6.4.5 Intrusion Detection and Prevention


Which of the following is true about an intrusion detection system? - An intrusion detection system monitors data packets for malicious or unauthorized traffic. - An intrusion detection system can block malicious activities. - An intrusion detection system maintains an active security role within the network. - An intrusion detection system can terminate or restart other processes on the system.

An intrusion detection system monitors data packets for malicious or unauthorized traffic. An intrusion detection system (IDS) monitors data packets for malicious or unauthorized traffic. However, an IDS takes no action to stop or prevent the attack. It maintains a passive, not an active, role in network security. It cannot terminate or restart other processes, and it cannot block malicious activities.

Which IDS method defines a baseline of normal network traffic and then looks for anything that falls outside of that baseline? - Pattern matching - Dictionary recognition - Anomaly-based - Misuse detection

Anomaly-based Anomaly-based detection defines a baseline of normal network traffic and then looks for anything that falls outside of that baseline. Pattern matching, dictionary recognition, and misuse detection are all names for signature-based detection: they compare traffic against a database of known attack patterns rather than against a learned baseline, so none of them describes this method.

Which IDS traffic assessment indicates that the system identified harmless traffic as offensive and generated an alarm or stopped the traffic? - Negative - Positive - False positive - False negative

False positive A false positive traffic assessment means that the system identified harmless traffic as offensive and generated an alarm or stopped the traffic. A positive traffic assessment means that the system detected an attack and the appropriate alarms and notifications were generated or the correct actions were performed to prevent or stop the attack. A negative traffic assessment means that the system deemed the traffic harmless and let it pass. A false negative traffic assessment means that harmful traffic passed without any alerts being generated or any actions being taken to prevent or stop it. This is the worst possible scenario.

As a security precaution, you've implemented IPsec to work between any two devices on your network. IPsec provides encryption for traffic between devices. You would like to implement a solution that can scan the contents of the encrypted traffic to prevent any malicious attacks. Which solution should you implement? - Protocol analyzer - Port scanner - Host-based IDS - VPN concentrator - Network-based IDS

Host-based IDS A host-based IDS is installed on a single host and monitors all traffic coming into that host. It can analyze IPsec-protected traffic because the host's operating system decrypts the traffic as it is received, before the HIDS inspects it. A network-based IDS is a dedicated device installed on the network that analyzes traffic on the segment it monitors. It cannot analyze encrypted traffic because the packet contents are encrypted so that only the recipient can read them. A protocol analyzer examines packets on the network but likewise cannot look at the contents of encrypted packets. A port scanner probes a device to identify open protocol ports. A VPN concentrator is a device used to establish remote access VPN connections.

You're concerned about attacks directed at your network firewall. You want to be able to identify and be notified of any attacks. In addition, you want the system to take immediate action to stop or prevent the attack, if possible. Which tool should you use? - Port scanner - Packet sniffer - IPS - IDS

IPS Use an intrusion prevention system (IPS) to both detect and respond to attacks. An intrusion detection system (IDS) can detect attacks and send notifications, but it cannot respond to attacks. Use a port scanner to check for open ports on a system or a firewall. Use a packet sniffer to examine packets on your network.

Which of the following is true about an NIDS? - It can analyze fragmented packets. - It can access encrypted data packets. - It detects malicious or unusual incoming and outgoing traffic in real time. - It can monitor changes that you've made to applications and systems.

It detects malicious or unusual incoming and outgoing traffic in real time. An NIDS (network-based intrusion detection system) detects malicious or unusual incoming and outgoing traffic in real time. It cannot read encrypted payloads, and fragmented packets are a classic evasion vector: a signature split across fragments is only matched if the sensor reassembles the fragments before inspection. An HIDS (host-based intrusion detection system) can monitor changes that you've made to applications and systems.
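To show why fragmentation matters for a signature-based NIDS, here is an added example (not part of the original study set) in Python. It models an IP fragment as an offset plus a chunk of data, splits a constructed request carrying a hypothetical signature (`/etc/passwd`) into small fragments, and compares a naive sensor that inspects each fragment in isolation with one that reassembles the datagram first. The `Fragment` class, the signature, and the request payload are all assumptions made for the demonstration.

```python
"""A signature split across IP fragments is invisible to a sensor that does not reassemble."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    """Minimal stand-in for an IP fragment: byte offset into the datagram, data, MF flag."""
    offset: int
    data: bytes
    more_fragments: bool


# Hypothetical signature for a path traversal attempt (constructed for this example).
SIGNATURE = b"/etc/passwd"


def fragment(payload, size):
    """Attacker-side helper: split a payload into fragments of `size` bytes."""
    frags = []
    for off in range(0, len(payload), size):
        chunk = payload[off:off + size]
        frags.append(Fragment(off, chunk, more_fragments=off + size < len(payload)))
    return frags


def naive_match(frags, signature=SIGNATURE):
    """Evadable sensor: looks for the signature inside each fragment on its own."""
    return any(signature in f.data for f in frags)


def reassemble(frags):
    """Rebuild the datagram from fragments in any arrival order.

    Returns None when a fragment is missing or fragments overlap or leave a gap;
    a real sensor must decide a policy for those cases rather than guess.
    """
    ordered = sorted(frags, key=lambda f: f.offset)
    buf = bytearray()
    for f in ordered:
        if f.offset != len(buf):   # gap or overlap: refuse to guess
            return None
        buf += f.data
    if ordered and ordered[-1].more_fragments:
        return None                # final fragment never arrived
    return bytes(buf)


def reassembling_match(frags, signature=SIGNATURE):
    """Sensor that reassembles first, then matches the signature."""
    datagram = reassemble(frags)
    return datagram is not None and signature in datagram


if __name__ == "__main__":
    request = b"GET /../../etc/passwd HTTP/1.1"   # constructed sample request
    small = fragment(request, 8)                  # signature straddles fragments
    print("naive, 8-byte fragments:        ", naive_match(small))        # False
    print("reassembling, 8-byte fragments: ", reassembling_match(small))  # True
```

The naive matcher only works when the whole signature happens to land inside one fragment; once the attacker picks a fragment size that splits it, the evidence disappears. Reassembly restores it, at the cost of the sensor having to buffer state per datagram and to define what it does with gaps, overlaps and never-completed fragment sets.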

Which IDS type can alert you to trespassers? - NIDS - HIDS - VMIDS - PIDS

PIDS A PIDS (perimeter intrusion detection system) can alert you to physical trespassers. VMIDS, NIDS, and HIDS are IDS types. However, they cannot alert you to physical trespassers.

Which IDS method searches for intrusion or attack attempts by recognizing patterns or identifying entities listed in a database? - Signature-based IDS - Stateful inspection-based IDS - Anomaly analysis-based IDS - Heuristics-based IDS

Signature-based IDS A signature-based IDS, or pattern matching-based IDS, is a detection system that searches for intrusion or attack attempts by recognizing patterns that are listed in a database. A heuristics-based IDS is able to perform some level of intelligent statistical analysis of traffic to detect attacks. Anomaly analysis-based IDSs look for changes in the normal patterns of traffic. Stateful inspection-based IDSs search for attacks by inspecting packet contents and associating one packet with another. These searches look for attacks in overall data streams rather than individual packets.

Which of the following describes the worst possible action by an IDS? - The system identified harmless traffic as offensive and generated an alarm. - The system detected a valid attack and the appropriate alarms and notifications were generated. - The system identified harmful traffic as harmless and allowed it to pass without generating any alerts. - The system correctly deemed harmless traffic as inoffensive and let it pass.

The system identified harmful traffic as harmless and allowed it to pass without generating any alerts. The worst possible action an IDS can perform is identifying harmful traffic as harmless and allowing it to pass without generating any alerts. This condition is known as a false negative. Positive traffic assessment means that the system detected a valid attack and the appropriate alarms and notifications were generated. Negative traffic assessment means that the system correctly deemed harmless traffic as inoffensive and let it pass. False positive traffic assessment means that the system identified harmless traffic as offensive and triggered an alarm.

You've just installed a new network-based IDS system that uses signature recognition. What should you do on a regular basis? - Check for backdoors. - Modify clipping levels. - Update the signature files. - Generate a new baseline.

Update the signature files. Signature recognition (also referred to as pattern matching, dictionary recognition, or misuse detection) looks for patterns in network traffic and compares them to known attack patterns called signatures. Signature-based recognition cannot detect unknown attacks. It can only detect attacks identified by published signature files. For this reason, it's important to update signature files on a regular basis. Anomaly recognition (also referred to as behavioral, heuristic, or statistical recognition) monitors traffic to define a standard activity pattern as normal functionality. Clipping levels or thresholds identify deviations from that norm. When the threshold is reached, the system generates an alert or takes an action.
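The flashcards above contrast signature-based detection (which misses anything not in its signature database until the database is updated) with anomaly-based detection (a learned baseline plus a clipping level), and they name the four traffic assessments. The following Python is an added example written for this page, not code from the original study set, that runs both methods over constructed sample events and tallies each verdict as positive, negative, false positive or false negative. The events, the signature regexes (one of which is deliberately over-broad to produce a false positive), and the baseline request rates are all constructed for the demonstration.

```python
"""Signature vs anomaly detection, scored as positive / negative / false positive / false negative."""
import re
import statistics
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One constructed traffic event; `malicious` is ground truth used only for scoring."""
    src: str
    payload: str
    malicious: bool


# Constructed sample traffic (hypothetical, not captured data).
TRAFFIC = [
    Event("10.0.0.5", "GET /index.html HTTP/1.1", False),
    Event("10.0.0.5", "GET /login?user=admin' OR '1'='1 HTTP/1.1", True),
    Event("10.0.0.7", "GET /search?q=<script>alert(1)</script> HTTP/1.1", True),
    Event("10.0.0.8", "GET /docs/O'Reilly%20guide HTTP/1.1", False),
    Event("10.0.0.5", "GET /../../etc/passwd HTTP/1.1", True),   # no signature for this yet
]

# Signature database (assumed). "sqli-quote" is deliberately over-broad: any apostrophe
# fires it, which is how false positives get produced in practice.
SIGNATURES = {
    "sqli-tautology": re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.I),
    "xss-script-tag": re.compile(r"<script[^>]*>", re.I),
    "sqli-quote": re.compile(r"'"),
}


def with_signature(signatures, name, pattern):
    """Return a new signature database with one more entry (the 'signature file update')."""
    updated = dict(signatures)
    updated[name] = re.compile(pattern, re.I)
    return updated


def signature_detect(event, signatures=SIGNATURES):
    """Pattern matching: name of the first signature found in the payload, else None."""
    for name, pattern in signatures.items():
        if pattern.search(event.payload):
            return name
    return None


def assess(alerted, malicious):
    """Name the outcome the way the flashcards do."""
    if alerted and malicious:
        return "positive"
    if alerted and not malicious:
        return "false positive"
    if not alerted and malicious:
        return "false negative"      # the worst case: the attack passed silently
    return "negative"


def score_signatures(traffic=TRAFFIC, signatures=SIGNATURES):
    """Run the signature engine over every event and tally the four assessments."""
    return Counter(assess(signature_detect(e, signatures) is not None, e.malicious)
                   for e in traffic)


# Anomaly-based detection: learn what a normal request rate per source looks like, then
# alert when a source exceeds a clipping level derived from that baseline.
# Constructed baseline: requests per minute observed from a typical source while learning.
BASELINE_RPM = [12, 15, 11, 14, 13, 16, 12, 15, 14, 13]


def clipping_level(baseline=BASELINE_RPM, k=3.0):
    """Threshold = mean + k standard deviations of the learned normal rate."""
    return statistics.mean(baseline) + k * statistics.stdev(baseline)


def anomaly_detect(current_rpm, baseline=BASELINE_RPM, k=3.0):
    """Return the sources whose current requests-per-minute exceed the clipping level."""
    limit = clipping_level(baseline, k)
    return sorted(src for src, rpm in current_rpm.items() if rpm > limit)


if __name__ == "__main__":
    print("before update:", score_signatures())
    updated = with_signature(SIGNATURES, "path-traversal", r"\.\./")
    print("after update: ", score_signatures(signatures=updated))
    print("clipping level: %.1f rpm" % clipping_level())
    print("anomalous sources:", anomaly_detect({"10.0.0.5": 14, "10.0.0.9": 300}))
```

Before the signature update the traversal request is a false negative, and it stays one no matter how often the engine runs; only adding the pattern turns it into a positive. The over-broad `sqli-quote` signature shows the opposite failure, flagging a harmless apostrophe. The anomaly detector has neither problem for a flood from a new source, because it compares against the learned baseline rather than a list of known attacks, but it will also fire on any legitimate burst that crosses the clipping level, which is why the threshold multiplier `k` is a tuning knob rather than a constant.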

