ccna 5.0 pdf

ccna 5.0 pdf.5.2.4.5 Resetting, Blocking, and Allowing TrafficThe IPS can reset or block packets. Reset TCP Connection The TCP reset feature behavior is a basic behavior that terminates a TCP connection by generating a packet carrying the TCPRST flag bit for theTCP connection. Many IPS devices use the TCP reset connection behavior to quickly stop a TCP connection that is performing an unintended operation. The Reset TCP Connection behavior can be used in conjunction with the Deny Packet and Deny Connection behaviors. Packet rejection and data flow denial behaviors do not automatically cause TCP reset behavior to occur.Blocking subsequent (future) behaviorMost IPS devices have the ability to block subsequent traffic by having the IPS device update the access control list (ACL) on the infrastructure device. ACLs block traffic from attacking systems without requiring the IPS to consume resources to analyze them. After a configured period of time has expired, the IPS device removes that ACL. network IPS devices typically provide this blocking feature to work in conjunction with other behaviors, such as dropping unwanted packets. One advantage of the blocking behavior is that a single IPS device can block traffic from multiple locations across the network, regardless of where that [PS device is placed. For example, an IPS device located deep in the network can apply ACLo on a border router or firewallto allow that behavior5.2 IPS Features 133 The ultimate behavior is to allow the feature behavior. Here the reader may have -some confusion, as most IPS devices are used to stop and block unintended traffic on the network. The allow action is required so that the administrator can define the exception configuration for the feature. When an IPS device is configured to disallow certain actions, but sometimes needs to allow a small number of systems or users is an exception to the configuration rule. Configuring exceptions allows administrators to take a stricter approach to security because they can first deny all actions and then allow only those that are needed. For example, suppose IT routinely scans the network using a common vulnerability scanner. This scan causes the IPS to trigger many alerts. As the attacker scans the network, the IPS generates the same alerts. By allowing alerts from recognized IT scanning hosts, administrators can achieve prevention of intruder scanning while eliminating false alarms caused by legitimate IT routine scanning. Some IPS devices indirectly can also provide permissive behavior through other mechanisms, such as feature filtering. If the IPS does not provide direct permission or allow such behavior, the administrator needs to consult the product documentation to find the mechanism used to enable exception features.5.2.5 Managing and Monitoring IPS5.2.5.1 Monitoring BehaviorMonitoring security-related events on the network is an equally important aspect of protecting the network from attacks. While IPS can stop many attacks against the network, understanding these attacks against the network allows administrators to assess how strong the current protection is and what aspects need to be enhanced as the network expands. It is only by monitoring security events on the network that administrators can