Traffic Management Filters: Flow-Based vs. Non-Flow Based

Questions and Answers

What is the purpose of creating a Traffic Management Filter (TMF) to trust vulnerability scanners or internal IT monitoring scripts?

• To avoid unnecessary events and consumption of inspection resources (correct)
• To overshadow actual attacks
• To consume inspection resources
• To block unnecessary events and streams

How can the use of Traffic Management Filters (TMFs) benefit a system?

• By generating events to track traffic
• By increasing the consumption of inspection resources
• By reducing inspection overheads and performance protection alerts (correct)
• By causing unnecessary events

In what direction does the traffic flow for the network scanner located at 192.168.1.200 when passing through IPS?

• In both directions A to B and B to A (correct)
• Segment 1A to 1B
• Segment 6B to 6A
• Segment 1B to 1A

What is the reason for creating a 4-way trust instead of a single rule for the network scanner?

To catch all possible directions in the environment for both scan and the response (B)

What does a Traffic Management Filter (TMF) use when ordering its rules?

First match (B)

What type of traffic did the staff initially use Exceptions on attack filters for?

Web server traffic (D)

What is the main consequence of Trusting all traffic to and from a network scanner?

Reduced performance protection alerts (D)

How does creating a Traffic Management Filter (TMF) for trust help in protecting web servers?

By reducing unnecessary resource consumption and events related to monitoring scripts (A)

What is the main focus of flow-based inspection filters?

Inspecting packet headers and payload data (D)

What are non-flow-based inspection filters also known as?

User-defined filters (D)

Which type of filter looks at the overall behavior of traffic over time?

Algorithmic filters (C)

What is the primary focus of header-based filters?

Examining IP header information (A)

Which type of filter specifically focuses on detecting vulnerabilities?

Vulnerability filters (B)

What do reconnaissance filters primarily aim to detect?

Port scans and host sweeps (B)

Which type of filter looks at the IP header for detecting specific types of traffic?

Header-based filters (A)

What is the distinguishing feature of flow-based inspection filters compared to non-flow-based ones?

They inspect packet headers and payload data (C)

What is the purpose of creating a 4-way trust for traffic management filters in this scenario?

To ensure that all possible directions of traffic are accounted for (C)

What does creating a 'virtual pipe' achieve when using rate-limiting?

It groups together different types of traffic for easier management (A)

In what scenario would it be advisable to create multiple rules instead of a single rule for traffic management?

When the exact flow of traffic through each IPS device is unknown (C)

What happens if you assign the same rate-limiting Action Set to different filters?

The flows matching those filters will share the same bandwidth restriction (D)

Why might it be necessary to create two Action Sets with different names but the same rate limit value?

To ensure that certain types of traffic have their own dedicated bandwidth restriction (B)

What is the benefit of using a 4-way trust instead of a single rule for traffic management?

It ensures that all possible directions of traffic are included (B)

What is the purpose of assigning a rate-limiting Action Set to a Filter?

To group together different types of traffic under one limitation (C)

When is it advisable to create multiple rules for traffic management?

When there are variations in how the traffic traverses each IPS device (B)