IBM Professional Certification Program


Test C2150-561: IBM Security Network Intrusion Prevention System V4.3 Implementation


Note: This test will be withdrawn on Nov 30 2014.
The replacement test is: (C2150-200) IBM Security Systems SiteProtector V3.0 - Implementation


Section 1 - Planning


  1. Given knowledge of IBM Protocol Analysis Module (PAM) and the differences between Intrusion Prevention Systems (IPS) and IDS, describe the PAM and IPS security protection techniques, so that the customer has a better understanding of how the IPS can suit their security needs.
    With emphasis on performing the following tasks:

    1. Review the IBM Protocol Analysis Module (PAM) white paper and understand the different PAM modules.

      1. Virtual Patch - Shields vulnerabilities from exploitation independent of a software patch and provides the protection required to eliminate the patching fire drills for new threats.

      2. Client-side Application Protection - Protects end users against attacks targeting applications used every day, such as Microsoft Office files, Adobe PDF files, multimedia files and web browsers.

      3. Web Application Protection - Protects web servers against sophisticated application-level attacks such as SQL injection, XSS (cross-site scripting), PHP file includes and CSRF (cross-site request forgery).

      4. Threat Detection and Prevention - Detects and prevents entire classes of threats as opposed to a specific exploit or vulnerability.

      5. Data Security - Helps to prevent information (data) leakage by monitoring and identifying unencrypted Personally Identifiable Information (PII) and other confidential information for data awareness. Also provides the capability to explore data flow through the network to help determine whether any potential risks exist.

      6. Application Control - Manages control of unauthorized applications and risks within defined segments of the network, such as ActiveX fingerprinting, peer-to-peer, instant messaging and tunneling.

    2. Review the problem we are trying to solve in a target environment and then position Intrusion Prevention Systems (IPS) technology versus IDS, firewall and anti-virus.

      1. Identify the unique parts of IBM Protocol Analysis Module (PAM) technology. PAM performs deep packet inspection based on a full understanding of the protocol. Protocols are recognized and identified by using multiple techniques, such as:
        - Shellcode Heuristics - The shellcode heuristics technology contained in PAM includes a list of heuristic-based decodes that detect shellcode in the most commonly used file and network protocols. All of these decodes or signatures detect payloads used by, but not limited to, Metasploit tools and other well-known patterns used to attack and exploit multiple operating systems.
        - Injection Logic Engine - Logic built into the PAM engine that helps in pre-emptive blocking of SQL and shell command injection attacks by detecting unique patterns not usually seen in valid web requests.

      2. IBM Protocol Analysis Module (PAM) does not rely on pattern-matching techniques, which are a reactive approach to security and are more typical of anti-virus software.

      3. The IBM Protocol Analysis Module (PAM) engine can identify threats that attempt to exploit undisclosed vulnerabilities before software vendors are able to provide a patch. This feature is known as Zero-Day protection.

      4. Understand that IBM Security Network Intrusion Prevention System V4.3 (Network IPS) does not replace firewall and anti-virus solutions but complements them.

      5. Network IPS can act as an IDS device, in which case it can only alert on security attacks but cannot block them.

  2. Given an understanding of your customer's needs and of the Network IPS appliances available, propose the model of appliance that best meets the customer's needs, so that a Network IPS appliance solution has been determined.
    With emphasis on performing the following tasks:

    1. Understand different Network IPS models.

      1. GV-1000 - Virtual appliance that comes as an OVF install file supported on VMware ESX 3.5.

      2. GX4004-V2-200 - Suitable for remote segments with up to 200M inspected throughput and dual inline protection segments. This device does not have redundant power supplies or redundant storage. Has integrated hardware-level bypass.

      3. GX4004-V2 - Suitable for the network perimeter with up to 800M inspected throughput and dual inline protection segments. This device does not have redundant power supplies or redundant storage. Has integrated hardware-level bypass.

      4. GX5008-V2 - Suitable for the network perimeter with up to 1.5G inspected throughput and four inline protection segments.

      5. GX5108-V2 - Suitable for the network perimeter with up to 2.5G inspected throughput and four inline protection segments.

      6. GX5208-V2 - Suitable for core network segments with up to 4G inspected throughput and four inline protection segments.

      7. GX6116 - Suitable for core network segments with up to 8G inspected throughput and eight inline protection segments.

      8. GX7800 - Suitable for 10G core network segments with up to 23G inspected throughput and four inline protection segments.

    2. Explain the differences between the 4.1, 4.2 and 4.3 versions of the firmware.

      1. Version 4.1 and above support: management over IPv6; blocking directly from analysis views; health information updates to IBM Security SiteProtector System V2.0 SP8.1 (SiteProtector); geographical High Availability (HA); integration with Rational AppScan; quarantine DDoS response; log evidence.

      2. Features added in 4.2 are: transactional policies (batches of policies treated as a single transaction) and feature-level policies.

      3. Firmware version 4.3 added support for SNMPv3.

    3. IBM Protocol Analysis Module (PAM) V2.0 is a new version of PAM that has increased throughput by leveraging a multithreaded architecture and new hardware based on a faster 64-bit processor.

    4. Identify whether the solution needs a Network Security Controller (NSC). The NSC is a 10 Gigabit (Gb) to 1 Gb intelligent link aggregation/segregation bypass switch. The Network Security Controller provides twenty-four 1 Gb ports and four 10 Gb SR or LR ports.

    5. Identify whether the solution needs an Active Bypass Unit.

      1. GX4000 series models have integrated hardware-level bypass, so they can be configured to Fail Open or Fail Close with no additional hardware.

      2. All other models Fail Close by default (the device does not allow network traffic through if the appliance fails) and need external hardware support to be able to Fail Open.

  3. Given the customer's requirements, determine the scope and sizing for the deployment project, so that the engineer has determined the best appliance placement, mode, required fault tolerance, and security posture.
    With emphasis on performing the following tasks:

    1. Information gathering

      1. Define the customer's goals.
        - Internal or external traffic (or both).
        - How much bandwidth is on each individual segment.
        - Add up peak bandwidth consumption throughout the day to determine a total.
        - Include peaks to ensure plenty of total bandwidth.
        - How many physical networks will need to be monitored.
        - What types of links will be monitored (100 Mbit copper, 1 Gig copper, 1 Gig fiber, 10 Gig fiber).
        - What issues the customer is attempting to solve.
        - Identify whether they want the ability to block traffic or strictly want to monitor.
        - Identify what types of traffic and signature sets the customer is most concerned with.
        - Review the network architecture to determine potential locations to intercept the desired traffic on the wire.
        - Ensure that traffic to be monitored is not encrypted at the time it is intercepted on the wire.
        - HA requirements.

    2. Sizing

      1. Review the model specifications on the IBM web site for bandwidth capacity and the number and type of ports to determine which model best fits the customer's requirements.
        - Allow for plenty of growth, especially if the event load is expected to be high.

    3. Determine the appliance mode.

      1. Inline Protection
        - Traffic is inspected and forwarded through the appliance.
        - This mode allows block responses to be performed, actively protecting vulnerable hosts from attacks.
        - Potential risk of interrupting network traffic in the event of a failure or misconfiguration.
        - Potentially mitigated by using HA and / or Bypass Units.

      2. Inline Simulation
        - Traffic is inspected and forwarded through the appliance.
        - This mode does not block traffic, but it notes what traffic would have been blocked.
        - Useful if the customer would like to deploy the appliance, review the traffic that would be blocked, and later switch to Inline Protection.
        - Potential risk of interrupting network traffic in the event of a failure or misconfiguration.
        - Potentially mitigated by using HA and / or a Bypass Unit.
        - The appliance is cabled identically to Inline Protection mode.

      3. Passive / Monitor-only mode
        - Traffic is inspected passively only. Traffic does not traverse the appliance.
        - To inspect traffic, network equipment must be configured with a SPAN port or "monitoring" port connected to the inspection ports of the appliance.
        - Since only one interface of each protection pair is used, it is possible to monitor a greater number of physical networks.
        - No traffic passes through the appliance, therefore the appliance is unable to drop malicious traffic inline.
        - It is still possible to configure the appliance to send "RSKILL" or TCP reset packets to forcibly tear down a TCP connection. This only works with TCP connections and is not always effective.
        - The appliance is configured completely differently from the inline modes.
        - Reconfiguration and re-cabling will be required if an inline mode is chosen later.
        - Little risk of interrupting normal traffic flow in the event of a misconfigured or failing appliance.
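The sizing and mode-selection steps above can be expressed as a small, auditable procedure: total the per-segment peaks, add headroom for growth, and pick the smallest listed model whose inspected throughput and segment count satisfy the chosen mode, flagging when Fail Open will need an external bypass unit. The following is an added illustration, not IBM's sizing tool or any code from the exam material. The model figures are the ones listed in the objectives above; the 30% growth headroom and the rule that passive mode can monitor two networks per protection pair are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional


# Appliance figures as listed in the exam objectives: inspected throughput in
# Mbps and number of inline protection segments. Integrated hardware-level
# bypass is stated for the GX4000 series only. The GV-1000 virtual appliance
# has no throughput figure on the page, so it is not sized here.
@dataclass(frozen=True)
class Model:
    name: str
    throughput_mbps: int
    inline_segments: int
    integrated_bypass: bool


MODELS = [
    Model("GX4004-V2-200", 200, 2, True),
    Model("GX4004-V2", 800, 2, True),
    Model("GX5008-V2", 1500, 4, False),
    Model("GX5108-V2", 2500, 4, False),
    Model("GX5208-V2", 4000, 4, False),
    Model("GX6116", 8000, 8, False),
    Model("GX7800", 23000, 4, False),
]


@dataclass(frozen=True)
class Segment:
    name: str
    peak_mbps: int   # peak bandwidth observed on that link during the day


@dataclass(frozen=True)
class Sizing:
    model: Optional[str]          # None when no listed model is large enough
    required_mbps: int            # total peak plus growth headroom
    needs_external_bypass: bool   # Fail Open requested on a model without bypass


def size_deployment(segments: List[Segment], mode: str,
                    fail_open: bool, growth_percent: int = 30) -> Sizing:
    """Pick the smallest listed model that meets the customer's needs.

    mode is "inline" (protection or simulation share the same cabling) or
    "passive". growth_percent is an assumed headroom figure for this example.
    """
    if mode not in ("inline", "passive"):
        raise ValueError("mode must be 'inline' or 'passive'")
    total_peak = sum(s.peak_mbps for s in segments)
    # Integer arithmetic keeps the headroom exact and easy to audit.
    required = total_peak * (100 + growth_percent) // 100
    for m in sorted(MODELS, key=lambda m: m.throughput_mbps):
        if mode == "inline":
            ports_ok = len(segments) <= m.inline_segments
        else:
            # Passive mode uses one interface of each protection pair, so
            # (assumption) each pair can monitor two separate networks.
            ports_ok = len(segments) <= 2 * m.inline_segments
        if ports_ok and m.throughput_mbps >= required:
            # Fail Open only matters inline; without integrated bypass it
            # needs an external bypass unit.
            needs_unit = fail_open and mode == "inline" and not m.integrated_bypass
            return Sizing(m.name, required, needs_unit)
    return Sizing(None, required, False)


if __name__ == "__main__":
    # Constructed example: two perimeter segments, customer wants blocking
    # and wants traffic to keep flowing if the appliance fails.
    links = [Segment("Internet edge", 450), Segment("DMZ", 300)]
    print(size_deployment(links, "inline", fail_open=True))
```

The headroom is applied before the model lookup so that a link whose peak sits just under a model's rated throughput is not placed on that model; a practitioner would tune `growth_percent` to the customer's expected event load.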

  4. Given a customer's needs, provide an HA solution design, so that a solution has been designed that satisfies the customer's needs.
    With emphasis on performing the following tasks:

    1. Understand different HA scenarios.

      1. Fail Open and Fail Close options are discussed in the objective before last.

      2. Standard Network HA - The protection ports for two appliances are cabled so that each appliance mirrors traffic from the other appliance. Half the ports on each appliance are used as inline ports and the other half are used as mirror ports to the other appliance.
        - Active-active - Both paired devices analyze the traffic. Helps to load balance the traffic.
        - Active-passive - One device is on standby and is not used to inspect traffic. A single device handles all traffic.
        - GX4000 series models do not support this HA.

      3. Geographically dispersed HA - Not a fully secured solution; uses the management port to duplicate blocking tables, but traffic is not completely mirrored.
        - GX4000 series models do not support this HA.

    2. GX4000 series models have integrated hardware-level bypass, so they can be configured to Fail Open or Fail Close with no additional hardware.

      1. All other models Fail Close by default (the device does not allow network traffic through if the appliance fails) and need external hardware support to be able to Fail Open.

  5. Given you are working with an appliance with GX 4.3 software installed, explain the different types of policies that can be edited so the appliance can perform as expected.
    With emphasis on performing the following tasks:

    1. Protection Settings (Policies)

      1. Data Loss Prevention - Looks for Personally Identifiable Information (PII) or other confidential information moving through and out of your network.

      2. Web Application Protection - Provides overall protection against web application security attacks.

      3. X-Force Virtual Patch - Configures the block and quarantine responses automatically for events or signatures that X-Force recommends.

      4. Security Events - Configures which attacks and audits to look for and what responses to execute when found.

      5. User Defined Events - Write user defined attacks or audits to look for and what responses to execute when found.

      6. Open Signature - Write customized, pattern-matching signatures by using a flexible rules language.

      7. Protection Domains - Configure the domains where you can apply policies to deploy across groups of network assets or globally across your organization.

      8. Connection Events - Configure notifications of open connections to or from particular addresses or ports.

    2. Configuring Response Tuning (Policies)

      1. Quarantine Rules - Review rules generated in response to detected intruder events and manually add new ones.

      2. Responses - Define how the appliance should notify you when it detects an intrusion or other important events in your system.

      3. Response Filters - Use Response Filters on your Network IPS appliance to refine your security policies by controlling the number of events to which the appliance responds and the number of events reported to the management console.

      4. Rolling Packet Capture settings - Define how and when packets are captured and stored for troubleshooting or general network analysis.

    3. Firewall Rules

      1. Firewall Rules - Configures rules to drop or block attacks based on various source and target information in the packet before they enter your network.

    4. System Settings (Policies):

      1. Security Interfaces - View and manage the appliance's network interfaces and enable HA.

      2. Management and TCP Reset Interfaces - Set network configuration options, such as a hostname, the DNS search path, and speed and duplex settings.

      3. Accounts and Passwords - Configures accounts, users, and passwords to access your Network IPS appliance.

      4. Remote Access - Configures servers for remote authentication.

      5. Alert Settings - Configures sensor and health alerts on your Network IPS appliance.

      6. SiteProtector Management - Configures the appliance to be managed by SiteProtector.

      7. Date/Time Configuration - Sets the current date and time for the appliance.

      8. SNMP - Configures SNMP information and traps.

      9. Administration - Configures how the appliance manages available updates.

      10. Update Settings - Configures automatic updates, license and update servers, and event notifications.

      11. Tuning Parameters - Configure certain parameters to better meet your security needs or enhance the performance of your hardware.

  6. Given that the Network IPS V4.3 software has different options to notify the user directly, list the available options and what types of information are available, so that the notification options can be fully understood.
    With emphasis on performing the following tasks:

    1. SNMP Trap/Inform - Sends traps or informs for:

      1. Available Updates, Update Installation, Update Errors

      2. License Notices

      3. Security Event Notification

      4. System Status

    2. Email - Sends a user-configurable selection of the 27 common agent parameters and the 10 component parameters specific to the event that is sent, for:

      1. Available Updates, Update Installation, Update Errors

      2. License Notices

      3. Security Event Notification

      4. System Status

  7. Given a customer's requirement to understand the capabilities of Protection Domains and Virtual Local Area Network (VLAN) operations in Network IPS, define security policies for different network segments to be monitored by a single appliance, so that Protection Domain and VLAN operation for Network IPS has been explained.
    With emphasis on performing the following tasks:

    1. The purpose of Protection Domains is to provide flexibility by allowing one appliance to use different sets of rules according to network segment, VLAN, or IP address.

    2. Define security policies for different network segments monitored by a single appliance.

      1. Protection Domains act like virtual sensors, as though you had several appliances monitoring the network. You can define Protection Domains by ports, VLANs, or IP version 4 or version 6 address ranges.

    3. Use Protection Domains to accomplish the following objectives:

      1. To define and apply multiple Protection Domains to a single appliance.

      2. To apply multiple policies to a single appliance, which lets you tune the responses to specific network traffic on one or more network Protection Domains and security events.

      3. The appliance always uses a global security policy and handles security events in the same manner for all areas of the network. It uses this single global policy to handle security events unless you define Protection Domains and edit the security event policies to suit each domain.

    4. You can create specific security policies for specific Protection Domains.

      1. You can adjust the global policy for specific domains as you see fit.

      2. These policies tell the appliance what properties signal an event and how to respond if the event occurs.

    5. After you have configured Protection Domains, use them in conjunction with security policies that handle security events occurring on the network.

      1. Note: Certain Flood and Sweep signatures are not supported with user-defined Protection Domains.

    6. Based on the number of VLANs to be monitored, use Protection Domains when you want to monitor groups of different VLANs from a single appliance by using global policies to centralize intrusion prevention.

      1. The appliance can monitor all VLANs at one time.

      2. The appliance can monitor VLANs individually.

      3. VLANs use packet tagging to keep track of packets within the switched network.

    7. Web application vulnerability information can be imported from AppScan to create a Protection Domain for web servers.
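The Protection Domain behaviour described in this objective (a domain matched by interface, VLAN or IP range; per-domain entries overriding the Global policy; Flood and Sweep signatures always handled by the Global policy) is illustrated below with an added Python model. This is example code written for this page, not the appliance's implementation. The domain and event names (WebServers, GuestVLAN, SQL_Injection, SYN_Flood) are constructed, and the rule that an empty criterion does not constrain a match is an assumption.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

GLOBAL = "Global"                   # the built-in, site-wide domain that always exists
FLOOD_SWEEP = {"Flood", "Sweep"}    # categories the page says user-defined domains do not support


@dataclass
class ProtectionDomain:
    """A user-defined domain keyed by interfaces, VLAN IDs and/or IP ranges."""
    name: str
    interfaces: Set[str] = field(default_factory=set)   # e.g. {"A", "B"}
    vlans: Set[int] = field(default_factory=set)        # 802.1Q VLAN IDs
    networks: List = field(default_factory=list)        # ip_network objects (v4 or v6)

    def matches(self, interface: str, vlan: int, ip: str) -> bool:
        # Assumption for this example: a criterion left empty does not
        # constrain the match; every non-empty criterion must be satisfied.
        if self.interfaces and interface not in self.interfaces:
            return False
        if self.vlans and vlan not in self.vlans:
            return False
        if self.networks:
            addr = ipaddress.ip_address(ip)
            # Membership is False across address families, so an IPv4
            # address never falls into an IPv6 range or vice versa.
            if not any(addr in net for net in self.networks):
                return False
        return True


def select_domain(domains: List[ProtectionDomain], interface: str,
                  vlan: int, ip: str) -> str:
    """First matching user-defined domain wins; otherwise fall back to Global."""
    for d in domains:
        if d.matches(interface, vlan, ip):
            return d.name
    return GLOBAL


def resolve_response(policy: Dict[str, Dict[str, str]], domain: str,
                     event: str, category: str) -> str:
    """Look up the response for an event in a domain.

    The domain's own entry overrides the Global entry, except for Flood and
    Sweep signatures, which are not supported in user-defined domains and so
    always take the Global response.
    """
    global_response = policy[GLOBAL].get(event, "ignore")
    if category in FLOOD_SWEEP:
        return global_response
    return policy.get(domain, {}).get(event, global_response)


def classify(domains, policy, interface, vlan, ip, event, category) -> Tuple[str, str]:
    """Run both steps for one observed event; returns (domain, response)."""
    domain = select_domain(domains, interface, vlan, ip)
    return domain, resolve_response(policy, domain, event, category)


# Constructed sample: one domain defined by an IPv4 range, one by a VLAN, and
# a policy in which the web-server domain tunes a single event.
DOMAINS = [
    ProtectionDomain("WebServers", networks=[ipaddress.ip_network("10.1.0.0/24")]),
    ProtectionDomain("GuestVLAN", vlans={200}),
]
POLICY = {
    GLOBAL: {"SQL_Injection": "block", "SYN_Flood": "alert"},
    "WebServers": {"SQL_Injection": "block+quarantine"},
}

if __name__ == "__main__":
    print(classify(DOMAINS, POLICY, "A", 10, "10.1.0.7", "SQL_Injection", "WebApp"))
```

Note how an event in the GuestVLAN domain still resolves to the Global response: a domain only changes behaviour for the events you explicitly copy and edit for it, which is exactly the copy-paste-edit workflow described under Section 2, objective 7.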


Section 2 - Installation and Configuration


  1. Given the access options and the customer's requirements, identify which methods of accessing the device can be used to configure the appliance, so that the engineer can determine which method to use to configure the appliance as well as the limitations of each.
    With emphasis on performing the following tasks:

    1. Identify what options will be available.

      1. Ethernet - via the command line, SSH using the admin account.
        - Once configured, allows reboot, IP and interface reconfiguration, backup / restore.
        - Does not allow any policy modification.

      2. Ethernet - via HTTPS, connecting with a web browser.
        - Access to the initial configuration wizard; once configured, allows access to virtually all functions including policy configuration.

      3. Serial / console cable, connecting with a terminal emulator.

      4. Ethernet - via IBM Security SiteProtector System V2.0 SP8.1 (SiteProtector).
        - Once the appliance has its initial configuration via the setup wizard, this allows policy and event management.

      5. Front panel LCD.
        - May not be available on some older models.

    2. Connect to the device via the command line by using Ethernet.

      1. SSH to the appliance IP address by using the admin username. In default configuration the password is "admin".

    3. Connect to the device via the HTTPS interface by using Ethernet.

      1. If the zero-configuration networking option is enabled, Bonjour or Avahi can be used to locate and communicate with the device via DNS.
        - Zero-configuration networking is used only for initial device configuration; once configured, this service can be disabled on the appliance. (It will prompt during setup.)

      2. Use a supported web browser (IE 7+ or Firefox 1.5+) with Java JRE 1.6 or higher, with the Java cache disabled or cleared often.

      3. Allows full policy configuration and virtually all features. Once an IP address has been configured, the appliance can be fully managed from here if SiteProtector is not used.

      4. In a supported browser, enter https://appliance_IP_address to connect to the appliance and log in.

    4. Connect to the device via serial or console cable.

      1. Using the supplied serial cable, configure HyperTerminal or another VT100 terminal emulator.
        - 9600 baud, 8 data bits, no parity, 1 stop bit, no flow control.

      2. Allows access to the admin shell for initial setup wizard, IP and interface reconfiguration, backup / restore.

    5. Connect to the device via SiteProtector.

      1. During the initial configuration the appliance will prompt for the SiteProtector Agent Manager name and address information.
        - This may also be configured via the HTTPS interface later if it is not performed during the initial configuration.
        - Within the HTTPS local management interface select Manage System Settings -> Appliance -> SiteProtector Management.
        - Add the SiteProtector Agent Manager's IP address, port, and name to the list of Agent Managers.
        - Name the SiteProtector group for the appliance to be registered under.
        - Determine whether the existing policy will override the group's policy when the device is registered.
        - Save changes.

      2. SiteProtector allows full management of policies and security event management.

    6. Connect to the device by using the LCD.

      1. Allows basic IP address configuration, appliance status, and reboot options.

      2. To configure the IP address:
        - Press Enter.
        - Follow the on-screen prompts to configure the network.
        - Up and down arrows select IP address digits; left and right arrows move to the next digit.
        - The same method is used for subnet mask and gateway information.
        - Once the settings are confirmed, a temporary password is provided that should be recorded and used to complete configuration by using the HTTPS interface.

  2. Given internet access, a blank USB flash drive or recordable CD, and a laptop with a serial port, restore the appliance to a factory-new / default state, so that the appliance is reset to factory defaults and can be configured as it would be if it were delivered from the factory.
    With emphasis on performing the following tasks:

    1. Factory restore by using the built-in recovery option in the boot manager

      1. Connect to the serial / console port with a laptop and a proper terminal emulator.

      2. Restart the appliance by powering it off and back on again.

      3. Interrupt the boot sequence with the arrow keys and select the option to restore to factory defaults.

      4. If prompted for a password, enter the password; it may still be the default of "admin" if the customer has not changed it.

      5. The appliance will re-image itself and restart with a factory default configuration, using the firmware that the appliance was last imaged from.

    2. Factory restore by using a laptop as a PXE boot server

      1. Download the *.iso image from the IBM download site for the appliance to be re-imaged and write it to the blank CD.

      2. Power off the appliance and boot the laptop from the CD created; type "bootserver" to start the boot server when prompted.

      3. Once the laptop is booted, connect an Ethernet cable from the laptop to the management port on the appliance, and a serial cable from the communications port to the console port on the appliance.

      4. Power on the appliance; as it begins to boot, press "L" to boot from the laptop via the network.

      5. The appliance will boot and prompt to type "reinstall" to re-image the appliance.

      6. The appliance will re-image and prompt to reboot back to factory defaults.

    3. Factory restore by using a USB flash drive

      1. Download the proper *.img USB image from the IBM download site for the appliance.

      2. Using win32diskimager or similar tool, write the image file to a blank USB flash drive.

      3. Power off the appliance and insert the USB flash drive.

      4. Connect to the serial / console port with a laptop and a proper terminal emulator.

      5. Power on the appliance and boot it from the USB flash drive.

      6. Type "reinstall" to re-image the appliance back to factory defaults and reboot the device.

  3. Given an IBM Security Network Intrusion Prevention System V4.3 (Network IPS) device that (i) has already undergone initial setup and (ii) is of a firmware version earlier than 4.1, explain how to update the appliance's firmware to 4.1 or later, so that a Network IPS appliance has been updated to the most recent firmware version.
    With emphasis on performing the following tasks:

    1. Log in to the Local Management Interface (LMI) of the appliance: https://IP_address_of_management_interface

    2. Open the Updates menu.

      1. Under Settings -> Automatically Check for Updates, verify whether the appliance will check for updates at a given interval or daily/weekly.

      2. Under the Available Downloads submenu, verify whether downloads are present in the list. Click the Download Updates Now button.

      3. Under the Available Installs submenu, choose the new firmware version and click Install Now.

    3. The appliance will install the update and may reboot.

    4. Close the browser or browser tab that was logged in to the LMI. Open a new browser or tab, and log in to the LMI of the newly-updated appliance. The interface will have changed.

    5. Verify the new firmware version under the System summary pane.

  4. Given the requirements from the design document, perform the initial setup of an appliance with the Intrusion Prevention Systems (IPS) Setup Wizard, so that the appliance is ready to be accessed over the management interface to perform detailed configuration.
    With emphasis on performing the following tasks:

    1. Connect to the appliance with an SSH client or terminal emulation program.

      1. On the login screen, type admin and the appropriate password.

      2. Review the welcome screen and continue.

      3. Review and accept the license agreement.

      4. Enable FIPS mode if required.

      5. Upload the license or skip the step.

      6. Configure passwords for the root and admin users.

      7. Configure the management interface: static IP or DHCP, DNS, hostname, etc.

      8. Configure the date and time as well as the NTP protocol (if available).

      9. Configure the agent name as it appears in the management interface.

      10. Optionally, choose to register Network IPS with SiteProtector.

      11. Configure the Security Interfaces port mode settings:
        - Inline protection
        - Inline simulation
        - Passive monitoring

      12. Updates - Install the latest security content available from IBM X-Force for Network IPS.

      13. Completion - Review your configuration settings before they are applied.

  5. Given a knowledge of SiteProtector and Network IPS, explain to a customer how SiteProtector and Network IPS are integrated and how they communicate, so that the customer has a better understanding of the integration between SiteProtector and Network IPS.
    With emphasis on performing the following tasks:

    1. How the SiteProtector Agent Manager works.

      1. When you enable SiteProtector Management, you assign the appliance to an Agent Manager.
        - Agent Managers manage the command and control activities of the various agents and appliances registered with SiteProtector and facilitate data transfer from appliances to the Event Collector, which manages the real-time events it receives from appliances.

      2. The Agent Manager sends any policy updates to appliances based on their policy subscription groups. (A subscription group is a group of agents or appliances that share a single policy.) Decide which group the appliance should belong to before you register it with SiteProtector. Eventually, the group's policy is shared down to the appliance itself.

      3. SiteProtector components
        - The SiteProtector Core (Application Server) talks to the IBM Internet Security Systems (IBM ISS) GX Sensor.
        - TCP port used to connect to the IBM ISS GX Sensor: 443.

      4. How SiteProtector Management works.
        - When you register the appliance with SiteProtector, the appliance sends its first heartbeat to the Agent Manager to let the Agent Manager know that it exists.
        - A heartbeat is an encrypted, periodic HTTP request the appliance uses to indicate it is still running and to allow it to receive updates from the Agent Manager.
        - When you register the appliance with SiteProtector, you set the time interval (in seconds) between heartbeats.
        - When the Agent Manager receives the heartbeat, it places the appliance in the group you specified when you set up registration.
        - If you did not specify a group, it places the appliance in the default group "G-Series" or "Network IPS," depending on your version of SiteProtector.
        - If you clear the group box when you register the appliance, it places the appliance in Ungrouped Assets.
        - The Agent Manager talks to the IBM ISS GX Sensor.
        - TCP ports used to connect to the IBM ISS GX Sensor: 3994, 8093, 8443.

      5. IBM ISS GX Sensors
        - TCP ports used to connect to the Agent Manager: 901-930, 3995.

  6. Given an understanding of the security design, and leveraging integrations with other systems, configure the proper authentication/login mode and allow multiple users appropriate access to the appliance, so that RADIUS or LDAP/AD authentication has been configured to centrally manage access control (user name/password) from one location for multiple GX appliances.
    With emphasis on performing the following tasks:

    1. Two default accounts (local users) come with the appliance:

      1. Root - Linux root access to the appliance.

      2. Admin (OS/CLI user) - account used for SSH access to the IPS Setup tool for basic management.

      3. Admin (LMI) - account used with the LMI.

      4. Additional accounts (remote users) can be configured as administrators or read-only users by using the LMI.

      5. Connect to the LMI with the admin account.

      6. Select Manage System Settings -> Accounts and passwords.

      7. Configure the user account and the type of interface that will be used: LMI, SSH or the Intrusion Prevention Systems (IPS) Setup tool.

      8. Save the configuration.

      9. Test the changes.

    2. The passwords for accounts can be managed/changed by using the Network IPS Setup tool or the LMI.

    3. The LMI provides centrally managed access control (user name/password) from one location for multiple GX appliances through an LDAP, RADIUS, or Active Directory server, for multiple user accounts accessing the appliance through multiple interfaces.

      1. Connect to the LMI with the admin account.

      2. Select Manage System Settings -> Remote access.

      3. Enter LDAP, RADIUS, or Active Directory server parameters.

      4. Save the configuration.

      5. Test the changes.

  7. Given a Network IPS appliance running firmware V4.1 or later that is registered with SiteProtector SP7.0 or later and is obtaining all policies from SiteProtector, explain how to implement Protection Domains, so that a Protection Domain has been created.
    With emphasis on performing the following tasks:

    1. Update the Global Protection Domain policy. In SiteProtector, open a Policy tab and set Agent Type to Network IPS.

    2. Under the Default Repository -> Shared Objects, open the Protection Domains policy. This is a global policy. The existing "Global" entry is site-wide, and it cannot be removed or altered.

      1. Click the green "plus" button to add a new Protection Domain.

      2. Enable the Protection Domain, and name it. Fill in the "comment" field as applicable.

      3. If your Protection Domain is to monitor only specific network segments, check the boxes for the appropriate pairs of interfaces (A and B, C and D, etc.) if the segments are inline, or single interfaces (A only, F only, etc.) if the interface is monitoring a network tap.

      4. If your Protection Domain is to be defined according to Virtual Local Area Networks (VLANs), IPv4 addresses, or IPv6 addresses, enter single entries, range entries, or a comma-delimited list of entries as desired.

      5. Click "OK" to commit the rule, and then save the policy. As it is a global policy, it isn't required to be explicitly deployed.

    3. The policy types that can contain separate entries for each Protection Domain are Security Events, User Defined Events, Data Loss Prevention, Web Application Protection, and Response Filters. Identify each of these policy types.

      1. Update the policy that is to have different rules for each Protection Domain. Here we examine the Security Events policy, but the process is similar for updating the other named policy types. Open the Security Events policy, and organize the view so that it is grouped by "Protection Domain" at the root-most level.

      2. Select the events that are to be altered for the new Protection Domain. Copy these events and then click the paste button. This will create duplicates of the events.

      3. Highlight all the new events together, and click the edit button. Select the newly-created Protection Domain.

      4. Alter the new events according to your needs.

      5. Save and deploy the policy.

  8. Given the customer's requirement, that the assets or segments affected by the policy have been defined, and that the agent has been added to the repository, identify what type of policy is required to manage the type of activity/event and identify the action required when the event occurs, including notification options, so that a security policy has been created and deployed to the Network IPS.
    With emphasis on performing the following tasks:

    1. Log in to SiteProtector.

    2. Validate state of Agent.

      1. Open Agent view that includes the agent for the Network IPS.

      2. Inspect agent health / state.
        - Health Status should show Healthy.
        - State should show Active.
        - Update Status should show Current. (Verify the version against the IBM download site.)

    3. Open Policy Management for Network IPS by using one of the following methods:

      1. Right-click on Network IPS Agent ->select manage policy from menu.

      2. From the Object menu select New Tab -> Policy.
        - Select "Network IPS" from the Agent Type pull-down menu.
        - Select / verify the Agent version (ex: 4.3).
        - Select the Group / Agent under My Sites on the left where the Network IPS is located.

      3. From the Go to menu in the upper right select Policy from the pull-down menu.
        - Select "Network IPS" from the Agent Type pull-down menu.
        - Select / verify the Agent version (ex: 4.3).
        - Select the Group / Agent under My Sites on the left where the Network IPS is located.

    4. Create a new policy that addresses customer's requirement (CR).

      1. If not already open, click on "+" next to Policy Not Deployed.

      2. Right-click Policy type that addresses CR.

      3. Select New Policy.

      4. Provide Policy Name.

      5. Verify that Policy Content is set to Generate Empty and that the Policy Type is correct.

      6. Click OK.

    5. Configure and Deploy Policy to address CR.

      1. Each Policy Type will have different options. You will be required to review, select, enable or add content based on what policy you are configuring.

      2. Discuss the potential results of deploying the policy.
        - Review the Intrusion Prevention Systems(IPS) modes (Monitor, Inline Simulation, Inline Protection).
        - Discuss the scheduling options for deployment.

      3. Save and Deploy Policy.
        - Save the policy by using one of the following procedures:
          - Click on the disk save icon on the menu bar at the top.
          - From the Action menu select Save Policy.
          - Use the key sequence "Ctrl"+s.
        - Complete the policy version information.
        - Add a comment that describes the policy.
        - Click Deploy this new version if you want to deploy the policy immediately.
        - Click OK.
        - Deploy the policy:
          - Verify that the required policy is identified in the Deploy following Policy box.
          - Select the target for the policy: select targets from the column on the left, then click on the targets in the box on the right where you want to deploy the policy.
          - Review the policy deploy schedule options with the customer: select Schedule from the left column and review the option to force an agent update.
          - Deploy the policy and click OK.
        - Close the tab for the policy.
        - Verify that the new policy is listed above the "Policy Types Not Deployed" group.

  9. Given a Network IPS GX appliance that has been installed, is managed by SiteProtector and is in inline simulation mode (ILSM), move the appliance from ILSM to inline protection mode (ILPM), so that the appliance is now in ILPM and takes protective actions as defined in the policy.
    With emphasis on performing the following tasks:

    1. Open SiteProtector Console and log in to site where GX is managed.

    2. Review Events generated while segment was in ILSM.

      1. Open an agent view that includes GX.

      2. Check the status of the GX agent.
        - The agent should show Health Status = Healthy, Status = Active, Update = Current.

      3. Review the events generated while in ILSM.
        - Open an analysis view.
        - Select the group or device where the GX is being managed.
        - Change the time filter to cover the period during which the unit was in ILSM.
        - Verify that none of the events seen while in ILSM would negatively affect the customer's operation once in ILPM.
        - Modify policies to address any required changes.
        - Run the GX in ILSM until changing the mode to ILPM will not negatively affect customer operation.

    3. Change Network segment from ILSM to ILPM.

      1. Open a policy view for Network IPS and for the Agent Version Running on the GX.

      2. Select Agent Specific Policies for the GX.

      3. Right-click and select open on Security Interfaces.

      4. Click on Mode field that manages the segment you want to change to ILPM.

      5. Select ILPM from drop-down menu.

      6. Save and Deploy Policy.

    4. Test critical processes for connectivity and operation.

      1. Test critical and less critical communications and applications for functionality.

  10. Given customer requirements for security event notifications and event responses, configure the response policy for a Network IPS appliance so that the customer is notified according to requirements and Intrusion Prevention Systems(IPS) performs the desired responses.
    With emphasis on performing the following tasks:

    1. The response policy controls how the appliance responds when it detects intrusions or other important events. Create responses and then apply them to events as necessary.

    2. You can configure the following response types:

      1. Email
        - Send e-mail alerts to an individual address or e-mail group.
        - Configure e-mail notifications to alert individuals or groups when specific events occur.
        - You can select the event parameters to include in the message to provide important information about detected events.
        - To add or change e-mail responses:
          - In IBM ISS Manager, select Responses.
          - In SiteProtector, select Response Objects.
          - Select the Email tab.

      2. Log Evidence
        - Log alert information to a saved file.
        - You can configure the appliance to log the summary of an event. The Log Evidence response creates a copy of the packet that triggers an event and records information that identifies the packet, such as Event Name, Event Date and Time, and Event ID.
        - Evidence logs show you what an intruder did or tried to do to the network. The appliance logs packets that trigger events to the /var/iss/ directory.
        - To add or change Log Evidence responses:
          - In IBM ISS Manager, select Responses.
          - In SiteProtector, select Response Objects.
          - Select the Log Evidence tab.

      3. Quarantine
        - Quarantine the attack.
        - You can create quarantine responses that block intruders when the appliance detects security, connection, or user-defined events. These responses block worms and Trojans.
        - Quarantine responses work only when you have configured the appliance to run in Inline Protection mode.

      4. SNMP
        - Send SNMP traps to a consolidated SNMP server. You can configure SNMP notification responses for connection, security, and user-defined events that pull certain values and send them to an SNMP manager.
        - SNMP is a set of protocols used for managing networks.
        - To add or change SNMP responses:
          - In IBM ISS Manager, select Responses.
          - In SiteProtector, select Response Objects.
          - Select the SNMP tab.

      5. User Specified
        - Process alerts by using your custom programs or scripts.

  11. Given the Network IPS appliance is registered and managed by SiteProtector, validate that the appliance is running and configured, so that the appliance is operational and meets the customer's networking requirements.
    With emphasis on performing the following tasks:

    1. Validate GX is operational and managed by SiteProtector.

      1. Open an agent view and select the device or group where the GX is managed.

      2. Make sure the agent is listed and that Health Status = Healthy, Status = Active, updates are current, the version is correct, the last contact time is appropriate and the proper event manager is listed.

    2. Verify Security Network Interfaces are configured properly and other functions operational.

      1. Inspect the Agent Properties.
        - Right-click the GX Agent in the Agent View and select Properties.
        - Click on Health Summary and review the System, Security and Network status and any Agent Messages.
        - Click on Module Status.
        - Click on Agent Info under Agent Status and review the agent info.
        - Click on Network Info under Agent Status and review the port settings.
        - Click on Module Status -> Intrusion Prevention and validate that the Status is Active.
        - Click on Module Status -> Engine Status; if policies have been deployed, the event value should be greater than 0.
        - Click on Command Jobs and review the status of all jobs.

      2. Validate network traffic through inline segments, or traffic activity present on monitored ports.
        - Log in to the LMI for the GX and review the network status.
        - Open a browser and enter https://ip_address_of_GX.
        - Log in by using admin as the user and your password.
        - Select the Home Appliance Dashboard tab and review the overall Appliance Status.
        - Click on "Dashboard" in the Network health box.
        - Check each segment and interface for configuration and throughput; select and monitor these charts for each of the segments you test and validate.
        - Generate customer-approved traffic that validates traffic traversing the GX segment(s) or monitored ports.
        - Validate the network activity in the LMI segment chart.

    3. Verify customer approved policy test.

      1. Configure Policy approved by customer for testing and validation for each segment or port being tested.

      2. Log in to the LMI and select "Dashboard Link" in Security Health Box on Home page for appliance.

      3. Review Last 10 Intrusion Prevention Systems(IPS) Events on dashboard.

      4. Inject a customer-approved event into the network segment; depending on the event, you may be required to inject it multiple times.

      5. Refresh browser and validate the event is listed in the Last 10 Intrusion Prevention Systems(IPS) Events and that status reflects policy action(s).

      6. Log in to SiteProtector and verify that the same event(s) have been logged.


Section 3 - Problem Determination


  1. Given an IBM Security Network Intrusion Prevention System V4.3 (Network IPS) appliance running Firmware V4.1 or later, identify and explain the built-in troubleshooting tools and log locations to resolve an issue, so that the engineer has found the cause of the error and can work towards resolving it.
    With emphasis on performing the following tasks:

    1. The appliance's Local Management Interface provides health indicators, system statistics, problem reporting and a few troubleshooting tools. Use a web browser to log in to the Local Management Interface of the appliance (https://address_of_management_interface) as the user "admin". The Local Management Interface will hereafter be called the LMI.

      1. The Home/Appliance Dashboard screen of the LMI has several panels that provide a quick overview of the appliance's state, and is the first place to check when investigating a problem with the appliance through the LMI:
        - There are four health-related portlets here: Network health, Security health, System health, and IBM Security SiteProtector Systems V2.0 SP8.1(SiteProtector) health. A green check is displayed if the appliance considers that particular function completely healthy, and a red exclamation point is displayed if the appliance. Examine these panes for issues.
        - The System summary pane lists basic system information, including the model, firmware version, backup state, uptime, disk usage, and memory usage. Examine these usage indicators for runaway disk or memory usage conditions.
        - The Network summary pane details the state of each interface and a graph of the last few minutes of the sum of network throughput over all monitoring interfaces. Examine this pane when investigating network-related issues.

      2. The Monitor Health and Statistics screen of the LMI has detailed subsections for everything listed on the Dashboard (mentioned in the previous step). Be able to identify this section as a resource for troubleshooting performance, security or general system issues.

      3. Under the Manage System Settings screen of the LMI -> Appliance -> System Tools -> SiteProtector is a "Test Connection" button to test connectivity to SiteProtector. After running the test, the interface will provide a link to a log file with further details. Be able to identify this as a primary resource for examining SiteProtector connectivity issues.

      4. Under the Review Analysis and Diagnostics screen of the LMI, additional tools and logs are available.
        - Under the Diagnostics section, identify ping and traceroute as the utilities available to investigate network and connectivity issues.
        - The Logs -> System page displays entries from the system log, filterable by search text and by time/date range. Be able to identify the system log as /cache/log/messages.
        - The Downloads -> Logs and Packet Captures page displays a filtered list of files from the /cache/iss folder, which holds many of the log files needed for troubleshooting. You can download these files through this interface. Be able to identify the displayed folder as /cache/iss.

      5. You can troubleshoot by using the command-line interface if you find it convenient to do so or if the LMI is not working. Use of the command-line interface, hereafter called the CLI, may be required for certain troubleshooting steps. Use an SSH client to log in to the appliance as the root user.

      6. The provinfo script collects system information, policy files, and log files, and compresses them into a .tgz archive under /cache/support.
        - From the CLI, execute "provinfo".
        - The script may take several minutes to run, and will generate the file /cache/support/provinfo__.tgz
        - Be able to identify two ways of retrieving this file:
          - Copy the file to /cache/iss and download it through the LMI (mentioned two steps earlier).
          - Log in to the appliance as root by using a secure-copy utility, and use the utility to copy the file from the appliance.

      7. Identify "telnet" as a utility to test connectivity to any server that listens on a TCP port.

      8. Identify "openssl" as a utility that verifies whether it is possible to establish a Secure Socket Layer (SSL) session to an SSL server such as the Agent Manager or the X-Press Update Server (XPU).

      9. You may be required to use a text editor to alter logging settings or make other changes. Identify "vi" as the text editor included with the Network IPS appliances.

      10. You may be occasionally required to capture traffic directly on the appliance. Identify "tcpdump" as the built-in utility to do this.

      11. The adapterdump utility provides speed/duplex and link state information about the interfaces; adapter statistics (total packets transmitted, received, forwarded, dropped, uninspected, and injected; total bytes received and transmitted; and total receive errors); and buffer statistics. Be able to identify this tool and its path as /etc/iss/drivers/adapterdump and to name the various types of information that it returns.

      12. The iss-spa service (short for SiteProtector Agent) is responsible for communications with SiteProtector through the SiteProtector Agent Manager. It logs to the syslog, /cache/log/messages, and its configuration file is /etc/spa/iss-spa.conf. Identify the primary function of iss-spa, its logging location, and its configuration file. The log level can be set through /etc/spa/iss-spa.conf as follows:
        - Stop iss-spa with "service iss-spa stop".
        - Open /etc/spa/iss-spa.conf with "vi /etc/spa/iss-spa.conf".
        - Find the line starting with "DebugLevel" and set its value in the range from 0 (lowest) through 5 (highest). For example, for maximum logging, the line would look as follows: DebugLevel=L5;
        - Save and close the configuration file, and start iss-spa with "service iss-spa start".
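As an added example (not IBM's own tooling), the shell functions below make the DebugLevel edit from the steps above on a copy of the configuration file, rejecting values outside the documented 0..5 range and keeping a backup so the original level can be restored once troubleshooting is finished; the sample file contents and the function names are constructed for illustration, and only the "DebugLevel=L<n>;" line form is taken from the steps above.

```shell
#!/bin/sh
# Added example, not IBM's own tooling. Edits the "DebugLevel=L<n>;" line that
# the steps above describe in /etc/spa/iss-spa.conf. On the real appliance, run
# "service iss-spa stop" first and "service iss-spa start" afterwards; the file
# path is passed as an argument so the functions can be exercised on a copy.

# Print the digit after "DebugLevel=L" (0..5); prints nothing if no such line.
get_spa_debug_level() {
    sed -n 's/^DebugLevel=L\([0-5]\);.*/\1/p' "$1" | head -n 1
}

# set_spa_debug_level CONF LEVEL
#   Returns 0 on success, 1 for a level outside the documented range 0..5,
#   2 if CONF is not writable. A copy of the previous file is left at CONF.bak
#   so the original level can be put back when troubleshooting is finished.
set_spa_debug_level() {
    conf=$1
    level=$2
    case $level in
        [0-5]) ;;
        *) echo "DebugLevel must be 0..5, got '$level'" >&2; return 1 ;;
    esac
    [ -w "$conf" ] || { echo "cannot write $conf" >&2; return 2; }
    cp "$conf" "$conf.bak"
    if grep -q '^DebugLevel=' "$conf.bak"; then
        # Rewrite the existing line, whatever its current value or trailing text.
        sed "s/^DebugLevel=.*/DebugLevel=L${level};/" "$conf.bak" > "$conf"
    else
        # No DebugLevel line present: append one in the documented form.
        printf 'DebugLevel=L%s;\n' "$level" >> "$conf"
    fi
}

# Constructed sample file standing in for /etc/spa/iss-spa.conf; only the
# DebugLevel line follows the form given in the steps above.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# constructed sample - not the real iss-spa.conf
DebugLevel=L0;
EOF

echo "before: DebugLevel=L$(get_spa_debug_level "$demo_conf");"
set_spa_debug_level "$demo_conf" 5        # maximum logging for troubleshooting
echo "after:  DebugLevel=L$(get_spa_debug_level "$demo_conf");"
```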

      13. The folder /cache/log contains basic system logs such as the syslog (messages), boot log, and kernel log. Identify this folder and its contents.

      14. The folder /cache/iss contains various log files. Identify this folder and be able to identify the following logs, their associated processes, and the purpose of each.
        - isslum.log - LUM is the Licensing and Update Manager, responsible for obtaining entitlement and managing updates. It runs as the iss-lum process.
        - CrmCSFTrace.log - The CSF is the Common Sensor Framework, and it is responsible for controlling the Intrusion Prevention Systems(IPS) engines and handling events. It runs as the issCSF process.
        - engine0.log - The low-level netengine system works directly with the network monitoring interfaces. It runs as the iss-netengine process.
        - pam0.log - PAM, the IBM Protocol Analysis Module, is the implementation of the core functionality of the Intrusion Prevention Systems(IPS). It inspects traffic, generates IPS events, and instructs netengine to pass, block, or rewrite traffic. PAM is a library, and it does not have its own process.

  2. Given a Network IPS appliance that is listed as "Offline" in SiteProtector, identify the reason for this status, so that the issue has been defined and can be resolved.
    With emphasis on performing the following tasks:

    1. Log in to the Local Management Interface of the appliance as the admin user: https://IP_address_of_management_interface

    2. Click Manage System Settings, and under the Appliance heading, click SiteProtector Management.

    3. Verify that the Register With SiteProtector box is checked. Under Agent Manager Configuration, note the Agent Manager address and port. Be able to identify 3995 as the default TCP port on which the Agent Manager listens for event and heartbeat traffic.

    4. Through the SiteProtector Console, examine the assigned Agent Manager. Verify whether SiteProtector reports that it is operating correctly and whether its health status is reported as healthy.

    5. If the Agent Manager is operating and healthy, use an SSH client to log in to the appliance as the root user.

    6. Test connectivity to the Agent Manager by using either the telnet utility or the openssl utility:

      1. Run "telnet <Agent_Manager_address> 3995". If the Agent Manager is not reachable, the telnet attempt will time out. If it times out, this is likely a network issue.

      2. A test by using the openssl utility can help identify problems related to the Secure Socket Layer (SSL) protocol or traffic. Run "openssl s_client -connect <Agent_Manager_address>:3995". If the telnet test worked but the openssl test gives errors or times out, then there is likely either a server-side configuration or certificate problem, or something between the appliance and the Agent Manager that is altering or preventing Secure Socket Layer (SSL) communications.

    7. If the connectivity tests revealed no problem, further investigation is needed. This goes beyond the scope of this certification.

  3. Given that SiteProtector and Network IPS are installed and you have received an "Active with Errors" status, troubleshoot the issue within SiteProtector and Network IPS, so that the cause of the issue can be determined and resolved.
    With emphasis on performing the following tasks:

    1. General troubleshooting tasks:

      1. Check IBM documentation online.

      2. Check PDFs.

      3. Check knowledge base articles (KBAs).

    2. SiteProtector:

      1. Go to the Agent properties:
        - Check the System tab.
        - Check the Security tab.
        - Check the Network tab.
        - Check the Agent Messages tab.

      2. Go to Module Status:
        - Check the agent status.
        - Check the network status.

    3. Network IPS Agent

      1. Under Monitor Health and Statistics:
        - Check memory usage.
        - Check disk space.
        - Check the network dashboard.

      2. Under Review Analysis and Diagnostics:
        - Check the logs.
        - Check firewalls.

  4. Given that an issue has arisen with the LMI and the appliance is being managed by SiteProtector, review the appliance status and identify the issue in the LMI, so that the customer's issue has been identified and can be resolved.
    With emphasis on performing the following tasks:

    1. Log in to GX LMI.

      1. Open approved and configured browser.

      2. Enter URL for GX Appliance LMI Access, https://ip_address_of_gx

      3. Log in by using user= admin and password.

      4. Select the "Home" tab if it is not already active.

    2. Review overall appliance status.

      1. With the Home tab selected, verify operational health.
        - Network, Security, System and SiteProtector (if configured) should show green checks.
        - Resolve any unhealthy errors in the appliance before addressing the customer issue.
        - Select the Dashboard for the component that shows as not healthy (ex: Network Health).
        - Confirm that the configurations, licenses and settings are correct.
        - Note: If the issue is the operation or validation of one of these components and it can't be resolved, then contact Tech Support.

    3. Identify Issues and where they are addressed in the LMI.

      1. Identify the "category" of the issue.
        - If the issue is that traffic is not flowing or appears to be slow:
          - Select the Monitor tab at the top of the LMI and click on Network Dashboard under Network.
          - Select the tab associated with the segment with the issue.
          - Verify the port configurations.
          - Review Throughput and Snapshots.
        - If a specific type of traffic is or is not flowing:
          - Select the Monitor tab at the top of the LMI and click on Dashboard under Security.
          - Review the Last 10 Intrusion Prevention Systems(IPS) events to see if the issue is identified; you may be required to resend or re-inject the sample.
          - Review the policies related to the issue: select the Secure tab at the top of the LMI and select the policy type that addresses the issue.
          - Validate that the policy(s) are set per the customer's requirements.
        - If the issue is related to system settings:
          - Select the Manage tab at the top of the LMI and select the item that addresses the issue.
        - If the issue is not resolved or requires more details:
          - Select the Review tab at the top of the LMI, then select Logs, Diagnostics or Downloads to further investigate the issue.


Section 4 - Administration


  1. Given a license, install the license on the appliance so that the appliance is licensed for updates.
    With emphasis on performing the following tasks:

    1. In Local Management Interface(LMI), select Manage System Settings -> Updates and Licensing -> Administration.

    2. Review information in the Usage license and Maintenance license areas. These areas list the status of each license and when they expire.

    3. In the Update Tools area, use the Upload license key option to upload license files.

    4. Note: Some firmware updates require you to restart the IBM Security Network Intrusion Prevention System V4.3 (Network IPS) system.

  2. Given that updates are available for the Network IPS appliance, navigate to the update page so the updates can be downloaded and installed to the appliance.
    With emphasis on performing the following tasks:

    1. In Local Management Interface(LMI), select Manage System Settings -> Updates and Licensing -> Administration.

    2. In the Update Tools section, click on the Check for Updates link.

      1. If there are updates available click Install Update on the appropriate Firmware or Intrusion Prevention Tab.

      2. If updates are not available, the update packages can be manually downloaded from the IBM Download Center and uploaded via the "Upload File" option.
        - The device should then display the available Firmware or Intrusion Prevention update on the respective tab.

  3. Given SSH and SCP access, admin credentials, and a maintenance window to reboot the appliance, create and retrieve backup files of the appliance, so that the Network IPS appliance has been backed up and can be restored quickly should the need arise.
    With emphasis on performing the following tasks:

    1. Create the backup.

      1. SSH to the appliance by using the admin username.

      2. Select the option for Appliance Management and then Backup Current Configuration.
        - Agree to the reboot and potential downtime while the appliance is offline.

      3. The appliance will reboot, back up its firmware and configuration, and return to normal operation when complete.

    2. Retrieve the backup files by using SCP.

      1. Connect to the appliance by using an SCP tool such as WinSCP and by using the root account.

      2. Copy all files from the /restore/0/images/ directory to a safe location off of the appliance.

    3. Policy backups can be retained within an IBM Security SiteProtector Systems V2.0 SP8.1(SiteProtector) repository.

  4. Given that the Network IPS appliance is being managed by SiteProtector, define how to review the health of the appliance in SiteProtector, so that the status of the health of the appliance has been determined.

    1. Access Network IPS agent properties.

      1. In SiteProtector, right-click the Network IPS agent and select properties.

    2. Review Health Summary.

      1. Click on the Health Summary icon on the left.
        - Click on the System tab.
          - The System tab identifies the health of the appliance.
          - System memory, disk, internal communications, and critical processes are monitored.
          - Any critical function related to the appliance's operation should have a green check.
        - Click on the Security tab. This tab identifies:
          - State of the Network IPS license
          - High Availability state
          - Network traffic received and blocked
          - Attacks blocked and not blocked
        - Click on the Network tab.
          - This health check fails when the appliance loses connectivity to one or more security ports.
        - Click on the Agent Messages tab.
          - Events related to updates, licenses and packet analysis are logged here.

      2. Click on the Module Status icon on the left.
        - Click on Agent Info under Agent Status.
          - This provides a snapshot of the current status of the agent, including firmware version, uptime, last restart, update dates, last backup and SNMP details.
        - Click on Network Info under Agent Status.
          - This provides a brief view of the configured speed and duplex settings of the security ports.
        - Click on Intrusion Prevention under Module Status.
          - This identifies the version, the last reported status and whether it is licensed.
        - Click on Engine Status under Intrusion Prevention below Module Status.
          - This provides a snapshot of the status and a brief view of processed events.

      3. Click on Command Jobs on the left.
        - Use the Command Jobs pane in the Properties tab to view and manage command jobs. Command jobs are created when you perform or schedule actions such as running reports, installing updates, and downloading agent logs.

  5. Given that the NIPS appliance has been deployed with default policies, customize the policies to the customer's needs, so that the appliance has had custom policies applied.
    With emphasis on performing the following tasks:

    1. Access NIPS tuning parameters.

      1. In the LMI, click Secure then Tuning Parameters.

      2. Review tuning parameters.

      3. Increase the logging level.
        - Click on sensor.trace.level and click Edit.
        - Modify the default value of 3 to 5.
        - Save the settings.

    2. Access NIPS security events.

      1. In the LMI, click Secure then Security Events.

      2. Review default policy.

      3. Modify signature settings.
        - Expand Attack / Audit.
        - Expand User overridden: False.
        - Click the Land_Attack signature and click Edit.
        - Enable the signature.
        - Change Severity to High.
        - Check Block.
        - Exit the signature and save the policy.

    3. Review various policy options.

      1. In the LMI, click Secure then User Defined Events.
        - Configure a custom User Defined Event.

      2. In the LMI, click Secure then Open Signatures.
        - Configure a custom Open Signature.

      3. In the LMI, click Secure then Connection Events.
        - Configure a custom Connection Event.

      4. In the LMI, click Secure then Response Filters.
        - Configure a custom Response Filter.

      5. In the LMI, click Secure then Firewall Rules.
        - Configure a custom Firewall Rule.



