IDS and IPS Characteristics

Questions and Answers

In a scenario where an IPS is deployed, what is the most critical implication of sensor overloading on network performance?

  • It automatically diverts traffic to a backup IPS, ensuring uninterrupted inspection.
  • It leads to fragmented data transmission, causing high latency.
  • It results in a complete network shutdown to prevent data loss.
  • It may cause the IPS to fail in inspecting traffic, thus missing potential threats. (correct)

What is the key difference between a host-based IPS and a network-based IPS concerning encrypted traffic?

  • Network-based IPS cannot examine encrypted traffic, while a host-based IPS could inspect the traffic after it is decrypted on the host. (correct)
  • Network-based IPS has the capability to examine encrypted traffic, whereas host-based IPS solutions are unable to do so.
  • Host-based IPS solutions can natively decrypt all traffic, while network-based IPS solutions require external decryption appliances.
  • Both network-based and host-based IPS solutions have equal capabilities when it comes to examining encrypted traffic.

When considering the limitations of IDS, which of the following scenarios represents the most significant challenge in a modern network environment?

  • IDS's inability to actively block malicious traffic in real-time, requiring additional systems for effective mitigation. (correct)
  • IDS's dependency on signature updates makes it ineffective against zero-day exploits.
  • IDS's passive monitoring mode, which results in high resource utilization and potential network performance degradation.
  • IDS's high false positive rate leading to alert fatigue and delayed incident response.

Assume a scenario where an IPS is configured to drop suspicious packets. What impact does this have on network traffic patterns?

Might cause legitimate connections to be terminated, leading to intermittent service disruptions. (D)

Which of the following scenarios would necessitate the most rigorous examination of network topology and traffic patterns when deploying an IPS?

A highly segmented network with multiple VLANs, diverse traffic types, and critical internal resources. (D)

What key characteristic differentiates atomic signatures from composite signatures in IPS operations?

Atomic signatures are simpler and examine a single event, while composite signatures correlate multiple events over time. (A)

What are the relative advantages of using SPAN (Switched Port Analyzer) for intrusion detection in a complex network environment?

SPAN provides a non-intrusive method for monitoring traffic, ensuring minimal impact on network performance, though without direct intervention capabilities. (C)

How does the use of customized policies in an IPS influence the ability to identify and respond to zero-day attacks, and what are the challenges associated with this approach?

Customized policies provide a framework to detect anomalies indicative of zero-day attacks, though careful tuning is required to minimize false positives and avoid blocking legitimate traffic. (A)

How does the use of a 'honeypot' in network security contribute to understanding attack strategies, and what are the potential risks?

It attracts attackers, enabling analysis of threats, but can be a liability if compromised and used to launch attacks. (D)

What is the potential impact of a false negative alarm in an intrusion prevention system (IPS), and how does it compare to the impact of a false positive?

A false negative can be more detrimental as it allows actual threats to go undetected, while a false positive can disrupt legitimate traffic flows. (A)

An IPS, unlike an IDS, operates in an inline mode, enabling it to actively prevent malicious traffic from reaching its intended target.

True (A)

A network-based IPS can effectively examine encrypted traffic, providing full visibility into potential threats hidden within secure communications.

False (B)

Cisco’s IPS solutions, like the Catalyst 3500 Series IDSM-2, are primarily software-based, running as applications on existing hardware.

False (B)

In SPAN configuration, ingress traffic refers to the traffic exiting a switch's interface, whereas egress traffic is the traffic entering the interface.

False (B)

In IPS signature characteristics, 'type' refers to the specific action that the IPS takes upon detecting a match, such as blocking traffic or generating an alert.

False (B)

Cisco Discovery Protocol (CDP) can be used to correlate IPS logs with network device information, enhancing network visibility and threat analysis.

False (B)

Zero-day attacks are easily detected by signature-based IPS systems, as these systems rely on pre-existing patterns of known threats.

False (B)

When selecting an IPS solution, the available amount of security automation is not a crucial factor, since manual analysis provides more accurate insights.

