CCNA Security v2.0: Intrusion Prevention

Questions and Answers

What best describes a zero-day attack?

  • An attack that is easily detectable.
  • An attack that occurs on the last day of the month.
  • An attack that exploits a vulnerability before a patch is available. (correct)
  • An attack that uses only zero packets.

Which of the following is a primary function of an Intrusion Detection System (IDS)?

  • To completely isolate the network from external threats.
  • To actively block malicious traffic.
  • To encrypt all network communications.
  • To passively monitor network traffic for suspicious activity. (correct)

How does an Intrusion Prevention System (IPS) operate in the network?

  • In offline mode, analyzing stored traffic logs.
  • In passive mode, similar to an IDS.
  • In standalone mode, not connected to the network.
  • In inline mode, directly in the path of network traffic. (correct)

Which OSI layer does an IPS inspect to block malicious traffic?

Application Layer (B)

Which of the following is a common characteristic of both IDS and IPS?

They are both deployed as sensors. (D)

What is an advantage of using an IDS over an IPS?

It has no impact on network performance. (A)

What is a disadvantage of using an IPS?

Sensor issues may affect network traffic. (A)

What is a key advantage of a network-based IPS?

It is cost effective. (C)

Which of the following is true regarding network-based IPS?

It must stop malicious traffic before it reaches the host. (C)

Which is a factor that affects IPS sensor selection and deployment?

The amount of network traffic. (D)

What term describes the method where an IPS analyzes traffic by receiving a copy of it?

Promiscuous Mode (D)

What is the purpose of a SPAN port in network monitoring?

To mirror network traffic to a monitoring device. (A)

Which command is used to configure a SPAN session to monitor traffic?

monitor session (C)

What are the three distinct attributes of IPS Signatures?

Type, Trigger, Action (A)

What is the simplest type of signature that consists of a single packet?

Atomic (A)

What does a signature file contain?

A package of network signatures (A)

Which detection type has easy configuration and fewer false positives?

Pattern-based (C)

Which detection has attacks that can be viewed through a window?

Honey pot-based (A)

Which of the following is true about the advantages of anomaly based detection?

Can detect unknown attacks (D)

Which alarm occurs when normal user traffic is categorized as malicious?

False Positive (C)

Which alarm occurs when attack traffic is allowed without any flagging?

False Negative (A)

Which alarm results in an ideal setting?

Both A and C (A)

What signature action permits traffic to appear as normal based on configured exceptions?

Allow the activity (D)

What signature action can an approved IT scanning host use?

Allow the activity (B)

What is the name of the protocol used for Secure Device Event Exchange?

SDEE (B)

IDS works in an inline mode.

False (B)

IPS can stop single packet attacks.

True (A)

A zero-day attack exploits known vulnerabilities.

False (B)

IDS requires traffic to be mirrored to it.

True (A)

IPS only monitors layer 7 traffic.

False (B)

IDS can actively block malicious traffic.

False (B)

IPS always has a direct impact on network performance.

False (B)

Host-based IPS is cost-effective.

False (B)

Network-based IPS can examine encrypted traffic.

False (B)

Both IDS and IPS can be deployed as sensors.

True (A)

IDS does not provide operating system-level protection.

True (A)

Network topology is not a factor when choosing an IPS solution.

False (B)

When new threats are identified, new signatures do not need to be uploaded to an IPS.

False (B)

IDS and IPS only use atomic patterns.

False (B)

A SPAN port sends copies of traffic.

True (A)

A signature file contains a package of network signatures.

True (A)

An atomic signature must contain state.

False (B)

Intrusion Detection System (IDS) operationally responds immediately by allowing any malicious traffic to pass.

False (B)

Intrusion Prevention System (IPS) sensor overloading does not impact the network.

False (B)

IDS is implemented in an inline mode.

False (B)

IPS triggers packets.

False (B)

Host-based IPS are operating system independent.

False (B)

IPS can be deployed in Inline Mode only.

False (B)

An IDS sensor failure will impact the network.

False (B)

The action 'Request SNMP trap' is a specific alert.

False (B)

Flashcards

What is a zero-day attack?

An attack that exploits a vulnerability before a patch is available.

How does an IDS monitor attacks?

Works passively, requires mirroring, doesn't pass traffic unless mirrored.

How does an IPS detect & stop attacks?

Implemented inline, monitors L3/L4 traffic, stops single packets, responds immediately.

What does an IPS inspect?

Inspects malicious application layer content and blocks it.

Similarities between IDS and IPS

Deployed as sensors, use signatures to detect misuse patterns, detect atomic or composite patterns.

Advantages of IDS

No network impact; no impact on sensor failure/overload.

