1
00:00:06,710 --> 00:00:09,186
- [Presenter] Whenever you are studying for the CCNA

2
00:00:09,186 --> 00:00:11,460
CyberOps SECFND exam

3
00:00:12,555 --> 00:00:15,720
you learn what is the concept of the five tuple

4
00:00:15,720 --> 00:00:17,390
but as a refresher here

5
00:00:17,390 --> 00:00:19,920
I'm actually including the five elements.

6
00:00:19,920 --> 00:00:23,660
That's the source IP address, the source port,

7
00:00:23,660 --> 00:00:27,040
the destination IP address, the destination port,

8
00:00:27,040 --> 00:00:28,500
and the protocol.

9
00:00:28,500 --> 00:00:30,210
Now, traditional firewalls typically

10
00:00:30,210 --> 00:00:33,470
provide security event logs that are mostly based

11
00:00:33,470 --> 00:00:34,920
on the five tuple.

12
00:00:34,920 --> 00:00:36,060
For instance,

13
00:00:36,060 --> 00:00:39,740
a traditional Cisco ASA log may look like this, right?

14
00:00:39,740 --> 00:00:43,380
In this example, the ASA dropped a TCP packet

15
00:00:43,380 --> 00:00:46,300
that didn't have an associated connection

16
00:00:46,300 --> 00:00:47,960
in its connection table.

17
00:00:47,960 --> 00:00:51,590
In short, the ASA is actually looking for a SYN flag

18
00:00:51,590 --> 00:00:53,617
in the first packet of a TCP connection.

19
00:00:53,617 --> 00:00:56,290
And in this case, actually it was not.

20
00:00:56,290 --> 00:01:00,480
And the ASA drops that packet

21
00:01:00,480 --> 00:01:02,750
where the SYN flag was actually not set,

22
00:01:02,750 --> 00:01:04,680
and there was no existing connection

23
00:01:04,680 --> 00:01:08,687
for that transaction or for that packet.

24
00:01:10,924 --> 00:01:15,600
Now you also see the five tuple used in the IPS events.

25
00:01:15,600 --> 00:01:20,200
You also see them in NetFlow records and other event data.

26
00:01:21,110 --> 00:01:24,880
In fact, in the exam, you may actually need to differentiate

27
00:01:24,880 --> 00:01:29,880
between a firewall log and a traditional IPS/IDS event.

28
00:01:30,410 --> 00:01:31,450
One thing to remember

29
00:01:31,450 --> 00:01:35,590
and I guess a quick tip is that traditional IDS

30
00:01:35,590 --> 00:01:38,890
and IPS devices actually use signatures.

31
00:01:38,890 --> 00:01:42,050
So one easy way to differentiate

32
00:01:42,050 --> 00:01:46,560
is by looking for a signature ID in the output.

33
00:01:46,560 --> 00:01:49,740
So if you see a signature ID, then most definitely

34
00:01:49,740 --> 00:01:54,050
that event is a traditional IPS or IDS event.

35
00:01:54,050 --> 00:01:56,410
And you saw a couple of examples

36
00:01:56,410 --> 00:01:59,970
of a syslog message from a Cisco ASA.

37
00:01:59,970 --> 00:02:03,410
And that will help you identify

38
00:02:03,410 --> 00:02:08,410
what type of device log that may be referring to.