Network Security Post-Assessment | CBROPS 2023 2024

  1. Which security device is best for defending Web Servers against the OWASP Top 10 web application security risks?

    • load balancer
    • intrusion prevention system
    • web security appliance
    • stateful firewall
    • web application firewall

      Explanation & Hint:

      To defend against the OWASP (Open Web Application Security Project) Top 10 web application security risks, a Web Application Firewall (WAF) is often considered the most suitable security device. Here’s why:

      1. Load Balancer: While a load balancer can distribute traffic to prevent overloads and can sometimes offer basic security features, it is not primarily designed to protect against the specific types of attacks listed in the OWASP Top 10.
      2. Intrusion Prevention System (IPS): An IPS monitors network and/or system activities for malicious activity. It’s a good security measure but is generally designed to protect against known threats at the network level and may not be as effective against web application attacks, which are often more sophisticated and targeted at application-level vulnerabilities.
      3. Web Security Appliance: This type of security device can include various features like URL filtering, malware detection, and content inspection. While beneficial as part of a security strategy, it does not provide the same level of tailored protection for web applications as a WAF does.
      4. Stateful Firewall: A stateful firewall keeps track of the state of active connections and makes decisions based on the context of the traffic. However, this is more effective at the network level rather than the application level where the OWASP Top 10 risks reside.
      5. Web Application Firewall (WAF): A WAF is specifically designed to monitor, filter, and block harmful HTTP/S traffic to and from a web application. It understands the web application’s logic and can help protect against web application attacks such as SQL injection, cross-site scripting (XSS), and other vulnerabilities listed in the OWASP Top 10.

      Therefore, among the options given, a Web Application Firewall is best suited for defending Web Servers against the OWASP Top 10 risks. It’s important to note that the best defense is often a layered approach, incorporating several types of security measures.

  2. Which two statements are true regarding commercial and Open Source SOC tools? (Choose two.)

    • Commercial tools tend to be polished and full-featured and come with vendor support, but they also tend to be expensive.
    • Open Source tools tend to be polished and full-featured and come with vendor support, but they also tend to be expensive.
    • Technical support is often considered to be an advantage of commercial tools.
    • Technical support is often considered to be an advantage of Open Source tools.
    • Commercial tools are freely distributable; Open Source tools are not.

      Explanation & Hint:

      The two statements that are true regarding commercial and Open Source Security Operations Center (SOC) tools are:

      1. Commercial tools tend to be polished and full-featured and come with vendor support, but they also tend to be expensive.
        • Commercial SOC tools are typically developed by companies that invest significantly in user interface design and comprehensive features. These tools come with customer support and maintenance services provided by the vendor, which can be a crucial advantage. However, this often comes at a higher cost, which includes licensing fees.
      2. Technical support is often considered to be an advantage of commercial tools.
        • One of the main selling points of commercial tools is the technical support that vendors provide. This can include troubleshooting, regular updates, and assistance with configuring and maintaining the tool. Access to dedicated technical support can be particularly valuable for organizations that do not have the in-house expertise to manage SOC tools on their own.

      The other statements provided are incorrect:

      • Open Source tools tend to be polished and full-featured and come with vendor support, but they also tend to be expensive.
        • This statement is incorrect because while some open-source tools can be polished and full-featured, they typically do not come with vendor support since they are community-driven, and they are not expensive since they are free to use.
      • Technical support is often considered to be an advantage of Open Source tools.
        • Open Source tools do not usually offer formal vendor support; support often comes from the community, forums, or in a paid capacity by third parties. It is generally not considered an advantage over commercial tools.
      • Commercial tools are freely distributable; Open Source tools are not.
        • This statement is incorrect because it’s the other way around. Open Source tools are usually freely distributable under their respective licenses, while commercial tools typically have restrictions on distribution according to their licensing agreements.

  3. Which two of the following protocols are most commonly found in AAA? (Choose two.)

    • TCP/IP
    • TACACS+
    • OSPF MD5
    • RADIUS
    • IPSEC

      Explanation & Hint:

      In the context of AAA, which stands for Authentication, Authorization, and Accounting, the two protocols most commonly associated are:

      1. TACACS+ (Terminal Access Controller Access-Control System Plus)
        • TACACS+ is a protocol developed by Cisco and is commonly used for network device access control. It separates authentication, authorization, and accounting processes for more flexible control over access management.
      2. RADIUS (Remote Authentication Dial-In User Service)
        • RADIUS is an industry-standard protocol for AAA services. It is widely used for network access authentication and accounting, and is supported by a vast number of networking vendors.

      The other protocols listed are not primarily associated with AAA services:

      • TCP/IP refers to the suite of communication protocols used to connect hosts on the Internet. It is not specific to AAA.
      • OSPF MD5 refers to the use of MD5 hashing to secure OSPF (Open Shortest Path First) routing information, not to AAA services.
      • IPSEC is a suite of protocols for securing internet protocol (IP) communications by authenticating and encrypting each IP packet in a data stream. It is more about securing data communications than providing AAA services.

  4. Which statement best describes how a network-based malware protection feature detects a possible event?

    • Using virus signature files locally on the firewall, it will detect incorrect MD5 file hashes.
    • The firewall applies broad-based application and file control policies to detect malware.
    • Malware can be detected correctly by using reputation databases on both the firewall and/or from the cloud.
    • IDS signature files that are located on the firewall are used to detect the presence of malware.
    • Malware can be detected and stopped by using ACLs and the modular policy framework within the firewall appliance.

      Explanation & Hint:

      The statement that best describes how a network-based malware protection feature detects a possible event is:

      “Malware can be detected correctly by using reputation databases on both the firewall and/or from the cloud.”

      This statement describes a common method for detecting malware that relies on reputation databases, which may be stored locally on a firewall or accessed from the cloud. These databases contain information about known malware signatures, URLs, IP addresses, and other attributes associated with malicious activity. When network traffic is analyzed by the firewall, it can check these attributes against the reputation databases to identify potential malware.

      The other statements have the following issues:

      • “Using virus signature files locally on the firewall, it will detect incorrect MD5 file hashes.”
        • While virus signature files are used to detect known malware, the statement about detecting “incorrect MD5 file hashes” is misleading. Malware detection does not typically focus on the correctness of an MD5 hash but rather on whether the hash matches a known malware signature.
      • “The firewall applies broad-based application and file control policies to detect malware.”
        • This statement is somewhat true; however, it’s a general description of what a firewall might do and does not specifically describe the mechanism of malware detection. Application and file control policies are part of the process but do not directly explain how malware is identified.
      • “IDS signature files that are located on the firewall are used to detect the presence of malware.”
        • Intrusion Detection System (IDS) signature files are indeed used to detect a variety of threats, including malware. However, they are generally part of a broader intrusion detection approach rather than a specific malware protection feature.
      • “Malware can be detected and stopped by using ACLs and the modular policy framework within the firewall appliance.”
        • Access Control Lists (ACLs) and modular policy frameworks are used to enforce security policies and control traffic. While they can be configured to block traffic from known malicious sources, they are not inherently capable of detecting malware, which typically requires more sophisticated analysis such as signature or behavior-based detection.

  5. Which access control model originates from the military and uses security labels?

    • access control list
    • discretionary access control
    • mandatory access control
    • role-based access control

      Explanation & Hint:

      The access control model that originates from the military and uses security labels is Mandatory Access Control (MAC). In MAC systems, access decisions are based on security labels, which include classifications (such as top secret, secret, confidential) and categories (that represent sensitivity to certain subjects, like nuclear, military, financial). The system enforces access controls based on these labels, and users cannot change the labels or access controls at their discretion. This model is known for its strictness and is commonly used in environments that require a high level of security.

  6. Which one of the following commands is required on an interface in order to apply an ACL as a packet filter?

    • access-class
    • ip access-group
    • ip access-list
    • <SGA group id>

      Explanation & Hint:

      To apply an Access Control List (ACL) as a packet filter on an interface of a network device such as a router or switch, the command used is:

      ip access-group

      This command is followed by the name or number of the access list and the direction of traffic to be filtered (inbound or outbound). For example:

      ip access-group 101 in

      This would apply the ACL numbered 101 to incoming traffic on the interface where the command is entered.

  7. How can the established keyword in an ACL entry be used?

    • to permit only the returning TCP packets from an already existing TCP connection, and deny the initial TCP packet of a new session from an untrusted network
    • to permit both the initial TCP packet of a new session and the returning TCP packets from an existing TCP connection
    • to permit only the initial TCP packet of a new session
    • to change a router into a true stateful firewall controlling the access on a session-by-session basis

      Explanation & Hint:

      The established keyword in an Access Control List (ACL) entry can be used:

      To permit only the returning TCP packets from an already existing TCP connection, and deny the initial TCP packet of a new session from an untrusted network.

      This keyword is used in extended ACLs to allow return traffic from outside to inside on TCP connections that were initiated from the inside. It checks for the ACK or RST bits in the TCP header to be set, which are typically set in packets that are part of an existing connection, rather than packets that are trying to initiate a new connection.
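To make the permit/deny outcome of questions 6 and 7 concrete, here is an added example (not part of the CBROPS assessment and not Cisco code): a toy evaluator for a constructed extended ACL that would be applied with `ip access-group 101 in` on the untrusted interface. It mirrors the behaviour described above: an `established` entry matches a TCP segment only when the ACK or RST bit is set. The addresses (192.0.2.0/24 as the inside network, 198.51.100.0/24 as the outside) and the packets are constructed for the demonstration.

```python
"""Toy evaluator for an extended ACL that uses the `established` keyword.

Added example, not part of the assessment or of Cisco IOS: it reproduces the
documented matching rule (ACK or RST set) so each verdict can be traced by
hand. ACL lines, addresses and packets are constructed; 192.0.2.0/24 plays
the inside network and 198.51.100.0/24 the untrusted outside.
"""
from dataclasses import dataclass
import ipaddress

# TCP flag bits as they appear in the TCP header flags byte.
SYN, RST, ACK = 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp", "udp" or "icmp"
    flags: int = 0    # TCP flag bits; 0 for non-TCP packets


# Constructed ACL in running-config syntax, intended for `ip access-group 101 in`
# on the outside interface. The second line only makes the implicit deny visible.
ACL_101 = """
access-list 101 permit tcp any 192.0.2.0 0.0.0.255 established
access-list 101 deny ip any any
"""


def _parse_addr(tok, i):
    """Parse one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(tok[i + 1] + "/32"), i + 2
    # Cisco wildcard masks are inverted subnet masks: 0.0.0.255 -> 255.255.255.0
    wildcard = int(ipaddress.IPv4Address(tok[i + 1]))
    netmask = str(ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF))
    return ipaddress.IPv4Network((tok[i], netmask), strict=False), i + 2


def parse_acl(text):
    """Return a list of (action, proto, src_net, dst_net, established) entries."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:1] != ["access-list"]:
            continue
        action, proto = tok[2], tok[3]
        src, i = _parse_addr(tok, 4)
        dst, i = _parse_addr(tok, i)
        entries.append((action, proto, src, dst, "established" in tok[i:]))
    return entries


def evaluate(entries, pkt):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, proto, src, dst, established in entries:
        if proto != "ip" and proto != pkt.proto:
            continue
        if ipaddress.IPv4Address(pkt.src) not in src:
            continue
        if ipaddress.IPv4Address(pkt.dst) not in dst:
            continue
        # `established` inspects flag bits only: the segment must carry ACK or RST.
        if established and not pkt.flags & (ACK | RST):
            continue
        return action
    return "deny"


def demo():
    acl = parse_acl(ACL_101)
    inside, outside = "192.0.2.10", "198.51.100.7"
    # Constructed inbound packets arriving from the untrusted side.
    new_session = Packet(outside, inside, "tcp", SYN)           # initial SYN of a new session
    return_synack = Packet(outside, inside, "tcp", SYN | ACK)   # reply to an inside-initiated SYN
    return_data = Packet(outside, inside, "tcp", ACK)           # data segment of an existing session
    udp_probe = Packet(outside, inside, "udp")
    return {
        "initial SYN from outside": evaluate(acl, new_session),
        "SYN-ACK returning to inside": evaluate(acl, return_synack),
        "ACK segment returning to inside": evaluate(acl, return_data),
        "UDP from outside": evaluate(acl, udp_probe),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:35s} -> {verdict}")
```

The evaluator never consults a connection table: it decides from the flag bits of each packet in isolation. That is exactly why the fourth option in question 7 is wrong; `established` is a stateless filter, and a router using it does not become a stateful firewall.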

  8. Which three types of devices can do network address translation (NAT)? (Choose three.)

    • routers
    • Layer 3 switches
    • bridges
    • wireless access points
    • firewalls

      Explanation & Hint:

      The three types of devices that can perform Network Address Translation (NAT) are:

      1. Routers: Routers are commonly used to perform NAT. They are capable of translating the internal private addresses of a network to a single public address or a pool of public addresses for use on the internet, conserving public IP addresses and adding a layer of security.

      2. Layer 3 Switches: Layer 3 switches, or multilayer switches, have the capability to perform routing functions in addition to switching. They can perform NAT by routing between VLANs (Virtual Local Area Networks) and translating IP addresses as a router would.

      3. Firewalls: Firewalls often incorporate NAT functionality. They use NAT to mask the internal IP addresses of the network from external networks for security purposes, typically during the process of filtering incoming and outgoing traffic.

      Bridges and wireless access points typically do not perform NAT. Bridges operate at the data link layer and are used to divide network segments, while wireless access points provide network access to wireless devices but usually rely on a router or firewall to perform NAT.

  9. What best describes an amplification attack?

    • A low volume of bad music is played progressively louder to the point that it becomes unbearable for people to listen to it.
    • A small forged packet elicits a large reply from the reflectors.
    • A small radio signal is initially weak and eventually increases the signal strength so that wireless devices will attach to it instead of the legitimate AP.
    • There is no such attack that is called an amplification attack.

      Explanation & Hint:

      An amplification attack in the context of network security is best described as:

      A small forged packet elicits a large reply from the reflectors.

      This type of attack is a form of a Distributed Denial of Service (DDoS) attack, where an attacker sends small queries to vulnerable servers that are configured to send much larger responses to the target of the attack. The difference in request size and response size is referred to as the amplification factor. The attacker spoofs the source IP address in the query packets to be the target’s address, so the server’s large responses flood the target, potentially overwhelming its network resources.

  10. What two types of attacks are examples of ICMP DoS attacks? (Choose two.)

    • smurf attack
    • blooming onion attack
    • ping of death attack
    • DHCP depletion attack

      Explanation & Hint:

      Two types of attacks that are examples of ICMP (Internet Control Message Protocol) DoS (Denial of Service) attacks are:

      1. Smurf Attack

        • In a Smurf attack, an attacker sends a large number of ICMP echo request (ping) packets with a spoofed source IP address (which is the intended victim’s address) to a network’s broadcast address. All the devices on the network respond to this broadcast, thereby flooding the victim with traffic.
      2. Ping of Death Attack

        • A Ping of Death attack involves sending malicious pings to a system. Historically, this attack involved sending an ICMP echo request packet that exceeds the maximum allowed size, causing overflow errors in the target’s TCP/IP stack, leading to a crash or reboot.

      The other options listed are not ICMP-based attacks:

      • Blooming Onion Attack: This is not a recognized or standard term for an ICMP-based attack or any known network attack.
      • DHCP Depletion Attack: This is an attack on the DHCP (Dynamic Host Configuration Protocol) service where an attacker sends numerous DHCP requests with spoofed MAC addresses to exhaust the address space available from the DHCP server, preventing legitimate clients from obtaining an IP address. This is not related to ICMP.

  11. Which part of the UDP header would attackers replace if they change the data payload to prevent the receiver from identifying the change?

    • source port
    • destination port
    • UDP length
    • UDP port
    • UDP checksum

      Explanation & Hint:

      If attackers change the data payload in a UDP (User Datagram Protocol) packet and want to prevent the receiver from identifying the change, they would need to alter the UDP checksum. The UDP checksum is a field in the UDP header that provides a basic level of integrity checking. If the data payload is altered, the checksum would need to be recalculated and replaced in the packet to match the altered data. If not done correctly, the receiver would notice a mismatch between the expected checksum and the checksum of the received packet, indicating that the data has been tampered with.
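The checksum mismatch described above can be reproduced in code. The following added example (not from the assessment) computes the UDP checksum as RFC 768 specifies it, over the IPv4 pseudo-header plus the UDP header and payload, and then shows that a payload change without a matching checksum rewrite is detected by the receiver, while a change with a recomputed checksum is not. Addresses, ports and payload are constructed; nothing is sent on the wire.

```python
"""Compute and verify the UDP checksum (RFC 768) over a constructed datagram.

Added example, not from the assessment: it demonstrates why a payload change
must be accompanied by a rewritten checksum field, and why the checksum is an
error-detection code rather than an integrity control. All values are
constructed; nothing is transmitted.
"""
import struct

UDP_PROTOCOL = 17


def _ones_complement_sum(data: bytes) -> int:
    """Sum 16-bit big-endian words with end-around carry (RFC 1071 style)."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length data with a zero byte
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus the UDP header and payload."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, UDP_PROTOCOL, len(segment))
    zeroed = segment[:6] + b"\x00\x00" + segment[8:]   # checksum field counts as zero
    csum = 0xFFFF ^ _ones_complement_sum(pseudo + zeroed)
    return csum or 0xFFFF    # a computed zero is transmitted as all ones


def build_udp(src_ip, dst_ip, sport, dport, payload):
    """Assemble a UDP segment carrying a correct checksum."""
    header = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    csum = udp_checksum(src_ip, dst_ip, header + payload)
    return header[:6] + struct.pack("!H", csum) + payload


def verify_udp(src_ip, dst_ip, segment) -> bool:
    """True when the stored checksum matches the data (zero means 'not used' on IPv4)."""
    stored = struct.unpack("!H", segment[6:8])[0]
    if stored == 0:
        return True
    return udp_checksum(src_ip, dst_ip, segment) == stored


def replace_payload(src_ip, dst_ip, segment, new_payload, recompute):
    """Swap the payload; with recompute=False the old checksum is left in place."""
    sport, dport, _, old = struct.unpack("!HHHH", segment[:8])
    header = struct.pack("!HHHH", sport, dport, 8 + len(new_payload), old)
    seg = header + new_payload
    if recompute:
        csum = udp_checksum(src_ip, dst_ip, seg)
        seg = seg[:6] + struct.pack("!H", csum) + seg[8:]
    return seg


def demo():
    # Constructed addresses from the documentation ranges and a dummy payload.
    src = bytes([192, 0, 2, 10])
    dst = bytes([198, 51, 100, 53])
    original = build_udp(src, dst, 40000, 53, b"hello")
    changed_only = replace_payload(src, dst, original, b"hellX", recompute=False)
    changed_fixed = replace_payload(src, dst, original, b"hellX", recompute=True)
    return (
        verify_udp(src, dst, original),        # intact datagram verifies
        verify_udp(src, dst, changed_only),    # payload changed, checksum stale: mismatch
        verify_udp(src, dst, changed_fixed),   # checksum recomputed: receiver sees nothing
    )


if __name__ == "__main__":
    print(demo())
```

The third result is the practical lesson: the UDP checksum only protects against accidental corruption, because anyone able to modify the datagram can recompute it. Detecting deliberate modification requires a keyed integrity check above UDP (for example in DTLS or IPsec), which the question's choice of "checksum" as the answer implicitly assumes is absent.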

  12. What type of IP attack occurs when an attacker inserts itself into a communication session and then takes over the session?

    • MAC address flooding attack
    • session hijacking
    • DHCP depletion attack
    • DoS attack

      Explanation & Hint:

      The type of IP attack where an attacker inserts itself into a communication session and then takes over the session is known as session hijacking. This attack involves the exploitation of a valid computer session to gain unauthorized access to information or services in a computer system. The attacker takes control of a session between two machines to intercept and potentially modify the data being exchanged.

  13. A ping attack that exploits the broadcast IP address in a subnet is referred to as what type of attack?

    • red rat
    • fraggle
    • smurf
    • SYN flood
    • firewalk

      Explanation & Hint:

      A ping attack that exploits the broadcast IP address in a subnet is referred to as a smurf attack. This type of distributed denial of service (DDoS) attack involves sending a large number of ICMP (Internet Control Message Protocol) echo request packets to the IP broadcast address of a network, with the intention of overwhelming the network or a specific device within the network with traffic.

  14. What type of spoofing attack uses fake source IP addresses that are different than their real IP addresses?

    • MAC spoofing
    • IP spoofing
    • application spoofing
    • name spoofing

      Explanation & Hint:

      The type of spoofing attack that uses fake source IP addresses that are different from their real IP addresses is known as IP spoofing. In this type of attack, the attacker sends packets from a false source IP address, with the intent of concealing their identity, impersonating another computing system, or both.

  15. What phase of the TCP communication process is attacked during a TCP SYN flood attack?

    • three-way handshake
    • connection established
    • connection closed
    • connection reset

      Explanation & Hint:

      A TCP SYN flood attack targets the three-way handshake phase of the TCP communication process. This attack involves an attacker sending a flood of TCP/SYN packets, often with a spoofed source IP address, to the target’s port. The server responds to each connection request with a SYN-ACK packet, and then waits for a confirming ACK response, which never comes. This can exhaust the server’s connection table, which is typically limited in size, and prevent legitimate connections from being established.

  16. Which protocol or diagnostic tool helps you determine how many hops away a network is and can be exploited by an attacker?

    • SSH
    • traceroute
    • ping
    • TCP

      Explanation & Hint:

      The protocol or diagnostic tool that helps determine how many hops away a network is and can be exploited by an attacker is traceroute. Traceroute is a network diagnostic tool used to track the pathway that a packet of information takes from its source to its destination. It reports the IP addresses of all the routers it passes through until it reaches its destination, or fails to and is discarded. Each router represents a hop in the journey of the packet. Traceroute can be exploited by an attacker to gather information about network topology and the presence of routers and firewalls.

  17. What is an example of a reconnaissance attack tool that will cycle through all well-known ports to provide a complete list of all services that are running on the hosts?

    • Netuse
    • ipconfig
    • NMAP
    • show run

      Explanation & Hint:

      An example of a reconnaissance attack tool that cycles through all well-known ports to provide a complete list of all services running on the hosts is NMAP (Network Mapper). NMAP is a powerful and versatile port scanner used for network discovery and security auditing. It can be used by network administrators to identify what devices are running on their networks, discovering hosts that are available and the services they offer, finding open ports, and detecting security risks. It is also commonly used by attackers for reconnaissance purposes to find potential vulnerabilities.

  18. What type of attack occurs when an attacker sends a flood of protocol request packets to various IP hosts and the attacker spoofs the source IP address of the packets, such that each packet has the IP address of the intended target rather than the IP address of the attacker as its source address?

    • reflection attack
    • amplification attack
    • MITM attack
    • Trojan virus ARP

      Explanation & Hint:

      The type of attack described is known as a reflection attack. In a reflection attack, the attacker sends packets to a network’s IP broadcast address using a forged source IP address (which is the victim’s IP address). The systems on the network then respond to this address, flooding the victim with traffic. This can be combined with amplification if the reply packets are larger than the request packets, significantly multiplying the volume of data sent to the victim.

  19. Which two of the following statements are true regarding early TCP/IP development? (Choose two.)

    • TCP/IP was the only network protocol suite available and was developed for internetwork environments.
    • The focus was on solving the technical challenges of moving information quickly and reliably, not to secure it.
    • The model was developed as a flexible, fault-tolerant set of protocols.
    • The design and architecture of TCP/IP have not changed since its adoption in the early 1970s.

      Explanation & Hint:

      The two statements that are true regarding early TCP/IP development are:

      1. The focus was on solving the technical challenges of moving information quickly and reliably, not to secure it.

        • Early development of TCP/IP was indeed centered on creating a robust and efficient method for transmitting data across diverse networks. Security was not a primary consideration at the time.
      2. The model was developed as a flexible, fault-tolerant set of protocols.

        • The TCP/IP model was designed to be flexible and resilient, capable of rerouting traffic around failed nodes and continuing communication even in adverse conditions, which was a key feature that contributed to its widespread adoption.

      The other statements are incorrect:

      • TCP/IP was the only network protocol suite available and was developed for internetwork environments.

        • This statement is false because TCP/IP was not the only network protocol suite available at the time. There were other competing protocols, such as the OSI (Open Systems Interconnection) model and proprietary protocols like IPX/SPX used by Novell NetWare, among others.
      • The design and architecture of TCP/IP have not changed since its adoption in the early 1970s.

        • This statement is also false. The design and architecture of TCP/IP have undergone significant evolution since the early days to support the explosive growth of network scale, address security concerns, and enable new applications. Although the fundamental principles remain, many aspects have been updated and new standards have been developed.

  20. What best describes an attack surface?

    • a way to classify which tools were used in an attack
    • the sum of the different points (attack vectors) in a given computing device or network that are accessible to an unauthorized user (attacker)
    • the people who are involved in protecting the network perimeter
    • only describes the data that is gathered about an attack

      Explanation & Hint:

      The term “attack surface” refers to:

      The sum of the different points (attack vectors) in a given computing device or network that are accessible to an unauthorized user (attacker).

      An attack surface encompasses all the possible entry points through which an attacker can gain unauthorized access to a system to extract data or execute commands. It includes all the exposed and potentially vulnerable spots in the software, hardware, and network environments. The goal of security is often to minimize the attack surface to reduce the risk of unauthorized access.

  21. What type of attack occurs when the attacker spoofs the IP address of the victim, sending a continuous stream of small requests, which produce a continuous stream of much larger replies that are to be sent to the victim’s IP address?

    • reflection attack
    • amplification attack
    • MITM attack
    • Trojan virus

      Explanation & Hint:

      The type of attack you’re describing is known as an amplification attack. This is a form of a reflection attack that is characterized by the attacker sending small queries to vulnerable servers configured to send much larger responses to the spoofed IP address of the victim. This results in the victim receiving a much larger amount of data than the attacker originally sends, thereby amplifying the volume of traffic directed at the victim, which can lead to a denial of service.

  22. What two are examples of UDP-based attacks? (Choose two.)

    • SYN flood
    • SQL slammer
    • UDP flooding
    • MAC address flooding

      Explanation & Hint:

      Two examples of UDP (User Datagram Protocol) based attacks are:

      1. SQL Slammer

        • SQL Slammer is a famous worm that caused a widespread denial of service on the internet in January 2003. It spread rapidly by generating random IP addresses and sending itself to those addresses using the UDP protocol on port 1434 (the default port for Microsoft SQL Server).
      2. UDP Flooding

        • UDP flooding is a type of denial of service attack where the attacker overwhelms random ports on the targeted host with IP packets containing UDP datagrams. The host checks for the application listening at that port; when it finds none, it will respond with a ‘destination unreachable’ packet. This process can saturate the network and the resources of the host, leading to denial of service.

  23. What best describes an attack vector?

    • the resolution of an attack
    • a path, method, or route by which an attack was carried out
    • the result of, or damage from, an attack
    • the last stage of the attack continuum

      Explanation & Hint:

      An attack vector is best described as:

      A path, method, or route by which an attack is carried out.

      It refers to the means by which an attacker can gain access to a computer or network server in order to deliver a payload or malicious outcome. Attack vectors enable attackers to exploit system vulnerabilities, including the human element.

  24. Which two are software vulnerability scanners? (Choose two.)

    • VmStat
    • Nessus
    • fingerprint
    • OpenVAS

      Explanation & Hint:

      Two examples of software vulnerability scanners are:

      1. Nessus

        • Nessus is a widely known and used vulnerability scanner, designed to detect vulnerabilities, misconfigurations, and potential risks in network systems, and it can also evaluate compliance with various security frameworks.
      2. OpenVAS (Open Vulnerability Assessment Scanner)

        • OpenVAS is an open-source framework consisting of several services and tools offering comprehensive and powerful vulnerability scanning and vulnerability management capabilities.

      VmStat is a performance monitoring utility for Unix/Linux systems, not a vulnerability scanner. “Fingerprint” could refer to various types of fingerprinting (like digital or network fingerprinting), which is a technique used to identify certain characteristics of a system or user, but it is not the name of a specific vulnerability scanner.

  25. Which two attacks can be caused by a rogue DHCP server? (Choose two.)

    • Trojan virus
    • Compromised-Key
    • DoS
    • TCP SYN flood
    • MITM

      Explanation & Hint:

      Two attacks that can be caused by a rogue DHCP server are:

      1. DoS (Denial of Service)

        • A rogue DHCP server can issue incorrect IP configurations or exhaust the IP address space of a legitimate DHCP server, preventing legitimate network clients from obtaining the correct IP configuration and thus denying them service.
      2. MITM (Man-in-the-Middle)

        • By posing as a legitimate DHCP server, a rogue server can provide false IP configurations, including DNS and default gateway settings, to direct a client’s traffic through an attacker-controlled device. This allows the attacker to intercept, monitor, or alter the client’s network traffic.

  26. What best describes a DoS attack?

    • attempts to consume all of a critical computer or network resource in order to make it unavailable for valid use
    • poses as legitimate software or email attachment in order to launch a malicious attack when opened
    • can steal data such as user names and passwords without the user realizing that they have been compromised
    • rarely seen because DoS attacks are extremely difficult to engineer and almost impossible to deliver

      Explanation & Hint:

      A DoS (Denial of Service) attack is best described as:

      Attempts to consume all of a critical computer or network resource in order to make it unavailable for valid use.

      In a DoS attack, the attacker typically floods a target system or network with an overwhelming amount of traffic, which exhausts the target’s resources, such as bandwidth, computing power, or network connectivity, leading to service disruption for legitimate users.

  27. What is checked when the Snort engine starts up?

    • Snort log files for any Snort processes errors.
    • Syntax of all the Snort rules in the Snort rules file.
    • Version of the Snort rules.
    • Snort license is valid.

      Explanation & Hint:

      When the Snort engine starts up, it checks:

      The syntax of all the Snort rules in the Snort rules file.

      Snort parses the rule files to ensure that the rules are correctly written and can be understood by the engine. Syntax errors in the rules file can prevent Snort from starting or from correctly detecting the network traffic patterns it is supposed to monitor. While Snort may perform other checks during startup, the syntax of the rules is a fundamental part of the initialization process to ensure that it can operate correctly.
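The kind of check Snort performs at startup can be illustrated with a simplified validator. The following added example is not Snort's own parser: it checks the parts of rule syntax that most often stop an engine from loading a ruleset (a seven-field header, a recognised action, protocol and direction, parenthesised options each terminated by `;`, and the presence of `msg` and `sid`) and reports problems per line instead of refusing the whole file silently. The ruleset it runs over is constructed for the demonstration.

```python
"""Simplified syntax check for Snort-style rules, run before a ruleset is loaded.

Added example, not Snort's parser: it validates the rule header and the
option block well enough to catch the usual mistakes that break a startup.
The sample ruleset is constructed; line 1 is well formed and each later line
carries exactly one defect.
"""
import re

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
DIRECTIONS = {"->", "<>"}

# Split the option block on ';' except where the ';' sits inside a double-quoted value.
_OPTION_SPLIT = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')


def check_rule(rule: str) -> list:
    """Return the problems found in one rule; an empty list means it is accepted."""
    rule = rule.strip()
    if not rule or rule.startswith("#"):
        return []                      # blank line or comment
    if not rule.endswith(")") or "(" not in rule:
        return ["options must be enclosed in parentheses at the end of the rule"]
    header, _, options = rule[:-1].partition("(")
    fields = header.split()
    if len(fields) != 7:
        return [f"header must have 7 fields (action proto src sport dir dst dport), found {len(fields)}"]
    action, proto, _src, _sport, direction, _dst, _dport = fields
    problems = []
    if action not in ACTIONS:
        problems.append(f"unknown action '{action}'")
    if proto not in PROTOCOLS:
        problems.append(f"unknown protocol '{proto}'")
    if direction not in DIRECTIONS:
        problems.append(f"unknown direction '{direction}'")
    if not options.rstrip().endswith(";"):
        problems.append("every option, including the last, must end with ';'")
    keys = {part.split(":", 1)[0].strip()
            for part in _OPTION_SPLIT.split(options) if part.strip()}
    for required in ("msg", "sid"):
        if required not in keys:
            problems.append(f"missing required option '{required}'")
    return problems


def check_ruleset(text: str) -> dict:
    """Map 1-based line numbers to their problems; only offending lines appear."""
    report = {}
    for number, line in enumerate(text.splitlines(), start=1):
        problems = check_rule(line)
        if problems:
            report[number] = problems
    return report


# Constructed ruleset: line 1 is valid, lines 2-5 each contain one defect.
SAMPLE_RULES = """\
alert tcp any any -> 192.0.2.0/24 80 (msg:"HTTP GET observed"; content:"GET"; sid:1000001; rev:1;)
alert tcp any any -> any 22 (msg:"SSH banner; with semicolon"; content:"SSH-"; rev:1;)
alert udp any any => any 53 (msg:"bad direction"; sid:1000002;)
alert tcp any -> any 443 (msg:"missing a field"; sid:1000003;)
alert icmp any any -> any any (msg:"unterminated"; sid:1000004)
"""

if __name__ == "__main__":
    for number, problems in check_ruleset(SAMPLE_RULES).items():
        print(f"line {number}: " + "; ".join(problems))
```

Running such a check in a pre-deployment pipeline catches the errors before they reach the sensor, where a single malformed rule would otherwise keep the engine from starting and leave the segment unmonitored.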

  28. Which statement is true regarding Cisco Cloud-Delivered Firewall?

    • Cisco Cloud-Delivered Firewall is supported by constructing a GRE tunnel between the on-premise network device and the Cisco Umbrella cloud.
    • Cisco Cloud-Delivered Firewall is supported by constructing an IPsec tunnel between the on-premise network device and the Cisco Umbrella cloud.
    • Cisco Cloud-Delivered Firewall only supports layer 3/4 inspections.
    • Cisco Cloud-Delivered Firewall requires the Umbrella Roaming Clients.

      Explanation & Hint:

      The statement that is true regarding Cisco Cloud-Delivered Firewall is:

      Cisco Cloud-Delivered Firewall is supported by constructing an IPsec tunnel between the on-premise network device and the Cisco Umbrella cloud.

      Cisco Umbrella’s Cloud-Delivered Firewall secures internet access by creating an IPsec tunnel from the customer’s network to the Cisco Umbrella cloud infrastructure. This allows for the inspection and filtering of traffic without the need for additional hardware or complex manual configurations. It’s part of a broader suite of security services offered by Cisco Umbrella.

  29. Which two of the following are true statements about the Snort detection system? (Choose two.)

    • Source code became proprietary after the Cisco acquisition.
    • It is an anomaly-based intrusion system.
    • The Base Ruleset is updated automatically and in real-time.
    • Snort is a signature-based intrusion detection system.
    • The NIDS mode of operation is the only mode that provides intrusion prevention functionality.

      Explanation & Hint:

      Two true statements about the Snort detection system are:

      1. Snort is a signature-based intrusion detection system.

        • Snort is widely known as a signature-based intrusion detection system (IDS), which means it uses predefined signatures of known threats to identify malicious activity. This allows Snort to detect and potentially prevent intrusions by looking for specific patterns or anomalies that match these signatures.
      2. The Base Ruleset is updated automatically and in real-time.

        • While Snort rule updates are not necessarily in real-time, the base ruleset can be configured to update automatically. Users can subscribe to the Snort rule feed for regular updates, which are then applied to their Snort installation to maintain up-to-date detection capabilities.

      The other statements are not accurate:

      • Source code became proprietary after the Cisco acquisition.

        • This statement is false; the source code for Snort remained open source after Cisco’s acquisition. Cisco has continued to support the Snort community with updates and new versions of the software.
      • It is an anomaly-based intrusion system.

        • Snort is primarily known as a signature-based IDS, not an anomaly-based IDS. Anomaly-based systems typically use machine learning or statistical analysis to identify threats, which is different from Snort’s approach.
      • The NIDS mode of operation is the only mode that provides intrusion prevention functionality.

        • This statement is misleading. Snort can be configured in various modes, including as a Network Intrusion Detection System (NIDS) or an Inline Intrusion Prevention System (IPS). When deployed inline and with the appropriate response configurations, it can block traffic, providing intrusion prevention capabilities.

  30. Which three of the following are major categories of Snort rule options? (Choose three.)

    • General
    • Payload
    • Protocol
    • Operator
    • Postdetection

      Explanation & Hint:

      The major categories of Snort rule options can be understood as the types of detection capabilities they provide within Snort rules. While the specific terminology like “General,” “Operator,” or “Postdetection” isn’t standard for categorizing Snort rule options, here are three important categories that align more closely with how Snort rules are typically discussed:

      1. Payload Options: These options inspect the payload of packets for specific content. They allow you to set criteria based on the data within the packet, such as specific byte sequences, regular expressions, and more.

      2. Header Options: Not explicitly listed in your options, but header options are crucial and refer to the inspection of the IP, TCP, UDP, and ICMP headers. This includes options that specify source and destination IP addresses, source and destination ports, and more.

      3. Non-Payload Options: Also not listed but significant, these options inspect attributes of the packet other than the payload. They include options to check for fragmentation, IP options, and certain protocol-specific characteristics.

      The term “Protocol” might refer to the protocol-specific options, but it is not a major category by itself in the context of Snort rules. “General” and “Postdetection” do not directly correspond to Snort rule categories. “Operator” is not a Snort category either; it could refer to the specific operations used within Snort rule options, such as match operators.

      In Snort, rule options are typically categorized into what they inspect or the type of action they perform, such as alerting, logging, or modifying packets.
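      Questions 27 and 30 both come down to how Snort reads its rules file: each rule is a header (action, protocol, addresses, ports, direction) followed by a parenthesised, semicolon-separated option list, and the Snort 2.9 manual groups those options as general, payload, non-payload and post-detection. The Python script below is an added example for this page, not Snort's own parser or any Cisco material. It checks constructed sample rules for the kinds of mistakes that stop the engine at startup (unbalanced parentheses or quotes, an unknown action, a content modifier with no preceding content, a missing sid) and tags the options of each accepted rule with its manual category. The keyword lists are abridged and the sample rules are constructed for the example.

```python
"""Minimal Snort 2 rule checker (added example, not Snort's own parser): flags syntax errors
that would stop the engine at startup and tags options by the Snort 2.9 manual's categories."""
from dataclasses import dataclass, field

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
DIRECTIONS = {"->", "<>"}
CATEGORIES = {  # abridged keyword lists, grouped as the Snort 2.9 manual groups them
    "general": {"msg", "reference", "gid", "sid", "rev", "classtype", "priority", "metadata"},
    "payload": {"content", "nocase", "rawbytes", "depth", "offset", "distance", "within",
                "http_uri", "http_header", "http_method", "uricontent", "pcre", "byte_test"},
    "non-payload": {"fragoffset", "ttl", "tos", "id", "ipopts", "fragbits", "dsize", "flags",
                    "flow", "flowbits", "seq", "ack", "window", "itype", "icode", "ip_proto"},
    "post-detection": {"logto", "session", "resp", "react", "tag", "activates", "activated_by",
                       "count", "replace", "detection_filter"},
}
KEYWORD_CATEGORY = {kw: cat for cat, kws in CATEGORIES.items() for kw in kws}
CONTENT_MODIFIERS = {"nocase", "rawbytes", "depth", "offset", "distance", "within"}  # need a prior content


@dataclass
class RuleCheck:
    raw: str
    options: list = field(default_factory=list)  # (keyword, value or None), in rule order
    errors: list = field(default_factory=list)   # empty when the rule would load

    def by_category(self):
        out = {cat: [] for cat in CATEGORIES}
        for kw, _ in self.options:
            if kw in KEYWORD_CATEGORY:
                out[KEYWORD_CATEGORY[kw]].append(kw)
        return out


def split_options(body, errors):
    """Split 'k:v; k2; ...' on semicolons that are neither quoted nor backslash-escaped."""
    items, buf, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            items.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    if in_quote:
        errors.append("unterminated quoted string in rule options")
    if "".join(buf).strip():
        errors.append("last option is not terminated by ';'")
    return [item for item in items if item]


def check_rule(line):
    rc = RuleCheck(raw=line)
    start, end = line.find("("), line.rfind(")")
    if start == -1 or end < start or line[end + 1:].strip():
        rc.errors.append("rule options must be enclosed in '(' ... ')' ending the rule")
        return rc
    fields = line[:start].split()
    if len(fields) != 7:
        rc.errors.append(f"header needs 7 fields (action proto src sport dir dst dport), got {len(fields)}")
        return rc
    for value, allowed, what in ((fields[0], ACTIONS, "rule action"), (fields[1], PROTOCOLS, "protocol"),
                                 (fields[4], DIRECTIONS, "direction operator")):
        if value not in allowed:
            rc.errors.append(f"unknown {what} {value!r}")
    seen_content = False
    for item in split_options(line[start + 1:end], rc.errors):
        kw, _, val = (part.strip() for part in item.partition(":"))
        rc.options.append((kw, val or None))
        if kw not in KEYWORD_CATEGORY:
            rc.errors.append(f"unknown option keyword {kw!r}")
        elif kw in ("content", "uricontent"):
            seen_content = True
        elif kw in CONTENT_MODIFIERS and not seen_content:
            rc.errors.append(f"{kw!r} appears before any content match")
    if not any(kw == "sid" for kw, _ in rc.options):
        rc.errors.append("missing sid (every rule needs a signature id)")
    return rc


def check_rules_file(text):  # blank lines and '#' comments are skipped, as in a rules file
    return [check_rule(ln.strip()) for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


SAMPLE_RULES = r"""
# constructed sample rules: rule 1 is well formed, rules 2-4 each carry a startup-breaking mistake
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB admin path probe"; flow:to_server,established; content:"GET"; nocase; http_method; pcre:"/\/admin/i"; classtype:web-application-attack; sid:1000001; rev:1;)
alert tcp any any -> any 22 (msg:"SSH banner"; nocase; content:"SSH-"; rev:1;)
alert udp any any -> any 53 (msg:"DNS query"; content:"|00 01|"; sid:1000003; rev:1
alart tcp any any -> any 443 (msg:"typo in action"; sid:1000004; rev:1;)
"""

if __name__ == "__main__":
    for rc in check_rules_file(SAMPLE_RULES):
        print("OK " if not rc.errors else "ERR", rc.raw[:40], rc.errors or rc.by_category())
```

      Running the file prints one line per rule: the first rule loads cleanly and the other three each report why they would not. A real Snort startup does considerably more (variable expansion, preprocessor and plugin checks, validation of each option's arguments), so a rule this script accepts can still be rejected by the engine.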

  31. Which Cisco Umbrella feature provides content filtering by category or specific URLs to block destinations that violate policies or compliance regulations?

    • DNS Layer Security (DLS)
    • Cloud Access Security Broker (CASB)
    • Secure Web Gateway (SWG)
    • Cloud Delivered Firewall (CDFW)
    • Applications Firewall (AFW)

      Explanation & Hint:

      The Cisco Umbrella feature that provides content filtering by category or specific URLs to block destinations that violate policies or compliance regulations is:

      Secure Web Gateway (SWG)

      Cisco Umbrella’s Secure Web Gateway has the capability to filter content on the web and enforce policies by categorizing URLs and applying rules that align with an organization’s policies or compliance requirements. It can block or allow access to websites based on these categories or lists of specific URLs.

  32. You are currently configuring and tuning a new IPS on your development network. You have confirmed that traffic to and from the internet is being inspected by the IPS, but traffic between the local LAN segments is not being inspected by the IPS. What could be the problem?

    • You neglected to enable some of the Snort rules.
    • You neglected to enable anomaly-based processing.
    • You placed the IPS on a network segment that has no access to the traffic between the local LAN segments.
    • You placed the IPS in detection mode instead of prevention mode.

      Explanation & Hint:

      The issue you’re experiencing is likely due to the placement of the IPS:

      You placed the IPS on a network segment that has no access to the traffic between the local LAN segments.

      An Intrusion Prevention System (IPS) needs to be positioned such that it can analyze the traffic it is meant to inspect. If the IPS is only placed in the path of traffic to and from the internet, it will not be able to see or inspect the traffic that is strictly local to the LAN, which often doesn’t need to pass through the gateway where the IPS might be located. To rectify this, you need to ensure that the IPS is also inline with the internal traffic you wish to monitor or that it has access to mirrored traffic from those segments.

  33. Which statement is correct about the Cisco Secure Firewall Threat Defense IPS functionality?

    • Can be deployed as an IDS or IPS.
    • Can drop malicious packets when deployed in IDS mode.
    • Can only be deployed inline.
    • Can analyze traffic only at layer 3 and layer 4.

      Explanation & Hint:

      The correct statement about the Cisco Secure Firewall Threat Defense IPS functionality is:

      Can be deployed as an IDS or IPS.

      Cisco’s Secure Firewall Threat Defense can be configured to run as an Intrusion Detection System (IDS) or as an Intrusion Prevention System (IPS). In IDS mode, it monitors network traffic and generates alerts on suspicious activities, while in IPS mode, it is deployed inline and can actively block or prevent those threats from carrying out potentially harmful activities.
