Chapter 6 Network Analysis and Security Technologies Quiz
42 Questions

Questions and Answers

What is the primary purpose of NetFlow in network analysis?

  • Monitoring network device hardware status
  • Managing IP address allocation
  • Capturing and analyzing network traffic data (correct)
  • Analyzing user application performance

Which technology is associated with micro-segmentation in Cisco ACI?

  • Traffic shaping
  • Access control lists
  • Software-defined networking (correct)
  • VLAN tagging

What is a significant benefit of network telemetry?

  • Proactive security threat detection (correct)
  • Reduction of data storage requirements
  • Enhanced endpoint device compliance
  • Increased bandwidth availability

Which of the following is NOT an exfiltration technique?

  • Smart Contract (D) (correct)

What does Cisco Encrypted Traffic Analytics (ETA) help organizations achieve?

  • Visibility into encrypted traffic flows (D) (correct)

What is the primary purpose of using NetFlow in network security?

  • To analyze and mitigate anomalies in network traffic (D) (correct)

How does anomaly-based detection generally work to identify threats?

  • By monitoring traffic that deviates from established normal behavior (D) (correct)

What is a common characteristic of DDoS attacks?

  • They often use multiple hosts to overwhelm resources (B) (correct)

What is the initial step to be taken before implementing anomaly-detection capabilities?

  • Perform thorough traffic analysis to understand patterns (A) (correct)

Which of the following best describes a 'bot host' in the context of network attacks?

  • A compromised system used to launch coordinated attacks (C) (correct)

What must an anomaly-detection system be able to do in order to react effectively to network traffic anomalies?

  • Alert and respond to sudden increases in traffic (A) (correct)

In network security, what does the term 'normal behavior' refer to?

  • The average operational parameters of the network (D) (correct)

Which additional mechanisms can be paired with NetFlow to enhance security data collection?

  • Simple Network Management Protocol (SNMP) and syslog (B) (correct)

What characterizes an immediate cache in network monitoring?

  • It accounts for a single packet, suitable for real-time traffic. (C) (correct)

What does the permanent cache allow for?

  • It tracks flows without expiring them from the cache. (B) (correct)

How is traffic in a flow defined in relation to a session?

  • Flows are distinct from sessions, despite their relatedness. (D) (correct)

Which of the following is NOT a purpose of NetFlow?

  • Enhancing cloud storage capabilities (D) (correct)

Which statement about flow aging in the cache is accurate?

  • Entries are removed based on active and inactive timeout settings. (B) (correct)

What role does NetFlow play in achieving network security?

  • It provides complete visibility necessary for threat detection. (A) (correct)

What is a disadvantage of using the immediate cache?

  • It may lead to increased CPU and memory utilization. (C) (correct)

Which statement correctly differentiates IP Accounting from NetFlow?

  • NetFlow is more well-known and comprehensive than IP Accounting. (A) (correct)

What is the primary function of the FlowSensor?

  • To enhance packet capture capabilities where NetFlow is absent (A) (correct)

How does NetFlow assist in historical event tracking?

  • By maintaining a transactional record of network events (C) (correct)

Which of the following statements about syslog is accurate?

  • Every security professional relies heavily on good logging mechanisms (C) (correct)

What role does the logging process serve on Cisco devices?

  • It controls how logging messages are delivered to various destinations (B) (correct)

What can historical records show during an investigation of a security breach?

  • Details about the initial infection and its communication channels (D) (correct)

Which tools are included in the monitoring event correlation systems?

  • Elasticsearch, Logstash, and Kibana (C) (correct)

What is a significant limitation of syslog?

  • Message delivery is solely dependent on the device configuration (A) (correct)

When configuring the FlowSensor, what is typically used along with it?

  • The FlowCollector (A) (correct)

What is the most common UDP port used by NetFlow?

  • UDP port 2055 (D) (correct)

Which tool is designed to be highly scalable and can process high-volume traffic?

  • YAF (B) (correct)

What does the Metering Process (MP) do?

  • It generates flow records from packets. (C) (correct)

Which of the following tools is web-based and provides real-time traffic monitoring?

  • Ntopng (B) (correct)

What is the default port used by IPFIX?

  • UDP port 4739 (B) (correct)

What role do IPFIX mediators play in network monitoring?

  • Transform and re-export IPFIX streams (B) (correct)

Which of the following statements about the Exporting Process (EP) is true?

  • The EP sends flow records to one or more collecting processes (CPs). (B) (correct)

Which of the following is NOT a listed open-source tool for IPFIX?

  • NetFlow Analyzer (B) (correct)

What is one of the benefits of combining bandwidth and QoS features?

