Chapter Review

The Cisco Secure Intrusion Detection System (CIDS) is a network-based IDS that uses signatures to detect intrusive activity on your network. The CIDS systems rely on both a sensor platform to capture and analyze network traffic, and an Event Viewer that acts as a centralized alarm and event display platform for the distributed CIDS infrastructure. Communication between these two platforms is handled via the Cisco proprietary PostOffice protocol.

Two types of sensors are available with CIDS:

  • 4200 Series Network Sensor Appliance

  • 6000 Series Catalyst Intrusion Detection System Module (IDSM)

The 4200 series network sensor appliance consists of three different models. Each model is uniquely tuned for a specific network requirement. These three models and their associated performance features are

  • 4210—Capable of monitoring and analyzing 45 Mbps

  • 4235—Capable of monitoring and analyzing 200 Mbps

  • 4250—Capable of monitoring and analyzing 500 Mbps

The IDSM is an integrated line card that can be inserted into any 6000 series Catalyst switch. The IDSM copies packets directly off the switch backplane and can monitor up to 100 Mbps. Because the IDSM monitors copies of packets taken from the switch backplane, it needn’t be in the forwarding path of network traffic and won’t affect switch throughput performance. Both the 4200 series network appliance and the IDSM can be configured and managed with either director platform, but the Device Manager can’t be installed on an IDSM.

The director platforms allow for centralized configuration and management of the distributed sensor infrastructure. CIDS offers two director platforms, either of which can be used with any type of CIDS sensors. The two director platforms are as follows:

  • Cisco Secure Policy Manager (CSPM)

  • CIDS Director for UNIX

CSPM is for use on Windows NT 4.0, while CIDS Director for UNIX is an HP OpenView application that runs on Sun Solaris or HPUX. Both offer a GUI interface.

Communication between the sensor and director platforms is facilitated with the Cisco proprietary PostOffice protocol. The PostOffice protocol isn’t an e-mail protocol like SMTP, POP, or IMAP. Instead, it’s a protocol maintained by Cisco that brings reliability, redundancy, and fault tolerance to the CIDS communication architecture.

Each sensor contains a web application called Device Manager. The Device Manager Application can be used to configure and manage each sensor. The CIDS exam focuses on the use of Device Manager for the configuration of network sensors.

The CIDS application system is made up of services, or daemons, each of which performs a unique function within the CIDS architecture. Daemons run on both the sensor and director platforms, and the most critical daemons, such as postofficed, run on both. At a minimum, the following daemons must be running on a functioning sensor:

  • packetd

  • postofficed

  • fileXferd

  • loggerd

The daemons that must be installed and running on a director platform include the following:

  • smid

  • postofficed

  • fileXferd

  • loggerd

While monitoring the network, the Cisco Secure Intrusion Detection System generates a wealth of information that’s stored in log files. These log files include information such as the alarms generated, daemon error conditions, commands issued, and IP session information. Four types of log files are generated by CIDS:

  • Event (Alarm) logs

  • Command logs

  • Service Error logs

  • IP Session logs

Questions

1. Which of the following sensor models is capable of delivering 200 Mbps or more of monitoring and analyzing?

  A. The IDSM module for the Catalyst 5500

  B. The IDSM module for the Catalyst 6500

  C. The 4235 network sensor appliance

  D. The 4250 network sensor appliance

2. On which of the following operating systems will CSPM operate properly?

  A. Windows NT 4.0

  B. Windows NT 3.5

  C. Windows 2000

  D. Sun Solaris or HPUX

3. What is the command that can be used to start the IDS system on a 4200 series network sensor appliance?

  A. startids

  B. idsstart

  C. Idsstart

  D. nr.idsstart

4. Which of the following daemons is responsible for the monitoring and analyzing of network traffic?

  A. packetd

  B. services

  C. auth

  D. managed

5. Where are archived IP session log files located?

  A. /usr/nr/var

  B. /usr/nr/var/new

  C. /usr/nr/var/iplog

  D. /usr/nr/var/iplog/new

6. Which file would you open to see the IP address and UDP port associated with the host name of a CIDS component?

  A. auth

  B. routes

  C. destinations

  D. hosts

7. What is the default installation directory on all CIDS sensors?

  A. root\usr

  B. \usr\var

  C. \usr\nr

  D. \usr\nr\etc

8. What command would return the current services running and their versions?

  A. idsvers

  B. showidsver

  C. showver

  D. idsshowver

9. What is the protocol used as a communication vehicle between the sensor and director platforms?

  A. postofficed

  B. SMTP

  C. IMAP

  D. PostOffice

10. The CIDS Director for UNIX will run on which of the following operating systems?

  A. HPUX

  B. HPOV

  C. Sun Solaris

  D. HP OpenView

11. Why should IP blocking be used cautiously?

  A. Because it’s difficult to configure

  B. Because it gives too much control to the sensor

  C. Because it’s impossible to unblock an address once it’s been blocked

  D. Because hackers can use this feature to attack your infrastructure

12. What type of files are stored in the /usr/nr/etc directory?

  A. Configuration files

  B. System files

  C. IP session log files

  D. Archived log files

13. What is a token?

  A. A configuration parameter

  B. A configuration file

  C. A daemon installed on a sensor

  D. A device used in video games

14. What script can assist administrators in troubleshooting communication issues between CIDS devices?

  A. auths

  B. idscomm

  C. idsconn

  D. idsstatus

15. Which of the following files should not be changed unless directed by Cisco?

  A. signature

  B. hosts

  C. auth

  D. destinations

16. What are the four types of log files?

  A. packetd, postofficed, fileXferd, loggerd

  B. idsstart, idsstop, idsstatus, idsvers

  C. alarm, notification, event, error

  D. event, error, IP session, command

17. The director platform can be configured to respond automatically to an attack by what?

  A. Blocking the offending IP address

  B. Sending a TCP reset packet

  C. Creating an IP Session log

  D. None of the above

18. Which of the following daemons is responsible for file deletion and for moving log files to the database staging area?

  A. loggerd

  B. packetd

  C. fileXferd

  D. sapd

19. Which of the following daemons allows the director platforms to configure sensors remotely?

  A. fileXferd

  B. managed

  C. postofficed

  D. smid

20. Which of the following daemons runs only on the sensor or only on the director, but doesn’t run on both?

  A. loggerd

  B. smid

  C. packetd

  D. fileXferd

Answers

1. C. and D. Both the 4235 and 4250 are capable of 200 Mbps or better

2. A. Windows NT 4.0

3. B. idsstart

4. A. packetd

5. D. /usr/nr/var/iplog/new

6. B. routes

7. C. /usr/nr

8. A. idsvers

9. D. PostOffice

10. A. and C. HPUX and Sun Solaris

11. D. Because hackers can use this feature to attack your infrastructure

12. A. and B. Configuration and System files

13. A. A configuration parameter

14. C. idsconn

15. A. signature

16. D. event, error, IP session, command

17. D. None of the above

18. D. sapd

19. A. fileXferd

20. B. and C. packetd (sensor), smid (director)
