Intrusion Prevention Systems (IPS)

Questions and Answers

What type of attack is one for which no signature exists?

• Phishing attack
• Zero-day attack (correct)
• Brute force attack
• Malware attack

Which action does an IDS take regarding network traffic?

• Generates new traffic
• Modifies traffic
• Passively monitors traffic (correct)
• Actively blocks traffic

What is a primary function of an IPS?

• Blocking malicious traffic (correct)
• Accelerating network speed
• Decrypting encrypted data
• Compressing data packets

What Layer does IPS inspect malicious traffic content?

Application layer (B)

Which characteristic is common to both IDS and IPS?

Operate as sensors (B)

What is an advantage of an IDS?

Zero network impact (C)

What action does an IPS take that an IDS does not?

Stops trigger packets (C)

Which implementation provides operating system and application-level protection?

Host-based IPS (A)

Which implementation is operating system independent?

Network-based IPS (B)

What is a disadvantage of network-based IPS?

Cannot examine encrypted traffic (A)

What is an IPS deployment mode?

Inline mode (B)

What does SPAN stand for?

Switched Port Analyzer (A)

What command is used to associate a destination port with a SPAN session?

monitor session number destination (A)

In IPS a signature is defined by which three attributes?

Type, Trigger, Action (D)

What type of IPS signature consists of a single packet, activity, or event?

Atomic (C)

Which of the following contains a package of network signatures used by an IPS?

Signature File (D)

What is a false positive alarm type?

Normal user traffic generating an alarm (C)

What is a true negative alarm type?

Normal user traffic generating no alarm (D)

What action is performed when an event triggers the produce alert?

Generates an alert (C)

What action is performed when an event triggers the deny attacker inline?

Drops packets (C)

What is the purpose of the Secure Device Event Exchange (SDEE)?

Event management (A)

Which of the following is a consideration when choosing an IPS solution?

Amount of network traffic (A)

Which deployment mode has the IPS being directly in the path of the network traffic?

Inline Mode (D)

What are the key advantages of Host-Based IPS?

Security and Operating System Protection (A)

How do IDS and IPS technologies detect misuse in network traffic?

Signatures (C)

What is the best way for an IPS appliance to block undesirable traffic?

Inline Mode (A)

What do IDS and IPS use to detect typical intrusion activitiy?

A set of rules. (A)

How does IPS operate?

Inline mode (C)

Which SPAN command allows you to see if a SPAN session is configured?

show monitor (B)

What are IPS required to do with malicious traffic coming to a host?

Must stop malicious traffic prior to arriving at host (B)

What kind of signatures identify a sequence of operations distributed across multiple hosts?

Composite (B)

Which trigger can be used to initiate an alarms?

Trigger (C)

Which can assist in preventing malware attacks?

Cisco IPS (B)

How fast does an IPS respond to malicious traffic?

Immediately (D)

What helps IPS detects patterns of misuse in network traffic?

Signature (B)

Where are Network-Based IPS sensors placed?

Inline Network (A)

Which deployment mode does IDS use?

Promiscuous Mode (C)

What kind of pattern does IDS and IPS detect?

Atomic and Composite patterns (D)

Which of the following is a valid action performed by an IPS on TCP connections?

Deny packet inline (C)

What is required for Anomaly-based detection to properly identify malicious traffic?

Historical or Normal traffic profile (D)

What term describes an attack for which no signature exists?

Zero-Day Attack (B)

What does a signature contain?

Rules to detect typical intrusion activity (A)

IPS works passively.

False (B)

IDS requires traffic to be mirrored in order to reach it.

True (A)

IDS can stop single packet attacks from reaching their target.

False (B)

IPS responds immediately, preventing malicious traffic from passing.

True (A)

IDS inspects malicious traffic and blocks it at the application layer.

False (B)

IDS and IPS are both always deployed as inline devices.

False (B)

Both IDS and IPS use signatures to detect patterns of misuse in network traffic.

True (A)

IDS has an impact on network performance.