Advantage of IPS

Stops trigger packets.

Disadvantage of IDS

Response cannot stop the trigger.

Disadvantages of IPS

Sensor issues affect traffic; overloading impacts network, some impact on network.

Advantages of Host-Based IPS

Protection specific to host OS, provides OS and app level protection, protects host after decryption.

Advantages of Network-Based IPS

Cost-effective, OS independent.

Disadvantages of Host-Based IPS

OS dependent, must install on all hosts.

Disadvantages of Network-Based IPS

Can't examine encrypted traffic and stop malicious traffic prior to arriving at the host.

Factors for choosing an IPS solution

Amount of traffic, network topology, security budget available and security staff to manage IPS.

Network IPS advantages

Cost-effective, not visible on network, operating system independent, lower level network events seen.

Network IPS disadvantages

Cannot examine encrypted traffic and cannot determine whether an attack was successful.

Promiscuous Mode for IDS

SPAN port sends copies of traffic, IDS-enabled Sensor, and Management Server

Inline Mode for IPS

Traffic passes through the IPS sensor.

Monitor Session command

Associate a source port and destination port with a SPAN session.

What is a Signature?

Set of rules that an IDS and an IPS use to detect typical intrusion activity.

Attributes of a signature

Type, trigger (alarm), and action.

What is Atomic Signature?

Single packet/activity is examined.

What is composite signature?

Sequence of operations distributed across multiple hosts.

What is a signature file?

Network signatures are uploaded onto an IPS.

What is an Intrusion Prevention System (IPS)?

A network security device that monitors network traffic for suspicious activity and takes automated preventative actions.

What is port mirroring?

The method by which network traffic is copied and sent to an intrusion detection system (IDS) for analysis.

What is Cisco Switched Port Analyzer (SPAN)?

A Cisco feature that allows network traffic from one or more ports to be mirrored to another port for analysis.

What is an atomic signature?

Simplest signature type; examines a single packet, activity, or event.

Generating an alert

Alerts the administrator and logs information about suspicious activity.

Logging the activity

Records network traffic related to an attack.

Dropping or preventing activity

Stops the malicious activity from reaching its target.

Resetting a TCP connection

Terminates a TCP connection involved in suspicious activity.

Blocking future activity

Prevents future connections from the source of malicious activity.

Allow the activity

Allows traffic to flow normally, with potential exceptions configured.

Anomaly-based detection

A type of intrusion detection that establishes a baseline of normal network behavior and flags any activity that deviates significantly from this baseline.

Policy-based detection

A type of intrusion detection that uses pre-defined rules or policies to identify malicious activity.

Honeypot-based detection

A type of intrusion detection that uses decoy systems to attract and detect attacks.

False positive

Normal user traffic categorized, by mistake, to be malicious

False negative

Failure to flag malicious traffic that is attacking

True positive

Attack traffic correctly categorized as malicious

True negative

Normal user traffic correctly identified as harmless traffic

Study Notes

- Implementing Intrusion Prevention is covered in Chapter 5 of CCNA Security v2.0
- Dr. Nadhir Ben Halima is the author

### IPS Technologies
- This section explains zero-day attacks
- It covers how to monitor, detect, and stop attacks
- It also describes the advantages and disadvantages of IDS and IPS

### IDS and IPS Characteristics
- A zero-day attack is an attack that exploits a previously unknown vulnerability
- IDS monitors traffic passively and requires traffic to be mirrored to it
- Network traffic does not pass through an IDS unless it is mirrored
- IPS is implemented in an inline mode
- IPS monitors Layer 3 and Layer 4 traffic
- IPS stops single packet attacks from reaching target
- IPS responds immediately and will not allow malicious traffic to pass
- IPS inspects malicious traffic content at the application layer and blocks it
- Both IDS and IPS are deployed as sensors
- Both IDS and IPS use signatures to detect patterns of misuse in network traffic
- Both can detect atomic patterns (i.e., single-packet) or composite patterns (i.e., multi-packet)

### IDS vs IPS - Advantages and Disadvantages
- IDS: No impact on network, no impact given sensor failure/overload. Disadvantage = response action cannot stop trigger
- IPS: Stops trigger packets. Disadvantage = sensor issues/overloading affects network traffic, some impact on network

### Network-Based IPS Implementations
- Host-Based IPS Advantages: Provides protection specific to a host operating system, offers operating system and application level protection, and protects the host after the message is decrypted
- Host-Based IPS Disadvantages: Operating system dependent, and must be installed on all hosts
- Network-Based IPS Advantages: Cost effective and operating system independent
- Network-Based IPS Disadvantages: Cannot examine encrypted traffic and must stop malicious traffic prior to arriving at the host

