Cisco IPS IDS Interview Questions and Answers VOL 1.0

This document contains 40 questions about Cisco intrusion prevention systems (IPS) and intrusion detection systems (IDS). It covers topics such as the differences between IPS and IDS, common attack types detected by these systems like denial of service (DoS) and scanning attacks, IPS deployment modes like inline and promiscuous, and Cisco-specific products for managing IPS devices.

Uploaded by

santhosh437
Copyright © All Rights Reserved

Cisco IPS & IDS Interview Questions

Ques 1. What is a false positive?


A false positive is an alert that indicates nefarious activity on a system but, upon further
inspection, turns out to represent legitimate network traffic or behavior. At times, signatures
mistakenly report a vulnerability that may not exist.

Ques 2. What is the difference between IPS and IDS?


The table below enumerates the differences between IPS and IDS in detail.

Ques 3. What key advantage does IPS offer over IDS that makes it a crucial component of a security
approach?

The speed at which attacks can be mitigated.

Ques 4. What Is Intrusion Detection System?


An Intrusion Detection System (IDS) is a device or software application that monitors a network
or systems for malicious activity or policy violations. An IDS is a passive device that watches
packets traversing the network, compares them against signature patterns, and sets off an alarm
when it detects suspicious activity.
The most common classifications are network intrusion detection systems (NIDS) and host-
based intrusion detection systems (HIDS).

Ques 5. Explain an anomaly-based intrusion detection system.


An anomaly-based intrusion detection system detects both network and computer intrusions and
misuse by monitoring system activity and classifying it as either normal or anomalous. The
classification is based on heuristics or rules rather than patterns or signatures, and it
attempts to detect any type of misuse that falls outside normal system operation.

Ques 6. What Is A Network Intrusion?


Network intrusion is any unauthorized activity on a computer network. Detecting an intrusion
depends on the defenders having a clear understanding of how attacks work.

Ques 7. In reference to IDS/IPS, what is a signature?


A signature is an attack definition that describes one type of known malicious activity.

Ques 8. What is DoS?


DoS stands for Denial of Service. A denial-of-service attack attempts to slow down or
completely shut down a target so as to disrupt the service and deny legitimate, authorized
users access.

Ques 9. What is a scanning attack?


In a scanning attack, an attacker sends various kinds of packets to probe a system or network for
vulnerabilities that can be exploited.

Ques 10. What is a penetration attack?


In a penetration attack, an attacker gains unauthorized control of a system and can modify the
system state, read files, etc. Generally such attacks exploit flaws in software, which enables
the attacker to install viruses and other malware on the system.

Ques 11. Name some of the signature engines of Cisco IPS.


• Atomic Engine
• Meta Engine
• String Engine
• Flood Engine
• Normalizer Engine
• Service Engine
• State Engine
• Trojan Engine

Ques 12. What is the range of custom signature IDs in Cisco IPS?


The valid range is between 60000 and 65000.

Ques 13. Can IPS/IDS read encrypted traffic?


No, IPS/IDS cannot read encrypted traffic.

Ques 14. In reference to IPS, explain vulnerability.


A vulnerability is a weakness that leaves a system exposed to the possibility of being attacked
or harmed.

Ques 15. In the context of IPS, explain threat.


A threat is an attacker who exploits a weakness that is exposed by a vulnerability.

Ques 16. What is the difference between encryption and hashing?


Below are the differences:
• Encryption is reversible, whereas hashing is irreversible.
• Encryption ensures confidentiality, whereas hashing ensures integrity.

Ques 17. What is the difference between NIPS and HIPS?


Ques 18. What is "SQL injection"?


SQL injection is one of the common attack techniques used by hackers to obtain critical data.
SQL injection is the placement of malicious code in SQL statements via web page input.

Ques 19. Explain "URL manipulation".


URL manipulation is a type of attack in which hackers alter the website URL to obtain critical
information. Information is passed between client and server in the parameters of the query
string via the HTTP GET method. Hackers can alter the values of these parameters, obtain
authentication on the server, and steal critical data.

Ques 20. What is the importance of an Intrusion Detection System (IDS)?


Computers connected directly to the Internet are subject to relentless probing and attack. While
protective measures such as safe configuration, up-to-date patching, and firewalls are all
prudent steps, they are difficult to maintain and cannot guarantee that all vulnerabilities are
shielded. An IDS provides defense in depth by detecting and logging hostile activities. An IDS
acts as the "eyes" that watch for intrusions when other protective measures fail.

Ques 21. What is signature-based detection?


Signature-based detection is a technique in which network traffic is compared with a predefined
database of known threats; when a packet matches the signature or rule set of a predefined
threat, the appropriate action is taken against that threat.

Ques 22. What is anomaly-based detection?


Anomaly-based detection is a technique used to identify abnormal and unusual traffic patterns,
that is, patterns that do not conform to the expected behavior. Any traffic pattern that seems
suspicious can trigger an alert based on the observed network activity, and the configured action
is taken as well.
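The two techniques from Ques 21 and Ques 22 side by side, as an added example that is not part of the original document: a signature database catches a known payload pattern, while an anomaly baseline catches a port sweep whose packets contain nothing a signature could match. The traffic, the thresholds and the signature IDs (chosen from the custom range given in Ques 12) are all constructed for this illustration.

```python
import re

# Constructed sample traffic, not taken from the document: (src_ip, dst_port, payload).
# 10.0.0.5 sends a normal request and one SQL-injection attempt; 10.0.0.7 sweeps 40 ports.
PACKETS = [
    ("10.0.0.5", 80, "GET /index.html HTTP/1.1"),
    ("10.0.0.5", 80, "GET /login?user=admin' OR '1'='1 HTTP/1.1"),
    ("10.0.0.9", 22, "SSH-2.0-OpenSSH_8.9"),
] + [("10.0.0.7", port, "SYN") for port in range(20, 60)]

# Signature-based detection (Ques 21): a predefined database of known-bad patterns.
# IDs are picked from the custom signature range the document gives (60000-65000).
SIGNATURES = {
    60001: ("SQL injection tautology in URL", re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE)),
    60002: ("Directory traversal in URL", re.compile(r"\.\./")),
}


def signature_detect(packets):
    """Return (signature_id, name, src_ip) for every packet whose payload matches a signature."""
    alerts = []
    for src, _port, payload in packets:
        for sig_id, (name, pattern) in SIGNATURES.items():
            if pattern.search(payload):
                alerts.append((sig_id, name, src))
    return alerts


# Anomaly-based detection (Ques 22): no pattern of the attack itself, only a baseline of
# expected behaviour. The baseline here is "one host talks to at most 10 distinct ports";
# the sweep from 10.0.0.7 carries no malicious payload, so only this method sees it.
def anomaly_detect(packets, max_distinct_ports=10):
    """Return (src_ip, distinct_port_count) for hosts whose fan-out exceeds the baseline."""
    ports_by_src = {}
    for src, port, _payload in packets:
        ports_by_src.setdefault(src, set()).add(port)
    return sorted((src, len(ports)) for src, ports in ports_by_src.items()
                  if len(ports) > max_distinct_ports)


if __name__ == "__main__":
    print(signature_detect(PACKETS))  # [(60001, 'SQL injection tautology in URL', '10.0.0.5')]
    print(anomaly_detect(PACKETS))    # [('10.0.0.7', 40)]
```

Raising `max_distinct_ports` above 40 makes the sweep disappear from the anomaly output while the signature alert is unaffected, which is the tuning trade-off behind the false positives described in Ques 1.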

Ques 23. What are the two modes of IPS?


Inline Mode and Promiscuous Mode

Ques 24. What is promiscuous mode?


In promiscuous mode, a copy of each packet is sent to the processing system, which analyzes the
copy against the defined rules. If a packet in the stream is flagged, only the second packet
can be blocked, since the first packet has already passed through the device while its copy was
being analyzed by the processing system.

Ques 25. What is inline mode?


In inline mode, each packet is processed against the signature set and rules before it is
forwarded, so if an intrusion is occurring in a stream of packets, the very first packet can be
dropped as soon as it is flagged by the sensor.
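The timing difference between the two modes of Ques 24 and Ques 25, as an added simulation that is not part of the original document: the same three-packet flow is fed to an inline sensor and to a promiscuous sensor. The flow, the payloads and the "ATTACK" marker that stands in for a signature match are constructed for this illustration.

```python
# Constructed sample stream, not from the document: three packets of one TCP flow, the
# second of which carries content the sensor's rules would flag (the "ATTACK" token).
FLOW = ("10.0.0.5", "192.0.2.10")  # (src, dst) identifying the flow
STREAM = [
    (FLOW, "pkt1 normal"),
    (FLOW, "pkt2 ATTACK"),
    (FLOW, "pkt3 normal"),
]


def flagged(payload):
    """Stand-in for the sensor's signature/rule evaluation of one packet."""
    return "ATTACK" in payload


def inline_sensor(stream):
    """Inline mode: a packet is held until inspection finishes, so a flagged packet
    is dropped before it ever reaches the destination."""
    delivered, dropped = [], []
    for _flow, payload in stream:
        (dropped if flagged(payload) else delivered).append(payload)
    return delivered, dropped


def promiscuous_sensor(stream):
    """Promiscuous mode: the forwarding device sends the packet on immediately and the
    sensor inspects a copy. The flagged packet has already reached the destination; the
    sensor can only ask for the flow to be blocked, so later packets of that flow are stopped."""
    delivered, blocked, shunned_flows = [], [], set()
    for flow, payload in stream:
        if flow in shunned_flows:
            blocked.append(payload)  # blocked by the device after the sensor's request
            continue
        delivered.append(payload)    # forwarded before the copy is analyzed
        if flagged(payload):         # analysis of the copy completes after forwarding
            shunned_flows.add(flow)
    return delivered, blocked


if __name__ == "__main__":
    print(inline_sensor(STREAM))       # (['pkt1 normal', 'pkt3 normal'], ['pkt2 ATTACK'])
    print(promiscuous_sensor(STREAM))  # (['pkt1 normal', 'pkt2 ATTACK'], ['pkt3 normal'])
```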

Ques 26. Name a few of the vendors who deal in IPS/IDS.


• Cisco
• Palo Alto
• Checkpoint
• Fortinet
• Extreme Networks
• F5 Networks
• Juniper
• Snort
• HP
• IBM
• FireEye
• Dell

Ques 27. Where are IPS devices usually deployed in a network?


IPS devices are deployed at the edge of the network.

Ques 28. What is the mode of the IPS in the diagram below?

Promiscuous mode

Ques 29. What is the mode of the IPS in the diagram below?

Inline mode

Ques 30. What is the new name of legacy IPS in Cisco?


Firepower NGIPS, Next Generation IPS

Ques 31. Does the Cisco 5500-X Series support NGIPS?


Yes, it supports Firepower NGIPS.

Ques 32. In the diagram given below, what type of IPS should be deployed?

Network-based IPS

Ques 33. From the diagram below, how can we achieve multiple sensors in a single IPS?

By creating virtual sensors in a single IPS

Ques 34. In Cisco, the hardware-based IPS can be accessed using which command from the firewall?

session 1. Here "1" is the module number, i.e. the slot in which the module is physically
installed. Further, the default username is "cisco" and the default password is "cisco".

Ques 35. In Cisco, the software-based IPS can be accessed using which command from the firewall?

session ips

Ques 36. What is the purpose of Cisco IME?


Cisco IME is used to manage multiple IPS devices from a centralized management console.

Ques 37. How many devices can be managed by Cisco IME at a given time?

Cisco IME can manage up to 10 IPS devices simultaneously.

Ques 38. What does Cisco FMC stand for?


Cisco FMC is short for Cisco Firepower Management Center.

Ques 39. What is the purpose of Cisco FMC?


Cisco FMC is used to manage Firepower devices, which can be Firepower Threat Defense firewalls
as well as Firepower NGIPS devices.

Ques 40. What does Cisco IME stand for?

Cisco IME stands for Cisco IPS Manager Express.
