CISCO 642-627 EXAM QUESTIONS & ANSWERS 642-627 EXAM QUESTIONS & ANSWERS Exam Name: Implementing Cisco Intrusion Prevention System v6.0 (IPS) Sections 1. Troubleshooting 2. Configuration

CISCO 642-627 EXAM QUESTIONS & ANSWERS

Number: 642-627Passing Score: 790Time Limit: 60 minFile Version: 42.4

http://www.gratisexam.com/

CISCO 642-627 EXAM QUESTIONS & ANSWERS

Exam Name: Implementing Cisco Intrusion Prevention System v6.0 (IPS)

Sections1. Troubleshooting2. Configuration3. Hardware4. Simlet5. LAB

Exam A

QUESTION 1Which three are global correlation network participation modes? (Choose three.)

A. offB. partial participation C. reputation filtering D. detect E. full participationF. learning

Correct Answer: ABESection: ConfigurationExplanation

Explanation/Reference:http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_collaboration.html

QUESTION 2What are four properties of an IPS signature? (Choose four.)

A. reputation rating B. fidelity ratingC. summarization strategyD. signature engine E. global correlation modeF. signature ID and signature status

Correct Answer: BCDFSection: ConfigurationExplanation

Explanation/Reference:http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/3.1/user/guide/ipsvchap.html#wp1912551

Official Guide - Page

QUESTION 3The custom signature ID of a Cisco IPS appliance has which range of values?

A. 10000 to 19999B. 20000 to 29999C. 50000 to 59999 D. 60000 to 65000E. 80000 to 90000 F. 1 to 20000

Correct Answer: DSection: Configuration

Explanation

Explanation/Reference:http://www.cisco.com/en/US/docs/security/ips/5.0/configuration/guide/idm/dmsigwiz.html

Signature Identification Field Definitions

The following fields and buttons are found in the Signature Identification window of the Custom SignatureWizard.

Field Descriptions:

•Signature ID—Identifies the unique numerical value assigned to this signature.

The signature ID lets the sensor identify a particular signature. The signature ID is reported to the Event Viewerwhen an alert is generated. The valid range is between 60000 and 65000.

QUESTION 4Which Cisco IPS NME interface is visible to the NME module but not visible in the router configuration and actsas the sensing interface of the NME module?

A. ids-sensor 0/1 interfaceB. ids-sensor 1/0 interfaceC. gigabitEthernet 0/1D. gigabitEthernet 1/0E. management 0/1F. management 1/0

Correct Answer: CSection: TroubleshootingExplanation

Explanation/Reference:http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_nme.html#wp1057817

Office Guide - Page 546

QUESTION 5Which two methods can be used together to configure a Cisco IPS signature set into detection mode whentuning the Cisco IPS appliance to reduce false positives? (Choose two.)

A. Subtract all aggressive actions using event action filters. B. Enable anomaly detection learning mode.C. Enable verbose alerts using event action overrides.D. Decrease the number of events required to trigger the signature.E. Increase the maximum inter-event interval of the signature.

Correct Answer: ACSection: ConfigurationExplanation

Explanation/Reference:Office Cisco Guide Chapter 13

1 > Remove all agressive actions from all signature s using event action filters

2 > Add verbose alerts using event action overrides3 > Add logging packets between the attacker and the victim using event action overrides

QUESTION 6Which four parameters are used to configure how often the Cisco IPS appliance generates alerts when asignature is firing? (Choose four.)

A. summary mode


B. summary intervalC. event count keyD. global summary threshold E. summary keyF. event count G. summary countH. event alert mode

Correct Answer: ABDFSection: ConfigurationExplanation

Explanation/Reference:

NB: Watch for Summary Threshold instead of Event Co unt

QUESTION 7Which statement about inline VLAN pair deployment with the Cisco IPS 4200 Series appliance is true?

A. The sensing interface acts as an 802.1q trunk port, and the Cisco IPS appliance performs VLAN translationbetween pairs of VLANs.

B. The Cisco IPS appliance connects to two physically distinct switches using two paired physical interfaces. C. Two sensing interfaces connect to the same switch that forwards traffic between two VLANs. D. The pair of sensing interfaces can be selectively divided (virtualized) into multiple logical "wires" by VLANs

that can be analyzed separately.

Correct Answer: ASection: ConfigurationExplanation

Explanation/Reference:Cisco Guide - page 102

QUESTION 8Which four statements about Cisco IPS appliance anomaly detection histograms are true? (Choose four.)

A. Histograms are learned or configured manually.B. Destination IP address row is the same for all histograms.C. Source IP address row can be learned or configured. D. Anomaly detection only builds a single histogram for all services in a zone.

E. You can enable a separate histogram and scanner threshold for specific services, or use the default one forall other services.

F. Anomaly detection histograms only track source (attacker) IP addresses.

Correct Answer: ABCESection: ConfigurationExplanation

Explanation/Reference:Cisco Guide Page 261

QUESTION 9Which two switching-based mechanisms are used to deploy high availability IPS using multiple Cisco IPSappliances? (Choose two.)

A. Spanning Tree-based HAB. HSRP-based HAC. EtherChannel-based HAD. VRRP-based HA

Correct Answer: ACSection: ConfigurationExplanation

Explanation/Reference:Official Cisco Guide Chapter 21

When network switches are used to provide High Availability you have two options

EtherChannel based HASTP based HA

QUESTION 10What is the correct regular expression to match a URI request equal to /test.exe?

A. /test.exeB. Vtest\.exeC. /test\.exeD. */test\.exeE. \*/test\.exeF. */test.exe


Explanation/Reference:https://supportforums.cisco.com/community/netpro/security/intrusion-prevention/blog/2010/12/23/introduction-to-regular-expressions-for-ips

http://regexlib.com/DisplayPatterns.aspx?cattabindex=1&categoryid=2&p=4

http://wdvl.com/Style/Languages/Perl/PerlfortheWeb/perlintro2_table1.html

the . has a special meaning = match any character which would have the result testaexe, test$exe etc- wouldme matched as well as test.exe

the \ removes the special meaning from the . so it is now just matching the .exe -- so = test.exe exactly has tobe matched.

see the above links as to why the other answers are not valid.

