642-627 - Implementing Cisco Intrusion Prevention System (IPS) v7.0
Go back to Cisco
OS mappings associate IP addresses with an OS type, which in turn helps the Cisco IPS appliance to calculate what other value?
Which two statements are true with respect to IPS false negatives? (Choose two.)
A false negative is the failure of the IPS to create an alert on malicious activity.
Increasing event count thresholds can lead to false negatives.
What is a best practice to follow before tuning a Cisco IPS signature?
Disable all the alert actions on the signature to be tuned.
In Cisco IDM, the Configuration > Sensor Setup > SSH > Known Host Keys screen is used for what purpose?
to enable communications with a blocking device
When setting up a Cisco IPS appliance in promiscuous mode, which Cisco Catalyst switch CLI command is used to configure SPAN on the switch?
monitor session in global configuration mode
From the Cisco IPS appliance CLI setup command, one of the options is "Modify default threat prevention settings? [no]". What is this option related to?
event action override that denies high-risk network traffic with a risk rating of 90 to 100
A Cisco Catalyst switch is experiencing packet drops on a SPAN destination port that is connected to an Cisco IPS appliance. Which three configurations should be considered to resolve the packet drops issue? (Choose three.)
Configure an additional SPAN session to a different Cisco IPS appliance interface connected to the same virtual sensor.
Configure an EtherChannel bundle as the SPAN destination port.
Configure VACL capture.
Which mode consolidates alarms where the Cisco IPS appliance will generate an alert the first time that a signature fires on an address set and then only send a summary alert for all address sets over a given time interval?
Which option is best to use to capture only a subset of traffic (capturing traffic per-IP-address, per-protocol, or per-application) off the switch backplane and copy it to the Cisco IPS appliance?
In which CLI configuration mode is the Cisco IPS appliance management IP address configured?
service host network-settings ips(config-hos-net)#
Which three actions does the Cisco IDM custom signature wizard provide? (Choose three.)
selecting the signature engine to use or not to use any signature engine
selecting the Layer 3 or Layer 4 protocol that the sensor will use to match malicious traffic
selecting the scope of matching (for example, single packet)
Which two methods can be used together to configure a Cisco IPS signature set into detection mode when tuning the Cisco IPS appliance to reduce false positives? (Choose two.)
Subtract all aggressive actions using event action filters.
Enable verbose alerts using event action overrides.
Which parameter is used to configure a signature to fire if the activity it detects happens a certain number of times for the same address set within a specified period of time?
Numerous attacks using duplicate packets, changed packets, or out-of-order packets are able to successfully evade and pass through the Cisco IPS appliance when it is operating in inline mode. What could be causing this problem?
The normalizer is set to asymmetric mode.
Threat rating calculation is performed based on which factors?
risk rating and adjustment based on the prevention actions taken
Which option is best to use to capture only a subset of traffic (capturing traffic per-IP-address, per- protocol, or per-application) off the switch backplane and copy it to the Cisco IPS appliance?
Which three statements about the Cisco IPS appliance normalizer feature are true? (Choose three.)
only operates in inline modes
tracks session states and stops packets that do not fully match session state
modifies ambiguously fragmented IP traffic
Which two switching-based mechanisms are used to deploy high availability IPS using multiple Cisco IPS appliances? (Choose two.)
Spanning Tree-based HA
Which configuration is required when setting up the initial configuration on the Cisco ASA 5505 to support the Cisco ASA AIP-SSC?
Configure a VLAN interface as a management interface to access the Cisco ASA AIP-SSC.
A Cisco IPS appliance running in a network environment with asymmetrical traffic flow is experiencing many false positive alerts that are triggered by the 13000 signature ID. What can the IPS administrator tune on the IPS to reduce the false positives?
set the AD operational mode to inactive
Which two interface modes can be implemented with a single physical sensing interface on the Cisco IPS 4200 Series appliance? (Choose two.)
inline VLAN pair
Referring to the monitor session 1 destination GigabitEthernet0/47 ingress Cisco Catalyst switch command, what does the "ingress" command option enable?
Allow the SPAN port (GigabitEthernet0/47) to be a source of traffic (for TCP resets).
What about this configuration command is true: ips inline fail-open sensor sensor_name?
will enable the desired traffic to be diverted from the Cisco ASA to one of the Cisco ASA AIPSSM virtual sensors
Which Cisco IPS appliance feature has the following three potential settings: off, partial, and full?
global correlation network participation
In tuning a Cisco IPS signature, you need to edit the regexp string of the Cisco IPS signature, but when editing the signature, the regexp string of the signature cannot be edited. What should you do?
