Module 12 Flashcards

1
Q

A ____ is a set of rules that an IDS and an IPS use to detect typical intrusion activity.

____ uniquely identify specific viruses, worms, protocol anomalies, and malicious traffic (e.g., DoS attacks).

Malicious traffic displays distinct characteristics or _____.

A

signature

2
Q

Signatures also have three distinctive attributes:

A

Type - Atomic or Composite

Trigger - Also called the alarm

Action - What the IPS will do

3
Q

There are two types of signatures:

A

Atomic Signature -

Composite Signature -

4
Q

This is the simplest type of signature because a single packet, activity, or event identifies an attack. The IPS does not need to maintain state information and traffic analysis can usually be performed very quickly and efficiently.

A

Atomic Signature -

5
Q

Also called a stateful signature because the IPS requires several pieces of data to match an attack signature. The IPS must also maintain state information, which is referred to as the event horizon. The length of an event horizon varies from one signature to the next.

A

Composite Signature -

6
Q

The heart of any IPS signature is the ____, which is often referred to as the signature trigger.

A

signature alarm

7
Q

There are four general IPS signature trigger categories:

A

Pattern-based detection

Anomaly-based detection

Policy-based detection

Honey pot-based detection

8
Q

Also known as signature-based detection.

Simplest triggering mechanism as it searches for a specific and pre-defined atomic or composite pattern.

An IPS sensor compares the network traffic to a database of known attacks, and triggers an alarm or prevents communication if a match is found.

A

Pattern-based detection

9
Q

Also known as profile-based detection.

Involves first defining a profile of what is considered normal network or host activity.

This normal profile is usually defined by monitoring traffic and establishing a baseline.

Once defined, any activity beyond a specified threshold in the normal profile will generate a signature trigger and action.

A

Anomaly-based detection

10
Q

Also known as behavior-based detection.

It is similar to pattern-based detection, but an administrator manually defines the behaviors that are considered suspicious, based on historical analysis.

The use of behaviors enables a single signature to cover an entire class of activities without having to specify each individual situation.

A

Policy-based detection

11
Q

Uses a decoy server to attract attacks.

The purpose of a decoy server is to lure attacks away from production devices.

Allows administrators time to analyze incoming attacks and malicious traffic patterns to tune their sensor signatures.

A

Honey pot-based detection

12
Q

Generate an alert

A

Produce alert
- The IPS sends events as alerts.

Produce verbose alert
- The IPS sends a detailed event alert.

13
Q

Log the activity

A

Log attacker packets
- Logs packets from the attacker IP address and sends an alert.

Log pair packets
- Logs packets from the victim and attacker IP addresses and sends an alert.

Log victim packets
- Logs packets from the victim IP address and sends an alert.

14
Q

Deny the activity

A

Deny packet inline
- Terminates the packet.

Deny connection inline
- Terminates the current packet and future packets on this TCP flow.

Deny attacker inline
- Terminates the current packet and future packets from this attacker address for a specified period of time.

15
Q

Reset the TCP connection

A

Reset TCP connection
- Sends TCP resets to hijack and terminate the TCP flow.

16
Q

Block future activity

A

Request block connection
- Sends a request to a blocking device to block this connection.

Request block host
- Sends a request to a blocking device to block this attacker host.

Request SNMP trap
- Sends a request to the notification application component of the sensor to perform SNMP notification.

17
Q

____ are desirable and indicate the IPS is functioning properly.

A

True positives and true negatives

18
Q

____ are undesirable and must be investigated.

A

False positives and false negatives

19
Q

Alerts can be classified as follows:

A

True positive - (Desirable) This is used when the IPS generates an alarm because it detected known attack traffic. The alert has been verified to be an actual security incident and also indicates that the IPS rule worked correctly.

True negative - (Desirable) This is used when the system is performing as expected. No alerts are issued because the traffic that is passing through the system is clear of threats.

False positive - (Undesirable) This is used when an IPS generates an alarm after processing normal user traffic that should not have triggered an alarm. The IPS must be tuned to change these alarm types to true negatives. The alert does not indicate an actual security incident. Benign activity that results in a false positive is sometimes referred to as a benign trigger. False positives are costly because they must be investigated.

False negative - (Dangerous) This is used when an IPS fails to generate an alarm and known attacks are not being detected. This means that exploits are not being detected by the security systems that are in place. These incidents could go undetected for a long time, and ongoing data loss and damage could result. The goal is for these alarm types to generate true positive alarms.

20
Q

The ____ action logs the attacker IP address and sends an alert.

