CCNA Security FAQ: Network Security Using Cisco IOS IPS

Question. True or false. An IDS is a passive technology that only reports when events trigger signatures, whereas an IPS not only reports but also blocks the intrusion.

Answer: False. This is a bit of a trick question. What makes an IDS a detection (rather than prevention) system is that, because it is not inline with the traffic like an IPS, it might miss the trigger packets of an attack. An IDS might still be able to block an attack after it has started.

Question. Which in the following list are examples of where an IDS or IPS may be deployed? (Choose all that apply.)
A. Separate network device.
B. Option card in a router or security appliance.
C. Software on a router.
D. Add-on blade module on Cisco VPN 3000 Series Concentrator.
E. All of the above

Answer: A, B, and C. There is no IPS or IDS add-on module for the concentrator.

Question. Which two statements are true about the differences between IDS and IPS? (Choose two.)
A. IPS operates in promiscuous mode.
B. IPS receives a copy of the traffic to be analyzed.
C. IPS operates in inline mode.
D. IDS receives a copy of the traffic to be analyzed.

Answer: C and D

Question. What is the primary method used to detect and prevent attacks using IDS and/or IPS technologies?
A. Signature-based detection
B. Policy-based detection
C. Anomaly-based detection
D. Honey pot detection

Answer: A

Question. What two types of interfaces are found on all network-based IPS sensors? (Choose two.)
A. Management interface
B. Monitoring interface
C. Command and control interface
D. Loopback interface

Answer: B and C

Question. Which type of signature uses a set of rules that state how certain protocols should behave on the network?
A. String signatures
B. DoS signatures
C. Exploit signatures
D. Connection signatures

Answer: D

Question. Which protocol used by IPS is preferred over syslog because it provides a secure communications channel and can be used to communicate between IPS clients and servers (for example, a management workstation that collects and correlates events from multiple IPS sensors in the network)?
A. CTIQBE
B. SDEE
C. TLS
D. SRTP

Answer: B

Question. Match the list of IPS technologies below with the letter corresponding to the platform to which it belongs. Letters may be used more than once.

  1. AIP-SSM: _____
  2. IDSM-2:   _____
  3. IPS AIM:  _____
  4. IOS IPS:   _____

Choices:
A. ASA 5500 Series Adaptive Security appliances
B. Catalyst 6500 Series switches
C. Cisco IOS router

Answer: 1: A; 2: B; 3: C; 4: C.

Question. Which of the following is part of Cisco’s suite of IPS Management Software? (Choose one correct answer.)
A. Cisco IPS Device Manager (IDM)
B. Cisco IPS Event Viewer (IEV)
C. Cisco Security Monitoring, Analysis, and Response System (MARS)
D. Cisco Router Security Device Manager (SDM)
E. All of the above.

Answer: E.

Question. Fill in the blank. Cisco _____ Agent is Cisco’s Host IPS (HIPS) software solution.
A. Integrity
B. Accountability
C. Information
D. Security
E. Trust

Answer: D.

Question. Which of the following is not considered an advantage of Network IPS? (Choose all that apply.)
A. New end system hosts and devices can be added without the need for new sensors.
B. A single sensor can monitor traffic from many hosts.
C. Network IPS can be deployed on every end system in the network.
D. Network IPS can see all traffic inside encrypted data streams.
E. None of the above.

Answer: The correct answers are C and D. C is correct because one of the advantages of a network IPS is that you don’t have to deploy it on every end system in the network. D is also correct because one of the disadvantages of network IPS is that they are blind to encrypted data. Only a Host IPS (HIPS) can see the data in the encrypted data stream because they operate above the network and transport layers where encryption occurs. (Review Chapter 7, “Virtual Private Networks with IPsec,” if you’re not sure about this last point.)

