Module 11 Flashcards
____ is a cyberattack that tries to exploit software vulnerabilities that are unknown or undisclosed by the software vendor, as shown in the figure.
____ describes the moment when a previously unknown threat is identified.
____ is depicted as a red skull and crossbones trying to enter a LAN through a firewall.
A zero-day attack, sometimes referred to as a zero-day threat,
_____ were implemented to passively monitor the traffic on a network.
Intrusion Detection Systems (IDS)
Working offline, the IDS compares the captured traffic stream with known malicious signatures, similar to software that checks for viruses. Working offline means several things:
The IDS works passively.
The IDS device is physically positioned in the network so that traffic must be mirrored in order to reach it.
Network traffic does not pass through the IDS unless it is mirrored.
Very little latency is added to network traffic flow.
Although the traffic is monitored, logged, and perhaps reported, no action is taken on packets by the IDS. This offline IDS implementation is referred to as ____
promiscuous mode.
The ___ of operating with a copy of the traffic is that the IDS does not negatively affect the packet flow of the forwarded traffic.
advantage
The ____ of operating on a copy of the traffic is that the IDS cannot stop malicious single-packet attacks from reaching the target. An IDS often requires assistance from other networking devices, such as routers and firewalls, to respond to an attack.
disadvantage
a device that can immediately detect and stop an attack
Intrusion Prevention System (IPS)
Common Characteristics of IDS and IPS
Malicious traffic is sent to the target host that is inside the network.
The traffic is routed into the network and received by an IPS-enabled sensor where it is blocked.
The IPS-enabled sensor sends logging information regarding the traffic to the network security management console.
The IPS-enabled sensor kills the traffic. (It is sent to the “Bit Bucket.”)
Both technologies are deployed as sensors.
Both technologies use signatures to detect patterns of misuse in network traffic.
Both can detect atomic patterns (single-packet) or composite patterns (multi-packet).
IDS and IPS technologies are both deployed as sensors. An IDS or IPS sensor can be in the form of several different devices:
A router configured with IPS software
A device specifically designed to provide dedicated IDS or IPS services
A hardware module installed in an adaptive security appliance (ASA), switch, or router
IDS and IPS technologies use ___ to detect patterns in network traffic.
A ___ is a set of rules that an IDS or IPS uses to detect malicious activity. ___ can be used to detect severe breaches of security, to detect common network attacks, and to gather information.
signatures
IDS and IPS technologies can detect
atomic signature patterns (single-packet) or composite signature patterns (multi-packet).
IDS Advantages
No impact on network (latency, jitter)
No network impact if there is a sensor failure
No network impact if there is sensor overload
IDS Disadvantages
Response action cannot stop trigger packets
Correct tuning required for response actions
More vulnerable to network security evasion techniques
IPS Advantages
Stops trigger packets
Can use stream normalization techniques
IPS Disadvantages
Sensor issues might affect network traffic
Sensor overloading impacts the network
Some impact on network (latency, jitter)
IDS Advantages
An IDS is deployed in offline mode and therefore:
The IDS does not impact network performance. Specifically, it does not introduce latency, jitter, or other traffic flow issues.
The IDS does not affect network functionality if the sensor fails. It only affects the ability of the IDS to analyze the data.
IDS Disadvantages
Disadvantages of an IDS include:
An IDS sensor cannot stop the packets that have triggered an alert and is less helpful in detecting email viruses and automated attacks, such as worms.
Tuning IDS sensors to achieve expected levels of intrusion detection can be very time-consuming.
Users deploying IDS sensor response actions must have a well-designed security policy and a good operational understanding of their IDS deployments.
An IDS implementation is more vulnerable to network security evasion techniques because it is not inline.
IPS Advantages
Advantages of an IPS include:
An IPS sensor can be configured to drop the trigger packets, the packets associated with a connection, or packets from a source IP address.
Because IPS sensors are inline, they can use stream normalization. Stream normalization is a technique used to reconstruct the data stream when the attack occurs over multiple data segments.
IPS Disadvantages
Disadvantages of an IPS include:
Because it is deployed inline, errors, failure, and overwhelming the IPS sensor with too much traffic can have a negative effect on network performance.
An IPS sensor can affect network performance by introducing latency and jitter.
An IPS sensor must be appropriately sized and implemented so that time-sensitive applications, such as VoIP, are not adversely affected.
