Chapter 6 The Basic LAN

Question 1

What is the role of the Physical Layer?

Answer 1

It handles the physical transmission of raw data bits over a communication channel.

Question 2

What does the Data Link Layer do?

Answer 2

It provides error-free transmission of data frames over a physical link and handles flow control.

Question 3

What is the purpose of the Network Layer?

Answer 3

It enables routing and logical addressing, allowing packets to be properly routed across multiple networks.

Question 4

What does the Transport Layer do?

Answer 4

It ensures reliable delivery of data by providing error recovery, flow control, and segmentation of data into smaller units.

Question 5

What is the role of the Session Layer?

Answer 5

It establishes, manages, and terminates sessions between applications, providing synchronization and checkpointing.

Question 6

What does the Presentation Layer handle?

Answer 6

It is responsible for data formatting, encryption, compression, and translation between different data formats.

Question 7

What is the purpose of the Application Layer?

Answer 7

It provides network services directly to end-users and applications, such as email, web browsing, and file transfer.

Question 8

What is Address Resolution Protocol (ARP)?

Answer 8

ARP is a protocol used to map IP addresses to the MAC addresses of network interfaces.

Question 9

Which layer of the OSI model does ARP operate at?

Answer 9

ARP operates at the Data Link Layer (Layer 2) of the OSI model.

Question 10

What is the purpose of ARP?

Answer 10

ARP allows devices on a local area network (LAN) to discover and communicate with each other using MAC addresses.

Question 11

What is a MAC address?

Answer 11

A MAC address, also known as a physical address, is a unique 48-bit hexadecimal identifier assigned to network interfaces.

Question 12

What type of networks does ARP apply to?

Answer 12

ARP applies to local area networks (LANs) where devices communicate using MAC addresses.

Question 13

What information does an ARP packet contain?

Answer 13

An ARP packet includes the source MAC address, source IP address, destination MAC address, and destination IP address.

Question 14

How does ARP work?

Answer 14

When a device wants to communicate with another device on the same LAN, it sends an ARP request to discover the MAC address associated with a given IP address. The destination device replies with an ARP response containing its MAC address.

Question 15

What is ARP cache poisoning?

Answer 15

ARP cache poisoning, also known as an ARP spoofing attack, is a type of man-in-the-middle attack where an attacker alters the ARP cache of a device to redirect network traffic through their system.

Question 16

How can ARP cache poisoning be mitigated?

Answer 16

Mitigation measures include using static ARP cache entries, implementing network access controls, employing multifactor authentication, and applying conditional access policies.

Question 17

Which layer of the OSI model is responsible for MAC addresses?

Answer 17

MAC addresses are handled at the Data Link Layer (Layer 2) of the OSI model.

Question 18

What is a Layer 2 attack?

Answer 18

A Layer 2 attack refers to attacks that exploit vulnerabilities in the Data Link Layer (Layer 2) of the OSI model, specifically related to MAC addresses.

Question 19

What is a MAC address flooding attack?

Answer 19

A MAC address flooding attack involves sending a flood of forged packets with spoofed MAC addresses to overwhelm a switch, causing it to behave like a hub and broadcast all traffic to every switch port.

Question 20

What is a broadcast storm?

Answer 20

A broadcast storm, also known as a switching loop, is a situation where excessive amounts of network traffic flood the network, usually caused by faulty switches, failing network cards, or redundant network links.

Question 21

How can MAC address flooding attacks be mitigated?

Answer 21

Mitigation measures for MAC address flooding attacks include limiting network access through MAC address filtering, using static MAC address assignments, and disabling unused switch ports.

Question 22

How can broadcast storms be mitigated?

Answer 22

Broadcast storms can be mitigated by implementing Spanning Tree Protocol (STP) to prevent switching loops, enabling features like Bridge Protocol Data Unit Guard (BPDU Guard), and ensuring proper network configuration.

Question 23

What are the security risks associated with Layer 2 attacks?

