examen capitulo 9 cisco ccna 2

examen capitulo 9 cisco ccna 2.Figure 11-16EventsByPriorityandClassification window11.2 Network Insight Techniques 413 Additional options can be displayed in the context menu and the specific options that can be displayed vary with the type of data to be examined414 Chapter 11 Network and Host Insight Techniquesvaries. Data points associated with a specific IP address provide options to view host or Whois information for the selected IP address. Data points associated with a specific application provide the option to view application information for the selected application. The data point associated with a specific user provides the option to view the user's profile. The data point associated with an intrusion event message provides the option to view the rule document for the intrusion rule associated with that event. The data point associated with a specific IP address provides the option to blacklist or whitelist that IP address.Next-generation firewalls and next-generation IPS systems also support incidentlifecycle through FMC, which allows network administrators to change the status of an incident as they respond to an attack. When an incident is closed, network administrators can also record what changes were made to the security policy as a result of what was learned. Typically, network administrators define one or more intrusion events that they consider to be against the security policy as an incident. o In the FMC, the term also describes the functionality that can be used to track responses to incidents.Because the potential impact of each type of intrusion on the availability, confidentiality, and integrity of network assets can be large or small, the importance of various intrusion events can vary. Let's say that network administrators can use port scan detection to stay aware of port scanning behavior within the network. However, network administrators generally do not explicitly prohibit port scanning behavior or classify it as a top threat when developing security policies. Therefore, even if there is port scanning behavior, the network administrator will not take any action, but will keep any port scanning logs for future network forensics. In other words, if the system generates an intrusion event that indicates that a host on the network has been compromised and is participating in a distributed denial of service (DDoS) attack, then such behavior is a clear violation of security policy and the network administrator should create an incident in the FMC to help track the investigation of the intrusion event.FMC and Next Generation Firewall/IPS systems are particularly well suited to support the investigation and identification process for incident response. Network administrators can create their own classifications of incidents and apply them in a way that best describes the vulnerabilities within the network. When traffic within the network triggers an event, the system automatically prioritizes the event and will specifically indicate what kind of attack is being suffered by the host with the known vulnerability. FMC's incident tracking feature also includes a status indicator that can be changed to indicate escalated incidents.All incident handling processes should specify how the incident handling team communicates with internal and external audiences. For example, consideration should be given to what type of incident requires intervention from that level of management. In addition, the incident management process should specify how and when to communicate with outside units. Consideration should be given to how to answer the following questions. Is it necessary to file a lawsuit and contact law enforcement agencies? If the unit's hosts are involved in a distributed denial-of-service (DDoS) attack, do they need to notify the victim?