Lesson 13

Question 1

___________ feature of the ASA appliance monitors the dropped packet rate and security events and, if it sees a threat, the appliance generates a log message .

Answer 1

Basic Threat Detection

measures the rates that drops occur over a configured period of time.

Question 2

Basic Threat Detection is enabled by default.

Uses the following command to enable

Answer 2

fw1( config )# threat - detection basic - threat

Question 3

These can be seen on the appliance with the __________ command

Answer 3

show run all threat - detection

Question 4

basic threat detection measures the rates that drops occur over a configured period of time. This period of time is called the ________and can range from ___ seconds to __ days

Answer 4

average rate interval (ARI)

600 seconds to 30 days

Question 5

The burst rate is very similar but looks at smaller periods of snapshot data, called the __________.

Answer 5

burst rate interval (BRI)

show run all threat-detection [rate]

Question 6

Unlike Basic Threat Detection, Advanced Threat Detection can be used to track statistics for more granular objects.

Answer 6

fw1( config )# threat - detection statistics [{ access - list | host | port | protocol }]

Without any options, all statistics are enabled

show threat - detection statistics
show threat - detection statistics top

Question 7

_____________ is used in order to keep track of suspected attackers who create connections to too many hosts in a subnet, or many ports on a host/subnet.

Answer 7

Scanning Threat Detection

Question 8

_____________ is used in order to keep track of suspected attackers who create connections to too many hosts in a subnet, or many ports on a host/subnet.

Answer 8

Scanning Threat Detection

threat-detection scanning-threat

Question 9

Scanning Threat Detection can optionally react to an attack by ________ the attacker IP.

Answer 9

shunning

Question 10

Once the set threshold for _________________ has been reached, the security appliance will intercept all TCP synchronizations and respond on behalf of the client .

Answer 10

TCP synchronizations (also known as SYN scan half - open connections , or embryonic connections )

Question 11

You can limit the number of embryonic connections that can be built with the _______________ with the _____________option using the Modular Policy Framework .

Answer 11

set connection command

embryonic - conn - max

Question 12

The ASA AIP - SSM IPS module , on the other hand can detect over 1,500 attacks. • However , if you don’t have this card, you can supplement the security of your appliance with the IPS software feature, commonly called ___________

Answer 12

IP audit

Question 13

The following signature classes are supported by Cisco Security Appliances:

Answer 13

Informational

Attack

Question 14

To enable default IDS on a security appliance use the command :

Answer 14

fw1( config )#
ip audit info action alarm
ip audit attack action alarm

Question 15

IDS attack trigger. 3 possibilities

Answer 15

Alarm. Drop. Reset

Question 16

To disable the IP auditing you must use :

Answer 16

ip audit info action

Question 17

When a ______ is activated all existing connections from an attacker can be dropped and all future connections can be blocked.

Answer 17

shun

Question 18

Two general settings for IDS and IPS in an SSM module in ASA

Answer 18

Inline

Promiscuous

Question 19

By default the appliance allows up to __ fragments that will make up a complete IP packet, as well as up to ___ fragments that are waiting to be reassembled back into a complete packet.

Answer 19

24

200

Question 20

If you do not expect fragments in your network , then you should have the appliance drop any fragments that it receives. This is accomplished with the following command:

fw1(config)# fragment chain 1 outside

Answer 20

The chain parameter specifies the number of fragments that can make up a complete packet; by setting it to 1, you are ensuring that your appliance won’t allow fragments through it, since fragments are commonly used in DoS attacks.

Question 21

Virtual IP Reassembly

Answer 21

ASA provides IP fragment protection by performing full reassembly of all ICMP error messages and virtual reassembly of the remaining IP fragments that are routed through the ASA.

Question 22

Sets the maximum number of packets to track/hold in the database – Default is __

Answer 22

fragment size

200

Question 23

Sets the maximum number of fragments per packet –Default is __

Answer 23

fragment chain

24

Question 24

Sets the time to receive all fragments once the first has been received by the appliance – Default is _ seconds – The maximum is __ seconds

Answer 24

fragment timeout

5 > 30

Question 25

The____________ command is most useful in reducing the chances of internal hosts becoming parties to an attack and outsiders spoofing a trusted inside address

Answer 25

ip verify reverse - path interface

You must have a default route enabled