Firewalls and sensors use different types of rule structures to examine packets; however, there are similarities. Briefly explain two similarities between the components of the rule structures that each uses.
Matching component - specifies the packet elements of interest, such as packet source & destination, transport layer protocols and ports and data included in the packet payload.
Action component - specifies what should be done with a packet that matches the matching component, such as: accept and forward the packet; drop the packet; or send the packet to a secondary rule set for further inspection.
Snort has the capability to analyse traffic in real time and produce alerts when threats trigger an alarm. Briefly explain five functionalities provided by Snort IPS installed on an Integrated Services Router as a service component.
An IPS sensor has two critical components that operate in tandem in any deployment, allowing the sensor to analyse and identify malicious traffic. Briefly explain what these are and the role they play in traffic analysis.
IPS Detection and Enforcement Engine: This is used to validate traffic. It compares incoming traffic with known attack signatures that are included in the IPS attack signature package.
IPS attack signatures package: This is a list of known attack signatures that are contained in a file. The signature pack is updated frequently as new attacks are discovered. Network traffic is analysed for matches against these signatures and dropped if a match is found.
Sensors can identify malicious traffic in many different ways. Identify, and give an example of, an advantage and a disadvantage of the four most common signature triggers used in IPS/IDS detection technologies.
Pattern-Based Detection
- Advantages:
  - Simple and efficient, easy configuration — matches known attack signatures directly.
  - Low false positives since it looks for exact patterns.
- Example: Detecting a known malware hash or exploit string.
Anomaly-Based Detection
- Advantages:
  - Can detect previously unknown attacks by spotting deviations from normal behaviour/baseline activity.
  - Useful for insider threats or zero-day exploits.
Policy-Based Detection
- Advantages:
  - Enforces organisational rules and compliance requirements.
  - Flexible — tailored to specific business needs.
Honeypot-Based Detection
- Advantages:
  - Collects information about attacks.
Some threats can be identified in a single packet, while other threats require many packets and their state information. Briefly explain the two types of signature that identify each of these threats.
Atomic Signatures: The simplest type of signature; a single packet, activity or event identifies an attack. The IPS does not need to maintain state information, so traffic analysis can be performed quickly and efficiently.
Composite Signatures: Require several pieces of data to match an attack signature. The IPS must maintain state information for a period referred to as the event horizon, which varies from signature to signature.
Briefly explain the deployment mode of an IPS sensor, with two advantages and two disadvantages.
An IPS is deployed inline; that is, all traffic must pass through it.
- Advantages:
  - It can be configured to drop the trigger packets, the packets associated with a connection, or packets from a source IP address.
  - Because IPS sensors are inline, they can use stream normalization, a technique used to reconstruct the data stream when the attack occurs over multiple data segments.
- Disadvantages:
  - Because it is deployed inline, errors, failures, and overwhelming the IPS sensor with too much traffic can have a negative effect on network performance.
  - An IPS sensor can affect network performance by introducing latency and jitter. An IPS sensor must be appropriately sized and implemented so that time-sensitive applications, such as VoIP, are not adversely affected.
While IDSs and firewalls differ in rule structure, explain the two similarities between the components of their rules.
Matching component - specifies the packet elements of interest, such as: packet source; the packet destination; transport layer protocols and ports; and data included in the packet payload.
Action component - specifies what should be done with a packet that matches the matching component, such as: accept and forward the packet; drop the packet; or send the packet to a secondary rule set for further inspection.
Explain the firewall design concept of dropping by default and its advantage.
Dropping by default means that packets are dropped unless the traffic has been explicitly specified as allowed. This design has the advantage of protecting the network from unknown protocols and attacks.
Explain why it is important, when dropping by default, to log the events.
Since these packets are not explicitly allowed, they infringe on the organisation's policies. Such events should be recorded for future analysis.
Briefly explain three common characteristics of Intrusion Detection Systems and Intrusion Prevention Systems.
Both technologies are deployed as sensors
Both technologies use signatures to detect patterns of misuse in network traffic
Both can detect atomic patterns