Answer 23

Layer 2 attacks can expose sensitive network traffic, compromise network integrity, and disrupt network operations, posing significant security risks to an organization.

Question 24

What is MAC address filtering?

Answer 24

MAC address filtering is a security measure that allows only specific MAC addresses to access the network, limiting unauthorized devices from connecting.

Question 25

What is Spanning Tree Protocol (STP)?

Answer 25

Spanning Tree Protocol (STP) is a network protocol that prevents switching loops and ensures a loop-free topology by dynamically managing redundant network paths.

Question 26

What is Bridge Protocol Data Unit Guard (BPDU Guard)?

Answer 26

BPDU Guard is a feature that prevents unauthorized switches from being connected to a network, protecting against potential switching loops and network disruptions.

Question 27

What is the importance of network access controls and proper network configuration?

Answer 27

Network access controls and proper network configuration help prevent unauthorized access, mitigate Layer 2 attacks, and maintain network security and stability.

Question 28

What is the concept of zero trust in IT security?

Answer 28

Zero trust refers to the approach of not automatically trusting anyone or anything, including insiders, and implementing strict security measures to protect the network.

Question 29

What are insider threats?

Answer 29

Insider threats refer to security risks posed by individuals within an organization who have authorized access to the network and may intentionally or unintentionally compromise its security.

Question 30

How can insider threats be mitigated?

Answer 30

Mitigation measures for insider threats include providing security awareness training to employees, implementing intrusion detection and prevention systems, and monitoring for suspicious activities.

Question 31

Why is having a network diagram important for network security?

Answer 31

A network diagram provides an overview of the network infrastructure, enabling effective incident response, troubleshooting, and security management.

Question 32

What are some best practices for network planning and preparation?

Answer 32

Best practices for network planning include using standardized naming conventions for devices, implementing VLANs for network segmentation, configuring screened subnets for publicly reachable services, and enforcing strict firewall rules.

Question 33

What is a VLAN (Virtual Local Area Network)?

Answer 33

A VLAN is a virtual network created within a physical network infrastructure that allows for network segmentation, isolation, and improved security by separating devices into different logical networks.

Question 34

What is a screened subnet?

Answer 34

A screened subnet, also known as a demilitarized zone (DMZ), is a separate network segment where publicly accessible services are placed, with strict firewall rules to control traffic between the DMZ and the internal network.

Question 35

How does zero trust apply to network security?

Answer 35

Zero trust principles emphasize the need for continuous authentication, authorization, and verification of all devices and users accessing the network, regardless of their location or insider status.

Question 36

Why are standardized naming conventions and IP address schemes important for network security?

Answer 36

Standardized naming conventions and IP address schemes improve network manageability, troubleshooting, and security incident response by providing consistency and easy identification of devices and their roles.

Question 37

What is the role of firewalls in network security?

Answer 37

Firewalls act as a barrier between networks, enforcing security policies and controlling traffic flow to protect against unauthorized access and potential threats from the internet or other networks.

Question 38

What is load balancing in the context of app availability?

Answer 38

Load balancing refers to distributing client traffic across multiple backend servers running the same app, improving performance and increasing availability

Question 39

How does a load balancer work?

Answer 39

Clients connect to the load balancer, which selects the least busy backend server from a pool to handle the client’s request, ensuring even distribution of workload and providing redundancy.

Question 40

What is auto scaling in a load balancing configuration?

Answer 40

Auto scaling allows the load balancer to dynamically add or remove backend servers based on the demand for incoming client requests, optimizing resource utilization and scaling the environment horizontally.

Question 41

What is session persistence in load balancing?

Answer 41

Session persistence, also known as sticky sessions, ensures that a client remains connected to the same backend server for the duration of a session, maintaining session-related data and providing a consistent experience.

Question 42

What are the different scheduling methods in load balancing?

Answer 42

The scheduling methods include Round-Robin (requests are sent sequentially to backend servers), Least Connection (requests are sent to the least busy server), and Weighted (servers are assigned relative weights to distribute traffic).