Clone the signature, then edit the cloned signature, then disable the original signature.
During Cisco IPS appliance troubleshooting, you notice that all the signatures are set to Fire All. What can cause this situation to occur?
Summarizer has been disabled globally.
Which Cisco IPS appliance TCP session tracking mode should be used if packets of the same session are coming to the sensor over different interfaces, but should be treated as a single session?
What will happen if you try to recover the password on the Cisco IPS 4200 Series appliance on which password recovery is disabled?
The password recovery process will proceed with no errors or warnings; however, the password is not reset.
The Cisco IPS appliance risk category is used with which other feature?
event action overrides
Which two Cisco IPS modules support sensor virtualization? (Choose two.)
When upgrading a Cisco IPS AIM or IPS NME using manual upgrade, what must be performed before installing the upgrade?
Disable the heartbeat reset on the router.
When using the Cisco IPS signature and engine auto updates feature from Cisco.com, which password must be configured on the IDM Auto/Cisco.com Update pane?
the CCO user account password
Which signature action should be selected to cause the attacker's traffic flow to terminate when the Cisco IPS appliance is operating in promiscuous mode?
What must be configured to enable Cisco IPS appliance reputation filtering and global correlation?
DNS server(s) IP address
Which two operations would put an inline Cisco IPS sensor in detection mode? (Choose two.)
subtract all aggressive actions using event action filters
remove the default event action override, which drops traffic with a risk rating of 90 to 100
Which two statements are true with respect to the AIP-SSC? (Choose two.)
The AIP-SSC supports fail open.
The AIP-SSC supports both promiscuous and inline analysis.
Which statement about the 4-port GigabitEthernet card with hardware bypass is true?
Hardware bypass only works with inline interface pairs.
W hat must be configured to enable Cisco IPS appliance reputation filtering and global correlation?
DNS serve r(s) IP address . full sensor based network participation B
Which two statements are true with respect to the AIP-SSM? (Choose two.)
The AIP-SSM supports up to four virtual sensors.
The AIP-SSM supports both promiscuous and inline analysis.
The Cisco IPS sensor can obtain operating system identification data from which two sources? (Choose two.)
passive operating system fingerprinting
manual operating system mappings configured on the Cisco IPS appliance
Which statement about inline VLAN pair deployment with the Cisco IPS 4200 Series appliance is true?
The sensing interface acts as an 802.1q trunk port, and the Cisco IPS appliance performs VLAN translation between pairs of VLANs.
When setting up a Cisco IPS appliance in promiscuous mode, which Cisco Catalyst switch command is used to display information about all SPAN and remote SPAN sessions on the switch?
Regarding the Cisco IPS appliance anomaly detection feature, which two of these would be considered scan events? (Choose two.)
an unacknowledged TCP SYN
a unidirectional UDP session
All signatures in the Cisco IPS signature set include which three parameters that can be tuned according to the environment? (Choose three.)
vulnerable OS list
alert severity rating
signature fidelity rating
Which two statements are true regarding the Cisco IPS appliance traffic normalizer? (Choose two.)
It only operates in inline mode.
It can help prevent false negatives that are caused by evasions.
In which three ways can you achieve better Cisco IPS appliance performance? (Choose three.) the Cisco IPS appliance behind a firewall.
Place B . Disable unneeded signatures.
Enable unidirectional capture.
On the Cisco IPS appliance, the anomaly detection knowledge base is used to store which two types of information for each service? (Choose two.)
on the active signature window, there is a advanced option on bottom right corner, when we drill down that window to miscellaneous tab ? on the exam it shows that window with few answers, so please navigate that window and understand the options there.
Configure the application policy parameters (also known as AIC signatures) You can configure the sensor to provide Layer 4 to Layer 7 packet inspection to prevent malicious attacks related to web services. You first set up the AIC parameters, then you can either use the default AIC signatures or tune them.
You are tasked to create a custom IPS signature using the IDM Custom Signature Wizard to detect a network reconnaissance attack in which one system makes connections to multiple hosts on multiple TCP ports. Which Cisco IPS signature engine should be selected to configure this custom IPS signature?
From Cisco Security Manager, which external component or service is used to access in-depth signature information?
Cisco IntelliShield Service