IPS vs Application Control

Questions and Answers

What is the main focus of IPS signatures?

• Understanding and exposing the structure of industrial protocols
• Detection of software version-based vulnerabilities
• Protocol detection at various levels
• Detection of exploits of industrial controller software (correct)

What is the primary focus of application control signatures?

• Protocol detection at various levels (correct)
• Detection of exploits of industrial controller software
• Detection of software version-based vulnerabilities
• Understanding and exposing the structure of industrial protocols

Which protocols are mentioned as being understood and exposed by the Fortinet flow engine?

• HTTP, FTP, SMTP, SNMP
• Modbus, IEC 104, DNP3, OPC, Siemens S7 (correct)
• TCP, UDP, IP, ICMP
• SSH, SSL, TLS, RDP

What is the purpose of deep packet inspection (DPI) and intrusion prevention system (IPS) signatures for IC'S protocols and applications context logging?

To detect industrial software and software version-based vulnerabilities (B)

What type of vulnerabilities were several versions of Schneider Electric Accutech Manager vulnerable to?

SQL injection attacks (D)

What do application control signatures detect in the context of protocols and telecontrol messages?

Protocols used in the applications and contents of the telecontrol messages (A)

What is the purpose of the protocol dissectors in the Fortinet flow engine?

To understand and expose the structure of industrial protocols (B)

What is the common action taken by both IPS and application control in terms of log and application context?

Send to syslog servers FortiAnalyzer, FortiSIEM, and so on (B)

What is the focus of IPS in terms of vulnerability detection?

Industrial software and software version-based vulnerabilities (A)

What aspect of the telecontrol messages do application control signatures detect?

Contents of the telecontrol messages, like function codes, object types, and so on (C)

What is the primary purpose of intrusion prevention system (IPS) signatures?

Detection of exploits of industrial controller software (B)

What feature can be used to refuse traffic from an attacker's IP-address?

Source quarantine (A)

What can be done if matching signatures are not found in the database?

Create custom signatures (C)

Which feature can be used to save a copy of packets that match any signatures included in the filter?

Packet logging (A)

What is the subset of signatures in the database that are normally set to monitor?

Rate-based signatures (B)

What does the application control feature consider first if application or filter overrides are configured?

Application and filter overrides (D)

What does the quarantine feature of application control refuse based on?

Attacker's IP-address (D)

What is used to block outgoing connections to botnet sites or record log messages?

Block botnet C&C communication (D)

What does the baseline-built environment provide?

Baseline for anomalous activity (D)

What can be applied to provide alerts on anomalous activity outside of the baseline?

Baseline-built environment (C)

What can be used for more granular application control?

Ingress and egress application sensors (A)

What can be used to detect industrial protocols and perform granular message type identification?

Granular message type identification (B)

What can be used to help define allowlist policy?

Application signatures (B)