Question 43

What is an active-active load balancing configuration?

Answer 43

An active-active configuration refers to multiple backend servers being actively available simultaneously, handling client requests in parallel, without any servers being in standby mode.

Question 44

What is an active-passive load balancing configuration?

Answer 44

An active-passive configuration involves one active backend server handling client requests, while the standby servers remain idle until the active server becomes unresponsive or overwhelmed, at which point a standby server takes over.

Question 45

How can load balancing improve app availability?

Answer 45

Load balancing enhances availability by distributing client traffic across multiple servers, providing redundancy and failover capabilities in case of server failures or high traffic loads.

Question 46

What are the considerations for load balancer configuration?

Answer 46

Factors to consider include the type of load balancer (hardware or software-based), the application’s specific needs, session persistence requirements, scheduling methods, and the ability to scale horizontally or vertically.

Question 47

How does load balancing contribute to the CIA security triad?

Answer 47

Load balancing improves availability by ensuring that apps are accessible and responsive to client requests, contributing to the “A” (availability) aspect of the CIA security triad.

Question 48

What is network access control (NAC)?

Answer 48

Network access control is a security solution that enforces policies to control and manage device access to a network, considering factors such as device type, location, firewall status, and anti-malware tools.

Question 49

How does IEEE 802.1X contribute to network access control?

Answer 49

IEEE 802.1X is a port-based network access control protocol that enables authentication of devices connecting to network switches, VPN concentrators, or wireless routers, helping to enforce access control policies.

Question 50

What is the purpose of DHCP (Dynamic Host Configuration Protocol)?

Answer 50

DHCP automatically assigns unique IP addresses and network configuration parameters to devices connecting to a network, eliminating the need for manual configuration. However, it can be exploited by malicious users to distribute false information.

Question 51

How can DHCP snooping mitigate rogue DHCP server attacks?

Answer 51

DHCP snooping is a network switch feature that allows the switch to only trust DHCP traffic from known, trusted DHCP servers. It helps prevent unauthorized DHCP servers from distributing false configuration information on the network.

Question 52

What is the concept of a jump server (or jump box)?

Answer 52

A jump server is a secure intermediary server with both a public interface for remote administration and a private interface to connect to internal servers with private IP addresses. It provides a secure access point to manage internal servers without exposing them directly to the public internet.

Question 53

How can network access control solutions improve network security?

Answer 53

Network access control solutions enforce access policies, restrict unauthorized access, and prevent attacks like rogue DHCP servers. They provide visibility and control over network devices, enhancing network security and reducing the risk of unauthorized access or malicious activity.

Question 54

What factors can be considered in a network access control policy?

Answer 54

A network access control policy can consider device type, operating system, device location, firewall status, anti-malware tools, and other parameters to determine whether to allow or deny network access to a device.

Question 55

What is the significance of multilayered security in network access control?

Answer 55

Multilayered security combines different security measures, such as device authentication, firewall rules, and anti-malware tools, to provide a comprehensive defense against unauthorized access and mitigate potential threats in the network.

Question 56

What are the benefits of using IEEE 802.1X in network access control?

Answer 56

IEEE 802.1X provides strong device authentication and port-based access control, ensuring that only authorized devices can connect to the network. It enhances network security by preventing unauthorized access and protecting against rogue devices.

Question 57

How does DHCP snooping contribute to network security?

Answer 57

DHCP snooping helps prevent rogue DHCP server attacks by allowing network switches to validate and filter DHCP traffic. It ensures that DHCP configuration information comes from trusted sources, reducing the risk of unauthorized or malicious network configuration.

Question 58

What is a honeypot?

Answer 58

A honeypot is a decoy or fake system intentionally made to appear vulnerable to attract malicious activity. It allows for tracking and analysis of malicious user behavior, including their methods of attack and potential compromise.

Question 59

How should a honeypot be deployed to ensure security?

