642-533 - IPS - Implementing Cisco Intrusion Prevention Systems
Go back to Cisco
What two steps must you perform to initialize a Cisco IPS Sensor appliance? (Choose two.)
connect a serial cable to the console port of the sensor
issue the setup command via the CLI
Which command provides a snapshot of the current internal state of a sensor service, enabling you to check the status of automatic upgrades and NTP?
show statistics host
How does a Cisco network sensor detect malicious network activity?
by using a blend of intrusion detection technologies
You would like to investigate an incident and have already enabled the Log Pair Packets action on various signatures being triggered. What should you do next?
Use Cisco IDM to download the IP log to a management station then use a packet analyzer like Ethereal to decode the IP log.
You have configured your sensor to use risk ratings to determine when to deny traffic into the network. How could you best leverage this configuration to provide the highest level of protection for the mission-critical web server on your DMZ?
Assign a target value rating of Mission Critical to the web server.
Which two are not forwarded to the NM-CIDS? (Choose two.)
GRE encapsulated packets
Which two tasks must you complete in Cisco IDM to configure the sensor to allow an SNMP network management station to obtain the sensor's health and welfare information? (Choose two.)
From the SNMP General Configuration panel, enable SNMP Gets/Sets.
From the SNMP General Configuration panel, configure the SNMP agent parameters
Which statement accurately describes what the External Product Interface feature included in the Cisco IPS 6.0 software release allows the Cisco IPS Sensor to do?
receive host postures and quarantined IP address events from theCiscoWorks Management Center for Cisco Security Agent
With Cisco IPS 6.0, what is the maximum number of virtual sensors that can be configured on a single platform?
Which statement is true about using the Cisco IDM to configure automatic signature and service pack updates?
You must select the Enable Auto Update check box in the Auto Update panel in order to configure automatic updates
Your Cisco router is hosting an NM-CIDS. The router configuration contains an inbound ACL. Which action does the router take when it receives a packet that should be dropped, according to the inbound ACL?
The router drops the packet and does not forward it to the NM-CIDS for inspection.
What is the best way to mitigate the risk that executable-code exploits will perform malicious acts such as erasing your hard drive?
assign deny actions to signatures that are controlled by the Trojan engines
You recently noticed a large volume of alerts generated by attacks against your web servers. Because these are mission-critical servers, you keep them up to date on patches. As a result, the attacks fail and your inline sensor generates numerous false positives. Your assistant, who monitors the alerts, is overwhelmed. Which two actions will help your assistant manage the false positives? (Choose two.)
Raise the Target Value Ratings for your web servers.
Create a policy that denies attackers inline and filters alerts for events with high Risk Ratings.
Which statement is true about viewing sensor events?
You can use the Events panel in the Cisco IDM to filter and view events.
Which two statements accurately describe the software bypass mode? (Choose two.)
When it is set to on, traffic inspection ceases without impacting network traffic.
When it is set to off, traffic stops flowing if the sensor is down.
What are three differences between inline and promiscuous sensor functionality? (Choose three.)
Inline operation provides more protection from Internet worms than promiscuous mode does.
Inline operation provides more protection from atomic attacks than promiscuous mode does.
A sensor that is operating in inline mode can drop the packet that triggers a signature before it reaches its target, but a sensor that is operating in promiscuous mode cannot.
When configuring Passive OS Fingerprinting, what is the purpose of restricting operating system mapping to specific addresses?
limits the ARR to the defined IP addresses
Under which tab in the Cisco IDM can you find the Custom Signature Wizard?
Why would an attacker saturate the network with noise while simultaneously launching an attack?
An attack may go undetected
What is a false-negative alarm situation?
A signature is not fired when offending traffic is present
Which statement is incorrect about Cisco IPS 6.0 Sensor Anomaly Detection?
It sub-divides the network into two zones.
Which two are appropriate installation points for a Cisco IPS sensor? (Choose two.)
at network entry points
on critical network segments
You think users on your corporate network are disguising the use of file-sharing applications by tunneling the traffic through port 80. How can you configure your Cisco IPS Sensor to identify and stop this activity?
Enable both the HTTP application policy and the alarm on non-HTTP traffic signature.
What is a configurable weight that is associated with the perceived importance of a network asset?
Target Value Rating
Which statement is true about inline sensor functionality?
If your sensor has a sufficient number of monitoring interfaces, you can use inline and promiscuous modes simultaneously.
Which character must precede a variable to indicate that you are using a variable rather than a string?
Which command resets all signature settings back to the factory defaults?
default service signature-definition
What is used to perform password recovery for the "cisco" admin account on a Cisco IPS 4200 Series Sensor?
Which command displays the statistics for Fast Ethernet interface 0/1?
show interfaces FastEthernet0/l
Which value is not used to calculate the risk rating for an event?
fidelity severity rating
Which action is available only to signatures supported by the Normalizer engine?
Modify Packet Inline
In which file format are IP logs stored?
What is the purpose of an interface pair?
What is the hostld entry in a Cisco IPS alert?
the sensor that originated the alert
You would like to examine all high-severity alert events generated by your sensor since 1:00 a.m. January 1, 2005. Which command should you use?
show events alert high1:00 jan 1 2005
Which two communication protocols does Cisco IEV support for communications with Cisco IPS Sensors? (Choose two.)
Your sensor is detecting a large volume of web traffic because it is monitoring traffic outside the firewall. What is the most appropriate sensor tuning for this scenario?
lowering the severity level of certain web signatures
You are in charge of Securing Networks with Cisco Routers and Switches for your company .What is not the role of the Cisco IPS Sensor interface.
What is the primary function of a Master Blocking Sensor?
to directly communicate the blocking requests that are sent by other sensors
Please match the inline and inline VLAN pair descriptions to the proper categories. (l) also known as inline on a stick (2) IPS appliance is installed between two network devices (3) Two monitoring interfaces are configured as a pair (4) IPS appliance bridges traffic between pairs of VLAN (I) Inline Interface Pair (Il) Inline VLAN Pair
(I)-(2 3);(II)-(1 4)
Which one of the following statements is true regarding tuned signatures?
contain modified parameters of built-in signatures
Which TCP stream reassembly mode disables TCP window-evasion checking?
In Cisco IDM, the Configuration > Sensor Setup > SSH > Known Host Keys screen is used for what purpose?
to enable communications with a blocking device
You are the network security administrator for a company. You want to create a user account for your assistant that gives the assistant the second-highest level of privileges. You want to ensure that your assistant can view all events and tune signatures. Which role would you assign to the account for your assistant?
Which of the following is a valid file name for a Cisco IPS 6.0 system image?
Which two protocols can be used for automatic signature anc service pack updates? (Choose two.
Which command can be used to retrieve Cisco Product Evolution Program (PEP) unique device identifier (UDI) information to help you manage certified hardware versions within your network?
How is automatic IP logging enabled on a sensor?
It must be manually configured for individual signatures.
Which of the following statements best describes how IP logging should be used?
only be used temporarily for such purposes as attack confirmation, damage assessment, or the collection of forensic evidence, because of its impact on performance
When performing a signature update on a Cisco IDS Sensor, which three server types are supported for retrieving the new software? (Choose three.)