Part I: Cisco IPS Overview

Chapter 1 Cisco Intrusion Prevention System (IPS) Overview

This chapter covers the following subjects:

  • Cisco Intrusion Prevention Solution

  • Intrusion Prevention Overview

  • Cisco Intrusion Prevention System Hardware

  • Inline Mode Versus Promiscuous Mode

  • Software Bypass

  • Cisco Sensor Deployment

  • Cisco Sensor Communications Protocols

  • Cisco Sensor Software Architecture

The latest technology to protect your network is known as an Intrusion Prevention System (IPS). Unlike a traditional Intrusion Detection System (IDS), intrusion prevention technology enables you to stop intrusion traffic before it enters your network by placing the sensor as a forwarding device in the network. This chapter provides an overview of this technology and how you can use it to protect your network from attack.

IPSs are the latest addition to the set of tools available to secure your network. This chapter defines the characteristics of an IPS and explains the terminology associated with IPS products. Cisco security devices that support this functionality are also identified. If you are unfamiliar with Intrusion Prevention technology, reading this chapter is vital to understanding the terminology used throughout the rest of the book.

"Do I Know This Already?" Quiz

The purpose of the "Do I Know This Already?" quiz is to help you decide if you really need to read the entire chapter. If you already intend to read the entire chapter, you do not necessarily need to answer these questions now.

The 10-question quiz, derived from the major sections in the "Foundation and Supplemental Topics" portion of the chapter, helps you determine how to spend your limited study time.

Table 1-1 outlines the major topics discussed in this chapter and the corresponding "Do I Know This Already?" quiz questions.

Table 1-1. "Do I Know This Already?" Foundation and Supplemental Topics Mapping

Foundation or Supplemental Topic               Questions Covering This Topic
Intrusion Prevention Overview                  1, 2
Cisco Intrusion Prevention System Hardware     3, 6
Inline Mode Versus Promiscuous Mode            5
Software Bypass                                4
Cisco Sensor Deployment                        9, 10
Cisco Sensor Communications Protocols          7, 8
Cisco Sensor Architecture

Caution

The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark this question wrong for purposes of the self-assessment. Giving yourself credit for an answer you correctly guess skews your self-assessment results and might provide you with a false sense of security.


1. What do you call a signature that does not fire after observing normal user traffic?

  a. False positive

  b. True negative

  c. False negative

  d. True positive

2. Which of the following is a valid risk rating?

  a. High

  b. Severe

  c. 80

  d. Critical

  e. Catastrophic

3. Which of the following sensors does not support inline mode?

  a. IDS 4215

  b. IDS 4255

  c. IDS 4240

  d. IDS Network Module

  e. IDS 4235

4. Which software bypass mode causes the sensor to stop passing traffic if the analysis engine stops running?

  a. Auto

  b. Off

  c. On

  d. Fail open

  e. None of these

5. In which processing mode does your sensor passively monitor network traffic as it looks for intrusive activity? How many interfaces does it require?

  a. Promiscuous, 1 interface

  b. Inline, 1 interface

  c. Promiscuous, 2 interfaces

  d. Inline, 2 interfaces

6. Which of the following appliance sensors is diskless so that it can provide greater reliability?

  a. IDS 4215

  b. IDS 4235

  c. IDS 4240

  d. IDS 4250

  e. IDS 4210

7. Which standard defines a product-independent standard for communicating security device events?

  a. SDEE

  b. LDAP

  c. RDEP

  d. TLS

  e. IDIOM

8. Which communication protocol does your sensor use to communicate event messages to other Cisco IPS devices on the network?

  a. IDIOM

  b. SMTP

  c. RDEP

  d. SDEE

  e. None of these

9. What is the name of the boundary between your network and your business partner's network?

  a. Internet boundary

  b. Extranet boundary

  c. Intranet boundary

  d. Remote-access boundary

10. Which of the following are internal boundaries that separate network segments within a network?

  a. Intranet boundaries

  b. Internet boundaries

  c. Extranet boundaries

  d. Segment boundaries

  e. None of these

The answers to the "Do I Know This Already?" quiz are found in the appendix. After correcting your quiz, count the number of correct answers to determine your next objective:

  • 8 or fewer overall score — Read the entire chapter, including the "Foundation and Supplemental Topics," "Foundation Summary," and Q&A sections.

  • 9 or 10 overall score — If you want more review on these topics, skip to the "Foundation Summary" section of this chapter and then go to the Q&A section. Otherwise, move to the next chapter.