Intrusion Prevention Systems (IPS)


Questions and Answers

What is a zero-day attack?

  • An attack that occurs on a system that is fully up to date
  • An attack that exploits a vulnerability before a patch is available (correct)
  • An attack that occurs at midnight
  • An attack on older, unsupported software

What is a key advantage of an Intrusion Detection System (IDS)?

  • Requires traffic to be mirrored in order to reach it (correct)
  • Does not require network traffic monitoring
  • Instantly stops all malicious traffic
  • Works in-line to actively block threats

Which of the following describes how an IPS is implemented?

  • In an inline mode (correct)
  • Without monitoring traffic
  • As a passive monitoring tool
  • In an offline mode

Which layer of the OSI model does an IPS inspect for malicious traffic?

Application Layer (D)

Which of the following is a common characteristic of both IDS and IPS?

Both are deployed as sensors. (D)

Which of these is an advantage of using an IDS?

It has no impact on the network (C)

What factor does NOT affect IPS sensor selection?

Color of the device (D)

What is a disadvantage of network-based IPS?

Cannot examine encrypted traffic (B)

In which mode does an IPS operate when it is directly in the path of network traffic?

Inline Mode (B)

What is the purpose of a SPAN port?

To send copies of traffic to another port (C)

A zero-day attack exploits vulnerabilities that are unknown to the vendor.

True (A)

An Intrusion Detection System (IDS) operates in-line, actively blocking malicious traffic.

False (B)

An IPS is deployed to only monitor network traffic and generate alerts.

False (B)

IDS and IPS technologies both cannot be deployed as sensors.

False (B)

An advantage of an IDS is that it has a significant impact on network performance.

False (B)

A disadvantage of using an IPS is that sensor issues might affect network traffic.

True (A)

Host-based IPS is operating system independent.

False (B)

In promiscuous mode, an IPS sensor sits directly in the path of network traffic.

False (B)

SPAN ports are configured to mirror network traffic for analysis by security devices.

True (A)

A signature only uses a trigger and action attribute.

False (B)

What is the primary focus of endpoint security?

Protecting individual devices connected to a network. (C)

Which of these is considered a traditional method of endpoint security?

Implementing host-based firewalls. (C)

What is the purpose of URL filtering in host-based protection?

Blocking access to malicious websites. (A)

What does NAC primarily do in network security?

Authenticates users and enforces security policies. (C)

What is the function of a Web Security Appliance (WSA)?

Securing web traffic and preventing web-based threats. (C)

What is a key feature of Cisco Email Security solutions?

Spam blocking. (A)

Which OSI layer is most associated with Ethernet frames?

Data Link Layer (C)

What is a CAM table overflow attack designed to do?

Overload the switch's MAC address table. (A)

What is the primary function of port security?

Limiting the number of MAC addresses on a port. (D)

What type of attack is DHCP snooping used to prevent?

DHCP spoofing. (B)

Endpoint security only focuses on protecting devices physically connected to the LAN.

False (B)

Cisco AMP helps ensure endpoint security.

True (A)

A host-based firewall is an example of traditional endpoint security.

True (A)

URL filtering is a reactive approach to host-based protection.

False (B)

NAC stands for Network Authentication Control.

False (B)

Cisco Email Security solutions include advanced malware protection.

True (A)

A web server sends a reply directly to the client, bypassing the Cisco Web Security Appliance.

False (B)

Layer 3 vulnerabilities are the primary focus of LAN security.

False (B)

CAM table overflow attacks rely on flooding the network with legitimate MAC addresses.

False (B)

DHCP snooping helps prevent DHCP spoofing attacks.

True (A)

Flashcards

What are Zero-Day Attacks?

Attacks that exploit previously unknown vulnerabilities, leaving systems with no existing defenses.

What is an IDS?

An Intrusion Detection System passively monitors network traffic; traffic must be mirrored to reach it.

What is an IPS?

An Intrusion Prevention System acts immediately on malicious traffic, operating in an inline mode to monitor Layers 3 and 4.

Similarities: IDS and IPS?

Both deployed as sensors, they detect misuse patterns using signatures, and can spot single or multi-packet attacks.

Advantages and Disadvantages: IDS vs IPS?

IDS has no network impact and tolerates sensor failures but can't stop triggers. IPS stops triggers but is vulnerable to sensor issues and overloads.

What are Host-Based IPS?

Protects a specific host, operates at the OS/application level, and can inspect traffic after it has been decrypted.

What are Network-Based IPS?

Cost-effective, operating system independent, but can't examine encrypted traffic and must stop threats before they reach the host.

Cisco SPAN's Role?

SPAN mirrors traffic for analysis. Command: monitor session number source/destination.

What is a Signature?