### Cisco IPS Solutions
- Cisco offers Modular and Appliance-Based IPS Solutions
- Cisco IPS AIM and Network Module Enhanced (IPS NME)
- Cisco ASA AIP-SSM
- Cisco IPS 4300 Series Sensors
- Cisco Catalyst 6500 Series IDSM-2

### Choosing/Deploying an IPS Sensor
- Factors include amount of network traffic, network topology, the security budget and security staff available to manage IPS

### IPS Advantages and Disadvantages
- Network IPS Advantages: cost-effective, not visible on the network, OS independent and can see lower level network events
- Network IPS Disadvantages: Cannot determine if the attack was successful, nor can they examine encrypted traffic

### Modes of Deployment
- Promiscuous Mode and Inline Mode exist
- Promiscuous mode is associated with IDS
- Inline mode is associated with IPS

### SPAN
- Cisco Switched Port Analyzer (SPAN) sends copies of the traffic

### Cisco SPAN usage
- Associate a source port and a destination port with a SPAN session
- To verify the SPAN session, use the show monitor command

### IPS Signatures
- IPS Signatures: Understand IPS signature characteristics, explain IPS signature alarms, manage and monitor IPS, and understand the global correlation of Cisco IPS devices

### IPS Signature Characteristics
- A signature is a set of rules that an IDS and an IPS use to detect typical intrusion activity
- Signatures have three distinct attributes: type, trigger (alarm), action

### Signature Type details
- Atomic signature: this simplest type includes a single packet, activity, or event that is examined to determine if it matches a configured signature
- Composite signature: identifies a sequence of operations distributed across multiple hosts over an arbitrary period of time

### Signature File details
- As new threats are identified, signatures need to be created and uploaded to an IPS
- A signature file contains a package of network signatures

### IPS Signature Alarms
- Categories include Pattern-based, Anomaly-based, Policy-based and Honey pot-based Detection

### Signature Alarm types
- Pattern-based Detection is easy to configure, produces fewer false positives, and has a superior signature design
- Anomaly-based Detection is reliable because of customized policies
- Policy-based Detection is easy to configure and can detect unknown attacks
- Honey pot-based Detection allows you to view attacks, distract and confuse attackers, slow down and avert attacks, and collect information about attacks

### Signature Alarms - Disadvantages
- Pattern-based Detection: Cannot detect unknown signatures; signatures must be created, updated, and tuned; and initially produces a lot of false positives
- Anomaly-based Detection: Produces generic output and the policy must be created
- Policy-based Detection: Difficult to profile typical activity in large networks and the traffic profile must be constant
- Honey pot-based Detection: Requires a dedicated honey pot server, which must not be trusted

### Signature Type Example
- Atomic Signature: With Pattern-based Detection, no state is required to examine the pattern and determine whether the signature action should be applied
- Composite Signature: With Pattern-based Detection, must contain state or examine multiple items to determine if signature action should be applied.

### Atomic Signature Action
- An example is when detecting an Address Resolution Protocol (ARP) request that has a source Ethernet address of FF:FF:FF:FF:FF:FF.

### Composite Signature Action
- An example is when searching for the string "confidential" across multiple packets in a TCP session.

### Composite Signature example with Anomaly-based Detection
- State is required to identify activity that deviates from the normal profile
- An example is verifying protocol compliance for HTTP traffic.

### Action Trigger types
- Normal user traffic: Indicates a false positive when an alarm is generated although there is no actual threat, so the alarm needs tuning
- Attack traffic: Indicates a true positive when an alarm is generated for actual attack traffic (an ideal setting)
- Attack traffic: Indicates a false negative when no alarm is generated although an attack is present, so the alarm needs tuning
- Normal user traffic: Indicates a true negative (an ideal setting) when normal user traffic generates no alarm

### Signature Actions
- Actions include: Generating an alert, Logging the activity, Dropping or preventing the activity, Resetting a TCP connection, Blocking future activity and allowing the activity

### Details on Signature Actions
- Generating an alert: Produce an alert or a verbose alert
- Logging the activity: Log attacker packets, log pair packets (attacker and victim packets), log victim packets
- Dropping or preventing the activity: Deny attacker inline, deny connection inline, deny packet inline
- Resetting a TCP connection: Reset a TCP connection
- Blocking future activity: Request block connection, request block host, request SNMP trap
- Allow the activity: Allow the traffic to appear as normal based on configured exceptions

### Secure Device Event Exchange
- Consists of Alarm, SDEE and Syslog protocols that are used by the Network Management Console and the Syslog Server

### IPS Configuration Best Practices
- A firewall and IPS will provide the most effective outcome