QUESTION 11Which four types of interface modes are available on the Cisco IPS 4200 Series appliance? (Choose four.)

A. promiscuousB. inline TAP C. inline interfaceD. inline VLAN pair E. VLAN groupsF. bypass

Correct Answer: ACDESection: HardwareExplanation

Explanation/Reference:http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_interfaces.html#wp1047079

https://supportforums.cisco.com/thread/2463764000 series does not support bypass mode

QUESTION 12Which option is best to use to capture only a subset of traffic (capturing traffic per-IP-address, per-protocol, orper-application) off the switch backplane and copy it to the Cisco IPS appliance?

A. SPANB. PBRC. VACLD. MPFE. STP

Correct Answer: CSection: ConfigurationExplanation

Explanation/Reference:http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/vacl.html#wp1037197

QUESTION 13

Refer to the exhibit. Which statement is true?

A. A summary alert is sent once during each interval for each unique Summary Key entry. B. An alert is generated each time the signature triggers. C. This signature does not fire until three events are seen during 60 seconds with the same attacker and victim

IP addresses and ports.D. This signature is disabled by default.E. When this signature triggers, the Cisco IPS appliance sends an SNMP trap for this event.


Explanation/Reference:Official Gudie Page

NB : even if the box is not checked it is still in use - it is the default action/configuration - ticking it is allowing editof that value

QUESTION 14What are the three anomaly detection modes? (Choose three.)

A. detectB. active C. inactive D. learnE. full F. partial

Correct Answer: ACDSection: ConfigurationExplanation

Explanation/Reference:http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.0/user/guide/ipsanom.html

Anomaly detection has the following modes:

•Learning accept mode (initial setup)Although anomaly detection is in detect mode by default, it conducts an initial learning accept mode for thedefault period of 24 hours. We assume that during this phase no attack is being carried out. Anomaly detectioncreates an initial baseline, known as a knowledge base, of the network traffic. The default interval value forperiodic schedules is 24 hours and the default action is rotate, meaning that a new knowledge base is savedand loaded, and then replaces the initial knowledge base after 24 hours.

Keep the following in mind:–Anomaly detection does not detect attacks when working with the initial knowledge base, which is empty. Afterthe default of 24 hours, a knowledge base is saved and loaded and now anomaly detection also detectsattacks.

–Depending on your network complexity, you may want to have anomaly detection in learning accept mode forlonger than the default 24 hours. You configure the mode in the Virtual Sensors policy; see Defining A VirtualSensor, page 28-5. After your learning period has finished, edit the virtual sensor and change the mode toDetect.

•Detect modeFor ongoing operation, the sensor should remain in detect mode. This is for 24 hours a day, 7 days a week.Once a knowledge base is created and replaces the initial knowledge base, anomaly detection detects attacksbased on it. It looks at the network traffic flows that violate thresholds in the knowledge base and sends alerts.As anomaly detection looks for anomalies, it also records gradual changes to the knowledge base that do notviolate the thresholds and thus creates a new knowledge base. The new knowledge base is periodically savedand takes the place of the old one thus maintaining an up-to-date knowledge base.

•Inactive mode

You can turn anomaly detection off by putting it in inactive mode. Under certain circumstances, anomalydetection should be in inactive mode, for example, if the sensor is running in an asymmetric environment.Because anomaly detection assumes it gets traffic from both directions, if the sensor is configured to see onlyone direction of traffic, anomaly detection identifies all traffic as having incomplete connections, that is, asscanners, and sends alerts for all traffic flows.

QUESTION 15Which type of signature engine is best suited for creating custom signatures that inspect data at OSI Layer 5and above?

A. AtomicB. StringC. SweepD. ServiceE. Meta F. Flood

Correct Answer: DSection: ConfigurationExplanation

Explanation/Reference:http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/cli/cli_signature_engines.html#wp1014328

Service Engines

The Service engines analyze Layer 5+ traffic betwee n two hosts . These are one-to-one signatures thattrack persistent data. The engines analyze the Layer 5+ payload in a manner similar to the live service.

Exam B

QUESTION 1A Cisco Catalyst switch is experiencing packet drops on a SPAN destination port that is connected to an CiscoIPS appliance. Which three configurations should be considered to resolve the packet drops issue? (Choosethree.)

A. Configure an additional SPAN session to a different Cisco IPS appliance interface connected to the samevirtual sensor.

B. Configure an EtherChannel bundle as the SPAN destination port.C. Configure RSPAN.D. Configure VACL capture. E. Configure the Cisco IPS appliance to inline mode.

Correct Answer: ABDSection: TroubleshootingExplanation

Explanation/Reference:http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml#topic8-4Can You Configure SPAN on an EtherChannel Port?

An EtherChannel does not form if one of the ports i n the bundle is a SPAN destination port . If you try toconfigure SPAN in this situation, the switch tells you:

http://www.cisco.com/en/US/docs/solutions/Enterpris e/Data_Center/ServerFarmSec_2.1/9_M_NIDS.html#wp1089201

SPAN is only used with Promiscuous Mode.

QUESTION 2Which signature action should be selected to cause the attacker's traffic flow to terminate when the Cisco IPSappliance is operating in promiscuous mode?