Consists of rules used by IDS/IPS to detect intrusions, characterized by type, trigger (alarm), and action.

Signature Types?

Atomic signatures assess single actions; composite signatures identify operation sequences over time.

How does an IDS monitor attacks?

Works passively; traffic must be mirrored to reach it.

How does an IPS detect and stop attacks?

Implemented in inline mode, it monitors Layer 3 and Layer 4 traffic, responds immediately, and can stop single-packet attacks from reaching the target.

What part of traffic does IPS focus on?

Inspects malicious traffic content at the application layer and blocks it.

Advantages and Disadvantages of Network IPS?

Advantages: cost-effective and operating system independent. Disadvantages: cannot examine encrypted traffic, and must stop malicious traffic before it arrives at the host.

What is Pattern-based Detection?

Advantages: easy to configure, fewer false positives, good signature design. Disadvantages: no detection of attacks that have no known signature, and signatures must be created, updated, and tuned.

Atomic Signature with Pattern-Based Detection?

No state required to examine pattern to determine if signature action should be applied.

Pattern Detection: Composite Signature?

Must contain state or examine multiple items to determine if signature action should be applied.

IPS Alarm: False Positive?

Normal user traffic triggers an alarm; the signature requires tuning.

IPS Alarm: False Negative?

Attack traffic that goes unnoticed (no alarm is raised).

IPS Signature Actions?

Stop the traffic inline, reset the TCP connection, block future activity from the source, or permit the traffic (treating it as normal) based on configured exceptions.

Endpoint Security

Securing individual computers and devices connected to a network.

Anti-malware software

Software that prevents, detects, and removes malicious software.

Borderless network

An approach that considers the entire network for security.

Web Security Appliance (WSA)

Filters web connections and prevents malicious content from reaching hosts.

Email Security Appliance (ESA)

Filters email traffic to block spam and malware before reaching users.

Network Admission Control (NAC)

Authenticates users/devices, enforcing security policies before granting network access.

Layer 2 Security Threats

Attacks exploiting vulnerabilities at Layer 2 of the OSI model.

CAM Table Overflow Attack

Flooding a switch with fake MAC addresses, overflowing the MAC address table.

Port Security

Limiting MAC addresses per port to prevent MAC flooding attacks.

DHCP Spoofing Attack

Attack where a rogue server provides incorrect IP addresses to network clients.

Traditional Endpoint Security

Host-based protection implemented with Antivirus/Antimalware, Host-Based IPS, and Host-Based Firewall.

What is AMP?

Advanced Malware Protection; covers before, during, and after an attack.

Cisco Email Security Benefits

Spam blocking, malware protection for email, and outbound control.

What is NAC?

Security that controls access via authentication and policy enforcement.

What are Layer 2 Vulnerabilities?

Vulnerabilities residing in the Data Link layer.

What is Macof?

A tool used to flood a switch with bogus MAC addresses.

What are Switch Attack Categories?

Categories that include CAM table overflows, ARP attacks, and Spanning Tree Protocol attacks.

CAM Table Attack Result

The switch floods frames out all ports, exposing traffic to the attacker who caused the overflow.

Port Security Countermeasure

Allows only specific MAC addresses on a port.

What is DHCP Spoofing?

A rogue DHCP server hands out incorrect IP configuration to clients.

Study Notes

Chapter 6: Securing the Local Area Network

  • This chapter focuses on securing local area networks, covering endpoint security and Layer 2 security threats.
  • Authored by Dr. Nadhir Ben Halima

6.0 Introduction

  • The chapter introduces the concepts and methods for securing LANs.

6.1 Endpoint Security

  • Endpoint security and its enabling technologies are a key focus.
  • How Cisco AMP is used for endpoint security is examined.
  • Cisco NAC's role in authenticating and enforcing network security policies is explained.

Securing LAN Elements

  • A typical LAN setup includes elements like the internet, web server, VPN, email server, firewall, ESA/WSA, DNS, IPS, hosts, and ACS (Access Control System).

Traditional Endpoint Security

  • Traditional endpoint security involves host-based protection, including antivirus/antimalware software, host-based IPS, and host-based firewalls.

Securing Endpoints in the Borderless Network

  • Securing endpoints considers questions post-attack, such as origin, threat method, affected systems, impact, mitigation, recovery, and prevention.
  • Host-based protection measures include antivirus/antimalware, SPAM filtering, URL filtering, and blacklisting.

Modern Endpoint Security Solutions

  • Modern solutions incorporate AMP (Advanced Malware Protection), NAC (Network Admission Control), ESA (Email Security Appliance), and WSA (Web Security Appliance).

