Intrusion Detection & Prevention Systems Overview
Questions and Answers

What is the primary function of an IDS?

  • To detect and log suspicious activity (correct)
  • To generate network traffic for analysis
  • To encrypt data stream within a network
  • To block all incoming network connections

Which of the following statements best describes a network-based IDS (NIDS)?

  • It is primarily used to encrypt data packets in transit.
  • It operates at the edge of the network to monitor traffic for multiple systems. (correct)
  • It runs on a single computer to protect that host only.
  • It requires a user to be present at all times for monitoring.

How does a forward proxy function in relation to user IP addresses?

  • It hides internal users' IP addresses when accessing the Internet. (correct)
  • It restricts users from accessing external websites.
  • It assigns random IP addresses to internal users for anonymity.
  • It exposes users' IP addresses to the external servers.

What is one of the key differences between an IDS and an IPS?

    An IDS detects threats but does not take action, while an IPS reacts to suspicious activity.

What is a primary purpose of a reverse proxy?

    To provide identity protection for servers rather than clients.

In what way does a proxy server manage security?

    By filtering traffic at the application layer.

Which type of IDS runs specifically on one computer to monitor that host?

    Host-based IDS (HIDS)

What role does a NAT server play in relation to proxies?

    It forwards requests and responses between users and external servers.

What is the primary advantage of using DRaaS in disaster recovery planning?

    It is highly scalable and cost-effective.

Which UPS classification provides power by switching to a battery only when an outage occurs?

    Standby UPS

What does the 3-2-1-1 rule emphasize regarding data backups?

    Keep three copies of the data, on two media types, with one copy offsite and one offline.

What is the primary function of routers in a network?

    To connect multiple networks and manage data paths.

Which of the following is true about BGP?

    It is the only EGP in current use.

Which routing protocol uses a distance-vector algorithm calculated by hop count to determine routes?

    RIP

What aspect does RTO (Recovery Time Objective) primarily define in disaster recovery planning?

    The maximum allowable downtime for a network or service.

What does OSPF utilize to map and determine the best path for data in a network?

    Link-state routing (each router builds a map of the topology and runs a shortest-path calculation on it).

Which statement is accurate regarding RAID 5 configurations?

    It stripes data across three or more drives with parity distributed over all of them, at the cost of one drive's capacity (a single dedicated parity drive is RAID 4, not RAID 5).

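The RAID 5 answer is the one most often mis-stated, so here is an added worked example (not part of the quiz) showing what the distributed parity actually is: each stripe holds one XOR parity chunk, the parity position rotates from stripe to stripe, and any single lost drive is rebuilt by XOR-ing the survivors. The payload, drive count and chunk size are constructed for illustration.

```python
def xor_blocks(blocks):
    """Bytewise XOR of equal-length blocks; this is all RAID 5 parity is."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def parity_drive_for(stripe_index, n_drives):
    """Rotate the parity chunk across drives so no single drive holds all parity
    (a dedicated parity drive would be RAID 4, and a write bottleneck)."""
    return (n_drives - 1 - stripe_index) % n_drives


def raid5_write(data, n_drives, chunk_size):
    """Stripe data across n_drives; each stripe has n_drives-1 data chunks
    plus one parity chunk. Returns one list of chunks per drive."""
    if n_drives < 3:
        raise ValueError("RAID 5 needs at least three drives")
    per_stripe = chunk_size * (n_drives - 1)
    data = data + b"\x00" * (-len(data) % per_stripe)   # pad the last stripe
    drives = [[] for _ in range(n_drives)]
    for s, start in enumerate(range(0, len(data), per_stripe)):
        chunks = [data[start + i * chunk_size:start + (i + 1) * chunk_size]
                  for i in range(n_drives - 1)]
        parity = xor_blocks(chunks)
        p = parity_drive_for(s, n_drives)
        remaining = iter(chunks)
        for d in range(n_drives):
            drives[d].append(parity if d == p else next(remaining))
    return drives


def raid5_read(drives, failed=None):
    """Reassemble the data, ignoring drive `failed` entirely if given: every
    missing chunk (data or parity) is rebuilt as the XOR of the surviving
    chunks in its stripe, which is why exactly one failure is survivable."""
    n = len(drives)
    out = b""
    for s in range(len(drives[0])):
        stripe = [None if d == failed else drives[d][s] for d in range(n)]
        if failed is not None:
            stripe[failed] = xor_blocks([c for c in stripe if c is not None])
        p = parity_drive_for(s, n)
        out += b"".join(stripe[d] for d in range(n) if d != p)
    return out


def usable_fraction(n_drives):
    """Capacity available for data: one drive's worth is consumed by parity."""
    return (n_drives - 1) / n_drives


if __name__ == "__main__":
    DATA = b"The quick brown fox jumps over the lazy dog"   # constructed payload
    array = raid5_write(DATA, n_drives=4, chunk_size=4)
    for failed in range(4):
        assert raid5_read(array, failed).rstrip(b"\x00") == DATA
    print("rebuilt after any single failure; usable capacity:", usable_fraction(4))
```

Losing a second drive before the rebuild finishes leaves a stripe with two unknown chunks and one equation, which is unrecoverable; that window is the reason RAID 6 (two parity chunks) exists and why RAID is not a substitute for the backups discussed later in the notes.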
What differentiates Online UPS from Standby UPS?

    An online UPS powers the load from its inverter continuously (the battery is always in the circuit, so there is no transfer gap), whereas a standby UPS switches to battery only when mains power fails.

What is the primary function of a packet-filtering firewall?

    To filter traffic based on pre-defined rules matching packet headers

Which feature is NOT typically found in a host-based firewall?

    Protecting the integrity of a network router

Which type of firewall manages packets independently, without considering existing connections?

    Stateless firewall

What is the function of RADIUS in network security?

    To authenticate and authorize remote users (and to account for their sessions)

Which of the following is NOT a characteristic of malware?

    Implementing firewall functions

What typically causes firewall failure?

    Improper configuration of the firewall rules

Which of the following is the correct port number used by RADIUS for authentication?

    UDP 1812

What is NOT a category of disaster recovery contingency?

    Virtual site

Which DSL type provides equal download and upload speeds, maxing out around 2 Mbps?

    SDSL

Which characteristic describes a Trojan horse in malware?

    Disguises itself as legitimate software

Which modulation technique is used in DSL connections for optimal data transfer?

    Amplitude or phase modulation

Which SNMP version primarily enhances performance and security compared to its predecessor?

    SNMPv2 (its gain is mainly performance; authentication and encryption only arrived with SNMPv3)

Which of the following best describes stateful firewalls?

    They track established connections and evaluate packets in relation to those streams.

What is the main purpose of a disaster recovery plan?

    To ensure the restoration of critical functionality and data after a disaster

    Study Notes

    Intrusion Detection and Prevention Systems (IDS/IPS)

    • IDS (Intrusion Detection System) is a stand-alone device, application, or feature on a workstation, server, switch, router, or firewall.
    • It monitors network traffic to detect suspicious activity.
    • Two main detection methods: statistical anomaly detection and signature-based detection.
    • Implementations include:
      • HIDS (Host-based IDS): protects a single computer.
      • NIDS (Network-based IDS): protects a network, usually at the edge or DMZ.
    • IDS only detects, logs, and alerts on suspicious activity; it does not stop it.
    • IPS (Intrusion Prevention System) sits inline and reacts to a match by dropping the packet, resetting the connection, or blocking the source IP address. Because it is inline, a false positive in IPS mode blocks legitimate traffic instead of just raising an alert, so noisy rules are usually run in detect-only mode first.
    • NIPS (Network-based Intrusion Prevention) protects entire networks.
    • HIPS (Host-based Intrusion Prevention) protects individual hosts.
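The two detection methods and the IDS/IPS distinction above are easier to see in code. The following is an added example, not part of the original notes: it runs a few signature rules and a statistical request-rate check over a constructed web-server access log, then applies an IPS-style block policy in which one rule is deliberately left in detect-only mode. The log format, the regex signatures, the baseline counts and the thresholds are all assumptions chosen for illustration.

```python
import re
from collections import Counter
from statistics import mean, pstdev
from urllib.parse import unquote

# Constructed web-server access log: "<client-ip> <method> <request> <status>".
SAMPLE_LOG = """\
10.0.0.5 GET /index.html 200
10.0.0.7 GET /login 200
10.0.0.9 GET /cgi-bin/test.cgi?cmd=;cat%20/etc/passwd 404
10.0.0.5 GET /about.html 200
10.0.0.7 GET /search?q=%27%20OR%201%3D1-- 200
10.0.0.11 GET /admin 404
10.0.0.11 GET /backup.zip 404
10.0.0.11 GET /.git/config 404
10.0.0.11 GET /.env 404
10.0.0.11 GET /wp-login.php 404
10.0.0.11 GET /phpmyadmin 404
10.0.0.11 GET /config.php 404
10.0.0.11 GET /server-status 404
10.0.0.5 GET /contact.html 200
10.0.0.12 GET /../../etc/shadow 400
"""

# Constructed baseline: requests per source seen during a known-good period.
# Statistical anomaly detection needs such a profile of "normal" first.
BASELINE_REQUESTS_PER_SOURCE = [3, 2, 4, 3, 2, 3, 4, 3]

# Signature rules (name -> pattern), applied to the URL-decoded request.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sql-injection": re.compile(r"'\s*(or|and)\s+\d+=\d+", re.IGNORECASE),
    "command-injection": re.compile(r"[;|`]\s*(cat|sh|bash|wget|curl)\b", re.IGNORECASE),
}


def parse(line):
    """Split one log line; decode %xx escapes so signatures see the real request."""
    ip, method, request, status = line.split()
    return ip, method, unquote(request), int(status)


def signature_alerts(log_text):
    """Signature-based detection: known-bad patterns, one alert per rule per line."""
    alerts = []
    for line in log_text.splitlines():
        ip, _, request, _ = parse(line)
        for name, pattern in SIGNATURES.items():
            if pattern.search(request):
                alerts.append((ip, name))
    return alerts


def anomaly_alerts(log_text, baseline_counts, k=3.0):
    """Statistical anomaly detection: flag any source whose request count lies
    more than k standard deviations above the baseline mean."""
    threshold = mean(baseline_counts) + k * pstdev(baseline_counts)
    counts = Counter(parse(line)[0] for line in log_text.splitlines())
    return [(ip, "request-rate") for ip, n in counts.items() if n > threshold]


def ips_blocklist(alerts, block_on=("path-traversal", "command-injection", "request-rate")):
    """IPS policy: an alert on a rule listed in block_on blocks its source IP.
    sql-injection is deliberately left in detect-only mode, the usual way to
    tune a noisy rule before letting it drop traffic."""
    return {ip for ip, rule in alerts if rule in block_on}


def ips_allows(ip, blocklist):
    """The inline decision an IPS makes for a new packet from ip."""
    return ip not in blocklist


if __name__ == "__main__":
    alerts = signature_alerts(SAMPLE_LOG) + anomaly_alerts(SAMPLE_LOG, BASELINE_REQUESTS_PER_SOURCE)
    blocked = ips_blocklist(alerts)
    for ip, rule in alerts:
        print(f"{ip:<10} {rule:<18} {'BLOCK' if ip in blocked else 'ALERT ONLY'}")
```

An IDS would stop at the alert list; the IPS step is the block set plus the per-packet `ips_allows` decision. Note that the rate rule catches the directory-scanning source that no signature matched, while the signature rules catch single requests that no rate threshold would, which is why most deployments use both.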

    Proxy Servers

    • Proxy server acts as an intermediary between internal and external networks, screening traffic.
    • Manages security at the application layer.
    • To the outside world the proxy appears to be the internal endpoint it fronts; in reality it is a filtering device.
    • Prevents exposure of internal network addresses.
    • Reverse proxy provides services to external clients from internal servers, protecting internal servers.
    • Reverse proxies are useful for multiple web servers sharing a public IP address.
    • Both proxy types hide internal addresses much as a NAT (Network Address Translation) device does; unlike NAT, a proxy terminates the client's connection and opens its own connection to the destination, which is what lets it inspect and filter at the application layer.
    • Forward proxy hides internal user IP addresses, while a reverse proxy responds to client requests for internal web servers.

    Firewalls

    • Firewall is a device or software that filters or blocks network traffic.
    • Can be placed between private networks (e.g., internal LANs) and a public network (e.g., internet).
    • Host-based firewalls only protect the computer they're installed on.
    • Packet-filtering firewall examines packet headers against Access Control Lists (ACLs) to allow or deny traffic based on criteria like IP addresses, ports, and protocol types.
    • Common filtering criteria: source/destination IP addresses, source/destination ports, TCP flags, protocol (TCP, UDP, ICMP), packet sequence status, and direction (inbound/outbound).
    • Stateful firewalls monitor existing traffic streams, while stateless firewalls examine each packet independently.
    • Firewall rules resemble router ACLs, but an ACL is applied to a single interface and direction, whereas a firewall policy can span interfaces and use connection state.
    • Common cause of firewall failure is misconfiguration (too lenient or too strict rules).
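The stateless/stateful distinction in the list above decides whether an attacker can slip an unsolicited packet past a rule that was meant for replies. The following is an added example, not from the original notes: a tiny header-only filter with a first-match ACL, a stateful variant that records connections opened by permitted outbound SYNs, and a constructed scenario (HTTPS handshake followed by a spoofed SYN from source port 443 to RDP) run through both. Addresses, ports and rules are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """The header fields a packet filter consults (constructed; no payload)."""
    direction: str   # "in" or "out", relative to the protected LAN
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


# Stateless ACL: evaluated top-down, first match wins, implicit deny at the end.
# A rule matches when every listed field equals the packet's field.
STATELESS_ACL = [
    dict(action="allow", direction="out", proto="tcp", dport=443),
    # Without connection state, letting HTTPS replies back in means trusting
    # any inbound packet that merely claims to come from port 443.
    dict(action="allow", direction="in", proto="tcp", sport=443),
]


def stateless_filter(pkt, acl=STATELESS_ACL):
    """Judge each packet on its own headers, with no memory of earlier packets."""
    for rule in acl:
        if all(getattr(pkt, field) == value
               for field, value in rule.items() if field != "action"):
            return rule["action"]
    return "deny"


class StatefulFirewall:
    """Remembers connections opened by permitted outbound SYNs and admits an
    inbound packet only if it belongs to one of them."""

    def __init__(self, outbound_rules):
        self.outbound_rules = outbound_rules
        self.conntrack = set()   # (proto, lan_ip, lan_port, remote_ip, remote_port)

    def filter(self, pkt):
        if pkt.direction == "out":
            if stateless_filter(pkt, self.outbound_rules) != "allow":
                return "deny"
            if pkt.syn and not pkt.ack:          # new connection: record it
                self.conntrack.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        # Inbound: accepted only when it is the reverse of a tracked connection.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "allow" if key in self.conntrack else "deny"


# Constructed scenario: a LAN host opens an HTTPS connection, the server replies,
# then an attacker sends a SYN from source port 443 to the host's RDP port.
LAN, SERVER, ATTACKER = "192.168.1.10", "203.0.113.5", "198.51.100.7"
SCENARIO = [
    ("client SYN to server:443", Packet("out", "tcp", LAN, 51000, SERVER, 443, syn=True)),
    ("server SYN/ACK reply", Packet("in", "tcp", SERVER, 443, LAN, 51000, syn=True, ack=True)),
    ("attacker SYN from :443 to RDP", Packet("in", "tcp", ATTACKER, 443, LAN, 3389, syn=True)),
]


def evaluate_scenario(scenario=SCENARIO):
    """Run the same packets through both filters; returns (label, stateless, stateful)."""
    stateful = StatefulFirewall(outbound_rules=STATELESS_ACL[:1])
    return [(label, stateless_filter(pkt), stateful.filter(pkt)) for label, pkt in scenario]


if __name__ == "__main__":
    for label, stateless, stateful in evaluate_scenario():
        print(f"{label:<32} stateless={stateless:<5} stateful={stateful}")
```

The stateful firewall needs only the outbound rule: return traffic is admitted because a matching connection exists, not because of a standing inbound permit, so the spoofed SYN has nothing to match. This is the same reason an "established" inbound rule on a stateless ACL (matching on the ACK flag) is weaker than real connection tracking.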

    Remote Authentication Dial-In User Service (RADIUS)

    • RADIUS is a cross-platform, open-standard (RFC 2865) application layer protocol used for user authentication, authorization, and accounting (AAA).
    • Runs over UDP; TCP and TLS-wrapped transports (RadSec, RFC 6614) exist but are less common.
    • Can run on a remote access server or a dedicated RADIUS server.
    • Highly scalable, used for authenticating wireless, mobile, and remote users.
    • Often combined with other network services (e.g., proxies, VPNs) on a single machine.
    • Authentication/authorization port: UDP 1812
    • Accounting port: UDP 1813 (older implementations used 1645 and 1646)
    • Only the User-Password attribute is obscured, using an MD5 keystream derived from the shared secret; every other attribute travels in cleartext, so RADIUS traffic should stay on a trusted management network or use RadSec.
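To make the last point concrete, here is an added example (not from the original notes) of the RFC 2865 Access-Request/Access-Accept exchange with both sides in pure Python: the client hides the password with the MD5 keystream, the server recovers and checks it, and the client verifies the Response Authenticator that binds the reply to the request and the shared secret. Attribute types and the packet layout are those of RFC 2865; the shared secret, user database and identifiers are constructed assumptions.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2          # attribute types (RFC 2865)
HEADER = struct.Struct("!BBH")           # Code, Identifier, Length; then a 16-byte Authenticator


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password (server side). Trailing NUL padding is removed,
    so passwords ending in NUL bytes are not representable, as in the RFC."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def attribute(atype, value):
    """Type, Length (including these two bytes), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_packet(code, identifier, authenticator, attrs):
    body = b"".join(attrs)
    return HEADER.pack(code, identifier, 20 + len(body)) + authenticator + body


def parse_attributes(packet):
    attrs, pos = {}, 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def access_request(username, password, secret, identifier, request_auth=None):
    """Client (NAS) side. The Request Authenticator must be fresh and unpredictable:
    reusing it reuses the password keystream across requests."""
    request_auth = request_auth or os.urandom(16)
    attrs = [attribute(USER_NAME, username),
             attribute(USER_PASSWORD, hide_password(password, secret, request_auth))]
    return build_packet(ACCESS_REQUEST, identifier, request_auth, attrs)


def response_authenticator(code, identifier, length, request_auth, attrs_bytes, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(HEADER.pack(code, identifier, length) + request_auth + attrs_bytes + secret).digest()


def server_handle(packet, secret, user_db):
    """Server side: recover the password, check it, and answer with an
    Access-Accept or Access-Reject bound to this request and to the secret."""
    code, identifier, _ = HEADER.unpack(packet[:4])
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    request_auth = packet[4:20]
    attrs = parse_attributes(packet)
    password = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
    stored = user_db.get(attrs[USER_NAME], b"")
    reply_code = ACCESS_ACCEPT if stored and hmac.compare_digest(stored, password) else ACCESS_REJECT
    auth = response_authenticator(reply_code, identifier, 20, request_auth, b"", secret)
    return build_packet(reply_code, identifier, auth, [])


def client_verify_reply(reply, request, secret):
    """Client side: accept the reply only if its identifier matches the request and
    its Response Authenticator verifies under the shared secret. Returns (ok, code)."""
    code, identifier, length = HEADER.unpack(reply[:4])
    if identifier != request[1] or length != len(reply):
        return False, code
    expected = response_authenticator(code, identifier, length, request[4:20], reply[20:], secret)
    return hmac.compare_digest(reply[4:20], expected), code


if __name__ == "__main__":
    secret = b"constructed-shared-secret"          # assumption: pre-shared NAS/server secret
    users = {b"alice": b"correct horse battery"}  # constructed user database
    req = access_request(b"alice", b"correct horse battery", secret, identifier=7)
    reply = server_handle(req, secret, users)
    print("verified:", client_verify_reply(reply, req, secret))
    print("verifies under wrong secret:", client_verify_reply(reply, req, b"other")[0])
```

Everything here rests on one MD5-based shared secret: an attacker who captures a request and can guess the secret offline recovers the password, and only User-Password is protected at all (User-Name is visible in the packet). That is the practical argument for the management-network or RadSec advice in the notes.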

    DSL (Digital Subscriber Line)

    • DSL is a WAN connection method that runs over the copper local loop of the PSTN.
    • Supports multiple data and voice channels over a single line.
    • Requires repeaters for longer distances.
    • Distance to the central office (CO) affects throughput.
    • Uses advanced data modulation techniques (amplitude/phase modulation).
    • Faster than traditional dial-up modems.
    • Digital carrier, unlike analog dial-up modems.
    • xDSL refers to all DSL varieties (e.g., ADSL, VDSL, SDSL).

    Simple Network Management Protocol (SNMP)

    • SNMP is part of the TCP/IP suite.
    • Three versions: SNMP v1-3.
    • SNMPv1 is rarely used today.
    • SNMPv2 (in practice SNMPv2c) improved on SNMPv1 with better performance (e.g., bulk retrieval) but kept cleartext community strings, so its security is barely better.
    • SNMPv3 adds user authentication (HMAC-MD5/SHA), message integrity, and encryption (DES/AES); it should be used instead of v1/v2c wherever the devices support it.

    Malware

    • Malware is a program designed to intrude upon or harm a system or resources.
    • Types of malware: Viruses, Trojans, Worms, Bots, Ransomware
    • Virus: replicates itself to infect more computers
    • Trojan: disguises itself as useful but harms the system
    • Worm: runs independently and spreads between computers/networks
    • Bot: runs automatically without user intervention, typically placing the infected host under an attacker's remote control as part of a botnet
    • Ransomware: locks user data or systems until a ransom is paid

    Business Continuity and Disaster Recovery

    • Business continuity is a company's ability to continue operations with minimal disruption.
    • Disaster recovery plan details processes for restoring critical functionality and data.
    • A disaster recovery plan should include contacts, backup frequency/location/methods/verification, network redundancy/agreements, strategies for testing, and crisis management.
    • Three categories of disaster recovery contingencies: cold site, warm site, hot site.
    • DRaaS (Disaster Recovery as a Service) is a cloud-based, scalable, inexpensive DR option.
    • PDU (Power Distribution Unit) takes power from a source (often a UPS) and distributes it to rack equipment.
    • UPS (Uninterruptible Power Supply) provides battery backup and conditions power against sags, surges, and brief outages.
    • UPS categories: Standby UPS and Online UPS.
    • Backup is a copy of data or program files kept for archiving or safekeeping.
    • 3-2-1-1 Rule: 3 copies of data, on 2 media types, 1 copy offsite, 1 copy offline (or otherwise immutable, so ransomware cannot reach it).
    • Factors affecting contingency plans and backup options include RTO (recovery time objective: the maximum acceptable downtime) and RPO (recovery point objective: the maximum acceptable data loss, expressed as the age of the last usable backup).

    Routers and Routing Protocols

    • Router connects two or more networks and passes packets from one network to another.
    • Router functions: connect dissimilar networks (LAN/WAN), interpret Layer 3 and often Layer 4 addressing, determine the best path, and reroute traffic if the primary path is down.
    • Router categories: Core/Interior routers (within AS), Edge/Border routers (between AS's), Exterior routers (out of organization's AS).
    • Routing protocols enable routers to communicate to find optimal paths.
    • Interior Gateway Protocols (IGPs) are used within Autonomous Systems (AS's) (e.g., RIP, OSPF, IS-IS, EIGRP).
    • Exterior Gateway Protocols (EGPs) facilitate routing outside of AS's (e.g., BGP).
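The RIP/OSPF contrast in the list above (hop count versus link-state cost) shows up as different paths on the same network. The following is an added example, not from the original notes: a distance-vector table exchange in the style of RIP and a Dijkstra shortest-path run in the style of OSPF over one constructed five-router topology, where a two-hop route over slow links competes with a three-hop route over fast ones. Router names and link costs are assumptions.

```python
import heapq
from math import inf

# Constructed topology: LINKS[router][neighbour] = OSPF-style cost, derived from a
# 100 Mbps reference bandwidth: a 100 Mbps link costs 1, a 10 Mbps link costs 10.
LINKS = {
    "R1": {"R2": 1, "R4": 10},
    "R2": {"R1": 1, "R3": 1},
    "R3": {"R2": 1, "R5": 1},
    "R4": {"R1": 10, "R5": 10},
    "R5": {"R3": 1, "R4": 10},
}
RIP_INFINITY = 16   # RIP treats 16 hops as unreachable


def rip_tables(links):
    """Distance-vector: each router keeps {dest: (hops, next_hop)} and repeatedly
    merges its neighbours' tables (Bellman-Ford style) until nothing changes."""
    tables = {r: {r: (0, r)} for r in links}
    changed = True
    while changed:
        changed = False
        for router, neighbours in links.items():
            for nbr in neighbours:
                for dest, (hops, _) in list(tables[nbr].items()):
                    candidate = min(hops + 1, RIP_INFINITY)
                    if candidate < tables[router].get(dest, (RIP_INFINITY + 1,))[0]:
                        tables[router][dest] = (candidate, nbr)
                        changed = True
    return tables


def rip_path(tables, src, dst):
    """Follow next hops from src to dst; returns (path, hop_count)."""
    path, cur = [src], src
    while cur != dst:
        cur = tables[cur][dst][1]
        path.append(cur)
    return path, tables[src][dst][0]


def ospf_spf(links, source):
    """Link-state: every router holds the whole map (the link-state database)
    and runs Dijkstra on it; returns (cost_to, previous_hop) for each router."""
    cost_to, previous = {source: 0}, {}
    heap = [(0, source)]
    while heap:
        cost, u = heapq.heappop(heap)
        if cost > cost_to.get(u, inf):
            continue
        for v, link_cost in links[u].items():
            new_cost = cost + link_cost
            if new_cost < cost_to.get(v, inf):
                cost_to[v], previous[v] = new_cost, u
                heapq.heappush(heap, (new_cost, v))
    return cost_to, previous


def ospf_path(links, src, dst):
    """Walk the previous-hop chain back from dst; returns (path, total_cost)."""
    cost_to, previous = ospf_spf(links, src)
    path = [dst]
    while path[-1] != src:
        path.append(previous[path[-1]])
    return path[::-1], cost_to[dst]


if __name__ == "__main__":
    print("RIP  R1->R5:", rip_path(rip_tables(LINKS), "R1", "R5"))   # fewest hops
    print("OSPF R1->R5:", ospf_path(LINKS, "R1", "R5"))              # lowest cost
```

RIP sends R1's traffic to R5 over the two slow links because it only counts hops; OSPF takes the three-hop path because its cost reflects bandwidth. The distance-vector loop also shows why RIP converges slowly: each router learns only what its neighbours already know, one exchange at a time, whereas a link-state router recomputes from the full map as soon as an update arrives.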

    Description

    This quiz covers the fundamentals of Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS), detailing their functions, types, and methods of detection. Additionally, it includes information about proxy servers and their role in network security. Test your knowledge on these critical components of network safety!
