What is a Zero-Day Attack?
A computer attack that tries to exploit software vulnerabilities that are unknown to, or not yet disclosed by, the software vendor.
Describe the functions of an IDS
-Passively monitors the traffic on a network
-Copies the traffic stream, and analyzes the monitored traffic rather than the actual forwarded packets
-Working offline, it compares the captured traffic stream with known malicious signatures
-Generates an al
Name advantages and disadvantages of an IDS
-The advantage of operating with a copy of the traffic is that the IDS does not negatively affect the actual packet flow of the forwarded traffic (i.e., it does not slow the network).
-The disadvantage of operating on a copy of the traffic is that the IDS cannot stop malic
Describe the functions of an IPS
-An IPS device is implemented in inline mode
-All traffic must flow through it for processing
-An IPS does not allow packets to enter the trusted side of the network without first being analyzed
-It can detect and immediately address a network problem
Name advantages and disadvantages of an IPS
-The advantage of operating in inline mode is that the IPS can stop single-packet attacks from reaching the target system
-The disadvantage is that a poorly configured IPS or an inappropriate IPS solution can negatively affect the packet flow of the forwa
Describe the Advantages of Promiscuous Mode (IDS)
-No impact on network (latency, jitter).
-No network impact if there is a sensor failure or a sensor overload.
Describe the Disadvantages of Promiscuous Mode (IDS)
-Response action cannot stop trigger packets.
-Correct tuning required for response actions.
-More vulnerable to network evasion techniques.
Describe the Advantages of Inline Mode (IPS)
-Stops trigger packets, the packets in a connection, or packets from a source IP address
-Can use stream normalization techniques to reduce or eliminate many of the network security evasion capabilities that exist
Describe the Disadvantages of Inline Mode (IPS)
-Some impact on network (latency, jitter) because traffic has to go through the IPS sensor
-Sensor failure or overloading impacts the network negatively
-Must be appropriately sized and implemented so that time-sensitive applications, such as VoIP, are no
Name three ways sensors can be implemented
-Added to an ISR router
-Added to an ASA firewall appliance
-Added to a Catalyst 6500 switch
Name Advantages of using a Network IPS
A network-based monitoring system can easily see attacks that are occurring across the entire network
Name disadvantages of using a Network IPS
-If network data is encrypted this can essentially blind network IPS, allowing attacks to go undetected
-Another problem is that IPS has a difficult time reconstructing fragmented traffic for monitoring purposes
-Finally, as networks become larger in term
What is a "Signature" and how does an IPS use it?
-Malicious traffic displays distinct characteristics or "signatures."
-A signature is a set of rules that an IDS and an IPS use to detect typical intrusive activity
-Signatures uniquely identify specific worms, viruses, protocol anomalies, or malicious tr
Name the signature's three distinctive attributes
Type (Either Atomic or Composite)
Trigger (alarm)
Action
Describe an Atomic Type Signature
-An atomic signature is the simplest type of signature
-It consists of a single packet, activity, or event that is examined to determine if it matches a configured signature
-If it does, an alarm is triggered, and a signature action is performed
-Because
Describe State Information in regards to an Atomic Type Signature
-State refers to situations in which multiple packets of information are required that are not necessarily received at the same time.
-With atomic signatures, the entire inspection can be accomplished in an atomic operation that does not require any knowl
Describe a LAND Attack and why it is an atomic signature
-A LAND attack is an atomic signature because it sends a spoofed TCP SYN packet (connection initiation) with the IP address of the target host and an open port as both source and destination
-The reason a LAND attack works is because it causes the machine
Describe a Composite Type Signature
-A composite signature is also called a stateful signature
-This type of signature identifies a sequence of operations distributed across multiple hosts over an arbitrary period of time
-Unlike atomic signatures, the stateful properties of composite signa
Define and Describe the "Event Horizon"
-The length of time that the signatures must maintain state is known as the event horizon.
-The length of an event horizon varies from one signature to another
-An IPS cannot maintain state information indefinitely without eventually running out of resour
Define and Describe a Signature File and how it is used by the IPS
-All signatures are contained in a signature file and are uploaded to an IPS on a regular basis
-The signature file contains a package of network signatures intended as an update to the signature database
-This signature database is used by the IPS or IDS
Describe Signature Micro-Engines
-They categorize common signatures in groups
-Cisco IOS software can then scan for multiple signatures based on group characteristics, instead of one at a time
-The available SMEs vary depending on the platform, Cisco IOS version, and version of the signat
List the five micro engines that Cisco IOS Release 12.4(6)T has
-Atomic - Signatures that examine simple packets, such as ICMP and UDP.
-Service - Signatures that examine the many services that are attacked.
-String - Signatures that use regular expression-based patterns to detect intrusions.
-Multi-string - Supports
List some information about Updating Signatures
-Cisco investigates and creates signatures for new threats and malicious behavior as they are discovered and publishes them regularly
-Typically, lower priority IPS signature files are published biweekly
-If the threat is severe, Cisco publishes signature
Define the Signature Trigger "Alarm"
The signature trigger for an IPS sensor could be anything that can reliably signal an intrusion or security policy violation.
