Module 11 Flashcards

1
Q

____ is a cyberattack that tries to exploit software vulnerabilities that are unknown or undisclosed by the software vendor, as shown in the figure.

____ describes the moment when a previously unknown threat is identified.

A

A zero-day attack, sometimes referred to as a zero-day threat,

2
Q

_____ were implemented to passively monitor the traffic on a network.

A

Intrusion Detection Systems (IDS)

3
Q

Working offline, the IDS compares the captured traffic stream with known malicious signatures, similar to software that checks for viruses. Working offline means several things:

A

The IDS works passively.

The IDS device is physically positioned in the network so that traffic must be mirrored in order to reach it.

Network traffic does not pass through the IDS unless it is mirrored.

Very little latency is added to network traffic flow.

4
Q

Although the traffic is monitored, logged, and perhaps reported, no action is taken on packets by the IDS. This offline IDS implementation is referred to as ____

A

promiscuous mode.

5
Q

The ___ of operating with a copy of the traffic is that the IDS does not negatively affect the packet flow of the forwarded traffic.

A

advantage

6
Q

The ____ of operating on a copy of the traffic is that the IDS cannot stop malicious single-packet attacks from reaching the target. An IDS often requires assistance from other networking devices, such as routers and firewalls, to respond to an attack.

A

disadvantage

7
Q

a device that can immediately detect and stop an attack

A

Intrusion Prevention System (IPS)

8
Q

Common Characteristics of IDS and IPS

Malicious traffic is sent to the target host that is inside the network.

The traffic is routed into the network and received by an IPS-enabled sensor where it is blocked.

The IPS-enabled sensor sends logging information regarding the traffic to the network security management console.

The IPS-enabled sensor kills the traffic. (It is sent to the “Bit Bucket.”)

A

Both technologies are deployed as sensors.

Both technologies use signatures to detect patterns of misuse in network traffic.

Both can detect atomic patterns (single-packet) or composite patterns (multi-packet).

9
Q

IDS and IPS technologies are both deployed as sensors. An IDS or IPS sensor can be in the form of several different devices:

A

A router configured with IPS software

A device specifically designed to provide dedicated IDS or IPS services

A hardware module installed in an adaptive security appliance (ASA), switch, or router

10
Q

IDS and IPS technologies use ___ to detect patterns in network traffic.

A ___ is a set of rules that an IDS or IPS uses to detect malicious activity. ___ can be used to detect severe breaches of security, to detect common network attacks, and to gather information.

A

signatures

11
Q

IDS and IPS technologies can detect

A

atomic signature patterns (single-packet) or composite signature patterns (multi-packet).

12
Q

IDS Advantages

A

No impact on network (latency, jitter)

No network impact if there is a sensor failure

No network impact if there is sensor overload

13
Q

IDS Disadvantages

A

Response action cannot stop trigger packets

Correct tuning required for response actions

More vulnerable to network security evasion techniques

14
Q

IPS Advantages

A

Stops trigger packets

Can use stream normalization techniques

15
Q

IPS Disadvantages

A

Sensor issues might affect network traffic

Sensor overloading impacts the network

Some impact on network (latency, jitter)

16
Q

IDS Advantages

An IDS is deployed in offline mode and therefore:

A

The IDS does not impact network performance. Specifically, it does not introduce latency, jitter, or other traffic flow issues.

The IDS does not affect network functionality if the sensor fails. It only affects the ability of the IDS to analyze the data.

17
Q

IDS Disadvantages

Disadvantages of an IDS include:

A

An IDS sensor cannot stop the packets that have triggered an alert and is less helpful in detecting email viruses and automated attacks, such as worms.

Tuning IDS sensors to achieve expected levels of intrusion detection can be very time-consuming.

Users deploying IDS sensor response actions must have a well-designed security policy and a good operational understanding of their IDS deployments.

An IDS implementation is more vulnerable to network security evasion techniques because it is not inline.

18
Q

IPS Advantages

Advantages of an IPS include:

A

An IPS sensor can be configured to drop the trigger packets, the packets associated with a connection, or packets from a source IP address.

Because IPS sensors are inline, they can use stream normalization. Stream normalization is a technique used to reconstruct the data stream when the attack occurs over multiple data segments.

19
Q

IPS Disadvantages

Disadvantages of an IPS include:

A

Because it is deployed inline, errors, failure, and overwhelming the IPS sensor with too much traffic can have a negative effect on network performance.

An IPS sensor can affect network performance by introducing latency and jitter.