Deployment Considerations
You can deploy both an IPS and an IDS. Using one of these technologies does not negate the use of the other. In fact, IDS and IPS technologies can complement each other.
For example, an IDS can be implemented to validate IPS operation because the IDS can be configured for deeper packet inspection offline. This allows the IPS to focus on fewer but more critical traffic patterns inline.
Deciding which implementation to use is based on the security goals of the organization as stated in their network security policy.
More vulnerable to network security evasion techniques enabled by various network attack methods
IDS
Can affect network performance by introducing latency and jitter
IPS
Must be implemented so that time-sensitive applications are not adversely affected
IPS
Cannot stop the trigger packet and is not guaranteed to stop a connection
IDS
Deployed in offline mode
IDS
Can use stream normalization techniques to reduce or eliminate many of the network security evasion capabilities that exist
IPS
Can be configured to perform a packet drop to stop the trigger packet
IPS
Primarily focused on identifying possible incidents, logging information about the incidents, and reporting the incidents
IDS
Must be deployed inline, and traffic must be able to pass through it
IPS
Less helpful in stopping email viruses and automated attacks, such as worms
IDS
There are two primary kinds of IPS available:
host-based IPS and network-based IPS.
____ is software installed on a host to monitor and analyze suspicious activity.
Host-based IPS (HIPS)
Advantages of Host-based IPS (HIPS)
Provides protection specific to a host operating system
Provides operating system and application level protection
Protects the host after the message is decrypted
Disadvantages of Host-based IPS (HIPS)
Operating system dependent
Must be installed on all hosts
A _____ can be implemented using a dedicated or non-dedicated IPS device such as a router. ___ implementations are a critical component of intrusion prevention.
network-based IPS
Network-based IPS Sensors can be implemented in several ways:
On a Cisco Firepower appliance
On an ASA firewall device
On an ISR router
As a virtual Next-Generation IPS (NGIPSv) for VMware
An example of a network-based IPS is the ____. It is tuned for intrusion prevention analysis. The underlying operating system of the platform is stripped of unnecessary network services, and essential services are secured. This is known as ____.
Cisco Firepower NGIPS
hardening.
The hardware of all network-based sensors includes three components:
NIC - The network-based IPS must be able to connect to any network, such as Ethernet, Fast Ethernet, and Gigabit Ethernet.
Processor - Intrusion prevention requires CPU power to perform intrusion detection analysis and pattern matching.
Memory - Intrusion detection analysis is memory-intensive. Memory directly affects the ability of a network-based IPS to efficiently and accurately detect an attack.
Modes of Deployment
IDS and IPS sensors can operate in
inline mode (also known as inline interface pair mode) or promiscuous mode (also known as passive mode).
True or False? A HIPS can be configured in either promiscuous or inline mode.
False. A host-based IPS is installed on a host computer. Only network-based IPS can be run in promiscuous or inline mode.
What is true of a NIPS that is running in inline mode?
An inline NIPS can add latency to the network because traffic must be processed before being forwarded to its destination.
What is true of a HIPS?
HIPS software combines anti-virus, anti-malware, and firewall functionality.
What is an example of a HIPS?
Windows Defender is an example of a HIPS that is included with Microsoft Windows.
An IPS sensor has two components:
IPS detection and enforcement engine -
To validate traffic, the detection engine compares incoming traffic with known attack signatures that are included in the IPS attack signature package.
IPS attack signatures package -
This is a list of known attack signatures that are contained in one file. The signature pack is updated frequently as new attacks are discovered. Network traffic is analyzed for matches to these signatures.
The IPS detection and enforcement engine that can be implemented depends on the router platform:
Cisco IOS Intrusion Prevention System (IPS) -
This is available on older Cisco 800, 1900, 2900, and 3900 Series ISRs. IOS IPS is no longer supported and should not be used.
Cisco Snort IPS -
This is available on the Cisco 4000 Series ISRs and Cisco Cloud Services Routers in the 1000v Series.
When Cisco IOS IPS detected suspicious activity, it responded before network security could be compromised. It logged the event as _____
Cisco IOS syslog messages or through Security Device Event Exchange (SDEE).