A

log attacker packets

21
Q

The ____ action drops a malicious packet only.

A

deny packet inline

22
Q

The ____ action generates a packet for the connection with a special flag set.

A

reset TCP connection

23
Q

Which action logs the IP address from a malicious source only and sends an alert?

A

log attacker packets

24
Q

Which action terminates a malicious packet only?

A

deny packet inline

25
Q

Which action makes the IPS device send TCP resets to hijack and terminate a TCP flow?

A

reset TCP connection

26
Q

Which two options are components of Snort IPS running on an ISR 4000?

A

The two components of running Snort IPS on an ISR 4000 are the Snort engine and the Snort rule set.

27
Q

What are the three actions supported by Snort IDS? (Choose three.)

A

Snort IDS mode actions are alert, log, and pass.

28
Q

Organizations now have three options available to provide intrusion prevention services.

A

Cisco Firepower Next-Generation IPS (NGIPS) -
These are dedicated in-line threat prevention appliances that provide industry leading effectiveness against both known and unknown threats.

Cisco Snort IPS -
This is an IPS service that can be enabled on a second generation ISR (ISR G2) (i.e., ISR 4000s). Note that Cisco 4000 ISRs no longer support Cisco IOS IPS.

External Snort IPS Server -
This is similar to the Cisco Snort IPS solution but requires a promiscuous port (i.e., a SPAN switch port) and an external Snort IDS/IPS.

29
Q

____ are dedicated IPS appliances. They are built on Snort’s core open technology and use vulnerability-focused IPS rules and embedded IP-, URL-, and DNS-based security intelligence provided by Cisco Talos.

A

NGIPSs

30
Q

NGIPS features include the following:

A

IPS rules that identify and block attack traffic targeted at network vulnerabilities.

Tightly integrated defense against advanced malware by incorporating advanced analysis of network and endpoint activity.

Sandboxing technology that uses hundreds of behavioral indicators to identify zero-day and evasive attacks.

Also includes Application Visibility and Control (AVC), Cisco Advanced Malware Protection (AMP) for Networks, and URL Filtering.

31
Q

Snort IPS on the 4000 Series ISR provides the following functionalities:

A

IDS and IPS mode -
Configure threat detection or prevention mode. In prevention mode, attack traffic will be dropped.

Three signature levels -
Snort provides three levels of signature protection: connectivity (least secure), balanced (middle option), and security (most secure). The security level is the most secure as it enables the highest number of signatures to be verified.

An allowed list -
This provides the ability to turn off certain signatures and helps to avoid false positives such as legitimate traffic triggering an IPS action. Up to 1000 entries can be supported in the allowed list.

Snort health monitoring -
Cisco IOS Software keeps track of the health of the Snort engine that is running in the service container.

Fail open and close -
In the event of IPS engine failure, the router can be configured to block the traffic flow or to bypass IPS checking until the Snort engine recovers.

Signature update -
Automatic and manual updates are supported. Snort IPS can download the signature package directly from cisco.com or a local resource location over HTTP and HTTPS.

Event logging -
IPS logs can be sent to an independent log collector or included along with the router syslog stream. Sending IPS logs separately helps if the security event management tool is different from the regular syslog server.

32
Q

Snort IPS for 4000 Series ISRs consists of two components:

A

Snort engine -
This is the IPS detection and enforcement engine that is included in the Security (SEC) license for 4000 Series ISRs.

Snort rule software subscriptions for signature updates -
Snort rule sets to keep current with the latest threat protection are term-based subscriptions, available for one or three years.

33
Q

There are two types of term-based subscriptions:

A

Community Rule Set -
Available for free, this subscription offers limited coverage against threats. The community rule set focuses on reactive response to security threats rather than proactive research work. There is also a 30-day delayed access to updated signatures, meaning that the newest rules will be a minimum of 30 days old. In addition, there is no Cisco customer support available.

Subscriber Rule Set -
Available for a fee, this service provides the best protection against threats. It includes coverage in advance of exploits by using the research work of the Cisco Talos security experts. The Subscriber Rule Set also provides the fastest access to updated signatures in response to a security incident or the proactive discovery of a new threat. This subscription is fully supported by Cisco.

34
Q

Snort IDS mode can perform the following three actions:

A

Alert - Generate an alert using the selected alert method.

Log - Log the packet.

Pass - Ignore the packet.

35
Q

Snort IPS mode can perform all the IDS actions plus the following:

A

Drop - Block and log the packet.

Reject - Block the packet, log it, and then send a TCP reset if the protocol is TCP or an ICMP port unreachable message if the protocol is UDP.

Sdrop - Block the packet but do not log it.

36
Q

Snort IPS requires two VPG interfaces:

A

Management interface -
This is the interface that is used to source logs to the log collector and for retrieving signature updates from Cisco.com. For this reason, this interface requires a routable IP address.

Data interface -
This is the interface that is used to send user traffic between the Snort virtual container service and the router forwarding plane.

37
Q

To deploy Snort IPS on supported devices, perform the following steps:

A

Step 1. Download the Snort OVA file.
An Open Virtualization Archive (OVA) is a file that contains a compressed, installable version of a virtual machine.

Step 2. Install the OVA file.
R1# virtual-service install name virtual-service-name package file-url media file-system

Step 3. Configure Virtual Port Group interfaces.
R1# configure terminal
R1(config)# interface VirtualPortGroup0
R1(config-if)# description Management interface
R1(config-if)# ip address 209.165.201.1 255.255.255.252
R1(config-if)# exit

Two VirtualPortGroup (VPG) interfaces must then be configured along with their guest IP addresses.

VPG0 - This is for management traffic to exchange information with IPS servers. The guest IP address needs to be routable to connect to the signature update server and external log server. It is also used to send logs to log collectors.
VPG1 - This is for user traffic marked for inspection. This should not be routable and should therefore use a non-routable private IP address.

Step 4. Activate the virtual services.
R1(config)# virtual-service MYIPS
R1(config-virt-serv)# vnic gateway VirtualPortGroup0
R1(config-virt-serv-vnic)# guest ip address 209.165.201.2
R1(config-virt-serv-vnic)# exit
R1(config-virt-serv)# vnic gateway VirtualPortGroup1
R1(config-virt-serv-vnic)# guest ip address 192.168.0.2
R1(config-virt-serv-vnic)# exit
R1(config-virt-serv)# activate

Step 5. Configure Snort specifics.
R1(config)# utd engine standard
R1(config-utd-eng-std)# logging host 10.10.10.254
R1(config-utd-eng-std)# logging syslog
R1(config-utd-eng-std)#
R1(config-utd-eng-std)# threat-inspection
R1(config-utd-engstd-insp)# threat protection
R1(config-utd-engstd-insp)# policy balanced
R1(config-utd-engstd-insp)#
R1(config-utd-engstd-insp)# signature update occur-at daily 0 0
R1(config-utd-engstd-insp)# signature update server cisco username Bob password class
R1(config-utd-engstd-insp)# logging level warning
R1(config-utd-engstd-insp)#
R1(config-utd-engstd-insp)# exit
R1(config-utd-eng-std)# exit
R1(config)#

Step 6. Enable IPS globally or on desired interfaces.
R1(config)# utd
R1(config-utd)# all-interfaces
R1(config-utd)#
R1(config-utd)# engine standard
R1(config-engine-std)# fail close
R1(config-engine-std)# exit
R1(config-utd)# exit
R1(config)#

Step 7. Verify Snort IPS.
show virtual-service list - The command displays an overview of resources that are utilized by the applications.
show virtual-service detail - The command displays a list of resources that are committed to a specified application, including attached devices.
show utd engine standard config - The command displays the UTD configuration.
show utd engine standard status - The command displays the status of the UTD engine.
show platform hardware qfp active feature utd stats - The command checks the data plane. It verifies increments for encap, decap, redirect, and reinject and displays a health of “Green”.

38
Q

The threat-inspection command configures threat inspection for the Snort engine. From here you can specify which mode Snort will be in:

A

threat protection - Snort will be in IPS mode.

threat detection - Snort will be in IDS mode.

39
Q

The three policy settings in order from least protection to most protection are:

A

connectivity -
This provides the least protection as it prioritizes connectivity over security. Approximately 1,000 rules are pre-loaded using this policy.

balanced -
This is the default policy. It is recommended for initial deployments. This policy attempts to balance security needs and performance characteristics of the network. Approximately 8,000 rules are pre-loaded using this policy.

security -
This provides the most protection. It is designed for organizations that are exceptionally concerned about security. Customers deploy this policy in protected networks that have lower bandwidth requirements but much higher security requirements. Approximately 12,000 rules are pre-loaded using this policy.

40
Q

Snort can be configured to:

A

fail-open (default) -
When there is a UTD engine failure, this option allows all of the IPS/IDS traffic through without being inspected.

fail-close -
If enabled, this option drops all the IPS/IDS traffic when there is a UTD engine failure. Therefore, no traffic will be allowed to leave.