Answer 59

A honeypot should be set up in a sandbox environment, such as a virtual machine, that is isolated from production networks and real servers. This prevents the risk of compromising critical systems and ensures the honeypot can be closely monitored.

Question 60

What can be learned from a honeypot?

Answer 60

By analyzing a honeypot, one can gather statistics and telemetry on malicious user activity, including brute force password attempts, unauthorized access, installation of backdoors, and attempts at lateral movement within a network.

Question 61

Why is centralized log forwarding important for honeypots?

Answer 61

Centralized log forwarding ensures that honeypot logs are securely stored in a separate location, even if an attacker compromises the honeypot and attempts to erase logs. It provides a backup of the captured data for analysis and investigation.

Question 62

What is a honey file?

Answer 62

A honey file is an individual file designed to appear enticing to an attacker. It is monitored using trigger alarms and file integrity monitoring to track any activity related to the file, such as unauthorized access, modifications, or deletion.

Question 63

What is a honeynet?

Answer 63

A honeynet is a collection of honeypots deployed on a network. It allows for the monitoring and analysis of malicious activity across multiple decoy systems, providing a broader understanding of attacker techniques and behaviors.

Question 64

How can a honeypot be configured to mimic different systems?

Answer 64

Honeypots can be configured to emulate various systems, such as different versions of Windows servers, Linux servers, UNIX hosts, or even industrial control equipment. This enhances the realism and attractability of the honeypot to potential attackers.

Question 65

Why should honeypot logs be stored externally?

Answer 65

Storing honeypot logs externally ensures their integrity and availability even if the honeypot itself is compromised or tampered with. It enables detailed analysis and forensic investigations without the risk of losing valuable data.

Question 66

How can honeypots be used to enhance network security?

Answer 66

Honeypots provide insights into attacker tactics, techniques, and procedures (TTPs), allowing organizations to strengthen their defenses, identify vulnerabilities, and develop effective countermeasures to protect their production networks.

Question 67

What are some considerations for deploying a honeypot securely?

Answer 67

Deploy honeypots in isolated environments, use centralized log forwarding, maintain backups of honeypot logs, monitor and analyze captured data, and ensure proper permissions and access controls are in place to protect the honeypot and its surrounding systems.

Question 68

What is a firewall?

Answer 68

A firewall is a security device or software that controls and monitors network traffic based on predetermined rules. It acts as a barrier between trusted and untrusted networks, allowing or denying traffic based on defined access control policies.

Question 69

What are the different forms of firewalls?

Answer 69

Firewalls can be hardware appliances, physical devices connected to a network, or virtual machine appliances acting as firewalls. They can also be host-based firewalls, such as Windows Defender, that run on individual devices.

Question 70

What are access control lists (ACLs) in the context of firewalls?

Answer 70

Access control lists (ACLs) are rules configured within a firewall to allow or deny network traffic. They define criteria based on factors such as IP addresses, port numbers, and protocols to determine how traffic is handled.

Question 71

What is a packet filtering firewall?

Answer 71

A packet filtering firewall operates at the network layer (layer 3) or transport layer (layer 4) of the OSI model. It examines packets based on factors like IP addresses, port numbers, and protocol types (TCP, UDP, ICMP) to allow or deny traffic.

Question 72

What is the difference between a stateful and stateless packet filtering firewall?

Answer 72

A stateful packet filtering firewall not only analyzes individual packets but also tracks entire sessions. It maintains information about established connections, enabling more sophisticated filtering based on the context of a session. In contrast, a stateless firewall examines each packet independently without session awareness.

Question 73

What are some criteria used in configuring packet filtering firewall rules?

Answer 73

Packet filtering firewall rules can be based on source and destination IP addresses, source and destination port numbers, protocol types (TCP, UDP, ICMP), and even MAC addresses (layer 2).

Question 74

What is a network security group (NSG)?

Answer 74

A network security group (NSG) is a collection of firewall rules that can be associated with virtual machine interfaces or entire subnets in cloud environments. It enables the configuration of inbound and outbound traffic rules to control network access.

