Jason, the security administrator at Certkiller Inc, is working on installing an IDS in the network. Which signature actions can be selected on the IDS Sensor in the SAFE SMR medium network design? (Choose two)
A. Jason can select Block
B. Jason can select TCP reset
C. Jason can select UDP reassembly
D. Jason can select Total reassembly
Explanation:
The NIDS appliance between the private interface of the firewall and the internal router provides a final analysis of attacks. Very few attacks should be detected on this segment because only responses to initiated requests, a few select ports from the public services segment, and traffic from the remote access segment are allowed to the inside. Only sophisticated attacks should be seen on this segment because they could mean that a system on the public services segment has been compromised and the hacker is attempting to take advantage of this foothold to attack the internal network. For example, if the public SMTP server were compromised, a hacker might try to attack the internal mail server over TCP port 25, which is permitted to allow mail transfer between the two hosts. If attacks are seen on this segment, the responses to those attacks should be more severe than those on other segments because they probably indicate that a compromise has already occurred. The use of TCP resets or shunning to thwart, for example, the SMTP attack mentioned above, should be seriously considered.
Reference: SAFE white papers; page 19
SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks