Traffic Management Filters: Flow-Based vs. Non-Flow Based

Questions and Answers

What is the purpose of creating a Traffic Management Filter (TMF) to trust vulnerability scanners or internal IT monitoring scripts?

To avoid unnecessary events and consumption of inspection resources (correct)

To overshadow actual attacks

To consume inspection resources

To block unnecessary events and streams

How can the use of Traffic Management Filters (TMFs) benefit a system?

By generating events to track traffic

By increasing the consumption of inspection resources

By reducing inspection overheads and performance protection alerts (correct)

By causing unnecessary events

In what direction does the traffic flow for the network scanner located at 192.168.1.200 when passing through IPS?

In both directions A to B and B to A (correct)

Segment 1A to 1B

Segment 6B to 6A

Segment 1B to 1A

What is the reason for creating a 4-way trust instead of a single rule for the network scanner?

To catch all possible directions in the environment for both scan and the response

What does a Traffic Management Filter (TMF) use when ordering its rules?

First match

What type of traffic did the staff initially use Exceptions on attack filters for?

Web server traffic

What is the main consequence of Trusting all traffic to and from a network scanner?

Reduced performance protection alerts

How does creating a Traffic Management Filter (TMF) for trust help in protecting web servers?

By reducing unnecessary resource consumption and events related to monitoring scripts

What is the main focus of flow-based inspection filters?

Inspecting packet headers and payload data

What are non-flow-based inspection filters also known as?

User-defined filters

Which type of filter looks at the overall behavior of traffic over time?

Algorithmic filters

What is the primary focus of header-based filters?

Examining IP header information

Which type of filter specifically focuses on detecting vulnerabilities?

Vulnerability filters

What do reconnaissance filters primarily aim to detect?

Port scans and host sweeps

Which type of filter looks at the IP header for detecting specific types of traffic?

Header-based filters

What is the distinguishing feature of flow-based inspection filters compared to non-flow-based ones?

They inspect packet headers and payload data

What is the purpose of creating a 4-way trust for traffic management filters in this scenario?

To ensure that all possible directions of traffic are accounted for

What does creating a 'virtual pipe' achieve when using rate-limiting?

It groups together different types of traffic for easier management

In what scenario would it be advisable to create multiple rules instead of a single rule for traffic management?

When the exact flow of traffic through each IPS device is unknown

What happens if you assign the same rate-limiting Action Set to different filters?

The flows matching those filters will share the same bandwidth restriction

Why might it be necessary to create two Action Sets with different names but the same rate limit value?

To ensure that certain types of traffic have their own dedicated bandwidth restriction

What is the benefit of using a 4-way trust instead of a single rule for traffic management?

It ensures that all possible directions of traffic are included

What is the purpose of assigning a rate-limiting Action Set to a Filter?

To group together different types of traffic under one limitation

When is it advisable to create multiple rules for traffic management?

When there are variations in how the traffic traverses each IPS device