When packets in a session matched a signature, Cisco IOS IPS could be configured to respond as follows:
Send an alarm to a syslog server or a centralized management interface
Drop the packet
Reset the connection
Deny traffic from the source IP address of the threat for a specified amount of time
Deny traffic on the connection for which the signature was seen for a specified amount of time
___ is available on Cisco ISR 4000 devices.
Snort IPS
The Snort engine runs as a ____ on Cisco 4000 Series ISRs.
virtual service container
In ___, Snort inspects traffic and reports alerts, but does not take any action to prevent attacks.
IDS mode,
Snort IPS is available on which router platform?
Cisco 4000
Where does the Snort engine run?
service container
In which operating mode does Snort IDS inspect traffic and report alerts, but does not take any action to prevent attacks?
IDS mode
Snort can be enabled in either of the following modes:
IDS mode -
Snort inspects the traffic and reports alerts, but does not take any action to prevent attacks.
IPS mode -
In addition to intrusion detection, actions are taken to prevent attacks.
In the network intrusion detection and prevention mode, Snort performs the following actions:
Monitors network traffic and analyzes against a defined rule set.
Performs attack classification.
Invokes actions against matched rules.
Feature of Snort
Signature-based intrusion detection system (IDS) and intrusion prevention system (IPS)
Benefit
Snort open-source IPS, capable of performing real-time traffic analysis and packet logging on IP networks, runs on the 4000 Series ISR service container without the need to deploy an additional device at the branch.
Feature of Snort
Snort rule set updates
Snort rule set updates for 4000 Series ISRs are generated by Cisco Talos, a group of leading-edge network security experts who work around the clock to proactively discover, assess, and respond to the latest trends in hacking activities, intrusion attempts, malware, and vulnerabilities.
Feature of Snort
Snort rule set pull
The router will be able to download rule sets directly from cisco.com or snort.org to a local server, using one-time commands or periodic automated updates.
Feature of Snort
Snort rule set push
A centralized management tool can push the rule sets based on preconfigured policy, instead of the router directly downloading on its own.
Feature of Snort
Signature allowed listing
Allowed listing allows the disabling of certain signatures from the rule set. Disabled signatures can be reenabled at any time.
To run the service container infrastructure with IDS/IPS functionality, Snort IPS requires
an ISR 4000 (i.e., 4300 or higher) with a minimum of 8 GB of memory (DRAM) and 8 GB of flash.
____ is required to activate Snort IPS functionality.
A security K9 license (SEC)
There are two types of term-based subscriptions:
Community Rule Set -
This set offers limited coverage against threats, focusing on reactive response to security threats versus proactive research work. There is 30-day delayed access to updated signatures in the Community Rule Set, and this subscription does not entitle the customer to Cisco support.
Subscriber Rule Set -
This set offers the best protection against threats. It includes coverage in advance of exploits by using the research work of the Cisco Talos security experts. The Subscriber Rule Set also provides the fastest access to updated signatures in response to a security incident or the proactive discovery of a new threat. This subscription is fully supported by Cisco.
____ is a rule management application that can be used to automatically download Snort rule updates. In order to use PulledPork, you must obtain an authorization code, called an ____ from your snort.org account. The ___ is free with registration.
PulledPork
oinkcode,
To determine normal network behavior, network monitoring must be implemented. Various tools are used to help discover normal network behavior including ___
IDS, packet analyzers, SNMP, NetFlow, and others.
Some of these tools require captured network data.
There are two common methods used to capture traffic and send it to network monitoring devices:
Network taps, sometimes known as test access points (TAPs)
Traffic mirroring using Switch Port Analyzer (SPAN) or other port mirroring approaches
A ____ is typically a passive splitting device implemented inline between a device of interest and the network.
network tap
A ____ forwards all traffic, including physical layer errors, to an analysis device while also allowing the traffic to reach its intended destination.
tap
____ are also typically fail-safe, which means that if a ___ fails or loses power, traffic between the firewall and internal router is not affected.
Taps
SPAN Term
Ingress traffic
Traffic that enters the switch.
SPAN Term
Egress traffic
Traffic that leaves the switch.
SPAN Term
Source (SPAN) port
Source ports are monitored as traffic entering them is replicated (mirrored) to the destination ports.
SPAN Term
Destination (SPAN) port
A port that mirrors source ports. Destination SPAN ports often connect to analysis devices such as a packet analyzer or an IDS.
A session number is used to identify a SPAN session.
