The Cisco IOS Firewall Intrusion Detection System has been a feature of a growing list of Cisco router platforms running the firewall feature set since version 12.0(5). The IDS features are currently available on the Cisco uBR900, 1720, 2600, 3600, 7100, 7200, and 7500 series routers, as well as the RSM for Catalyst 5000 switches.
The IOS-based IDS features extend the coverage of the Cisco Secure IDS appliances and host-based software to router-based firewalls. They are especially useful where a router is deployed to add a security boundary between network segments, such as between the organization and a partner site. The key advantage of an IDS-enabled device is that it can take preconfigured steps to thwart an attack rather than simply report it.
The most recent Cisco IOS Firewall IDS uses 59 attack signatures representing a broad cross section of intrusion detection signatures that identify severe breaches of security, as well as the most common network attacks and information-gathering scans.
Configuring the IDS features takes four basic steps when the network uses the Cisco Secure Director (NetRanger): initializing Cisco IOS Firewall IDS (required), initializing the Post Office (required), configuring and applying audit rules (required), and verifying the configuration (optional).
The MCNS exam objectives cover only the first, third, and fourth steps, because the Post Office and the IDS Director are covered in the IDS exam. When configuring audit rules, you can disable individual signatures that are unneeded or that generate false positives. You can also exempt specific hosts from auditing, by referencing a standard ACL, either because they are trusted or to avoid false positives.
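The following configuration walks through all four steps on one router. It is an added example, not a configuration from the original chapter. The host and organization IDs, the Director and router addresses, the interface name, ACL 25 and the exempted host, and the audit name Attack.7 are assumed values chosen for illustration; signature 1001 appears only because the review questions refer to it, and the Post Office lines (step 2) are included for completeness even though they fall outside the MCNS objectives.

```cisco
! Step 1: initialize Cisco IOS Firewall IDS (required)
! Send alarms to the IDS Director through the Post Office and to the local log
ip audit notify nr-director
ip audit notify log
! Fire the mail-spam signature when one message carries more than 50 recipients
ip audit smtp spam 50
! Queue at most 100 event notifications before new events are dropped
ip audit po max-events 100

! Step 2: initialize the Post Office (required when a Director is used)
! Assumed: this router is host 1 in organization 100, the Director is host 2
ip audit po local hostid 1 orgid 100
ip audit po remote hostid 2 orgid 100 rmtaddress 10.1.1.5 localaddress 10.1.1.1 port 45000 preference 1 timeout 5 application director

! Step 3: configure and apply audit rules (required)
! Default actions per signature class: info signatures only alarm,
! attack signatures alarm, drop the packet and reset the TCP session
ip audit info action alarm
ip audit attack action alarm drop reset
! Disable a signature that is unneeded or generates false positives
ip audit signature 1001 disable
! Standard ACL 25: hosts matched by a deny entry are exempted from auditing
! (assumed: 10.1.1.50 is a trusted vulnerability scanner)
access-list 25 deny 10.1.1.50
access-list 25 permit any
! Exempt the same host from a single signature only (per-signature exemption)
ip audit signature 2004 list 25
! Audit rule Attack.7: audit attack and info signatures, skipping hosts excluded by ACL 25
ip audit name Attack.7 attack list 25 action alarm drop reset
ip audit name Attack.7 info list 25 action alarm
! Apply the rule inbound on the partner-facing interface (assumed interface)
interface Serial0/0
 ip audit Attack.7 in

! Step 4: verify the configuration (optional)
! show ip audit configuration
! show ip audit interfaces
! show ip audit statistics
```

Two points worth checking after applying a rule like this: `ip audit signature <id> disable` is global and affects every audit rule on the router, so disable a signature only when no interface needs it, and the ACL referenced by `list` uses the deny entries to name the hosts that are skipped, so an ACL that denies nothing exempts no one.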
1. Which of the following is not a method of categorizing IDS systems covered in this chapter?
2. True or False. The Cisco IOS Firewall feature set is implemented on all Cisco router series.
3. Which of the following IOS features is always found with the IDS features on the new IOS?
4. Which of the following is not an action the IOS IDS can be configured to do?
5. Cisco IDS is based on matching traffic patterns to which of the following?
6. Which of the four basic steps to configure the IDS features isn’t required?
7. Which two of the following are the commands to initialize Cisco IOS IDS on a router?
8. Which of the following signature keywords means “information-gathering activity, such as a port sweep”?
9. Which of the following signature keywords means “simple patterns, such as an attempt to access a specific port on a specific host”?
10. According to the text, how many IDS signatures are supported in the IOS version of IDS?
11. With the ip audit info and ip audit attack commands, how many actions can be applied?
12. Which command will disable the IDS signature 1001?
13. In the command Rtr1(config)#ip audit name Attack.7 list 25, what does the 25 represent?
14. What does the ip audit audit-name command do?
15. Which is not a valid IDS show command?
Answers
1. C. Open vs. proprietary is not a category used.
2. B. False. The firewall feature set is implemented only on the Cisco 800, uBR900, 1400, 1600, 1700, 2500, 2600, 3600, 7100, 7200, and 7500 series routers and the RSM for Catalyst 5000 switches.
3. B. The firewall feature set is always present with IDS in the IOS.
4. B. Shut down
5. C. Signatures
6. C. Verifying the configuration
7. B and D. Rtr1(config)#ip audit smtp spam recipients and Rtr1(config)#ip audit po max-events number_events
8. C. Info
9. B. Atomic
10. B. 59
11. C. 3: Alarm, Drop, and Reset
12. C. Rtr1(config)#ip audit signature 1001 disable
13. C. An ACL number
14. C. Applies an IDS audit specification to an interface
15. A. show ip audit transactions is not a real command