False (B)

In anomaly-based detection, a composite signature type involves no state requirement, focusing solely on immediate deviations from a normal profile to identify threats.

False (B)

The primary advantage of deploying an IDS is its ability to actively stop malicious traffic, thus directly preventing attacks from reaching network assets.

False (B)

In a highly dynamic network environment, how does the 'sticky learning' feature in port security enhance network administration, and what are its limitations when devices frequently move between ports?

It simplifies the initial configuration by learning MAC addresses, but may create administrative overhead if device movement requires frequent manual updates. (C)

If a network administrator configures port security with a maximum MAC address count of 1 and violation mode set to 'restrict,' how does this affect network operation in a scenario where an IP phone is connected to a switchport, and a PC is connected to the phone?

The IP phone is granted access, the PC's MAC address triggers the violation mode, incrementing the violation counter, and packets from the PC are dropped, but the port remains active. (D)

In the context of endpoint security, how does the architecture of Cisco's Advanced Malware Protection (AMP) enhance threat detection and response, especially when dealing with polymorphic malware variants?

AMP leverages its global threat intelligence network to correlate file behavior and system activity, identifying zero-day exploits and adapting defenses against new malware patterns. (B)

Given a scenario where a network is experiencing a slow but persistent degradation in performance, how can network administrators differentiate between a CAM table overflow attack and a broadcast storm, and what mitigation steps are specific to each?

CAM table overflow causes switches to flood traffic due to MAC address exhaustion, detectable via increased unicast flooding; broadcast storms are caused by looping broadcasts, identifiable by analyzing spanning-tree protocol (STP) states; mitigation involves enabling port security for the former and tuning STP for the latter. (A)

In a scenario involving Cisco's Network Admission Control (NAC), how does posture assessment influence endpoint access to network resources, and what measures are necessary to ensure continuous compliance in a BYOD (Bring Your Own Device) environment?

NAC conducts a continuous assessment of endpoint health, quarantining or restricting access for devices failing to meet security policies, supplemented by automated remediation and user education in BYOD scenarios. (B)

How does an attacker exploit the vulnerabilities associated with DHCP in a network, and what steps can a network administrator take to safeguard against both DHCP starvation and DHCP spoofing attacks?

Attackers exhaust the DHCP address pool, preventing legitimate clients from obtaining IP addresses, or provide rogue DHCP servers to redirect traffic; safeguard by enabling DHCP snooping to create a trusted DHCP environment and limiting MAC addresses per port to prevent starvation. (A)

How does the implementation of VLAN Trunking Protocol (VTP) influence VLAN management across a large enterprise network, and what are the critical security considerations to prevent unauthorized VLAN modification or information disclosure?

VTP allows centralized VLAN management but can be vulnerable to VTP domain spoofing; secure implementation requires VTP password protection, pruning unused VLANs, and restricting VTP propagation to trusted switches. (B)

What security measures should a network administrator implement to prevent unauthorized access to sensitive data transmitted over a wireless LAN (WLAN), and how do these measures mitigate common wireless security threats?

Deploy WPA3 encryption with a strong passphrase to protect data confidentiality and integrity; enable rogue access point detection to prevent man-in-the-middle attacks; regularly review and update wireless security configurations. (A)

In an environment where both Email Security Appliance (ESA) and Web Security Appliance (WSA) are deployed, how does the integration between these components enhance protection against phishing attacks, and what specific data is shared between them?

The ESA and WSA share threat intelligence related to malicious URLs and sender reputations, enabling the WSA to block access to phishing sites identified by the ESA, and vice versa, enhancing real-time threat protection. (C)

Given a company's policy to implement hardware encryption on all laptops, what considerations should the IT department address to ensure data accessibility in the event of employee turnover or unforeseen circumstances?

Hardware encryption keys should be backed up to a secure, centralized key management system, with documented procedures for authorized personnel to recover data in case of employee turnover or emergencies, while maintaining compliance with data protection regulations. (B)

Host-based firewalls, antivirus software, and host-based intrusion prevention systems (IPS) are the components of traditional endpoint security.

