Module 15: Network Monitoring and Tools Quiz Answers

1. What network monitoring tool can be used to copy packets moving through one port, and send those copies to another port for analysis?

  • SPAN
  • syslog
  • SNMP
  • NAC

Explanation: The Cisco Switched Port Analyzer (SPAN) feature allows traffic that is coming into or out of a port to be copied to a different port so that it can be collected and analyzed.

2. What is the purpose of the Cisco NetFlow IOS technology?

  • to collect operational data from IP networks
  • to periodically poll nodes for network management information
  • to manage the network performance of nodes
  • to log system messages from network devices

Explanation: NetFlow is a Cisco IOS technology that provides statistics on TCP/IP flows on the network. Some of the capabilities of NetFlow include the following: network and security monitoring, network planning, traffic analysis, identification of network bottlenecks, and IP accounting for billing purposes.

3. Which network technology uses a passive splitting device that forwards all traffic, including Layer 1 errors, to an analysis device?

  • NetFlow
  • network tap
  • IDS
  • SNMP

Explanation: A network tap is a common technology that is used to capture traffic for monitoring the network. The tap is typically a passive splitting device implemented inline on the network and that forwards all traffic, including physical layer errors, to an analysis device.

4. Which network monitoring tool can provide a complete audit trail of basic information of all IP flows on a Cisco router and forward the data to a device?

  • Wireshark
  • SPAN
  • NetFlow
  • SIEM

Explanation: NetFlow is a Cisco technology that provides statistics on packets flowing through a Cisco router or multilayer switch.

5. What is a monitoring tool used for capturing traffic statistics?

  • syslog
  • SPAN
  • NetFlow
  • SNMP

Explanation: NetFlow is used by some businesses to monitor the network and capture traffic statistics to determine if the network is performing correctly.

6. Which capability is provided by the aggregation function in SIEM?

  • presenting correlated and aggregated event data in real-time monitoring
  • reducing the volume of event data by consolidating duplicate event records
  • increasing speed of detection and reaction to security threats by examining logs from many systems and applications
  • searching logs and event records of multiple sources for more complete forensic analysis

Explanation: The aggregation function of SIEM reduces the volume of event data by consolidating duplicate event records.

7. What is an essential function of SIEM?

  • forwarding traffic and physical layer errors to an analysis device
  • providing reporting and analysis of security events
  • monitoring traffic and comparing it against the configured rules
  • providing 24×7 statistics on packets flowing through a Cisco router or multilayer switch

Explanation: SIEM provides real-time reporting and analysis of security events. SIEM provides administrators with details on sources of suspicious activity such as user information, device location, and compliance with security policies.

8. Which SIEM function is associated with examining the logs and events of multiple systems to reduce the amount of time of detecting and reacting to security events?

  • forensic analysis
  • correlation
  • aggregation
  • retention

Explanation: SIEM provides administrators with details on sources of suspicious activity such as user information, device location, and compliance with security policies. One of the essential functions of SIEM is correlation of logs and events from different systems in order to speed the detection and reaction to security events.

9. Which network monitoring capability is provided by using SPAN?

  • Real-time reporting and long-term analysis of security events are enabled.
  • Statistics on packets flowing through Cisco routers and multilayer switches can be captured.
  • Network analysts are able to access network device log files and to monitor network behavior.
  • Traffic exiting and entering a switch is copied to a network monitoring device.

Explanation: When enabled on a switch, SPAN or port mirroring, copies frames that are sent and received by the switch and forwards them to another port, known as a Switch Port Analyzer port, which has a analysis device attached.

10. Which network tool uses artificial intelligence to detect incidents and aid in incident analysis and response?

  • SIEM
  • Wireshark
  • NetFlow
  • SOAR

Explanation: SOAR works with SIEMs systems, where SIEM can detect a malicious activity and SOAR helps to respond to the threat. SOAR has many functions and benefits, including these abilities:

  • The use of predefined playbooks to enable automatic response to specific threats
  • The use of artificial intelligence to detect incidents and aid in incident analysis and response

11. Which network monitoring tool allows an administrator to capture real-time network traffic and analyze the entire contents of packets?

  • SIEM
  • Wireshark
  • SOAR
  • nmap

Explanation: Wireshark captures network traffic in real time. The capture enables the entire contents of the packets to be analyzed including the frame, interface, packet information, and time stamps.

12. Which technology is an open source SIEM system?

  • StealthWatch
  • Splunk
  • ELK
  • Wireshark

Explanation: There are many SIEM systems available to network administrators. The ELK suite is an open source option.


guest
0 Comments
Inline Feedbacks
View all comments