Lesson 13 Flashcards

1
Q

___________ feature of the ASA appliance monitors the dropped packet rate and security events and, if it sees a threat, the appliance generates a log message.

A

Basic Threat Detection

Measures the rates at which drops occur over a configured period of time.

2
Q

Basic Threat Detection is enabled by default.

The following command enables it:

A

fw1(config)# threat-detection basic-threat

3
Q

These settings can be seen on the appliance with the __________ command.

A

show run all threat-detection

4
Q

Basic Threat Detection measures the rates at which drops occur over a configured period of time. This period of time is called the ________ and can range from ___ seconds to __ days.

A

average rate interval (ARI)

600 seconds to 30 days

5
Q

The burst rate is very similar but looks at smaller periods of snapshot data, called the __________.

A

burst rate interval (BRI)

show run all threat-detection [rate]

6
Q

Unlike Basic Threat Detection, Advanced Threat Detection can be used to track statistics for more granular objects.

A

fw1(config)# threat-detection statistics [{access-list | host | port | protocol}]

Without any options, all statistics are enabled.

show threat-detection statistics
show threat-detection statistics top

7
Q

_____________ is used in order to keep track of suspected attackers who create connections to too many hosts in a subnet, or many ports on a host/subnet.

A

Scanning Threat Detection

8
Q

_____________ is used in order to keep track of suspected attackers who create connections to too many hosts in a subnet, or many ports on a host/subnet.

A

Scanning Threat Detection

threat-detection scanning-threat

9
Q

Scanning Threat Detection can optionally react to an attack by ________ the attacker IP.

A

shunning

10
Q

Once the set threshold for _________________ has been reached, the security appliance will intercept all TCP synchronizations and respond on behalf of the client.

A

TCP synchronizations (also known as SYN scan half-open connections, or embryonic connections)

11
Q

You can limit the number of embryonic connections that can be built with the _______________ using the _____________ option of the Modular Policy Framework.

A

set connection command

embryonic-conn-max

12
Q

The ASA AIP-SSM IPS module, on the other hand, can detect over 1,500 attacks. However, if you don't have this card, you can supplement the security of your appliance with the IPS software feature, commonly called ___________.

A

IP audit

13
Q

The following signature classes are supported by Cisco Security Appliances:

A

Informational

Attack

14
Q

To enable default IDS on a security appliance, use the commands:

A

fw1(config)# ip audit info action alarm
fw1(config)# ip audit attack action alarm

15
Q

IDS attack trigger: the 3 possible actions

A

Alarm, Drop, Reset

16
Q

To disable IP auditing you must use:

A

ip audit info action

17
Q

When a ______ is activated all existing connections from an attacker can be dropped and all future connections can be blocked.

A

shun

18
Q

Two general settings for IDS and IPS in an SSM module in ASA

A

Inline

Promiscuous

19
Q

By default the appliance allows up to __ fragments that will make up a complete IP packet, as well as up to ___ fragments that are waiting to be reassembled back into a complete packet.

A

24

200

20
Q

If you do not expect fragments in your network, then you should have the appliance drop any fragments that it receives. This is accomplished with the following command:

fw1(config)# fragment chain 1 outside

A

The chain parameter specifies the number of fragments that can make up a complete packet; by setting it to 1, you are ensuring that your appliance won’t allow fragments through it, since fragments are commonly used in DoS attacks.

21
Q

Virtual IP Reassembly

A

ASA provides IP fragment protection by performing full reassembly of all ICMP error messages and virtual reassembly of the remaining IP fragments that are routed through the ASA.

22
Q

Sets the maximum number of packets to track/hold in the database – Default is __

A

fragment size

200

23
Q

Sets the maximum number of fragments per packet – Default is __

A

fragment chain

24

24
Q

Sets the time to receive all fragments once the first has been received by the appliance – Default is _ seconds – The maximum is __ seconds

A

fragment timeout

Default 5 seconds, maximum 30 seconds

25
Q

The ____________ command is most useful in reducing the chances of internal hosts becoming parties to an attack and of outsiders spoofing a trusted inside address.

A

ip verify reverse-path interface

You must have a default route configured.