A. deny connectionB. deny attackerC. reset TCP connection D. deny packet, reset TCP connectionE. deny connection, reset TCP connection


Explanation/Reference:Deny attacker is only available in inline mode!

http://www.cisco.com/web/about/security/intelligence/ipsmit.html#7

Promiscuous Mode Event ActionsThe following event actions can be deployed in Promiscuous mode. These actions are in affect for a user-configurable default time of 30 minutes. Because the IPS sensor must send the request to another device orcraft a packet, latency is associated with these actions and could allow some attacks to be successful. Blockingthrough usage of the Attack Response Controller (ARC) has the potential benefit of being able to perform to thenetwork edge or at multiple places within the network.

Request block host: This event action will send an ARC request to block the host for a specified time frame,preventing any further communication. This is a severe action that is most appropriate when there is minimalchance of a false alarm or spoofing.

Request block connection: This action will send an ARC response to block the specific connection. This actionis appropriate when there is potential for false alarms or spoofing.

Reset TCP connection : This action is TCP specific, and in instances where the attack requires several TCPpackets, this can be a successful action. However, in some cases where the attack only needs one packet itmay not work as well. Additionally, TCP resets are not very effective with protocols such as SMTP thatconsistently try to establish new connections, nor are they effective if the reset cannot reach the destinationhost in time.

Event actions can be specified on a per signature basis, or as an event action override (based on risk ratingvalues – event action override only). In the case of event action override, specific event actions are performedwhen specific risk rating value conditions are met. Event action overrides offer consistent and simplifiedmanagement. IPS version 6.0 contains a default event action override with a deny-packet-inline action forevents with a risk rating between 90 and 100. For this action to occur, the device must be deployed in Inlinemode.

QUESTION 3During Cisco IPS appliance troubleshooting, you notice that all the signatures are set to Fire All. What cancause this situation to occur?

A. A new signature engine update package has been loaded to the Cisco IPS appliance.B. A new signature/virus update package has been loaded to the Cisco IPS appliance.C. Summarizer has been disabled globally. D. All the signatures have been set to the default state.E. All the signatures have been retired, and then unretired.


Explanation/Reference:http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_tech_note09186a0080838bcf.shtml

QUESTION 4From which three sources does the Cisco IPS appliance obtain OS mapping information? (Choose three.)

A. from manually configured OS mappingsB. imported OS mappings from Management Center for Cisco Security Agent C. imported OS mappings from Cisco Security Manager D. learned OS mappings from passive OS fingerprinting E. learned OS mappings from CiscoSensorBase input F. from Cisco IPS signature updates

Correct Answer: ABDSection: TroubleshootingExplanation

Explanation/Reference:http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.1/user/guide/ipsevact.html#wp707692

There are three sources of OS information. The sens or ranks the sources of OS information in the

following order:

1. Configured OS mappings—OS mappings that you enter on the OS Identification tab of the Event ActionsNetwork Information policy. You can configure different mappings for each virtual sensor. For more information,see Configuring OS Identification (Cisco IPS 6.x and Later Sensors Only).

We recommend configuring OS mappings to define the identity of the OS running on critical systems. It is bestto configure OS mappings when the OS and IP address of the critical systems are unlikely to change.

2. Imported OS mappings—OS mappings imported from Management Center for Cisco Security Agents(CSA MC).

Imported OS mappings are global and apply to all virtual sensors. For information on configuring the sensor touse CSA MC, see Configuring the External Product Interface, page 32-23.

3. Learned OS mappings—OS mappings observed by the sensor through the fingerprinting of TCP packetswith the SYN control bit set.

Learned OS mappings are local to the virtual sensor that sees the traffic.

When the sensor needs to determine the OS for a target IP address, it consults the configured OS mappings. Ifthe target IP address is not in the configured OS mappings, the sensor looks in the imported OS mappings. Ifthe target IP address is not in the imported OS mappings, the sensor looks in the learned OS mappings. If itcannot find it there, the sensor treats the OS of the target IP address as unknown.

QUESTION 5Which IPS alert action is available only in inline mode?

A. produce verbose alert B. request rate limitC. reset TCP connectionD. log attacker/victim pair packetsE. deny-packet-inlineF. request block connection

Correct Answer: ESection: ConfigurationExplanation

Explanation/Reference:http://www.cisco.com/web/about/security/intelligence/ipsmit.html

Inline Mode Event ActionsThe following actions require the device to be deployed in Inline mode and are in affect for a user- configurabledefault time of 3600 seconds (60 minutes).

Deny attacker inline: This action is the most severe and effectively blocks all communication from the attackinghost that passes through the IPS for a specified period of time. Because this event action is severe,administrators are advised to use this only when the probability of false alarms or spoofing is minimal.

Deny attacker service pair inline: This action prevents communication between the attacker IP address and theprotected network on the port in which the event was detected. However, the attacker would be able tocommunicate on another port that has hosts on the protected network. This event action works well for wormsthat attack many hosts on the same service port. If an attack occurred on the same host but on another port,this communication would be allowed. This event action is appropriate when the likelihood of a false alarm orspoofing is minimal.

Deny attacker victim pair inline: This action prevents the attacker from communicating with the victim on any

port. However, the attacker could communicate with other hosts, making this action better suited for exploitsthat target a specific host. This event action is appropriate when the likelihood of a false alarm or spoofing isminimal.

Deny connection inline: This action prevents further communication for the specific TCP flow. This action isappropriate when there is the potential for a false alarm or spoofing and when an administrator wants to preventthe action but not deny further communication.

Deny packet inline : This action prevents the specific offending packet from reaching its intended destination.Other communication between the attacker and victim or victim network may still exist. This action isappropriate when there is the potential for a false alarm or spoofing. Note that for this action, the default timehas no effect.

Modify packet inline: This action enables the IPS device to modify the offending part of the packet. However, itforwards the modified packet to the destination. This action is appropriate for packet normalization and otheranomalies, such as TCP segmentation and IP fragmentation re-ordering.

QUESTION 6From the Cisco IPS appliance CLI setup command, one of the options is "Modify default threat preventionsettings? [no]". What is this option related to?

