Cisco's IPS Exam (#642-532)

Cisco's newest version of this very product-specific exam for aspiring CCSPs requires in-depth exposure to the company's IDS and IPS products.

Most Cisco security exams are about understanding Cisco's viewpoint on security and how its sales, marketing and products fit within the network. The Securing Networks Using Intrusion Prevention Systems (IPS) security exam is no exception: It's all about Cisco's IPS and Intrusion Detection System (IDS) security products. On my exam, the questions quizzed my knowledge on how to configure Cisco IPS and IDS devices and how to use them to identify, mitigate and secure a Cisco network.

Exam Spotlight

Exam #642-532: Securing Networks Using Intrusion Prevention Systems (IPS)
Vendor: Cisco Systems
Status: Live. Available at Pearson Vue and Prometric testing centers worldwide.
Reviewer's Rating: "Straightforward exam that requires hands-on experience with tested products."
Test Information: 60-70 questions, 90 minutes. Cost: $125 (U.S.).
Who Should Take This Exam? Candidates for Cisco Certified Security Professional (CCSP) or Cisco IPS Specialist certifications.

I received 63 questions and was given 90 minutes to complete the IPS exam, which included a traditional simulation question and a new question type. This new one presented the IPS console, a network topology, four to five questions, and a simulated attack scenario - I'll have more on this later. The passing score was 825 on a scale of 300 to 1,000 points possible. Like all Cisco exams that I've ever taken, I couldn't move back through the question set, mark a question for later review or change my answer, like you can on most other vendors' certification exams. I find Cisco exams easier overall, with many of the questions in the form of one or two sentences with only one correct answer.

Question Types
The exam's simulation-based question was similar in complexity to those I found on the Cisco Certified Security Professional (CCSP): CSVPN and the retired Cisco Secure PIX Firewall (CSPFA) exams, with the one exception as noted. The conventional simulation questions of this exam require you to configure a Cisco device, given a specific set of parameters. As I mentioned above, the new simulation-type question had links to the IPS console, a network topology and a simulated attack scenario. I was able to switch back and forth between all four of the links, unlike the simulation questions I've received on the CSVPN exam. The requirements were to read the question, examine the network topology, watch the simulated attack, correctly configure the IDS/IPS to mitigate the attack and then answer the question - at least that's the strategy I used.

The exam's more traditional simulation questions, which I'm sure many of you are familiar with, present a company's network scenario, topology and usually a partial configuration. You're required to complete the remaining configuration by navigating the particular Cisco device's command line environment. The opening screen of these types of exams warned you about spending too much time on any one simulator; it recommends no more than 10 minutes each. Running short on time for this exam shouldn't be an issue for most candidates, but you'll need to pace yourself during the simulators. Personally, I approach simulation questions just as I would in the real world: I execute the required commands to configure the router, switch or IPS console, show the configuration, save and verify my work. Many times the help function is available if you need it, but its usually limited. The simulation questions are generally more difficult than the more common multiple choice questions. There are also a couple of pick-and-place type questions.

Exam Objectives
The main objectives of the IPS exam are to describe, install, tune, analyze, maintain and troubleshoot Cisco IDS/IPS sensors. More specifically, they require you to have the ability to describe how Cisco IDS/IPS sensors are used to mitigate network security threats, install Cisco IDS/IPS sensors and configure essential system parameters, describe advanced system parameters, tune Cisco IDS/IPS sensor advanced system parameters to optimize attack mitigation performance, analyze Cisco IDS/IPS sensor events to determine the appropriate response to network attacks, upgrade and maintain Cisco IDS/IPS sensors, and finally, troubleshoot Cisco IDS/IPS sensor operation and configuration errors.

As a current Cisco Certified Network Associate (CCNA) is a prerequisite, that's where you should start to obtain the fundamental knowledge on how to configure and troubleshoot Cisco devices. The CCNA will also introduce you to LANs, WANs, ACLs and many other fundamentals that are essential to this exam.

For more on the exam objectives, go here.

