Welcome to the exciting world of Cisco certification! If you've picked up this book because you want to improve yourself and your life with a better, more satisfying, and secure job, you've done the right thing. Whether you're striving to enter the thriving, dynamic IT sector or seeking to enhance your skill set and advance your position within it, being Cisco certified can seriously stack the odds in your favor to help you attain your goals!
Cisco certifications are powerful instruments of success that also markedly improve your grasp of all things internetworking. As you progress through this book, you'll gain a complete understanding of security that reaches far beyond Cisco devices. By the end of this book, you'll comprehensively know how Sourcefire technologies work together in your network, which is vital to today's very way of life in the developed world. The knowledge and expertise you'll gain here is essential for and relevant to every networking job and is why Cisco certifications are in such high demand, even at companies with few Cisco devices!
Although it's now common knowledge that Cisco rules routing and switching, the fact that it also rocks the voice, data center, and security worlds is well recognized too. And Cisco certifications reach way beyond the popular but less extensive certifications like those offered by CompTIA and Microsoft to equip you with indispensable insight into today's vastly complex networking realm. Essentially, by deciding to become Cisco certified, you're proudly announcing that you want to become an unrivaled networking expert, a goal that this book will get you well on your way to achieving. Congratulations in advance on the beginning of your brilliant future!
For up-to-the-minute updates covering additions or modifications to the Cisco certification exams, as well as additional study tools, videos, practice questions, and bonus material, be sure to visit the Todd Lammle website and forum at www.lammle.com/firepower.
Cisco, like Microsoft and other vendors that provide certification, has created the certification process to give administrators a set of skills and to equip prospective employers with a way to measure those skills or match certain criteria.
The SSFIPS Securing Cisco Networks with Sourcefire Intrusion Prevention System (500-285) exam is designed for technical professionals who need to demonstrate their expertise and skills in deployment and management of Cisco NGIPS solutions, including Cisco FirePOWER appliances and the Cisco FireSIGHT management system.
Rest assured that if you make it through the SSFIPS and are still interested in Cisco and security, you're headed down a path to certain success!
This book covers everything you need to know to pass the SSFIPS 500-285 exam.
You will learn the following information in this book:
Chapter 1: Getting Started with FireSIGHT What is FirePOWER? What is FireSIGHT? What is Sourcefire? Understand Sourcefire by building a solid foundation in defining key, industry-wide, and Cisco-specific terms that we'll be using throughout this book. Various FireSIGHT appliance models will be discussed as well as licensing, policies, and initial system setup.
Chapter 2: Object Management This chapter will provide you with the understanding of object types that are used by the FireSIGHT System. And as with the other chapters, this chapter includes review questions and a hands-on lab to help you build a strong foundation.
Chapter 3: IPS Policy Management This chapter provides you with the background necessary for success on the exam as well as in the real world with a thorough presentation of IPS policy management. This in-depth chapter covers IPS policies, which precisely describe the suspicious and/or malicious traffic that the system must watch out for, and they also control how evil traffic is dealt with when it's discovered.
Chapter 4: Access Control Policy Chapter 4 covers the heart of the FireSIGHT system. An Access Control policy acts kind of like the central traffic cop for FireSIGHT because all traffic passing through a device is processed through it. And you'll find plenty of help in this chapter as long as you don't skip the review questions and hands-on lab at the end.
Chapter 5: FireSIGHT Technologies FireSIGHT is the name given to a technology built into the Cisco FirePOWER NGIPS to provide us with contextual awareness regarding events, IP addresses, users on the network, and even background about the hosts in the system. As with Chapter 4, plenty of help is there for you if you don't skip the review questions and hands-on labs at the end.
Chapter 6: Intrusion Event Analysis In this chapter, we'll review using the FireSIGHT System to analyze intrusion event data. We'll explore some of the workflows available when analyzing events and show you examples of how to drill into relevant event data. We'll also cover how to use the Dashboards and Context Explorer. As always, before tackling the hands-on lab in this chapter, complete the review questions.
Chapter 7: Network-Based Malware Detection A nickname derived from the term malicious software, malware comes in a variety of vile flavors, from coded weapons fashioned to damage, control, or disable a computer system to reconnaissance tools for stealing data or identity theft. FireSIGHT's Advanced Malware Protection (AMP) is designed to tackle one of the worst and arguably most prevalent threat vectors today: malware! As always, don't skip the review questions and hands-on lab at the end.
Chapter 8: System Settings This chapter will cover how to apply settings on the systems to control user preferences, time zones, and other key factors plus configuring health checks to alert you to conditions within your devices. Remember the review questions and hands-on labs at the end.
Chapter 9: Account Management In this chapter, we're going to cover a variety of administrative functions for user account management. We'll discuss creating and managing both internal and external users. The hands-on labs and review questions will help you master this chapter.
Chapter 10: Device Management In this chapter we'll discuss and demonstrate registering the device with the Defense Center as well as touring each of the device's properties. You'll discover the different settings for the interfaces and switch and router configurations, plus, we'll survey the different VPN and NAT types available to managed devices as well.
Chapter 11: Correlation Policy Correlation Policy is an often overlooked but useful feature of the FireSIGHT System. The features available in this area concentrate on detection of unusual activity rather than specific intrusion or malware events. By using correlation rules, white lists, and traffic profiles, we can detect network or host behaviors that may be an indication of malicious activity.
Chapter 12: Advanced IPS Policy Settings This chapter is the perfect time to introduce you to some essential advanced IPS policy settings, and we'll also survey important application layer preprocessor settings, network and transport layer preprocessors, and specific threat detection preprocessors. We'll also talk about the significant advantages gained via detection enhancements and performance settings.
Chapter 13: Creating Snort Rules In this chapter, we're going to focus exclusively on the fundamentals of Snort rules, detailing their structure, syntax, and options. We'll also explore how Snort performs rule optimization for better performance and show you how rule matching takes place internally.
Chapter 14: FireSIGHT version 5.4 Facts and Features Last, but definitely not least, this key chapter covers all the great new features in FireSIGHT Version 5.4 that launched in February 2015. Don't be fooled when you hear people refer to this release as a "point" upgrade because that's a serious understatement. Version 5.4 is a major-league upgrade with substantial new capabilities. In addition to all the bright new features, the user interface has been updated, changing the location of some configuration settings. The settings remain largely unchanged from previous versions, but they've been moved in the user interface.
Appendix A: Answers to Chapter Review Questions This appendix contains the answers to the book's review questions.
Be sure to check the announcements section of my forum to find out how to download bonus material I created specifically for this book.
We've worked hard to provide some really great tools to help you with your certification process. The interactive online learning environment that accompanies the SSFIPS Securing Cisco Networks with Sourcefire Intrusion Prevention System Study Guide, Exam 500-285, provides a test bank with study tools to help you prepare for the certification exam and increase your chances of passing it the first time! The test bank includes the following:
Sample Tests All of the questions in this book are provided, including the assessment test, which you'll...
File format: ePUB. Copy protection: Adobe DRM (Digital Rights Management).