EX: a packet with a payload containing a specific string going to a specific port.
List the four types of Signature Triggers
Pattern-based detection
Policy-based detection
Anomaly-based detection
Honey pot-based detection
Describe Pattern-based Detection
-Pattern-based detection, also known as signature-based detection, is the simplest triggering mechanism because it searches for a specific, pre-defined pattern
-A signature-based IDS or IPS sensor compares the network traffic to a database of known attack
List the Advantages of Pattern-based Detection
Easy configuration
Fewer false positives
Good signature design
List the Disadvantages of Pattern-based Detection
No detection of unknown signatures
Initially a lot of false positives
Signatures must be created, updated, and tuned
Describe Anomaly-based Detection
-Anomaly-based detection, also known as profile-based detection, involves first defining a profile of what is considered normal for the network or host
-This normal profile can be learned by monitoring activity on the network or specific applications on t
List the Advantage of Anomaly-based Detection
The advantage of anomaly-based detection is that new and previously unpublished attacks can be detected
List the Disadvantages of Anomaly-based Detection
-An alert from an anomaly signature does not necessarily indicate an attack. It indicates only a deviation from the defined normal activity, which can sometimes occur from valid user traffic
-As the network evolves, the definition of normal usually change
Describe Policy-based Detection ("Behavior-Based Detection")
-Policy-based detection, also known as behavior-based detection, is similar to pattern-based detection, but instead of trying to define specific patterns, the administrator defines behaviors that are suspicious based on historical analysis.
-The use of be
List the Advantages of Policy-based Detection
Simple and reliable
Customized policies
Can detect unknown attacks
List the Disadvantages of Policy-based Detection
Generic output
Policy must be created
Describe Honey Pot-based Detection
-Honey pot-based detection uses a dummy server to attract attacks.
-The purpose of the honey pot approach is to distract attacks away from real network devices.
-By staging different types of vulnerabilities in the honey pot server, administrators can ana
Define a "False Positive"
Normal User Traffic
Alarm Generated
Tune Alarm
Define a "False Negative"
Attack Traffic
No Alarm Generated
Tune Alarm
Define a "True Positive"
Attack Traffic
Alarm Generated
Ideal
Define a "True Negative"
Normal User Traffic
No Alarm Generated
Ideal
List the Four Levels a Signature can be tuned to
Low: Abnormal network activity is detected that could be perceived as malicious, but an immediate threat is not likely.
Medium: Abnormal network activity is detected that could be perceived as malicious, and an immediate threat is likely.
High: Attacks us
List the Actions that can be performed when a signature detects activity
Generate an alert.
Log the activity.
Drop or prevent the activity.
Reset a TCP connection.
Block future activity.
Allow the activity.
Name the two types of alerts that a signature uses
Atomic alerts
Summary alerts
Describe an Atomic Alert
-Atomic alerts are generated every time a signature triggers
-An attacker might be able to flood the monitor console with alerts by generating thousands of bogus alerts
Describe a Summary Alert
-A summary alert is a single alert that indicates multiple occurrences of the same signature from the same source address or port
-Alarm summary modes limit the number of alerts generated and make it difficult for an attacker to consume resources on the s
Describe why logging the activity is important
-In some situations, an administrator does not necessarily have enough information to stop an activity
-Therefore, logging the actions or packets that are seen so that they can be analyzed later in more detail is very important
Dropping or Preventing the Activity
-The IPS drops packets or prevents an activity from occurring. This action enables the device to stop an attack before it has the chance to perform malicious activity
-The drop action can be expanded to drop all packets for a specific session or even all p
Resetting a TCP Connection
-The TCP Reset Signature Action is a basic action that can be used to terminate TCP connections by generating a packet for the connection with the TCP RST flag set
-Many IPS devices use the TCP reset action to abruptly end a TCP connection that is perform
Blocking Future Activity
-Most IPS devices have the capability to block future traffic by having the IPS device update the access control lists (ACLs) on one of the infrastructure devices
-The ACL stops traffic from an attacking system without requiring the IPS to consume resourc
Allowing the Activity
The allow action is necessary so that an administrator can define exceptions to configured signatures. When an IPS device is configured to disallow certain activities, sometimes there is a need to allow a few systems or users to be exceptions to the confi
Describe Cisco Global Correlation and how it is used
-With global correlation, Cisco IPS devices receive regular threat updates from a centralized Cisco threat database called the Cisco SensorBase Network
-The Cisco SensorBase Network contains real-time, detailed information about known threats on the Inter
Name the two key functions of event monitoring and management
-Real-time event monitoring and management.
-Analysis based on archived information (reporting).
More info about monitoring
Event monitoring and management can be hosted on a single server or on separate servers for larger deployments.
It is recommended that a maximum of 25 well-tuned sensors report to a single IPS management console.
The Cisco IOS IPS feature can send a syslo