SSFIPS
Securing Cisco® Networks with Sourcefire® Intrusion Prevention System

Study Guide

Wiley Logo

Todd Lammle

John Gay

Alex Tatistcheff




To my wife Shelly who has learned to live all these years with a computer nerd.
—Alex


To Jennifer and Paul Gay: Without your support through the late nights, I never would have made it! Thank you for the wonderful years, and I look forward to many more.
—John

Acknowledgments

There are many people who work to put a book together, and although as authors we dedicate an enormous amount of time to write the book, it would never be published without the dedicated, hard work of many other people.

First, Kenyon Brown, my acquisitions editor, is instrumental to my success in the Cisco world. I look forward to our continued progress together in this crazy certification world we call Cisco!

Big thanks to Kathryn Duggan, my developmental editor, who helped keep this project together, and on time. No easy feat! Thank you, Kathryn, once again!

Christine O’Connor, my production editor, and Judy Flynn, my copy editor, are my rock and foundation for formatting and intense editing of every page in this book. This amazing team gives me the confidence to help me keep moving during the difficult and very long days, week after week. I could never imagine writing a single page of a book if I didn’t know that the amazing duo of Christine and Judy was behind me all the way! Thank you from the bottom of my heart.

Last listed, but certainly not least, is Richard Clendenning. Phenomenal tech editing at its best and amazing eye on details allowed the authoring team to really shine in this book. Thank you Richard!

—From Todd


Thanks to Todd for driving this entire project. If you ever meet him, you will understand right away how he could write over 60 books. Todd, you’re a wild man!

And I would be remiss not to thank my Lord Jesus Christ, to whom I owe literally everything.

—From Alex


Karen Paulson, my former boss who brought me to the Sourcefire team and supported my career development and growth: I cannot thank her enough for her support over the years.

And to Ed Mendez, a co-worker who has fostered my development and been a great learning partner: thanks, man, for all the help!

—From John

About the Authors

Alex Tatistcheff is currently a network consulting engineer for Cisco Security Solutions specializing in FireSIGHT. Alex came to Cisco via the acquisition of Sourcefire, Inc., in 2013. At Sourcefire, he worked for over five years as a senior security instructor teaching the Sourcefire System, Snort, and rule writing classes. During this time, he also completed consulting engagements with several dozen customers.

Prior to coming to Sourcefire, Alex worked on the security team for a large electric utility as a Sourcefire customer and before that as a network/security consultant for numerous organizations.

Alex calls Boise, Idaho, home, where he lives with his wife, Shelly, and two Australian shepherds, Molly and Boomer. He enjoys mountain biking, traveling, and Raspberry Pi.


John Gay is a field security enablement lead with Cisco Systems. He is responsible for facilitating the learning of internal customers. Prior to Cisco's acquisition of Sourcefire, John served as director of instructional delivery, where he managed the instructor team and assisted in the creation and delivery of learning material. Since 1999, John has been in the security industry, training students around the world in IDS/IPS/NGFW/vulnerability assessment. This includes Fortune 500 companies, government agencies, and even military units in theater. Prior to beginning his career in security, John was teaching networking, routing, and back-office applications for a world-class training company. He was also tasked with giving technology presentations for high-profile partners at customer sites and conferences. John has been involved with computers and technology for over 30 years and has had over 20 years in the industry. He also holds a BS in Communication Arts and an MS in Instructional Technology.


Todd Lammle is the authority on Cisco certification and internetworking and is Cisco certified in most Cisco certification categories. He is a world-renowned author, speaker, trainer, and consultant. Todd has three decades of experience working with LANs, WANs, and large enterprise licensed and unlicensed wireless networks, and lately he's been implementing large Cisco data centers worldwide as well as FirePOWER technologies. His years of real-world experience are evident in his writing; he is not just an author but an experienced networking engineer with very practical experience working on the largest networks in the world at such companies as Xerox, Hughes Aircraft, Texaco, AAA, Cisco, and Toshiba, among many others. Todd has published over 60 books, including the very popular CCNA: Cisco Certified Network Associate Study Guide, CCNA Wireless Study Guide, and CCNA Data Center Study Guide as well as this FirePOWER study guide, all from Sybex. He runs an international consulting and training company based in Colorado, Texas, and San Francisco.

You can reach Todd through his website at www.lammle.com/firepower.

Introduction

Welcome to the exciting world of Cisco certification! If you’ve picked up this book because you want to improve yourself and your life with a better, more satisfying, and secure job, you’ve done the right thing. Whether you’re striving to enter the thriving, dynamic IT sector or seeking to enhance your skill set and advance your position within it, being Cisco certified can seriously stack the odds in your favor to help you attain your goals!

Cisco certifications are powerful instruments of success that also markedly improve your grasp of all things internetworking. As you progress through this book, you’ll gain a complete understanding of security that reaches far beyond Cisco devices. By the end of this book, you’ll comprehensively know how Sourcefire technologies work together in your network, which is vital to today’s very way of life in the developed world. The knowledge and expertise you’ll gain here is essential for and relevant to every networking job and is why Cisco certifications are in such high demand—even at companies with few Cisco devices!

Although it’s now common knowledge that Cisco rules routing and switching, the fact that it also rocks the voice, data center, and security worlds is also well recognized. And Cisco certifications reach way beyond the popular but less extensive certifications like those offered by CompTIA and Microsoft to equip you with indispensable insight into today’s vastly complex networking realm. Essentially, by deciding to become Cisco certified, you’re proudly announcing that you want to become an unrivaled networking expert—a goal that this book will get you well on your way to achieving. Congratulations in advance on the beginning of your brilliant future!

Why Should You Become Certified in the SSFIPS Securing Cisco Networks with Sourcefire Intrusion Prevention System?

Cisco, like Microsoft and other vendors that provide certification, has created the certification process to give administrators a set of skills and to equip prospective employers with a way to measure those skills or match certain criteria.

The SSFIPS Securing Cisco Networks with Sourcefire Intrusion Prevention System (500-285) exam is designed for technical professionals who need to demonstrate their expertise and skills in deployment and management of Cisco NGIPS solutions, including Cisco FirePOWER appliances and the Cisco FireSIGHT management system.

Rest assured that if you make it through the SSFIPS and are still interested in Cisco and security, you’re headed down a path to certain success!

What Does This Book Cover?

This book covers everything you need to know to pass the SSFIPS 500-285 exam.

You will learn the following information in this book:

Chapter 1: Getting Started with FireSIGHT What is FirePOWER? What is FireSIGHT? What is Sourcefire? Understand Sourcefire by building a solid foundation in defining key, industry-wide, and Cisco-specific terms that we’ll be using throughout this book. Various FireSIGHT appliance models will be discussed as well as licensing, policies, and initial system setup.

Chapter 2: Object Management This chapter will provide you with the understanding of object types that are used by the FireSIGHT System. And as with the other chapters, this chapter includes review questions and a hands-on lab to help you build a strong foundation.

Chapter 3: IPS Policy Management This chapter provides you with the background necessary for success on the exam as well as in the real world with a thorough presentation of IPS policy management. This in-depth chapter covers IPS policies, which precisely describe the suspicious and/or malicious traffic that the system must watch out for, and they also control how evil traffic is dealt with when it’s discovered.

Chapter 4: Access Control Policy Chapter 4 covers the heart of the FireSIGHT system. An Access Control policy acts kind of like the central traffic cop for FireSIGHT because all traffic passing through a device is processed through it. And you’ll find plenty of help in this chapter as long as you don’t skip the review questions and hands-on lab at the end.

Chapter 5: FireSIGHT Technologies FireSIGHT is the name given to a technology built into the Cisco FirePOWER NGIPS to provide us with contextual awareness regarding events, IP addresses, users on the network, and even background about the hosts in the system. As with Chapter 4, plenty of help is there for you if you don’t skip the review questions and hands-on labs at the end.

Chapter 6: Intrusion Event Analysis In this chapter, we’ll review using the FireSIGHT System to analyze intrusion event data. We’ll explore some of the workflows available when analyzing events and show you examples of how to drill into relevant event data. We’ll also cover how to use the Dashboards and Context Explorer. As always, before tackling the hands-on lab in this chapter, complete the review questions.

Chapter 7: Network-Based Malware Detection A nickname derived from the term malicious software, malware comes in a variety of vile flavors, from coded weapons fashioned to damage, control, or disable a computer system to reconnaissance tools for stealing data or identity theft. FireSIGHT’s Advanced Malware Protection (AMP) is designed to tackle one of the worst and arguably most prevalent threat vectors today—malware! As always, don’t skip the review questions and hands-on lab at the end.

Chapter 8: System Settings This chapter will cover how to apply settings on the systems to control user preferences, time zones, and other key factors plus configuring health checks to alert you to conditions within your devices. Remember the review questions and hands-on labs at the end.

Chapter 9: Account Management In this chapter, we’re going to cover a variety of administrative functions for user account management. We’ll discuss creating and managing both internal and external users. The hands-on labs and review questions will help you master this chapter.

Chapter 10: Device Management In this chapter, we’ll discuss and demonstrate registering the device with the Defense Center as well as touring each of the device’s properties. You’ll discover the different settings for the interfaces and switch and router configurations, and we’ll also survey the different VPN and NAT types available to managed devices.

Chapter 11: Correlation Policy Correlation Policy is an often overlooked but useful feature of the FireSIGHT System. The features available in this area concentrate on detection of unusual activity rather than specific intrusion or malware events. By using correlation rules, white lists, and traffic profiles, we can detect network or host behaviors that may be an indication of malicious activity.

Chapter 12: Advanced IPS Policy Settings This chapter is the perfect time to introduce you to some essential advanced IPS policy settings, and we’ll also survey important application layer preprocessor settings, network and transport layer preprocessors, and specific threat detection preprocessors. We’ll also talk about the significant advantages gained via detection enhancements and performance settings.

Chapter 13: Creating Snort Rules In this chapter, we’re going to focus exclusively on the fundamentals of Snort rules, detailing their structure, syntax, and options. We’ll also explore how Snort performs rule optimization for better performance and show you how rule matching takes place internally.

Chapter 14: FireSIGHT version 5.4 Facts and Features Last, but definitely not least, this key chapter covers all the great new features in FireSIGHT Version 5.4 that launched in February 2015. Don’t be fooled when you hear people refer to this release as a “point” upgrade because that’s a serious understatement. Version 5.4 is a major-league upgrade with substantial new capabilities. In addition to all the bright new features, the user interface has been updated, changing the location of some configuration settings. The settings remain largely unchanged from previous versions, but they’ve been moved in the user interface.

Appendix A: Answers to Chapter Review Questions This appendix contains the answers to the book’s review questions.

Interactive Online Learning Environment and Test Bank

We’ve worked hard to provide some really great tools to help you with your certification process. The interactive online learning environment that accompanies the SSFIPS Securing Cisco Networks with Sourcefire Intrusion Prevention System Study Guide, Exam 500-285, provides a test bank with study tools to help you prepare for the certification exam—and increase your chances of passing it the first time! The test bank includes the following:

Sample Tests All of the questions in this book are provided, including the assessment test, which you’ll find at the end of this introduction, and the chapter tests that include the review questions at the end of each chapter. In addition, there are two exclusive practice exams with 50 questions each. Use these questions to test your knowledge of the study guide material. The online test bank runs on multiple devices.

Flashcards The online test bank includes 100 flashcards specifically written to hit you hard, so don’t get discouraged if you don’t ace your way through them at first! They’re there to ensure that you’re really ready for the exam. And no worries—armed with the review questions, practice exams, and flashcards, you’ll be more than prepared when exam day comes! Questions are provided in digital flashcard format (a question followed by a single correct answer). You can use the flashcards to reinforce your learning and provide last-minute test prep before the exam.

Other Study Tools A glossary of key terms from this book and their definitions is available as a fully searchable PDF.

In addition to the online test bank, the authors have provided additional study material that’ll help you get the most out of your exam preparation:

Todd Lammle Bonus Material and Labs Be sure to check the www.lammle.com/firepower web page for directions on how to download all the latest bonus material created specifically to help you study for your Securing Cisco Networks with Sourcefire Intrusion Prevention System (SSFIPS) exam.

Online Videos Check out the online videos available at www.lammle.com/firepower.

How to Use This Book

If you want a solid foundation for the serious effort of preparing for the Securing Cisco Networks with Sourcefire Intrusion Prevention System (SSFIPS) exam, then look no further. We’ve spent hundreds of hours putting together this book with the sole intention of helping you to pass the exam as well as really learn how to correctly configure and manage FirePOWER!

This book is loaded with valuable information, and you will get the most out of your study time if you understand why the book is organized the way it is.