Study Materials
An official Cisco instructor-led IPS course is available, as are self-study guides. The exam objectives Web page includes a link to Cisco Press' resources for this exam. I found everything I needed within the Cisco Press book "IPS Exam Certification Guide." For a taste of the book, check out the sample chapter on IPS Device Manager (IDM) provided online. Also available from Cisco Press is the CCSP Flash Cards and Exam Practice Pack. I didn't find it necessary for this exam, but I believe it varies for each candidate based on experience, test-taking skills and, of course, comfort level. If you don't have access to the study guide, I highly recommend you start by reading the IPS and IDS installation, configuration and operation guides available

If you've studied for, understood and passed the CompTIA's Security+ exam, you have the makings of a good foundation. However, nothing can prepare you better for this exam than time with the products covered on this exam. That can be difficult if you don't have a Cisco network with IDS software and IPS sensors to practice with! Many Cisco routers, switches and dedicated appliances are capable of acting at IPS sensors, but they require licensed software, which is usually additional to the base IOS. The best place to start is with product documentation, which includes screenshots and typical implementation scenarios. If you're fortunate enough to have a testing bed, use the scenarios in the product documentation to exercise your hands-on and understanding.

Cisco IDS/IPS Sensors vs. Network Security Threats
Any strong and useful network security configuration starts with a Network Security Policy. Without acceptable and unacceptable network use defined for network users, there can be no enforcement or consequences. One of the more difficult aspects of creating and maintaining a secure network environment is finding the delicate balance between security and usability. There are often tradeoffs that need to be made and can only be supported with strong buy-in from the "owners" and users of the network. There are many studies that still report that most network attacks start from within. Connecting a network to the World Wide Web doesn't come without its risks either.

We that support information technology for business have had to readdress the ways in which we administer networks. Gone are the days of "a group of computer geeks" connecting systems to understand and share information for the sheer excitement and sense of accomplishment in doing so. Nowadays computer and network security are a top concern for companies and networked organizations. It does, however, open up new and exciting opportunities as well as mind-boggling challenges for us.

With that said, let's get on to business! Cisco IDSes and IPSes are network-based devices that are placed either directly in the communication path using two network cards, called a dual-homed sensor, or at a point on the network where they can monitor all traffic. While these sensors are good at detecting signatures, they aren't effective at dealing with encrypted network traffic. As the traffic is encrypted, it's impossible for the network-based IDS or IPS to determine if there is an attack in progress based on a signature.

To overcome the network-based limitations, Cisco IDSes and IPSes can also be deployed on each host. Since the host will have to decrypt any encrypted communication before it can process the information, the IDS or IPS can inspect that clear text before it's processed. Cisco IDS and IPS solutions also have the advantage of working at the application level to enforce additional requirements. However, a host-based IDS and IPS have the disadvantage of having to be deployed on servers, thus impacting processor performance and potentially operating system stability.

An IDS monitors the traffic flow for certain traffic or data patterns that may indicate a possible attack. These patterns may be defined as attack signatures where certain known attacks can be detected by the sequence of commands. If that pattern is detected, an IDS can perform some predetermined action, such as notification of the event. The downfall of this system is if the IDS doesn't have a signature for the attack in progress. Each time a new attack is devised, the IDS administrator must try to determine the sequence of network packets unique to that attack. This is a very reactive approach since signatures can only be developed once the attacks are known and being performed. The Cisco IDS makes use of behavior-based technologies to help determine if the activity on the network appears suspicious. Instead of basing its response on predetermined signatures, it will respond based on certain types of network behavior. For instance, if a source computer is generating a large number of ICMP packets with varying destination addresses all within the same network, this is most likely what is known as a PING sweep. On the other hand, if a large number of connection attempts are being generated to the same destination address but with different port numbers, this most likely is a port scan.

An IDS can help enforce time-based usage restrictions on systems. For example, it may be suspicious if users are connecting to training resources at 3 a.m. (then again, maybe not, if that user is studying for his/her CCSP!). If that type of behavior is in violation of the information security policy, the IDS can alert on that activity and report it to the appropriate personnel. The behavior-based IDSes can detect these types of malicious activity and respond accordingly.

False positive alerts are alerts on activity that is normal network behavior but could possibly be malicious given the right circumstances. The IDS administrator can become so bombarded with false positives that they begin to disregard all alerts including the actual attacks.

