Intrusion Prevention Systems (IPS)

Questions and Answers

Why is it crucial for IPS systems to respond immediately to potential threats?

  • To prevent malicious traffic from passing through and causing damage. (correct)
  • To provide detailed reports for later analysis without affecting real-time traffic.
  • To ensure seamless integration with existing network hardware, regardless of brand.
  • To allow prioritization of traffic based on user roles.

In what way do Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) operate similarly?

  • Both are deployed as sensors to analyze network traffic. (correct)
  • Both modify network packets.
  • Both actively block malicious traffic to prevent attacks.
  • Both operate inline to monitor all network traffic.

What is a primary disadvantage of using a Host-Based Intrusion Prevention System (HIPS)?

  • It is reliant on the host operating system, making it vulnerable to OS-specific exploits. (correct)
  • It cannot be installed on all hosts, leaving gaps in network security.
  • It has a higher cost due to the need for specialized hardware.
  • It cannot be customized.

Which of the following is a key characteristic of network-based IPS sensors?

  • They are cost-effective and operating system independent. (correct)

Which factor is LEAST important when selecting an IPS solution for a network?

  • The colour of the IPS appliance, so that it matches the existing hardware. (correct)

In which deployment mode does an Intrusion Detection System (IDS) passively monitor network traffic by receiving a copy of the traffic?

  • Promiscuous mode (correct)

What does the monitor session command achieve in a Cisco SPAN configuration?

  • It mirrors network traffic from a source port to a destination port for analysis. (correct)

When configuring a Cisco Switched Port Analyzer (SPAN) session, which action is essential for directing traffic to the intrusion detection system?

  • Defining a destination port to which the mirrored traffic is forwarded. (correct)

Why is it important to regularly update the signature file of an Intrusion Prevention System (IPS)?

  • To ensure that the IPS can detect and respond to the latest threats. (correct)

Which of the following describes a composite signature in Intrusion Prevention Systems (IPS)?

  • A signature that identifies a sequence of operations distributed across multiple hosts over time. (correct)

How does a 'true negative' alarm type impact network security management?

  • It correctly recognises normal traffic and does not generate an alarm, indicating an ideal setting. (correct)

Which of the following is a crucial action that an IPS can take to actively prevent a detected threat?

  • Resetting a TCP connection to disrupt malicious communication. (correct)

Why is understanding zero-day attacks important in network security?

  • They exploit vulnerabilities that are unknown to software vendors and for which no patch is available. (correct)

Which of the following actions is typically performed by an Intrusion Prevention System (IPS) but not by an Intrusion Detection System (IDS)?

  • Actively blocking or preventing malicious traffic. (correct)

What is a primary advantage of using a Network-Based Intrusion Prevention System (NIPS) over a Host-Based Intrusion Prevention System (HIPS)?

  • NIPS is cost-effective and operating system independent. (correct)

Which of the following is a disadvantage of Intrusion Detection Systems (IDS)?

  • IDS response actions might not stop the triggering packet. (correct)

Which of the following is a known disadvantage of using a network IPS?

  • A network IPS cannot determine whether an attack was ultimately successful. (correct)

Why is the use of honeypots in intrusion detection considered advantageous?

  • Honeypots can distract and confuse attackers, as well as collect information about attacks. (correct)

An IPS triggers an alarm, but no actual attack or malicious activity is occurring. What type of alarm is this?

  • False positive (correct)

What protocol do IPS systems use to communicate alarms and other events to management consoles and logging servers?

  • SDEE (correct)

An IDS operates in inline mode, actively blocking malicious traffic in real time.

  • False (correct)

A zero-day attack is an exploit that targets a vulnerability unknown to the software vendor or security professionals at the time of the attack.

  • True (correct)

Network-based IPS solutions are always operating system dependent.

  • False (correct)

An atomic IPS signature identifies sequences of operations distributed across multiple hosts.

  • False (correct)

In the context of IPS, a 'false negative' alarm type refers to a scenario where normal user traffic is incorrectly identified as malicious.

  • False (correct)

Signature files for IPS contain algorithms rather than network signatures.

  • False (correct)

Disabling all signatures is a recommended best practice for IPS configuration to minimise false positives.

  • False (correct)

Cisco SPAN (Switched Port Analyzer) is used to mirror network traffic for intrusion detection and prevention analysis.

  • True (correct)

In policy-based detection, identifying irregular behaviour requires examining state rather than relying on a single packet.

  • False (correct)

A key advantage of host-based IPS is its ability to analyse encrypted traffic directly.

  • False (correct)

IDS sensors are deployed inline, requiring all network traffic to pass through them.

  • False (correct)

The monitor session command is used to associate a source port and a destination port with a SPAN session.

  • True (correct)

An IPS is designed to inspect all traffic at every layer of the OSI model.

  • False (correct)

An IPS is effective even if its signature database is not regularly updated.

  • False (correct)

An IPS can positively impact network performance due to its ability to filter out malicious traffic.

  • False (correct)

Implementing an IPS provides complete protection against all types of network attacks.

  • False (correct)

A composite signature in IPS only examines a single packet to determine malicious intent.

  • False (correct)

Requesting an SNMP trap counts as dropping or preventing the activity.

  • False (correct)

IPS solutions should be placed as far away from internal networks as possible.

  • False (correct)

When setting up intrusion prevention, fewer security staff are required because much of the work is automated.

  • False (correct)

Flashcards

What are Zero-Day Attacks?

Attacks that exploit vulnerabilities which are unknown to the software vendor or security community.

What is an IDS?

An intrusion detection system (IDS) monitors network traffic passively for suspicious activity. It requires traffic mirroring to reach it.

What is an IPS?

An intrusion prevention system (IPS) is implemented in-line and actively blocks or prevents detected threats.

What is port mirroring?

A method where network traffic is duplicated and sent to a monitoring device, enabling passive analysis of network data.

What is Cisco SPAN?

A Cisco switch feature that mirrors traffic from one or more source ports (or VLANs) to a destination port, where a sensor or analyser receives the copies.

What is an Atomic Signature in IPS?

A signature that matches on a single packet, activity, or event; no state from earlier traffic is needed.

What is a Composite Signature in IPS?

A signature that identifies a sequence of operations distributed across multiple packets or hosts over time; the sensor must keep state to match it.

What is an IPS Signature File?

A file containing a collection of signatures used by an IPS to detect malicious activity; it must be kept up to date as new threats appear.

What does 'Allow the activity' mean in IPS?

A signature action that lets matching traffic proceed normally, used for trusted sources or for configured exceptions.

What is Pattern-based Detection?

A detection method that matches traffic against predefined patterns (signatures). It is easy to configure and produces fewer false positives once tuned, but it cannot detect an attack for which no signature exists.

What is a False Positive Alarm?

An alarm triggered when normal user traffic is incorrectly identified as malicious.

What is a False Negative Alarm?

An alarm that is not triggered although malicious traffic is present, resulting in a missed attack.

What is a SPAN port?

The destination switch port to which copies of traffic from one or more source ports are sent for analysis.

IDS Traffic Flow Characteristic

Network traffic does not pass through the IDS; the IDS sees only a mirrored copy.

IPS Functionality

Works inline, monitors Layer 3 and Layer 4 traffic, and can stop an attack before it reaches the target.

Host-Based IPS advantage

Protection specific to a host operating system and application level, including traffic that is only readable after decryption on the host.

Network-Based IPS advantage

Cost-effective and operating system independent, but it cannot examine encrypted traffic.

Factors for IPS selection

Amount of network traffic, network topology, security budget and available security staff.

IPS Signature Attributes

Type, Trigger (alarm), and Action.

What is a True Positive Alarm?

An alarm triggered when attack traffic is correctly identified as malicious.

What is a True Negative Alarm?

The ideal outcome in which normal user traffic is correctly identified as non-malicious and no alarm is generated.

Study Notes

Introduction to Intrusion Prevention

  • Chapter 5 focuses on implementing intrusion prevention.

IPS Technologies

  • Section 5.1 discusses various IPS (Intrusion Prevention System) technologies.
  • Students should be able to explain zero-day attacks upon completion of this section.
  • Students will learn how to monitor, detect, and stop attacks.
  • Students will be able to describe the advantages and disadvantages of both Intrusion Detection Systems (IDS) and IPS.

IDS and IPS Characteristics

  • An Intrusion Detection System (IDS) operates passively.
  • IDS requires network traffic to be mirrored in order to analyze it.
  • IDS does not handle network traffic directly unless traffic is mirrored to it.
  • An Intrusion Prevention System (IPS) operates inline.
  • IPS monitors Layer 3 and Layer 4 traffic.
  • IPS can stop single-packet attacks before they reach the target.
  • IPS responds immediately to block malicious traffic.
  • IPS inspects traffic content at the application layer.
  • Both IDS and IPS technologies are deployed as sensors.
  • Both IDS and IPS use signatures to detect misuse patterns in network traffic.
  • Both IDS and IPS can detect atomic patterns (single-packet) or composite patterns (multi-packet).
  • IDS has no impact on network performance, because it only receives a copy of the traffic.
  • A failed or overloaded IDS sensor does not affect network traffic (although attacks during the outage go undetected).
  • An IDS response action cannot stop the triggering packet; it has already been delivered by the time the copy is analysed.
  • IPS can stop the triggering packet.
  • Because all traffic passes through the inline sensor, an IPS sensor failure or overload affects the network.
  • IPS may have some impact on network performance.

Network-Based IPS Implementations

  • Host-based IPS protects a specific host operating system.
  • Host-based IPS provides OS-level and application-level protection.
  • Host-based IPS protects the host after the message has been decrypted, so it can inspect content that a network sensor sees only as ciphertext.
  • Host-based IPS is operating system dependent and must be installed on every host.
  • Network-based IPS is cost-effective and operating system independent.
  • Network-based IPS cannot examine encrypted traffic.
  • Network-based IPS must stop malicious traffic before it arrives at the host.
  • Cisco offers modular and appliance-based IPS solutions, including:
    • Cisco IPS AIM and Network Module Enhanced (IPS NME)
    • Cisco ASA AIP-SSM
    • Cisco IPS 4300 Series Sensors
    • Cisco Catalyst 6500 Series IDSM-2
  • Factors affecting IPS sensor selection include:
    • Amount of network traffic
    • Network topology
    • Security budget
    • Available security staff for IPS management
  • Network IPS is cost-effective and not visible on the network.
  • Network IPS is operating system independent and monitors lower-level network events.
  • Network IPS cannot examine encrypted traffic.
  • Network IPS cannot determine whether an attack was successful.

Modes of Deployment

  • Promiscuous Mode is commonly used with IDS.
  • Inline Mode is commonly used with IPS.

Cisco Switched Port Analyzer

  • SPAN (Switched Port Analyzer) is used for port mirroring in Cisco networks.
  • SPAN sessions are configured with the monitor session command, which ties one or more source ports to a destination port.
  • The show monitor command is used to verify SPAN sessions.
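The following is an added illustration, not part of the lesson, of a local SPAN session on a Cisco IOS switch. The session number and interface names are assumed: the sensor's monitoring interface is taken to be on GigabitEthernet0/24, and the port being watched to be GigabitEthernet0/1.

```text
! Added example (not from the lesson). Session 1, Gi0/1 and Gi0/24 are assumed names.
Switch(config)# monitor session 1 source interface GigabitEthernet0/1 both
Switch(config)# monitor session 1 destination interface GigabitEthernet0/24
Switch(config)# end
Switch# show monitor session 1
```

`both` mirrors ingress and egress of the source port. Two practical checks: the destination port stops forwarding normal traffic and only emits copies, so the sensor interface must be set to promiscuous mode to accept frames not addressed to it; and mirroring both directions of a fully loaded 1 Gbps link onto a 1 Gbps destination can exceed the destination's capacity, in which case the switch silently drops copies and the IDS simply never sees those packets (a false negative with no alarm to tune).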

IPS Signatures

  • Section 5.2 overviews IPS signatures.
  • Students should understand IPS signature characteristics.
  • Students should be able to explain IPS signature alarms.
  • Students should be able to manage and monitor IPS.
  • Students should understand global correlation of Cisco IPS devices.

IPS Signature Characteristics

  • A signature is a set of rules used by IDS and IPS to detect intrusion activity.
  • The three main attributes of signatures are Type, Trigger (alarm), and Action.

Signature types

  • Atomic signatures are a single packet, activity, or event.
  • Composite signatures are a sequence of operations across multiple hosts.

Signature Files

  • Signature files package network signatures and must be uploaded to an IPS when new threats are identified.

IPS Signature Alarms

  • Pattern-based detection offers easy configuration, fewer false positives and good signature design.
  • Anomaly-based detection offers easy configuration and can detect unknown attacks.
  • Policy-based detection is simple and reliable, allows customised policies, and can detect unknown attacks.
  • Honeypot-based detection provides a window for viewing attacks; it is designed to distract and confuse attackers, slow down and avert attacks, and collect information about them.
  • The disadvantages of pattern-based detection are that unknown attacks (those with no signature yet) are not detected, there are initially many false positives, and signatures must be created, updated and tuned.
  • The disadvantages of anomaly-based detection are that typical activity is difficult to profile in a large network, and the traffic profile must remain constant.
  • The disadvantages of policy-based detection are that the output is generic and the policy must be created.
  • The disadvantages of honeypot-based detection are that it requires a dedicated honeypot server, and the honeypot server must never be trusted.
  • Atomic signatures require no state: a single packet or event is examined to determine whether the signature action should be applied.
    • Pattern-based example: an ARP request with a source Ethernet address of FF:FF:FF:FF:FF:FF.
  • Composite signatures must keep state or examine multiple items to determine whether the signature action should be applied.
    • Pattern-based example: searching for the string "confidential" across multiple packets of a TCP session.
  • Anomaly-based atomic signatures need no state to identify activity that deviates from the normal profile; an example is traffic to a destination port that is not in the normal profile.
  • Anomaly-based composite signatures need state to identify activity that deviates from the normal profile; an example is verifying protocol compliance of HTTP traffic.
  • Policy-based atomic signatures need no state to identify undesirable behaviour; an example is detecting abnormally large fragmented packets by examining only the last fragment.
  • Policy-based composite signatures need previous activity (state) to identify undesirable behaviour; an example is a Sun UNIX host sending RPC requests to remote hosts without first consulting the Sun portmapper.

Alarm Triggering Mechanisms

  Alarm type      Network activity      IPS activity         Outcome
  --------------  --------------------  -------------------  -------------
  False positive  Normal user traffic   Alarm generated      Tune alarm
  False negative  Attack traffic        No alarm generated   Tune alarm
  True positive   Attack traffic        Alarm generated      Ideal setting
  True negative   Normal user traffic   No alarm generated   Ideal setting
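The atomic/composite distinction and the four alarm outcomes above are easiest to see with a toy sensor. The script below is an added example, not code from the lesson or from any Cisco product: it runs the lesson's own two pattern-based signatures (the ARP request with a broadcast source MAC, and the string "confidential" inside a TCP session) over a handful of constructed packets, once with a stateless string check and once with a stateful composite signature, and tallies true/false positives and negatives against ground-truth labels. The packet model, flow tuples and payloads are all invented for the example.

```python
"""Toy pattern-based sensor: atomic vs composite signatures, alarm outcomes.

Added example (not from the lesson). The packet model, flows and payloads
are constructed here; nothing is captured from a real network.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Flow = Tuple[str, int, str, int]            # (src_ip, src_port, dst_ip, dst_port)


@dataclass
class Packet:
    proto: str                               # "arp" or "tcp"
    src_mac: str = ""                        # used by the ARP signature
    flow: Optional[Flow] = None              # TCP 4-tuple, keys per-session state
    payload: bytes = b""                     # TCP segment data
    malicious: bool = False                  # ground truth, used only for scoring


# Atomic signature: one packet carries everything needed to decide (no state).
# Lesson example: an ARP request whose *source* MAC is the broadcast address.
def sig_arp_broadcast_source(pkt: Packet) -> bool:
    return pkt.proto == "arp" and pkt.src_mac.lower() == "ff:ff:ff:ff:ff:ff"


# Stateless string check, kept for comparison: it cannot see a string that is
# split across two TCP segments, which is exactly why composite signatures exist.
def sig_stateless_confidential(pkt: Packet, needle: bytes = b"confidential") -> bool:
    return pkt.proto == "tcp" and needle in pkt.payload


class CompositeStringSignature:
    """Composite signature: keeps per-flow state so a pattern split across
    segments of one TCP session still matches (lesson example: "confidential")."""

    def __init__(self, needle: bytes) -> None:
        self.needle = needle
        self._tail: Dict[Flow, bytes] = {}    # flow -> last len(needle)-1 bytes seen

    def __call__(self, pkt: Packet) -> bool:
        if pkt.proto != "tcp" or pkt.flow is None:
            return False
        buf = self._tail.get(pkt.flow, b"") + pkt.payload
        keep = len(self.needle) - 1           # enough history to bridge the next boundary
        self._tail[pkt.flow] = buf[-keep:] if keep else b""
        return self.needle in buf


OUTCOMES = ("true positive", "false positive", "false negative", "true negative")
# What the lesson's alarm table says to do with each outcome.
OUTCOME_ACTION = {"true positive": "ideal setting", "true negative": "ideal setting",
                  "false positive": "tune alarm", "false negative": "tune alarm"}


def classify(alarm: bool, malicious: bool) -> str:
    if alarm:
        return "true positive" if malicious else "false positive"
    return "false negative" if malicious else "true negative"


def run_sensor(packets: List[Packet],
               signatures: List[Callable[[Packet], bool]]) -> Dict[str, int]:
    """Feed every packet to every signature and tally the four alarm outcomes.
    All signatures are evaluated (no short-circuit): a stateful signature must
    see every packet of a session even when another signature already fired."""
    counts = {o: 0 for o in OUTCOMES}
    for pkt in packets:
        verdicts = [sig(pkt) for sig in signatures]
        counts[classify(any(verdicts), pkt.malicious)] += 1
    return counts


# Constructed traffic: a normal ARP, the malformed ARP, one HTTP session in which
# the sensitive string straddles two segments, and a benign header from another
# host that legitimately contains the string (the false positive an operator tunes).
FLOW_A: Flow = ("10.0.0.5", 40000, "10.0.0.9", 80)
FLOW_B: Flow = ("10.0.0.20", 50000, "10.0.0.9", 80)
SAMPLE_TRAFFIC = [
    Packet("arp", src_mac="00:11:22:33:44:55"),
    Packet("arp", src_mac="ff:ff:ff:ff:ff:ff", malicious=True),
    Packet("tcp", flow=FLOW_A, payload=b"GET /report?tag=confi"),
    Packet("tcp", flow=FLOW_A, payload=b"dential HTTP/1.1\r\n", malicious=True),
    Packet("tcp", flow=FLOW_A, payload=b"Host: intranet\r\n"),
    Packet("tcp", flow=FLOW_B, payload=b"X-Classification: confidential\r\n"),
]


def compare_sensors(packets: List[Packet] = SAMPLE_TRAFFIC) -> Dict[str, Dict[str, int]]:
    """Same traffic through a stateless rule set and a stateful one."""
    return {
        "atomic only": run_sensor(packets, [sig_arp_broadcast_source,
                                            sig_stateless_confidential]),
        "with composite": run_sensor(packets, [sig_arp_broadcast_source,
                                               CompositeStringSignature(b"confidential")]),
    }


if __name__ == "__main__":
    for name, counts in compare_sensors().items():
        print(name, {k: f"{v} ({OUTCOME_ACTION[k]})" for k, v in counts.items()})
```

The stateless rule set misses the split string (one false negative), while the composite signature catches it because it carries the last eleven bytes of each flow forward to the next segment. Both rule sets raise the same false positive on the benign `X-Classification` header, which is the case for an "allow the activity" exception for that host rather than for disabling the signature.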

Signature Actions

  • Generating an alert: Produce alert, Produce verbose alert.
  • Logging the activity: Log attacker packets, Log pair packets, Log victim packets.
  • Dropping or preventing the activity: Deny attacker inline, Deny connection inline, Deny packet inline.
  • Resetting a TCP connection: Reset TCP connection.
  • Blocking future activity: Request block connection, Request block host, Request SNMP trap.
  • Allowing the activity: traffic that matches a configured exception is permitted and treated as normal, for example traffic from an approved IT scanning host that would otherwise raise alerts.

Manage and Monitor IPS

  • Secure Device Event Exchange (SDEE) and syslog are used to manage and monitor IPS.

IPS Configuration Best Practices

  • Configure the firewall and VPN before implementing IPS.
