CCNA Security: Intrusion Prevention

Questions and Answers

Which of the following is a primary characteristic of a zero-day attack?

  • Relying on social engineering tactics.
  • Exploitation of a vulnerability with a known patch.
  • Targeting only high-profile servers.
  • Exploitation of a vulnerability that is unknown to the software vendor or antivirus vendors. (correct)

What is the primary function of an Intrusion Detection System (IDS)?

  • To provide secure remote access to the network.
  • To encrypt all network communications.
  • To passively monitor network traffic and alert administrators to potential threats. (correct)
  • To actively block malicious traffic.

In which operational mode does an Intrusion Prevention System (IPS) work to actively prevent malicious traffic?

  • Inline mode. (correct)
  • Monitoring mode.
  • Promiscuous mode.
  • Passive mode.

Which OSI layers are typically monitored by an Intrusion Prevention System (IPS) for threat detection?

  • Layers 3 and 4 (correct)

What is a key advantage of using an Intrusion Detection System (IDS) over an Intrusion Prevention System (IPS)?

  • IDS has no impact on network performance during a sensor failure. (correct)

Which of the following statements accurately describes a key disadvantage of an Intrusion Prevention System (IPS)?

  • Sensor overloading can impact network performance. (correct)

Which characteristic is common to both Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)?

  • The use of signatures to detect patterns of misuse. (correct)

Which of the following is a benefit of using a Host-Based Intrusion Prevention System (HIPS)?

  • Protection specific to the host operating system. (correct)

What is a limitation of a Network-Based Intrusion Prevention System (NIPS) regarding encrypted traffic?

  • It cannot inspect encrypted traffic. (correct)

What factor should be considered when choosing an appropriate IPS solution for a network?

  • The amount of network traffic. (correct)

In a network that uses Cisco SPAN (Switched Port Analyzer), what is the primary purpose of configuring a monitor session?

  • To associate a source port and a destination port for traffic mirroring. (correct)

What command is used on a Cisco device to configure a SPAN session for intrusion detection?

  • monitor session (correct)

What does an IPS signature define?

  • A set of rules used to detect typical intrusion activity. (correct)

An IPS signature has how many distinct attributes?

  • Three (correct)

Which type of IPS signature consists of a single packet activity or event?

  • Atomic (correct)

An IT department has configured their IPS to trigger an alarm when any traffic matches a specific signature, however the alarm is generated even when legitimate users access those resources. What type of alarm is the IPS generating?

  • False positive (correct)

An IT department deployed an IPS but has been receiving a lot of false positive alarms. Which action should the IT department take to reduce the number of false positive alarms?

  • Tune the alarm (correct)

An IPS is configured to reset a TCP connection whenever it detects suspicious activity on a particular port. Which category of action does this IPS employ?

  • Resetting a TCP connection (correct)

Which security practice is crucial for maintaining an effective Intrusion Prevention System (IPS)?

  • Ensuring IPS signatures are regularly updated. (correct)

What is the purpose of Secure Device Event Exchange (SDEE) in network security?

  • To provide a secure method for transferring event data from security devices to management consoles. (correct)

Which detection type compares current network traffic activity with pre-established traffic patterns?

  • Anomaly-based detection (correct)

Which configuration is a best practice for an IPS?

  • Placing the IPS behind the firewall. (correct)

Which of the following actions can an IPS utilize but an IDS can't?

  • Dropping malicious packets (correct)

Which form of attack is particularly effective due to the fact that no official patch or protection exists?

  • Zero-day attack (correct)

What step should a network administrator perform after installing a new IPS device on the network?

  • Download the latest signature file (correct)

Flashcards

Zero-Day Attacks

Attacks that exploit vulnerabilities that are unknown to the software vendor or the public.

Intrusion Detection System (IDS)

A system that passively monitors network traffic and alerts administrators to potential security breaches.

Intrusion Prevention System (IPS)

A system that actively blocks or prevents detected intrusions, operating in-line to stop malicious traffic.

Application Layer Inspection

Analyzing packets for malicious content at layer 7.

Signature

A set of rules used by IDS/IPS to detect intrusion activity.

Atomic Signature

A signature that consists of a single packet, activity, or event.

Composite Signature

A signature that identifies a sequence of operations distributed across multiple hosts over time.

Signature File

A file containing a package of network signatures used by an IPS.

False Positive

An alarm triggered when normal user traffic is falsely identified as malicious.

IPS Tuning

The process of tuning an IPS to minimize false positives and false negatives for a given network environment.

Secure Device Event Exchange (SDEE)

A security protocol that allows devices to exchange event information securely.

Port Mirroring/SPAN

A method to copy traffic from one or more switch ports to another port for analysis.

Atomic Signature

The simplest type of signature which consists of a single packet.

Host-Based IPS

Refers to having protection specific to a host's operating system.

Network-Based IPS

Describes protection that is cost-effective and independent of the operating system.

Study Notes

Implementing Intrusion Prevention

  • Chapter 5 focuses on intrusion prevention implementation, as part of the CCNA Security v2.0 curriculum.

IPS Technologies

  • Section 5.1 explores IPS technologies and explains zero-day attacks.
  • Monitoring, detecting, and stopping attacks are key elements in IPS.
  • Aims to describe the advantages and disadvantages of both Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS).

IDS and IPS Characteristics

  • Zero-day attacks exploit vulnerabilities that are unknown to the software vendor and therefore have no patch, so signature-based defenses usually have nothing to match.
  • An IDS operates passively on a copy of the traffic, which requires port mirroring (SPAN) on the switch.
  • Because the IDS sees only a mirrored copy, the original traffic never passes through it, and the IDS cannot stop the triggering packet.
  • An IPS operates in inline mode, in the traffic path; it monitors traffic at Layers 3 and 4 and can also inspect content at the application layer (Layer 7) and block it.
  • An IPS can stop single-packet (atomic) attacks and respond immediately, preventing the malicious traffic from reaching its target.
  • IDS and IPS share several characteristics: both are deployed as sensors, both use signatures to detect patterns of misuse, and both detect atomic and composite patterns in traffic.

Advantages and Disadvantages of IDS and IPS

  • IDS advantages: no impact on network latency or throughput, and the network keeps operating if the sensor fails or is overloaded.
  • IDS disadvantages: it cannot stop the triggering packet; any response (for example a TCP reset) is sent only after the packet has already been delivered.
  • IPS advantages: it can drop the trigger packet and everything that follows it, so the attack is stopped before it reaches the host.
  • IPS disadvantages: a sensor failure can interrupt traffic flow unless the platform is set to bypass the sensor on failure, sensor overload adds latency or drops packets, and inline inspection always has some impact on overall network performance.

Network-Based IPS Implementations

  • A host-based IPS (HIPS) provides protection specific to the host operating system.
  • HIPS offers OS- and application-level protection, and because it runs on the host it can inspect messages after the host has decrypted them.
  • HIPS is usually dependent on the operating system and must be installed and maintained on every host.
  • A network-based IPS (NIPS) is cost-effective and independent of the host operating system.
  • NIPS cannot examine encrypted traffic and must stop malicious traffic before it reaches a host.

IPS Solutions

  • Cisco offers modular and appliance-based IPS solutions.
  • These include Cisco IPS AIM, Network Module Enhanced (IPS NME), ASA AIP-SSM, IPS 4300 Series Sensors, and Catalyst 6500 Series IDSM-2.
  • IPS sensor selection and deployment considers factors like network traffic volume, network topology, security budget, and available security staff.

Promiscuous Mode

  • In promiscuous mode the sensor is attached to a switch SPAN port, which sends it copies of the traffic for analysis.
  • The IDS analyses this duplicate rather than the actual traffic, so it can alert but cannot block the original packets.

Inline Mode

  • In inline mode the IPS sensor sits directly in the traffic path, so every packet passes through it and can be dropped before it is forwarded.

Modes of Deployment

  • The common method of deployment includes "Promiscuous Mode" for IDS.
  • The common method of deployment includes "Inline Mode" for IPS.

Cisco Switched Port Analyzer

  • A hub floods every frame to every port, so a sensor attached to a hub sees all traffic; a switch forwards unicast frames only to the destination port, so port mirroring is required to sniff switched traffic.
  • Cisco SPAN (Switched Port Analyzer) copies traffic from one or more source ports or VLANs to a destination port where the sensor is attached.
  • The monitor session command associates a source port and a destination port with a SPAN session.
  • The show monitor command verifies the SPAN session.
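The SPAN session described above, written out as an added Cisco IOS example (not configuration from the curriculum); the interface numbers and the session number are assumptions:

```cisco
! Added example. Gi0/1 is assumed to be the uplink to the server segment and
! Gi0/24 the port where the IDS sensor's sniffing interface is attached.
configure terminal
 monitor session 1 source interface GigabitEthernet0/1 both
 monitor session 1 destination interface GigabitEthernet0/24
 end
! Verify that the session, its source and its destination are what you intended.
show monitor session 1
```

Two caveats a practitioner should check: a SPAN destination port does not forward normal traffic, so the sensor's management connection must use a separate interface; and mirroring both directions of a full-duplex link into a single destination port of the same speed can oversubscribe that port, so the switch silently drops copies and the IDS misses packets.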

IPS Signatures

  • Section 5.2 focuses on IPS signatures, their characteristics, alarms, management, monitoring, and global correlation of Cisco IPS devices.
  • An IPS signature is a set of rules used to detect typical intrusion activity.
  • A signature has three attributes: a type, a trigger (alarm), and an action.
  • Signature types are either atomic or composite.
  • An atomic signature is triggered by a single packet, activity, or event.
  • A composite signature identifies a sequence of operations distributed across multiple hosts over an arbitrary period of time.
  • The latest signature file should be loaded onto the IPS as new threats appear.
  • Each signature trigger (alarm) type has advantages and disadvantages.
  • Signature actions include generating an alert, logging the activity, dropping or preventing the activity, resetting the TCP connection, and blocking future activity from the source.

Signature Alarms

  • Pattern-based detection (signature matching) is easy to configure and, with good signature design, produces few false positives; it cannot detect attacks for which no signature exists, and signatures must be created, updated and tuned.
  • Anomaly-based detection compares current traffic with a learned baseline profile, so it is easy to configure and can detect unknown attacks; building a representative profile is difficult on networks with heavy traffic, and the traffic pattern must stay fairly constant.
  • Policy-based detection compares traffic with administrator-written policies; it is simple and reliable, the policies are customized to the network and it can detect unknown attacks, but the policy must be written by hand and the output is generic.
  • Honeypot-based detection uses a decoy system that gives a window to observe attacks, confuses attackers, and slows down or diverts attacks.

Pattern-Based Detection example

  • A pattern-based atomic signature keeps no state: the pattern is checked against a single packet and the action is applied immediately.
  • Example atomic signature: an ARP request whose source Ethernet address is the broadcast address FF:FF:FF:FF:FF:FF, which no legitimate host uses as a source.
  • A pattern-based composite signature must track state, possibly across several packets or sessions, before it can decide.
  • Example composite signature: searching for the string "confidential" in a TCP session, which requires reassembling the stream because the string may be split across segments.

Anomaly-Based Detection example

  • An anomaly-based atomic signature needs no state: a single packet or event is compared with the configured profile and flagged if it deviates.
  • An anomaly-based composite signature must track state over time to decide whether the observed activity deviates from the baseline profile.

Policy Detection Example

The policy defines which packets or behaviours are acceptable. An atomic policy signature flags a single packet that violates the policy, while a composite one must track state across several packets before it can determine that the policy has been violated.

Alarm Triggering Mechanism

  • False positive: normal traffic triggers an alarm; the signature must be tuned.
  • False negative: an attack occurs but no alarm is generated; this is the dangerous case and also requires tuning, or a new signature.
  • True positive: an attack occurs and triggers an alarm (the desired outcome).
  • True negative: normal traffic generates no alarm (also desired).
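The IPS Signatures, Pattern-Based Detection and Alarm Triggering Mechanism notes above, worked through as one added Python example (not code from the curriculum or from any Cisco product). It implements the two signature types with the three signature attributes (type, trigger, action), runs them over constructed traffic, buckets each source into the four alarm outcomes, and then tunes away a false positive. The packet layout, addresses, signature IDs and the exclusion mechanism are assumptions made for the example:

```python
"""Toy pattern-based IPS: atomic and composite signatures, alarm classification
(true/false positive/negative) and tuning, over constructed traffic."""
from collections import defaultdict
from dataclasses import dataclass

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


@dataclass
class Packet:
    """Constructed packet abstraction (hypothetical, not a real capture format)."""
    proto: str              # "arp" or "tcp"
    src_ip: str
    src_mac: str = ""
    dst_ip: str = ""
    sport: int = 0
    dport: int = 0
    payload: bytes = b""


@dataclass
class Alarm:
    sig_id: int             # attribute 1: which signature (its type) fired
    action: str             # attribute 3: what the sensor does about it
    src_ip: str


class AtomicSignature:
    """Atomic: one packet is enough to decide; nothing is remembered between packets."""
    def __init__(self, sig_id, action, match):
        self.sig_id, self.action, self.match = sig_id, action, match

    def inspect(self, pkt):  # attribute 2: the trigger is the match() predicate
        return Alarm(self.sig_id, self.action, pkt.src_ip) if self.match(pkt) else None


class CompositeSignature:
    """Composite: keeps per-flow state (a reassembled TCP stream) so a string
    split across two segments is still found."""
    def __init__(self, sig_id, action, needle):
        self.sig_id, self.action, self.needle = sig_id, action, needle
        self.streams = defaultdict(bytes)

    def inspect(self, pkt):
        if pkt.proto != "tcp":
            return None
        flow = (pkt.src_ip, pkt.sport, pkt.dst_ip, pkt.dport)
        self.streams[flow] += pkt.payload
        if self.needle in self.streams[flow]:
            self.streams[flow] = b""        # fire once per occurrence
            return Alarm(self.sig_id, self.action, pkt.src_ip)
        return None


class Sensor:
    """Runs every signature over every packet. `exclusions` is the tuning knob:
    (sig_id, src_ip) pairs that are known good and must not raise an alarm."""
    def __init__(self, signatures, exclusions=()):
        self.signatures, self.exclusions = signatures, set(exclusions)

    def run(self, packets):
        alarms = []
        for pkt in packets:
            for sig in self.signatures:
                a = sig.inspect(pkt)
                if a and (a.sig_id, a.src_ip) not in self.exclusions:
                    alarms.append(a)
        return alarms


def classify(alarms, sources, malicious):
    """Bucket each source into the four alarm outcomes."""
    alarmed = {a.src_ip for a in alarms}
    return {"true_positive": len(alarmed & malicious),
            "false_positive": len(alarmed - malicious),
            "false_negative": len(malicious - alarmed),
            "true_negative": len(sources - malicious - alarmed)}


# Constructed sample traffic (not a real capture); addresses are assumptions.
ATTACKER, LEGAL, USER1, USER2 = "10.0.0.66", "10.0.0.20", "10.0.0.10", "10.0.0.30"
SOURCES, MALICIOUS = {ATTACKER, LEGAL, USER1, USER2}, {ATTACKER}


def sample_traffic():
    return [
        Packet("arp", ATTACKER, src_mac=BROADCAST_MAC),        # bogus ARP source MAC
        Packet("tcp", ATTACKER, dst_ip="203.0.113.9", sport=40000, dport=80, payload=b"GET /?q=confid"),
        Packet("tcp", ATTACKER, dst_ip="203.0.113.9", sport=40000, dport=80, payload=b"ential HTTP/1.1\r\n"),
        Packet("arp", USER1, src_mac="00:11:22:33:44:55"),      # normal ARP request
        Packet("tcp", LEGAL, dst_ip="10.0.0.5", sport=51000, dport=25, payload=b"Subject: confidential memo"),
        Packet("tcp", USER2, dst_ip="10.0.0.5", sport=52000, dport=25, payload=b"Subject: lunch"),
    ]


def signatures(per_packet_string_match=False):
    arp_sig = AtomicSignature(1000, "alert",
                              lambda p: p.proto == "arp" and p.src_mac == BROADCAST_MAC)
    if per_packet_string_match:  # naive atomic form: looks inside one segment only
        str_sig = AtomicSignature(2000, "deny-connection", lambda p: b"confidential" in p.payload)
    else:
        str_sig = CompositeSignature(2000, "deny-connection", b"confidential")
    return [arp_sig, str_sig]


def run_untuned():
    return classify(Sensor(signatures()).run(sample_traffic()), SOURCES, MALICIOUS)


def run_tuned():
    # Tuning: legal staff legitimately mail "confidential" memos, so exempt that host from sig 2000.
    sensor = Sensor(signatures(), exclusions={(2000, LEGAL)})
    return classify(sensor.run(sample_traffic()), SOURCES, MALICIOUS)


def string_alarms(per_packet_string_match):
    """Times signature 2000 fires per source: shows why the composite form is needed."""
    counts = defaultdict(int)
    for a in Sensor(signatures(per_packet_string_match)).run(sample_traffic()):
        if a.sig_id == 2000:
            counts[a.src_ip] += 1
    return dict(counts)


if __name__ == "__main__":
    print("untuned:", run_untuned())
    print("tuned:  ", run_tuned())
    print("per-packet match:", string_alarms(True), " composite:", string_alarms(False))
```

Untuned, the sensor reports one true positive (the attacker), one false positive (the legal host), two true negatives and no false negatives; the exclusion turns the false positive into a true negative. The last line shows the cost of getting the signature type wrong: the per-packet (atomic) string match misses the attacker's request because the string straddles two segments, and catches only the legitimate memo, which is a false negative and a false positive at the same time.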

Secure Device Event Exchange

  • Cisco IPS alarms can be sent to a management station over syslog or over Secure Device Event Exchange (SDEE); SDEE is a secure, HTTPS-based protocol for transferring event data from the sensor to the management console.