So to maximize your benefit from this book, I recommend the following study method:

  1. Take the assessment test that’s provided at the end of this introduction. (The answers are at the end of the test.) It’s okay if you don’t know any of the answers; that’s why you bought this book! Carefully read over the explanations for any question you get wrong and note the chapters in which the material relevant to them is covered. This information should help you plan your study strategy.
  2. Study each chapter carefully, making sure you fully understand the information and the test objectives listed at the beginning of each one. Pay extra-close attention to any chapter that includes material covered in questions you missed.
  3. Complete all hands-on labs in each chapter, referring to the text of the chapter so that you understand the reason for each step you take. Try to get your hands on some real equipment, or rent ASA/FirePOWER pods at www.lammle.com/firepower, which you can use for the hands-on labs found only in this book. These labs will equip you with everything you need for your SSFIPS certification goals.
  4. Answer all of the review questions related to each chapter. (The answers appear in Appendix A.) Note the questions that confuse you, and study the topics they cover again until the concepts are crystal clear. And again—do not just skim these questions! Make sure you fully comprehend the reason for each correct answer. Remember that these will not be the exact questions you will find on the exam, but they’re written to help you understand the chapter material and ultimately pass the exam!
  5. Try your hand at the practice questions that are exclusive to this book. The questions can be found at www.sybex.com/go/firepower. And be sure to check out www.lammle.com/firepower for the most up-to-date exam prep questions, bonus material, videos, Todd Lammle bootcamps, and more.
  6. Test yourself using all the flashcards, which are also found on the download link. These are brand-new and updated flashcards to help you prepare for the SSFIPS exam and a wonderful study tool!

To learn every bit of the material covered in this book, you’ll have to apply yourself regularly, and with discipline. Try to set aside the same time period every day to study, and select a comfortable and quiet place to do so. I’m confident that if you work hard, you’ll be surprised at how quickly you learn this material!

If you follow these steps and really study—doing hands-on labs every single day in addition to using the review questions, the practice exams, and the electronic flashcards—it would actually be hard to fail the Cisco exam. But understand that studying for the Cisco exams is a lot like getting in shape—if you do not go to the gym every day, it’s not going to happen!

Where Do You Take the Exams?

You may take the Securing Cisco Networks with Sourcefire Intrusion Prevention System (SSFIPS) exam, or any Cisco exam, at any of the Pearson VUE authorized testing centers. For information, check www.vue.com or call 877-404-EXAM (3926).

To register for a Cisco exam, follow these steps:

  1. Determine the number of the exam you want to take. (The SSFIPS exam number is 500-285.)
  2. Register with the nearest Pearson VUE testing center. At this point, you will be asked to pay in advance for the exam. At the time of this writing, the exam is $250 and must be taken within one year of payment. You can schedule exams up to six weeks in advance or as late as the day you want to take it—but if you fail a Cisco exam, you must wait five days before you will be allowed to retake it. If something comes up and you need to cancel or reschedule your exam appointment, contact Pearson VUE at least 24 hours in advance.
  3. When you schedule the exam, you’ll get instructions regarding all appointment and cancellation procedures, the ID requirements, and information about the testing-center location.

Tips for Taking Your Cisco Exams

The Cisco exams contain about 50 to 60 questions and must be completed in about 90 minutes or less. This information can change per exam. You must get a score of about 80 percent to pass this exam, but again, each exam can be different.

Many questions on the exam have answer choices that at first glance look identical—especially the syntax questions! So remember to read through the choices carefully because close just doesn’t cut it. If you get commands in the wrong order or forget one measly character, you’ll get the question wrong. So, to practice, do the hands-on exercises at the end of this book’s chapters over and over again until they feel natural to you.

Also, never forget that the right answer is the Cisco answer. In many cases, more than one appropriate answer is presented, but the correct answer is the one that Cisco recommends. On the exam, you will always be told to pick one, two, or three options; never “choose all that apply.” The Cisco exam may include the following test formats:

  • Multiple-choice single answer
  • Multiple-choice multiple answer
  • Drag-and-drop
  • Router simulations

However, be advised that the current SSFIPS exam is listed as all multiple-choice questions for now, but understand that this can change at any time.

Here are some general tips for exam success:

  • Arrive early at the exam center so you can relax and review your study materials.
  • Read the questions carefully. Don’t jump to conclusions. Make sure you’re clear about exactly what each question asks. “Read twice, answer once” is what I always tell my students.
  • When answering multiple-choice questions that you’re not sure about, use the process of elimination to get rid of the obviously incorrect answers first. Doing this greatly improves your odds if you need to make an educated guess.
  • You can no longer move forward and backward through the Cisco exams, so double-check your answer before clicking Next since you can’t change your mind.

After you complete an exam, you’ll get immediate, online notification of your pass or fail status, a printed examination score report that indicates your pass or fail status, and your exam results by section. (The test administrator will give you the printed score report.) Test scores are automatically forwarded to Cisco within five working days after you take the test, so you don’t need to send your score to them. If you pass the exam, you’ll receive confirmation from Cisco, typically within two to four weeks, sometimes a bit longer.

SSFIPS Exam Objectives

Candidates will demonstrate knowledge of in-depth event analysis, IPS tuning, and configuration in addition to the Snort rules language. Exam takers will show their skills in using and configuring Cisco NGIPS technology, including application control, firewalls, and routing and switching capabilities.

This study guide has been written to cover the SSFIPS exam objectives at a level appropriate to their exam weightings. The following table provides a breakdown of this book’s exam coverage, showing you the weight of each section and the chapter where each objective or subobjective is covered:

Objective/Subobjective | Percentage of Exam | Chapters
1.0 Object Management | 6% |
  1.1 Understand the types of objects that may be created and configured in object management | | 2
  1.2 Describe the implementation of security intelligence feeds | | 2, 4
2.0 Access Control Policy | 10% |
  2.1 Describe the purpose, features, and configuration of access control policy rules | | 4
  2.2 Describe the purpose and configuration of an access control policy | | 4
3.0 Event Analysis | 5% |
  3.1 Understand the role that geolocation can play in analysis | | 6
  3.2 Be familiar with the interfaces for analysis, including the Dashboard, Work Flows, and Context Explorer | | 6
4.0 IPS Policy Basics | 5% |
  4.1 Understand and describe the operation of the IPS policy interface | | 3
  4.2 Describe the use of the rule management user interface in the IPS policy editor | | 3
  4.3 Be able to implement Cisco FireSIGHT recommendations | | 3
5.0 FireSIGHT Technologies | 12% |
  5.1 Understand the discovery component inside FireSIGHT, including the policy configuration and the data collected | | 5
  5.2 Understand the type of data collected by connection events with FireSIGHT | | 5
  5.3 Understand the user information that is discovered with FireSIGHT | | 5
6.0 Network-Based Malware Detection | 10% |
  6.1 Describe the interface components used for analyzing malware events | | 7
  6.2 Understand the different techniques used to identify malware | | 7
  6.3 Describe the features of malware detection as used by the Cisco NGIPS, including communication, actions, and protocols | | 7
7.0 Basic Administration | 12% |
  7.1 Describe the settings contained in the system policies | | 8
  7.2 Understand the general user preferences and system settings of the Cisco NGIPS | | 8
  7.3 Describe the settings available for the health monitoring features of the Cisco NGIPS | | 8
8.0 Account Management | 5% |
  8.1 Understand the permissions available to different account roles | | 9
  8.2 Describe the features that can use external authentication | | 9
9.0 Creating Snort Rules | 5% |
  9.1 Be familiar with the options used to create Snort rules inside the Cisco NGIPS | | 13
10.0 Device Management | 10% |
  10.1 Describe the VPN types supported and the configuration of those VPNs | | 10
  10.2 Define the different NAT types | | 10
  10.3 Understand the properties of the managed devices and the settings that may be configured | | 10
  10.4 Describe the settings for configuring the virtual interface and virtual router switch types | | 10
11.0 Correlation Policies | 10% |
  11.1 Describe the components of a correlation policy | | 11
  11.2 Understand the process for creating a white list | | 11
  11.3 Describe the purpose and creation of traffic profiles | | 11
  11.4 Be familiar with the types of responses available when dealing with correlation policies | | 11
12.0 Advanced IPS Policy Configuration | 10% |
  12.1 Describe the features and settings of application layer preprocessors | | 12
  12.2 Describe the features and settings of network and transport layer preprocessors | | 12
  12.3 Describe the features and settings for specific threat detections in the advanced section of IPS policies | | 12
  12.4 Understand the benefits of the detection enhancements and performance settings in the intrusion policy editor | | 12