Question 75

What is an application layer (Layer 7) firewall?

Answer 75

An application layer firewall operates at Layer 7 of the OSI model, focusing on application-specific protocols like HTTP. It can analyze packet payloads, HTTP details, URLs, and more to provide granular control and protection against web application attacks.

Question 76

What are some common web application attacks protected by a web application firewall (WAF)?

Answer 76

A web application firewall (WAF) protects against common web application attacks such as cross-site scripting (XSS), cryptographic downgrade attacks, directory traversal, SQL injection, and more. It helps prevent unauthorized access, data breaches, and other malicious activities.

Question 77

Why is it important to understand the OSI model when configuring and discussing firewalls?

Answer 77

The OSI model provides a framework for understanding the different layers of network communication. Understanding the OSI model helps in determining which layer a specific firewall operates on, what factors it can analyze, and what types of attacks it can mitigate.

Question 78

What is a proxy server?

Answer 78

A proxy server acts as an intermediary between client devices and the internet. It can be used to fetch content on behalf of internal users (forward proxy) or protect and route incoming connections to internal servers (reverse proxy).

Question 79

What is a forward proxy?

Answer 79

A forward proxy sits between internal users and the internet, fetching requested content on their behalf. It hides the IP addresses of internal clients and can be configured as a transparent proxy, where clients point to the proxy server as their default gateway.

Question 80

What is a transparent proxy configuration?

Answer 80

A transparent proxy configuration involves setting the proxy server as the default gateway for internal clients, eliminating the need for individual client configurations. It simplifies the setup but requires proper network routing and configuration.

Question 81

What is caching in the context of a forward proxy?

Answer 81

Caching is a feature of forward proxies where the proxy server stores fetched internet content. This allows subsequent requests for the same content to be served locally by the proxy server, improving response times.

Question 82

What is a reverse proxy?

Answer 82

A reverse proxy protects servers by acting as an intermediary between external internet clients and internal servers. It forwards external requests to the appropriate internal server based on the public IP address and port configured on the reverse proxy.

Question 83

How does a reverse proxy enhance security?

Answer 83

A reverse proxy hides the true identity and location of internal servers by mapping external requests to internal IP addresses and ports. It helps protect servers from direct exposure to the internet and can provide additional security features such as SSL/TLS termination and load balancing.

Question 84

What is load balancing in the context of a reverse proxy?

Answer 84

Load balancing is a feature often found in reverse proxies. It distributes incoming requests across multiple internal servers, improving performance, scalability, and availability of services.

Question 85

What is SSL/TLS offloading or termination?

Answer 85

SSL/TLS offloading or termination is a feature of reverse proxies where the proxy server handles the encryption and decryption of SSL/TLS traffic on behalf of backend servers. This relieves the backend servers from the processing burden, allowing them to focus on other tasks.

Question 86

What are some additional security components that can be included in a reverse proxy?

Answer 86

Reverse proxies can include additional security components such as access control, authentication, and application-level security features like web application firewalls (WAFs). These components enhance the security of the protected services.

Question 87

What is the key difference between a forward proxy and a reverse proxy?

Answer 87

A forward proxy sits between internal users and the internet, fetching content on their behalf. A reverse proxy sits between external internet clients and internal servers, forwarding requests to the appropriate server and protecting the servers from direct exposure to the internet.

Question 88

What is Port Address Translation (PAT)?

Answer 88

Port Address Translation (PAT) is a method of network address translation that allows multiple internal devices to access the internet using a single public IP address. It maps each internal device’s private IP address to a unique port number on the public IP address.

Question 89

How does PAT differ from a forward proxy?

Answer 89

PAT operates at layer 4 of the OSI model and does not require authentication or caching. It allows internal clients to access the internet using a single public IP address. A forward proxy operates at layer 7 and can require authentication, perform caching, and act as an intermediary between internal clients and the internet.

