350-201 Question #6: Real Exam Question with Answer & Explanation
The correct answer is B: Move the IPS to before the firewall facing the outside network. When an IPS generates false positives from trusted internal IP addresses, relocating it to the network perimeter before the firewall ensures it only inspects untrusted external traffic, eliminating the internal noise.
Question
An engineer receives an incident ticket with hundreds of intrusion alerts that require investigation. An analysis of the incident log shows that the alerts are from trusted IP addresses and internal devices. The final incident report stated that these alerts were false positives and that no intrusions were detected. What action should be taken to harden the network?
Options
- A. Move the IPS to after the firewall facing the internal network
- B. Move the IPS to before the firewall facing the outside network
- C. Configure the proxy service on the IPS
- D. Configure reverse port forwarding on the IPS
Explanation
The alerts all came from trusted IP addresses and internal devices, and the investigation confirmed they were false positives, so the sensor is currently positioned where it inspects traffic between trusted internal hosts. Relocating the IPS to the perimeter, in front of the firewall facing the outside network, means traffic that never crosses the perimeter (internal host to internal host) never reaches the sensor, so those signatures stop firing and the analysts are left with alerts on untrusted external traffic only. One caveat worth keeping in mind: a sensor placed outside the firewall also sees everything the firewall would otherwise drop, so its signature set and thresholds should be tuned for that vantage point rather than carried over unchanged.
Common mistakes.
- A. Moving the IPS to after the firewall facing the internal network would expose it to even more internal trusted device traffic, compounding the false positive problem rather than resolving it.
- C. Configuring a proxy service on the IPS is unrelated to placement or traffic segmentation and does not address false positives generated from trusted internal IP addresses.
- D. Reverse port forwarding is a network redirection technique with no relevance to IPS sensor placement or alert tuning.
Concept tested. IPS placement to reduce false positives from internal traffic
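The following is an added example, not part of the original question or explanation, that shows the triage step the engineer performed and the effect of the two candidate placements on the same alert set. It parses Snort/Cisco "fast"-style alert lines, checks each flow against a list of trusted internal networks, and counts how many alerts would still be seen by a sensor outside the firewall (only flows that cross the perimeter) versus one inside it (all flows). The alert lines, the trusted networks (10.10.20.0/24 and 10.10.30.0/24) and the external addresses are all constructed for this illustration.

```python
"""Triage IPS alerts by source/destination trust and compare sensor placements.

Added example; the log lines, trusted ranges and the placement model are
assumptions for illustration, not data from the question.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample alerts in Snort/Cisco "fast" log style (not a real capture).
# Lines 1, 2 and 5 are internal-to-internal; 3, 4 and 6 cross the perimeter.
SAMPLE_ALERTS = """\
03/12-09:14:02.113 [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] {TCP} 10.10.20.15:445 -> 10.10.30.7:51322
03/12-09:14:05.871 [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] {TCP} 10.10.20.15:33011 -> 10.10.30.9:22
03/12-09:14:09.004 [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] {TCP} 203.0.113.44:40211 -> 10.10.30.9:22
03/12-09:14:12.660 [**] [1:2010935:3] ET POLICY Suspicious inbound to MSSQL port 1433 [**] {TCP} 198.51.100.8:53022 -> 10.10.30.12:1433
03/12-09:14:15.322 [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] {TCP} 10.10.20.15:445 -> 10.10.30.8:51330
03/12-09:14:18.010 [**] [1:2014726:4] ET POLICY Outdated Windows Flash Version IE [**] {TCP} 10.10.30.20:49211 -> 192.0.2.77:80
"""

# Hypothetical trusted internal networks for this illustration.
TRUSTED_NETS = [
    ipaddress.ip_network("10.10.20.0/24"),
    ipaddress.ip_network("10.10.30.0/24"),
]

# Fields of a "fast" alert line: [gid:sid:rev] msg [**] {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[(?P<sid>\d+:\d+:\d+)\] (?P<msg>.+?) \[\*\*\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+"
)


def is_trusted(ip: str) -> bool:
    """True if the address falls inside one of the trusted internal networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def parse_alert(line: str):
    """Return the alert fields as a dict, or None for lines that are not alerts."""
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None


def triage(text: str) -> Counter:
    """Count total alerts and split them into internal-only vs perimeter-crossing."""
    counts = Counter()
    for line in text.splitlines():
        a = parse_alert(line)
        if a is None:
            continue
        counts["total"] += 1
        if is_trusted(a["src"]) and is_trusted(a["dst"]):
            counts["internal_only"] += 1
        else:
            counts["crosses_perimeter"] += 1
    return counts


def alerts_by_placement(text: str) -> dict:
    """Alerts a sensor would raise at each placement, under the assumed model:
    inside the firewall it sees every flow, outside it sees only flows that
    cross the perimeter (at least one untrusted endpoint)."""
    c = triage(text)
    return {"inside": c["total"], "outside": c["crosses_perimeter"]}


def top_sources(text: str, n: int = 3):
    """Most frequent alert sources, the first thing to check for trusted-host noise."""
    srcs = Counter(a["src"] for a in map(parse_alert, text.splitlines()) if a)
    return srcs.most_common(n)


if __name__ == "__main__":
    print("triage:", dict(triage(SAMPLE_ALERTS)))
    print("by placement:", alerts_by_placement(SAMPLE_ALERTS))
    for src, count in top_sources(SAMPLE_ALERTS):
        print(f"{src:>15}  {count} alerts  trusted={is_trusted(src)}")
```

On this constructed set, half the alerts come from a single trusted host talking to other trusted hosts; moving the sensor outside the firewall removes exactly those while keeping the three flows that involve an untrusted address. Running the same tally over a real incident log is a quick way to confirm that the noise really is internal-to-internal before relocating a sensor.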