This chapter covers the following subjects:
The heart of the Cisco IPS is the signatures that the sensor uses to identify intrusive traffic on your network. Each signature can be configured to perform numerous actions whenever the signature fires. Configuring signature responses is vital to efficiently using your Cisco IPS sensors to protect your network.
Besides detecting specific traffic on your network, you can configure numerous actions that the sensor will perform when a signature triggers. These actions vary from simply generating an alert to logging network traffic to denying traffic from a specific IP address for a configured period of time. To effectively protect your network, you need to customize the signature actions to your specific network environment.
"Do I Know This Already?" Quiz
The purpose of the "Do I Know This Already?" quiz is to help you decide if you need to read the entire chapter. If you already intend to read the entire chapter, you do not necessarily need to answer these questions now.
The 10-question quiz, derived from the major sections in the "Foundation and Supplemental Topics" portion of the chapter, helps you determine how to spend your limited study time.
Table 9-1 outlines the major topics discussed in this chapter and the "Do I Know This Already?" quiz questions that correspond to those topics.
Table 9-1. "Do I Know This Already?" Foundation and Supplemental Topics Mapping
Foundation or Supplemental Topic    Questions Covering This Topic
Cisco IPS Response Overview
Configuring IP Blocking
The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark this question wrong for purposes of the self-assessment. Giving yourself credit for an answer you correctly guess skews your self-assessment results and might provide you with a false sense of security.
1. The Deny Connection Inline action stops traffic that matches which of the following descriptions (where "source" and "destination" refer to the traffic that caused the signature to trigger)?
    Source IP address and destination port
    Source IP address and destination IP address
    Source IP address, destination IP address, source port, and destination port
    Source IP address, destination IP address, and destination port
2. When you manually configure IP logging, which parameter is not a valid parameter that you can configure with IDM?
    Maximum Number of Packets
    Duration (in seconds)
    Maximum Number of Bytes
    All of these answers are valid parameters
3. Which of the following is not a valid Cisco IPS response action?
    Request SNMP Trap
    Produce Verbose Alert
    Modify Packet Inline
    Deny Packet Inline
    Request Block Packet
4. What is a major difference between Access Control Lists (ACLs) and VLAN Access Control Lists (VACLs)?
    ACLs are available only on routers.
    ACLs apply to traffic either entering or leaving an interface.
    ACLs are directionless.
    VACLs are directionless.
    VACLs apply to traffic either entering or leaving an interface.
5. When is a Master Blocking Sensor necessary?
    When your managed devices are PIX™ Firewalls
    When one sensor manages multiple managed devices
    When multiple sensors are configured for IP blocking
    When one sensor manages both PIX Firewalls and Cisco IOS® routers
6. What is the default logging duration when you manually configure IP logging?
7. Which of the following is true about the Deny Attacker Duration parameter?
    It is measured in minutes.
    The default is 90 minutes.
    The default is 3600 seconds.
    It is measured in minutes, and the default is 90 minutes.
8. By default, which of the following is true about configuring never-block addresses?
    You must configure a never-block address to prevent the sensor from being blocked.
    The sensor can never block itself.
    By default, the sensor will not block its own address.
9. Which of the following is not a consideration for implementing IP blocking?
    Interface ACL requirements
    Frequency of attack traffic
10. By default, what is the maximum number of entries allowed in the blocking ACL?
The answers to the "Do I Know This Already?" quiz are found in the appendix. The suggested choices for your next step are as follows:
8 or fewer overall score: Read the entire chapter, including the "Foundation and Supplemental Topics," "Foundation Summary," and Q&A sections.
9 or 10 overall score: If you want more review on these topics, skip to the "Foundation Summary" section and then go to the Q&A section. Otherwise, move to the next chapter.