  • Enhanced ability to drop non-critical packets to prevent delays (B) (correct)

Which performance metric is NOT collected by the Cisco AVC embedded monitoring agent?

  • Throughput efficiency (D) (correct)

What is the purpose of protocol discovery features in Cisco AVC?

  • To identify the mix of applications and help define QoS policies (A) (correct)

What format is used to export metrics collected by the Cisco AVC monitoring agent?

  • NetFlow v9 or IPFIX (B) (correct)

Which QoS feature can be applied after traffic classification by administrators?

  • Class-based weighted fair queuing (CBWFQ) (A) (correct)

Flashcards

Network Visibility

The ability to see and understand network traffic and activity.

NetFlow

A network protocol that gathers and analyzes network traffic data.

Network Segmentation

Dividing a network into smaller, isolated parts to improve security.

Cisco Secure Network Analytics

A security product that analyzes network traffic for security threats.

Micro-segmentation

A method of network segmentation that isolates even smaller parts of the network.

Flow Cache

A temporary storage area used by NetFlow to collect and analyze network traffic data.

Immediate Cache

A type of flow cache designed for real-time analysis of individual packets, commonly used for traffic monitoring and detecting distributed denial-of-service (DDoS) attacks.

Permanent Cache

A type of flow cache designed for long-term tracking of flows without expiration. The data is periodically exported.

Flow vs. Session

A flow refers to traffic moving in one direction, while a session represents a two-way communication between a client and server.

NetFlow's Key Applications

NetFlow is used for network security, traffic engineering, network planning, and network troubleshooting.

NetFlow for Security

NetFlow provides nonrepudiation, anomaly detection, and investigative capabilities to enhance network security.

Complete Network Visibility

The ability to see and understand all network traffic and activity, essential for identifying and mitigating security threats.

NetFlow vs. IP Accounting

NetFlow is a comprehensive and widely adopted network flow analysis protocol, while IP Accounting is a Cisco-specific tool for network accounting.

Anomaly Detection

Identifying network traffic that deviates from normal patterns.

Normal Network Behavior

The typical patterns of network traffic, including volume, type, and source/destination.

DDoS Attack

A malicious attack that floods a network with traffic, overwhelming resources and causing outages.

Zombie Host/Botnet

A compromised computer controlled by an attacker to participate in a coordinated attack.

What does NetFlow monitor?

NetFlow monitors network traffic and provides data for anomaly detection and security analysis.

Traffic Analysis

Examining network traffic patterns to understand normal usage and identify potential anomalies.

Learning Interval

The period of time over which an anomaly detection system observes network traffic to establish normal patterns.

Security Mechanisms

Tools and techniques used to protect a network from threats.

FlowSensor

A network appliance that provides deeper visibility into network traffic beyond NetFlow, connecting to SPAN, mirror ports, or TAPs.

NetFlow Data Storage

NetFlow data is easier to store than packet captures because it only includes transaction records, allowing for longer historical records.

Analyzing Network Transactions

Examining network transactions helps identify the source of an infection, command-and-control channels, and infected hosts accessed.

Syslog Logging Facility

A feature on Cisco devices that allows saving system logs locally or on a remote server.

Syslog Severity Levels

Controls the type of log messages displayed, allowing for filtering of less important events.

Importance of Logs

Essential for security professionals and incident responders to understand what happened during an attack.

Syslog Limitations

Syslog has limitations, so it is important to consider alternative methods for network monitoring as well.

ELK Stack

A suite of open-source tools (Elasticsearch, Logstash, Kibana) used for log analysis and visualization.

QoS benefits

Combining features in QoS allows for control of bandwidth allocation, packet prioritization, and congestion management, leading to better network performance for critical applications.

Cisco AVC Metrics

Cisco AVC uses an embedded monitoring agent and NetFlow to collect various network metrics, including TCP performance metrics (bandwidth usage, response time, latency) and VoIP performance metrics (packet loss, jitter).

Metrics Exporting

Cisco AVC exports collected metrics in NetFlow v9 or IPFIX format to a management and reporting system. Metrics records can be sent directly from the data plane for speed or exported at a lower speed from the route processor for more complex processing.

QoS Capabilities

QoS capabilities can control application prioritization based on protocol discovery and statistics. This helps define QoS classes and policies, such as bandwidth allocation for mission-critical applications and traffic policing.

QoS Features

After classifying traffic, administrators can apply features like Class-based Weighted Fair Queuing (CBWFQ) for guaranteed bandwidth and other QoS techniques to manage network traffic effectively.

NetFlow Standard Port

The default UDP port used by NetFlow protocol is 2055. However, other ports like 9555, 9995, 9025, and 9026 can also be used for NetFlow traffic.

