Network Security (Version1.0) Modules 11 – 12: Intrusion Prevention Group Test Online

Hint

IDS sensors work off line and are passive. They add very little latency, however they cannot stop trigger packets. An IPS can stop trigger packets but because they are installed inline they add some latency and jitter to the traffic.

Hint

An IPS can stop trigger packets but because they are installed inline they add some latency and jitter to the traffic. IDS sensors work off line and are passive. They add very little latency. However they cannot stop trigger packets.

Hint

An IDS often requires assistance from other networking devices, such as routers and firewalls, to respond to an attack.

Hint

An advantage of an IPS operating in promiscuous mode is that the sensor does not affect the packet flow with the forwarded traffic. A disadvantage is that the sensor cannot stop malicious traffic from reaching its intended target for certain types of attacks, such as atomic attacks (single-packet attacks).

Hint

Snort is an open source intrusion protection system (IPS) that is capable of performing real-time traffic and port analysis, packet logging, content searching and matching, as well as detecting probes, attacks, port scans, fingerprinting, and buffer overflow attacks.

Hint

With the Snort rule set pull feature, a router can download rule sets directly from cisco.com or snort.org to a local server. The download can occur using one-time commands or periodic automated updates.

Hint

The requirements to run Snort IPS include ISR 4300 or higher, K9 license, 8 GB RAM, and 8 GB flash.

Hint

PulledPork is a rule management application that can be used to automatically download Snort rule updates. Using PulledPork requires an authorization code, called an oinkcode, obtained from a snort.org account.

Hint

Depending on the signature type and the platform, whenever a signature detects the activity for which it is configured the IPS may:

• log the activity
• drop or prevent the activity
• reset a TCP connection
• block future activity
• allow the activity

Hint

Honey pot-based detection uses a decoy server to attract attacks and to divert attacks away from production devices. Use of a honey pot can give administrators time to analyze incoming attacks and malicious traffic patterns to tune sensor signatures.

Hint

The true negative alarm type is used when normal network traffic flows through an interface. Normal traffic should not, and does not generate an actual alarm. A true negative indicates that benign normal traffic is correctly being ignored and forwarded without generating an alert.

Hint

The Snort IPS fail open and close functionality can be configured to block the traffic flow or to bypass IPS checking in the event of IPS engine failure.

Hint

There are two types of Snort term-based subscriptions:

• Community Rule Set – Available for free and provides limited coverage against threats. There is also a 30-day delayed access to updated signatures and there is no Cisco customer support available.
• Subscriber Rule Set – Available for a fee and provides the best protection against threats. It includes coverage in advance of exploits by using the research work of the Cisco Talos security experts. This subscription is fully supported by Cisco.

Hint

One of the functionalities of Snort IPS is that it provides three levels of signature protection.

• Connectivity – The least secure option.
• Balanced – The mid-range option of security.
• Security – The most secure option.

Hint

Step 1 of the configuration of Snort IPS is to download an Open Virtualization Archive (OVA) file. This file contains a compressed, installable version of a virtual machine.

Hint

A network tap is used to capture traffic for monitoring the network. The tap is typically a passive splitting device implemented inline on the network and forwards all traffic, including physical layer errors, to an analysis device.

Hint

To analyze network traffic passing through a switch, switched port analyzer (SPAN) can be used. SPAN can send a copy of traffic from one port to another port on the same switch where a network analyzer or monitoring device is connected. SPAN is not required for syslog or SNMP. SPAN is used to mirror traffic, while syslog and SNMP are configured to send data directly to the appropriate server.

Hint

• Alerts can be classified as follows:
• True Positive: The alert has been verified to be an actual security incident.
• False Positive: The alert does not indicate an actual security incident. Benign activity that results in a false positive is sometimes referred to as a benign trigger.
• An alternative situation is that an alert was not generated. The absence of an alert can be classified as:
• True Negative: No security incident has occurred. The activity is benign.
• False Negative: An undetected incident has occurred.

Hint

Network-based IDS (NIDS) sensors are typically deployed in offline mode. They do not protect individual hosts. Host-based IPS (HIPS) is software installed on a single host to monitor and analyze suspicious activity. It can monitor and protect operating system and critical system processes that are specific to that host. HIPS can be thought of as a combination of antivirus software, antimalware software, and a firewall.

Hint

A composite signature is called a stateful signature. It identifies a sequence of operations distributed across multiple hosts over an arbitrary period of time. Because this type of attack involves multiple packets, an IPS sensor must maintain the state information. However, an IPS sensor cannot maintain the state information indefinitely. A composite signature is configured with a time period to maintain the state for the specific attack when it is first detected. Thus, an IPS may not be able to maintain all the information related to an attack such as total number of packets, total length of attack time, and the amount of bandwidth consumed by the attack.