The ____ command is used to associate a source port and a destination port with a SPAN session.
A separate ____ command is used for each session. A VLAN can be specified instead of a physical port.
Switch(config)# monitor session number source [interface interface | vlan vlan]
Switch(config)# monitor session number destination [interface interface | vlan vlan]
monitor session
S1(config)# monitor session 1 source interface fastethernet 0/1
S1(config)# monitor session 1 destination interface fastethernet 0/2
S1# show monitor
Type : Local Session
Source Ports :
Both : Fa0/1
Destination Ports : Fa0/2
Encapsulation : Native
Ingress : Disabled
What is an IPS signature?
Topic 11.1.0 - An IPS signature uniquely identifies specific malware, protocol anomalies, or malicious traffic. IPS sensors are tuned to look for matching signatures or abnormal traffic patterns. IPS signatures are conceptually similar to the virus.dat file used by virus scanners.
It is a set of rules used to detect typical intrusive activity
Which network technology uses a passive splitting device that forwards all traffic, including Layer 1 errors, to an analysis device?
Topic 11.4.0 - A network tap is a common technology that is used to capture traffic for monitoring the network. The tap is typically a passive splitting device implemented inline on the network and that forwards all traffic, including physical layer errors, to an analysis device.
Network Tap
What is a characteristic of an IPS operating in inline-mode?
Topic 11.2.0 - An IPS in inline-mode is directly in the traffic flow and adds latency. Inline-mode allows the sensor to stop attacks by dropping malicious traffic before it reaches the intended target, thus providing a protective service.
It can stop malicious traffic from reaching the intended target
What is a zero-day attack?
Topic 11.1.0 - A zero-day attack is an attack on a system that uses vulnerabilities that have not yet been reported to, and mitigated by, the vendor.
It is a computer attack that exploits unreported software vulnerabilities
What is a feature of an IPS?
Topic 11.1.0 - An advantage of an intrusion prevention system (IPS) is that it can identify and stop malicious packets. However, because an IPS is deployed inline, it can add latency to the network.
It can stop malicious packets
Which network monitoring technology passively monitors network traffic to detect attacks?
Topic 11.1.0 - Intrusion Detection Systems (IDSs) are network devices that passively monitor the traffic on a network.
IDS
Which open source network monitoring technology performs real-time traffic analysis and generates alerts when threats are detected on IP networks?
Topic 11.3.0 - Snort is an open source network IPS that performs real-time traffic analysis and generates alerts when threats are detected on IP networks. The legacy Cisco IOS IPS allowed a Cisco ISR router to be enabled as an IPS sensor to scan packets and sessions to match any of the Cisco IOS IPS signatures. Port mirroring allows a switch to copy frames that are received on one or more ports to a Switch Port Analyzer (SPAN) that is connected to an analysis device. Remote SPAN (RSPAN) is a variation of SPAN that enables a network administrator to use the flexibility of VLANs to monitor traffic on remote switches.
Snort IPS
Which Cisco platform supports Cisco Snort IPS?
Topic 11.3.0 - The newer ISR routers, Cisco 4000 series, no longer support IOS IPS. The 4000 series routers provide IPS services using Snort.
4000 Series ISR
Which device supports the use of SPAN to enable monitoring of malicious activity?
Topic 11.4.0 - SPAN is a Cisco technology that allows all of the traffic from one port to be redirected to another port.
Cisco Catalyst Switch
What is a host-based intrusion detection system (HIDS)?
Topic 11.2.0 - A current HIDS is a comprehensive security application that combines the functionalities of antimalware applications with firewall protection. An HIDS not only detects malware but also prevents it from executing. Because the HIDS runs directly on the host, it is considered an agent-based system.
It combines the functionalities of antimalware applications with firewall protection
Which network monitoring capability is provided by using SPAN?
Topic 11.4.0 - When enabled on a switch, SPAN (port mirroring) copies frames that are sent and received by the switch and forwards them to another port, known as a Switch Port Analyzer port, which has an analysis device attached.
Traffic exiting and entering a switch is copied to a network monitoring device
What network monitoring tool can be used to copy packets moving through one port, and send those copies to another port for analysis?
Topic 11.4.0 - The Cisco Switched Port Analyzer (SPAN) feature allows traffic that is coming into or out of a port to be copied to a different port so that it can be collected and analyzed.
SPAN