True or False: An Intrusion Prevention System (IPS) is always inline on a network?
Because IPS is actively checking traffic and able to drop packets before letting them pass, it can actually prevent network attacks.
What does promiscious mode refer to when talking about Intrusion Detection Systems?
This is when an IDS is sitting outside the network flow and listening to all traffic mirrored to it from the main flow of traffic.
aka: Out of Band
What is the difference between a false positive and a false negative?
False Positive: an alert is generated (or action taken) on traffic that is not malicious or "important" when it comes to the safety of the network.
False Negative: Is when there IS malicious or dangerous traffic on the network and for whatever reason it is not flagged or acted upon by the systems that are supposed to detect it (IDS / IPS).
What is the difference between a True Positive and a True Negative?
True Positive: There was malicious traffic and it was caught!
True Negative: normal non-malicous traffic on the network and no action was taken to stop / hinder its normal activitiy.
How are signature sets used to stop threats in an IDS / IPS?
Cisco provides signatures (patterns or sets of rules) that attacks commonly use which can be identified in packets or in a stream of packets. These can the enabled / disabled / or customized to be looked for by sensors.
What is policy-based IPS / IDS?
If there is a set rule that certain traffic not be allowed on the network, a rule can be made to enforce this. The example in the book is no Telnet traffic. If traffic is found to be destined on port 23, IDS can report this activity, or an IPS can drop the packet (and report it too).
Technically this can be a customized "signature" so some policy-based filtering can be called signature based too.
What is Anomaly-based IPS/IDS?
An IPS / IDS will gather a baseline of activity for certain traffic. When it sees that a certain abnormal amount of this specific traffic hits the network countermeasures are put in place (reported / alerts generated / packets dropped).
Example is 30 half formed TCP requests per minute.
Traffic spikes to 500 half formed TCP requests / minute.
This is not normal operation (an Anomaly) and actions are taken.
What is reputation-based IDS/IPS?
Systems all over the globe participate in identifying dangerous activity from known IP blocks, domains, URLs, etc. These are reported to a cloud service that Cisco manages, is compiled, and can be delivered to IPS/IDS systems that have not been attacked yet to help prevent damage before it happens.
What does an Atomic signature micro-engine look at?
Can match signatures on a single packet, as opposed to a string of packets.
What does a Service signature micro-engine look for?
These signatures examine applicaiton layer services, regardless of the operating system.
What do string or multi-string signature micro-engines look for?
string or multi-string signature micro-engines look for patterns in packets. Sometimes called flexible pattern matching, also looks at sessions.
What does the signature micro-engine group of Other look for in traffic?
These are miscellanous signatures that may not specifically fit into other categories.
When calculating Risk Ratings, what is the Target Value Rating (TVR)?
Target Value Rating is the value that you as an admin assign to specific destination IP's or subnets where critical devices reside.
TVR could be lower on a subnet of all printers.
TVR could be higher on a subnet of all webservers.
When calculating Risk Ratings, what is Signature Fidelity Rating (SFR)?
Signature Fidelity Rating (SFR) is built into an IDS/IPS signature profile and is determined by the person who created the signature.
This is a numeric rating between 0 and 100.
When calculating Risk Ratings, what is the Attack Severity Rating (ASR)?
Attack Severity Rating (ASR) is how critical the attack is as determined by who created the signature. This rating of Inofrmational, Low, Medium, or High is built into the signture itself.
What is Attack Relevancy (AR)?
Attack Relevancy (AR) is a minor contributor to a total Risk Rating (RR). It detarmines how relevant a siganture is to the actual attack.
For example if the signature is for a windows based server attack and the destination of the malicious traffic is an actual window server, this may increase the overall Risk Rating (RR) slightly.
On Cisco ISR routers, what is the realm-cisco.pub encryption key used for?
It is used to verify the digital signature of IPS signature files that are downloaded from Cisco.