Solved: interview question

shiznity2k · ‎04-19-2010

hi all,

I had a technical interview recently and seek opinions. The IT manager asked about loops, spanning-tree, firewalls and NAT. My questions is what your response would be to this scenario he put to me at the end.

If a system is affected by a virus from outside network for example on your network, what would you do? I simply answered: I will implement an access-list to block traffic to that segment/node, take it off the network and put it right. My response did not seem to strike the right chord as he repeated in a different ways by asking, how would I identify the affected system, is that all I would do .etc.

I am CCNA with a little hands-on networking experience, half way into CCNP, more of systems but pursuing career in networking. What is best-practice for such scenario?

StanDamen · ‎04-20-2010

Maybe he wanted more focus on how you would make sure that the whole network is healthy again?

As you said u only cut of the node/segment and make it right. What about the rest?

It could have been spreading without it being visible. Also you should use logs or IPS/IDS systems to locate the affected computer/element, that computer can give clues on how far the infection spread. Identifying the virus can help you take steps to secure your network and/or remove the virus on other systems it is on.

Basically the problem i see with your answer is that it is way to limited. You did the following:

1. Isolate the affected node/segment

2. take it off the network

3. fix the problem

Steps that should be performed as well could be:

4. Identify the problem

5. Prevent future incidents of this problem

6. Check rest of network for signs of the problem

7. Identify the underlying cause and reevaluate your network security for related problems/improvement point

So in short, your answer was to limited as you only mentioned isolating and fixing the problem.

HTH,

Stan

View solution in original post

nelson.garcia · ‎04-19-2010

I don't have an answer to this, unfortunately, but I am very interested in this answer as well if anyone with a little more experience could elaborate on how they might approach this situation.

nelson.garcia · ‎04-19-2010

I would also like to add that I did a quick search on google for "Cisco virus intrusion" and found this post on Cisco IPS: https://supportforums.cisco.com/message/3052156

Also, reading from my BCMSN book on multilayer switch security, Cisco NAC could be a prevantative measure to take by only allowing trusted devices access to your network (from the inside) I would suppose. http://www.cisco.com/en/US/netsol/ns466/networking_solutions_package.html

Again, I'm no security expert, but this is interesting =]

StanDamen · ‎04-20-2010

Maybe he wanted more focus on how you would make sure that the whole network is healthy again?

As you said u only cut of the node/segment and make it right. What about the rest?

It could have been spreading without it being visible. Also you should use logs or IPS/IDS systems to locate the affected computer/element, that computer can give clues on how far the infection spread. Identifying the virus can help you take steps to secure your network and/or remove the virus on other systems it is on.

Basically the problem i see with your answer is that it is way to limited. You did the following:

1. Isolate the affected node/segment

2. take it off the network

3. fix the problem

Steps that should be performed as well could be:

4. Identify the problem

5. Prevent future incidents of this problem

6. Check rest of network for signs of the problem

7. Identify the underlying cause and reevaluate your network security for related problems/improvement point

So in short, your answer was to limited as you only mentioned isolating and fixing the problem.

HTH,

Stan

shiznity2k · ‎04-23-2010

Hi Stan,

I would say your response is quite elaborate and ideal. As I indicated, I have little production experience and no IDS/IPS experience besides GNS (my CV does not say this though). It is also a support role (CCNA requirement) hence I feel my response was enough to take me to the next level.

I have just been invited for another interview which says will be technical, competency based. I thought I was done with the tech aspect.

Your response is definitely noted..

StanDamen · ‎04-23-2010

Hi,

I understand you have little experience with certain aspects, so maybe this will help you.

Managers love it when you think of the whole picture and all possible affects and effects. Wether you solve all those parts yourself depends on the job roles/experience etc. but it is NOT required. For example the IDS/IPS bit, you could mention it like:

"IPS/IDS logs will need to be checked by whoever manages those logs to make sure the infection hasnt spread further then initally thought and to prevent similar attacks/problems in the future"

Like that you are showing that you can comprehend the whole picture, without needing the technical knowhow (someone else will check IDS/IPS and work from there).

Hopefully this can help you and good luck with your interview!

Stan