A. anomaly detection B. threat rating adjustmentC. event action override that denies high-risk network traffic with a risk rating of 90 to 100 D. risk rating adjustment with global correlationE. reputation filters


Explanation/Reference:http://www.cisco.com/en/US/docs/security/ips/6.2/configuration/guide/cli/cli_initializing.html

Modify default threat prevention settings?[no]:Step 11 Enter yes if you want to modify the default threat prevention settings.

Note: The sensor comes with a built-in override to add the deny packet event action to high risk ratin galerts. If you do not want this protection, disable automatic threat prevention.

QUESTION 7Which configuration is required when setting up the initial configuration on the Cisco ASA 5505 to support theCisco ASA AIP-SSC?

A. Configure a VLAN interface as a management interface to access the Cisco ASA AIP-SSC. B. Using MPF, configure which virtual sensor to use.C. Configure a management access rule to allow Cisco ASDM access from the Cisco ASA AIPSSC

management interface IP address.D. Configure a management access rule to allow SSH access from the Cisco ASA AIP-SSC management

interface IP address.


Explanation/Reference:http://www.cisco.com/en/US/docs/security/asa/quick_start/ips/ips_qsg.html

2 Connecting Management Interface Cables

•ASA 5505—The ASA 5505 does not have a dedicated management interface. You must use an ASA VLAN toaccess an internal management IP address over the backplane. Connect the management PC to one of thefollowing ports: Ethernet 0/1 through 0/7. These ports are assigned to VLAN 1 using the 192.168.1.1/24address. The internal IPS management address is 192.168.1.2/24.

QUESTION 8The Cisco IPS appliance risk category is used with which other feature?

A. anomaly detectionB. event action overridesC. global correlationD. reputation filter

Correct Answer: BSection: TroubleshootingExplanation

Explanation/Reference:http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_event_action_rules.html#wp2068398

QUESTION 9Which two Cisco IPS modules support sensor virtualization? (Choose two.)

A. AIP-SSMB. AIP-SSCC. IPS AIMD. IPS NMEE. IDSM-2

Correct Answer: AESection: HardwareExplanation

Explanation/Reference:http://my.safaribooksonline.com/book/certification/ccnp/9780132372107/using-cisco-ips-virtual-sensors/ch20lev1sec5

QUESTION 10Threat rating calculation is performed based on which factors?

A. risk rating and adjustment based on the prevention actions takenB. threat rating and event action overridesC. event action overrides and event action filtersD. risk rating and target value ratingE. alert severity and alert actions

Correct Answer: ASection: TroubleshootingExplanation

Explanation/Reference:http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/prod_white_paper0900aecd806e7299.html

Threat rating is a quantitative measure of your net work's threat level after IPS mitigation . The formula forthreat rating is:Threat Rating = Risk Rating - Alert RatingThe values of the alert ratings are listed below.• 45: deny-attacker-inline• 40: deny-attacker-victim-pair-inline• 40: deny-attacker-service-pair-inline• 35: deny-connection-inline• 35: deny-packet-inline• 35: modify-packet-inline• 20: request-block-host• 20: request-block-connection• 20: reset-tcp-connection• 20: request-rate-limitFor example, if an alert had a risk rating of 100 and the IPS mitigates the event with a deny-attacker-inlineaction, the threat rating would be calculated as:Threat Rating = Risk Rating - Alert Rating, or 100 - 45 = 55.Threat rating brings the value of risk rating to a new level. By taking the IPS mitigation action into account,threat rating helps you further focus on the most important threats that have not been mitigated.

QUESTION 11Refer to the exhibit. What happens when you click the Cisco Security MARS icon on the Cisco Security MARSquery result screen?

A. Cross-launch Cisco Security Manager to link the Cisco Security MARS event back to the IPS signature andpolicy within the Cisco Security Manager that triggered it.

B. Cross-launch Cisco IDM so the signature that triggered it can be examined.C. Cross-launch Cisco IDM to show the corresponding IPS alerts. D. Cross-launch Cisco Security Manager to show the corresponding IPS alerts.E. Cross-launch Cisco IME so the signature that triggered it can be examined.

Correct Answer: ASection: TroubleshootingExplanation

Explanation/Reference:http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5739/ps6241/product_data_sheet0900aecd80272e64.html

Cisco Security MARS integrates tightly with Cisco's premier security management suite, Cisco SecurityManager. This integration maps traffic-related syslog messages to the firewall policies defined in Cisco SecurityManager that triggered the event. Policy lookup enables rapid, round-trip analysis for troubleshooting firewall-configuration-related network issues, policy configuration errors, and fine-tuning defined policies.

http://www.cisco.com/en/US/docs/security/security_management/cs-mars/4.3/user/guide/local_controller/cfgcsm.html

Only visual reference I can find.

QUESTION 12Refer to the exhibit. What does the Deny Percentage setting affect?

A. the percentage of the signatures to be tuned by the event action filterB. the percentage of the Risk Rating value to be tuned by the event action filterC. the percentage of packets to be denied for the deny attacker actions D. the percentage of the signatures to be tuned by the event action overrides


Explanation/Reference:http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_event_action_rules.html#wp2032330

•Deny Percentage—Determines the percentage of packets to deny for deny attacker features. The valid rangeis 0 to 100. The default is 100 percent.

QUESTION 13Which protocol is used by Encapsulated Remote SPAN?

A. ESPB. GREC. TLSD. STPE. VTIF. 802.1Q

Correct Answer: BSection: ConfigurationExplanation

Explanation/Reference:http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/span.html#wp1059482

ERSPAN Overview

ERSPAN supports source ports, source VLANs, and destination ports on different switches, which providesremote monitoring of multiple switches across your network (see Figure 52-3).

ERSPAN consists of an ERSPAN source session, routable ERSPAN GRE-encapsulated traffic , and anERSPAN destination session. You separately configure ERSPAN source sessions and destination sessions ondifferent switches.