Question 90

What is Network Address Translation (NAT)?

Answer 90

Network Address Translation (NAT) is a method of translating IP addresses and port numbers between internal and external networks. It is commonly used to allow internet clients to access internal services by mapping a public IP address and port to an internal private IP address and port.

Question 91

How does a reverse proxy differ from NAT?

Answer 91

A reverse proxy operates at layer 7 and is used to protect internal services by acting as an intermediary between external clients and internal servers. It hides the internal IP addresses of servers and allows connections to be made using a public IP address and port. NAT operates at layer 4 and translates IP addresses and port numbers between internal and external networks.

Question 92

What is the purpose of Port Address Translation (PAT)?

Answer 92

The purpose of PAT is to allow multiple internal devices to access the internet using a single public IP address. It provides a way to hide the true identities of internal clients and conserve public IP addresses.

Question 93

What is the purpose of Network Address Translation (NAT)?

Answer 93

The purpose of NAT is to allow internet clients to access internal services by translating the IP addresses and port numbers between the internal and external networks. It provides a way to hide the internal IP addresses of servers and allows connections to be made using a public IP address and port.

Question 94

How does a PAT router maintain translation tables?

Answer 94

A PAT router maintains translation tables in its memory. These tables map each internal device’s private IP address and port number to the shared public IP address and a unique port number. This allows the router to track and manage multiple client sessions using a single public IP address.

Question 95

How does a NAT device perform IP and port mapping?

Answer 95

A NAT device maps a public IP address and port to an internal private IP address and port. It maintains translation tables to associate external client connections with the corresponding internal server addresses. This enables external clients to connect to internal services using the public IP address and port.

Question 96

What is the role of a reverse proxy in network security?

Answer 96

A reverse proxy enhances network security by hiding the internal IP addresses of servers and acting as a protective barrier between external clients and internal services. It can perform authentication, SSL/TLS termination, load balancing, and other security functions to protect the internal servers from direct exposure to the internet.

Question 97

What are the key differences between PAT and NAT?

Answer 97

PAT operates at layer 4 and allows multiple internal devices to access the internet using a single public IP address. NAT operates at layer 3 and translates IP addresses and port numbers between internal and external networks. PAT is used for outbound connections, while NAT is used for both inbound and outbound connections.

Question 98

What is a Virtual Private Network (VPN)?

Answer 98

A VPN is a secure communication tunnel that allows for encrypted traffic over an untrusted network. It provides a point-to-point encryption tunnel through which traffic can be transmitted securely.

Question 99

How does a VPN provide security?

Answer 99

A VPN encrypts the traffic that passes through it, protecting it from unauthorized access or interception. It allows for secure communication over an untrusted network, such as the internet.

Question 100

What are the authentication methods used in VPNs?

Answer 100

VPN authentication can be done using various methods, including username and password, multifactor authentication, smart cards with PINs, device certificates, or hardware/software tokens. Multifactor authentication is recommended for enhanced security.

Question 101

What are the two main types of VPN tunneling protocols?

Answer 101

The two main types of VPN tunneling protocols are Layer 2 Tunneling Protocol (L2TP) and Secure Socket Layer/Transport Layer Security (SSL/TLS). L2TP operates at layer 2 of the OSI model and is often used with IPsec for encryption. SSL/TLS VPNs use the HTTPS port (port 443) and are firewall-friendly.

Question 102

How does an Always-On VPN configuration benefit sysadmins?

Answer 102

An Always-On VPN configuration allows devices to establish a VPN connection automatically upon startup, providing centralized control for sysadmins to apply updates and patches to remote devices. It simplifies the management of remote devices and ensures their connection to the VPN.

Question 103

What is split tunneling in VPNs?

Answer 103

Split tunneling is an option in VPN configurations that allows users to access both the internet and internal resources simultaneously. When split tunneling is enabled, internet traffic goes through the user’s local internet connection, while internal resource access goes through the VPN tunnel.

