Intrusion Prevention Systems (IPS)


Questions and Answers

A network administrator is tasked with identifying attacks that exploit vulnerabilities before patches are available. Which type of attack should the administrator be aware of?

  • Man-in-the-middle attack
  • Denial of Service (DoS) attack
  • Distributed Denial of Service (DDoS) attack
  • Zero-day attack (correct)

An organization needs to implement a solution that actively blocks malicious traffic in real-time. Which security technology should they deploy?

  • Network Analyzer
  • IDS (Intrusion Detection System)
  • IPS (Intrusion Prevention System) (correct)
  • Firewall with basic ACLs

A security analyst observes that an IDS is configured to receive mirrored traffic from a switch. What is the primary operational characteristic of an IDS in this deployment?

  • It passively monitors network traffic without directly influencing the flow of data. (correct)
  • It operates in-line, directly processing all network packets.
  • It actively blocks malicious traffic by resetting TCP connections.
  • It requires explicit configuration of access control lists to function.

Which of the following is a key advantage of deploying an IPS in an inline mode compared to an IDS?

Answer: An IPS can actively prevent attacks by dropping malicious packets. (C)

A security engineer needs to ensure an IPS can inspect encrypted traffic. What is a primary limitation that needs to be addressed when using a network-based IPS?

Answer: Network-based IPS solutions cannot examine encrypted traffic without decryption. (A)

An organization wants to monitor traffic between two specific servers without impacting overall network performance. What Cisco technology can be used to achieve this?

Answer: SPAN (Switched Port Analyzer) (C)

A network security engineer is troubleshooting an IPS that is generating numerous false positive alerts. What action should the engineer take to reduce false positives?

Answer: Tune the IPS signatures to better match the network profile and reduce sensitivity. (A)

Which of the following signature types in an IPS identifies malicious activity by recognizing a sequence of operations distributed across multiple hosts over time?

Answer: Composite Signature (C)

An administrator wants to receive immediate notifications about critical security events detected by the IPS. Which action can be configured for an IPS signature to achieve this?

Answer: Produce alert (C)

What is the major operating difference between an IDS and IPS (Intrusion Prevention System)?

Answer: An IPS is deployed in-line, whereas an IDS is deployed off-line. (B)

Which of the following is characteristic of a zero-day attack?

Answer: It exploits vulnerabilities that are unknown to the software vendor. (B)

What is a primary advantage of using a host-based intrusion prevention system (HIPS)?

Answer: It protects the host after the message is decrypted. (B)

Which of the following scenarios is most suitable for deploying a network-based IPS sensor?

Answer: Examining traffic as it crosses the network perimeter (A)

Which factor should an organization prioritize when selecting an IPS solution for their network?

Answer: The amount of network traffic the IPS needs to process (C)

How do Intrusion Detection Systems (IDS) primarily function in a network?

Answer: By passively monitoring network traffic and alerting on potential threats (D)

In the context of IPS, what is the purpose of a signature?

Answer: To define a rule to detect specific malicious activity (B)

An IPS generates an alarm based on a traffic pattern that is actually normal for your network. What type of alarm is this?

Answer: False positive (D)

What is the role of a signature file in an Intrusion Prevention System (IPS)?

Answer: It contains rule sets an IPS uses to detect malicious traffic. (A)

What does SPAN stand for concerning networking?

Answer: Switched Port Analyzer Network (A)

Of the shown options, which is more likely to suffer sensor issues?

Answer: An IPS (A)

Which of the following signatures requires a state to examine multiple items to take action?

Answer: Composite signature. (B)

Which type of connection would a TCP reset affect?

Answer: Only TCP connections. (B)

What is SDEE as related to network security?

Answer: Secure Device Event Exchange (B)

What is the purpose of port mirroring?

Answer: Copies network traffic from one or more ports to another port for analysis. (D)

Which type of detection is able to detect unknown vulnerabilities?

Answer: Policy-based detection. (C)

Given the command Switch(config)# monitor session 1 source interface GigabitEthernet 0/1, what is being configured?

Answer: Setting up a SPAN session to monitor traffic from GigabitEthernet 0/1 (C)

Which is a possible action that can be taken by the IPS?

Answer: All of these answers. (B)

When configuring a Cisco SPAN session, what is the purpose of designating a destination port?

Answer: To specify the port where mirrored traffic should be sent for analysis (D)

Which of the following is a disadvantage of host-based IPS (HIPS) compared to network-based IPS?

Answer: HIPS must be installed on all hosts to be protected, increasing management overhead. (A)

Which of the following is a consideration when deploying an IPS solution?

Answer: Amount of network traffic. (B)

How can the monitor command be used?

Answer: To verify the SPAN session. (C)

What is the definition of an atomic signature?

Answer: Rules applied using one packet. (A)

What does it mean for an IDS to 'work passively'?

Answer: It requires traffic to be mirrored to it. (B)

Which of the following is a disadvantage of network-based IPS?

Answer: Cannot determine when an attack has been successful. (D)

How does a false alarm affect tuning?

Answer: The tune alarm can be adjusted. (D)

When using Cisco SPAN, which is necessary to mirror the source ports?

Answer: Both Destination and Source SPAN. (A)

Which best describes Honey pot-based Detection?

Answer: Slow down and avert attacks. (A)

An organization uses both IDS and IPS. Which characteristic is common to both?

Answer: Both technologies are deployed as sensors to detect patterns of misuse. (C)

A network security team notices an increase in false positive alarms on their IPS. What action should the team take to address this?

Answer: Tune the IPS signatures to better match the network's normal traffic patterns. (B)

A security engineer needs to deploy an IPS solution but has a limited budget. Which type of IPS deployment should the engineer choose to minimize costs while still providing effective security?

Answer: A network-based IPS (NIPS) to monitor traffic at the network perimeter. (A)

An organization needs to monitor network traffic for potential threats without disrupting network operations. Which deployment mode is most suitable for their Intrusion Detection System (IDS)?

Answer: Promiscuous mode using SPAN or port mirroring. (D)

A security analyst is investigating a zero-day exploit. What is the primary characteristic of this type of attack?

Answer: It exploits a vulnerability that is unknown to the software vendor and without a patch. (D)

Flashcards

What is a zero-day attack?

An attack that exploits a vulnerability unknown to the software vendor or security community.

What are the advantages of an IDS?

Works passively; requires traffic to be mirrored to it; traffic doesn't pass through the IDS unless mirrored.

What are the characteristics of an IPS?

Implemented inline, monitors Layer 3 and 4 traffic, stops single-packet attacks, responds immediately to malicious traffic.

What does an IPS do?

Inspects traffic content at the application layer and blocks it.

What are the similarities between IDS and IPS?

Both technologies are deployed as sensors, use signatures to detect misuse, and can detect atomic or composite patterns.

What are the advantages of IDS and IPS?

IDS has no impact on the network and IPS stops trigger packets.

What are the disadvantages of IDS and IPS?

IDS cannot stop the trigger and IPS might affect network traffic.

What are the characteristics of the Host-Based IPS?

Provides specific host protection. Operating system dependent.

What are the characteristics of Network-Based IPS?

Cost-effective, operating system independent; cannot examine encrypted traffic.

What factors affect IPS sensor selection?

Amount of network traffic/topology and budget.

Promiscuous Mode vs Inline Mode?

An IDS is deployed in promiscuous mode and works passively; an IPS is deployed in inline mode.

What does the monitor session command do?

Associates a source port and a destination port with a SPAN session.

What are the three attributes of Signatures?

Type, trigger (alarm), and action.

Atomic vs. Composite Signatures?

An atomic signature is a single event. A composite signature is a sequence of operations.

What's in a signature file?

A package of network signatures.

What are the advantages of Pattern-Based Detection?

Easy configuration, simple and reliable.

What are the advantages of Anomaly-Based Detection?

Simple and reliable, customized policies.

What are the advantages of Policy-Based Detection?

Easy configuration, can detect unknown attacks.

What are the advantages of Honey pot-Based Detection?

Window to view attacks; distracts and confuses attackers.

Atomic Signature?

A single packet, activity, or event that is examined to determine whether it matches a configured signature.

Composite Signature?

Identifies a sequence of operations distributed across multiple hosts over an arbitrary period of time.

What is a False positive alarm?

Normal user traffic is flagged as malicious.

Action: produce an alert?

Action used to alert if a security issue occurs.

Log attacker packets, log pair packets, log victim packets?

Actions used to investigate problems.

Deny attacker inline, deny connection inline, deny packet inline?

The IPS drops the dangerous activity.

Request block connection, request block host?

Stops future related attacks.

Study Notes

Chapter 5: Implementing Intrusion Prevention

  • This chapter is about implementing intrusion prevention
  • The chapter covers IPS technologies, IPS signatures and IPS implementation
  • The chapter concludes with a summary

IPS Technologies

  • This section covers zero-day attacks and how to monitor for, detect and stop attacks
  • It also looks at the advantages and disadvantages of IDS and IPS

IDS and IPS Characteristics

  • Zero-day attacks are exploits that occur before a patch is available

Monitoring for Attacks

  • Intrusion Detection System (IDS) works passively
  • IDS requires traffic to be mirrored to reach it
  • Network traffic doesn't pass through the IDS unless mirrored

Detecting and Stopping Attacks

  • Intrusion Prevention System (IPS) operates in inline mode
  • IPS monitors Layer 3 and Layer 4 traffic
  • IPS can stop single packet attacks from reaching the target
  • IPS responds immediately, preventing malicious traffic from passing