To configure an ERSPAN source session on one switch, you associate a set of source ports or VLANs with adestination IP address, ERSPAN ID number, and optionally with a VRF name. To configure an ERSPANdestination session on another switch, you associate the destination ports with the source IP address, ERSPANID number, and optionally with a VRF name.

ERSPAN source sessions do not copy locally sourced RSPAN VLAN traffic from source trunk ports that carryRSPAN VLANs. ERSPAN source sessions do not copy locally sourced ERSPAN GRE-encapsulated trafficfrom source ports.

Each ERSPAN source session can have either ports or VLANs as sources, but not both.

The ERSPAN source session copies traffic from the source ports or source VLANs and forwards the trafficusing routable GRE-encapsulated packets to the ERSPAN destination session. The ERSPAN destinationsession switches the traffic to the destination ports.

QUESTION 14In which three ways can you achieve better Cisco IPS appliance performance? (Choose three.)

A. Place the Cisco IPS appliance behind a firewall.B. Disable unneeded signatures.C. Enable unidirectional capture.D. Have multiple Cisco IPS appliances in the path and configure them to detect different types of events.E. Enable selective packet capture using VLAN ACL on the Cisco IPS 4200 Series appliance. F. Enable all anti-evasive measures to reduce noise.

Correct Answer: ABFSection: Hardware

Explanation

Explanation/Reference:Too many references -- need Official Guide to verify this one.

Only other choices are mulitple devices---but this seems at odds with the question.

Exam C

QUESTION 1What must be configured to enable Cisco IPS appliance reputation filtering and global correlation?

A. DNS server(s) IP addressB. full sensor based network participationC. trusted hosts settingsD. external product interfaces settings


Explanation/Reference:http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/ime/ime_collaboration.html

Global Correlation Requirements

Global correlation has the following requirements:

•Valid license

You must have a valid sensor license for global correlation features to function. You can still configure anddisplay statistics for the global correlation features, but the global correlation databases are cleared and noupdates are attempted. Once you install a valid license, the global correlation features are reactivated.

•Agree to network participation disclaimer

•External connectivity for sensor and a DNS server

The global correlation features of IPS 7.0 require the sensor to connect to the Cisco SensorBase Network.Domain name resolution is also required for these features to function. You can either configure the sensor toconnect through an HTTP proxy server that has a DNS client running on it, or you can assign an Internetrouteable address to the management interface of the sensor and configure the sensor to use a DNS server. InIPS 7.0 the HTTP proxy and DNS servers are used only by the global correlation features.

QUESTION 2What is a best practice to follow before tuning a Cisco IPS signature?

A. Disable all the alert actions on the signature to be tuned. B. Disable the signature to be tuned.C. Create a clone of the signature to be tuned.D. Increase the number of events required to trigger the signature to be tuned.E. Decrease the attention span (maximum inter-event interval) of the signature to be tuned


Explanation/Reference:Still Doubt here. 100% certain C is wrong.

A is best answer with B also possible.

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/prod_white_paper0900aecd8066d265.html

Official Guide - Chapter 13 Quiz - When tuning signatures it is recommended

Answer : By removing harmful actions during the tuning phase we can have visibility......without interferring withnormal traffic

"Do no harm" approach.

QUESTION 3Which three statements about the Cisco IntelliShield Alert Manager are true? (Choose three.)

A. Alert information is analyzed and validated by Cisco security analysts. B. Alert analysis is vendor-neutral.C. The built-in workflow system provides a mechanism for tracking vulnerability remediation and integration

with Cisco Security Manager and Cisco Security MARS. D. Users can customize the notification to deliver tailored information relevant to the needs of the organization E. Customers are automatically subscribed to use Cisco SecurityIntelliShield Alert Manager Service with the

Cisco IPS license.F. More than 10 report types are available within the Cisco SecurityIntelliShield Alert Manager Service.

Correct Answer: ABDSection: ConfigurationExplanation

Explanation/Reference:http://www.cisco.com/en/US/products/ps6834/serv_group_home.htmlA & D are clear.Still in doubt for B or C.

FeaturesContinuous threat and vulnerability updatesCustomized notifications that deliver tailored info rmation relevant to IT needs = DActionable alert intelligence analyzed and validate d by security analysts to assist in proactiveprevention =AIntegrated, easy to use tools for easy management of remediation effortsComprehensive intelligence information including historical coverage of over 14,000 alerts

BenefitsAccelerated elimination of threats through actionable security intelligenceCustomized intelligence to avoid sifting through irrelevant informationVendor-neutral analysis of threats and vulnerabilit ies help prevent IT attacks across businessenvironments = BWorkflow management tools enable efficient use of security staff resources

http://www.cisco.com/en/US/services/ps2827/ps6834/services_overview0900aecd803e85ee.pdf

Option C removal!No mention of integration at all with CSM or CS MAR S.

QUESTION 4Which four statements about the blocking capabilities of the Cisco IPS appliance are true? (Choose four.)

A. The three types of blocks are: host, connection, and network. B. Host and connection blocks can be initiated manually or automatically when a signature is triggered. C. Network blocks can only be initiated manually.D. The Device Login Profiles pane is used to configure the profiles that the network devices use when logging

into the Cisco IPS appliance

E. Multiple Cisco IPS appliances can forward their blocking requests to the master blocking sensor.F. Pre-Block and Post-Block ACLs are applicable for blocking or rate limiting.

Correct Answer: ABCESection: HardwareExplanation

Explanation/Reference:http://www.cisco.com/en/US/docs/security/ips/7.0/command/reference/crCmds.html#wp765330

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_blocking.html#wp2216370

It appears that block network is not available from the ARC module.

D is definitely incorrectUse the Device Login Profiles pane to configure the profiles that the sensor uses when logging in toblocking devices.

F is also incorrect Pre-Block and Post-Block ACLS do not apply to r ate limiting.

QUESTION 5OS mappings associate IP addresses with an OS type, which in turn helps the Cisco IPS appliance to calculatewhat other value?

A. TVRB. SFRC. ARRD. PDE. ASR



QUESTION 6On the Cisco IPS appliance, the anomaly detection knowledge base is used to store which two types ofinformation for each service? (Choose two.)

A. scanner thresholdB. packet per second rate limitC. anomaly detection modeD. histogram


E. total bytes transferred

Correct Answer: ADSection: HardwareExplanation


The knowledge base has a tree structure and contains the following information:

•Knowledge base name

•Zone name

•Protocol

•Service

The knowledge base holds a scanner threshold and a histogram for each service . If you have learningaccept mode set to automatic and the action set to rotate, a new knowledge base is created every 24 hours andused in the next 24 hours. If you have learning accept mode set to automatic and the action is set to save only,a new knowledge base is created but not loaded, and the current knowledge base is used. If you do not havelearning accept mode set to automatic, no knowledge base is created.

QUESTION 7Which four features are supported on the Cisco ASA AIP-SSM but are not supported on the Cisco ASA AIP-SSC? (Choose four.)

A. multiple virtual sensorsB. anomaly detection C. promiscuous modeD. custom signaturesE. fail openF. global correlation

Correct Answer: ABDFSection: HardwareExplanation

Explanation/Reference:http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/ps6825/product_data_sheet0900aecd80404916_ps6120_Products_Data_Sheet.html

QUESTION 8Which Cisco IPS appliance TCP session tracking mode should be used if packets of the same session arecoming to the sensor over different interfaces , but should be treated as a single session?

A. interface and VLANB. virtual sensorC. VLAN only D. promiscuousE. normalizer

Correct Answer: B

Section: HardwareExplanation

Explanation/Reference:http://www.cisco.com/en/US/docs/security/ips/7.1/configuration/guide/ime/ime_policies.html#wp2005229

Inline TCP Session Tracking Mode

When you choose to modify packets inline, if the packets from a stream are seen twice by the Normalizerengine, it cannot properly track the stream state and often the stream is dropped. This situation occurs mostoften when a stream is routed through multiple VLANs or interfaces that are being monitored by the IPS. Afurther complication in this situation is the necessity of allowing asymmetric traffic to merge for proper trackingof streams when the traffic for either direction is received from different VLANs or interfaces.

To deal with this situation, you can set the mode s o that streams are perceived as unique if they arereceived on separate interfaces and/or VLANs (or th e subinterface for VLAN pairs).

The following inline TCP session tracking modes apply:

•Interface and VLAN—All packets with the same session key (AaBb) in the same VLAN (or inline VLAN pair)and on the same interface belong to the same session. Packets with the same key but on different VLANs aretracked separately.

•VLAN Only—All packets with the same session key (AaBb) in the same VLAN (or inline VLAN pair) regardlessof the interface belong to the same session. Packets with the same key but on different VLANs are trackedseparately.

•Virtual Sensor—All packets with the same session k ey (AaBb) within a virtual sensor belong to thesame session. This is the default and almost always the best option to choose.

QUESTION 9Which four configuration elements can the virtual sensor of an Cisco IPS appliance have? (Choose four.)

A. interfaces or VLAN pairs B. IPS reputation filtersC. signature set definitionD. global correlation rulesE. event action rules (filters and overrides)F. anomaly detection policy

Correct Answer: ACEFSection: HardwareExplanation

Explanation/Reference:http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_policies.html#wpmkr2163359

You can apply the same policy, for example, sig0, rules0, and ad0, to different virtual sensors. The Add VirtualSensor dialog box displays only the interfaces that are available to be assigned to this virtual sensor. Interfacesthat have already been assigned to other virtual sensors are not shown in this dialog box.

You can also assign event action overrides to virtu al sensors, and configure the following modes:

•Anomaly detection operational mode

•Inline TCP session tracking mode

•Normalizer mode

The following fields are found in the Add and Edit Virtual Sensor dialog boxes:

•Virtual Sensor Name—Name for this virtual sensor.

•Description—Description for this virtual sensor.

•Interfaces —Lets you assign and remove interfaces for this virtual sensor.

–Assigned—Whether the interfaces or interface pairs have been assigned to the virtual sensor.

–Name—The list of available interfaces or interface pairs that you can assign to the virtual sensor(GigabitEthernet or FastEthernet).

–Details—Lists the mode (Inline Interface or Promiscuous) of the interface and the interfaces of the inline pairs.

•Signature Definition Policy —The name of the signature definition policy you want to assign to this virtualsensor. The default is sig0.

•Event Action Rules Policy —The name of the event action rules policy you want to assign to this virtualsensor. The default is rules0.

•Use Event Action Overrides—When checked, lets you configure event action overrides when you click Add toopen the Add Event Action Override dialog box.

–Risk Rating—Indicates the level of risk rating for this override.

–Actions to Add—Indicates the action to add to this override.

–Enabled—Indicates whether this override is enabled or disabled.

•Anomaly Detection Policy —The name of the anomaly detection policy you want to assign to this virtualsensor. The default is ad0.

•AD Operational Mode—The mode that you want the anomaly detection policy to operate in for this virtualsensor. The default is Detect.

•Inline TCP Session Tracking Mode—The mode used to segregate multiple views of the same stream if thesame stream passes through the sensor more than once. The default mode is Virtual Sensor.

–Interface and VLAN —All packets with the same session key (AaBb) in the same VLAN (or inline VLAN pair)and on the same interface belong to the same session. Packets with the same key but on different VLANs aretracked separately.

–VLAN Only—All packets with the same session key (AaBb) in the same VLAN (or inline VLAN pair) regardlessof the interface belong to the same session.Packets with the same key but on different VLANs are trackedseparately.

–Virtual Sensor—All packets with the same session key (AaBb) within a virtual sensor belong to the samesession.

•Normalizer Mode—Lets you choose which type of Normalizer mode you need for traffic inspection:

–Strict Evasion Protection—If a packet is missed for any reason, all packets after the missed packet are notprocessed. Strict evasion protection provides full enforcement of TCP state and sequence tracking.

Note Any out-of-order packets or missed packets can produce Normalizer engine signatures 1300 or 1330firings, which try to correct the situation, but can result in denied connections.

–Asymmetric Mode Protection—Can only see one direction of bidirectional traffic flow. Asymmetric mode

protection relaxes the evasion protection at the TCP layer.

Note Asymmetric mode lets the sensor synchronize state with the flow and maintain inspection for thoseengines that do not require both directions. Asymmetric mode lowers security because full protection requiresboth sides of traffic to be seen.

QUESTION 10Which value is not used by the Cisco IPS appliance in the risk rating calculation?

A. attack severity ratingB. target value ratingC. signature fidelity rating D. promiscuous deltaE. threat rating adjustmentF. watch list rating

Correct Answer: ESection: HardwareExplanation

Explanation/Reference:http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/prod_white_paper0900aecd806e7299.html

Risk Rating CalculationRisk rating is a quantitative measure of your network's threat level before IPS mitigation. For each event firedby IPS signatures, Cisco IPS Sensor Software calculates a risk rating number. The factors used to calculaterisk rating are:• Signature fidelity rating: This IPS-generated variable indicates the degree of attack certainty.• Attack severity rating: This IPS-generated variable indicates the amount of damage an attack can cause.• Target value rating: This user-defined variable indicates the criticality of the attack target. This is the onlyfactor in risk rating that is routinely maintained by the user. You can assign a target value rating per IP addressin Cisco IPS Device Manager or Cisco Security Manager. The target value rating can raise or lower the overallrisk rating for a network device. You can assign the following target values:– 75: Low asset value– 100: Medium asset value– 200: Mission-critical asset value• Attack relevancy rating: This IPS-generated value indicates the vulnerability of the attack target.• Promiscuous delta: The risk rating of an IPS deployed in promiscuous mode is reduced by the promiscuousdelta. This is because promiscuous sensing is less accurate than inline sensing. The promiscuous delta can beconfigured on a per-signature basis, with a value range of 0 to 30. (The promiscuous delta was introduced inCisco IPS Sensor Software Version 6.0.)• Watch list rating: This IPS-generated value is based on data found in the Cisco Security Agent watch list. TheCisco Security Agent watch list contains IP addresses of devices involved in network scans or possiblycontaminated by viruses or worms. If an attacker is found on the watch list, the watch list rating for that attackeris added to the risk rating. The value for this factor is between 0 and 35. (The watch list rating was introduced inCisco IPS Sensor Software Version 6.0.)The formula to calculate risk rating in Cisco IPS Sensor Software Version 6.0 is: Risk rating can help enhance your productivity as it intelligently assesses the level of risk of each event andhelps you focus on high-risk events.

QUESTION 11In a centralized Cisco IPS appliance deployment, it may not be possible to connect an IPS appliance to everyswitch or segment in the network. So, an IPS appliance can be deployed to inspect traffic on ports that arelocated on multiple remote network switches. In this case, which two configurations required? (Choose two.)

A. IPS promiscuous mode operations

B. in-line IPS operationsC. RSPAND. SPANE. HSRPF. SLB

Correct Answer: ACSection: HardwareExplanation

Explanation/Reference:No specific reference --- is in Videos from CBT

QUESTION 12Which three actions does the Cisco IDM custom signature wizard provide? (Choose three.)

A. selecting the signature engine to use or not to use any signature engineB. selecting the Layer 3 or Layer 4 protocol that the sensor will use to match malicious traffic C. selecting the attack relevancy rating D. selecting the signature threat ratingE. selecting the scope of matching (for example, single packet)

Correct Answer: ABESection: ConfigurationExplanation

Explanation/Reference:http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/idm/idm_signature_wizard.html#wp1655660

Shows A B E and nothing for C or D

QUESTION 13Which Cisco IPS appliance feature is best used to detect these two conditions? 1) The network startsbecoming congested by worm traffic. 2) A single worm-infected source enters the network and starts scanningfor other vulnerable hosts.

A. global correlationB. anomaly detectionC. reputation filteringD. custom signature E. meta signatureF. threat detection

Correct Answer: BSection: ConfigurationExplanation


Anomaly detection identifies worm-infected hosts by their behavior as a scanner. To spread, a wormvirus must find new hosts. It finds them by scannin g the Internet using TCP, UDP, and other protocolsto generate unsuccessful attempts to access differe nt destination IP addresses. A scanner is defined

as a source IP address that generates events on the same destination port (in TCP and UDP) for toomany destination IP addresses.

QUESTION 14What will happen if you try to recover the password on the Cisco IPS 4200 Series appliance on which passwordrecovery is disabled?

A. The GRUB menu will be disabled.B. The ROM monitor command to reset the password will be disabled.C. The password recovery process will proceed with no errors or warnings; however, the password is not reset.D. The Cisco IPS appliance will reboot immediately.


Explanation/Reference:http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_troubleshooting.html#wp1139544

If you try to recover the password on a sensor on which password recovery is disabled, the process proceedswith no errors or warnings; however, the password is not reset. If you cannot log in to the sensor because youhave forgotten the password, and password recovery is set to disabled, you must reimage your sensor.

QUESTION 15Which four networking tools does Cisco IME include that can be invoked for specific events, to learn moreabout attackers and victims using basic network reconnaissance? (Choose four.)