False (B)

IPS often stops trigger packets.

True (A)

A disadvantage of IPS is that sensor issues never affect network traffic.

False (B)

Host-based IPS is operating system independent.

False (B)

Network-based IPS can examine encrypted traffic.

False (B)

Network-Based IPS is cost effective.

True (A)

Network IPS is visible on the network.

False (B)

In promiscuous mode, an IPS sensor is deployed inline.

False (B)

An inline mode deployment sends copies of traffic to the IPS sensor.

False (B)

Switched Port Analyzer (SPAN) is also known as port mirroring.

True (A)

The monitor session command is used to configure SPAN sessions.

True (A)

Atomic signatures identify distributed sequences of operations.

False (B)

IPS signatures have only two distinct attributes.

False (B)

A signature file contains only one network signature.

False (B)

A false positive alarm indicates normal user traffic is incorrectly identified as malicious.

True (A)

The best outcome is identifying a true negative, where ideal settings are achieved.

True (A)

Policy-based signature detection can NOT detect unknown attacks.

False (B)

Request block connection is an example of a resetting a TCP connection action.

False (B)

Deny attacker inline is an example of a dropping or preventing the activity action.

True (A)

SPAN ports send a copy of network traffic.

True (A)

Zero-day attacks target vulnerabilities that are unknown to the vendor.

True (A)

An IDS actively blocks malicious traffic.

False (B)

An IPS analyzes Layer 3 and Layer 4 traffic.

True (A)

The ACL does not permit traffic on TCP port 443.

False (B)

IDS and IPS use only atomic patterns to detect misuse.

False (B)

The policy must be created for Anomaly-Based Detection.

True (A)

IDS is an older technology that is hardly ever used in modern systems.

False (B)

IDS implementation comes with some impact to network.

False (B)

Security budget is not a deciding factor when choosing an IPS Solution.

False (B)

SNMP stands for Simple Network Management Protocol.

True (A)

A signature is only a set of rules for IPS.

False (B)

A trigger for an alarm is a signature attribute.

True (A)

Signatures are static and do not need to be updated.

False (B)

A zero-day attack is an attack that is well-known and has existing patches.

False (B)

IDS operates in an inline mode, actively blocking malicious traffic.

False (B)

IPS can stop single packet attacks from reaching a target.

True (A)

A signature in intrusion detection systems is a set of guidelines used to detect potential intrusive actions.

True (A)

Atomic signatures are those that require examining multiple packets to identify a malicious activity.

False (B)

Flashcards

What is a Zero-Day Attack?

An attack that exploits a vulnerability unknown to the software vendor or security professionals.

Advantages of an IDS

It works passively, requires mirrored traffic, and doesn't usually pass network traffic unless mirrored.

How does an IPS work?

An IPS is inline, monitors Layers 3 and 4 traffic, can stop single packet attacks, and responds immediately to block malicious traffic.

IDS vs IPS

An IDS operates passively, while an IPS actively blocks detected threats.

How are IDS and IPS similar?

Sensors are deployed, signatures are used, and atomic/composite patterns are detected.

What are the advantages of IDS and IPS?

IDS has no network impact, and IPS stops trigger packets.

Disadvantages of IDS and IPS

IDS cannot stop triggers, and IPS may affect network traffic.

Host-Based vs. Network-Based IPS

Host-based IPS provides specific protection to a host operating system, while network-based IPS is cost-effective and OS independent.

Factors affecting IPS sensor selection

Amount of traffic, network topology, security budget, and available security staff.

Deployment modes: Promiscuous vs Inline?

Promiscuous mode (IDS) uses SPAN; Inline mode (IPS) uses IPS sensors.

What is a SPAN port?

A SPAN port sends copies of traffic to a monitoring device for analysis.

What does a monitor session command do?

It associates a source port and a destination port with a SPAN session.

What are the three attributes of signatures?

Type, Trigger (alarm), and Action.

