IPS

Question 1

Explain Exploits and Anomalies

Answer 1

Exploits are known confirmed attacked and detectable by IPS, WAF, or AV. Anomalies are unknown, or zero-day like high CPU on a device.

Question 2

What other features does the IPS engine help with (hint four answers)

Answer 2

App Control, and flow-based AV, Web filter, and email filter.

Question 3

What are the two IPS databases?

Answer 3

Regular
Extended

Question 4

When would you use the extended signature database?

Answer 4

When you have a high security environment, it may cause performance issues.

Question 5

How can you handle a false positive outbreak of IPS signatures?

Answer 5

You can set the action to monitor while you investigate.

Question 6

What is a signature exemption?

Answer 6

You can specify the ip addresses to exempt from the signature while investigating false-positives outbreaks.

Question 7

Where are DoS policies processed?

Answer 7

They are processed early, in the kernel.

Question 8

What are the tree types of DoS attacks?

Answer 8

TCP SYN flood
ICMP sweep
TCP port scan

Question 9

What is a TCP SYN flood DoS?

Answer 9

Attacker floods victim with incomplete TCP/IP connection requests, victim’s connection table becomes full

Question 10

What is an ICMP sweep?

Answer 10

Attacker sends ICMP traffic to find targets. Attacker can then attack hosts that reply

Question 11

What is a TCP port Scan

Answer 11

Scans using TCP/IP request to varying destination ports. Identifies what ports are open.

Question 12

What protocols can you configured for DoS Policy?

Answer 12

TCP, UDP, ICMP, STMP

Question 13

What types of DoS can you configure in a DoS Policy?

Answer 13

Flood, sweep/scan, Source, destination

Question 14

How can you determine thresholds for DoS?

Answer 14

If you are not sure what threshold to configure you could put the policy in monitor mode.

Question 15

Should you turn on all IPS signatures?

Answer 15

No, you should start with the most business-critical services.

Question 16

Do DoS policies need SSL Inspection mode?

Answer 16

No, it doesn’t look at the packet payload, just volume, source etc,

Question 17

Does IPS require SSL inspection?

Answer 17

If you want to protect from attackers hiding attacks in encrypted environments.

Question 18

What does set np-accel-mode basic do?

Answer 18

offloads IPS processing to NP

Question 19

What does set cp-accel-mode basic do?

Answer 19

offloads basic IPS pattern matching to CP8 or CP9

Question 20

What does set cp-accel-mode advanced do?

Answer 20

offloads more basic IPS pattern matching to CP8 or CP9 z

Question 21

Which chipset uses Turbo to accelerate IPS sessions

Answer 21

SoC4

Question 22

should IPS cause high CPU usage?

Answer 22

no, if it is you can use diagnose test application ipsmonitor

Question 23

What does set fail-open enable do? (IPS)

Answer 23

traffic bypasses IPS inspection

Question 24

What does set fail-open disabled do?

Answer 24

packets are dropped when the IPS socket buffer is full.