An IPS sensor must be appropriately sized and implemented so that time-sensitive applications, such as VoIP, are not adversely affected.

20
Q

Deployment Considerations

A

You can deploy both an IPS and an IDS. Using one of these technologies does not negate the use of the other. In fact, IDS and IPS technologies can complement each other.

For example, an IDS can be implemented to validate IPS operation because the IDS can be configured for deeper packet inspection offline. This allows the IPS to focus on fewer but more critical traffic patterns inline.

Deciding which implementation to use is based on the security goals of the organization as stated in their network security policy.

21
Q

More vulnerable to network security evasion techniques enabled by various network attack methods

A

IDS

22
Q

Can affect network performance by introducing latency and jitter

A

IPS

23
Q

Must be implemented so that time-sensitive applications are not adversely affected

A

IPS

24
Q

Cannot stop the trigger packet and is not guaranteed to stop a connection

A

IDS

25
Deployed in offline mode
IDS
26
Can use stream normalization techniques to reduce or eliminate many of the network security evasion capabilities that exist
IPS
27
Can be configured to perform a packet drop to stop the trigger packet
IPS
28
Primarily focused on identifying possible incidents, logging information about the incidents, and reporting the incidents
IDS
29
Must be deployed inline, and traffic must be able to pass through it
IPS
30
Less helpful in stopping email viruses and automated attacks, such as worms
IDS
31
There are two primary kinds of IPS available:
host-based IPS and network-based IPS.
32
____ is software installed on a host to monitor and analyze suspicious activity.
Host-based IPS (HIPS)
33
Advantages of Host-based IPS (HIPS)
Provides protection specific to a host operating system
Provides operating system and application level protection
Protects the host after the message is decrypted
34
Disadvantages of Host-based IPS (HIPS)
Operating system dependent
Must be installed on all hosts
35
A _____ can be implemented using a dedicated or non-dedicated IPS device such as a router. ___ implementations are a critical component of intrusion prevention.
network-based IPS
36
Network-based IPS Sensors can be implemented in several ways:
On a Cisco Firepower appliance
On an ASA firewall device
On an ISR router
As a virtual Next-Generation IPS (NGIPSv) for VMware
37
An example of a network-based IPS is the ____. It is tuned for intrusion prevention analysis. The underlying operating system of the platform is stripped of unnecessary network services, and essential services are secured. This is known as ____
Cisco Firepower NGIPS hardening.
38
The hardware of all network-based sensors includes three components:
NIC - The network-based IPS must be able to connect to any network, such as Ethernet, Fast Ethernet, and Gigabit Ethernet.
Processor - Intrusion prevention requires CPU power to perform intrusion detection analysis and pattern matching.
Memory - Intrusion detection analysis is memory-intensive. Memory directly affects the ability of a network-based IPS to efficiently and accurately detect an attack.
39
Modes of Deployment: IDS and IPS sensors can operate in
inline mode (also known as inline interface pair mode) or promiscuous mode (also known as passive mode).
40
True or False? A HIPS can be configured in either promiscuous or inline mode.
False. A host-based IPS is installed on a host computer. Only network-based IPS can be run in promiscuous or inline mode.
41
What is true of a NIPS that is running in inline mode?
An inline NIPS can add latency to the network because traffic must be processed before being forwarded to its destination
43
What is true of a HIPS?
HIPS software combines anti-virus, anti-malware, and firewall functionality.
44
What is an example of a HIPS?
Windows Defender is an example of a HIPS that is included with Microsoft Windows.
45
An IPS sensor has two components:
IPS detection and enforcement engine - To validate traffic, the detection engine compares incoming traffic with known attack signatures that are included in the IPS attack signature package.
IPS attack signatures package - This is a list of known attack signatures that are contained in one file. The signature pack is updated frequently as new attacks are discovered. Network traffic is analyzed for matches to these signatures.
46
The IPS detection and enforcement engine that can be implemented depends on the router platform:
Cisco IOS Intrusion Prevention System (IPS) - This is available on older Cisco 800, 1900, 2900, and 3900 Series ISRs. IOS IPS is no longer supported and should not be used.
Cisco Snort IPS - This is available on the Cisco 4000 Series ISRs and Cisco Cloud Services Routers in the 1000v Series.
47
When Cisco IOS IPS detected suspicious activity, it responded before network security could be compromised. It logged the event as _____
Cisco IOS syslog messages or through Security Device Event Exchange (SDEE).
48
When packets in a session matched a signature, Cisco IOS IPS could be configured to respond as follows:
Send an alarm to a syslog server or a centralized management interface
Drop the packet
Reset the connection
Deny traffic from the source IP address of the threat for a specified amount of time
Deny traffic on the connection for which the signature was seen for a specified amount of time
49
___ is available on Cisco ISR 4000 devices.
Snort IPS
50
The Snort engine runs as a ____ on Cisco 4000 Series ISRs.
virtual service container
51
In ___, Snort inspects traffic and reports alerts, but does not take any action to prevent attacks.
IDS mode,
52
Snort IPS is available on which router platform?
Cisco 4000
53
Where does the Snort engine run?
service container
54
In which operating mode does Snort IDS inspect traffic and report alerts, but does not take any action to prevent attacks?
IDS mode
55
Snort can be enabled in either of the following modes:
IDS mode - Snort inspects the traffic and reports alerts, but does not take any action to prevent attacks.
IPS mode - In addition to intrusion detection, actions are taken to prevent attacks.
56
In the network intrusion detection and prevention mode, Snort performs the following actions:
Monitors network traffic and analyzes it against a defined rule set.
Performs attack classification.
Invokes actions against matched rules.
57
Feature of Snort: Signature-based intrusion detection system (IDS) and intrusion prevention system (IPS)
Benefit: Snort open-source IPS, capable of performing real-time traffic analysis and packet logging on IP networks, runs on the 4000 Series ISR service container without the need to deploy an additional device at the branch.
58
Feature of Snort: Snort rule set updates
Snort rule set updates for 4000 Series ISRs are generated by Cisco Talos, a group of leading-edge network security experts who work around the clock to proactively discover, assess, and respond to the latest trends in hacking activities, intrusion attempts, malware, and vulnerabilities.
59
Feature of Snort: Snort rule set pull
The router will be able to download rule sets directly from cisco.com or snort.org to a local server, using one-time commands or periodic automated updates.
60
Feature of Snort: Snort rule set push
A centralized management tool can push the rule sets based on preconfigured policy, instead of the router directly downloading on its own.
61
Feature of Snort: Signature allowed listing
Allowed listing allows the disabling of certain signatures from the rule set. Disabled signatures can be reenabled at any time.
62
To run the service container infrastructure with IDS/IPS functionality, Snort IPS requires
an ISR 4000 (i.e., 4300 or higher) with a minimum of 8 GB of memory (DRAM) and 8 GB of flash.
63
____ is required to activate Snort IPS functionality.
A security K9 license (SEC)
64
There are two types of term-based subscriptions:
Community Rule Set - This set offers limited coverage against threats, focusing on reactive response to security threats versus proactive research work. There is 30-day delayed access to updated signatures in the Community Rule Set, and this subscription does not entitle the customer to Cisco support.
Subscriber Rule Set - This set offers the best protection against threats. It includes coverage in advance of exploits by using the research work of the Cisco Talos security experts. The Subscriber Rule Set also provides the fastest access to updated signatures in response to a security incident or the proactive discovery of a new threat. This subscription is fully supported by Cisco.
65
____ is a rule management application that can be used to automatically download Snort rule updates. In order to use PulledPork, you must obtain an authorization code, called an ____ from your snort.org account. The ___ is free with registration.
PulledPork oinkcode,
66
To determine normal network behavior, network monitoring must be implemented. Various tools are used to help discover normal network behavior including ___
IDS, packet analyzers, SNMP, NetFlow, and others. Some of these tools require captured network data.
67
There are two common methods used to capture traffic and send it to network monitoring devices:
Network taps, sometimes known as test access points (TAPs)
Traffic mirroring using Switch Port Analyzer (SPAN) or other port mirroring approaches
68
A ____ is typically a passive splitting device implemented inline between a device of interest and the network.
network tap
69
A ____ forwards all traffic, including physical layer errors, to an analysis device while also allowing the traffic to reach its intended destination.
tap
70
____ are also typically fail-safe, which means that if a ____ fails or loses power, traffic between the firewall and internal router is not affected.
Taps
71
SPAN Term: Ingress traffic
Traffic that enters the switch.
72
SPAN Term: Egress traffic
Traffic that leaves the switch.
73
SPAN Term: Source (SPAN) port
Source ports are monitored as traffic entering them is replicated (mirrored) to the destination ports.
74
SPAN Term: Destination (SPAN) port