Atomic vs composite signature

An atomic signature consists of a single packet, and a composite signature identifies a sequence of operations.

What is a signature file?

It contains a package of network signatures used by an IPS.

What are the different detection types?

Pattern-based, anomaly-based, policy-based, and honey pot-based

What is a false positive alarm?

Normal user traffic triggers an alarm.

What is a false negative?

Attack traffic doesn't trigger an alarm.

What actions can an IPS take?

Produce alert, log activity, drop activity, reset connection, block future activity, or allow activity.

What is an IPS?

Works by inspecting malicious traffic content at the application layer and blocking it.

What is host-based IPS?

Protection specific to a host OS; must be installed on all hosts.

What are the disadvantages of network-based IPS?

Cannot examine encrypted traffic; must stop malicious traffic prior to host.

What is Cisco IPS AIM?

Cisco IPS appliance used in network module.

What does the show monitor command do?

Verifies the SPAN session

How should signature files be handled as new threats emerge?

New signatures must be created and uploaded

What type of signature is detecting an ARP request?

Atomic signatures

What is stateful inspection?

State required to identify activity that deviates from a normal profile.

What is a constraint of composite signatures?

Previous activity is required to identify undesirable behavior.

What is a true negative?

Ideal setting; Normal user traffic and no alarm generated.

What does SDEE provide?

Sends security alerts to a network management console and syslog server.

What is a signature in network security?

A set of rules used by an IDS and IPS to detect typical intrusion activity.

What is the function of 'blocking' in IPS?

Stops trigger packets and any further malicious actions.

What are the advantages of pattern-based detection?

Easy configuration, fewer false positives, and good signature design.

What is a disadvantage of honey pot-based detection?

A traffic profile that must be constant.

What's a property of Atomic Signatures?

No state is required to examine a pattern.

Study Notes

<existing_notes>
### Chapter 5: Implementing Intrusion Prevention

- This chapter provides an overview of intrusion prevention systems (IPS).

### 5.1 IPS Technologies

- This section covers zero-day attacks, monitoring, detection, stopping attacks and the advantages and disadvantages of IDSs and IPSs.

### 5.1.1: IDS and IPS Characteristics

- Zero-day attacks exploit vulnerabilities before they are known publicly.

### Monitor for Attacks

- Intrusion Detection Systems (IDS) work passively.
- An IDS requires traffic mirroring to analyze it.
- Network traffic doesn't pass through the IDS unless mirrored.

### Detect and Stop Attacks

- Intrusion Prevention Systems (IPS) operate inline.
- An IPS monitors Layer 3 and Layer 4 traffic.
- IPS can stop single-packet attacks to prevent reaching a target.
- IPS responds immediately to block malicious traffic.
- An IPS inspects malicious traffic content at the application layer

### Similarities Between IDS and IPS

- Both intrusion detection systems (IDS) and intrusion prevention systems (IPS) are deployed as sensors.
- Both IDS and IPS use signatures to detect patterns of misuse in network traffic.
- IDS and IPS can detect atomic patterns (single-packet) and composite patterns (multi-packet).

### Advantages and Disadvantages of IDS and IPS

- The advantages of IDS include no impact on the network.
- The advantages of IDS include no network impact if there is a sensor failure or overload.
- The disadvantages of IDS include response actions not stopping the trigger.
- The advantages of IPS include stopping trigger packets.
- The disadvantages of IPS include sensor issues potentially affecting network traffic.
- The disadvantages of IPS include sensor overloading impacting the network and some impact on the network.

### 5.1.2: Network-Based IPS Implementations

- Network-Based IPS implementations and Host-Based IPS Implementations

### Host-Based and Network-Based IPS

- Host-based IPS provides protection specific to a host operating system and application-level protection. It also protects the host after the message is decrypted. However, it's operating system-dependent and must be installed on all hosts.
- Network-Based IPS is cost-effective and operating system-independent. However, it cannot examine encrypted traffic and must stop malicious traffic before it reaches the host.

