Intrusion Prevention Systems (IPS)


Questions and Answers

How does a network-based IPS primarily operate regarding traffic analysis?

  • By inspecting traffic in real-time as it traverses the network. (correct)
  • By only examining traffic at the application layer to detect exploits.
  • By analyzing stored traffic logs to identify suspicious patterns.
  • By mirroring traffic to a separate device for analysis.

Which statement accurately differentiates between IDS and IPS technologies?

  • IDS passively monitors network traffic, while IPS actively prevents identified threats. (correct)
  • IDS and IPS both actively block traffic, but IDS has a higher impact on network performance.
  • IDS focuses on preventing external threats, while IPS is designed for internal threat detection.
  • IDS operates in-line, actively blocking malicious traffic, while IPS monitors passively.

What is a primary disadvantage of host-based IPS (HIPS) compared to network-based IPS?

  • HIPS is ineffective against encrypted traffic.
  • HIPS requires installation on every host, increasing administrative overhead. (correct)
  • HIPS has a higher cost to implement and maintain.
  • HIPS cannot protect against zero-day attacks.

What is the key characteristic of a 'zero-day' attack that makes it particularly challenging to defend against?

Answer: It targets vulnerabilities that are unknown to vendors and for which no patch is available.

An administrator notices numerous false positive alarms on the IPS. What action should the administrator take to address this issue?

Answer: Tune the IPS signatures to better match legitimate traffic patterns.

Which type of IPS signature examines multiple packets over time to identify malicious activity?

Answer: Composite signature.

What is the purpose of using SPAN (Switched Port Analyzer) in network monitoring?

Answer: To copy network traffic from one or more ports to a designated port for analysis.

When evaluating different vendor IPS solutions, which factor is the MOST important to consider alongside the security budget?

Answer: The amount of network traffic and the security staff available to manage the IPS.

What is a potential disadvantage of using anomaly-based detection in an IPS?

Answer: It may generate a high number of false positives due to deviations from the learned baseline.

In the context of IPS actions, what does 'Request Block Connection' typically accomplish?

Answer: It sends a request to a blocking device managed by the sensor (a router or firewall) to block that specific connection, identified by its source and destination addresses and ports. (The related 'Request Block Host' action blocks all traffic from the attacking address, and 'Reset TCP Connection' tears down the session with TCP resets.)

IDS operates in inline mode, actively blocking malicious traffic as it passes through the network.

Answer: False.

A key advantage of an IDS is that its deployment typically has a direct impact on network performance, ensuring thorough inspection of all traffic.

Answer: False.

A zero-day attack refers to an exploit that leverages a vulnerability known by both the vendor and the security community, allowing quick patching.

Answer: False.

Cisco SPAN (Switched Port Analyzer) is used to mirror network traffic from one or more ports to a dedicated port for analysis by an IDS or IPS system.

Answer: True.

Network-based IPS can effectively examine encrypted traffic without requiring decryption, providing visibility into potential threats within secure communications.

Answer: False.

A signature in IPS is a single, unchangeable attribute.

Answer: False.

Atomic signatures in IPS are designed to detect patterns across multiple network packets, offering a comprehensive view of potential threats.

Answer: False.

In IPS, a 'false negative' alarm indicates that an attack occurred, and the IPS correctly generated an alarm.

Answer: False.

The primary goal of 'request block host' action in IPS is to permit traffic based on configured exceptions.

Answer: False.

Security budget has no impact on the selection and deployment of IPS sensors.

Answer: False.

What is the primary goal of endpoint security in a borderless network environment?

Answer: To answer post-malware attack questions, stop threats, and prevent future incidents.

Which technology provides features such as spam filtering and outbound message control?

Answer: Cisco Email Security Appliance (ESA).

How does deploying multiple security technologies enhance Endpoint Security?

Answer: It ensures comprehensive protection by addressing threats from different angles.

Which Layer 2 attack involves an attacker flooding the switch's MAC address table with bogus MAC addresses?

Answer: CAM table overflow attack.

Why is it important to configure port security on a switch?

Answer: To prevent unauthorized devices from connecting to the network.

Which port security violation mode drops traffic from unauthorized MAC addresses and increments the violation counter?

Answer: Restrict.

What is the primary purpose of DHCP snooping?

Answer: To prevent unauthorized DHCP servers from providing IP addresses.

In a network with DHCP snooping enabled, how are ports typically configured to differentiate between legitimate and potentially malicious DHCP traffic?

Answer: Ports are designated as either 'trusted' or 'untrusted'.

What type of Layer 2 attack involves an attacker overwhelming a DHCP server by sending numerous requests for IP addresses, exhausting the available address pool?

Answer: DHCP starvation attack.

Which action does Cisco's AMP (Advanced Malware Protection) take before a potential malware attack?

Answer: Harden.

Cisco AMP focuses on security measures applied before, during, and after a malware attack.

Answer: True.

In a CAM table overflow attack, macof is used to flood a switch with legitimate MAC addresses, overwhelming the switch's memory.

Answer: False.

Implementing DHCP snooping involves configuring switch ports as either 'trusted' or 'protected' to filter DHCP traffic.

Answer: False.

Cisco Email Security solutions offer solely spam blocking and inbound message control.

Answer: False.

Host-based protection methods include antivirus/antimalware, spam filtering and URL filtering.

Answer: True.

In port security, 'Protect' violation mode increases the violation counter, sends a syslog message, and shuts down the port.

Answer: False.

NAC authenticates users and enforces network security policies, but does not assess endpoint compliance.

Answer: False.

Traditional endpoint security primarily relies on perimeter firewalls and network intrusion prevention systems.

Answer: False.

A DHCP starvation attack occurs when a rogue DHCP server provides incorrect IP configuration information to clients.

Answer: False.

Layer 3 vulnerabilities are mitigated using ethernet frames and MAC address filtering.

Answer: False.

Flashcards

Zero-Day Attack

An attack that exploits a vulnerability before a patch is available.

IDS (Intrusion Detection System)

Operates passively, mirroring traffic for analysis without directly intervening.

IPS (Intrusion Prevention System)

Operates inline, actively blocking or preventing malicious traffic.

Atomic Signature

Looks at a single packet, activity, or event to determine if it matches a configured signature


Composite Signature

Identifies a sequence of operations distributed across multiple hosts over an arbitrary period of time.


False Positive

An alarm triggered when normal traffic is incorrectly identified as malicious.


False Negative

Attack traffic is not detected, so no alarm is generated and the attack passes through the network unnoticed (the most dangerous outcome).


True Positive

Attack traffic is correctly detected and an alarm is generated (the desired outcome).


True Negative

Normal traffic that does not violate security policy is correctly left alone and no alarm is generated.

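
To make the atomic/composite distinction and the four alarm outcomes concrete, here is an added Python example (it is not code from the original lesson or from any Cisco product): a stateless atomic signature and a stateful port-sweep composite signature run over a constructed packet trace, with each packet scored as TP, FP, TN or FN against a ground-truth label. The trace, the regex patterns, the three-ports-in-two-seconds threshold and the tuple layout are all assumptions made for the example. It also shows the tuning point from the quiz: a sloppy pattern raises a false positive that a tighter pattern removes, while the composite signature necessarily misses the first packets of the sweep (false negatives) before its threshold is reached.

```python
"""Atomic vs. composite signatures and the four alarm outcomes.

Added example, not from the original lesson. The packet trace, the
signature patterns and the port-sweep thresholds are all constructed
for illustration; no real sensor or signature IDs are involved."""
import re
from collections import defaultdict

# Constructed trace: (timestamp_s, src_ip, dst_port, tcp_flags, payload, is_attack).
# is_attack is the ground-truth label used only for scoring; the signatures
# never see it.
TRACE = [
    (0.0, "10.0.0.5", 80, "PA", "GET /index.html HTTP/1.1", False),
    (0.1, "10.0.0.5", 80, "PA", "GET /../../etc/passwd HTTP/1.1", True),
    (1.0, "10.0.0.9", 22, "S", "", True),     # start of a port sweep
    (1.1, "10.0.0.9", 23, "S", "", True),
    (1.2, "10.0.0.9", 25, "S", "", True),
    (1.3, "10.0.0.9", 80, "S", "", True),
    (1.4, "10.0.0.9", 443, "S", "", True),
    (5.0, "10.0.0.7", 443, "S", "", False),   # a normal host opening two sessions
    (9.0, "10.0.0.7", 80, "S", "", False),
    (9.5, "10.0.0.7", 80, "PA", "GET /passwd-policy.html HTTP/1.1", False),
]


class AtomicSignature:
    """Stateless: examines one packet and fires if the regex hits the payload."""

    def __init__(self, name, pattern):
        self.name = name
        self.regex = re.compile(pattern)

    def inspect(self, pkt):
        _ts, _src, _dport, _flags, payload, _label = pkt
        return bool(self.regex.search(payload))


class CompositeSignature:
    """Stateful: fires once a source has sent SYNs to at least `ports`
    distinct destination ports within a sliding window of `window` seconds."""

    def __init__(self, name, ports=3, window=2.0):
        self.name = name
        self.ports = ports
        self.window = window
        self.history = defaultdict(list)   # src_ip -> [(ts, dport), ...]

    def inspect(self, pkt):
        ts, src, dport, flags, _payload, _label = pkt
        if flags != "S":
            return False
        recent = [(t, p) for t, p in self.history[src] if ts - t <= self.window]
        recent.append((ts, dport))
        self.history[src] = recent
        return len({p for _, p in recent}) >= self.ports


def run_sensor(trace, signatures):
    """Classify every packet as TP, FP, TN or FN against its ground-truth label."""
    outcomes = []
    for pkt in trace:
        # Evaluate every signature (no short-circuit) so stateful ones see each packet.
        alarm = any([sig.inspect(pkt) for sig in signatures])
        attack = pkt[5]
        if alarm and attack:
            outcomes.append("TP")
        elif alarm:
            outcomes.append("FP")
        elif attack:
            outcomes.append("FN")
        else:
            outcomes.append("TN")
    return outcomes


def score(trace, atomic_pattern):
    """Run a fresh sensor (atomic + composite) and return outcome counts."""
    sigs = [AtomicSignature("etc-passwd-traversal", atomic_pattern),
            CompositeSignature("tcp-port-sweep", ports=3, window=2.0)]
    outcomes = run_sensor(trace, sigs)
    return {k: outcomes.count(k) for k in ("TP", "FP", "TN", "FN")}


if __name__ == "__main__":
    # A sloppy pattern alarms on 'passwd-policy.html' (a false positive);
    # tuning it to require the traversal prefix removes that alarm.
    print("sloppy:", score(TRACE, r"passwd"))
    print("tuned: ", score(TRACE, r"\.\./.*etc/passwd"))
```

The two false negatives on the sweep are inherent to any composite signature: it cannot know a sequence is malicious until enough of it has been seen, which is why an inline IPS still lets the first probes through and why the threshold is a tuning decision rather than a fixed truth.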

Monitor Session Command

The IOS monitor session command binds one or more source ports (or VLANs) and a destination port into a SPAN session, for example monitor session 1 source interface GigabitEthernet0/1 followed by monitor session 1 destination interface GigabitEthernet0/2; the IDS listens on the destination port.


IDS Operation

Traffic is mirrored to the IDS for analysis; it works passively.


IPS Function

Inspects packet contents up through the application layer (Layers 3 to 7) and, because it sits inline, drops or blocks traffic that matches a signature.


Network-Based IPS advantages

Cost-effective, operating system independent network security solution.


IPS inline mode

A configuration where the IPS sensor analyzes all traffic as it passes through the network.


Promiscuous mode

Analyzing network traffic passively, using a SPAN port to copy traffic


Signature

A set of rules that an IDS and an IPS use to identify intrusion activity.


Policy-based detection advantages

Simple and reliable; policies can be customized to the environment; can detect unknown attacks. (Drawbacks: the output is generic and the policy must be written by hand.)


Anomaly-based Detection Advantages

Easy to configure; can detect unknown attacks because it flags deviations from a learned baseline. (Drawbacks: profiling normal activity on a large network is difficult, traffic is not static, and deviations from the baseline raise false positives.)


Endpoint Security

Security measures focused on individual devices to protect networks.


Antivirus/Antimalware Software

Software that identifies and neutralizes malware threats.


URL Filtering

Filters web access, blocking malicious or inappropriate sites.


Blacklisting

Prevents access from specific, known malicious domains or IP addresses.


Cisco NAC

Prevents unauthorized network access based on security posture.


Spam Blocking

Blocks unwanted email to reduce spam and phishing attacks.


Mitigating CAM Table Attacks

Leverages port security to restrict MAC addresses on a port.


CAM Table Overflow Attack

An attack that overwhelms a switch's CAM table.


DHCP Starvation Attack

An attack that floods the DHCP server with DISCOVER/REQUEST messages carrying spoofed client MAC addresses until the address pool is exhausted, so legitimate clients can no longer obtain a lease (often a prelude to DHCP spoofing).


DHCP Spoofing Attack

An attack in which a rogue DHCP server answers clients with false configuration (for example the attacker's address as default gateway or DNS server), enabling man-in-the-middle interception.


What is Endpoint Security?

Protecting individual devices like computers from threats.


Antimalware Software

Software designed to identify & remove malicious software.


What is URL Filtering?

Filter web access, blocking access to malicious sites.


What is Blacklisting?

Prevents access from known malicious IP addresses or domain names.


Data Encryption

Hardware & Software encryption to protect locally stored info.


What is Spam Blocking?

Blocks unwanted emails to protect against spam & phishing.


What is Cisco NAC?

A Cisco solution that controls network access based on policy.


Switch Flooding

When the destination MAC address is not in the CAM table (or the table is full), the switch forwards the frame out every port in the VLAN except the one it arrived on.


What is DHCP Spoofing?

Attack where rogue devices provide incorrect network settings.


IP Source Guard

Prevents IP address spoofing on untrusted ports by checking each packet's source IP (and optionally MAC) against the DHCP snooping binding table.


Study Notes

Chapter 6: Securing the Local Area Network

  • This chapter covers endpoint security and Layer 2 security threats and their mitigations

6.1 Endpoint Security

  • This section introduces endpoint security, Cisco AMP, and Cisco NAC for authenticating and enforcing network security policies.

Securing LAN Elements

  • LAN elements include the internet, web server, email server, VPN, firewall, perimeter, ESA/WSA, DNS, IPS, hosts and ACS

Traditional Endpoint Security

  • Traditional endpoint security consists of three host-based elements:
  • Host-based IPS
  • Antivirus/Antimalware Software
  • Host-based firewall

Securing Endpoints in the Borderless Network

  • Post Malware questions include determining source, threat method, entry point, affected systems, and the nature/prevention/recovery of the threat
  • Host-Based Protection includes antivirus/antimalware, SPAM filtering, URL filtering, and blacklisting.

Modern Endpoint Security Solutions

  • Modern endpoint security includes AMP, NAC, ESA, and WSA.

6.1.2 Antimalware Protection

  • Covers host-based antimalware software and Cisco Advanced Malware Protection (AMP)

Advanced Malware Protection

  • Advanced malware protection works “Before, During, and After”
  • Discover, Enforce, and harden (Before)
  • Detect, Block, and Defend (During)
  • Scope, Contain, and Remediate (After)

AMP and Managed Threat Defense

  • Talos teams gather real-time threat intelligence.
  • 1.6 million deployed security devices, including firewall, IPS, web, and email appliances
  • 150 million endpoints are used by Talos teams to gather real-time threat intelligence
  • They analyze data: 100 TB of security intelligence daily, 13 billion web requests per day, and 35% of the world's enterprise email traffic.

6.1.3 Email and Web Security

  • Covers the Cisco Email Security Appliance (ESA) and Web Security Appliance (WSA)

Cisco Email Security Appliance

  • Cisco Email Security solutions include Spam blocking, advanced malware protection, and outbound message control.

Cisco Web Security Appliance

  • The client's web request goes to the WSA (explicitly as a proxy or by redirection); the WSA applies web filtering and malware scanning, forwards allowed requests to the web server, and returns the inspected reply to the client.

6.1.4 Controlling Network Access

  • Covers Cisco Network Admission Control (NAC)

Cisco NAC Functions

  • NAC authenticates users and devices, assesses whether an endpoint complies with security policy (for example current antivirus and patches) before admitting it, and enforces network access policies

6.2 Layer 2 Security Considerations

  • It is important to understand Layer 2 vulnerabilities and how to mitigate CAM table overflow attacks.
  • VLAN Trunk security, DHCP snooping, dynamic ARP inspection and IP Source Guard mitigate other attacks.

6.2.1 Layer 2 Security Threats

  • Ethernet frames operate at the Data Link Layer (Layer 2); if Layer 2 is compromised, every layer above it is compromised as well

Switch Attack Categories

  • CAM Table Attacks
  • STP Attacks
  • VLAN Attacks
  • Address Spoofing Attacks
  • DHCP Attacks
  • ARP Attacks

6.2.2 CAM Table Attacks

  • The attacker sends frames with bogus source MAC addresses until the switch's CAM (MAC address) table is full
  • Unable to learn new addresses, the switch floods traffic for unknown destinations out every port in the VLAN, so the attacker can capture traffic not intended for them

CAM Table Attack Tools

  • macof (from the dsniff suite) is the classic CAM table attack tool; it generates frames with random source MAC and IP addresses at high speed

6.2.3 Mitigating CAM Table Attacks

  • Port security is the primary countermeasure: it limits the number of MAC addresses a port may learn

Port Security

  • Port security is configured per interface with the switchport port-security command family:
  • switchport port-security enables it on an access port
  • switchport port-security aging sets how long secure addresses stay learned
  • switchport port-security maximum sets the number of secure MAC addresses allowed
  • switchport port-security violation chooses what happens when the limit is exceeded

Port Security Options

  • Configuration options include setting the maximum number of MAC addresses, manually configuring secure MAC addresses, and dynamically learning connected MAC addresses (optionally sticky, so learned addresses are written to the running configuration).

Port Security Violations

  • Security violation modes are Protect (silently drops frames from unknown MAC addresses), Restrict (drops them, sends a syslog/SNMP notification, and increments the violation counter) and Shutdown (the default: increments the counter and places the port in the err-disabled state until it is re-enabled manually or by errdisable recovery).
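
An added Python model (not from the original lesson or any Cisco code) of how one access port with port security handles a macof-style flood under each violation mode. It assumes a maximum of two secure addresses, a deterministic generator standing in for macof's random source MACs, and an illustrative port name; the syslog text mirrors the IOS PSECURE_VIOLATION message.

```python
"""Port security violation modes against a macof-style MAC flood.

Added example, not from the original lesson. It models the IOS behaviour
(Protect / Restrict / Shutdown) on one access port; the MAC addresses,
frame counts and port name are constructed."""

PROTECT, RESTRICT, SHUTDOWN = "protect", "restrict", "shutdown"


class SecurePort:
    """One switch port with port security enabled."""

    def __init__(self, name, maximum=1, violation=SHUTDOWN):
        self.name = name
        self.maximum = maximum          # 'switchport port-security maximum'
        self.violation = violation      # 'switchport port-security violation'
        self.secure_macs = set()        # dynamically learned secure addresses
        self.violations = 0             # SecurityViolation count in 'show port-security'
        self.err_disabled = False
        self.syslog = []

    def receive(self, src_mac):
        """Return True if a frame from src_mac is forwarded, False if dropped."""
        if self.err_disabled:
            return False                # port is down; nothing passes
        if src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)   # learn it as a secure address
            return True
        # Frame from an unknown source MAC while the port is at its limit:
        # this is a security violation, handled according to the mode.
        if self.violation == PROTECT:
            return False                # silently dropped: no log, no counter
        self.violations += 1
        self.syslog.append(
            f"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
            f"caused by MAC address {src_mac} on port {self.name}.")
        if self.violation == SHUTDOWN:
            self.err_disabled = True    # err-disabled until shutdown / no shutdown
        return False


def bogus_mac(i):
    """Deterministic stand-in for macof's random source MACs (locally administered)."""
    return f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}"


def flood(port, frames=100):
    """Simulate macof: every frame carries a fresh source MAC. Without port
    security each one would become a CAM table entry. Returns (forwarded, dropped)."""
    forwarded = dropped = 0
    for i in range(frames):
        if port.receive(bogus_mac(i)):
            forwarded += 1
        else:
            dropped += 1
    return forwarded, dropped


def demo(mode, maximum=2, frames=100):
    """Flood one port configured with `mode` and report what the switch saw."""
    port = SecurePort("GigabitEthernet0/1", maximum=maximum, violation=mode)
    forwarded, dropped = flood(port, frames)
    return {
        "forwarded": forwarded,
        "dropped": dropped,
        "violations": port.violations,
        "err_disabled": port.err_disabled,
        "syslog_lines": len(port.syslog),
    }


if __name__ == "__main__":
    for mode in (PROTECT, RESTRICT, SHUTDOWN):
        print(mode, demo(mode))
```

In every mode only the first two addresses are ever learned and forwarded, so the CAM table is never filled from this port. The difference is visibility: Protect leaves no trace of the 98 dropped frames, Restrict logs each one and counts it, and Shutdown logs once and takes the port down, after which even the legitimately learned addresses are cut off.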

6.2.3 Mitigating DHCP Attacks

  • DHCP snooping mitigates DHCP spoofing; its per-port rate limit together with port security mitigates DHCP starvation.

DHCP Spoofing Attack

  • A rogue DHCP server on the LAN answers client DISCOVER messages with false parameters, typically handing out the attacker's address as default gateway or DNS server so that client traffic can be intercepted

DHCP Starvation Attack

  • The attacker floods the DHCP server with DISCOVER messages, each carrying a different spoofed client MAC address
  • The DHCP server answers each one with an OFFER of IP parameters
  • The attacker sends a REQUEST for every offer it receives
  • The server acknowledges each request and leases the address, until the pool is exhausted and legitimate clients can no longer obtain an address

Configuring DHCP Snooping

  • Ports facing DHCP servers (and uplinks toward them) are configured as trusted, so server messages are accepted from them
  • All other ports, including DHCP client ports, stay untrusted: DHCP server messages (OFFER/ACK/NAK) arriving on them are dropped, and client DHCP traffic can be rate-limited

Configuring DHCP Snooping Example

  • The example shows the commands used to limit the maximum number of MAC addresses on a port (port security), which complements DHCP snooping by stopping a single port from sourcing many spoofed client addresses
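
The DHCP snooping behaviour described in this section, together with the IP Source Guard check from the flashcards, as an added Python model (not the lesson's own configuration): trusted versus untrusted ports, the binding table built from server ACKs, a per-port rate limit that err-disables a port flooding DISCOVERs, and an IP Source Guard lookup against the binding table. Port names, addresses, the VLAN number and the 5 packets-per-second limit are constructed assumptions.

```python
"""DHCP snooping, its binding table and IP Source Guard, modelled in Python.

Added example, not the lesson's own configuration. Port names, addresses,
the VLAN number and the rate limit are constructed for illustration."""
from collections import defaultdict

SERVER_MSGS = {"OFFER", "ACK", "NAK"}   # only a real DHCP server should send these


class SnoopingSwitch:
    def __init__(self, trusted_ports, rate_limit=10):
        self.trusted = set(trusted_ports)     # ports facing the DHCP server / uplinks
        self.rate_limit = rate_limit          # DHCP packets per second allowed on an untrusted port
        self.bindings = {}                    # (client_mac, vlan) -> (ip, client_port)
        self.client_port = {}                 # client_mac -> untrusted port it was seen on
        self.err_disabled = set()
        self.dropped = []                     # (reason, port, msg_type)
        self._window = defaultdict(list)      # port -> timestamps of recent DHCP packets

    def dhcp(self, port, ts, msg_type, client_mac, vlan=10, yiaddr=None):
        """Handle one DHCP message arriving on `port`. Returns True if forwarded."""
        if port in self.err_disabled:
            return False                      # link is down, nothing gets through
        if port in self.trusted:
            if msg_type == "ACK":
                # A lease granted by a trusted server: record it so DAI and
                # IP Source Guard can later verify the client's traffic.
                self.bindings[(client_mac, vlan)] = (yiaddr, self.client_port.get(client_mac))
            return True
        # --- untrusted port ---
        if msg_type in SERVER_MSGS:
            # DHCP spoofing mitigation: a server message from a client port is dropped.
            self.dropped.append(("server-on-untrusted", port, msg_type))
            return False
        # Starvation mitigation: cap DHCP packets per second on this port.
        window = [t for t in self._window[port] if ts - t < 1.0]
        window.append(ts)
        self._window[port] = window
        if len(window) > self.rate_limit:
            self.err_disabled.add(port)       # IOS err-disables the offending port
            self.dropped.append(("rate-limit", port, msg_type))
            return False
        self.client_port[client_mac] = port
        return True

    def ip_source_guard(self, port, src_mac, src_ip, vlan=10):
        """Forward an IP packet from an untrusted port only if (mac, ip, port)
        matches an entry in the snooping binding table."""
        if port in self.trusted:
            return True
        return self.bindings.get((src_mac, vlan)) == (src_ip, port)


def demo():
    """A legitimate lease, a rogue OFFER, a starvation flood and two
    IP Source Guard decisions on a four-port slice of a switch."""
    sw = SnoopingSwitch(trusted_ports={"Gi0/24"}, rate_limit=5)
    client = "aa:aa:aa:aa:aa:01"
    # 1. Normal lease: client on untrusted Gi0/3, server behind trusted Gi0/24.
    lease = [
        sw.dhcp("Gi0/3", 0.0, "DISCOVER", client),
        sw.dhcp("Gi0/24", 0.1, "OFFER", client, yiaddr="10.1.10.50"),
        sw.dhcp("Gi0/3", 0.2, "REQUEST", client),
        sw.dhcp("Gi0/24", 0.3, "ACK", client, yiaddr="10.1.10.50"),
    ]
    # 2. DHCP spoofing attempt: a rogue server on untrusted Gi0/7 answers the client.
    rogue_offer = sw.dhcp("Gi0/7", 0.4, "OFFER", client, yiaddr="10.1.10.99")
    # 3. DHCP starvation: an attacker on Gi0/9 fires DISCOVERs with fresh client MACs.
    for i in range(20):
        sw.dhcp("Gi0/9", 1.0 + i * 0.01, "DISCOVER", f"de:ad:be:ef:00:{i:02x}")
    # 4. IP Source Guard on Gi0/3: the leased address passes, a spoofed one does not.
    isg_good = sw.ip_source_guard("Gi0/3", client, "10.1.10.50")
    isg_spoof = sw.ip_source_guard("Gi0/3", client, "10.1.10.1")
    return {
        "lease": lease,
        "rogue_offer": rogue_offer,
        "starve_err_disabled": "Gi0/9" in sw.err_disabled,
        "binding": sw.bindings.get((client, 10)),
        "isg_good": isg_good,
        "isg_spoof": isg_spoof,
        "drop_reasons": sorted({reason for reason, _, _ in sw.dropped}),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The binding table is the pivot: DHCP snooping populates it from ACKs seen on trusted ports, and IP Source Guard (and Dynamic ARP Inspection) then refuse traffic from an untrusted port whose addresses are not in it. The rate limit is the only defence here against starvation, since the flood consists of otherwise legitimate client messages; on a real switch it should be combined with a port security maximum.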