Question 104

What is a client-to-site VPN?

Answer 104

A client-to-site VPN is a type of VPN where individual client devices establish an encrypted tunnel to a remote network. It enables remote users to access resources on the remote network securely. Client devices require VPN client software for establishing the connection.

Question 105

What is a site-to-site VPN?

Answer 105

A site-to-site VPN is a type of VPN that connects two or more networks (typically branch offices) over the internet securely. Each site has a VPN appliance, and the VPN tunnel is established between these appliances. Client devices do not require VPN client software in a site-to-site VPN.

Question 106

What are the benefits of a site-to-site VPN?

Answer 106

Site-to-site VPNs provide secure connectivity between remote networks, allowing for seamless communication and resource sharing. They eliminate the need for individual client VPN configurations and ensure the privacy and integrity of data transmitted between sites.

Question 107

What are the key features of VPNs?

Answer 107

VPNs provide secure communication over untrusted networks, encrypt traffic, authenticate users, establish encrypted tunnels, and protect data privacy and integrity. They enable remote access to networks and secure communication between sites or individuals.

Question 108

What are intrusion detection systems (IDS) and intrusion prevention system (IPS) sensors?

Answer 108

IDS and IPS sensors are appliances or software configurations that monitor network and host activity for suspicious behavior. IDS detects and alerts, while IPS can take action to prevent or stop suspicious activity.

Question 109

Why is network placement crucial for IDS/IPS sensors?

Answer 109

Proper network placement ensures that IDS/IPS sensors can capture and analyze all network traffic effectively. In a switched environment, the switch port needs to be configured to forward or copy all traffic to the sensor to ensure comprehensive monitoring.

Question 110

What is an inline sensor in the context of IDS/IPS?

Answer 110

An inline sensor refers to an IDS/IPS sensor placed on the network where it receives all traffic and can actively monitor and analyze it. It allows for real-time detection and prevention of suspicious activity.

Question 111

How does encryption impact network intrusion detection?

Answer 111

Encrypted traffic can pose challenges for network intrusion detection as it cannot be analyzed in its encrypted form. IDS configurations often require decryption keys to decrypt and analyze encrypted traffic, but this can impact performance due to the additional processing overhead.

Question 112

What is signature-based intrusion detection?

Answer 112

Signature-based intrusion detection involves looking for known patterns of malicious behavior. It relies on predefined signatures or patterns of known attacks or anomalies to identify and alert on suspicious network or host activity.

Question 113

What is unified threat management (UTM)?

Answer 113

Unified Threat Management (UTM) refers to network security devices or appliances that offer multiple security functionalities in a single solution. These functionalities may include firewall, content filtering, intrusion detection/prevention, VPN, antivirus, spam filtering, and more.

Question 114

How can IDS/IPS sensors report alerts?

Answer 114

IDS/IPS sensors can generate alerts that can be sent to administrators via email, text messages, or integrated with centralized security information and event monitoring (SIEM) systems. Centralized reporting allows for efficient monitoring and management of alerts.

Question 115

How can IDS/IPS sensors be configured using open-source software like Snort?

Answer 115

Snort is an open-source intrusion detection and prevention system. It can be installed on Linux or Windows machines. Snort uses rule-based configurations, where custom rules can be defined to detect specific network traffic patterns or behavior. The sensor can generate alerts when those patterns are detected.

Question 116

What is the importance of testing IDS/IPS configurations?

Answer 116

Testing IDS/IPS configurations helps ensure their effectiveness and identifies any configuration errors or issues. By simulating various network activities or attacks, administrators can verify if alerts are generated appropriately and fine-tune the configurations as needed.

Question 117

What is the role of IDS/IPS in an organization’s security posture?

Answer 117

IDS/IPS plays a crucial role in detecting and preventing unauthorized activities on the network. By continuously monitoring network and host activity, IDS/IPS sensors help identify potential threats and security incidents, allowing organizations to take proactive measures to protect their systems and data.