Friday, August 26, 2005

Quiz: An IDS/IPS interrogation

This Week

A newsletter from TechTarget
August 26, 2005

> Quiz: Intrusion detection and prevention systems
> Site Highlights: Get free security training


Intrusion detection and prevention systems

Intrusion detection and prevention systems come with a hefty price
tag. And once installed, either one can drain your resources if you
didn't make a knowledgeable buying decision or don't know how to
operate it efficiently. Test your IDS/IPS know-how and improve your
knowledge with this quiz.

1.) Which of the following is an advantage of anomaly detection?
a. Rules are easy to define.
b. Custom protocols can be easily analyzed.
c. The engine can scale as the rule set grows.
d. Malicious activity that falls within normal usage patterns is

2.) A false positive can be defined as...
a. an alert that indicates nefarious activity on a system that, upon
further inspection, turns out to represent legitimate network traffic
or behavior.
b. an alert that indicates nefarious activity on a system that is not
running on the network.
c. the lack of an alert for nefarious activity.
d. Both a. and b.

3.) One of the most obvious places to put an IDS sensor is near the
firewall. Where exactly in relation to the firewall is the most
productive placement?
a. Inside the firewall
b. Outside the firewall
c. Both

4.) What is the purpose of a shadow honeypot?
a. To flag attacks against known vulnerabilities.
b. To help reduce false positives in a signature-based IDS.
c. To randomly check suspicious traffic identified by an anomaly
detection system.
d. To enhance the accuracy of a traditional honeypot.

5.) At which two traffic layers do most commercial IDSes generate
a. application layer
b. network layer
c. session layer
d. transport layer

6.) An IDS follows a two-step process consisting of a passive
component and an active component. Which of the following is part of
the active component?
a. Inspection of password files to detect inadvisable passwords
b. Mechanisms put in place to reenact known methods of attack and
record system responses
c. Inspection of system to detect policy violations
d. Inspection of configuration files to detect inadvisable settings

7.) When discussing IDS/IPS, what is a signature?
a. An electronic signature used to authenticate the identity of a
user on the network
b. Attack-definition file
c. It refers to "normal," baseline network behavior
d. None of the above

8.) "Semantics-aware" signatures automatically generated by Nemean
are based on traffic at which two layers?
a. application layer
b. network layer
c. session layer
d. transport layer

9.) Which of the following is used to provide a baseline measure for
comparison of IDSes?
a. crossover error rate
b. false negative rate
c. false positive rate
d. bit error rate

10.) Which of the following is true of signature-based IDSes?
a. They alert administrators to deviations from "normal" traffic
b. They identify previously unknown attacks.
c. The technology is mature and reliable enough to use on production
d. They scan network traffic or packets to identify matches with
attack-definition files.


How'd you score?
9-10 correct: You are IDS/IPS intelligent
6-8 correct: You are IDS/IPS conversant
3-5 correct: You're an IDS/IPS novice
0-2 correct: You're IDS/IPS ignorant


Earn CPE credits in Web Security School
Learn how to harden a Web server and apply countermeasures to prevent
hackers from breaking into a network. Study at your own pace and
learn how to implement security policies and test a Web site's
security, as well as how to handle a breach should the unspeakable
happen. CISSPs and SSCPs can earn one CPE credit for each school

Secure your e-mail systems
Attend E-mail Security School, where you'll learn tactics for
securing your e-mail systems, beginning with the essentials, moving
on to spam and virus defense, and wrapping up with policy control.
CISSPs and SSCPs can earn one CPE credit for each school webcast.,295582,sid14_gci1062768,00.html?track=NL-105&ad=526845



For sales inquiries, please contact us at:

For feedback about any of our articles or to send us your article
ideas, please contact us at:



This e-newsletter is published by, a targeted Web
site from TechTarget, the most targeted IT media and events company.
TechTarget offers magazines, Web sites, e-newsletters, Webcasts and
conferences for enterprise IT professionals.
Copyright 2005 TechTarget. All rights reserved.


To unsubscribe from "Updates on new site content":

Go to unsubscribe:

Please note, unsubscribe requests may take up to 24 hours to process;
you may receive additional mailings during that time. A confirmation
e-mail will be sent when your request has been successfully

Contact us:
Member Services
117 Kendrick Street, Suite 800
Needham, MA 02494