Intrusion Detection & Prevention Systems Overview
32 Questions
Questions and Answers

What is the primary function of an IDS?

  • To detect and log suspicious activity (correct)
  • To generate network traffic for analysis
  • To encrypt data stream within a network
  • To block all incoming network connections

Which of the following statements best describes a network-based IDS (NIDS)?

  • It is primarily used to encrypt data packets in transit.
  • It operates at the edge of the network to monitor traffic for multiple systems. (correct)
  • It runs on a single computer to protect that host only.
  • It requires a user to be present at all times for monitoring.

How does a forward proxy function in relation to user IP addresses?

  • It hides internal users' IP addresses when accessing the Internet. (correct)
  • It restricts users from accessing external websites.
  • It assigns random IP addresses to internal users for anonymity.
  • It exposes users' IP addresses to the external servers.

What is one of the key differences between an IDS and an IPS?

An IDS detects threats but does not take action, while an IPS reacts to suspicious activity. (A)

What is a primary purpose of a reverse proxy?

To provide identity protection for servers rather than clients. (D)

In what way does a proxy server manage security?

By filtering traffic at the application layer. (C)

Which type of IDS runs specifically on one computer to monitor that host?

Host-based IDS (C)

What role does a NAT server play in relation to proxies?

It forwards requests and responses between users and external servers. (D)

What is the primary advantage of using DRaaS in disaster recovery planning?

It is highly scalable and cost-effective. (C)

Which UPS classification provides continuous power by switching to a battery only when an outage occurs?

Standby UPS (D)

What does the 3-2-1-1 rule emphasize regarding data backups?

Save backups on two media types and one offline. (B)

What is the primary function of routers in a network?

To connect multiple networks and manage data paths. (B)

Which of the following is true about BGP?

It is the only current EGP in use. (C)

Which routing protocol uses a distance-vector algorithm calculated by hop count to determine routes?

RIP (B)

What aspect does RTO (Recovery Time Objective) primarily define in disaster recovery planning?

Maximum allowable downtime for a network. (A)

What does OSPF utilize to map and determine the best path for data in a network?

Link-state routing mechanisms. (D)

Which statement is accurate regarding RAID 5 configurations?

It splits data evenly across three or more drives with one parity drive. (D)

What differentiates Online UPS from Standby UPS?

Online UPS charges its battery continuously while providing power. (C)

What is the primary function of a packet-filtering firewall?

To filter traffic based on pre-defined rules matching packet headers (C)

Which feature is NOT typically found in a host-based firewall?

Protecting the integrity of a network router (A)

Which type of firewall manages packets independently, without considering existing connections?

Stateless firewall (C)

What is the function of RADIUS in network security?

To authenticate and authorize remote users (C)

Which of the following is NOT a characteristic of malware?

Implementing firewall functions (D)

What typically causes firewall failure?

Improper configuration of the firewall rules (D)

Which of the following is the correct port number used by RADIUS for authentication?

1812 (B)

What is NOT a category of disaster recovery contingency?

Virtual site (B)

Which DSL type provides equal download and upload speeds, maxing out around 2 Mbps?

SDSL (B)

Which characteristic describes a Trojan horse in malware?

Disguises itself as legitimate software (C)

Which modulation technique is used in DSL connections for optimal data transfer?

Amplitude or phase modulation (B)

Which SNMP version primarily enhances performance and security compared to its predecessor?

SNMPv2 (C)

Which of the following best describes stateful firewalls?

They track established connections and packets in relation to those streams. (C)

What is the main purpose of a disaster recovery plan?

To ensure the restoration of critical functionality and data after a disaster (B)

Flashcards

IDS (Intrusion Detection System)

A system that monitors network traffic and alerts about suspicious activity. It cannot prevent attacks.

NIDS (Network-based IDS)

IDS deployed at the edge of the network to monitor and detect suspicious network traffic.

HIDS (Host-based IDS)

IDS running on a single computer to monitor and detect suspicious activity on that host.

IPS (Intrusion Prevention System)

A system that reacts to suspicious activity: it detects AND blocks potential threats from entering the network.

Proxy Server

An intermediary server between internal and external networks, filtering traffic.

Forward Proxy

A proxy that acts as a NAT (Network Address Translation) server, hiding internal users' IP addresses from the internet. It requests web pages on behalf of a user.

Reverse Proxy

A proxy that receives requests from the internet and forwards them to internal servers. It protects internal servers.

Network Address Translation (NAT)

A technology that translates private IP addresses into public ones, allowing multiple devices behind a gateway to share a single public IP address, improving security and saving public IP addresses.

DRaaS

A cloud-based disaster recovery solution offering high scalability and cost-effectiveness. It enables rapid takeover of business processes during a disaster.

PDU

A power distribution unit that connects to a wall outlet and provides power to devices within a rack.

UPS

A battery-powered backup providing continuous power to a device during power outages.

Backup

A copy of data or program files created for archiving or safekeeping.

3-2-1-1 Rule

A backup principle: 3 copies, 2 media types, 1 offsite, 1 offline. Ensures data protection.

RTO

Recovery Time Objective: the maximum allowable time for a network to be down after a disaster.

RPO

Recovery Point Objective: the amount of data loss a system can tolerate during an outage.

RAID 0

RAID level 0 splits data evenly across multiple disks, offering speed but no redundancy.

Router

A network device that connects and routes data packets between different networks.

Routing Protocol

A set of rules routers use to communicate and discover the best path for data to travel.

Firewall

A specialized device or software that filters or blocks network traffic, often placed between a private and public network.

Packet-filtering firewall

The simplest type of firewall that examines packet headers (information about the packet) to decide whether to allow or deny traffic based on rules.

Stateful firewall

A firewall that monitors packets based on existing traffic streams, tracking connections.

Stateless firewall

A firewall that treats each packet as independent, without considering ongoing connections.

Firewall misconfiguration

A common cause of firewall failure, often due to rules being too strict or too lenient, potentially causing issues with network access.

RADIUS

Remote Authentication Dial-In User Service; a protocol for authenticating users, often used for remote access.

Malware

Malicious software designed to harm or intrude upon computer systems.

Virus

A type of malware that replicates itself and infects more computers.

Trojan horse

Malware that disguises itself as useful software but actually harms the system.

Business Continuity

A company's ability to continue its operations with minimal disruption after a disaster or event.

Disaster Recovery Plan

A detailed plan for restoring critical functionality and data after a significant disruption.

Cold Site

A disaster recovery contingency with minimal infrastructure set up, requiring extensive configuration.

SNMP

Simple Network Management Protocol; part of TCP/IP for managing network devices.

Firewall rule

Instructions in a firewall that specify how to filter traffic.

Study Notes

Intrusion Detection and Prevention Systems (IDS/IPS)

• IDS (Intrusion Detection System) is a stand-alone device, application, or feature on a workstation, server, switch, router, or firewall.
• It monitors network traffic to detect suspicious activity.
• Two main detection methods: statistical anomaly detection and signature-based detection.
• Implementations include:
  • HIDS (Host-based IDS): protects a single computer.
  • NIDS (Network-based IDS): protects a network, usually at the edge or DMZ.
• IDS only detects and logs suspicious activity.
• IPS (Intrusion Prevention System) actively reacts to alerts by preventing malicious traffic, based on the source IP address.
• NIPS (Network-based Intrusion Prevention) protects entire networks.
• HIPS (Host-based Intrusion Prevention) protects individual hosts.
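
The two detection methods named above, signature-based and statistical anomaly detection, side by side in an added example (this is illustrative code written for these notes, not from any IDS product). It runs both methods over a constructed set of sshd-style log lines: the signature detector matches each line against fixed patterns for known-bad events, while the anomaly detector compares each source address's count of failed logins with a constructed baseline of normal counts and flags sources whose z-score exceeds a threshold. Like an IDS, it only reports; it blocks nothing.

```python
import re
import statistics
from collections import Counter

# Constructed sshd-style log lines (sample data, not a real capture).
LOG_LINES = [
    "Jan 10 10:00:02 host sshd[201]: Accepted password for alice from 10.0.0.5 port 50211 ssh2",
    "Jan 10 10:00:09 host sshd[202]: Failed password for root from 198.51.100.7 port 50300 ssh2",
    "Jan 10 10:00:31 host sshd[203]: Failed password for carol from 198.51.100.7 port 50301 ssh2",
    "Jan 10 10:01:04 host sshd[204]: Invalid user admin from 203.0.113.9 port 41000",
] + [
    # Eight failures for the same account from one source within a minute.
    f"Jan 10 10:01:{10 + i:02d} host sshd[{205 + i}]: Failed password for bob "
    f"from 203.0.113.9 port {41001 + i} ssh2"
    for i in range(8)
]

# Signature-based detection: each signature is a pattern for a known-bad event.
SIGNATURES = {
    "root-login-attempt": re.compile(r"Failed password for root from (\S+)"),
    "invalid-user": re.compile(r"Invalid user \S+ from (\S+)"),
}


def signature_detect(lines):
    """Return (signature name, source address) for every line that matches a signature."""
    alerts = []
    for line in lines:
        for name, pattern in SIGNATURES.items():
            m = pattern.search(line)
            if m:
                alerts.append((name, m.group(1)))
    return alerts


# Statistical anomaly detection: compare a source's failed-login count with a
# baseline of per-source counts seen during normal operation (constructed figures).
BASELINE_FAILURES_PER_SOURCE = [1, 3, 1, 3, 1, 3]   # mean 2.0, population std dev 1.0
FAILED = re.compile(r"Failed password for \S+ from (\S+)")


def anomaly_detect(lines, baseline=BASELINE_FAILURES_PER_SOURCE, z_threshold=3.0):
    """Return {source: z-score} for sources whose failure count is anomalously high."""
    mean = statistics.mean(baseline)
    sd = statistics.pstdev(baseline)
    counts = Counter(m.group(1) for m in map(FAILED.search, lines) if m)
    return {src: round((n - mean) / sd, 2)
            for src, n in counts.items() if (n - mean) / sd > z_threshold}


if __name__ == "__main__":
    print("signature alerts:", signature_detect(LOG_LINES))
    print("anomalous sources:", anomaly_detect(LOG_LINES))
```

The signature detector reports the root attempt from 198.51.100.7 and the invalid-user probe from 203.0.113.9, but says nothing about the eight ordinary failures from 203.0.113.9 because no signature describes them; the anomaly detector flags that source (z-score 6.0 against the baseline) while the two failures from 198.51.100.7 sit inside the normal range. That complementarity is why the notes list both methods.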

Proxy Servers

• Proxy server acts as an intermediary between internal and external networks, screening traffic.
• Manages security at the application layer.
• Appears as an internal server to the outside world, but is a filtering device.
• Prevents exposure of internal network addresses.
• Reverse proxy provides services to external clients from internal servers, protecting internal servers.
• Reverse proxies are useful for multiple web servers sharing a public IP address.
• Forward and Reverse Proxies act as NAT (Network Address Translation) servers.
• Forward proxy hides internal user IP addresses, while a reverse proxy responds to client requests for internal web servers.

Firewalls

• Firewall is a device or software that filters or blocks network traffic.
• Can be placed between private networks (e.g., internal LANs) and a public network (e.g., internet).
• Host-based firewalls only protect the computer they're installed on.
• Packet-filtering firewall examines packet headers against Access Control Lists (ACLs) to allow or deny traffic based on criteria like IP addresses, ports, and protocol types.
• Common criteria for filtering traffic: source/destination IP addresses, source/destination ports, TCP flags, UDP/ICMP protocols, packet sequence status, inbound/outbound status.
• Stateful firewalls monitor existing traffic streams, while stateless firewalls examine each packet independently.
• Firewall rules are similar to ACLs; an ACL functions on a single interface.
• Common cause of firewall failure is misconfiguration (too lenient or too strict rules).
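
An added example (written for these notes, not taken from any firewall product) of the packet-filtering and stateful/stateless behaviour described above. A rule matches on the header criteria listed in the notes: direction, protocol, source and destination address, and destination port. The ACL, the LAN addresses and the traffic are all constructed for the demonstration. The stateless decision judges every packet against the ACL alone, so a legitimate DNS reply coming back in is denied because no inbound rule permits it; the stateful firewall remembers the outbound query it admitted and allows the matching reply, while an unsolicited inbound packet to the same port is still denied.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """Header fields a packet-filtering firewall inspects (hypothetical model)."""
    src: str
    dst: str
    proto: str       # "tcp", "udp" or "icmp"
    sport: int
    dport: int
    direction: str   # "in" (arriving from the public network) or "out"


@dataclass(frozen=True)
class Rule:
    """One ACL entry; None for dport means any port."""
    action: str                  # "allow" or "deny"
    direction: str               # "in", "out" or "any"
    proto: str                   # "tcp", "udp", "icmp" or "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


# Constructed ACL for a LAN 10.0.0.0/24 that publishes a web server at 10.0.0.10.
ACL = [
    Rule("allow", "in", "tcp", dst="10.0.0.10/32", dport=80),   # public web traffic
    Rule("allow", "out", "any", src="10.0.0.0/24"),             # LAN hosts may go out
    Rule("deny", "any", "any"),                                  # explicit final deny
]


def stateless_decision(acl, p: Packet) -> str:
    """First matching rule wins; each packet is judged on its own headers only."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"


class StatefulFirewall:
    """Same ACL plus a connection table: a packet that is the reverse of a
    connection already admitted is allowed even without a matching rule."""

    def __init__(self, acl):
        self.acl = acl
        self.table = set()   # 5-tuples of admitted connections

    def decision(self, p: Packet) -> str:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if reverse in self.table:
            return "allow"   # reply belonging to an existing stream
        action = stateless_decision(self.acl, p)
        if action == "allow":
            self.table.add(key)
        return action


def demo():
    """Run constructed traffic through both models and return the decisions."""
    query = Packet("10.0.0.5", "198.51.100.53", "udp", 40000, 53, "out")
    reply = Packet("198.51.100.53", "10.0.0.5", "udp", 53, 40000, "in")
    unsolicited = Packet("203.0.113.9", "10.0.0.5", "udp", 53, 40000, "in")
    web = Packet("203.0.113.9", "10.0.0.10", "tcp", 51000, 80, "in")
    fw = StatefulFirewall(ACL)
    return {
        "stateless_query": stateless_decision(ACL, query),
        "stateless_reply": stateless_decision(ACL, reply),
        "stateful_query": fw.decision(query),
        "stateful_reply": fw.decision(reply),
        "stateful_unsolicited": fw.decision(unsolicited),
        "web_inbound": fw.decision(web),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

The "too strict" misconfiguration in the last bullet shows up directly here: to make replies work with a purely stateless ACL, an administrator would have to add a broad inbound allow for high ports, which is exactly the "too lenient" rule that lets the unsolicited packet through. Tracking connection state avoids that trade-off.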

Remote Authentication Dial-In User Service (RADIUS)

• RADIUS is a cross-platform, open-source application layer protocol used for user authentication.
• Uses either UDP or TCP in the transport layer.
• Can run on a remote access server or a dedicated RADIUS server.
• Highly scalable, used for authenticating wireless, mobile, and remote users.
• Often combined with other network services (e.g., proxies, VPNs) on a single machine.
• Authentication port: 1812
• Standard port: 1813

DSL (Digital Subscriber Line)

• DSL is a WAN connection method using the PSTN.
• Supports multiple data and voice channels over a single line.
• Requires repeaters for longer distances.
• Distance to the central office (CO) affects throughput.
• Uses advanced data modulation techniques (amplitude/phase modulation).
• Faster than traditional dial-up modems.
• Digital carrier, unlike analog dial-up modems.
• xDSL refers to all DSL varieties (e.g., ADSL, VDSL, SDSL).

Simple Network Management Protocol (SNMP)

• SNMP is part of the TCP/IP suite.
• Three versions: SNMPv1, SNMPv2, and SNMPv3.
• SNMPv1 is rarely used today.
• SNMPv2 improved on SNMPv1 with better performance and slightly better security.
• SNMPv3 augments SNMPv2 with authentication, validation, and encryption.

Malware

• Malware is a program designed to intrude upon or harm a system or resources.
• Types of malware: viruses, Trojans, worms, bots, ransomware.
• Virus: replicates itself to infect more computers.
• Trojan: disguises itself as useful software but harms the system.
• Worm: runs independently and spreads between computers/networks.
• Bot: runs automatically without user intervention.
• Ransomware: locks user data or systems until a ransom is paid.

Business Continuity and Disaster Recovery

• Business continuity is a company's ability to continue operations with minimal disruption.
• Disaster recovery plan details processes for restoring critical functionality and data.
• A disaster recovery plan should include contacts, backup frequency/location/methods/verification, network redundancy/agreements, strategies for testing, and crisis management.
• Three categories of disaster recovery contingencies: cold site, warm site, hot site.
• DRaaS (Disaster Recovery as a Service) is a cloud-based, scalable, inexpensive DR option.
• PDU (Power Distribution Unit) is attached to a power source.
• UPS (Uninterruptible Power Supply) is a battery-powered power source that prevents power fluctuations.
• UPS categories: Standby UPS and Online UPS.
• Backup is a copy of data or program files kept for archiving or safekeeping.
• 3-2-1-1 Rule: 3 copies of data, 2 media types, 1 copy offsite, 1 offline copy.
• Factors affecting contingency plans and backup options include RTO (recovery time objective) and RPO (recovery point objective).

Routers and Routing Protocols

• Router connects two or more networks and passes packets from one network to another.
• Router functions: connect dissimilar networks (LAN/WAN), interpret Layer 3 and often Layer 4 addressing, determine the best path, and reroute traffic if the primary path is down.
• Router categories: core/interior routers (within an AS), edge/border routers (between ASes), exterior routers (outside the organization's AS).
• Routing protocols enable routers to communicate to find optimal paths.
• Interior Gateway Protocols (IGPs) are used within Autonomous Systems (ASes) (e.g., RIP, OSPF, IS-IS, EIGRP).
• Exterior Gateway Protocols (EGPs) facilitate routing between ASes (e.g., BGP).

Description

This quiz covers the fundamentals of Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS), detailing their functions, types, and methods of detection. Additionally, it includes information about proxy servers and their role in network security. Test your knowledge on these critical components of network safety!