41
Q

Which type of file contains a compressed, installable version of the Snort IPS virtual machine?

A

The Open Virtualization Archive (OVA) file contains a compressed, installable version of a virtual machine.

42
Q

Which Snort IPS interface statement is true?

A

Snort IPS requires a virtual port group interface for management traffic and another for user traffic to be inspected.

43
Q

Which IPS signature trigger category uses the simplest triggering mechanism and searches for a specific and pre-defined atomic or composite pattern?

A

Topic 12.1.0 - The pattern-based detection trigger is also known as signature-based. This is the simplest triggering mechanism because it searches for specific pre-defined patterns known as signatures.

pattern-based detection

44
Q

What term describes a set of rules used by an IDS or IPS to detect typical intrusion activity?

A

Topic 12.1.0 - A signature is a set of rules that an IDS and an IPS use to detect typical intrusion activity, such as DoS attacks. These signatures uniquely identify specific worms, viruses, protocol anomalies, and malicious traffic.

signature

45
Q

Which type of alert is generated when an IPS incorrectly identifies normal network user traffic as attack traffic?

A

Topic 12.1.0 - A false positive occurs when an IPS generates an alarm after processing normal user network traffic. The IPS must be tuned to change these alarm types to true negatives. The alert does not indicate an actual security incident. Benign activity that results in a false positive is sometimes referred to as a benign trigger. False positives are costly because they must be investigated.

false positive

46
Q

What is a characteristic of the Snort subscriber rule set term-based subscription?

A

Topic 12.2.0 - There are two types of Snort term-based subscriptions:
Community Rule Set - Available for free and provides limited coverage against threats. There is also a 30-day delayed access to updated signatures and there is no Cisco customer support available.
Subscriber Rule Set - Available for a fee and provides the best protection against threats. It includes coverage in advance of exploits by using the research work of the Cisco Talos security experts. This subscription is fully supported by Cisco.

it is available for a fee

47
Q

Which classification indicates that an alert is verified as an actual security incident?

A

Topic 12.1.0 -
Alerts can be classified as follows:
True Positive: The alert has been verified to be an actual security incident.
False Positive: The alert does not indicate an actual security incident. Benign activity that results in a false positive is sometimes referred to as a benign trigger.
An alternative situation is that an alert was not generated. The absence of an alert can be classified as follows:
True Negative: No security incident has occurred. The activity is benign.
False Negative: An undetected incident has occurred.

true positive

48
Q

Which intrusion prevention service was available on first-generation ISR routers and is no longer supported by Cisco?

A

Topic 12.2.0 - Cisco IOS IPS was available on the first-generation of Integrated Services Routers, however support was discontinued in 2018. As a result, IOS IPS is no longer recommended by Cisco on branch routers.

Cisco IOS IPS

49
Q

Which statement correctly describes the configuration of a Snort VPG interface?

A

Topic 12.3.0 - The VPG0 interface is used for management traffic to exchange information with IPS servers. The guest IP address needs to be routable on the internet to connect to the signature update server and external log server. The VPG1 interface is for user traffic that should be inspected. The VPG1 interface address should not be routable and therefore should use a non-routable private IP address.

the VPG0 interface must have a routable address with access to the internet

50
Q

What are three actions that can be performed by Snort in IDS mode? (Choose three.)

A

Topic 12.2.0 - Snort in IDS mode can perform the following three actions:
Alert - Generate an alert using the selected alert method, and then log the packet.
Log - Log the packet.
Pass - Ignore the packet.

alert, log, pass

51
Q

Which device is a dedicated inline threat prevention appliance that is effective against both known and unknown threats?

A

Topic 12.2.0 - The Cisco FirePOWER NGIPS is a dedicated inline threat prevention appliance. It is effective in preventing both known and unknown threats.

Cisco FirePOWER NGIPS

52
Q

Which rule action will cause Snort IPS to block a packet without logging it?

A

Topic 12.2.0 - There are several rule actions that can be configured for Snort:
Alert - Generate an alert using the selected alert method, and then log the packet.
Log - Log the packet.
Pass - Ignore the packet.
Drop - Block and log the packet.
Reject - Block the packet, log it, and then send a TCP reset if the protocol is TCP or an ICMP port unreachable message if the protocol is UDP.
Sdrop - Block the packet but do not log it.

Sdrop

53
Q

What is the source for IPS rule updates when using a Cisco intrusion prevention service?

A

Topic 12.2.0 - All Cisco supported IPS solutions use Cisco Talos to receive IPS rule updates.

Cisco Talos