S18-Network Monitoring

Question 1

IDS

Answer 1

“Intrusion Detection system”

a cybersecurity tool that monitors network traffic and system activity for suspicious patterns or deviations from normal behavior, potentially indicating an attack or intrusion
- Passive System

Question 2

IPS

Answer 2

“Intrusion Prevention system”

a cybersecurity tool that actively monitors network traffic for malicious activity and takes automated actions to prevent attacks
- Active System
- can drop or block offending traffic

Question 3

What are the 3 main methods for detecting offending traffic?

Answer 3

• Signature
• Policy
• Anomaly

Question 4

Signature-Based detection

Answer 4

Triggered by a signature that contains a unique string of bytes

Question 5

Policy-based detection

Answer 5

Relies on a specific declaration of a security policy

Question 6

Anomaly-based detection

Answer 6

Done through a a statistical or non-statistical anomaly

Question 7

Statistical Anomaly detection

Answer 7

Watches traffic patterns to build baseline and flags things outside the normal

Question 8

Non-statistical Anomaly detection

Answer 8

Admin defines the patterns or baseline

Question 9

What other ways can IPSs and IDSs can be distinguished?

Answer 9

By if their:
- Host-based
- Network-based

Question 10

Network-based IDS/IPS

Answer 10

Protects entire network

Question 11

Host-based IDS/IPS

Answer 11

software-based IDS/IPS installed to Protect a host

Question 12

Simple Network Management Protocol (SNMP)

Answer 12

AN internet protocol for collecting, organizing, and modifying information about managed devices on IP networks

Question 13

Managed Device

Answer 13

Device that communicates with SNMP manager or Management info Base (MIB)

Question 14

SNMP Manager

Answer 14

Machine running SNMP protocol to collect and process information from devices

Question 15

SNMP Agents

Answer 15

Network devices that report info back to the SNMP manager

Question 16

What 3 messages types does an SNMP manager use to communicate with it’s Agents?

Answer 16

• SET
• GET
• TRAP

Question 17

SET Request

Answer 17

Manager to Agent request to change the value of a variable or a list of variables

Question 18

GET Request

Answer 18

Manager to Agent request to retrieve the value of a variable or list of variables

Question 19

TRAP Request

Answer 19

Message that is sent asynchronously as notifications from the agent to the manager

Question 20

What to methods are used to encode trap message data in SNMP?

Answer 20

• Granular Tap
• Verbose Trap

Question 21

Granular Trap

Answer 21

Each SNMP Trap message is sent with a unique object Identifier (OID)

Question 22

Verbose Trap

Answer 22

SNMP traps that contain all the information about a given alert or event as a payload

Question 23

Object Identifier (SNMP)

Answer 23

Identifies a variable that can be read or set via SNMP

Question 24

Management Information Base (MIB)

Answer 24

essentially a “dictionary” that translates numerical Object Identifiers (OIDs) into human-readable descriptions, making it easier to monitor and manage network devices.

Question 25

Variable Binding

Answer 25

Data in SNMP traps are sent and stored in a key value pair configuration

Question 26

SNMPv1 & SNMPv2

Answer 26

Uses a plaintext community string to give them access to the devices as their security mechanism, unsecure

Question 27

Underrun

Answer 27

Number of times the sender has operated faster than the router can handle. causing buffers or dropped packets

Question 28

SNMPv3 over SNMPv1/2

Answer 28

SNMPv3 Features: - Message Hashing - Source validation - Encryption (DES) 56-bit encryption key (weak algo) - newer SNMPv3 devices use stronger encryption (AES, DES3)

Question 29

Network Sensors

Answer 29

Monitor the performance of network devices

Question 30

Packet Capture

Answer 30

Used to capture data going to or from a network device

Question 31

Full Packet Capture (FPC)

Answer 31

Captures the entire packet including the header and payload

Question 32

Flow Analysis

Answer 32

Recording metadata and stats about your network traffic, instead of every single packet, using a flow collector

Question 33

Flow Analysis benefits

Answer 33

Highlights trends and patterns

Question 34

What are some tools used for traffic flow analysis?

Answer 34

- NetFlow - Zeek - MRTG

Question 35

NetFlow

Answer 35

Cisco-Developed means of reporting network flow information to a structured database. Captures meta data but cannot do full packet capture.

Question 36

Zeek

Answer 36

A hybrid tool that passively monitors networks like a sniffer but can be configure to perform Full packet captures for data packets of particular interest.