A. pingB. traceroute C. packet tracerD. nslookupE. whoisF. nmap

Correct Answer: ABDESection: TroubleshootingExplanation

Explanation/Reference:http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/ime/ime_getting_started.html

IME also supports tools such, as ping, trace route , DNS lookup, and whois lookup for selected events

Exam D

QUESTION 1

Select and Place:

Correct Answer:



QUESTION 2

Select and Place:

Correct Answer:

Section: ConfigurationExplanation


QUESTION 3

Select and Place:

Correct Answer:



QUESTION 4

Select and Place:

Correct Answer:

Section: ConfigurationExplanation


QUESTION 5

Select and Place:

Correct Answer:

Section: TroubleshootingExplanation


Exam E

QUESTION 1

Simlet - which area will you need to work in to get the answers for the simlet?

A. Home > Dashboard B. Configuration > Policies > Rule 0C. Configuration > Sensor SetupD. Configuration > Polices > virtual sensor

Correct Answer: BSection: SimletExplanation

Explanation/Reference:Self explanatory

QUESTION 2Simlet Question #1

*NB* -- This is only sample - real questions and an swers may vary so know the topics and purpose ofthe simlet and get a feel for the questions.

A. It is only enabled to indentify "Cisco IOS" OS using statically mapped OS fingerprintingB. OS mapping information will not be used for Risk Rating calculationsC. It is configured to enable OS mapping and ARR only for the 10.0.0.0/24 networkD. It is enabled for passive OS fingerprinting for all networks

Correct Answer: DSection: SimletExplanation

Explanation/Reference:Still trying to get a answer for this one.

http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/ime/ime_event_action_rules.html#wp2119120

Understanding Passive OS Fingerprinting

Passive OS fingerprinting lets the sensor determine the OS that hosts are running. The sensor analyzesnetwork traffic between hosts and stores the OS of these hosts with their IP addresses. The sensor inspectsTCP SYN and SYNACK packets exchanged on the network to determine the OS type.

The sensor then uses the OS of the target host OS to determine the relevance of the attack to the victim bycomputing the attack relevance rating component of the risk rating. Based on the relevance of the attack, thesensor may alter the risk rating of the alert for the attack and/or the sensor may filter the alert for the attack.You can then use the risk rating to reduce the number of false positive alerts (a benefit in IDS mode) ordefinitively drop suspicious packets (a benefit in IPS mode). Passive OS fingerprinting also enhances the alertoutput by reporting the victim OS, the source of the OS identification, and the relevance to the victim OS in thealert.

Passive OS fingerprinting consists of three components:•Passive OS learning

Passive OS learning occurs as the sensor observes traffic on the network. Based on the characteristics of TCPSYN and SYNACK packets, the sensor makes a determination of the OS running on the host of the source IPaddress.•User-configurable OS identification

You can configure OS host mappings, which take precedence over learned OS mappings.•Computation of attack relevance rating and risk rating



A. rules0B. vs0C. sig0D. ad0

E. ad1F. sig1

Correct Answer: CSection: SimletExplanation

Explanation/Reference:Default signature

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_signature_definitions.html

You can create multiple security policies and apply them to individual virtual sensors. A security policy is madeup of a signature definition policy, an event action rules policy, and an anomaly detection policy. Cisco IPScontains a default signature definition policy call ed sig0 , a default event action rules policy called rules0 ,and a default anomaly detection policy called ad0. You can assign the default policies to a virtual sensor or youcan create new policies.



A. Global correlation is configured in Audit mode for testing the feature without actually denying any hosts.B. Global correlation is configured in Aggressive mode, which has a very aggressive effect on deny actions.C. It will not adjust risk rating values based on the known bad hosts list.D. Reputation filtering is disabled.

Correct Answer: DSection: SimletExplanation

Explanation/Reference:http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_collaboration.html#wp1054333


*NB* -- This is only sample - real questions and an swers may vary so know the topics and purpose of

the simlet and get a feel for the questions.

A. This is a custom signature.B. The severity level is High.C. This signature has triggered as indicated by the red severity icon.D. Produce Alert is the only action defined.E. This signature is enabled, but inactive, as indicated by the/0 to that follows the signature

number.

Correct Answer: BDSection: SimletExplanation

Explanation/Reference:http://www.cisco.com/en/US/docs/security/ips/7.1/configuration/guide/ime/ime_signature_wizard.pdf

QUESTION 6This is the most likely shot of the LAB

A. Tasks = 41: Event Action Overrides

Verify and enable this feature for rules0 instance

2: Risk Category name MYCUSTOMRISKcreate a custom risk category named MYCUSTOMRISKassign this category a risk threshold of 80 (hard to see could be 90)

Modify the the new MYCUSTOMRISK to take the following actions > Deny Attacker Inline > Produce Alert > Reset TCP Connection

3: Modify the Red Threat ThresholdModify the value to 80 to enable the new risk category to be included in the Red Threshold level for network security health statistics alert threat categorization

4 : REMEMBER TO SAVE AND APPLY ALL CHANGES AS NEEDED ( MEANS AS YOU GO - DO NOTWAIT TILL END TO SAVE CHANGES)

Correct Answer: ASection: LABExplanation


#3 http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/ime/ime_dashboards.html

Sensor Health Gadget

The Sensor Health gadget visually displays sensor health and network security information in two coloredmeters. The meters are labeled Normal, Needs Attention, or Critical according to an analysis of the specificmetrics. The overall health status is set to the highest severity of all the metrics you configured. For example, ifyou configure eight metrics to determine the sensor health and seven of the eight are green while one is red,the overall sensor health is displayed as red.

The dashboard is not available -- You have to look for the Red Threat Option under the Policies Screen !It is a small field at the bottom of the screen.


Documents

CISCO 642-627 EXAM QUESTIONS & ANSWERS 642-627 EXAM QUESTIONS & ANSWERS Exam Name: Implementing Cisco Intrusion Prevention System v6.0 (IPS) Sections 1. Troubleshooting 2. Configuration