IPFIX Default Port

UDP port 4739 is the default port used by the IPFIX protocol, a newer and more advanced version of NetFlow.

IPFIX Metering Process (MP)

The MP is responsible for generating flow records from network packets. It captures data, timestamps it, samples it, classifies it, and prepares it for forwarding.

IPFIX Exporting Process (EP)

The EP sends IPFIX flow records from one or more MPs to one or more collecting processes (CPs).

IPFIX Collecting Process (CP)

The CP receives IPFIX flow records from one or more EPs. It's responsible for collecting and processing information from various sources.

IPFIX Mediator

A mediator acts as a middleman between different IPFIX components. It gathers IPFIX streams, potentially modifies them, and then re-exports them to one or more IPFIX collectors.

What is Softflowd?

Softflowd is a lightweight tool that analyzes network traffic and generates IPFIX flow records. It's compatible with various operating systems, including Linux, BSD, and macOS.

What is YAF?

Yet Another Flowmeter (YAF) is an open-source flow-based traffic analyzer that generates IPFIX records. It's known for its scalability, handling large volumes of network traffic.

Study Notes

Chapter 5: Network Visibility and Segmentation

  • This chapter covers network visibility and segmentation, including topics like NetFlow, IPFIX, Cisco Secure Network Analytics, Cisco Cognitive Intelligence, and Network Segmentation.
  • It also covers exam objectives related to secure network access, visibility, and enforcement, including device compliance and application control, exfiltration techniques, network telemetry, and components of security products.

Introduction to Network Visibility

  • Network visibility is a crucial element in cybersecurity.
  • It involves maintaining a good level of visibility across all environments, especially in multi-cloud environments.
  • Good visibility is essential for maintaining services and business continuity.
  • Organizations need a flexible architecture with multiple technologies that offer visibility and maintain control during abnormal or malicious events.

NetFlow

  • NetFlow is a Cisco technology that provides comprehensive insights into all network traffic traversing a Cisco-supported device.
  • Initially designed for billing and accounting network traffic, it also measures bandwidth utilization, application performance, and availability.
  • It's a critical tool for network security, providing nonrepudiation, anomaly detection, and investigative capabilities.
  • NetFlow gathers information about network traffic, allowing administrators to monitor what's happening throughout the network, identify DoS attacks, quickly identify compromised devices, monitor employee, contractor, or partner network usage, and detect firewall misconfigurations.

IP Flow Information Export (IPFIX)

  • IPFIX is an IETF standard for exporting flow information from routers, switches, firewalls, and other network devices.
  • IPFIX standardizes the format and transfer of flow information from an exporter to a collector.
  • It's based on NetFlow v9 and offers increased features and capabilities compared to older NetFlow versions.

Cisco Secure Network Analytics (formerly known as Cisco Stealthwatch)

  • This is a cloud-based solution used for network visibility, threat detection, and incident response.
  • It gathers data from various network devices using NetFlow and IPFIX.
  • Network telemetry is analyzed to detect anomalies and malicious behavior.
  • It helps in identifying suspicious activities, data exfiltration, and anomaly detection, such as DDoS attacks and zero-day exploits. It also allows for incident response and forensics.

Cisco Cognitive Intelligence (ETA)

  • Cisco ETA passively monitors encrypted traffic, extracts relevant data, and uses behavioral modeling and machine learning to identify malicious communications.
  • It does not decrypt packets, so it enhances network visibility without needing to decrypt the network traffic, for example by identifying suspected ransomware communications.

Network Segmentation

  • Network segmentation logically groups network assets, resources, and applications.
  • Segmentation provides flexibility to implement different security and control mechanisms.
  • Network segmentation involves separating the network into sections or zones to which different access control rules apply.

Micro-segmentation using Cisco ACI

  • Micro-segmentation allows organizations to place endpoint groups (EPGs) into logical zones.
  • EPGs are used to group VMs to which specific filtering and forwarding policies are applied.
  • Flexible policies can be applied to endpoints (VMs) based on network or VM attributes, dynamically.
  • Cisco ACI facilitates granular policies and automatic assignment of devices, enhancing security.

Segmentation Using Cisco ISE

  • Cisco ISE is a crucial element for network segmentation.
  • It facilitates configuring security policies based on users, devices, and other characteristics, so that the network can be segmented by groups of users, applications, and devices.

Description

Test your knowledge on key concepts in network analysis and security technologies. This quiz covers NetFlow, micro-segmentation in Cisco ACI, network telemetry benefits, exfiltration techniques, and Cisco Encrypted Traffic Analytics. Perfect for IT professionals and students looking to deepen their understanding of network security.
