Network Security 1.0 Modules 11-12 Intrusion Prevention Group Exam Answers PDF

Title Network Security 1.0 Modules 11-12 Intrusion Prevention Group Exam Answers
Author Amuel Wilson
Course Network security
Institution Algonquin College
Pages 6

Summary

Network Security Exam Preparation...


Description

Network Security (Version 1) – Network Security 1.0 Modules 11 – 12: Intrusion Prevention Group Exam Answers

1. What are two characteristics of both IPS and IDS sensors? (Choose two.)
- neither introduces latency or jitter
- both use signatures to detect patterns (correct)
- both are deployed inline in the data stream
- both can stop trigger packets
- both can detect atomic patterns (correct)
Explanation: IDS sensors work offline and are passive. They add very little latency; however, they cannot stop trigger packets. An IPS can stop trigger packets, but because it is installed inline it adds some latency and jitter to the traffic.

2. What is an advantage of using an IPS?
- It is installed outside of the data traffic flow.
- It does not impact network traffic if there is a sensor overload.
- It can stop trigger packets. (correct)
- It has no impact on network latency.
Explanation: An IPS can stop trigger packets, but because it is installed inline it adds some latency and jitter to the traffic. IDS sensors work offline and are passive. They add very little latency; however, they cannot stop trigger packets.

3. What is a characteristic of an IDS?
- It can affect network performance by introducing latency and jitter.
- It often requires assistance from other network devices to respond to an attack. (correct)
- It is installed inline with the network traffic flow.
- It can be configured to drop trigger packets that are associated with a connection.
Explanation: An IDS often requires assistance from other networking devices, such as routers and firewalls, to respond to an attack.

4. What are two characteristics of an IPS operating in promiscuous mode? (Choose two.)
- It can stop malicious traffic from reaching the intended target for all types of attacks.
- It sits directly in the path of the traffic flow.
- It requires the assistance of another network device to respond to an attack. (correct)
- It does not impact the flow of packets in forwarded traffic. (correct)
- It sends alerts and drops any malicious packets.
Explanation: An advantage of an IPS operating in promiscuous mode is that the sensor does not affect the packet flow of the forwarded traffic. A disadvantage is that the sensor cannot stop malicious traffic from reaching its intended target for certain types of attacks, such as atomic attacks (single-packet attacks).

5. Which tool can perform real-time traffic and port analysis, and can also detect port scans, fingerprinting and buffer overflow attacks?
- SIEM
- Nmap
- Snort (correct)
- NetFlow
Explanation: Snort is an open source intrusion protection system (IPS) that is capable of performing real-time traffic and port analysis, packet logging, content searching and matching, as well as detecting probes, attacks, port scans, fingerprinting, and buffer overflow attacks.

6. Which Snort IPS feature enables a router to download rule sets directly from cisco.com or snort.org?
- Snort rule set pull (correct)
- Signature allowed listing
- Snort rule set push
- Snort rule set updates
Explanation: With the Snort rule set pull feature, a router can download rule sets directly from cisco.com or snort.org to a local server. The download can occur using one-time commands or periodic automated updates.

7. What is a minimum system requirement to activate Snort IPS functionality on a Cisco router?
- at least 4 GB RAM
- at least 4 GB flash
- ISR 2900 or higher
- K9 license (correct)
Explanation: The requirements to run Snort IPS include an ISR 4300 or higher, a K9 license, 8 GB RAM, and 8 GB flash.

8. What is PulledPork?
- an open source network IPS that performs real-time traffic analysis and generates alerts when threats are detected on IP networks
- a centralized management tool to push the rule sets, based on preconfigured policy, to Cisco routers
- a virtual service container that runs on the Cisco ISR router operating system
- a rule management application that can be used to automatically download Snort rule updates (correct)
Explanation: PulledPork is a rule management application that can be used to automatically download Snort rule updates. Using PulledPork requires an authorization code, called an oink code, obtained from a snort.org account.

9. What are two actions that an IPS can perform whenever a signature detects the activity for which it is configured? (Choose two.)
- disable the link
- reconverge the network
- drop or prevent the activity (correct)
- allow the activity (correct)
- restart the infected device
Explanation: Depending on the signature type and the platform, whenever a signature detects the activity for which it is configured the IPS may:
- log the activity
- drop or prevent the activity
- reset a TCP connection
- block future activity
- allow the activity

10. Which IPS signature trigger category uses a decoy server to divert attacks away from production devices?
- honeypot-based detection (correct)
- policy-based detection
- pattern-based detection
- anomaly-based detection
Explanation: Honeypot-based detection uses a decoy server to attract attacks and to divert attacks away from production devices. Use of a honeypot can give administrators time to analyze incoming attacks and malicious traffic patterns in order to tune sensor signatures.

11. What situation will generate a true negative IPS alarm type?
- normal traffic that generates a false alarm
- a verified security incident that is detected
- a known attack that is not detected
- normal traffic that is correctly being ignored and forwarded (correct)
Explanation: The true negative alarm type is used when normal network traffic flows through an interface. Normal traffic should not, and does not, generate an actual alarm. A true negative indicates that benign normal traffic is correctly being ignored and forwarded without generating an alert.

12. Match each intrusion protection service with the description.

13. Match each Snort IPS rule action with the description.

14. What is provided by the fail open and close functionality of Snort IPS?
- provides the ability to automatically disable problematic signatures that routinely cause false positives and pass traffic
- blocks the traffic flow or bypasses IPS checking in the event of an IPS engine failure (correct)
- keeps Snort current with the latest threat protection and term-based subscriptions
- keeps track of the health of the Snort engine that is running in the service container
Explanation: The Snort IPS fail open and close functionality can be configured to block the traffic flow or to bypass IPS checking in the event of an IPS engine failure.

15. What is a characteristic of the Community Rule Set type of Snort term-based subscriptions?
- it has 60-day delayed access to updated signatures
- it uses Cisco Talos to provide coverage in advance of exploits
- it is fully supported by Cisco
- it is available for free (correct)
Explanation: There are two types of Snort term-based subscriptions:
Community Rule Set – Available for free and provides limited coverage against threats. There is also a 30-day delayed access to updated signatures, and there is no Cisco customer support available.
Subscriber Rule Set – Available for a fee and provides the best protection against threats. It includes coverage in advance of exploits by using the research work of the Cisco Talos security experts. This subscription is fully supported by Cisco.

16. What is a characteristic of the connectivity policy setting when configuring Snort threat protection?
- it attempts to balance network security with network performance
- it prioritizes security over connectivity
- it provides the lowest level of protection (correct)
- it enables the highest number of signatures to be verified
Explanation: One of the functionalities of Snort IPS is that it provides three levels of signature protection.
Connectivity – The least secure option.
Balanced – The midrange option of security.
Security – The most secure option.

17. What is contained in an OVA file?
- a current compilation of known threats and prevention mechanisms
- an installable version of a virtual machine (correct)
- a list of atomic and composite signatures
- a set of rules for an IDS or IPS to detect intrusion activity
Explanation: Step 1 of the configuration of Snort IPS is to download an Open Virtualization Archive (OVA) file. This file contains a compressed, installable version of a virtual machine.

18. What is a network tap?
- a Cisco technology that provides statistics on packets flowing through a router or multilayer switch
- a technology used to provide real-time reporting and long-term analysis of security events
- a feature supported on Cisco switches that enables the switch to copy frames and forward them to an analysis device
- a passive device that forwards all traffic and physical layer errors to an analysis device (correct)
Explanation: A network tap is used to capture traffic for monitoring the network. The tap is typically a passive splitting device implemented inline on the network, and it forwards all traffic, including physical layer errors, to an analysis device.

19. Which statement describes the function of the SPAN tool used in a Cisco switch?
- It is a secure channel for a switch to send logging to a syslog server.
- It provides interconnection between VLANs over multiple switches.
- It supports the SNMP trap operation on a switch.
- It copies the traffic from one switch port and sends it to another switch port that is connected to a monitoring device. (correct)
Explanation: To analyze network traffic passing through a switch, the switched port analyzer (SPAN) can be used. SPAN can send a copy of traffic from one port to another port on the same switch where a network analyzer or monitoring device is connected. SPAN is not required for syslog or SNMP. SPAN is used to mirror traffic, while syslog and SNMP are configured to send data directly to the appropriate server.

20. A network administrator is trying to download a valid file from an internal server. However, the process triggers an alert on an NMS tool. What condition describes this alert?
- false negative
- false positive (correct)
- true negative
- true positive
Explanation: Alerts can be classified as follows:
True Positive: The alert has been verified to be an actual security incident.
False Positive: The alert does not indicate an actual security incident. Benign activity that results in a false positive is sometimes referred to as a benign trigger.
An alternative situation is that an alert was not generated. The absence of an alert can be classified as:
True Negative: No security incident has occurred. The activity is benign.
False Negative: An undetected incident has occurred.

21. What is an advantage of HIPS that is not provided by IDS?
- HIPS provides quick analysis of events through detailed logging.
- HIPS deploys sensors at network entry points and protects critical network segments.
- HIPS monitors network processes and protects critical files.
- HIPS protects critical system resources and monitors operating system processes. (correct)
Explanation: Network-based IDS (NIDS) sensors are typically deployed in offline mode. They do not protect individual hosts. Host-based IPS (HIPS) is software installed on a single host to monitor and analyze suspicious activity. It can monitor and protect the operating system and critical system processes that are specific to that host. HIPS can be thought of as a combination of antivirus software, antimalware software, and a firewall.

22. What information must an IPS track in order to detect attacks matching a composite signature?
- the total number of packets in the attack
- the state of packets related to the attack (correct)
- the attacking period used by the attacker
- the network bandwidth consumed by all packets
Explanation: A composite signature is called a stateful signature. It identifies a sequence of operations distributed across multiple hosts over an arbitrary period of time. Because this type of attack involves multiple packets, an IPS sensor must maintain the state information. However, an IPS sensor cannot maintain the state information indefinitely. A composite signature is configured with a time period to maintain the state for the specific attack when it is first detected. Thus, an IPS may not be able to maintain all the information related to an attack, such as the total number of packets, the total length of attack time, and the amount of bandwidth consumed by the attack. ...
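The explanation for question 22 describes a sensor that keeps per-attack state only for a configured time period. The Python below is an added example, not code from the exam or from Cisco or Snort: a toy stateful (composite) signature matcher whose step names, 30-second window and sample events are all constructed, showing how a sequence that completes inside the window raises an alert while the same sequence spread over a longer period does not.

```python
# Added example (not from the exam or from Cisco/Snort): a toy stateful
# ("composite") signature matcher. The step names, the 30-second window
# and the sample events below are constructed for illustration.

SEQUENCE = ("port_probe", "auth_fail", "auth_fail", "remote_exec")
WINDOW_SECONDS = 30.0  # how long the sensor keeps a partial match per source

# Constructed sample events: (timestamp_seconds, source_ip, event_type)
EVENTS = [
    (0.0, "10.0.0.5", "port_probe"),
    (2.0, "10.0.0.5", "auth_fail"),
    (3.0, "10.0.0.5", "auth_fail"),
    (5.0, "10.0.0.5", "remote_exec"),   # whole sequence inside 30 s -> alert
    (0.0, "10.0.0.9", "port_probe"),
    (10.0, "10.0.0.9", "auth_fail"),
    (20.0, "10.0.0.9", "auth_fail"),
    (50.0, "10.0.0.9", "remote_exec"),  # partial state aged out at 30 s -> no alert
]


def run_detection(events, sequence=SEQUENCE, window=WINDOW_SECONDS):
    """Return (timestamp, source) alerts for every completed sequence.

    Per source the sensor keeps only the index of the next expected step
    and the time the partial match began. State older than `window` is
    discarded, so a slow attacker can spread the steps out and evade the
    signature; the trade-off is bounded memory on the sensor.
    """
    state = {}   # source -> (next_step_index, match_start_time)
    alerts = []
    for ts, src, kind in sorted(events):
        idx, started = state.get(src, (0, ts))
        if idx > 0 and ts - started > window:
            state.pop(src, None)          # age out stale partial state
            idx, started = 0, ts
        if kind != sequence[idx]:
            continue                      # not the next step; state unchanged
        idx += 1
        if idx == len(sequence):
            alerts.append((ts, src))      # sequence completed within window
            state.pop(src, None)
        else:
            state[src] = (idx, started)
    return alerts


if __name__ == "__main__":
    for ts, src in run_detection(EVENTS):
        print(f"ALERT t={ts:.0f}s composite signature matched for {src}")
```

Raising the window (for example to 60 seconds) makes the slow sequence from 10.0.0.9 match as well, at the cost of holding partial state for longer.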