An Intrusion Prevention System (IPS) is an IDS that works in conjunction with the IDS by monitoring network traffic for malicious attack profiles and sending notification of suspicious events. The difference is that an IPS actively blocks suspicious traffic. It attempts to prevent an attack by either blocking certain packets or by dropping the connection. Since an IPS is active in its response and can actually block traffic, its potential to disrupt normal network activity is much higher than with just an IDS.

Tip: Whether network-based or host-based, an IPS can be a bastion of security or a wall of denial for legitimate traffic.

An IPS can be configured to limit its reaction to attack signatures by stopping only that traffic that is definitely malicious in activity so that it doesn't interfere with normal traffic. An IPS is typically deployed between the router and the firewall preventing known malicious attacks from ever reaching the firewall. Since IPSes only detect and respond to known attacks that can be verified, letting through attacks that cannot be positively identified, they can't be used as the sole security control on a network. Network security is often defined as "layers in defense." No single configuration, control, device or action, short of unplugging it all and going home, can keep a network secure.

Installing Cisco IDS/IPS Sensors and Configuring Essential System Parameters
This is certainly one area you'll want to be familiar with the console. As I mentioned, the new type of simulation question plus the traditional one I had on my exam required working knowledge. You may be required to navigate the console to complete a configuration. Be sure and read the documents previously linked to understand the software installation and essential configuration whether you have access to a live copy or not.

Tip: PING can verify connectivity to an IPS sensor from the Management Console station.

Describe Advanced System Parameters
Communication with an IPS sensor can take place using the Management Console's Web browser via http or https. After connecting to the IPS, it can be added to the MC through configuration by IP address or by importing. Once it's added, downloading signature updates from Cisco's Web site is essential. Finally, using the MC, configuration such as blocking is done. This is where you'll define such things as blocking action, hosts and subnets on a router's interface. IOS commands "show user" and "show access-list" can be used on the IPS for verification and troubleshooting.

Tip: Connections to an IPS can also be made using Telnet and SSH.

Tune Advanced System Parameters to Optimize Attack Mitigation Performance
Tuning the IDS/IPS sensors involves many things such as loading new signatures and configuring specific source and destination hosts and subnets. This is necessary to avoid false positives and false negatives. A false positive is defined as legitimate network traffic that is flagged as an attack, such as a network-based virus scan. A false negative occurs when an attack is occurring or has occurred but is not detected. There are four primary considerations when tuning a sensor:

* specifying reassembly settings for IP fragments and TCP sessions
* port mapping by adding additional ports
* identifying hosts and subnets that are exempt from blocking
* configuring filter alarms according to their severity and source

All of these as well as other considerations are available for the Cisco IDS/IPS in the documentation link given earlier. Once again, the payback will be great if you can practice these on a test network.

Tip: Configure a sensor to ignore perceived attacks from trusted hosts or subnets.

Analyze Events to Determine the Appropriate Response to Network Attacks
Reviewing events, logged attacks, updating signatures and formulating a response is crucial to securing a network. If you could simply set it and forget it, there wouldn't been an ongoing need for the knowledge and expertise of network security professionals. Regular monitoring is needed to properly secure any host or subnet. Active blocking is an option to thwart an attack at the PIX Firewall. The "shun" command is required.

Tip: A Target Value Rating is a weight factor that's used to calculate the Risk Rating value for alerts. You can assign different TVR values to different targets based on the importance of the target.

Upgrade and Maintain IDS/IPS Sensors
Downloading and installing signatures, tuning and configuring sensors is required knowledge. You can copy configuration settings between sensors using the IPS MC. This is not only a time-saving feature but is also a method of applying uniformity to comply with a network's security policy.

Tip: Signature definition files can be downloaded and applied automatically at regular intervals.

Troubleshoot Cisco IDS/IPS Sensor Operation and Configuration Errors
Many common problems that can occur have been noted -- such as basic communication errors, mis-configurations that create false positives and false negatives. Troubleshooting involves familiarity with the IDS and IPS Management Console and other Cisco software and tools, like the Error Message Decoder and Output Interpreter, which are available at

Tip: The IDS MC includes a reports option to aid in troubleshooting configurations.

Go Forth and Secure
That wraps it up for this exam review. Next month I'll review the final CCSP exam in the series, 642-522: Securing Networks with PIX and ASA (SNPA). Until then, good luck and good night!

Contact Us | Authors | Subject Index | RSS Feeds

Copyright ©2007