IPS

  • IPS inspects and blocks malicious traffic content at the application layer

Similarities Between IDS and IPS

  • Both IDS and IPS are deployed as sensors
  • Both use signatures to detect misuse patterns in network traffic
  • Both can detect atomic (single-packet) or composite (multi-packet) patterns

Advantages and Disadvantages of IDS and IPS

  • IDS has no impact on the network and network traffic isn't affected by sensor failures or overloads
  • IDS cannot stop the trigger packet
  • IPS stops trigger packets
  • IPS sensor issues or overloading can affect network traffic, and an IPS always has some impact on the network

Host-Based and Network-Based IPS Implementations

  • Host-based IPS provides protection specific to a host operating system
  • Host-based IPS also provides operating system and application level protection
  • Host-based IPS protects the host after message decryption
  • A disadvantage of Host-based IPS is that it is operating system dependent
  • Network-based IPS is cost-effective and operating system independent
  • A disadvantage of Network-based IPS is that it cannot examine encrypted traffic
  • Another disadvantage of Network-based IPS is that it must stop malicious traffic before it arrives at the host

Network-Based IPS Sensors

  • Network-based IPS sensors are placed within the network to monitor traffic

Cisco’s Modular and Appliance-Based IPS Solutions

  • Cisco offers modular and appliance-based IPS solutions
  • Examples include Cisco IPS AIM, Network Module Enhanced (IPS NME), ASA AIP-SSM, etc.

Choosing an IPS Solution

  • Factors to consider for IPS sensor selection include network traffic amount, network topology, security budget, and available security staff

IPS Advantages and Disadvantages

  • Network IPS is cost-effective, not visible on the network, and OS independent
  • Network IPS sees lower-level network events
  • Network IPS cannot examine encrypted traffic or determine if an attack was successful

Modes of Deployment

  • Promiscuous Mode is used in IDS
  • Inline Mode is used in IPS

Cisco Switched Port Analyzer

  • Cisco Switched Port Analyzer is a feature for port mirroring

Configuring Cisco SPAN for Intrusion Detection

  • The monitor session command associates a source and destination port with a SPAN session
  • The show monitor command verifies the SPAN session

IPS Signatures

  • Understand IPS signature characteristics
  • Explain IPS signature alarms
  • Manage and monitor IPS
  • Understand the global correlation of Cisco IPS devices

IPS Signature Characteristics

  • A signature is a set of rules for IDS/IPS to detect typical intrusion activity
  • Signatures have Type, Trigger (alarm), and Action attributes.

Signature Types

  • Atomic signatures consist of a single packet, activity, or event
  • Composite signatures identify a sequence of operations across multiple hosts over time

Signature File

  • New signatures must be created and uploaded to an IPS as new threats are identified
  • A signature file contains a package of network signatures

IPS Signature Alarms

  • Signature alarms come from various detection types (listed below)

Detection Type

  • Pattern-based detection offers easy configuration, fewer false positives, and good signature design.
  • Anomaly-based detection is simple and reliable with customized policies.
  • Policy-based detection offers easy configuration and detects unknown attacks.
  • Honey pot-based detection provides a window to view attacks, distract attackers, slow down attacks, and collect information.

Signature Type

  • Atomic signatures require no state to examine patterns
  • Composite signatures need state or multiple items to determine signature action

Anomaly-Based Detection Signature Type

  • Atomic signatures need no state to identify activity that deviates from a normal profile
  • Composite signatures require state to identify activity that deviates from a normal profile

Alarm Triggering Mechanisms

  • False positive: Normal traffic triggers an alarm; addressed by tuning the alarm
  • False negative: An attack occurs but triggers no alarm; addressed by tuning the alarm
  • True positive: An attack occurs and generates an alarm; this is the ideal outcome
  • True negative: Normal traffic occurs and triggers no alarm; this is the ideal outcome

IPS Signature Actions

  • Action categories include generating alerts, logging activity, dropping/preventing activity, resetting TCP connections, blocking future activity, and allowing activity

Managing and Monitoring IPS

  • Actions include producing alerts (verbose or non-verbose), logging attacker/pair/victim packets, denying attackers inline, and resetting TCP connections

Actions for Controlling Traffic

  • Actions for controlling traffic include requesting block connections/hosts, requesting SNMP traps, or allowing traffic based on configured exceptions (e.g., approved IT scanning hosts)

Secure Device Event Exchange

  • Secure Device Event Exchange (SDEE) is used to report alarms
  • The SDEE protocol and syslog are used to deliver events to a network management console and to syslog servers

IPS Configuration Best Practices

  • An example topology is shown that includes a VPN, a firewall, an IPS, a web server, and DNS and email servers
