Chapter 9. Cisco IPS Response Configuration

This chapter covers the following subjects:

  • Cisco IPS response overview

  • Inline actions

  • Logging actions

  • IP blocking

  • Configuring IP blocking

  • Manual blocking

  • TCP reset

The heart of the Cisco IPS is the signatures that the sensor uses to identify intrusive traffic on your network. Each signature can be configured to perform numerous actions whenever the signature fires. Configuring signature responses is vital to efficiently using your Cisco IPS sensors to protect your network.

Besides detecting specific traffic on your network, you can configure numerous actions that the sensor will perform when a signature triggers. These actions vary from simply generating an alert to logging network traffic to denying traffic from a specific IP address for a configured period of time. To effectively protect your network, you need to customize the signature actions to your specific network environment.

"Do I Know This Already?" Quiz

The purpose of the "Do I Know This Already?" quiz is to help you decide if you need to read the entire chapter. If you already intend to read the entire chapter, you do not necessarily need to answer these questions now.

The 10-question quiz, derived from the major sections in the "Foundation and Supplemental Topics" portion of the chapter, helps you determine how to spend your limited study time.

Table 9-1 outlines the major topics discussed in this chapter and the "Do I Know This Already?" quiz questions that correspond to those topics.

Table 9-1. "Do I Know This Already?" Foundation and Supplemental Topics Mapping

Foundation or Supplemental Topic

Questions Covering This Topic

Cisco IPS Response Overview


Inline Actions


Logging Actions


IP Blocking


Configuring IP Blocking


Manual Blocking


TCP Reset



The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark this question wrong for purposes of the self-assessment. Giving yourself credit for an answer you correctly guess skews your self-assessment results and might provide you with a false sense of security.


The Deny Connection Inline action stops traffic that matches which of the following descriptions (where "source" and "destination" refer to the traffic that caused the signature to trigger)?

  1. Source IP address and destination port

  2. Source IP address and destination IP address

  3. Source IP address, destination IP addresses, source port, and destination port

  4. Source IP address, destination IP address, and destination port


When you manually configure IP logging, which parameter is not a valid parameter that you can configure with IDM?

  1. Maximum Number of Packets

  2. Duration (in seconds)

  3. Maximum Number of Bytes

  4. All of these answers are valid parameters


Which of the following is not a valid Cisco IPS response action?

  1. Request SNMP Trap

  2. Produce Verbose Alert

  3. Modify Packet Inline

  4. Deny Packet Inline

  5. Request Block Packet


What is a major difference between Access Control Lists (ACLs) and VLAN Access Control Lists (VACLs)?

  1. ACLs are available only on routers.

  2. ACLs apply to traffic either entering or leaving an interface.

  3. ACLs are directionless.

  4. VACLs are directionless.

  5. VACLs apply to traffic either entering or leaving an interface.


When is a Master Blocking Sensor necessary?

  1. When your managed devices are PIX™ Firewalls

  2. When one sensor manages multiple managed devices

  3. When multiple sensors are configured for IP blocking

  4. When one sensor manages both PIX Firewalls and Cisco IOS® routers


What is the default logging duration when you manually configure IP logging?

  1. 10 minutes

  2. 15 minutes

  3. 20 minutes

  4. 30 minutes

  5. 60 minutes


Which of the following is true about the Deny Attacker Duration parameter?

  1. It is measured in minutes.

  2. The default is 90 minutes.

  3. The default is 3600 seconds.

  4. It is measured in minutes, and the default is 90 minutes.


By default, which of the following is true about configuring never-block addresses?

  1. You must configure a never-block address to prevent the sensor from being blocked.

  2. The sensor can never block itself.

  3. By default, the sensor will not block its own address.


Which of the following is not a consideration for implementing IP blocking?

  1. Antispoofing mechanisms

  2. Critical hosts

  3. Blocking duration

  4. Interface ACL requirements

  5. Frequency of attack traffic


By default, what is the maximum number of entries allowed in the blocking ACL?

  1. 100

  2. 200

  3. 250

  4. 500

  5. 1000

The answers to the "Do I Know This Already?" quiz are found in the appendix. The suggested choices for your next step are as follows:

  • 8 or less overall score Read the entire chapter, including the "Foundation and Supplemental Topics," "Foundation Summary," and Q&A sections.

  • 9 or 10 overall score If you want more review on these topics, skip to the "Foundation Summary" section and then go to the Q&A section. Otherwise, move to the next chapter.

CCSP IPS Exam Certification Guide
CCSP IPS Exam Certification Guide
ISBN: 1587201461
EAN: 2147483647
Year: 2004
Pages: 119
Authors: Earl Carter © 2008-2017.
If you may any questions please contact us: