Module 11: Quiz - IPS Technologies (Answers) Network Security

1. What is an IPS signature?

It is the timestamp that is applied to logged security events and alarms.
It is the authorization that is required to implement a security policy.
It is a set of rules used to detect typical intrusive activity.
It is a security script that is used to detect unknown threats.

Explanation: An IPS signature uniquely identifies specific malware, protocol anomalies, or malicious traffic. IPS sensors are tuned to look for matching signatures or abnormal traffic patterns. IPS signatures are conceptually similar to the virus.dat file used by virus scanners.

2. Which network technology uses a passive splitting device that forwards all traffic, including Layer 1 errors, to an analysis device?

IDS
network tap
SNMP
NetFlow

Explanation: A network tap is a common technology that is used to capture traffic for monitoring the network. The tap is typically a passive splitting device implemented inline on the network and that forwards all traffic, including physical layer errors, to an analysis device.

3. What is a characteristic of an IPS operating in inline-mode?

It does not affect the flow of packets in forwarded traffic.
It requires the assistance of another network device to respond to an attack.
It can only send alerts and does not drop any packets.
It can stop malicious traffic from reaching the intended target.

Explanation: An IPS in inline-mode is directly in the traffic flow and adds latency. Inline-mode allows the sensor to stop attacks by dropping malicious traffic before it reaches the intended target, thus providing a protective service.

4. What is a zero-day attack?

It is an attack that results in no hosts able to connect to a network.
It is an attack that has no impact on the network because the software vendor has mitigated the vulnerability.
It is a computer attack that exploits unreported software vulnerabilities.
It is a computer attack that occurs on the first day of the month.

Explanation: A zero-day attack is an attack on a system that uses vulnerabilities that have not yet been reported to, and mitigated by, the vendor.

5. What is a feature of an IPS?

It has no impact on latency.
It can stop malicious packets.
It is deployed in offline mode.
It is primarily focused on identifying possible incidents.

Explanation: An advantage of an intrusion prevention systems (IPS) is that it can identify and stop malicious packets. However, because an IPS is deployed inline, it can add latency to the network.

6. Which network monitoring technology passively monitors network traffic to detect attacks?

IDS
TAP
RSPAN
IPS

Explanation: Intrusion Detection Systems (IDSs) are network devices that passively monitor the traffic on a network.

7. Which open source network monitoring technology performs real-time traffic analysis and generates alerts when threats are detected on IP networks?

Snort IPS
RSPAN
SPAN
IOS IPS

Explanation: Snort is an open source network IPS that performs real-time traffic analysis and generates alerts when threats are detected on IP networks. The legacy Cisco IOS IPS allowed a Cisco ISR router to be enabled as an IPS sensor to scan packets and sessions to match any of the Cisco IOS IPS signatures. Port mirroring allows a switch to copy frames that are received on one or more ports to a Switch Port Analyzer (SPAN) that is connected to an analysis device. Remote SPAN (RSPAN) is a variation of SPAN that enables a network administrator to use the flexibility of VLANs to monitor traffic on remote switches.

8. Which Cisco platform supports Cisco Snort IPS?

800 series ISR
3900 series ISR
4000 series ISR
2900 series ISR

Explanation: The newer ISR routers, Cisco 4000 series, no longer support IOS IPS. The 4000 series routers provide IPS services using Snort.

9. Which device supports the use of SPAN to enable monitoring of malicious activity?

Cisco Security Agent
Cisco IronPort
Cisco NAC
Cisco Catalyst switch

Explanation: SPAN is a Cisco technology that allows all of the traffic from one port to be redirected to another port.

10. What is a host-based intrusion detection system (HIDS)?

It is an agentless system that scans files on a host for potential malware.
It combines the functionalities of antimalware applications with firewall protection.
It detects and stops potential direct attacks but does not scan for malware.
It identifies potential attacks and sends alerts but does not stop the traffic.

Explanation: A current HIDS is a comprehensive security application that combines the functionalities of antimalware applications with firewall protection. An HIDS not only detects malware but also prevents it from executing. Because the HIDS runs directly on the host, it is considered an agent-based system.

11. Which network monitoring capability is provided by using SPAN?

Statistics on packets flowing through Cisco routers and multilayer switches can be captured.
Traffic exiting and entering a switch is copied to a network monitoring device.
Real-time reporting and long-term analysis of security events are enabled.
Network analysts are able to access network device log files and to monitor network behavior.

Explanation: When enabled on a switch, SPAN or port mirroring, copies frames that are sent and received by the switch and forwards them to another port, known as a Switch Port Analyzer port, which has a analysis device attached.

12. What network monitoring tool can be used to copy packets moving through one port, and send those copies to another port for analysis?

SPAN
syslog
NAC
SNMD

Explanation: The Cisco Switched Port Analyzer (SPAN) feature allows traffic that is coming into or out of a port to be copied to a different port so that it can be collected and analyzed.