True (A)

Advanced Malware Protection (AMP) focuses solely on pre-infection prevention, neglecting detection and remediation after a breach.

False (B)

Talos, the threat intelligence team, does not play a role in email and web security.

False (B)

Cisco NAC functions only to halt network access, not to provide remediation guidance.

False (B)

Layer 2 vulnerabilities are not related to the data link layer of the OSI model.

False (B)

Address spoofing attacks, STP attacks, and ARP attacks can be classified as examples of Layer 3 Attacks.

False (B)

CAM table overflow attacks involve legitimate MAC addresses sent to a switch in order to reach capacity.

False (B)

Upon a port security violation using 'shutdown' mode, the port immediately enters an active forwarding state.

False (B)

DHCP starvation attacks aim to exhaust the pool of available DHCP addresses.

True (A)

DHCP snooping inspects DHCP traffic and filters DHCP messages, which assists in preventing unauthorized DHCP servers from providing IP addresses to clients.

True (A)

Flashcards

Zero-Day Attacks

Attacks that exploit previously unknown vulnerabilities, meaning no patch is available.

IDS (Intrusion Detection System)

An Intrusion Detection System works passively, mirroring traffic to detect intrusions without directly impacting network flow.

IPS (Intrusion Prevention System)

An Intrusion Prevention System operates inline, actively monitoring and blocking malicious Layer 3 and 4 traffic in real-time.

IPS Signature

A set of rules used by IDS/IPS to identify and respond to suspicious or malicious activity.

Atomic Signature

A single packet or event is examined for a match; on a match, an alarm is triggered and the signature action is performed.

Composite Signature

Identifies a sequence of operations distributed across multiple hosts over a period of time.

SPAN (Switched Port Analyzer)

Sending copies of traffic to be analyzed by an intrusion detection system.

Alarm Types

False positives trigger alarms on normal traffic, while false negatives fail to detect actual attacks.

Signature Actions

Includes producing alerts, logging activity, dropping traffic, resetting connections and blocking future activity.

Host-Based and Network-Based IPS

A host-based IPS is specific to the host's operating system, while a network-based IPS stops unwanted traffic before it reaches the host.

IPS Function

Inspects application layer content, blocking malicious traffic.

IDS vs IPS Operation

An IDS works passively, mirroring traffic for analysis. An IPS operates inline, actively blocking threats.

IDS Traffic Monitoring

Requires all traffic to be mirrored to the sensor; the traffic itself does not pass through the IDS.

IPS Sensor Selection Factors

Amount of network traffic, network topology, security budget and staff.

Network IPS

Cost-effective and independent of the host operating system; cannot examine encrypted traffic or determine whether an attack succeeded.

Monitor Session Command

Associate a source/destination port with a SPAN session.

Signature Types

Atomic signatures examine single packets, composite signatures analyze traffic over time.

Pattern Detection Advantages

Easy setup, fewer false positives, good signature design.

Policy-based Detection

Easy to configure and able to detect unknown attacks.

Endpoint Security

Securing individual devices (laptops, desktops, servers) connected to a network to prevent unauthorized access and malicious activities.

Antimalware Software

Software designed to prevent, detect, and remove malicious software (malware) from a computer or network.

Cisco AMP

Cisco's Advanced Malware Protection; a comprehensive security solution that discovers, understands, and protects from advanced malware.

Cisco NAC

Cisco's Network Admission Control; authenticates users and their devices before allowing network access and enforces security policies.

Data Encryption

Using encryption methods in both hardware and software to protect data stored locally on a device from unauthorized access.

Spam Blocking

A security measure that blocks unwanted email messages, such as spam, from reaching users' inboxes.

URL Filtering

The process of filtering website content to block access to malicious or inappropriate sites.

Cisco Email Security Appliance

A security appliance that scans network traffic and blocks malicious content in emails.

Cisco Web Security Appliance

A security appliance that filters web traffic to block malware and control web access.

CAM Table Overflow Attack

A Layer 2 switch vulnerability where attackers flood the switch's MAC address table, causing it to forward traffic inefficiently or fail.

