Guide to Network Defense and Countermeasures 3e Randy Weaver Dawn Weaver Dean Farwood


  • ISBN-10 ‏ : ‎ 1133727948
  • ISBN-13 ‏ : ‎ 978-1133727941


Chapter 8 – Intrusion Detection and Prevention Systems

TRUE/FALSE

1. An IDPS consists of a single device that you install between your firewall and the Internet.
   ANS: F PTS: 1 REF: 266

2. A weakness of a signature-based system is that it must keep state information on a possible attack.
   ANS: T PTS: 1 REF: 269

3. No actual traffic passes through a passive sensor; it only monitors copies of the traffic.
   ANS: T PTS: 1 REF: 277

4. An NIDPS can tell you whether an attack attempt on the host was successful.
   ANS: F PTS: 1 REF: 282

5. A hybrid IDPS combines aspects of NIDPS and HIDPS configurations.
   ANS: T PTS: 1 REF: 283

MULTIPLE CHOICE

1. Which of the following is NOT a network defense function found in intrusion detection and prevention systems?
   a. prevention
   b. response
   c. identification
   d. detection
   ANS: C PTS: 1 REF: 266

2. Which of the following is NOT a primary detection methodology?
   a. signature detection
   b. baseline detection
   c. anomaly detection
   d. stateful protocol analysis
   ANS: B PTS: 1 REF: 267

3. The period of time during which an IDPS monitors network traffic to observe what constitutes normal network behavior is referred to as which of the following?
   a. training period
   b. baseline scanning
   c. profile monitoring
   d. traffic normalizing
   ANS: A PTS: 1 REF: 267

4. What is an advantage of the anomaly detection method?
   a. makes use of signatures of well-known attacks
   b. system can detect attacks from inside the network by people with stolen accounts
   c. easy to understand and less difficult to configure than a signature-based system
   d. after installation, the IDPS is trained for several days or weeks
   ANS: B PTS: 1 REF: 268-269

5. Which approach to stateful protocol analysis involves detection of the protocol in use, followed by activation of analyzers that can identify applications not using standard ports?
   a. Protocol state tracking
   b. IP packet reassembly
   c. Traffic rate monitoring
   d. Dynamic Application layer protocol analysis
   ANS: D PTS: 1 REF: 269

6. Which of the following is an advantage of a signature-based detection system?
   a. the definition of what constitutes normal traffic changes
   b. it is based on profiles the administrator creates
   c. each signature is assigned a number and name
   d. the IDPS must be trained for weeks
   ANS: C PTS: 1 REF: 268-269

7. Which method for detecting certain types of attacks uses an algorithm to detect suspicious traffic, is resource intensive, and requires extensive tuning and maintenance?
   a. brute force
   b. heuristic
   c. signature
   d. anomaly
   ANS: B PTS: 1 REF: 270

8. Which of the following is NOT a typical IDPS component?
   a. network sensors
   b. command console
   c. database server
   d. Internet gateway
   ANS: D PTS: 1 REF: 270

9. Where is a host-based IDPS agent typically placed?
   a. on a workstation or server
   b. at Internet gateways
   c. between remote users and the internal network
   d. between two subnets
   ANS: A PTS: 1 REF: 270

10. Which IDPS customization option is a list of entities known to be harmless?
   a. thresholds
   b. whitelists
   c. blacklists
   d. alert settings
   ANS: B PTS: 1 REF: 272

11. Which of the following is considered a problem with a passive, signature-based system?
   a. profile updating
   b. signature training
   c. custom rules
   d. false positives
   ANS: D PTS: 1 REF: 273

12. Which type of IDPS can have the problem of getting disparate systems to work in a coordinated fashion?
   a. inline
   b. host-based
   c. hybrid
   d. network-based
   ANS: C PTS: 1 REF: 282

13. Which of the following is NOT a method used by passive sensors to monitor traffic?
   a. spanning port
   b. network tap
   c. packet filter
   d. load balancer
   ANS: C PTS: 1 REF: 277

14. Which of the following is a sensor type that uses bandwidth throttling and alters malicious content?
   a. passive only
   b. inline only
   c. active only
   d. online only
   ANS: B PTS: 1 REF: 278

15. Which of the following is true about an HIDPS?
   a. monitors OS and application logs
   b. sniffs packets as they enter the network
   c. tracks misuse by external users
   d. centralized configurations affect host performance
   ANS: A PTS: 1 REF: 279-280

16. Which of the following is true about an NIDPS versus an HIDPS?
   a. an NIDPS can determine if a host attack was successful
   b. an HIDPS can detect attacks not caught by an NIDPS
   c. an HIDPS can detect intrusion attempts on the entire network
   d. an NIDPS can compare audit log records
   ANS: B PTS: 1 REF: 282

17. Which of the following is an IDPS security best practice?
   a. to prevent false positives, only test the IDPS at initial configuration
   b. communication between IDPS components should be encrypted
   c. all sensors should be assigned IP addresses
   d. log files for HIDPSs should be kept local
   ANS: B PTS: 1 REF: 284

18. If you see a /16 in the header of a Snort rule, what does it mean?
   a. a maximum of 16 log entries should be kept
   b. the size of the log file is 16 MB
   c. the subnet mask is 255.255.0.0
   d. the detected signature is 16 bits in length
   ANS: C PTS: 1 REF: 284

19. Why might you want to allow extra time for setting up the database in an anomaly-based system?
   a. the installation procedure is usually complex and time consuming
   b. to add your own custom rule base
   c. it requires special hardware that must be custom built
   d. to allow a baseline of data to be compiled
   ANS: D PTS: 1 REF: 286

20. Which of the following is true about the steps in setting up and using an IDPS?
   a. anomaly-based systems come with a database of attack signatures
   b. sensors placed on network segments will always capture every packet
   c. alerts are sent when a packet doesn't match a stored signature
   d. false positives do not compromise network security
   ANS: D PTS: 1 REF: 288

COMPLETION

1. Anomaly detection systems make use of _______________ that describe the services and resources each authorized user or group normally accesses on the network.
   ANS: profiles PTS: 1 REF: 267

2. In a _______________-based detection system, the IDPS can begin working immediately after installation.
   ANS: signature PTS: 1 REF: 269

3. An IDPS _______________ server is the central repository for sensor and agent data.
   ANS: management PTS: 1 REF: 271

4. A network _______________ is a type of passive sensor that consists of a direct connection between a sensor and the physical network medium.
   ANS: tap PTS: 1 REF: 277

5. _______________ procedures are a set of actions that are spelled out in the security policy and followed if the IDPS detects a true positive.
   ANS: Escalation PTS: 1 REF: 288

MATCHING

   a. accountability
   b. escalated
   c. event horizon
   d. inline sensor
   e. intrusion
   f. passive sensor
   g. profiles
   h. sensor
   i. stateful protocol analysis
   j. true positive

1. an attempt to gain unauthorized access to network resources
   ANS: E PTS: 1 REF: 291,266

2. the entire length of an attack
   ANS: C PTS: 1 REF: 291,269

3. a genuine attack detected successfully by an IDPS
   ANS: J PTS: 1 REF: 291,267

4. an NIDPS sensor positioned so that all traffic on the network segment is examined as it passes through
   ANS: D PTS: 1 REF: 291,276

5. an IDPS component that monitors traffic on a network segment
   ANS: H PTS: 1 REF: 291,270

6. increasing an intrusion response to a higher level
   ANS: B PTS: 1 REF: 290,273

7. sets of characteristics that describe network services and resources a user or group normally accesses
   ANS: G PTS: 1 REF: 291,267

8. the process of maintaining a table of current connections so that abnormal traffic can be identified
   ANS: I PTS: 1 REF: 291,269

9. the ability to track an attempted attack or intrusion back to its source
   ANS: A PTS: 1 REF: 290,289

10. an NIDPS sensor that examines copies of traffic on the network
   ANS: F PTS: 1 REF: 291,277

SHORT ANSWER

1. What are the three network defense functions performed by an IDPS?
   ANS: prevention, detection, and response
   PTS: 1 REF: 266

2. Contrast anomaly detection with signature detection.
   ANS: An anomaly detection system makes use of profiles that describe the services and resources each authorized user or group normally accesses on the network. Network baselines are also associated with profiles. Once these profiles are in place, the system can monitor users and groups for suspicious activity (anomalies) that does not fit the profiles. In contrast to anomaly-based detection, which triggers alarms based on deviations from normal network behavior, signature detection triggers alarms based on characteristic signatures of known external attacks. You might decide to use signature detection if you have the time and ability (and perhaps the software) to analyze the large amount of log file data this system generates.
   PTS: 1 REF: 267-268

3. Describe two advantages and two disadvantages of an anomaly-based system.
   ANS: Advantages: Because an anomaly detection system is based on profiles an administrator creates, an attacker cannot test the IDPS beforehand and anticipate what will trigger an alarm. As new users and groups are created, IDPS profiles can be updated to keep up with these changes. Because an anomaly detection system does not rely on published signatures, it can detect new attacks. The system can detect attacks from inside the network by employees or attackers who have stolen employee accounts.
   Disadvantages: Configuring the IDPS to use profiles of network users and groups requires considerable time. Updating IDPS profiles can be time consuming. The definition of what constitutes normal traffic changes constantly, and the IDPS must be reconfigured to keep up. After installation, the IDPS must be trained for days or weeks to recognize normal traffic.
   PTS: 1 REF: 268

4. Describe two advantages and two disadvantages of a signature-based system.
   ANS: Advantages: This approach makes use of signatures of well-known attacks. This IDPS can begin working immediately after installation. This IDPS is easy to understand and less difficult to configure than an anomaly-based system. Each signature in the database is assigned a number and name so that the administrator can specify which attacks should set off an alarm.
   Disadvantages: The database of signatures must be updated to maintain the IDPS's effectiveness. New types of attacks might not be included in the database. By making minor alterations to an attack, attackers can avoid matching a signature in the database. Because a misuse-based system requires a database, extensive disk storage space might be needed.
   PTS: 1 REF: 268-269

5. Define stateful protocol analysis. Include in your answer the concept of the event horizon.
   ANS: When an IDPS receives a packet, information about the connection between the host and remote computer is compared to entries in the state table. A state table maintains a record of connections between computers that includes the source IP address and port, destination IP address and port, and protocol. Furthermore, the IDPS needs to maintain state information for the entire length of the attack, which is called the event horizon. Maintaining this information might require an IDPS to review many packets of data; during long attacks, such as those that last from user logon to user logoff, the IDPS might not be able to maintain the state information long enough, and the attack could circumvent the system.
   PTS: 1 REF: 269

6. List two approaches to stateful protocol analysis.
   ANS: Any two of: traffic rate monitoring; protocol state tracking; dynamic Application layer protocol analysis; IP packet reassembly
   PTS: 1 REF: 269

7. What are the four typical components of an IDPS?
   ANS: Network sensors or host-based agents that analyze and report activity; they are used with management servers that receive and manage information from sensors, analyze data, and identify some events. Detection and prevention capabilities. A command console for interfacing with the IDPS. A database server that stores attack signatures or behaviors an IDPS uses to identify potentially suspicious traffic.
   PTS: 1 REF: 270

8. What are the four common entry points to a network where sensors should be placed?
   ANS: Internet gateways; connections between one network and another or between subnets separated by switches; a remote access server that receives dial-up connections from remote users; VPN devices that connect a LAN to a business partner's LAN
   PTS: 1 REF: 271

9. What is an inline sensor and how is it used to stop attacks?
   ANS: An inline sensor is positioned so that network traffic must pass through it. This type of sensor is used to stop attacks by blocking network traffic and is usually placed where firewalls and other security devices are positioned, such as between network segments or at connections to external networks.
   PTS: 1 REF: 276

10. List four types of information that an NIDPS typically logs.
   ANS: Any four of: timestamps; event or alert types; protocols; connection or session IDs; source and destination IP addresses and ports; size of transmissions, usually in bytes; state-related information; application requests and responses; Network, Transport, and Application layer protocols; preventive action taken, if any
   PTS: 1 REF: 278
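The following is an added illustration, not code from the textbook, from the test bank, or from Snort. It runs a toy signature-based detector and a toy anomaly-based (profile) detector over constructed connection records so that the contrast in Short Answer 2-4 and the false-positive point in Multiple Choice 11 and 20 can be seen on real input. The rule header borrows the shape of a Snort header (proto src src_port -> dst dst_port) only so that the /16 in Multiple Choice 18 can be turned into a dotted mask; the matcher, record format, user names and addresses are all invented for the example.

```python
"""Signature-based vs anomaly-based detection on constructed records.

Added example, not textbook code. Rule headers look like Snort's
'proto src sport -> dst dport' but the matcher is this file's own.
"""
import ipaddress
from collections import defaultdict

# Constructed records: (src_ip, user, dst_ip, dst_port, payload). All invented.
TRAINING = [  # seen during the training period; assumed benign
    ("10.1.1.5", "alice", "10.2.0.10", 443, "GET /sales/report"),
    ("10.1.1.5", "alice", "10.2.0.10", 443, "GET /sales/q3"),
    ("10.1.1.7", "bob",   "10.2.0.20", 22,  "ssh-2.0-openssh"),
    ("10.1.1.7", "bob",   "10.2.0.10", 80,  "GET /backup/etc/passwd"),  # nightly backup job
]
LIVE = [
    ("10.1.1.5", "alice", "10.2.0.10", 443, "GET /sales/report"),        # 0: normal
    ("203.0.113.9", "-",  "10.2.0.10", 80,  "GET /../../etc/passwd"),     # 1: known attack
    ("203.0.113.9", "-",  "10.2.0.10", 80,  "GET /../../etc/%70asswd"),   # 2: same attack, altered
    ("10.1.1.5", "alice", "10.2.0.30", 445, "SMB read payroll.xlsx"),     # 3: stolen account, new target
    ("10.1.1.7", "bob",   "10.2.0.10", 80,  "GET /backup/etc/passwd"),    # 4: benign, matches signature
]

# (name, Snort-style header, content string). The /16 is a prefix length.
RULES = [
    ("dir-traversal", "tcp any any -> 10.2.0.0/16 80", "/etc/passwd"),
]


def parse_header(header):
    """Split 'proto src sport -> dst dport'; 'any' address becomes 0.0.0.0/0."""
    proto, src, sport, arrow, dst, dport = header.split()
    if arrow != "->":
        raise ValueError("only unidirectional headers are handled here")
    net = lambda s: ipaddress.ip_network("0.0.0.0/0" if s == "any" else s)
    return {"proto": proto, "src": net(src), "sport": sport, "dst": net(dst), "dport": dport}


def netmask_of(cidr):
    """Dotted-decimal mask for a prefix: '10.2.0.0/16' -> '255.255.0.0'."""
    return str(ipaddress.ip_network(cidr).netmask)


def signature_detect(events, rules=RULES):
    """Alert when a record matches a rule's address/port header and content string."""
    hits = []
    for i, (src, _user, dst, dport, payload) in enumerate(events):
        for name, header, content in rules:
            h = parse_header(header)
            in_src = ipaddress.ip_address(src) in h["src"]
            in_dst = ipaddress.ip_address(dst) in h["dst"]
            port_ok = h["dport"] == "any" or int(h["dport"]) == dport
            if in_src and in_dst and port_ok and content in payload:
                hits.append((i, name))
    return hits


def build_profiles(training):
    """Profile = the set of (dst_ip, dst_port) each user touched during training."""
    profiles = defaultdict(set)
    for _src, user, dst, dport, _payload in training:
        profiles[user].add((dst, dport))
    return profiles


def anomaly_detect(events, profiles):
    """Alert on any record whose (user, destination) pair is outside the profile."""
    return [i for i, (_src, user, dst, dport, _payload) in enumerate(events)
            if (dst, dport) not in profiles.get(user, set())]


if __name__ == "__main__":
    print(netmask_of("10.2.0.0/16"))                       # 255.255.0.0
    print(signature_detect(LIVE))                          # [(1, 'dir-traversal'), (4, 'dir-traversal')]
    print(anomaly_detect(LIVE, build_profiles(TRAINING)))  # [1, 2, 3]
```

Reading the two result lists side by side: the signature matcher catches record 1 but misses record 2 (a minor alteration, Short Answer 4) and record 3 (a stolen account doing something new, Short Answer 3), while it flags record 4, a legitimate backup job, as a false positive. The profile detector catches 1, 2 and 3 but only because the training set already contained bob's backup traffic; anything the training period did not see is an alert, which is why the baseline has to be compiled before the system is trusted (Multiple Choice 19).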

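The next block is also an added example rather than anything from the textbook. It makes the event-horizon point of Short Answer 5 concrete: a tracker keys state on the source address and port, destination address and port, and protocol, counts failed logins per connection, and discards an entry once it is older than a fixed horizon. The packet records, the "LOGIN FAIL" message, the threshold and the horizon length are all constructed for the illustration; a real IDPS parses the protocol rather than reading a label.

```python
"""Stateful protocol analysis with a bounded event horizon (added example).

Not textbook code. Each packet is a constructed tuple
(timestamp, src, sport, dst, dport, proto, message).
"""
from dataclasses import dataclass

THRESHOLD = 3    # failed logins on one connection that triggers an alert (assumed)
HORIZON = 60.0   # seconds of per-connection state the sensor can afford to keep (assumed)

# Constructed traffic: a fast brute force on port 22 and a slow one spread over minutes.
PACKETS = [
    (0.0,   "203.0.113.5", 40000, "10.2.0.20", 22, "tcp", "LOGIN FAIL"),
    (0.0,   "203.0.113.6", 40001, "10.2.0.20", 22, "tcp", "LOGIN FAIL"),
    (5.0,   "203.0.113.5", 40000, "10.2.0.20", 22, "tcp", "LOGIN FAIL"),
    (10.0,  "203.0.113.5", 40000, "10.2.0.20", 22, "tcp", "LOGIN FAIL"),  # third failure
    (50.0,  "203.0.113.6", 40001, "10.2.0.20", 22, "tcp", "LOGIN FAIL"),
    (100.0, "203.0.113.6", 40001, "10.2.0.20", 22, "tcp", "LOGIN FAIL"),
    (150.0, "203.0.113.6", 40001, "10.2.0.20", 22, "tcp", "LOGIN FAIL"),
    (200.0, "203.0.113.6", 40001, "10.2.0.20", 22, "tcp", "LOGIN OK"),
]


@dataclass
class ConnState:
    first_seen: float
    last_seen: float
    failures: int = 0


class StatefulTracker:
    def __init__(self, horizon=HORIZON, threshold=THRESHOLD):
        self.horizon = horizon
        self.threshold = threshold
        self.table = {}   # (src, sport, dst, dport, proto) -> ConnState
        self.alerts = []  # (timestamp, connection key)

    def _expire(self, now):
        """Forget any connection tracked longer than the horizon.

        This is the simplification that models the textbook's point: once the
        state is gone, whatever the attacker did before now is invisible.
        """
        stale = [k for k, s in self.table.items() if now - s.first_seen > self.horizon]
        for k in stale:
            del self.table[k]

    def feed(self, pkt):
        ts, src, sport, dst, dport, proto, msg = pkt
        self._expire(ts)
        key = (src, sport, dst, dport, proto)
        st = self.table.setdefault(key, ConnState(first_seen=ts, last_seen=ts))
        st.last_seen = ts
        if msg == "LOGIN FAIL":
            st.failures += 1
            if st.failures >= self.threshold:
                self.alerts.append((ts, key))
                del self.table[key]  # start counting afresh after alerting
        elif msg == "FIN":
            self.table.pop(key, None)  # connection closed normally
        return st.failures


def run(packets, horizon=HORIZON):
    """Feed the packets through a fresh tracker and return its alerts."""
    tracker = StatefulTracker(horizon=horizon)
    for pkt in packets:
        tracker.feed(pkt)
    return tracker.alerts


if __name__ == "__main__":
    print(run(PACKETS))                  # one alert, at t=10.0, for 203.0.113.5
    print(run(PACKETS, horizon=1000.0))  # a second alert, at t=100.0, for 203.0.113.6
```

With the 60-second horizon the fast attacker is caught on the third failure, but the slow attacker never accumulates three failures inside one retained state entry, which is the circumvention Short Answer 5 describes. Raising the horizon to cover the whole length of the attack catches the second attacker at t=100, at the cost of holding more state per connection.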