A Cisco Catalyst switch is experiencing packet drops on a SPAN destination port that is connected to a Cisco IPS appliance. Which three configurations should be considered to resolve the packet drop issue? (Choose three.)

A. Configure an additional SPAN session to a different Cisco IPS appliance interface connected to the same virtual sensor.
Adding an additional SPAN session to a different Cisco IPS interface will remove some of the traffic and load from the existing SPAN session. – Confirmed Correct

B. Configure an EtherChannel bundle as the SPAN destination port.
Cisco documentation clearly states that EtherChannels cannot be configured as SPAN destination ports. This rules out option B. – Confirmed Incorrect
http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_19_ea1/configuration/guide/swspan.html#wp1044603

C. Configure RSPAN.
RSPAN (remote SPAN) is used to send mirrored traffic to a device that is not connected to the local switch. While this would have a similar effect to answer A, since you are in fact creating another SPAN session, the implication here is that there is only one IPS device. – Unconfirmed Incorrect

D. Configure VACL capture.
Configuring VACL capture reduces the amount of traffic and load on the SPAN by selecting and sending only selected traffic over the SPAN to the IPS. – Confirmed Correct

E. Configure the Cisco IPS appliance to inline mode.
Configuring the Cisco IPS appliance in inline mode would eliminate the need for a SPAN altogether. – Unconfirmed Correct

Cisco ASA IPS Modules–Inline Operation
You can configure the ASA to only forward specific traffic to the AIP SSM or AIP SSC for inspection. This is achieved by using the Cisco Modular Policy Framework (MPF), where you can configure a Cisco ASA to selectively send traffic to the AIP module operating in inline or promiscuous mode. You can also specify that all traffic be inspected by the AIP module, and if the total traffic exceeds the IPS module inspection capacity, you can modify the MPF configuration in such a way that only critical traffic is inspected. This approach reduces the traffic the IPS module will have to analyze, and it is guaranteed to perform optimally.

Cisco ASA IPS Modules–Promiscuous Operation
A selective capture can also be used to ensure that only part of the traffic flowing through a Cisco ASA is sent to the AIP module in promiscuous mode. This way, the AIP module is not overwhelmed and critical data is analyzed.

The same concept applies when using the Cisco IPS Advanced Integration Module (AIM): when inline or in promiscuous mode, selected traffic can be directed to it.

Cisco Catalyst Switches–VACL Capture
When an IPS is connected to a Cisco Catalyst switch, you can perform selective capture by setting the appropriate VLAN access control lists (VACLs). The VACLs capture only a subset of traffic off the switch backplane and copy it to the sensor that is connected on a capture port, instead of a SPAN port. The sensor in this case only receives a copy of the packets that are suitable for analysis and completely ignores the rest of the traffic.
Performance issues and bottlenecks should be avoided by sizing the IPS sensors adequately and ensuring that the network topology design is a good fit.

QUESTION 301
Which signature action should be selected to cause the attacker's traffic flow to terminate when the Cisco IPS appliance is operating in promiscuous mode?
deny connection
deny attacker
reset TCP connection
deny packet, reset TCP connection
deny connection, reset TCP connection
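As an added example (not part of the original question or of Cisco's documentation), the following Catalyst 6500-style configuration contrasts the whole-VLAN SPAN session that oversubscribes the sensor port with the VACL capture approach from option D. The VLAN numbers, ACL name, interface, and the set of "interesting" TCP ports are assumed for illustration.

```cisco
! Before (constructed example): every frame in VLANs 10 and 20 is mirrored to
! the sensor port. Two busy VLANs onto one 1 Gb/s destination oversubscribes
! it, and the switch silently drops whatever the port cannot carry.
monitor session 1 source vlan 10 , 20 both
monitor session 1 destination interface GigabitEthernet1/1
!
! After: VACL capture (option D). Only traffic matched by an ACL is copied
! to the capture port; everything else is forwarded normally and never
! reaches the sensor. The ACL below is hypothetical: copy only web and mail
! traffic, i.e. what the IPS actually needs to inspect.
no monitor session 1
!
ip access-list extended IPS-INTERESTING
 permit tcp any any eq 80
 permit tcp any any eq 443
 permit tcp any any eq 25
!
! Sequence 10: matched traffic is forwarded AND copied to the capture port.
vlan access-map IPS-CAPTURE 10
 match ip address IPS-INTERESTING
 action forward capture
! Sequence 20: everything else is forwarded with no copy. This catch-all is
! required because a VLAN access-map drops traffic that matches no sequence.
vlan access-map IPS-CAPTURE 20
 action forward
!
vlan filter IPS-CAPTURE vlan-list 10,20
!
! The sensor's sniffing interface becomes a capture port instead of a SPAN
! destination; restrict it to the VLANs being inspected.
interface GigabitEthernet1/1
 description IPS sensor - promiscuous sensing interface (capture port)
 switchport
 switchport capture
 switchport capture allowed vlan 10,20
```

Verify the policy with `show vlan access-map IPS-CAPTURE` and `show vlan filter`; once only ACL-matched frames are copied, the drop counters on the former SPAN destination should stop climbing.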
Explanation:
From Neil:
A, D, E
Deny attacker is only available in inline mode!
http://www.cisco.com/web/about/security/intelligence/ipsmit.html#7

Promiscuous Mode Event Actions
The following event actions can be deployed in promiscuous mode. These actions are in effect for a user-configurable default time of 30 minutes. Because the IPS sensor must send the request to another device or craft a packet, latency is associated with these actions and could allow some attacks to be successful. Blocking through usage of the Attack Response Controller (ARC) has the potential benefit of being able to perform the block at the network edge or at multiple places within the network.
Request block host: This event action will send an ARC request to block the host for a specified time frame, preventing any further communication. This is a severe action that is most appropriate when there is minimal chance of a false alarm or spoofing.
Request block connection: This action will send an ARC request to block the specific connection. This action is appropriate when there is potential for false alarms or spoofing.
Reset TCP connection: This action is TCP specific, and in instances where the attack requires several TCP packets, this can be a successful action. However, in some cases where the attack only needs one packet it may not work as well. Additionally, TCP resets are not very effective with protocols such as SMTP that consistently try to establish new connections, nor are they effective if the reset cannot reach the destination host in time.
Event actions can be specified on a per-signature basis, or as an event action override (event action overrides are based on risk rating values only). In the case of an event action override, specific event actions are performed when specific risk rating value conditions are met. Event action overrides offer consistent and simplified management. IPS version 6.0 contains a default event action override with a deny-packet-inline action for events with a risk rating between 90 and 100. For this action to occur, the device must be deployed in inline mode.