SIMBC - Cisco Security Information Management Boot Camp
Course v1.0 | MARS v6.x and CSM v3.2 | Prepares you for Cisco Exam 642-544 MARS.
This course is not currently offered by Global Knowledge. Information here is provided for reference only.
We have taken our Authorized MARS and SMN courses and combined them into a custom Boot Camp where you will get the training you need to manage a comprehensive security management solution that encompasses security provisioning, event monitoring, and threat detection and mitigation using your MARS appliance and Cisco Security Manager (CSM), both elements of the Cisco Security Management Suite. You will learn scalable, policy-based configuration management with Cisco Security Manager 3.2, and you will learn enterprise monitoring and security threat mitigation with the Cisco Secure MARS appliance 6.x. The Cisco Security Management Suite is an integral part of the Cisco Self-Defending Network architecture.
During the first three days of the Boot Camp, you'll cover MARS using the latest version of the MARS software. The class then transitions to CSM through a MARS-to-CSM cross-launch, demonstrating the integration of the two products in an attack scenario.
What You'll Learn
- MARS design solutions, features, and functions as they relate to security incidents and security information in an enterprise network
- Add Cisco and non-Cisco security and network devices into the MARS appliance
- Configure network devices including ASAs, routers, switches, and an IPS to generate events that constitute an attack scenario and have MARS collect the events for incident investigation
- Attack mitigation and false positive confirmation in context of MARS appliance
- Configure appliance to perform Incident Investigation and Mitigation
- Configure rules that detect interesting patterns of network activity
- Perform maintenance chores such as viewing audit trails, archiving data, and upgrading software on the MARS appliance
- Overview of MARS Global Controller
- Overview of Distributed Threat Mitigation using the Cisco IOS IPS
- Configure antivirus software to report a live virus
- MARS interaction with CSM
- Basic configuration of a Cisco IPS in Cisco Security Manager
- Configure various Windows Servers (2003 and 2000) to use SNARE and RPC to report log events to MARS
- CSM overview, including defining your expectations and investigating real-world deployment scenarios
- Create policies and learn how to manage them
- Policy inheritance and policy sharing features in CSM
- The concept of objects in CSM and how to use and manage them
- Use Map View to create site-to-site VPNs and remote access VPNs, including SSL VPNs with the use of the Cisco AnyConnect client
- Various firewall services and objects that are used to manage firewall-related policies
- How to configure platform-specific services and policies on Cisco IPS sensors and Cisco IOS IPS devices
- The tight integration and cross-launch functionality of the Cisco MARS-to-CSM by using an IPS event
- FlexConfig and how to best use its features
- How to manage deployments and configuration changes by using Workflow and Non-Workflow mode; View emails that management will review and take action on
- Monitoring, troubleshooting, and diagnostic tools that are available in CSM
Who Needs to Attend
Any network professional who needs to centralize configuration management, policy management, and monitoring using CSM and MARS
Prerequisites
- CCNA Security certification or the equivalent knowledge
- Passing score on any Cisco CCSP Security exam
- At least six months of practical experience configuring Cisco Security products
- Familiarity with implementing network security policies and the following networking components and concepts:
- Security technologies: NAT, PAT, ASA, VPN, IPS, CSA, ACS, MARS, PIX, IOS integrated router and switch security, and security management software
- Security protocols: AAA, IPsec, IKE, and various tunneling protocols
- Application protocols: HTTP, HTTPS, ICMP, SSH, SSL, NTP, FTP, TFTP, DNS, etc.
There are no follow-ons for this course.
Why Global Knowledge?
We've enhanced our labs well beyond what you'll find in the standard Cisco MARS and SMN training courses, incorporating more real-world labs, network devices, and software applications. You'll benefit from the expertise of our skilled instructors, who have experience deploying this appliance in the field going back to the days when MARS was a Protego Networks appliance, before Cisco acquired the product.
With the comprehensive training you'll receive in our Boot Camp, you'll gain confidence in your familiarity with the MARS appliance and its integration with most Cisco equipment, Windows Servers, and other common software applications. Our enhanced labs provide access to the latest MARS software, while the standard course is based on 4.3.4 code.
Boot Camp Hours
Class begins each day at 8:00 AM and may extend until 6:00 PM or later. Depending on class size and the experience of the students, it is not uncommon for some students to remain past 6:00 PM on most days.
1. Course Introduction
- Learner Skills and Knowledge
- Course Goals and Knowledge
- Course Flow
- Additional Resources
2. Introducing Cisco Security Monitoring, Analysis, and Response System (CS-MARS)
- Effective Security Monitoring and Management
- The Self-Defending Network and Role of CS-MARS
- Understanding CS-MARS
- CS-MARS Terminology
- CS-MARS Technologies User Interface
- CS-MARS Product Portfolio
3. System Architecture
- CS-MARS Software Components
- CS-MARS Process Flow Details
4. Appliance Setup and Configuration
- Initial CS-MARS Appliance Configuration
- Deployment Planning Guidelines
5. Overview of Reporting and Mitigation Devices
- Data Enabling Features of CS-MARS
- Integrating CS-MARS with Non-Cisco Applications
6. Summary Page
- Network Status
- My Reports
7. Managing Rules
- Rules Overview
- Working with System and User Inspection Rules
- Working with Drop Rules
- Rule Groups Overview
8. Understanding Queries and Reports
- Queries Page
- Reports Page
9. Incident Investigation and Mitigation
- Incidents Overview
- False Positives
- Case Management
- Configuring Notifications
- Case Study: Preventing the W32 Blaster Worm
10. Working with User-Defined Log Parser Templates
- Configuring Custom Parser
11. Integrating with Cisco Security Manager (CSM)
- Overview of CSM Policy Table Lookup
- Invoking CSM Policy Table Lookup from CS-MARS
12. General Management and System Administration
- Management Overview
- System Maintenance Tasks
- IPS Signature Dynamic Update Settings
- Upgrading the CS-MARS Appliance Software
- Migrating Data from CS-MARS 4.3.x to 5.3.x
13. Troubleshooting and Optimizing CS-MARS
- Hardware Installation Issues
- Device Configuration Issues
- Global Controller-to-Local Controller Communications
- Sizing CS-MARS Deployment
- Tuning CS-MARS
- Securing CS-MARS
14. CS-MARS Global Controller
- CS-MARS Global Controller Overview
- Configuring the CS-MARS Global Controller
- Summary Tab
- Incidents Tab
- Queries and Reports
- Rules Tab
- Management Tab
- System Maintenance
15. Course Review: CS-MARS at Work
- Adding Reporting Devices into CS-MARS
- Constructing an Inspection Rule
- Configuring Queries and Creating a Custom Report
- Investigating an Incident
- Configuring Custom Parser
- Authenticating CS-MARS Accounts with External AAA Server
Lab 1: Remote Lab Familiarity
Get an introduction to the Global Knowledge Remote Lab Environment used for this class. You will have access to three Microsoft Windows XP PC desktops, four Windows 2003 Servers, one Windows 2000 Server, one Windows 2000 Workstation, an ASA 5520 firewall, a Catalyst 3560 L3 switch, an 1841 IOS router, a Cisco 4200 series IPS, a PIX 515, three 2600/2800 IOS routers, and a MARS 20. This lab demonstrates how to access the various pieces of equipment, what features are available on them, and how they are connected in the topology.
Lab 2: Bootstrapping the MARS
Learn to bootstrap the MARS appliance by performing basic configuration and exploring the command-line options on the MARS, including several newer commands available in version 6.x. Perform the initial login to the MARS and enter the appropriate licensing information. Become comfortable with the GUI and the MARS interface. Once the configuration is verified, you will identify your network reporting devices in a generic template to be used in subsequent labs.
Lab 3: Importing Hardware Devices into MARS
The MARS appliance is only as good as the data the reporting devices send it. In this lab, you will use three methods for loading the networking devices into the MARS: Auto Discovery, Manual entry, and Seed File import. You will configure the appropriate SNMP settings in the MARS to support your various networking devices. You'll configure MARS to explore routers, switches, and an ASA, adding the required commands yourself so that you see the configuration first-hand. The ASA runs 8.x code, as most customer deployments do. After all the devices are added to the MARS appliance, you will perform a basic query against the MARS database.
- Exclusive - Use version 6.x of code
- Exclusive - Use live Cisco equipment, not virtual
- Perform a Manual device entry
- Auto Discover devices
- Use a Seed File to import devices
Lab 4: Generating Summary Reports
Gain familiarity with the GUI and create generic summary reports. Take a look at how NetFlow is used on the MARS appliance for anomaly detection, and walk through the configuration of NetFlow export on your Cisco IOS routers. Step through the various graphs available on the MARS.
- Exclusive - Configure NetFlow export on the IOS routers
- Maneuvering the GUI
- Reviewing queries
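As an added illustration (not part of the original course material) of the router-side work this lab walks through, the following IOS configuration exports NetFlow version 5 records to a MARS Local Controller. The MARS address 10.1.1.5, the Loopback0 source interface, and the interface names are assumptions for the example; UDP port 2055 is the default NetFlow listening port on MARS, but confirm it against your appliance's NetFlow settings.

```ios
! Assumed: MARS Local Controller at 10.1.1.5, listening for NetFlow on UDP/2055
! Export from a stable, routable source so MARS can tie flows to the device it
! already knows (the device must also be added to MARS as a reporting device)
ip flow-export source Loopback0
ip flow-export version 5
ip flow-export destination 10.1.1.5 2055
!
! Turn on flow accounting on each interface whose traffic MARS should profile.
! On older IOS releases the equivalent interface command is "ip route-cache flow".
interface FastEthernet0/0
 ip flow ingress
!
interface FastEthernet0/1
 ip flow ingress
!
! Verification from the router before looking for the data in MARS:
!   show ip cache flow      - flows are being recorded locally
!   show ip flow export     - "Exporting flows to 10.1.1.5 (2055)" and the
!                             datagram counters increase over time
```

MARS uses these flows for anomaly detection and traffic profiling; it does not store them as individual events, so do not expect to see each flow in a query the way you see syslog messages.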
Lab 5: Exploring Rules
In this lab, you will explore what makes an incident fire. Step through the creation of a basic rule that generates an incident when a VPN user logs into the network. Then explore the day-to-day tasks a MARS administrator performs to create a drop rule; that is, investigate incidents and mark the triggering events as false positives, which generates the drop rule.
- Create a basic rule
- Investigate an incident to mark as a false positive, thereby creating a drop rule
Lab 6: Generating Queries and Reports
Learn how to create a query with different search parameters. Investigate the various reports Cisco includes in MARS. Issue the appropriate IOS/ASA commands to enable detailed logging and to tune which messages are sent to MARS. Configure the newer IOS commands that log configuration commands, and create a rule in MARS that generates an incident when such a command is entered.
- Entering appropriate logging commands on an IOS device
- Explore newer IOS commands to allow command logging to MARS
- Run queries with different search parameters
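The IOS logging and command-logging configuration this lab refers to, written out as an added example that is not part of the course material. The MARS address 10.1.1.5 and the Loopback0 source interface are assumptions; the configuration-change logging under `archive` is what produces the `%PARSER-5-CFGLOG_LOGGEDCMD` syslog messages that the MARS rule in this lab matches on.

```ios
! Assumed: MARS Local Controller at 10.1.1.5
! Accurate timestamps and sequence numbers let MARS order and correlate events
service timestamps log datetime msec localtime show-timezone
service sequence-numbers
!
! Keep a local buffer for troubleshooting and ship informational and above to MARS
logging buffered 16384 informational
logging trap informational
logging source-interface Loopback0
!
! Configuration-change (command) logging: each command entered in config mode is
! recorded in the archive log and, with "notify syslog", also sent as a
! %PARSER-5-CFGLOG_LOGGEDCMD message carrying the user and the command.
! "hidekeys" masks passwords and keys in those messages.
archive
 log config
  logging enable
  logging size 500
  notify syslog contenttype plaintext
  hidekeys
!
! Device-side tuning: instead of lowering the trap level (which would also hide
! the command-log messages), drop one noisy mnemonic on its way to MARS only
logging discriminator NOLINKFLAP mnemonics drops UPDOWN
logging host 10.1.1.5 discriminator NOLINKFLAP
!
! Verification:
!   show archive log config all   - commands are being recorded locally
!   show logging                  - trap level, host, and discriminator are applied
```

Test the command-logging path end to end: enter a harmless command in configuration mode (for example a description on an interface), then query MARS for the `CFGLOG_LOGGEDCMD` message from that device before building the inspection rule around it.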
Lab 7: Case Management and Rule Actions
In this lab, you will learn to configure an action for a rule. In this case, you will have an e-mail generated and sent to your admin user when a particular incident is created. Because the environment includes an SMTP server, you can see your e-mails being generated and sent. You will also explore the newer Case Management feature, which lets you attach notes and a trace log to one or more incidents. You will delegate control of the case to a particular user.
- Create a case and have the case e-mailed to a user
- Modify the action on a rule to automatically generate an e-mail when the incident is created
Lab 8: Incident Handling and Mitigation
Create several incidents by generating attacks in your network. Launch an attack against your DMZ to create the incident. Learn to investigate these incidents and attack vector graphs as well as review the suggested mitigation techniques MARS offers.
- Launch an attack against your DMZ from the outside of the network
- Investigate the incident and attack vector graphs
- Review the recommended mitigation response from MARS
Lab 9: Tuning the MARS
Discover false positives and learn to tune your networking devices so that they no longer generate incidents for this traffic. Explore the options for performing device-side tuning or appliance-side tuning.
- Tune networking devices so they stop generating incidents for known-good traffic
- Investigate an Incident and create a False Positive rule
- Explore device-side tuning and appliance-side tuning
Lab 10: IPS and MARS Integration
This detailed lab covers the integration of the MARS appliance and a Cisco IPS device, including the 42xx product line and the AIP-SSM modules. Load a baseline configuration file and examine the IPS configuration that reports to MARS. Walk through configuring the IPS with SNMP settings. Use IPS version 6.x software (the latest) and perform command-line troubleshooting on the IPS to verify subscriptions. The latest MARS code also lets you configure IPS Dynamic Signature Updates, which you will investigate as well.
- Load the baseline config into the IPS
- Exclusive - Work with IPS version 6.x code directly on a live working IPS Sensor (not a virtual device)
- Configure the IPS for SNMP support
- Create a MARS account in the IPS
- Add the IPS to MARS
- Configure Dynamic Signature Updates
- Use Command Line options in the IPS to verify that MARS is configured correctly
Lab 11: Adding a Software Reporting Device
Install the latest version of SNARE to send IIS events and standard Windows events to MARS. Examine the various free SNARE agents available from InterSect Alliance. Symantec AntiVirus Server is also included in this lab. You'll walk through setting up the Alert Server so that MARS can report on any virus activity. You'll then send a virus to a workstation in the lab and see the detection generate an alert in MARS.
- Exclusive - Install the latest SNARE software and configure it
- Add a Windows Server as a reporting device using SNARE and RPC
- Add an IIS Server as a reporting device
- Exclusive - Add a Symantec AV Server as a reporting device and trigger an event with a virus infection
Exclusive - Lab 12: Maintaining the MARS Appliance
Learn to retrieve raw messages from the MARS database for a particular time range. Download the raw messages to a server in the lab environment and review their contents as an auditor would. Explore the Data Archiving feature, which is crucial in a production environment. Since MARS requires NFS for data archiving and most production environments run Windows Servers, you will install a Microsoft-provided utility that exposes a standard Windows share as an NFS export that MARS can mount. Explore the commands available only in newer versions of code that let you manually back up your configuration and raw message data separately. Configure the newer option that allows your engineering team to authenticate to the MARS appliance through a RADIUS server (Microsoft IAS or Cisco Secure ACS), and walk through the account lockout feature that protects those logins.
- Extract raw messages from MARS
- Archive Data to a Windows NFS share
- Set up NFS on Windows using a Microsoft Utility
- Explore newer commands available only in newer versions of MARS code
- Configure your MARS to authenticate to a Cisco Secure ACS using RADIUS
Lab 13: Bootstrapping Network Devices
Learn to bootstrap all the network devices in the lab topology. You will log in to each network device and configure the settings required for Cisco Security Manager to access it. You will also restore the Cisco MARS database so that the configuration we preconfigured is back on the appliance. At the end of this lab, you will test device access.
Lab 14: Device Import
In this lab, you will access the Cisco Security Manager interface for the first time. Create Location groupings for the devices in the lab, and add physical network devices to CSM. Explore various methods of importing these devices into the CSM database, including adding static devices, adding devices from the network, and importing devices from a pre-built configuration file. You will also explore the credential requirements for device import.
Lab 15: Creating Policy Objects
Investigate Policy Objects and their role in CSM. Review an Access List policy on an ASA firewall and edit the ACL through the CSM interface. At the same time, you will build Policy Objects directly from the ACL workspace window and from the Policy Object Manager. To paint a complete picture, we will explore Interface Roles, reviewing the default CSM Interface Roles and modifying those defaults using the override feature.
Lab 16: Managing Policies
This lab is the heart of CSM. You will add new entries, called ACEs (Access Control Entries), to an access list. You will share this ACL policy among different devices in a common region, then modify the policy on two different devices to see how policy locking behaves. You will create local policies on certain devices so they differ from the parent-assigned policy. Finally, you will investigate Policy Inheritance and compare the differences between assigning policies and inheriting them.
Lab 17: Exploring VPNs in CSM
Go deep inside the VPN policies and get familiar with the VPN Manager feature within CSM to create site-to-site VPN tunnels. You will walk through modifying IKE Proposals as well as some feature-rich configuration options such as automatic Pre-Shared Key regeneration. You will then view your VPN Map and examine how to share policies to create a Remote Access VPN. After all is configured and deployed, you will test the tunnels for connectivity.
Lab 18: Configuring SSL VPNs in CSM
Building off previous labs, you will add the SSL VPN functionality to your already created group policy. Examine how to modify policies to support the SSL VPN feature and how to apply the policy. In this lab, you will support the Cisco AnyConnect client using version 8.0(4) of code on your ASA. At the end of the lab, you will test the VPN function to see what your users will experience in a production environment.
Lab 19: CSM, IPS, and MARS
A newer feature in CSM and MARS allows a cross-launch between the two products, and this lab introduces it. You will configure a Cisco IPS and its signatures from within CSM, investigating signatures, signature actions, and signature event counts in the CSM interface for the IPS. You will walk through configuring Cisco MARS in CSM and configuring CSM in Cisco MARS. Once the devices are bootstrapped for communication, you will create an event on the network that the IPS reports to the MARS appliance. During the investigation, you will review the incident in MARS and use the cross-launch from MARS to the CSM server.
Lab 20: Workflow and Administrative Tasks
In this lab, you will focus on management tasks as you work through Workflow mode and non-Workflow mode configuration. Configure CiscoWorks Common Services for SMTP. You will create a new activity and have it approved by an administrator in CiscoWorks, seeing the e-mail the admin receives and the response the admin must complete to approve the job. Towards the end of the lab, you will examine the proper steps to export the devices you added in an earlier lab for backup purposes. The steps are not complete until you back up the CSM database: you will perform a manual backup and see the status e-mail sent to the admin after it completes successfully.