Module 6: Implementing Firewall Technologies and Intrusion Detection Flashcards
A set of rules that is usually used to filter network traffic.
Access Control List (ACL)
It can be configured on network devices with packet filtering capabilities, such as routers and firewalls.
Access Control List (ACL)
A type of ACL that allows you to evaluate only the source IP address of a packet.
standard access list
A type of ACL that allows you to evaluate the source and destination IP addresses, the type of Layer 3 protocol, the source and destination ports, and other parameters.
extended access list
What is the Cisco command to apply ACL to an interface?
R(config-std-nacl)# permit 192.168.11.10
R(config-ext-nacl)# permit 192.168.11.10 0.0.0.255 any
R(config-if)# access-group ADMIN out
R(config-line)# access-class ADMIN in
R(config-if)# access-group ADMIN out
What is the Cisco command to apply ACL to a vty lines?
R(config-if)# access-group ADMIN out
R(config-line)# access-class ADMIN in
R(config-std-nacl)# permit 192.168.11.10
R(config-ext-nacl)# permit 192.168.11.10 0.0.0.255 any
R(config-line)# access-class ADMIN in
What is the Cisco command for configuring named ACL?
access-list 150 permit 192.168.1.2
deny host 192.168.11.10
access-list 99 permit 192.168.1.2
ip access-list ADMIN
ip access-list ADMIN
What is the Cisco command for configuring standard numbered ACL?
access-list 150 permit 192.168.1.2
deny host 192.168.11.10
access-list 99 permit 192.168.1.2
ip access-list ADMIN
access-list 99 permit 192.168.1.2
What is the Cisco command for configuring extended numbered ACL?
access-list 150 permit 192.168.1.2
deny host 192.168.11.10
access-list 99 permit 192.168.1.2
ip access-list ADMIN
access-list 150 permit 192.168.1.2
What is the Cisco command for configuring standard ACE?
R(config-if)# access-group ADMIN out
R(config-line)# access-class ADMIN in
R(config-std-nacl)# permit 192.168.11.10
R(config-ext-nacl)# permit 192.168.11.10 0.0.0.255 any
R(config-std-nacl)# permit 192.168.11.10
What is the Cisco command for configuring extended ACE?
R(config-if)# access-group ADMIN out
R(config-line)# access-class ADMIN in
R(config-std-nacl)# permit 192.168.11.10
R(config-ext-nacl)# permit 192.168.11.10 0.0.0.255 any
R(config-ext-nacl)# permit 192.168.11.10 0.0.0.255 any
The act of disguising a communication from an unknown source as being from a known, trusted source.
Spoofing
It is a supporting protocol used by network devices, including routers, to send error messages and operational information indicating success or failure when communicating with another IP address.
Internet Control Message Protocol (ICMP)
The act of lessening the gravity of an offense or mistake.
Mitigating
An additional option in mitigating ICMP abuse: a message from one host computer to another telling it to reduce the pace at which it is sending packets to that host.
source quench
An additional option in mitigating ICMP abuse: a message generated as a response to any error not specifically covered by another ICMP message.
Internet Control Message Protocol (ICMP) Parameter problem message
An additional option in mitigating ICMP abuse: a message generated by the host or its inbound gateway to inform the client that the destination is unreachable for some reason.
Internet Control Message Protocol (ICMP) Destination unreachable
A transition technology that gives full IPv6 connectivity for IPv6-capable hosts that are on the IPv4 Internet but have no native connection to an IPv6 network.
Teredo
A protocol that uses ICMP messages and solicited-node multicast addresses to determine the link-layer address of a neighbor on the same network (local link), verify the reachability of a neighbor, and track neighboring devices.
Neighbor Discovery (ND) protocol
This is the counterpart of the ARP reply in IPv6.
neighbor advertisement
This is the counterpart of the ARP request in IPv6.
neighbor solicitation
A simple form of security that is resistant to attack.
firewall
A simple form of security that is the only transit point between networks because all traffic flows through the firewall.
firewall
A simple form of security that enforces the access control policy.
firewall
A firewall technique which is also known as static filtering.
Packet filtering
A firewall that operates on a router to protect private networks.
NAT firewall
A firewall that can be used to deny untrusted users on the Internet access to the resources of private networks.
Application Gateway
A firewall that provides application-level control over network traffic.
Application Gateway
A firewall that protects the identity of a network and doesn’t show internal IP addresses to the internet.
Network Address Translation (NAT) firewall
A firewall that works by only allowing internet traffic to pass through if a device on the private network requested it.
Network Address Translation (NAT) firewall
A firewall that monitors the full state of active network connections.
stateful firewall
A firewall technique used to control network access by monitoring outgoing and incoming packets and allowing them to pass or halt based on the source and destination Internet Protocol (IP) addresses, protocols and ports.