A port that mirrors source ports. Destination SPAN ports often connect to analysis devices such as a packet analyzer or an IDS.
75
A session number is used to identify a SPAN session. The ____ command is used to associate a source port and a destination port with a SPAN session. A separate ____ command is used for each session. A VLAN can be specified instead of a physical port.
monitor session
Syntax:
Switch(config)# monitor session number source [interface interface | vlan vlan]
Switch(config)# monitor session number destination [interface interface | vlan vlan]
Example:
S1(config)# monitor session 1 source interface fastethernet 0/1
S1(config)# monitor session 1 destination interface fastethernet 0/2
76
Which command produces the following output?
Session 1
---------
Type : Local Session
Source Ports :
Both : Fa0/1
Destination Ports : Fa0/2
Encapsulation : Native
Ingress : Disabled
S1# show monitor
77
What is an IPS signature?
Topic 11.1.0 - An IPS signature uniquely identifies specific malware, protocol anomalies, or malicious traffic. IPS sensors are tuned to look for matching signatures or abnormal traffic patterns. IPS signatures are conceptually similar to the virus.dat file used by virus scanners. It is a set of rules used to detect typical intrusive activity.
78
Which network technology uses a passive splitting device that forwards all traffic, including Layer 1 errors, to an analysis device?
Topic 11.4.0 - A network tap is a common technology that is used to capture traffic for monitoring the network. The tap is typically a passive splitting device implemented inline on the network and that forwards all traffic, including physical layer errors, to an analysis device. Network Tap
79
What is a characteristic of an IPS operating in inline-mode?
Topic 11.2.0 - An IPS in inline-mode is directly in the traffic flow and adds latency. Inline-mode allows the sensor to stop attacks by dropping malicious traffic before it reaches the intended target, thus providing a protective service. It can stop malicious traffic from reaching the intended target
80
What is a zero-day attack?
Topic 11.1.0 - A zero-day attack is an attack on a system that uses vulnerabilities that have not yet been reported to, and mitigated by, the vendor. It is a computer attack that exploits unreported software vulnerabilities
81
What is a feature of an IPS?
Topic 11.1.0 - An advantage of an intrusion prevention system (IPS) is that it can identify and stop malicious packets. However, because an IPS is deployed inline, it can add latency to the network. It can stop malicious packets
82
Which network monitoring technology passively monitors network traffic to detect attacks?
Topic 11.1.0 - Intrusion Detection Systems (IDSs) are network devices that passively monitor the traffic on a network. IDS
83
Which open source network monitoring technology performs real-time traffic analysis and generates alerts when threats are detected on IP networks?
Topic 11.3.0 - Snort is an open source network IPS that performs real-time traffic analysis and generates alerts when threats are detected on IP networks. The legacy Cisco IOS IPS allowed a Cisco ISR router to be enabled as an IPS sensor to scan packets and sessions to match any of the Cisco IOS IPS signatures. Port mirroring allows a switch to copy frames that are received on one or more ports to a Switch Port Analyzer (SPAN) that is connected to an analysis device. Remote SPAN (RSPAN) is a variation of SPAN that enables a network administrator to use the flexibility of VLANs to monitor traffic on remote switches. Snort IPS
84
Which Cisco platform supports Cisco Snort IPS?
Topic 11.3.0 - The newer ISR routers, Cisco 4000 series, no longer support IOS IPS. The 4000 series routers provide IPS services using Snort. 4000 Series ISR
85
Which device supports the use of SPAN to enable monitoring of malicious activity?
Topic 11.4.0 - SPAN is a Cisco technology that allows all of the traffic from one port to be redirected to another port. Cisco Catalyst Switch
86
What is a host-based intrusion detection system (HIDS)?
Topic 11.2.0 - A current HIDS is a comprehensive security application that combines the functionalities of antimalware applications with firewall protection. An HIDS not only detects malware but also prevents it from executing. Because the HIDS runs directly on the host, it is considered an agent-based system. It combines the functionalities of antimalware applications with firewall protection
87
Which network monitoring capability is provided by using SPAN?
Topic 11.4.0 - When enabled on a switch, SPAN, or port mirroring, copies frames that are sent and received by the switch and forwards them to another port, known as a Switch Port Analyzer port, which has an analysis device attached. Traffic exiting and entering a switch is copied to a network monitoring device
88
What network monitoring tool can be used to copy packets moving through one port, and send those copies to another port for analysis?
Topic 11.4.0 - The Cisco Switched Port Analyzer (SPAN) feature allows traffic that is coming into or out of a port to be copied to a different port so that it can be collected and analyzed. SPAN