Question. Which four of the following are configurable responses to an IPS alarm being triggered? (Choose four.)
A. Create a log entry
B. Drop the offending packet
C. Reset the TCP connection
D. Send an ICMP Source Quench to the attacker’s IP address
E. Block the attacker’s IP address

Answer: A, B, C, and E

Question. The Intrusion Prevention Wizard is launched from within which administrative utility?
A. SMS
B. QPM
C. SDM
D. IPM

Answer: C

Question. The IPS Policies Wizard helps you with which three of the following tasks? (Choose three.)
A. Selecting the interface to which the IPS rule will be applied
B. Selecting the direction of traffic that will be inspected
C. Selecting the inspection policy that will be applied to the interface
D. Selecting the Signature Definition File (SDF) that the router will use

Answer: A, B, and D

Question. Which of the following is an implicit command that is the last rule in a list of IPS rules?
A. permit ip any any
B. deny ip any any
C. permit tcp 127.0.0.1 any
D. deny tcp any 255.255.255.255

Answer: B

Question. When editing global IPS settings, which option determines if the IOS-based IPS feature will drop or permit traffic for a particular IPS signature engine while a new signature for that engine is being compiled?
A. Enable Engine Fail Closed
B. Enable Default IOS Signature
C. Enable Fail Opened
D. Enable Signature Default

Answer: A

Question. In SDM’s Edit Signature window, you click a green square next to the parameter you want to configure to make it editable. What color and symbol does the green square change into after you click it?
A. Blue circle
B. Yellow triangle
C. Red diamond
D. Orange oval

Answer: C

Question. Review the information in Figure 8.27. Which of the following statements is correct about the information it contains? (Choose all that apply.)
A. Only inbound traffic from untrusted to trusted zones will be scanned for signs of intrusion since only the Inbound Filter radio button is pressed in the bottom pane.
B. VFR (Virtual Fragmentation Reassembly) is enabled on every interface.
C. Inbound inspection of packets for intrusive activity is enabled on every interface.
D. You cannot tell whether the IPS is active or not by looking at this screenshot.
E. None of the above.

Answer: B and C are correct. Answer A is incorrect because the notice in the bottom pane of the Edit IPS screenshot just means what it says: all inbound traffic will be scanned by the IPS since no filter is set. The word “inbound” is with respect to the interface itself and has nothing to do with zones and zone pairs and levels of trust. Answer D is incorrect because this screen is used to verify that IPS is enabled on the interfaces. You can see that all the interfaces have an IPS policy enabled in the inbound direction.

[Figure 8-1: SDM Edit IPS screenshot, not reproduced]

Question. Fill in the blanks in the following sentence with a choice from the list below. The IPS signature file that you download to your PC will end with a _____ file extension, whereas the file that you push to the IOS IPS will end with a _____ file extension. Both can be downloaded from Cisco.
A. .zip, .pkg
B. .cab, .zip
C. .tar, .zip
D. .pkg, .zip
E. .cab, .pkg

Answer: A. When you elect to download the signature files from CCO in the course of configuring the IOS IPS, the Create IPS Wizard will ask you if you want to push the files to the router in addition to downloading them to your local PC. The file names that are pushed to the router are in the form of IOS-Sxxx-CLI.pkg, and the file names that are downloaded to your PC are in the form of sigv5-SDM-Sxxx.zip, where xxx is the version number of the signature set.

Question. View the CLI output below of an incomplete IPS configuration. Which of the following statements best describes what is missing?

[Figure 8-2: CLI output of the incomplete IPS configuration, not reproduced]

A. The basic category of IPS signatures should not be used because it is unlikely to capture trigger packets.
B. The basic category of IPS signatures should not be used because it is known to cause memory allocation errors on IOS IPS routers with less than 128MB of DRAM.
C. Only retired signatures are being used.
D. The IPS is inactive because the configuration has not been applied to an interface.
E. The IPS is inactive because the configuration has not been applied globally to the device.

Answer: D. Answers A and B are incorrect because the basic signature category is for Cisco IOS IPS routers, which have less than 128MB of DRAM. This doesn’t turn off the inline nature of the IPS either, so trigger packets (at least in the applied signatures) will not be missed. Answer C is incorrect because the word “retired” in the CLI output refers to whether retired signatures are used in a certain category. Answer E is incorrect because the IPS policy is only applied to interfaces and not globally to the entire device.

Here is an example of a complete configuration. Note that the IPS policy sdm_ips_rule has been applied in the inbound direction to interfaces Vlan1 and FastEthernet4:

[Figure 8-3: CLI output of the complete IPS configuration, not reproduced]

Question. True or false. SDEE is a push-logging protocol that can optionally use encryption, whereas syslog uses a pull-logging protocol.

Answer: False. One of SDEE’s strengths is that it is a pull protocol that can optionally use HTTPS (instead of HTTP) as an encrypted transport. Syslog is unencrypted, uses UDP port 514 for transport, and is a push protocol, meaning that, unlike with SDEE, a syslog server cannot query the IPS for alert message entries.

About the author

Scott