Antivirus/Antimalware

Software designed to block and eliminate viruses and malware.

Study Notes

Section 6.0: Introduction

  • Chapter 6 focuses on securing the Local Area Network (LAN)

6.1: Endpoint Security

  • Endpoint security and enabling technologies are described

6.2: Layer 2 Security Threats

  • Layer 2 vulnerabilities are described

6.1.1: Introducing Endpoint Security

  • Securing LAN elements requires perimeter firewalls, intrusion prevention systems (IPSs), and VPNs.
  • Securing LAN elements requires web and email security appliances, DNS security, and host security.

Securing Endpoints in the Borderless Network

  • After a malware attack, considerations include determining its source, its method, and which systems were affected.
  • Actions comprise stopping the threat, recovering from it, and preventing recurrence.
  • Host-based protection methods include antivirus/antimalware, SPAM filtering, URL filtering, and blacklisting.

Modern Endpoint Security Solutions

  • Centralized modern solution examples include AMP, NAC, ESA, and WSA

6.1.2: Antimalware Protection

  • Advanced Malware Protection takes place before, during, and after attacks

AMP and Managed Threat Defense

  • Talos teams gather real-time threat intelligence from 1.6 million deployed security devices.
  • These devices include firewalls, IPS, and web and email appliances, plus 150 million endpoints.
  • Talos analyzes 100 TB of security intelligence daily.
  • It also analyzes 13 billion web requests per day and 35% of the world’s enterprise email traffic.

6.1.3: Email and Web Security

  • Features and benefits of Cisco Email Security solutions include spam blocking, advanced malware protection, and outbound message control.
  • Cisco Web Security Appliance (WSA) forwards web requests on behalf of clients, filtering web traffic to block malware and control web access

6.1.4: Controlling Network Access

  • Cisco NAC (Network Admission Control) controls network access, authenticating users and devices and enforcing security policies before access is granted

6.2: Layer 2 Security Considerations

  • Layer 2 vulnerabilities exist

6.2.1: Layer 2 Security Threats

  • Layer 2 vulnerabilities exist in the Data Link, Physical, and Network layers

Switch Attack Categories

  • Switch attack categories include CAM table attacks, VLAN attacks, STP attacks, DHCP attacks, ARP attacks, and address spoofing attacks

6.2.2: CAM Table Attacks

  • A CAM table attack involves running an attack tool that fills the switch's CAM table with bogus MAC addresses
  • Once the table is full, the switch floods all traffic out every port, enabling the attacker to capture traffic

CAM Table Attack Tools

  • 'macof -i eth1' is an example of a CAM table attack tool

6.2.3: Mitigating CAM Table Attacks

  • Port security can act as a countermeasure to prevent CAM table attacks

Port Security

  • Port security options include aging, mac-address, maximum, and violation
  • Port security can be enabled through the command line interface

Enabling Port Security Options

  • The command switchport port-security maximum value sets the maximum number of MAC addresses allowed on the port.
  • MAC addresses can be configured manually via the command switchport port-security mac-address mac-address {vlan | { access | voice}}
  • MAC addresses can be learned dynamically and retained using the command switchport port-security mac-address sticky

Port Security Violations

  • Security violation modes are protect, restrict, and shutdown
  • In protect mode, traffic is forwarded and there are no logs
  • In restrict mode, violating traffic is dropped and a log entry is generated, but the port stays up
  • In shutdown mode, violating traffic is dropped, a log entry is generated, and the port is shut down

Mitigating DHCP Attacks

  • A DHCP spoofing attack entails a rogue DHCP server handing out false IP configuration to clients

DHCP Starvation Attack

  • A DHCP starvation attack can be initiated by an attacker against the DHCP server
  • In DHCP starvation, the attacker requests and claims all DHCP offers, exhausting the pool of available addresses

Configuring DHCP Snooping Example

  • DHCP snooping can be configured using the command line interface

Configuring DHCP Snooping

  • DHCP snooping is configured by designating trusted ports (toward legitimate DHCP servers) and untrusted ports (toward clients)
