Reading...
Play button
Play button
Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
54 Cards in this Set
- Front
- Back
|
Initializes the system, starts and stops the other applications, configures the OS, and
performs upgrades |
MainApp—
|
|
|
Allows sensors to send control transactions. This
is used to enable the master blocking sensor capability of Attack Response Controller (formerly known as Network Access Controller). |
ctlTransSource (Control Transaction server)—
|
|
|
An indexed store used to store IPS events (error, status, and alert system
messages) that is accessible through the CLI, IDM, IME, ASDM, or SDEE. |
Event Store—
|
|
|
This IPS app handles bypass and physical settings and defines paired interfaces. Physical
settings are speed, duplex, and administrative state. |
InterfaceApp—
|
|
|
This IPS app writes all the log messages of the application to the log file and the error messages of
the application to the Event Store. |
Logger—
|
|
|
—Manages
remote network devices (firewalls, routers, and switches) to provide blocking capabilities when an alert event has occurred. |
Attack Response Controller (formerly known as Network Access Controller)
|
|
|
creates and applies ACLs on the controlled network device or
uses the shun command (firewalls). |
Attack Response Controller (formerly known as Network Access Controller)
|
|
|
This app on the IPS sends SNMP traps when triggered by alert, status, and error events.
|
NotificationApp—
|
|
|
provide information about
the general health of the sensor. |
SNMP GETs
|
|
|
—Provides a web interface and communication with other IPS
devices through the SDEE protocol using several servlets to provide IPS services. |
Web Server (HTTP SDEE server)
|
|
|
Remote Cisco IPS applications (other sensors, management applications, and third-party software) communicate with
sensors through this protocol. |
SDEE
|
|
|
Verifies that users are authorized to perform CLI, IDM, IME, ASDM, or
SDEE actions. |
AuthenticationApp—
|
|
|
Performs packet capture and analysis.
|
SensorApp (Analysis Engine)—
|
|
|
Interfaces with MainApp and SensorApp using various interprocess
communication technologies including IDAPI control transactions, semaphores, shared memory, and file exchange. |
CollaborationApp—
|
|
|
needs question
|
semaphore
|
|
|
All Cisco IPS applications communicate with each other through this common API
|
IDAPI
|
|
|
needs question
|
API
|
|
|
The Cisco IPS has three partitions
|
application partition
Maintenance partition Recovery partition |
|
|
A special purpose IPS image used to reimage the application partition of
the IDSM2. When you reimage this partition, all configuration settings are lost. |
Maintenance partition
|
|
|
A special purpose image used for recovery of the sensor. Booting into this partition enables you to completely reimage the application partition. Network settings are
preserved, but all other configuration is lost. |
recovery partition
|
|
|
Since there is no FTP capability on the Cisco sensor, you can use this tool to remotely copy files
|
SCP
|
|
|
Installing and uninstalling IPS software upgrade is handled by this component of the Cisco IPs architecture
|
MainApp
|
|
|
Gathering stats and reporting the health and security monitoring status of the CIsco IPS is done by this architectural component
|
MainApp
|
|
|
Each IPS event is stored here with a time stamp and a unique, monotonic, ascending ID.
|
in Event Store
|
|
|
What happens when the Ciscp IPS event store reaches its configured size?
|
When the
circular Event Store has reached its configured size, the oldest event or events are overwritten by the new event being stored. |
|
|
This IPS application is the only application that writes a;ert event into the Event Store
|
SensorApp is the only application that writes alert events into the Event Store
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_system_architecture.pdf |
|
|
The following are examples of ?
Request to update the configuration data of an application instance • Request for the diagnostic data of an application instance • Request to reset the diagnostic data of an application instance |
Control transactions
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_system_architecture.pdf |
|
|
IPS data is represented in the format
|
IPS data is represented in XML format as an XML document. The system stores user-configurable
parameters in several XML files. |
|
|
This IPS event —Alert event messages that report when a signature is triggered by network activity.
|
evAlert
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_system_architecture.pdf |
|
|
Status event messages that report the status and actions of the IPS applications.
|
evStatus—
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_system_architecture.pdf |
|
|
— Error event messages that report errors that occurred while attempting response actions.
|
evError
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_system_architecture.pdf |
|
|
Log transaction messages that report the control transactions processed by each
sensor application. |
evLogTransaction—
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_system_architecture.pdf |
|
|
Block request messages that report when ARC issues a block request.
|
evShunRqst—
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_system_architecture.pdf |
|
|
allows the sensor to send alerts and system error messages as SNMP traps.
|
NotificationApp
|
|
|
an application that forwards locally initiated remote control transactions to their
remote destinations using HTTP protocol. |
CtlTransSource is
|
|
|
a loop that waits on remote
control transactions that are directed to CtlTransSource. |
The transactionHandlerLoop method is
|
|
|
the IPS application that starts and stops blocking on routers, switches, and firewalls, and rate
limits traffic on routers running Cisco IOS 12.3. |
ARC is
|
|
|
ARC can simultaneously control up to how many interfaces
|
250 interfaces.
|
|
|
When the sensor shuts down, ARC writes all blocks and rate limits (with starting timestamps) to this local file
|
a local
file (nac.shun.txt) that is maintained by ARC. |
|
|
What happens to the existing active TCP connections if the block command specifies only the source address?
|
If the block command specifies only the source IP address, existing active TCP connections are not
broken, but all incoming packets from the blocked host are dropped. |
|
|
When you configure a firewall to use NAT or PAT and the sensor is checking packets on the firewall
outside network, if you detect a host attack that originates on the firewall inside network, the sensor tries to block this address which is provided by the firewall. |
When you configure a firewall to use NAT or PAT and the sensor is checking packets on the firewall
outside network, if you detect a host attack that originates on the firewall inside network, the sensor tries to block the translated address provided by the firewall. |
|
|
To view an existing VACL on a catalyst switch:
|
show security acl info acl_name
|
|
|
To block an address (address_spec is the same as used by router ACLs):
|
set security acl ip acl_name deny address_spec
|
|
|
To map a VACL to a VLAN:
|
set sec acl acl_name vlans
|
|
|
To clear a single VACL:
|
clear security acl map acl_name
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_system_architecture.pdf |
|
|
Logger writes the log messages to this circular text file
|
/usr/cids/idsRoot/log/main.log,
|
|
|
This IPS component configures and controls IPS AAA and password management.
|
AuthenticationApp
|
|
|
needs question
|
Pluggable Authentication Modules (PAM).
|
|
|
needs question
|
You can use the show ssh server-key and show tls fingerprint to display the key fingerprints of the
sensor. |
|
|
switches set to this VTPM mode do not participate in VTP.
|
VTP Transparent mode
|
|
|
A switch operating in this VTP mode does not advertise its VLAN configuration and does not synchronize its VLAN configuration based on received advertisements, but these switches do forward VTP advertisements that they receive out their trunk ports in VTP Version 2.
|
VTP Transparent mode
|
|
|
In this VTP mode, switches behave the same as in VTP transparent mode with the exception that VTP advertisements are not forwarded.
|
off - vtp mode
|
|
|
Switches in this VTP mode, advertise their VLAN configuration to other switches in the same VTP domain and synchronize their VLAN configuration with other switches based on advertisements received over trunk links.
|
VTP server mode
|
|
|
This is the default VTP mode
|
VTP server mode
|
