Cisco IPS/IDS Fundamentals


Which method requires participation in global correlation involving groups outside your own enterprise? A. Reputation-based IPS B. Policy-based IPS C. Signature-based IPS D. Anomaly-based IPS

Reputation-based IPS

List 6 recommended IPS/IDS best practices.

1. Implement an IPS so that you can analyze traffic going to your critical servers.
2. Use modules or IOS software-based IPS/IDS if you cannot afford appliances.
3. Take advantage of global correlation to improve resistance against attacks that may be moving towards your organization.
4. Use a risk-based approach, where countermeasures occur based on the calculated risk rating.
5. Use automated signature updates when possible.
6. Continue to tune the IPS/IDS infrastructure as traffic flows and network devices/topologies change.

What are 4 different methods a sensor can be configured for to identify malicious traffic?

1. Signature-based
2. Policy-based
3. Anomaly-based
4. Reputation-based

List 5 factors that influence risk rating.

1. Target Value Rating (TVR)
2. Signature Fidelity Rating (SFR)
3. Attack Severity Rating (ASR)
4. Attack Relevancy (AR)
5. Global Correlation

Which of the following are properties directly associated with signatures? (Choose all that apply) A. ASR B. SVR C. TVR D. RR

ASR SVR

A method of identifying malicious traffic. Ex. Creating a baseline of how many TCP connection requests per minute, on average, do not receive a response. If the number of half-open sessions rises above that baseline, the sensor generates an alert or denies packets.

Anomaly-based

A method of identifying malicious traffic. Uses self-configuring baselines and can detect worms based on anomalies, even if specific signatures have not been created yet for that type of traffic. It is difficult to accurately profile extremely large networks, and it may cause false positives when valid network traffic changes significantly.

Anomaly-based

Which method of IPS uses a baseline of normal network behavior and looks for deviations from that baseline? A. Reputation-based IPS B. Policy-based IPS C. Signature-based IPS D. Anomaly-based IPS

Anomaly-based IPS

Which of the following is not a best practice? A. Assign aggressive IPS responses to specific signatures B. Assign aggressive IPS responses based on the resulting risk rating generated by the attack C. Tune the IPS and revisit the tuning process periodically D. Use correlation within the enterprise and globally, for an improved security posture

Assign aggressive IPS responses to specific signatures

Micro-Engines (Groupings of signatures). Signatures that can match on a single packet, as compared to a string of packets.

Atomic

Which of the micro-engines contains signatures that can only match on a single packet, as opposed to a flow of packets? A. Atomic B. String C. Flood D. Other

Atomic

Factor that influences Risk Rating. This is a minor contributor to the risk rating. A signature match that is destined to a host where the attack is relevant, such as a Windows server-based attack, which is going to the destination address of a known Windows server, is considered a relevant attack, and the risk rating increases slightly as a result.

Attack Relevancy (AR)

Factor that influences Risk Rating. How critical the attack is as determined by the person who created that signature.

Attack Severity Rating (ASR)

IPS/IDS Evasion Techniques. If an IPS/IDS sees only encrypted traffic, the attacker can build an SSL or IPsec session between himself and the victim and could then send private data over that VPN. Anti-Evasion: Encrypted traffic through the sensor cannot be inspected. If using GRE tunnels, there is support for inspection as long as the data is not encrypted.

Encryption and tunneling

When there is malicious traffic on the network and, for whatever reason, the IPS/IDS did not trigger an alert, so there is no visual indicator that anything negative is going on.

False negative

When the sensor generates an alert about traffic and that traffic is not malicious or important as related to the safety of the network.

False positive

Factor that influences Risk Rating. If the sensor is participating and receives information about specific source addresses that are being used to implement large-scale attacks, attacks coming from the source IP addresses are also given a slightly increased risk rating value.

Global Correlation

A company has hired you to determine whether attacks are happening against the server farm, and they do not want any additional delay added to the network. Which deployment method should be used? A. Appliance based inline B. IOS software based inline C. Appliance based IPS D. IDS

IDS

Which method should you implement when it is not acceptable for an attack to reach its intended victim? A. IDS B. IPS C. Out of band D. Hardware appliance

IPS

This type of device is not inline (Promiscuous mode) with the network and can alert administrators about an attack on the network using signature matching. It does not prevent the initial packet from entering the network. No delay is added to the original packet since it is not inline with production traffic. It does not hinder network performance if it fails.

Intrusion Detection System (IDS)

This type of device is placed inline on a network and can alert administrators about an attack on the network using signature matches. It can prevent the initial packet from entering the network. All traffic is slightly delayed because the traffic is analyzed as it goes through the network. Also acts as a single point of failure.

Intrusion Prevention System (IPS)

Micro-Engines (Groupings of signatures). Miscellaneous signatures that may not specifically fit into the other categories.

Other

A method of identifying malicious traffic. It can be implemented based on the policy for your network. Ex. If network policy states no telnet traffic is allowed, you can configure a custom rule on the IPS/IDS to generate an alert and drop packets.

Policy-based

A method of identifying malicious traffic. Simple, reliable and customizable; it only allows traffic permitted by policy, so it can deny unknown attacks. Rules must be manually created, so the implementation is only as good as the signatures you manually create.

Policy-based

Which type of implementation requires custom signatures to be created by the administrator? A. Reputation-based IPS B. Policy-based IPS C. Signature-based IPS D. Anomaly-based IPS

Policy-based IPS

IPS/IDS Evasion Techniques. An attacker may attempt to cause a sensor to misinterpret the end-to-end meaning of a network protocol and so perhaps not catch an attack in progress. Anti-Evasion: IP Time-To-Live (TTL) analysis, TCP checksum validation.

Protocol level misinterpretation

A method of identifying malicious traffic. Leverages enterprise and global correlation, providing info based on the experience of other systems. Requires timely updates and participation in the correlation process.

Reputation-based

A method of identifying malicious traffic. Collects input from systems all over the planet that are participating in global correlation; so what other sensors have learned collectively, your local sensor can use locally. May include descriptors such as blocks of IP addresses, URLs, DNS domains.

Reputation-based

IPS/IDS Evasion Techniques. If thousands of alerts are being generated by distractor attacks, an attacker may just be trying to disguise the single attack that they are actually trying to accomplish. The flood could overwhelm the sensor and the admin team who has to view the events. Anti-Evasion: Dynamic and configurable event summarization.

Resource exhaustion

What is the name of Cisco cloud-based services for IPS correlation? A. SIO B. EBAY C. ISO D. OSI

SIO

The protocol used for real-time delivery of alerts; it is the most secure method for delivering alerts.

Security Device Event Exchange (SDEE)

Micro-Engines (Groupings of signatures). Signatures that examine application layer services, regardless of the OS.

Service

Factor that influences Risk Rating. The accuracy of the signature as determined by the person who created that signature.

Signature Fidelity Rating (SFR)

A method of identifying malicious traffic. A set of rules looking for a specific pattern or characteristics in either a single packet or a stream of packets. A sensor may come with thousands of default signatures, which can be enabled/disabled by the admin. This is the most widely used method with IPS/IDS.

Signature-based

A method of identifying malicious traffic. Easy to configure, simple to implement. Does not detect attacks outside of the rules. May need to disable some signatures that are creating false positives. Must keep updated periodically to be current.

Signature-based

Which IPS/IDS method is the most prominent way to identify malicious traffic?

Signature-based

Micro-Engines (Groupings of signatures). Supports flexible pattern matching, and can be identified in a single packet or group of packets, such as a session.

String or Multistring

Factor that influences Risk Rating. The value that an administrator has assigned to specific destination IP addresses or subnets where the critical servers/devices live.

Target Value Rating (TVR)

Why does IPS have the ability to prevent an ICMP-based attack from reaching the intended victim? A. Policy-based routing B. TCP resets are used C. The IPS is inline with the traffic D. The IPS is in promiscuous mode

The IPS is inline with the traffic

IPS/IDS Evasion Techniques. An attacker sends packets at a rate low enough that no signature is triggered. Anti-Evasion: Configurable intervals and use of third-party correlation.

Timing attacks

IPS/IDS Evasion Techniques. The attacker splits malicious traffic into multiple parts with the intent that any detection system will not see the attack for what it really is. Anti-Evasion: Complete session reassembly so that the IPS/IDS can see the big picture.

Traffic fragmentation

IPS/IDS Evasion Techniques. The attacker substitutes characters in the data using different formats that have the same final meaning. Anti-Evasion: Looking for Unicode, case sensitivity, substitution of spaces with tabs, and other similar anti-evasion techniques.

Traffic substitution and insertion

When there was normal, non-malicious traffic and the sensor did not generate any type of alert, which is normal sensor behavior for non-malicious traffic.

True negative

When there was malicious traffic and the sensor saw it and reported on it. If the sensor is an IPS it may have dropped the malicious traffic based on your current set of rules in place.

True positive