Antimalware Protection

  • Advanced Malware Protection involves stages: before (discover, enforce, harden), during (detect, block, defend), and after (scope, contain, remediate).

AMP and Managed Threat Defense

  • Talos teams gather real-time threat intelligence from 1.6 million deployed security devices (firewalls, IPS, web, and email appliances) and 150 million endpoints.
  • 100 TB of security intelligence is analyzed daily, along with 13 billion web requests per day and 35% of global enterprise email traffic.

Email and Web Security

  • Focuses on securing email and web traffic in the LAN environment.

Cisco Email Security Appliance

  • Features include spam blocking, advanced malware protection, and outbound message control.

Cisco Web Security Appliance

  • Handles web requests, forwards them, and filters the replies to protect the network.
  • The client initiates a web request, the WSA forwards the request to the web server, and the server's reply is sent back to the WSA, which filters it and then passes it to the client.

Controlling Network Access

  • Managing and securing network access are critical components of LAN security.

Cisco NAC Functions

  • NAC functions include authentication, authorization, and posture assessment for network access.

6.2 Layer 2 Security Threats

  • The section focuses on Layer 2 vulnerabilities.
  • CAM table overflow attacks are discussed.
  • Mitigating attacks by configuring port security is covered.
  • VLAN Trunk security minimizes VLAN hopping attacks.
  • DHCP Snooping is implemented to mitigate DHCP attacks.
  • Dynamic ARP Inspection is implemented to mitigate ARP attacks.
  • IP Source Guard mitigates address spoofing attacks.

Layer 2 Vulnerabilities

  • Layer 2 vulnerabilities exist at the Data Link layer, corresponding to Ethernet frames; initial compromise occurs at this level.

Switch Attack Categories

  • Switch attacks fall into categories: CAM table attacks, STP attacks, VLAN attacks, address spoofing attacks, DHCP attacks, and ARP attacks.

CAM Table Attacks

  • CAM table attacks exploit the switch's MAC address table.

Basic Switch Operation

  • Switches maintain a MAC address table, mapping MAC addresses to ports.

CAM Table Operation Example

  • Shows how a switch forwards traffic based on the CAM table.

CAM Table Attack Explained

  • A CAM table attack floods the switch with bogus source MAC addresses until the CAM table is full, after which the switch floods frames out all ports.
  • The intruder uses a tool to start sending frames with unknown, bogus MAC addresses.
  • Once the CAM table is full, the switch behaves like a hub and floods traffic.

CAM Table Attack Tools

  • Tools are available to flood the network with MAC addresses for CAM table attacks.

Mitigating CAM Table Attacks

  • Port security can limit MAC addresses allowed on a port.

Countermeasures for CAM Table Attacks

  • Implementing port security allows only specific MAC addresses on a port, blocking unauthorized traffic.

Port Security

  • Provides options to secure switch ports. Commands for implementing and verifying switch port security are covered.

Port Security Options

  • Includes aging settings, MAC address control, maximum MAC addresses, and violation settings.

Enabling Port Security Options

  • Setting the maximum number of MAC addresses that can be learned on the port.
  • Configuring MAC addresses manually.
  • Dynamically learning connected MAC addresses.

Port Security Violations

  • Security violation modes include Protect, Restrict, and Shutdown.
  • Protect: drops offending traffic, sends no syslog message, does not increment the violation counter, and does not shut down the port.
  • Restrict: drops offending traffic, sends a syslog message, increments the violation counter, but does not shut down the port.
  • Shutdown: drops offending traffic, sends a syslog message, increments the violation counter, and shuts down the port.

Port Security with IP Phones

  • Securing ports used by IP phones is discussed.

Mitigating DHCP Attacks

  • DHCP attacks, like spoofing and starvation, are considered.

DHCP Spoofing Attack

  • A rogue DHCP server provides incorrect IP configuration information to clients.

DHCP Starvation Attack

  • An attacker exhausts the DHCP address pool, preventing legitimate clients from obtaining IP addresses. The attacker sends DHCP Discover requests (as many as the size of the scope), the DHCP server sends Offers (size of scope), the attacker then Requests all of the offers (size of scope), and the server Acknowledges them (size of scope), leaving no addresses free.

Configuring DHCP Snooping

  • Trusted and untrusted ports are specified and used to combat rogue DHCP servers.

Configuring DHCP Snooping Example

  • DHCP snooping is configured so that trusted interfaces forward DHCP server traffic and untrusted interfaces block it, preventing rogue DHCP servers.
  • Includes configuring a maximum rate of DHCP packets (and a limit on MAC addresses) for DHCP snooping.
  • DHCP snooping is verified through the command line:

S1# show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:03:47:B5:9F:AD   192.168.10.10    193185      dhcp-snooping  5     FastEthernet0/5