### Network-Based IPS Sensors

- A corporate network is protected from untrusted network with firewall and sensors in place

### Cisco’s Modular and Appliance-Based IPS Solutions

- Cisco offers various IPS solutions, including IPS AIM, Network Module Enhanced (IPS NME), ASA AIP-SSM, IPS 4300 Series Sensors, and Catalyst 6500 Series IDSM-2.

### Choose an IPS Solution
- Factors affecting IPS sensor selection and deployment are the amount of network traffic, the network topology, the security budget, and the availability of security staff.

### IPS Advantages and Disadvantages
- Network IPS is cost-effective, not visible on the network, operating system independent, and able to see lower-level network events.
- Network IPS cannot examine encrypted traffic and cannot determine whether an attack was successful.

### Modes of Deployment
- Promiscuous mode is associated with IDS
- Inline mode is associated with IPS

### 5.1.3: Cisco Switched Port Analyzer

- Cisco Systems provides SPAN (Switched Port Analyzer) for port mirroring.

### Port Mirroring

- Traffic can be analyzed using a hub by sniffing the traffic

### Cisco SPAN

- Traffic can be analysed using a switch to copy the traffic to a port analyzer

### Configuring Cisco SPAN Using Intrusion Detection

- Configuring Cisco SPAN uses the monitor session command to associate a source port and a destination port with a SPAN session.
- The show monitor command is used to verify the SPAN session.

### 5.2: IPS Signatures

- Covers IPS signature characteristics, IPS signature alarms, managing and monitoring IPS and understanding the global correlation of Cisco IPS devices.

### 5.2.1: IPS Signature Characteristics

- A signature is a set of rules used by IDS and IPS to detect intrusions.
- Signatures have three attributes: type, trigger (alarm), and action.

### Signature Types

- Atomic signatures consist of a single packet, activity, or event.
- Composite signatures identify a sequence of operations distributed across multiple hosts over time.

### Signature File

- New signatures are created and uploaded to an IPS as new threats are identified.
- A signature file contains a package of network signatures.

### Download a Signature File

- A signature file can be downloaded

### 5.2.2: IPS Signature Alarms

- Explanation of IPS signature alarms

### Signature Alarm

- Detection types include pattern-based detection, anomaly-based detection, policy-based detection, and honey pot-based detection.
- Pattern-based detection is easy to configure and has fewer false positives.
- Anomaly-based detection is simple, reliable, and uses customized policies.
- Policy-based detection is easy to configure and can detect unknown attacks.
- Honey pot-based detection provides a window to view attacks, distracts/confuses attackers, slows down/averts attacks, and collects information about attacks.

### Pattern-Based Detection

- Atomic signatures don't require state to examine patterns.
- Composite Signatures must contain state or examine multiple items to determine if signal action should be applied

### Anomaly-Based Detection
- State is required to identify activity that deviates from normal profile for composite signature type

### Policy-Based and Honey Pot-Based Detection
- State is not required to identify undesirable behavior for atomic signatures

### Alarm Triggering Mechanisms

- Alarm types are detailed along with their associated network activity, IPS activity, and outcomes.
- A false positive, normal user traffic triggers alarm generation, requiring alarm tuning.
- A false negative refers to attack traffic not generating an alarm, also requiring tuning.
- A true positive is attack traffic generating an alarm, which is ideal.
- A true negative represents normal user traffic not triggering an alarm, which is ideal.

### 5.2.3: IPS Signature Actions

- Covers the summary of action categories

### Signature Actions

- Action categories are defined, including generating an alert, logging activity, dropping or preventing activity, resetting a TCP connection, blocking future activity, and allowing activity.

### 5.2.4: Manage and Monitor IPS

- Covers everything to do with management and monitoring of IPS

### Secure Device Event Exchange

- Syslog and SDEE protocol is used in secure divide event exchange

### IPS Configuration Best Practices
- VPN, ESA/WSA, Webserver, Email server and DNS with firewall and IPS in place
</existing_notes>