IPS

A known, confirmed attack Detected when a file or traffic matches a signature pattern: 1- lPS signatures 2- WAF signatures 3- Antivirus signatures Example: Exploit of known application vulnerabilities

Can be zero-day or denial of service attacks (DoS) Detected by behavioral analysis: 1-Rate-based IPS signatures 2-DoS policies 3-Protocol constraints inspection Example: Abnormally high rate of traffic (DoS/flood)

Flow-based detection and blocking :

IPS Components‘ IPS signature databases ‘ Protocol decoders IPS engine (Select 3)

IPS engine (Select 5)

Decoders parse protocols. lPS signatures find parts of a protocol that don’t conform. For example, too many HTTP headers, or a buffer overflow attempt Unlike proxy-based scans, IPS often does not require IANA standard ports. Automatically selects decoder for protocol at each OSI layer

IPS packages are updated by FortiGuard. (Select 3)

Choosing the Signature Database - [blank_start]Regular[blank_end] : Common attacks with fast, certain identification (default action is block) - [blank_start]Extended[blank_end] : Performance-intensive

In fact, because of its size, the extended database is only available for FortiGate models with a smaller disk or RAM. But, for high-security networks, you might be required to enable the extended signatures database.

Configuring IPS sensors

IPS Actions (Select 6)

Which of the following are evaluated first in an lPS sensor?

Which IPS component is updated most frequently?