Packet filtering
A firewall that constantly analyzes the complete context of traffic and data packets seeking entry to a network, rather than discrete traffic and data packets in isolation.
stateful firewall
A firewall that operates on a router to protect private networks.
Network Address Translation (NAT) firewall
This configuration model offers intuitive policies for multiple-interface routers, increased granularity of firewall policy application, and a default deny-all policy that prohibits traffic between firewall security zones until an explicit policy is applied to allow desirable traffic.
Zone-Based Policy Firewall
What are the considerations for network layered defense?
- network core security
- perimeter security
- endpoint security
- communications security
What are common ZPF designs?
- LAN-to-Internet
- firewalls between public servers
- redundant firewalls
- complex firewalls
A ZPF action that configures Cisco IOS stateful packet inspection.
inspect
A ZPF action that is analogous to a deny statement in an ACL.
drop
A ZPF action that is analogous to a permit statement in an ACL.
Pass
An attack that refers to a newly discovered software vulnerability where the patch or update to fix the issue has not been released.
zero-day
It detects and stops attacks. It responds immediately, not allowing any malicious traffic to pass.
intrusion prevention system (IPS)
It monitors attacks only.
intrusion detection system (IDS)
Factors affecting the IPS sensor selection and deployment
- Amount of network traffic
- Network topology
- Security budget
- Available security staff to manage IPS
A mode of deployment for IPS where it allows the sensor to stop attacks by dropping malicious traffic before it reaches the intended target, thus providing a protective service.
inline mode
A mode of deployment for IPS where the IPS is put directly into the traffic flow and affects packet-forwarding rates, making them slower by adding latency.
inline mode
A mode of deployment for IPS where the IPS does not affect the packet flow of the forwarded traffic.
promiscuous mode
A mode of deployment for IPS where the IPS cannot stop malicious traffic from reaching its intended target for certain types of attacks, such as atomic attacks (single-packet attacks).
promiscuous mode
A mode of deployment for IPS where the packets do not flow through the IPS.
promiscuous mode
A technique that localizes the target device and the analyzer system on the same network segment by plugging them directly into a hub.
Hubbing out
The most basic networking device that connects multiple computers or other network devices together.
hub
A Cisco feature that duplicates network traffic to one or more monitor interfaces as it traverses the switch.
switch port analyzer
A Cisco feature that is an efficient, high-performance traffic monitoring system.
switch port analyzer
A Cisco SPAN command used to associate a source port and a destination port with a SPAN session.
Monitor session command
A Cisco SPAN command used to verify the SPAN session.
Show monitor command
It is a set of rules that an IDS and an IPS use to detect typical intrusion activity.
signature
What are the distinct attributes of a signature?
- Type
- Trigger (alarm)
- Action
A signature type that consists of a single packet, activity, or event that is examined to determine if it matches a configured signature.
atomic
A signature type that identifies a sequence of operations distributed across multiple hosts over an arbitrary period of time.
composite
A Cisco IOS micro-engine where the internal engine handles miscellaneous signatures.
Other
A Cisco IOS micro-engine that supports flexible pattern matching and Trend Labs signatures.
Multi-string
A Cisco IOS micro-engine that examines simple packets.
Atomic
A Cisco IOS micro-engine that examines the many services that are attacked.
Service
A Cisco IOS micro-engine that uses regular-expression-based patterns to detect intrusions.
String
A signature alarm detection type that is easy to configure, produces fewer false positives, and relies on good signature design.
Pattern-based
A signature alarm detection type that is simple, reliable, and has a customizable policy.
Anomaly-based
A signature alarm detection type that is easy to configure and can detect unknown attacks.
Policy-based
A signature alarm detection type that provides a window to view attacks, distracts and confuses attackers, slows down and averts attacks, and collects information about the attack.
Honey pot-based
IPS Planning and Monitoring Considerations
- Management method
- Event correlation
- Security staff
- Incident response plan
A new standard proposed by the International Computer Security Association that specifies the format of messages and protocol used to communicate events generated by security devices.
Security Device Event Exchange (SDEE)
A standard protocol used to send system log or event messages to a specific server, called a syslog server.
System Logging Protocol
A Cisco IPS feature that contains detailed information about known threats on the Internet, including serial attackers, botnet harvesters, malware outbreaks, and dark nets.
cisco sensorbase network
It works by blocking traffic to or from IP addresses that have a known bad reputation.
Security Intelligence
A Cisco IPS feature that allows you to immediately blacklist (block) connections based on the latest reputation intelligence, removing the need for a more resource-intensive, in-depth analysis.
Security Intelligence feature
A term related to signatures that means Cisco IOS IPS will compile that signature into memory and use the signature to scan traffic.
unretiring
A term related to signatures that means Cisco IOS IPS will NOT compile that signature into memory for scanning.
retiring