Question 37

Multi Router Traffic Grapher (MRTG)

Answer 37

Creates graphs to show network traffic flows going through different network objects & interfaces

Question 38

System Logging Protocol (Syslog)

Answer 38

Sends System Log or even messages to a central server, called a syslog server

Question 39

T/F Syslog Server configuration requires a Client and a Server

Answer 39

TRUE

Question 40

What does Each component do in a syslog server configuration?

Answer 40

Client - end point device that reports it's log data to syslog server Server - Receives and stores log data from clients

Question 41

What port is used for Syslog traffic?

Answer 41

port 514 with UDP port 1468 with TCP

Question 42

How many Severity levels are there in Syslog?

Answer 42

8 levels starting at 0 counting up to 7, with 0 being the most severe.

Question 43

Syslog Severity levels

Answer 43

0 (emergency) - unstable system 1 (Alert) - requires urgent correction 2 (Critical) - System failure needs immediate attention 3 (Error) - something preventing proper system function 4 (Warning) - Error will occur w/o further action 5 (Notice) - Unusual events 6 (Information) - normal operational message 7 (debugging) - useful Developer information

Question 44

Traffic Logs

Answer 44

Contains information about the traffic flows on the network

Question 45

Audit Log/Audit Trail

Answer 45

Contains a sequence of events for a particular activity

Question 46

what are the 3 main log types for windows systems?

Answer 46

- Application Logs - Security Logs - System Logs

Question 47

Application Log (WIN)

Answer 47

Contains info about software running on a client or server

Question 48

Security Log (WIN)

Answer 48

Contains info about the security of a client or server

Question 49

System Log (WIN)

Answer 49

Contains info about the OS itself

Question 50

What are the 3 severity levels in a windows Application/system log?

Answer 50

- Informational - Warning - Error

Question 51

Security Information and Event Management (SIEM)

Answer 51

Provides real-time or near-real-time analysis of security alerts generated by network hardware and applications

Question 52

What are the 5 essential functions of a SIEM?

Answer 52

- Log collection - Normalization - Correlation - Aggregation - Reporting

Question 53

Log Collection (SIEM)

Answer 53

Forensic tools are used to address compliance reporting requirements

Question 54

Normalization (SIEM)

Answer 54

Maps log messages into a common data model. so related events can be connected and analyzed

Question 55

Correlation (SIEM)

Answer 55

Links logs/events from different systems/apps into a single data feed

Question 56

Aggregation (SIEM)

Answer 56

Reduces the volume of event data by consolidating duplicate event records and merging into a single record

Question 57

Reporting (SIEM)

Answer 57

Presents the correlated, aggregated event data in real-time monitoring dashboards for analysts or long-term summaries for management

Question 58

What ways can a SIEM be implemented?

Answer 58

- As Software - As Hardware - As a Managed Service

Question 59

Network Performance Monitoring

Answer 59

End to End network monitoring of the end user experience

Question 60

Link State

Answer 60

Communicates whether a given interface has a cable connected to it and a valid protocol to use for communication

Question 61

Drop

Answer 61

The Count of dropped packets

Question 62

Flush

Answer 62

The Count of Selective Packet discards (SPD) (when the router decides it needs to load-shed and drops packets selectively)

Question 63

Selective Packet Discards (SPD)

Answer 63

Drops low priority packets when the CPU is too busy, to save capacity for higher priority packets

Question 64

Runt

Answer 64

An Ethernet frame that is less than 64 bytes in size

Question 65

Giant

Answer 65

Ethernet frame that exceeds the 802.3 frame size of 1518 bytes

Question 66

Throttle

Answer 66

Occurs when the interface fails to buffer the incoming packets

Question 67

CRC

Answer 67

Number of packets received that failed the cyclic redundancy checksum, or CRC check upon receipt

Question 68

Frame

Answer 68

Counts the number of packets where a CRC error and a non-integer number of octets was received

Question 69

Overrun

Answer 69

Counts how often the interface was unable to receive traffic due to an insufficient hardware buffer

Question 70

Ignored

Answer 70

Counts the number of packets that the interface ignored since the hardware interface was low on buffers

Question 71

Babble

Answer 71

Used to count any frames that are transmitted and are larger than 1518 bytes

Question 72

Late Collision

Answer 72

Count of collisions that occur after the interface has started transmitting its frame

Question 73

Deferred

Answer 73

Used to count the number of frames that were transmitted successfully after waiting because the media was busy

Question 74

Output Buffer Failure

Answer 74

Number of times a packet was not output from the output hold queue because of a shortage of shared memory

Question 75

Output Buffer Swapped Out

Answer 75

Number of packets stored in main memory when the queue is full

Question 76

Port Mirroring

Answer 76

a technique where network traffic on a specific port is duplicated and sent to another port on the same switch for monitoring and analysis