
APPENDIX D

Memory Tables Answer Key


Chapter 1
Table 1-2 Security Terms
Vocabulary Term: Explanation

Asset: An asset is an item that is to be protected and can include property, people, and information/data that have value to the company. This includes intangible items such as proprietary information or trade secrets and the reputation of the company. The data could include company records, client information, proprietary software, and so on.

Vulnerability: A vulnerability is an exploitable weakness of some type. The exploitation might result from a malicious attack, or it might be triggered accidentally because of a failure or weakness in the policy, implementation, or software running on the network.

Threat: This is what you are protecting against. A threat is anything that attempts to gain unauthorized access to, compromise, destroy, or damage an asset. Threats are often realized via an attack or exploit that takes advantage of an existing vulnerability. Threats today come in many varieties and spread more rapidly than ever before. They can also morph and be modified over time, so you must be diligent to keep up with them.

Risk: Risk is the potential for a threat to exploit a vulnerability and gain unauthorized access to, compromise, destroy, or damage an asset. If a threat exists but proper countermeasures and protections are in place (it is your goal to provide this protection), the potential for the threat to succeed is reduced, and so is the overall risk.

Countermeasure: A countermeasure is a device or process (a safeguard) implemented to counteract a potential threat, which thus reduces risk.
4 CCNA Security 210-260 Official Cert Guide

Table 1-6 Additional Attack Methods
Method: Description

Covert channel: This method uses programs or communications in unintended ways. For example, if the security policy says that web traffic is allowed but peer-to-peer messaging is not, users can attempt to tunnel their peer-to-peer traffic inside of HTTP traffic. An attacker may use a similar technique to hide traffic by tunneling it inside some other allowed protocol to avoid detection. An example is a backdoor application collecting keystroke information from the workstation and then slowly sending it out disguised as Internet Control Message Protocol (ICMP) traffic. This is a covert channel. In short, a covert channel is the use of a legitimate protocol (such as HTTP between a web browser and a web server) for illegitimate purposes, including cloaking network traffic from inspection.

Trust exploitation: If the firewall has three interfaces, and the outside interface allows all traffic to the demilitarized zone (DMZ) but not to the inside network, and the DMZ is allowed to reach the inside network, an attacker could leverage that trust by first gaining access to a DMZ host and then launching attacks from there against the inside network. Other trust models, if incorrectly configured, may allow unintentional access to an attacker, including Active Directory trusts and NFS (Network File System in UNIX) exports.

Brute-force (password-guessing) attacks: Brute-force attacks are performed when an attacker's system attempts thousands of possible passwords looking for the right match. This is best protected against by limiting how many unsuccessful authentication attempts can occur within a specified time frame. Passwords can also be captured, rather than guessed, through malware, man-in-the-middle attacks using packet sniffers, or key loggers.

Botnet: A botnet is a collection of infected computers that are ready to take instructions from the attacker. For example, if the attacker has malicious backdoor software installed on 10,000 computers, from his central location he could instruct those computers to all send TCP SYN requests or ICMP echo requests repeatedly to the same destination. To add insult to injury, he could also spoof the source IP address of the requests so that reply traffic is sent to yet another victim. The attacker generally uses a covert channel to manage the individual devices that make up the botnet.

DoS and DDoS: Denial-of-service (DoS) attack and distributed denial-of-service (DDoS) attack. An example is using a botnet to attack a target system. If an attack is launched from a single device with the intent to cause damage to an asset, the attack is considered a DoS attempt, as opposed to a DDoS. Both types of attacks want the same result; whether it is called a DoS or DDoS attack depends only on how many source machines are used. A more advanced and increasingly popular type of DDoS attack is the reflected DDoS (RDDoS) attack. An RDDoS takes place when the attacker spoofs the source address of the initial (query) packets to be the victim's address. The responses are then reflected from the unknowing participant (the reflector) to the victim, the supposed source of the query packets.
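The control recommended in the brute-force row, a limit on unsuccessful attempts per time frame, as an added example (this is not code from the book or from Cisco): a sliding-window failed-login limiter. The thresholds, source addresses and login events are constructed for illustration.

```python
"""Sliding-window failed-login limiter (added example, not from the book).

Table 1-6 says brute-force guessing is best countered by limiting how many
unsuccessful authentication attempts a source may make in a time frame. This
models that control: MAX_FAILURES failures from one source inside WINDOW
seconds lock that source out for LOCKOUT seconds, even if a later guess is
correct. Time is passed in explicitly so the behaviour is deterministic.
"""
from collections import defaultdict, deque

MAX_FAILURES = 5     # hypothetical policy values, not a Cisco default
WINDOW = 60.0        # seconds over which failures are counted
LOCKOUT = 300.0      # seconds a source stays locked once the limit is hit


class LoginLimiter:
    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW, lockout=LOCKOUT):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)   # source -> timestamps of recent failures
        self.locked_until = {}               # source -> time the lockout expires

    def is_locked(self, source, now):
        until = self.locked_until.get(source)
        if until is None:
            return False
        if now < until:
            return True
        # lockout expired: forget it and the failures that caused it
        del self.locked_until[source]
        self.failures[source].clear()
        return False

    def attempt(self, source, password_ok, now):
        """Record one login attempt; return 'locked', 'ok' or 'fail'."""
        if self.is_locked(source, now):
            # refused before the password is even checked, so a locked-out
            # attacker learns nothing about whether the guess was right
            return "locked"
        if password_ok:
            self.failures[source].clear()
            return "ok"
        recent = self.failures[source]
        recent.append(now)
        while recent and now - recent[0] > self.window:   # drop aged-out failures
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.locked_until[source] = now + self.lockout
        return "fail"


# Constructed login events: (time, source, whether the password was correct)
SAMPLE_EVENTS = [
    (0.0, "10.0.0.5", False), (1.0, "10.0.0.5", False), (2.0, "10.0.0.5", False),
    (3.0, "10.0.0.5", False), (4.0, "10.0.0.5", False),   # fifth failure -> locked
    (5.0, "10.0.0.5", True),       # the right password, but the source is locked
    (5.5, "192.0.2.10", True),     # an unrelated source is not affected
    (400.0, "10.0.0.5", True),     # lockout has expired, login succeeds
]


def simulate(events=SAMPLE_EVENTS):
    limiter = LoginLimiter()
    return [limiter.attempt(src, ok, t) for t, src, ok in events]


if __name__ == "__main__":
    for (t, src, _), outcome in zip(SAMPLE_EVENTS, simulate()):
        print(f"t={t:6.1f} {src:12} {outcome}")
```

Two practitioner caveats: a lockout keyed only on the source is itself a denial-of-service lever (an attacker can lock out a shared NAT address), so production systems key on user and source together and prefer growing delays over hard lockouts; and on IOS the equivalent control is the login block-for command rather than anything you write yourself.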

Chapter 3
Table 3-2 TACACS+ Versus RADIUS

Functionality
  TACACS+: Separates the AAA functions into distinct elements. Authentication is separate from authorization, and both of those are separate from accounting.
  RADIUS: Combines many of the functions of authentication and authorization together. Has detailed accounting capability when accounting is configured for use.

Standard
  TACACS+: Cisco proprietary, but very well known (the protocol has since been published as the informational RFC 8907).
  RADIUS: Open standard (RFC 2865), supported by nearly all vendors' AAA implementations.

L4 protocol
  TACACS+: TCP (port 49).
  RADIUS: UDP (ports 1812/1813; legacy implementations use 1645/1646).

Confidentiality
  TACACS+: The entire packet body is encrypted between the ACS server and the router (which is the client); only the header is in the clear.
  RADIUS: Only the password (the User-Password attribute) is encrypted in the packets sent back and forth between the ACS server and the router; usernames and every other attribute travel in the clear.
  Caveat: in both protocols the "encryption" is an MD5-derived keystream keyed by the shared secret, not authenticated encryption. Run either over IPsec, or use RADIUS/TLS (RFC 6614), when the traffic crosses a network you do not trust.

Granular command-by-command authorization
  TACACS+: Supported; the rules about which commands are allowed or disallowed are defined on the ACS server.
  RADIUS: No explicit command authorization checking rules can be implemented.

Accounting
  TACACS+: Provides accounting support.
  RADIUS: Provides accounting support, and is generally acknowledged as providing more detailed or extensive accounting capability than TACACS+.
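The confidentiality row, shown on the wire as an added example (this is not code from the book, from Cisco, or from any RADIUS/TACACS+ implementation): both obfuscation algorithms re-implemented from their specifications, applied to a constructed username and password. The shared secret, Request Authenticator, session ID and packet body are constructed sample values.

```python
"""RADIUS versus TACACS+ confidentiality (added example, not from the book).

Table 3-2 states that RADIUS hides only the password while TACACS+ hides the
whole packet body. The two routines below re-implement the published
algorithms from scratch (RFC 2865 section 5.2 for the RADIUS User-Password
attribute, RFC 8907 section 4.5 for the TACACS+ body) so the difference can be
seen on the wire. The shared secret, authenticator, session ID and packet body
are constructed sample values.
"""
import hashlib
import struct

SECRET = b"shared-secret"                 # the key configured on router and ACS
AUTHENTICATOR = bytes(range(16))          # Request Authenticator; random in real use
SESSION_ID = 0x1234ABCD                   # TACACS+ session_id header field
TACACS_VERSION = 0xC0                     # major version 0xC, minor 0
# A constructed TACACS+ body carrying a username and password in the clear
SAMPLE_BODY = b"\x01\x00\x02\x01\x05\x00\x00\x08" + b"admin" + b"Cisco123!"


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, then XOR each block with
    MD5(secret + previous block), chaining like CBC from the authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, keystream)), block
    return out.rstrip(b"\x00")


def tacacs_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 4.5 pseudo-pad: MD5(session_id, key, version, seq_no) chained
    with each previous digest until it covers the body length."""
    seed = struct.pack("!I", session_id) + key + struct.pack("!BB", version, seq_no)
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_obfuscate(body: bytes, session_id: int = SESSION_ID, key: bytes = SECRET,
                     version: int = TACACS_VERSION, seq_no: int = 1) -> bytes:
    """XOR the entire body with the pad; the same call reverses it."""
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def on_the_wire():
    """What a sniffer between router and ACS would capture for each protocol."""
    radius = {
        "User-Name": b"admin",        # attribute 1 is never protected
        "User-Password": radius_hide_password(b"Cisco123!", SECRET, AUTHENTICATOR),
    }
    tacacs = tacacs_obfuscate(SAMPLE_BODY)
    return radius, tacacs


if __name__ == "__main__":
    radius, tacacs = on_the_wire()
    print("RADIUS User-Name    :", radius["User-Name"])
    print("RADIUS User-Password:", radius["User-Password"].hex())
    print("TACACS+ body        :", tacacs.hex())
```

Notice what both schemes have in common: a keystream derived from MD5 over the shared secret and values that are visible in the packet, with no integrity protection of the ciphertext. A captured exchange gives an attacker a known-plaintext target for an offline dictionary attack on the secret, which is why the table's caveat about IPsec or RADIUS/TLS applies to TACACS+ as much as to RADIUS.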

Table 3-4 Key Components for Configuring ACS
Component of ACS: How It Is Used

Network device groups: Groups of network devices, normally based on routers or switches with similar functions, or devices managed by the same administrators.
Network devices (ACS clients/routers/switches): The individual network devices that go into the device groups.
Identity groups (user/admin groups): Groups of administrators, normally based on users who will need similar rights and access to specific groups of network devices.
User accounts: Individual administrator/user accounts that are placed in identity groups.
Authorization profiles: These profiles control what rights are permitted. A profile is associated with a network device group and a user/administrator identity group.

Chapter 5
Table 5-2 VPN Components

Symmetrical encryption algorithms
  Function: Use the same key for encrypting and decrypting data.
  Examples of use: DES, 3DES, AES, IDEA

Asymmetrical encryption algorithms
  Function: Use a public and private key. One key encrypts the data, and the other key in the pair is used to decrypt.
  Examples of use: RSA, Diffie-Hellman

Digital signature
  Function: Encryption of a hash using the sender's private key, and decryption of that hash with the sender's public key.
  Examples of use: RSA signatures

Diffie-Hellman key exchange
  Function: Uses a public-private key pair (asymmetrical) algorithm, but creates final shared secrets (keys) that are then used by symmetrical algorithms.
  Examples of use: Used as one of the many services of IPsec

Confidentiality
  Function: Encryption algorithms provide this by turning clear text into cipher text.
  Examples of use: DES, 3DES, AES, RSA, IDEA

Data integrity
  Function: Validates data by comparing hash values.
  Examples of use: MD5, SHA-1

Authentication
  Function: Verifies the peer's identity to the other peer.
  Examples of use: PSKs, RSA signatures

Table 5-3 Key PKI Components
Component: Description

RSA digital signatures: Using its private key to encrypt a generated hash, the sender creates a digital signature. The receiver uses the public key of the sender to validate the digital signature and verify the identity of the peer.
Digital certificate: File that contains the public key of the entity, a serial number, and the signature of the CA that issued the certificate.
Public and private keys: Used as a pair to encrypt and decrypt data in an asymmetrical fashion.
Certificate authority: The CA's job is to fulfill certificate requests and generate the digital certificates for its clients to use. It also maintains a list of valid certificates that have been issued, and maintains a CRL listing any revoked certificates.
X.509v3: A common certificate format used today.
Subordinate CA/RA: Assistant to the root CA, used in a hierarchical PKI topology. A subordinate CA can itself issue certificates to clients; a registration authority (RA) only verifies and forwards certificate requests and does not sign certificates. Clients need both the root and the subordinate certificates to verify signatures all the way to the root.
PKCS: Public Key Cryptography Standards, agreed to and implemented by vendors who want the ability to be compatible with other devices in the PKI.

Chapter 6
Table 6-2 IPsec Goals and the Methods Used to Implement Them
Goal: Method That Provides the Feature

Confidentiality: Encryption
Data integrity: Hashing (keyed hashes, that is, HMACs)
Peer authentication: Pre-shared keys, RSA digital signatures
Anti-replay: Integrated into IPsec; basically, serial (sequence) numbers are applied to packets, and the receiver rejects any packet it has already seen or that falls behind its receive window.
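How the data-integrity and anti-replay rows fit together on the receiving side, as an added example (this is not code from the book or from any IPsec stack): a receiver that keeps a sliding bitmap window over sequence numbers and verifies an HMAC over each packet. The window logic follows the scheme in RFC 4303 Appendix A; the MAC is a full-length HMAC-SHA-256 rather than the truncated HMAC-MD5/SHA-1 of a real transform set, and the key and packets are constructed.

```python
"""ESP-style anti-replay window with HMAC integrity (added example, not from
the book). Table 6-2 lists hashing for data integrity and packet serial numbers
for anti-replay; this shows how a receiver combines the two. The sliding
bitmap window follows the scheme in RFC 4303 Appendix A; the MAC is a
full-length HMAC-SHA-256 rather than the truncated HMAC-MD5/SHA-1 used by
real IPsec transform sets. The key and packets are constructed samples.
"""
import hashlib
import hmac

WINDOW_SIZE = 64   # RFC 4303 minimum is 32; 64 is the common default
ICV_LEN = 32       # bytes of HMAC-SHA-256 appended to each packet


def icv(key: bytes, seq: int, payload: bytes) -> bytes:
    # The MAC covers the sequence number too, so a captured packet cannot be
    # renumbered to slip past the window.
    return hmac.new(key, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()


def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: sequence number || payload || ICV."""
    return seq.to_bytes(4, "big") + payload + icv(key, seq, payload)


class AntiReplayReceiver:
    def __init__(self, key: bytes, window_size: int = WINDOW_SIZE):
        self.key = key
        self.window_size = window_size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence number (top - i) already seen

    def receive(self, packet: bytes) -> str:
        seq = int.from_bytes(packet[:4], "big")
        payload, mac = packet[4:-ICV_LEN], packet[-ICV_LEN:]
        # 1. Cheap window check first, so replays cost no MAC computation.
        if seq <= self.top:
            behind = self.top - seq
            if behind >= self.window_size:
                return "reject: too old"
            if (self.bitmap >> behind) & 1:
                return "reject: replay"
        # 2. Integrity: constant-time compare of the ICV.
        if not hmac.compare_digest(mac, icv(self.key, seq, payload)):
            return "reject: bad ICV"
        # 3. Only an authenticated packet may move or mark the window.
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window_size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)
        return "accept"


def demo():
    key = b"constructed-sa-key"          # in IPsec this comes from IKE
    p = {n: seal(key, n, b"data%d" % n) for n in (1, 2, 3, 4, 100)}
    tampered = p[4][:4] + b"DATA4" + p[4][-ICV_LEN:]   # payload changed, old ICV
    rx = AntiReplayReceiver(key)
    return [
        rx.receive(p[1]),        # accept
        rx.receive(p[3]),        # accept; window top moves to 3
        rx.receive(p[2]),        # accept; late but inside the window
        rx.receive(p[2]),        # reject: replay
        rx.receive(tampered),    # reject: bad ICV
        rx.receive(p[100]),      # accept; window slides far ahead
        rx.receive(p[1]),        # reject: too old (behind the 64-packet window)
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The ordering matters: the window is consulted before the MAC so that a flood of replays is cheap to discard, but the window is updated only after the MAC verifies, otherwise an attacker could advance the window with forged packets and make legitimate late packets fall off the back of it.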

Chapter 7
Table 7-3 IKEv1 Phase 1 Policy Options

Hashing
  Strong method: MD5, 128-bit
  Stronger method: SHA1, 160-bit
Authentication
  Strong method: Pre-shared Key (PSK)
  Stronger method: RSA-Sigs (digital signatures)
Group # for DH key exchange
  Strong method: 1, 2, 5
  Stronger method: IKE groups 14 and 24 use 2048-bit DH. Groups 15 and 16 use 3072-bit and 4096-bit DH. Groups 19 and 20 support the 256-bit and 384-bit ECDH groups, respectively.
Lifetime
  Strong method: 86400 seconds (1 day, default)
  Stronger method: Shorter than 1 day, for example 3600
Encryption
  Strong method: 3DES
  Stronger method: AES-128 (or 192, or 256)

Note that the "strong" column reflects the era of this exam; MD5, DH groups 1, 2 and 5, and 3DES are now considered weak, so new deployments should take the right-hand column throughout (and SHA-2 for hashing where the platform supports it).

Table 7-4 IKEv1 Phase 2 Policy Options

Peer IP addresses
  Implemented by: Crypto map
  Notes: Having a known, reachable IP address for the VPN peer is critical for the traditional IPsec site-to-site tunnel to negotiate and establish the VPN (both phases).

Traffic to encrypt
  Implemented by: Crypto ACL, which is referred to in the crypto map
  Notes: Extended ACL that is not applied to an interface but is referenced in the crypto map. This should only reference outbound (egress) traffic that should be protected by IPsec. Traffic not matching the crypto ACL is not encrypted; it is sent as a normal packet.

Encryption method
  Implemented by: Transform set, which is referred to in the crypto map
  Notes: DES, 3DES, and AES are all options. The IKEv1 Phase 2 method does not need to be the same as the Phase 1 method, but it does need to match the peer's Phase 2 policy (transform sets).

Hashing (HMAC) method
  Implemented by: Transform set, which is referred to in the crypto map
  Notes: MD5 and SHA HMACs may be used, and they need to match the Phase 2 policy of the peer.

Lifetime (time, or data)
  Implemented by: Global configuration command: crypto ipsec security-association lifetime ...
  Notes: The lifetime for Phase 2 should match between the peers. If both use the default lifetime (by not specifying one), both peers have compatible lifetime policies. The lifetime can be specified as a number of seconds or a number of kilobytes.

Perfect Forward Secrecy (PFS) (run DH again or not)
  Implemented by: Crypto map
  Notes: DH is run during IKEv1 Phase 1, and Phase 2 reuses the keying material that was generated there. If you want Phase 2 to rerun DH so that each IPsec SA gets fresh keys, that is called Perfect Forward Secrecy (PFS), and you must choose a DH group for Phase 2 to use (1, 2, or 5 in this table; newer IOS releases also accept stronger groups such as 14, 19, and 20).

Which interface is used to peer with the other VPN device
  Implemented by: Crypto map applied to the outbound interface
  Notes: From a routing perspective, this is the interface of a VPN peer that is closest to the other peer, where outbound IPsec packets leave the router and inbound IPsec packets arrive.

Chapter 8
Table 8-3 Comparison Between SSL and TLS

Origin
  SSL: Developed by Netscape in the 1990s.
  TLS: Standard developed by the Internet Engineering Task Force (IETF).
Session start
  SSL: Starts with a secured channel and continues directly to security negotiations on a dedicated port.
  TLS: Can start with unsecured communications and dynamically switch to a secured channel based on the negotiation with the other side (the STARTTLS pattern), although it is also commonly run on a dedicated port.
Support
  SSL: Widely supported on client-side applications.
  TLS: Supported and implemented more on servers, compared to end-user devices.
Weaknesses
  SSL: More weaknesses identified.
  TLS: Stronger implementation because of the standards process.

Note that every version of SSL (SSLv3 included) has since been formally deprecated, so an "SSL VPN" in practice negotiates TLS.

Table 8-4 Options for SSL VPN Implementation
Columns: Clientless SSL VPN; Clientless SSL VPN with plug-ins for some port forwarding; Full Cisco AnyConnect Secure Mobility Client SSL VPN client.

Other names
  Clientless: Web VPN.
  Thin client: Thin client.
  Full client: Full SSL client.

Installed software on client
  Clientless: No client required.
  Thin client: Small applets and/or configuration required.
  Full client: Full install of Cisco AnyConnect Secure Mobility Client required, but it may be installed by initially connecting via the clientless option and securely installing it that way.

User experience
  Clientless: Feels like accessing resources (that are on the corporate network) through a specific browser window or hyperlink.
  Thin client: Some applications can be run locally with output redirected through the VPN. Includes the features of the clientless VPN.
  Full client: Full access to the corporate network. The local computer acts and feels like it is a full participant on the corporate network.

Servers that can be used
  Clientless: IOS with the correct software, and ASA with the correct licenses.
  Thin client: IOS with the correct software, and ASA with the correct licenses.
  Full client: IOS with the correct software, and ASA with the correct licenses.

How the user looks from the corporate network
  Clientless: Traffic is proxied (Port Address Translation [PAT]) by the SSL server as the user's packets enter the corporate network.
  Thin client: Traffic is proxied (PAT) by the SSL server as the user's packets enter the corporate network.
  Full client: Clients are assigned their own virtual IP address to use while accessing the corporate network. Traffic is forwarded from the given IP address of the client into the corporate network.

Clients supported
  Clientless: Most SSL-capable computers.
  Thin client: Computers that support SSL and Java.
  Full client: Most computers that support SSL.

Chapter 9
Table 9-2 Toolkit for Layer 2 Security
Tool: Description

Port security: Limits the number of MAC addresses that can be learned on an access switch port, as covered later in this chapter.
BPDU Guard: If BPDUs show up where they should not (on an access port), the switch protects itself by err-disabling that port, as covered in this chapter.
Root Guard: Controls which ports are not allowed to become root ports toward remote root switches, as covered in this chapter.
Dynamic ARP inspection: Prevents spoofing of Layer 2 information (ARP replies) by hosts.
IP Source Guard: Prevents spoofing of Layer 3 information (source IP addresses) by hosts.
802.1X: Authenticates users before allowing their data frames into the network.
DHCP snooping: Prevents rogue DHCP servers from impacting the network.
Storm control: Limits the amount of broadcast or multicast traffic flowing through the switch.
Access control lists: Traffic control to enforce policy. Access control is covered in another chapter.

Chapter 10
Table 10-2 Components of a Threat Control and Mitigation Strategy

Management plane
  Security measures: Authentication, authorization, accounting (AAA); Authenticated Network Time Protocol (NTP); Secure Shell (SSH); Secure Sockets Layer/Transport Layer Security (SSL/TLS); Protected syslog; Simple Network Management Protocol Version 3 (SNMPv3); Parser views
  Protection objectives: Authenticate and authorize any administrators. Protect time synchronization by using authenticated NTP. Use only encrypted remote-access protocols such as SSH for the CLI and SSL/TLS for GUI tools, and use secure versions of SNMP. If plaintext tools are used (such as syslog or Telnet), they should be protected by encryption protocols such as IPsec, or should be used out of band (a separate network just for management traffic). A parser view is a way to limit what a specific individual, based on his role, can do on the router.

Control plane
  Security measures: Control Plane Policing (CoPP) and Control Plane Protection (CPPr); Authenticated routing protocol updates
  Protection objectives: The control plane tools can be implemented to limit the damage an attacker can attempt to cause by sending traffic directly to one of the router's IP addresses (traffic addressed directly to the router, which the router must spend CPU resources to process). Routing protocol updates should be authenticated to remove the possibility of an attacker manipulating routing tables by putting a rogue router running the same routing protocol on your network. The attacker could be doing reconnaissance to learn the routes, or could be attempting to manipulate the resulting data plane by changing the routing on the network.

Data plane
  Security measures: Access control lists (ACL); Layer 2 controls, such as private VLANs and Spanning Tree Protocol (STP) guards; IOS IPS, zone-based firewall
  Protection objectives: ACLs, when applied as filters on interfaces, can control which traffic (transit traffic) is allowed on the data plane. At Layer 2, by protecting the infrastructure there, you can prevent a rogue switch from becoming the root of your spanning tree, which would affect the data plane at Layer 2. Firewall filtering and services can also control exactly what traffic is flowing through your network. An example is using an IOS zone-based firewall to implement policy about the data plane and what is allowed.

Table 10-4 Protecting the Data Plane
Feature: Explanation

ACLs used for filtering: There are many types of ACLs and many ways to apply them for filtering. Note that an ACL can also be used as a classification mechanism in other features, such as an IOS firewall, identifying traffic for control plane protection, identifying who is allowed to connect to a vty line, where SNMP is allowed, and so on. In the discussion of protecting the data plane, we focus primarily on ACLs applied directly to interfaces for the purpose of filtering.
IOS firewall support: The firewall features on an IOS router have grown over the years. The older technology for implementing a firewall on IOS routers was called context-based access control (CBAC). CBAC has been replaced with the more current zone-based firewall on the IOS.
IOS IPS: IOS IPS is a software implementation of an intrusion prevention system (IPS) that is overlaid on top of the existing routing platform to provide additional security. IOS IPS uses signature matches to look for malicious traffic. When an alert goes off because of a signature match, the router can prevent the packet from being forwarded, thus preventing the attack from reaching its final destination.
TCP Intercept: This tool enables the router to look at the number of half-open sessions that are in place and intervene on behalf of the destination device. This can protect a destination device from a SYN-flood attack that is occurring on your network. The zone-based firewall on an IOS router includes this feature.
Unicast Reverse Path Forwarding: Unicast Reverse Path Forwarding (uRPF) can mitigate spoofed IP packets. When this feature is enabled on an interface, as packets enter that interface the router spends an extra moment considering the source address of the packet. It then consults its own routing table, and if the routing table does not agree that the interface that just received this packet is also the best egress interface to use for forwarding back to the source address of the packet, it denies the packet (strict mode; loose mode only requires that some route to the source exist). This is a good way to limit IP spoofing, but strict mode must be used with care on interfaces where routing is asymmetric.
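The uRPF decision described in the last row, as an added example (this is not code from the book or from IOS): a longest-prefix lookup on the source address compared against the ingress interface, in both strict and loose modes. The FIB, interface names and packets are constructed; two IOS behaviours are modelled as assumptions stated in the code (a Null0 route always fails the check, and a default route satisfies it only with allow-default).

```python
"""Unicast RPF source check (added example, not from the book).

Models the test Table 10-4 describes: look up the packet's *source* address
in the FIB and, in strict mode, require that the best path back to it leaves
through the interface the packet arrived on; loose mode only requires that
some route exists. Two IOS behaviours are modelled as well: a route pointing
to Null0 never satisfies the check (the basis of source-based remote
triggered black-holing) and a default route satisfies it only when the
allow-default option is set. The FIB and packets are constructed samples.
"""
import ipaddress

# Constructed FIB: (prefix, egress interface). Gi0/0 faces the Internet.
SAMPLE_FIB = [
    ("0.0.0.0/0", "Gi0/0"),
    ("10.1.0.0/16", "Gi0/1"),
    ("10.1.5.0/24", "Gi0/2"),
    ("192.0.2.0/24", "Null0"),     # black-holed source range
]


class Fib:
    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(p), intf) for p, intf in routes]

    def lookup(self, addr):
        """Longest-prefix match: returns (network, interface) or None."""
        a = ipaddress.ip_address(addr)
        best = None
        for net, intf in self.routes:
            if a in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, intf)
        return best


def urpf_permits(fib, ingress, src, mode="strict", allow_default=False):
    """True if a packet from src arriving on ingress passes the uRPF check."""
    match = fib.lookup(src)
    if match is None:
        return False                          # no route back: drop
    net, egress = match
    if egress == "Null0":
        return False                          # black-holed: drop in both modes
    if net.prefixlen == 0 and not allow_default:
        return False                          # only the default route matches
    if mode == "loose":
        return True
    return egress == ingress                  # strict: path back must be symmetric


# Constructed packets: (ingress interface, source address, comment)
SAMPLE_PACKETS = [
    ("Gi0/0", "203.0.113.7", "Internet host via default route"),
    ("Gi0/0", "10.1.2.3", "inside address spoofed from the Internet"),
    ("Gi0/0", "192.0.2.9", "source in the black-holed range"),
    ("Gi0/1", "10.1.5.4", "legitimate host, but best path is Gi0/2 (asymmetric)"),
]


def evaluate(packets=SAMPLE_PACKETS, fib=None):
    fib = fib or Fib(SAMPLE_FIB)
    return {
        src: {
            "strict": urpf_permits(fib, intf, src, "strict"),
            "strict+allow-default": urpf_permits(fib, intf, src, "strict", True),
            "loose": urpf_permits(fib, intf, src, "loose"),
            "loose+allow-default": urpf_permits(fib, intf, src, "loose", True),
        }
        for intf, src, _ in packets
    }


if __name__ == "__main__":
    for (intf, src, note), verdicts in zip(SAMPLE_PACKETS, evaluate().values()):
        print(f"{src:14} on {intf}: {verdicts}   # {note}")
```

The second and fourth packets are the ones to study: loose mode lets the spoofed inside address in from the Internet because a route to 10.1.0.0/16 exists, while strict mode drops a legitimate host whose return path happens to use a different interface. That is why strict mode (ip verify unicast source reachable-via rx) belongs on single-homed customer and access edges, and loose mode (reachable-via any) on multihomed or core interfaces.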

Chapter 11
Table 11-2 AAA Components to Secure Administrative and Remote LAN Access

Remote administrative access
  Mode: Character (line or EXEC mode)
  Mode where these are likely to be used: Lines: vty, AUX, console, and tty. Usually TACACS+ between the router and the ACS.
  AAA command element: login, enable, exec

Remote network access end users
  Mode: Packet (interface mode), such as an interface with PPP requiring authentication
  Mode where these are likely to be used: Interfaces: async, group-async, BRI, PRI. Other functionality: VPN user authentication. Usually RADIUS between the router and the ACS.
  AAA command element: ppp, network, vpn groups

Table 11-3 Method List Options
Command Element: Description

type: Identifies the type of list being created. Relevant options are authentication, authorization, or accounting.
default: Specifies the default list of methods to be used, based on the methods that follow this argument. If you use the keyword default, a custom name is not used.
list-name: Used to create a custom method list. This is the name of this list, and it is used when the list is applied to a line, such as to vty lines 0 4.
method: At least one method must be specified. To use the local user database, use the local keyword. A single list can contain up to four methods, which are tried in order, from left to right. The next method is consulted only when the previous one returns an error (for example, the AAA server did not respond), not when it fails (the server answered and rejected the credentials). In the case of an authentication method list, methods include the following:
  enable: The enable password is used for authentication. This might be an excellent choice as the last method in a method list. This way, if the previous methods are not available (such as the AAA server, which might be down or not configured), the router times out on the first methods and eventually prompts the user for the enable secret as a last resort.
  krb5: Kerberos 5 is used for authentication.
  krb5-telnet: Kerberos 5 Telnet authentication protocol is used when using Telnet to connect to the router.
  line: The line password (the one configured with the password command, on the individual line) is used for authentication.
  local: The local username database (running config) is used for authentication.
  local-case: Requires case-sensitive local username authentication.
  none: No authentication is used.
  group radius: A RADIUS server (or servers) is used for authentication.
  group tacacs+: A TACACS+ server (or servers) is used for authentication.
  group group-name: Uses a subset of the RADIUS or TACACS+ servers for authentication, as defined by the aaa group server radius or aaa group server tacacs+ command.
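The left-to-right evaluation of the method row, as an added example (this is not code from the book or from IOS): a model of how a list such as "group tacacs+ local enable" is walked, with toy in-memory backends standing in for the TACACS+ server, the local database and the enable secret. The credential stores and scenarios are constructed, and treating an unknown local user as a plain failure is a stated simplification.

```python
"""Method-list evaluation order (added example, not from the book).

Models how a login method list such as "group tacacs+ local enable" is
walked: a method that answers (PASS or FAIL) ends the evaluation; only a
method that returns ERROR (no response, not configured) lets the next one
run. The backends are toy in-memory stand-ins for a TACACS+ server, the local
username database and the enable secret; treating an unknown local user as
FAIL is a simplification.
"""
PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

# Constructed credential stores
TACACS_USERS = {"alice": "Srv-Pass-1"}
LOCAL_USERS = {"admin": "Local-Pass-1"}
ENABLE_SECRET = "Enable-Pass-1"


def make_backends(tacacs_reachable):
    def tacacs(user, pw):
        if not tacacs_reachable:
            return ERROR                     # timeout: no answer at all
        return PASS if TACACS_USERS.get(user) == pw else FAIL

    def local(user, pw):
        return PASS if LOCAL_USERS.get(user) == pw else FAIL

    def enable(user, pw):
        return PASS if pw == ENABLE_SECRET else FAIL

    def none(user, pw):
        return PASS

    return {"group tacacs+": tacacs, "local": local, "enable": enable, "none": none}


def authenticate(methods, backends, user, pw):
    """Return (decision, trace); trace lists (method, result) in order tried."""
    trace = []
    for name in methods[:4]:                 # IOS allows at most four methods
        result = backends[name](user, pw)
        trace.append((name, result))
        if result != ERROR:
            return result, trace             # PASS or FAIL: stop here
    return FAIL, trace                       # every method errored: deny


SCENARIOS = [  # (description, methods, server reachable, user, password)
    ("server up, server creds", ["group tacacs+", "local"], True, "alice", "Srv-Pass-1"),
    ("server up, local creds", ["group tacacs+", "local"], True, "admin", "Local-Pass-1"),
    ("server down, local creds", ["group tacacs+", "local"], False, "admin", "Local-Pass-1"),
    ("server down, no fallback", ["group tacacs+"], False, "admin", "Local-Pass-1"),
    ("server down, enable last", ["group tacacs+", "enable"], False, "x", "Enable-Pass-1"),
]


def run_scenarios():
    return {
        desc: authenticate(methods, make_backends(up), user, pw)
        for desc, methods, up, user, pw in SCENARIOS
    }


if __name__ == "__main__":
    for desc, (decision, trace) in run_scenarios().items():
        print(f"{desc:28} -> {decision:5} via {trace}")
```

The second scenario is the one administrators get wrong most often: with the server reachable, a local account never gets a chance, because the server's rejection is a FAIL and the list stops. The local or enable method is a fallback for an outage, not a second password that always works, and putting none at the end turns every server outage into open access.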

Chapter 12
Table 12-3 Conversion Charts Between Decimal, Binary, and Hexadecimal
Decimal  Binary  Hexadecimal
 0       0000    0
 1       0001    1
 2       0010    2
 3       0011    3
 4       0100    4
 5       0101    5
 6       0110    6
 7       0111    7
 8       1000    8
 9       1001    9
10       1010    A
11       1011    B
12       1100    C
13       1101    D
14       1110    E
15       1111    F

Chapter 14
Table 14-5 Advantages and Disadvantages of Application Layer Gateways

Advantages:
  Very tight control is possible, because the traffic is analyzed all the way to the application layer.
  It is more difficult to implement an attack against an end device because of the proxy server standing between the attacker and the potential victim.
  Can provide very detailed logging.
  May be implemented on common hardware.

Disadvantages:
  Processor intensive, because most of the work is done in software on the proxy server.
  Not all applications are supported; in practice a gateway might support only a specific few applications.
  Special client software may be required.
  Memory and disk intensive at the proxy server.
  Could potentially be a single point of failure in the network, unless fault tolerance is also configured.

Table 14-6 Advantages and Disadvantages of Stateful Packet-Filtering Devices

Advantages:
  Can be used as a primary means of defense by filtering unwanted or unexpected traffic.
  Can be implemented on routers and dedicated firewalls.
  Dynamic in nature compared to static packet filtering.
  Provides a defense against spoofing and denial-of-service (DoS) attacks.

Disadvantages:
  Might not be able to identify or prevent an application layer attack.
  Not all protocols contain tightly controlled state information; User Datagram Protocol (UDP) and Internet Control Message Protocol (ICMP) are examples, so the firewall must approximate a session for them (typically with idle timers).
  Some applications dynamically open new ports from the server. If the firewall is not analyzing that specific application and is not prepared for the server to open a new port, this can cause the application to fail for the end user. A firewall that also supports application layer inspection may be able to predict and allow this inbound connection.
  Stateful technology by itself does not support user authentication. This does not, however, prevent a firewall that implements stateful packet filtering from also implementing authentication as an additional feature.

Table 14-8 NAT Terminology
NAT Term: Description

Inside local: The real IP address configured on an inside host, such as User 1.
Inside global: The mapped/global address that the router substitutes for the inside host's address during NAT. The outside world sees User 1 coming from this mapped/global address.
Outside local: If performing NAT on outside devices (outside NAT), this is the mapped address of the outside device (such as Server A) as it appears to inside hosts. If the router is not doing outside NAT, this is simply the outside device's normal IP address as seen by the inside devices.
Outside global: The real IP address configured on an outside host, such as the IP address on Server A.

Table 14-10 Firewall Access Rules
Rule: Description

Rules based on service control: These rules are based on the types of services that may be accessed through the firewall, inbound or outbound. An example is that access to web servers, both HTTP and HTTPS, is allowed while all other types of traffic are denied.
Rules based on address control: These rules are based on the source/destination addresses involved, usually with a permit or deny based on specific entries in an access control list.
Rules based on direction control: These rules specify where the initial traffic can flow. For example, a rule might say that traffic from the inside going to the outside (which we could also call outbound traffic) is permitted, while traffic initiated from the outside going to inside resources (which we could call inbound traffic) is denied. Note that stateful filtering, with its stateful database, can dynamically allow the return traffic back to the inside users. These types of rules can very easily be combined (and usually are) with various protocols/services (such as HTTP, HTTPS, and so on).
Rules based on user control: These rules control access based on knowing who the user is and what that user is authorized to do. This can be implemented via AAA services.
Rules based on behavior control: These rules control how a particular service is used. For example, a firewall may implement an e-mail filter to protect against spam.

Chapter 15
Table 15-2 Policy Map Actions

Inspect
  Description: Permit and statefully inspect the traffic.
  When to use it: This should be used on transit traffic initiated by users who expect to get replies from devices on the other side of the firewall.
Pass
  Description: Permit/allow the traffic but do not create an entry in the stateful database.
  When to use it: Traffic that does not need a reply. Also, for protocols that do not support inspection, this action could be applied to the zone pair for specific outbound traffic and to a second zone pair for the inbound traffic.
Drop
  Description: Deny the packet.
  When to use it: Traffic you do not want to allow between the zones where this policy map is applied.
Log
  Description: Log the packets.
  When to use it: If you want to see log information about packets that were dropped because of policy, you can add this option.

Table 15-3 Traffic Interaction Between Zones
Columns: ingress interface member of zone; egress interface member of zone; zone pair exists with applied policy; result.

Ingress: No; Egress: No; Zone pair: does not matter; Result: Traffic is forwarded.
Ingress: No; Egress: Yes (any zone); Zone pair: does not matter; Result: Traffic is dropped.
Ingress: Yes (zone A); Egress: Yes (zone A); Zone pair: does not matter; Result: Traffic is forwarded.
Ingress: Yes (zone A); Egress: Yes (zone B); Zone pair: No; Result: Traffic is dropped.
Ingress: Yes (zone A); Egress: Yes (zone B); Zone pair: Yes; Result: Policy is applied. If the policy is inspect or pass, the initial traffic is forwarded. If the policy is drop, the initial traffic is dropped.

Table 15-4 Self Zone Traffic Behavior
Columns: source traffic member of zone; destination traffic member of zone; zone pair exists with a policy applied; result.

Source: Self; Destination: Zone A; Zone pair: No; Result: Traffic is passed.
Source: Zone A; Destination: Self; Zone pair: No; Result: Traffic is passed.
Source: Self; Destination: Zone A; Zone pair: Yes; Result: Policy is applied.
Source: Zone A; Destination: Self; Zone pair: Yes; Result: Policy is applied.

Chapter 17
Table 17-2 IDS Versus IPS

Position in the network flow
  IDS: Not inline with the flow of network traffic; the IDS is sent copies of the original packets.
  IPS: Directly inline with the flow of network traffic; every packet goes through the sensor on its way through the network.
Mode
  IDS: Promiscuous mode, out of band.
  IPS: Inline mode.
Latency or delay
  IDS: Does not add delay to the original traffic because it is not inline.
  IPS: Adds a small amount of delay before forwarding traffic through the network.
Impact caused by the sensor failing to forward packets
  IDS: There is no negative impact if the sensor goes down.
  IPS: If the sensor goes down, traffic that would normally flow through the sensor could be impacted, depending on the fail-open or fail-closed configuration.
Ability to prevent malicious traffic from going into the network
  IDS: By itself, a promiscuous-mode IDS cannot stop the original packet. Options do exist for a sensor in promiscuous mode to request assistance from another device that is inline, which may block future packets. An IDS can send TCP Reset packets to break (reset) malicious connections, but there is no guarantee that this will prevent an attack packet from reaching its destination.
  IPS: The IPS can drop the packet on its own because it is inline. The IPS can also request assistance from another device to block future packets, just as the IDS does.
Normalization ability
  IDS: Because the IDS does not see the original packet inline, it cannot manipulate any of the original traffic.
  IPS: Because the IPS is inline, it can normalize (manipulate or modify) traffic inline based on a current set of rules.

Table 17-3 IPS/IDS Method Advantages and Disadvantages

Signature-based
  Advantages: Easy to configure, simple to implement.
  Disadvantages: Does not detect attacks outside of the rules. May need to disable signatures that are creating false positives. Signatures must be updated periodically to remain current and effective against new threats.
Policy-based
  Advantages: Simple and reliable, very customizable; only allows policy-based traffic, which could deny unknown attacks, because by default anything outside of the policy is not allowed.
  Disadvantages: The policy must be manually created. Implementation of the policy is only as good as the signatures you manually create.
Anomaly-based
  Advantages: Self-configuring baselines; detects worms based on anomalies, even if specific signatures have not yet been created for that type of traffic.
  Disadvantages: Difficult to accurately profile extremely large networks. May cause false positives based on significant changes in valid network traffic.
Reputation-based
  Advantages: Leverages enterprise and global correlation, providing information based on the experience of other systems. Early-warning system.
  Disadvantages: Requires timely updates, and requires participation in the correlation process.

Table 17-5 Risk Rating (RR) Calculation Factors

Factor That Influences Risk Rating: Description

Target value rating (TVR): The value that you, as an administrator, have assigned to specific destination IP addresses or subnets where the critical servers/devices live.

Signature fidelity rating (SFR): The accuracy of the signature as determined by the person who created that signature. The likelihood that the signature will not result in a false positive.

Attack severity rating (ASR): The criticality of the attack as determined by the person who created that signature.

Attack relevancy (AR): A signature match that is destined to a host where the attack is relevant, such as a Windows server-based attack, which is going to the destination address of a known Windows server, is considered a relevant attack, and the risk rating increases slightly as a result.

Global correlation: If the sensor is participating in global correlation and receives information about specific source addresses that are being used to implement large-scale attacks, attacks coming from these source IP addresses are also given a slightly increased risk rating value.

Table 17-6 IPS/IDS Evasion Techniques

Traffic fragmentation
Description: The attacker splits malicious traffic into multiple parts with the intent that it will avoid detection by IPS/IDS technologies.
Cisco Anti-Evasion Techniques: Complete session reassembly is performed by the sensor so that the IPS/IDS can see the entire flow of malicious traffic.

Traffic substitution and insertion
Description: The attacker substitutes characters in the data using different formats that have the same final meaning. An example is Unicode strings, which an end station could interpret but perhaps could evade detection by IPS/IDS technologies.
Cisco Anti-Evasion Techniques: Data normalization and de-obfuscation techniques. Cisco's implementation is looking for Unicode, case sensitivity, substitution of spaces with tabs, and other similar anti-evasion techniques.

Protocol level misinterpretation
Description: An attacker may attempt to cause a sensor to misinterpret the end-to-end meaning of a network protocol with the end goal of the sensor not detecting the attack in progress.
Cisco Anti-Evasion Techniques: IP Time-To-Live (TTL) analysis, TCP checksum validation.

Timing attacks (for example, low and slow attacks)
Description: Sending packets at a rate low enough to avoid triggering a signature (for example, a flood signature that triggers at 1000 packets per second, and the attacker sending packets at 900 packets per second).
Cisco Anti-Evasion Techniques: Configurable intervals and use of third-party correlation.

Encryption and tunneling
Description: Encrypted payloads are called encrypted for a reason. If an IPS/IDS sees only encrypted traffic, the attacker can build a Secure Sockets Layer (SSL) or IPsec session between himself and the victim and could then send private data over that virtual private network (VPN).
Cisco Anti-Evasion Techniques: If traffic is encrypted and passing through the sensor as encrypted data, the encrypted payload cannot be inspected by legacy Cisco IPS solutions. For generic routing encapsulation (GRE) tunnels, there is support for inspection if the data is not encrypted. Starting with the latest Sourcefire version of the NGIPS solution, encrypted traffic can now be decrypted and inspected.

Resource exhaustion
Description: If thousands of alerts are being generated by distracter attacks, an attacker may just be trying to disguise or cloak the single attack that he hopes succeeds. The resource exhaustion could be overwhelming the sensor and overwhelming the administration team who has to view the large volume of events.
Cisco Anti-Evasion Techniques: Dynamic and configurable event summarization. Here is an example: 20,000 devices are all under the control of the attacker. All those devices begin to send the same attack. The sensor summarizes those by showing a few of the attacks as alerts, and then summaries at regular intervals that indicate the attack is still in play and how many thousands of times it occurred over the last interval. This is much better than trying to wade through thousands of individual alerts.
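As an added illustration of two rows in Table 17-6 (the timing-attack row and the resource-exhaustion row), not code from the book or from Cisco's implementation: a flood signature whose packet count and interval are both configurable, and an event summarizer of the kind the table describes. The signature IDs 2001 and 3051, the bot source names, and the packet streams are constructed sample values.

```python
from collections import deque
from dataclasses import dataclass, field

def flood_signature_fires(timestamps, threshold, interval):
    """Flood signature with a configurable interval: fires once `threshold` packets
    fall inside any window of `interval` seconds."""
    window = deque()
    for t in timestamps:
        window.append(t)
        while t - window[0] >= interval:   # drop packets older than the interval
            window.popleft()
        if len(window) >= threshold:
            return True
    return False

def constructed_stream(pps, seconds):
    """Constructed sample: evenly spaced packet timestamps at `pps` packets per second."""
    return [i / pps for i in range(int(pps * seconds))]

@dataclass
class Summarizer:
    """Event summarization as the table describes it: the first `alert_limit` matches of
    a signature per interval are reported one by one, the rest as one summary per interval."""
    alert_limit: int
    interval: float
    counts: dict = field(default_factory=dict)   # signature ID -> hits in this interval
    window_start: float = 0.0
    output: list = field(default_factory=list)   # ("alert"|"summary", sig_id, detail, time)
    def ingest(self, t, sig_id, src):
        if t - self.window_start >= self.interval:
            self.flush(t)
        n = self.counts[sig_id] = self.counts.get(sig_id, 0) + 1
        if n <= self.alert_limit:
            self.output.append(("alert", sig_id, src, t))

    def flush(self, t):
        for sig_id, n in self.counts.items():
            if n > self.alert_limit:   # attack still in play: report how often it fired
                self.output.append(("summary", sig_id, n, self.window_start))
        self.counts = {}
        self.window_start = t - (t % self.interval)

def constructed_demo():
    """Constructed scenario: 20,000 bots fire one signature within a second, then one unrelated alert."""
    s = Summarizer(alert_limit=3, interval=1.0)
    for i in range(20000):
        s.ingest(i / 20000, sig_id=2001, src=f"bot-{i}")   # 2001: hypothetical signature ID
    s.ingest(1.2, sig_id=3051, src="10.0.0.9")              # 3051: hypothetical signature ID
    s.flush(2.0)
    return s.output
```

With a 1-second interval and a threshold of 1000, a steady 900 packets per second never fires, while a longer configurable interval with a proportionate count does; the summarizer leaves the single unrelated alert visible instead of burying it under 20,000 identical ones.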

Table 17-7 Micro-Engines (Groupings of Signatures)

Signature Micro-Engine: Signatures in This Grouping

Atomic: Signatures that can match on a single packet, as compared to a string of packets

Service: Signatures that examine application layer services, regardless of the operating system

String or Multistring: Supports flexible pattern matching, and can be identified in a single packet or group of packets, such as a session

Other: Miscellaneous signatures that may not specifically fit into the previously mentioned other categories
