and redundant paths in case of failure
Slide 48: Configuring and Maintaining Specific Cisco IPS Hardware
Cisco IPS Sensor Initial Setup and Management:
• Using basic Cisco IPS CLI features
• Configure and verify basic Cisco IPS sensor parameters
• Configure and verify the Cisco IDM features and properties
• Troubleshoot the initial configuration of the sensor
• Troubleshoot basic Cisco IPS hardware problems
• Restore the Cisco IPS to its default configuration
• Manage Cisco licenses and software
• Software upgrade and recovery
• Updates and installation of IPS signatures
• Manage access & password recovery on the Cisco IPS sensor
• Use the CLI & IDM to perform sensor management and monitoring

Applying Cisco IPS Security Policies:
• Deploy and manage Cisco IPS sensor basic traffic analysis
  – Virtual sensor setup
  – Traffic normalization
  – IPv6 support
  – Bypass mode
• Deploy and manage basic aspects of Cisco IPS signatures and responses
  – Signatures (types, features, properties, and actions)
  – IP logging and filters
• Evaluate the Cisco IPS signature engines and built-in signature database
• Deploy and manage Cisco IPS anomaly-based detection features
