
CertifyMe

Number: 642-627
Passing Score: 790
Time Limit: 60 min
File Version: 8.0

http://www.gratisexam.com/

CertifyMe 642-627

Sections
1. Troubleshooting
2. Configuration
3. Hardware
4. Simlet
5. LAB

Exam A

QUESTION 1
Which three are global correlation network participation modes? (Choose three.)

A. off
B. partial participation
C. reputation filtering
D. detect
E. full participation
F. learning

Correct Answer: ABE
Section: Configuration

Explanation/Reference:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_collaboration.html

QUESTION 2
What are four properties of an IPS signature? (Choose four.)

A. reputation rating
B. fidelity rating
C. summarization strategy
D. signature engine
E. global correlation mode
F. signature ID and signature status

Correct Answer: BCDF
Section: Configuration

Explanation/Reference:
http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/3.1/user/guide/ipsvchap.html#wp1912551

Official Guide - Page

QUESTION 3
The custom signature ID of a Cisco IPS appliance has which range of values?

A. 10000 to 19999
B. 20000 to 29999
C. 50000 to 59999
D. 60000 to 65000
E. 80000 to 90000
F. 1 to 20000

Correct Answer: D
Section: Configuration

Explanation/Reference:
http://www.cisco.com/en/US/docs/security/ips/5.0/configuration/guide/idm/dmsigwiz.html

Signature Identification Field Definitions

The following fields and buttons are found in the Signature Identification window of the Custom Signature Wizard.

Field Descriptions:

• Signature ID—Identifies the unique numerical value assigned to this signature.

The signature ID lets the sensor identify a particular signature. The signature ID is reported to the Event Viewer when an alert is generated. The valid range is between 60000 and 65000.

QUESTION 4
When upgrading a Cisco IPS AIM or IPS NME using manual upgrade, what must be performed before installing the upgrade?

A. Disable the heartbeat reset on the router.
B. Enable fail-open IPS mode.
C. Enable the Router Blade Configuration Protocol.
D. Gracefully halt the operating system on the Cisco IPS AIM or IPS NME.

Correct Answer: A
Section: Hardware

Explanation/Reference:
http://www.cisco.com/en/US/docs/security/ips/7.0/release/notes/18483_01.html

Using manual upgrade:

– If you want to manually update your sensor, copy the 7.0(1)E3 update files to the directory on the server that your sensor polls for updates.

– When you upgrade the AIM IPS or the NME IPS using manual upgrade, you must disable heartbeat reset on the router before installing the upgrade. You can reenable heartbeat reset after you complete the upgrade. If you do not disable heartbeat reset, the upgrade can fail and leave the AIM IPS or the NME IPS in an unknown state, which can require a system reimage to recover.

Official guide - Page 548

QUESTION 5
Which Cisco IPS NME interface is visible to the NME module but not visible in the router configuration and acts as the sensing interface of the NME module?

A. ids-sensor 0/1 interface
B. ids-sensor 1/0 interface
C. gigabitEthernet 0/1
D. gigabitEthernet 1/0
E. management 0/1
F. management 1/0

Correct Answer: C
Section: Troubleshooting

Explanation/Reference:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_nme.html#wp1057817

Official Guide - Page 546

QUESTION 6
Which two methods can be used together to configure a Cisco IPS signature set into detection mode when tuning the Cisco IPS appliance to reduce false positives? (Choose two.)

A. Subtract all aggressive actions using event action filters.
B. Enable anomaly detection learning mode.
C. Enable verbose alerts using event action overrides.
D. Decrease the number of events required to trigger the signature.
E. Increase the maximum inter-event interval of the signature.

Correct Answer: AC
Section: Configuration

Explanation/Reference:
Official Cisco Guide Chapter 13

1. Remove all aggressive actions from all signatures using event action filters
2. Add verbose alerts using event action overrides
3. Add logging packets between the attacker and the victim using event action overrides

QUESTION 7
In which CLI configuration mode is the Cisco IPS appliance management IP address configured?

A. global configuration ips(config)#

B. service network-access ips(config-net)#

C. service host network-settings ips(config-hos-net)#

D. service interface ips(config-int)#

Correct Answer: C
Section: Configuration

Explanation/Reference:
http://www.cisco.com/en/US/docs/security/ips/7.1/configuration/guide/cli/cli_setup.html#wp1031325

QUESTION 8
Which four parameters are used to configure how often the Cisco IPS appliance generates alerts when a signature is firing? (Choose four.)

A. summary mode
B. summary interval


C. event count key
D. global summary threshold
E. summary key
F. event count
G. summary count
H. event alert mode

Correct Answer: ABDF
Section: Configuration

Explanation/Reference:

NB: Watch for Summary Threshold instead of Event Count

QUESTION 9
Which three Cisco IPS cross-launch capabilities do Cisco Security Manager and Cisco Security MARS support? (Choose three.)

A. Edit IPS signatures in Cisco Security Manager from a Cisco Security MARS query.
B. Create custom signatures in Cisco Security Manager from a Cisco Security MARS query.
C. Create event action filters in Cisco Security Manager from a Cisco Security MARS query.
D. Create a Cisco Security MARS drop rule from Cisco Security Manager policy.
E. Create a Cisco Security MARS user inspection rule from Cisco Security Manager policy.
F. Query Cisco Security MARS from Cisco Security Manager policy.

Correct Answer: ACF
Section: Configuration

Explanation/Reference:
Cisco Official Guide Pg 435

"...MARS creates queries that include a launch point for CSM. When CSM is launched, you can carry out the following (cross-connected actions):

Edit an IPS Signature
Add an event action filter to an IPS configuration in Cisco Security Manager

and when you use CSM to cross-launch MARS, you can query events that were originated by the signatures in CSM."

http://my.safaribooksonline.com/book/certification/ccnp/9780132372107/integrating-cisco-ips-with-csm-and-cisco-security-mars/435#

Just below graphic on page 435

QUESTION 10
Which statement about inline VLAN pair deployment with the Cisco IPS 4200 Series appliance is true?

A. The sensing interface acts as an 802.1q trunk port, and the Cisco IPS appliance performs VLAN translation between pairs of VLANs.
B. The Cisco IPS appliance connects to two physically distinct switches using two paired physical interfaces.
C. Two sensing interfaces connect to the same switch that forwards traffic between two VLANs.
D. The pair of sensing interfaces can be selectively divided (virtualized) into multiple logical "wires" by VLANs that can be analyzed separately.

Correct Answer: A
Section: Configuration

Explanation/Reference:Cisco Guide - page 102

QUESTION 11
Which four statements about Cisco IPS appliance anomaly detection histograms are true? (Choose four.)

A. Histograms are learned or configured manually.
B. Destination IP address row is the same for all histograms.
C. Source IP address row can be learned or configured.
D. Anomaly detection only builds a single histogram for all services in a zone.
E. You can enable a separate histogram and scanner threshold for specific services, or use the default one for all other services.
F. Anomaly detection histograms only track source (attacker) IP addresses.

Correct Answer: ABCE
Section: Configuration

Explanation/Reference:Cisco Guide Page 261

QUESTION 12
You are working with Cisco TAC to troubleshoot a software problem on the Cisco IPS appliance. TAC suspects a fault with the NotificationApp software module in the Cisco IPS appliance. In this case, which Cisco IPS appliance operations may be most affected by the NotificationApp software module fault?

A. SNMP
B. IDM or IME
C. global correlation
D. remote blocking
E. anomaly detection
F. SDEE

Correct Answer: A
Section: Troubleshooting

Explanation/Reference:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_system_architecture.html#wp1009053

NotificationApp allows the sensor to send alerts and system error messages as SNMP traps. It subscribes to events in the Event Store and translates them into SNMP MIBs and sends them to destinations through a public-domain SNMP agent. NotificationApp supports sending sets and gets. The SNMP GETs provide information about basic sensor health.

QUESTION 13
Which two switching-based mechanisms are used to deploy high availability IPS using multiple Cisco IPS appliances? (Choose two.)

A. Spanning Tree-based HA
B. HSRP-based HA
C. EtherChannel-based HA
D. VRRP-based HA

Correct Answer: AC
Section: Configuration

Explanation/Reference:
Official Cisco Guide Chapter 21

When network switches are used to provide High Availability you have two options:

EtherChannel based HA
STP based HA

QUESTION 14
Which statement about the 4-port GigabitEthernet card with hardware bypass is true?

A. Hardware bypass only works with inline interface pairs.
B. Hardware bypass is only supported on the Cisco IPS 4270 appliance.
C. Hardware bypass is independent from software bypass.
D. Hardware bypass is enabled if software bypass is configured to "OFF".
E. Hardware bypass is supported between any of the four GigabitEthernet ports.

Correct Answer: A
Section: Hardware

Explanation/Reference:Official Cisco Guide Pg 135

QUESTION 15
What is the correct regular expression to match a URI request equal to /test.exe?

A. /test.exe
B. Vtest\.exe
C. /test\.exe
D. */test\.exe
E. \*/test\.exe
F. */test.exe

Correct Answer: C
Section: Troubleshooting

Explanation/Reference:
https://supportforums.cisco.com/community/netpro/security/intrusion-prevention/blog/2010/12/23/introduction-to-regular-expressions-for-ips

http://regexlib.com/DisplayPatterns.aspx?cattabindex=1&categoryid=2&p=4

http://wdvl.com/Style/Languages/Perl/PerlfortheWeb/perlintro2_table1.html

The . has a special meaning (match any character), so testaexe, test$exe, etc. would be matched as well as test.exe. The \ removes the special meaning from the ., so the expression now matches only a literal .exe; that is, test.exe exactly has to be matched.

See the above links as to why the other answers are not valid.

QUESTION 16
Which four types of interface modes are available on the Cisco IPS 4200 Series appliance? (Choose four.)

A. promiscuous
B. inline TAP
C. inline interface
D. inline VLAN pair
E. VLAN groups
F. bypass

Correct Answer: ACDE
Section: Hardware

Explanation/Reference:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_interfaces.html#wp1047079

https://supportforums.cisco.com/thread/2463764000 series does not support bypass mode

QUESTION 17
Which option is best to use to capture only a subset of traffic (capturing traffic per-IP-address, per-protocol, or per-application) off the switch backplane and copy it to the Cisco IPS appliance?

A. SPAN
B. PBR
C. VACL
D. MPF
E. STP

Correct Answer: C
Section: Configuration

Explanation/Reference:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/vacl.html#wp1037197

QUESTION 18

Refer to the exhibit. Which statement is true?

A. A summary alert is sent once during each interval for each unique Summary Key entry.
B. An alert is generated each time the signature triggers.
C. This signature does not fire until three events are seen during 60 seconds with the same attacker and victim IP addresses and ports.
D. This signature is disabled by default.
E. When this signature triggers, the Cisco IPS appliance sends an SNMP trap for this event.

Correct Answer: C
Section: Troubleshooting

Explanation/Reference:
Official Guide Page

NB: even if the box is not checked, the value is still in use; it is the default action/configuration. Ticking the box allows that value to be edited.

QUESTION 19
What are the three anomaly detection modes? (Choose three.)

A. detect
B. active
C. inactive
D. learn
E. full
F. partial

Correct Answer: ACD
Section: Configuration

Explanation/Reference:
http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.0/user/guide/ipsanom.html

Anomaly detection has the following modes:

• Learning accept mode (initial setup)
Although anomaly detection is in detect mode by default, it conducts an initial learning accept mode for the default period of 24 hours. We assume that during this phase no attack is being carried out. Anomaly detection creates an initial baseline, known as a knowledge base, of the network traffic. The default interval value for periodic schedules is 24 hours and the default action is rotate, meaning that a new knowledge base is saved and loaded, and then replaces the initial knowledge base after 24 hours.

Keep the following in mind:

– Anomaly detection does not detect attacks when working with the initial knowledge base, which is empty. After the default of 24 hours, a knowledge base is saved and loaded and now anomaly detection also detects attacks.

– Depending on your network complexity, you may want to have anomaly detection in learning accept mode for longer than the default 24 hours. You configure the mode in the Virtual Sensors policy; see Defining A Virtual Sensor, page 28-5. After your learning period has finished, edit the virtual sensor and change the mode to Detect.

• Detect mode
For ongoing operation, the sensor should remain in detect mode. This is for 24 hours a day, 7 days a week. Once a knowledge base is created and replaces the initial knowledge base, anomaly detection detects attacks based on it. It looks at the network traffic flows that violate thresholds in the knowledge base and sends alerts. As anomaly detection looks for anomalies, it also records gradual changes to the knowledge base that do not violate the thresholds and thus creates a new knowledge base. The new knowledge base is periodically saved and takes the place of the old one, thus maintaining an up-to-date knowledge base.

• Inactive mode

You can turn anomaly detection off by putting it in inactive mode. Under certain circumstances, anomaly detection should be in inactive mode, for example, if the sensor is running in an asymmetric environment. Because anomaly detection assumes it gets traffic from both directions, if the sensor is configured to see only one direction of traffic, anomaly detection identifies all traffic as having incomplete connections, that is, as scanners, and sends alerts for all traffic flows.

QUESTION 20
Which type of signature engine is best suited for creating custom signatures that inspect data at OSI Layer 5 and above?

A. Atomic
B. String
C. Sweep
D. Service
E. Meta
F. Flood

Correct Answer: D
Section: Configuration

Explanation/Reference:
http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/cli/cli_signature_engines.html#wp1014328

Service Engines

The Service engines analyze Layer 5+ traffic between two hosts. These are one-to-one signatures that track persistent data. The engines analyze the Layer 5+ payload in a manner similar to the live service.

Exam B

QUESTION 1
A Cisco Catalyst switch is experiencing packet drops on a SPAN destination port that is connected to a Cisco IPS appliance. Which three configurations should be considered to resolve the packet drops issue? (Choose three.)

A. Configure an additional SPAN session to a different Cisco IPS appliance interface connected to the same virtual sensor.
B. Configure an EtherChannel bundle as the SPAN destination port.
C. Configure RSPAN.
D. Configure VACL capture.
E. Configure the Cisco IPS appliance to inline mode.

Correct Answer: AD
Section: Troubleshooting

Explanation/Reference:
A. Adding an additional SPAN session to a different Cisco IPS will remove some of the traffic and load from the existing SPAN - Confirmed Correct

B. Cisco documentation clearly defines that EtherChannels cannot be configured as SPAN destination ports. This rules out option B. - Confirmed Incorrect
http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_19_ea1/configuration/guide/swspan.html#wp1044603

C. RSPAN is remote SPAN, which is used to send traffic to a device not connected to the local switch. While this would have a similar effect to answer A, since you are in fact creating another SPAN, the implication here is that there is only one IPS device. - Unconfirmed Incorrect

D. Configuring VACL capture will allow a reduced amount of traffic and load on the SPAN by selecting and sending only select traffic over the SPAN to the IPS. - Confirmed Correct

E. Configuring the Cisco IPS appliance in inline mode would eliminate the need for a SPAN altogether. - Unconfirmed Correct.

QUESTION 2
Which signature action should be selected to cause the attacker's traffic flow to terminate when the Cisco IPS appliance is operating in promiscuous mode?

A. deny connection
B. deny attacker
C. reset TCP connection
D. deny packet, reset TCP connection
E. deny connection, reset TCP connection

Correct Answer: C
Section: Configuration

Explanation/Reference:Deny attacker is only available in inline mode!

http://www.cisco.com/web/about/security/intelligence/ipsmit.html#7

Promiscuous Mode Event Actions
The following event actions can be deployed in Promiscuous mode. These actions are in effect for a user-configurable default time of 30 minutes. Because the IPS sensor must send the request to another device or craft a packet, latency is associated with these actions and could allow some attacks to be successful. Blocking through usage of the Attack Response Controller (ARC) has the potential benefit of being able to perform to the network edge or at multiple places within the network.

Request block host: This event action will send an ARC request to block the host for a specified time frame, preventing any further communication. This is a severe action that is most appropriate when there is minimal chance of a false alarm or spoofing.

Request block connection: This action will send an ARC response to block the specific connection. This action is appropriate when there is potential for false alarms or spoofing.

Reset TCP connection: This action is TCP specific, and in instances where the attack requires several TCP packets, this can be a successful action. However, in some cases where the attack only needs one packet it may not work as well. Additionally, TCP resets are not very effective with protocols such as SMTP that consistently try to establish new connections, nor are they effective if the reset cannot reach the destination host in time.

Event actions can be specified on a per signature basis, or as an event action override (based on risk rating values – event action override only). In the case of event action override, specific event actions are performed when specific risk rating value conditions are met. Event action overrides offer consistent and simplified management. IPS version 6.0 contains a default event action override with a deny-packet-inline action for events with a risk rating between 90 and 100. For this action to occur, the device must be deployed in Inline mode.

QUESTION 3
During Cisco IPS appliance troubleshooting, you notice that all the signatures are set to Fire All. What can cause this situation to occur?

A. A new signature engine update package has been loaded to the Cisco IPS appliance.
B. A new signature/virus update package has been loaded to the Cisco IPS appliance.
C. Summarizer has been disabled globally.
D. All the signatures have been set to the default state.
E. All the signatures have been retired, and then unretired.

Correct Answer: C
Section: Troubleshooting

Explanation/Reference:
http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_tech_note09186a0080838bcf.shtml

QUESTION 4
From which three sources does the Cisco IPS appliance obtain OS mapping information? (Choose three.)

A. from manually configured OS mappings
B. imported OS mappings from Management Center for Cisco Security Agent
C. imported OS mappings from Cisco Security Manager
D. learned OS mappings from passive OS fingerprinting
E. learned OS mappings from CiscoSensorBase input
F. from Cisco IPS signature updates

Correct Answer: ABD
Section: Troubleshooting

Explanation/Reference:
http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.1/user/guide/ipsevact.html#wp707692

There are three sources of OS information. The sensor ranks the sources of OS information in the following order:

1. Configured OS mappings—OS mappings that you enter on the OS Identification tab of the Event Actions Network Information policy. You can configure different mappings for each virtual sensor. For more information, see Configuring OS Identification (Cisco IPS 6.x and Later Sensors Only).

We recommend configuring OS mappings to define the identity of the OS running on critical systems. It is best to configure OS mappings when the OS and IP address of the critical systems are unlikely to change.

2. Imported OS mappings—OS mappings imported from Management Center for Cisco Security Agents (CSA MC).

Imported OS mappings are global and apply to all virtual sensors. For information on configuring the sensor to use CSA MC, see Configuring the External Product Interface, page 32-23.

3. Learned OS mappings—OS mappings observed by the sensor through the fingerprinting of TCP packets with the SYN control bit set.

Learned OS mappings are local to the virtual sensor that sees the traffic.

When the sensor needs to determine the OS for a target IP address, it consults the configured OS mappings. If the target IP address is not in the configured OS mappings, the sensor looks in the imported OS mappings. If the target IP address is not in the imported OS mappings, the sensor looks in the learned OS mappings. If it cannot find it there, the sensor treats the OS of the target IP address as unknown.

QUESTION 5
Which IPS alert action is available only in inline mode?

A. produce verbose alert
B. request rate limit
C. reset TCP connection
D. log attacker/victim pair packets
E. deny-packet-inline
F. request block connection

Correct Answer: E
Section: Configuration

Explanation/Reference:
http://www.cisco.com/web/about/security/intelligence/ipsmit.html

Inline Mode Event Actions
The following actions require the device to be deployed in Inline mode and are in effect for a user-configurable default time of 3600 seconds (60 minutes).

Deny attacker inline: This action is the most severe and effectively blocks all communication from the attacking host that passes through the IPS for a specified period of time. Because this event action is severe, administrators are advised to use this only when the probability of false alarms or spoofing is minimal.

Deny attacker service pair inline: This action prevents communication between the attacker IP address and the protected network on the port in which the event was detected. However, the attacker would be able to communicate on another port that has hosts on the protected network. This event action works well for worms that attack many hosts on the same service port. If an attack occurred on the same host but on another port, this communication would be allowed. This event action is appropriate when the likelihood of a false alarm or spoofing is minimal.

Deny attacker victim pair inline: This action prevents the attacker from communicating with the victim on any port. However, the attacker could communicate with other hosts, making this action better suited for exploits that target a specific host. This event action is appropriate when the likelihood of a false alarm or spoofing is minimal.

Deny connection inline: This action prevents further communication for the specific TCP flow. This action is appropriate when there is the potential for a false alarm or spoofing and when an administrator wants to prevent the action but not deny further communication.

Deny packet inline: This action prevents the specific offending packet from reaching its intended destination. Other communication between the attacker and victim or victim network may still exist. This action is appropriate when there is the potential for a false alarm or spoofing. Note that for this action, the default time has no effect.

Modify packet inline: This action enables the IPS device to modify the offending part of the packet. However, it forwards the modified packet to the destination. This action is appropriate for packet normalization and other anomalies, such as TCP segmentation and IP fragmentation re-ordering.

QUESTION 6
Refer to the exhibit. What does the Risk Threshold setting of 95 specify?

A. the low risk rating threshold
B. the low threat rating threshold
C. the low target value rating threshold
D. the high risk rating threshold
E. the high threat rating threshold
F. the high target value rating threshold

Correct Answer: D
Section: Configuration

Explanation/Reference:

HIGH RISK = 90 - 100 = Red Threat

Official Guide Chapter 15 and Cisco.com

QUESTION 7
From the Cisco IPS appliance CLI setup command, one of the options is "Modify default threat prevention settings? [no]". What is this option related to?

A. anomaly detection
B. threat rating adjustment
C. event action override that denies high-risk network traffic with a risk rating of 90 to 100
D. risk rating adjustment with global correlation
E. reputation filters

Correct Answer: C
Section: Configuration

Explanation/Reference:
http://www.cisco.com/en/US/docs/security/ips/6.2/configuration/guide/cli/cli_initializing.html

Modify default threat prevention settings?[no]:
Step 11 Enter yes if you want to modify the default threat prevention settings.

Note: The sensor comes with a built-in override to add the deny packet event action to high risk rating alerts. If you do not want this protection, disable automatic threat prevention.

QUESTION 8
In Cisco IDM, the Configuration > Sensor Setup > SSH > Known Host Keys screen is used for what purpose?

A. to enable the Cisco IPS appliance as a master blocking sensor
B. to enable management hosts to access the Cisco IPS appliance
C. to regenerate the Cisco IPS appliance SSH host key
D. to regenerate the Cisco IPS appliance SSL RSA key pair
E. to enable communications with a blocking device

Correct Answer: E
Section: Configuration

Explanation/Reference:
http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/cli/cliTasks.html#wp1067312

You must add hosts to the SSH known hosts list so that the sensor can recognize the hosts that it can communicate with through SSH. These hosts are SSH servers that the sensor needs to connect to for upgrades and file copying, and other hosts, such as Cisco routers, PIX Firewalls, and Catalyst switches that the sensor will connect to for blocking.

QUESTION 9
Which configuration is required when setting up the initial configuration on the Cisco ASA 5505 to support the Cisco ASA AIP-SSC?

A. Configure a VLAN interface as a management interface to access the Cisco ASA AIP-SSC.
B. Using MPF, configure which virtual sensor to use.
C. Configure a management access rule to allow Cisco ASDM access from the Cisco ASA AIP-SSC management interface IP address.
D. Configure a management access rule to allow SSH access from the Cisco ASA AIP-SSC management interface IP address.

Correct Answer: A
Section: Configuration

Explanation/Reference:
http://www.cisco.com/en/US/docs/security/asa/quick_start/ips/ips_qsg.html

2 Connecting Management Interface Cables

• ASA 5505—The ASA 5505 does not have a dedicated management interface. You must use an ASA VLAN to access an internal management IP address over the backplane. Connect the management PC to one of the following ports: Ethernet 0/1 through 0/7. These ports are assigned to VLAN 1 using the 192.168.1.1/24 address. The internal IPS management address is 192.168.1.2/24.

QUESTION 10
The Cisco IPS appliance risk category is used with which other feature?

A. anomaly detection
B. event action overrides
C. global correlation
D. reputation filter

Correct Answer: B
Section: Troubleshooting

Explanation/Reference:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_event_action_rules.html#wp2068398

QUESTION 11
Which two Cisco IPS modules support sensor virtualization? (Choose two.)

A. AIP-SSM
B. AIP-SSC
C. IPS AIM
D. IPS NME
E. IDSM-2

Correct Answer: AE
Section: Hardware

Explanation/Reference:
http://my.safaribooksonline.com/book/certification/ccnp/9780132372107/using-cisco-ips-virtual-sensors/ch20lev1sec5

QUESTION 12
You are working with Cisco TAC to troubleshoot a software problem on the Cisco IPS appliance. TAC suspects a fault with the ARC software module in the Cisco IPS appliance. In this case, which Cisco IPS appliance operations may be most affected by the ARC software module fault?

A. SDEE
B. global correlation
C. anomaly detection
D. remote blocking
E. virtual sensor
F. OS fingerprinting

Correct Answer: D
Section: Troubleshooting

Explanation/Reference:
http://www.cisco.com/en/US/docs/security/ips/6.1/installation/guide/hw_troubleshooting.html#wpmkr1185768

QUESTION 13
Threat rating calculation is performed based on which factors?

A. risk rating and adjustment based on the prevention actions taken
B. threat rating and event action overrides
C. event action overrides and event action filters
D. risk rating and target value rating
E. alert severity and alert actions

Correct Answer: A
Section: Troubleshooting

Explanation/Reference:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/prod_white_paper0900aecd806e7299.html

Threat rating is a quantitative measure of your network's threat level after IPS mitigation. The formula for threat rating is:

Threat Rating = Risk Rating - Alert Rating

The values of the alert ratings are listed below.
• 45: deny-attacker-inline
• 40: deny-attacker-victim-pair-inline
• 40: deny-attacker-service-pair-inline
• 35: deny-connection-inline
• 35: deny-packet-inline
• 35: modify-packet-inline
• 20: request-block-host
• 20: request-block-connection
• 20: reset-tcp-connection
• 20: request-rate-limit

For example, if an alert had a risk rating of 100 and the IPS mitigates the event with a deny-attacker-inline action, the threat rating would be calculated as:

Threat Rating = Risk Rating - Alert Rating, or 100 - 45 = 55.

Threat rating brings the value of risk rating to a new level. By taking the IPS mitigation action into account, threat rating helps you further focus on the most important threats that have not been mitigated.
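As an added example (not from the exam dump and not Cisco code), the threat rating formula quoted above applied to a constructed batch of alerts and ranked so that the least-mitigated threats surface first. It assumes that when several actions are taken on one alert the highest alert rating applies, and that actions absent from the table (such as produce-alert) rate 0; neither point is stated on the page.

```python
# Added example: triage alerts by Threat Rating = Risk Rating - Alert Rating.
# Assumptions not stated in the source: with several actions on one alert the
# highest alert rating applies; actions not in the table contribute 0.
from typing import Dict, Iterable, List

# Alert ratings exactly as listed in the quoted Cisco text.
ALERT_RATING: Dict[str, int] = {
    "deny-attacker-inline": 45,
    "deny-attacker-victim-pair-inline": 40,
    "deny-attacker-service-pair-inline": 40,
    "deny-connection-inline": 35,
    "deny-packet-inline": 35,
    "modify-packet-inline": 35,
    "request-block-host": 20,
    "request-block-connection": 20,
    "reset-tcp-connection": 20,
    "request-rate-limit": 20,
}


def alert_rating(actions: Iterable[str]) -> int:
    """Alert rating for the actions taken on one alert (assumed: the highest one)."""
    return max((ALERT_RATING.get(a, 0) for a in actions), default=0)


def threat_rating(risk_rating: int, actions: Iterable[str]) -> int:
    """Residual threat after mitigation; risk rating is validated as 0..100."""
    if not 0 <= risk_rating <= 100:
        raise ValueError("risk rating must be in the range 0..100")
    return max(0, risk_rating - alert_rating(actions))


def triage(alerts: List[dict]) -> List[dict]:
    """Return copies of the alerts sorted by descending threat rating.

    Ties are broken by signature ID so the order is stable and reproducible.
    """
    scored = [
        dict(a, threat_rating=threat_rating(a["risk_rating"], a["actions"]))
        for a in alerts
    ]
    return sorted(scored, key=lambda a: (-a["threat_rating"], a["sig_id"]))


# Constructed sample alerts (hypothetical signature IDs, not real sensor output).
SAMPLE_ALERTS: List[dict] = [
    {"sig_id": 5000, "risk_rating": 100,
     "actions": ["deny-attacker-inline", "produce-alert"]},
    # promiscuous-style alert: nothing mitigated, full risk remains
    {"sig_id": 5001, "risk_rating": 95, "actions": ["produce-alert"]},
    {"sig_id": 5002, "risk_rating": 85,
     "actions": ["reset-tcp-connection", "request-block-host"]},
    {"sig_id": 5003, "risk_rating": 60, "actions": ["deny-packet-inline"]},
]


if __name__ == "__main__":
    print("sig_id  risk  threat  actions")
    for a in triage(SAMPLE_ALERTS):
        print(f'{a["sig_id"]:<7} {a["risk_rating"]:<5} {a["threat_rating"]:<7} '
              + ",".join(a["actions"]))
```

The unmitigated risk-95 alert ranks above the risk-100 alert that was denied inline, which is the point of the threat rating.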

QUESTION 14Refer to the exhibit. The scanner threshold is set to 120. Which two statements about this histogram are true?(Choose two.)

A. From a single source you do not expect to see non stablished connections to more than 120 differentdestination IP addresses.

B. From a single source you do not expect to see nonestablished connections to more than 100 differentdestination IP addresses.

C. You do not expect to see more than 5 sources generate nonestablished connections to 10 or more differentdestinations.

D. You do not expect to see more than 10 sources generate nonestablished connections to 5 or more differentdestinations.

E. A scanner threshold of 120 is not a valid value for this histogram.
F. Scanning attacks will not be triggered, because the scanner threshold is higher than the maximum number of destination IP addresses in the histogram.
G. Scanning attacks will not be triggered, because the scanner threshold is higher than the maximum number of source IP addresses in the histogram.

Correct Answer: BD
Section: Troubleshooting
Explanation

Explanation/Reference: http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.0/user/guide/ipsanom.pdf

Read this topic carefully and you will see the answers better.

Two test takers have done B & D and have 100% in troubleshooting, so I believe this is good.

QUESTION 15
On the Cisco IPS appliance, each virtual sensor can have its own instance of which three parameters? (Choose three.)

A. signature-definition
B. event-action-rules
C. global-correlation-rules
D. anomaly-detection
E. reputation-filters
F. external-product-interfaces

Correct Answer: ABD
Section: Hardware
Explanation

Explanation/Reference: http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/idm/dmAnEng.html

The Virtual Sensors pane displays a list of the virtual sensors. For each virtual sensor the following is displayed:

•Assigned interfaces/pairs

•Signature definition policy

•Event action rules policy

•Anomaly detection policy

•Anomaly detection operational mode setting

•Inline TCP session tracking mode

•Description of the virtual sensor

You can create, edit, or delete virtual sensors.

QUESTION 16
Refer to the exhibit. What happens when you click the Cisco Security MARS icon on the Cisco Security MARS query result screen?

A. Cross-launch Cisco Security Manager to link the Cisco Security MARS event back to the IPS signature and policy within the Cisco Security Manager that triggered it.

B. Cross-launch Cisco IDM so the signature that triggered it can be examined.
C. Cross-launch Cisco IDM to show the corresponding IPS alerts.
D. Cross-launch Cisco Security Manager to show the corresponding IPS alerts.
E. Cross-launch Cisco IME so the signature that triggered it can be examined.

Correct Answer: A
Section: Troubleshooting
Explanation

Explanation/Reference: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5739/ps6241/product_data_sheet0900aecd80272e64.html

Cisco Security MARS integrates tightly with Cisco's premier security management suite, Cisco Security Manager. This integration maps traffic-related syslog messages to the firewall policies defined in Cisco Security Manager that triggered the event. Policy lookup enables rapid, round-trip analysis for troubleshooting firewall-configuration-related network issues, policy configuration errors, and fine-tuning defined policies.

http://www.cisco.com/en/US/docs/security/security_management/cs-mars/4.3/user/guide/local_controller/cfgcsm.html

Only visual reference I can find.

QUESTION 17
Which three statements about the Cisco IPS appliance normalizer feature are true? (Choose three.)

A. only operates in inline modes

B. ensures that Layer 4 to Layer 7 traffic conforms to the protocol specifications
C. tracks session states and stops packets that do not fully match session state
D. modifies ambiguously fragmented IP traffic
E. cannot analyze asymmetric traffic flows

Correct Answer: ACD
Section: Hardware
Explanation

Explanation/Reference: http://globalknowledgeblog.com/technology/cisco/asa-and-ips-parallel-features-part-ii/

= A

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/white_paper_c11-459025_ps6120_Products_White_Paper.html

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_signature_engines.html#wpxref98199 = C and D

The Cisco ASA AIP-SSM is a fully functional firewall and IPS solution that can be deployed in symmetric or asymmetric mode and supports stateful failover deployments. In either deployment mode, session state and evasion protection will be maintained because of advanced state features in the Cisco ASA operating system.

E is not an option -- even though it reduces performance, it is still able to analyze a single traffic flow.
http://globalknowledgeblog.com/technology/cisco/asa-and-ips-parallel-features-%E2%80%93-part-iii/

QUESTION 18
Refer to the exhibit. What does the Deny Percentage setting affect?

A. the percentage of the signatures to be tuned by the event action filter
B. the percentage of the Risk Rating value to be tuned by the event action filter
C. the percentage of packets to be denied for the deny attacker actions
D. the percentage of the signatures to be tuned by the event action overrides

Correct Answer: C
Section: Troubleshooting
Explanation

Explanation/Reference: http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_event_action_rules.html#wp2032330

•Deny Percentage—Determines the percentage of packets to deny for deny attacker features. The valid range is 0 to 100. The default is 100 percent.

QUESTION 19
Which protocol is used by Encapsulated Remote SPAN?

A. ESP
B. GRE
C. TLS
D. STP
E. VTI
F. 802.1Q

Correct Answer: B
Section: Configuration
Explanation

Explanation/Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/span.html#wp1059482

ERSPAN Overview

ERSPAN supports source ports, source VLANs, and destination ports on different switches, which provides remote monitoring of multiple switches across your network (see Figure 52-3).

ERSPAN consists of an ERSPAN source session, routable ERSPAN GRE-encapsulated traffic, and an ERSPAN destination session. You separately configure ERSPAN source sessions and destination sessions on different switches.

To configure an ERSPAN source session on one switch, you associate a set of source ports or VLANs with a destination IP address, ERSPAN ID number, and optionally with a VRF name. To configure an ERSPAN destination session on another switch, you associate the destination ports with the source IP address, ERSPAN ID number, and optionally with a VRF name.

ERSPAN source sessions do not copy locally sourced RSPAN VLAN traffic from source trunk ports that carry RSPAN VLANs. ERSPAN source sessions do not copy locally sourced ERSPAN GRE-encapsulated traffic from source ports.

Each ERSPAN source session can have either ports or VLANs as sources, but not both.

The ERSPAN source session copies traffic from the source ports or source VLANs and forwards the traffic using routable GRE-encapsulated packets to the ERSPAN destination session. The ERSPAN destination session switches the traffic to the destination ports.

QUESTION 20
In which three ways can you achieve better Cisco IPS appliance performance? (Choose three.)

A. Place the Cisco IPS appliance behind a firewall.
B. Disable unneeded signatures.
C. Enable unidirectional capture.
D. Have multiple Cisco IPS appliances in the path and configure them to detect different types of events.
E. Enable selective packet capture using VLAN ACL on the Cisco IPS 4200 Series appliance.
F. Enable all anti-evasive measures to reduce noise.

Correct Answer: ABD
Section: Hardware
Explanation

Explanation/Reference: Cisco Official Guide Pg 499

A. Placing the IPS behind a firewall will reduce traffic which will help improve performance - Confirmed Correct

B. Disabling unneeded signatures will reduce processing overhead which will help improve performance - Unconfirmed Correct

C. Enabling unidirectional capture would improve device performance but it would also result in poor IPS performance - Unconfirmed Incorrect

D. Having multiple Cisco IPS devices in the path each detecting a different type of traffic would balance the load resulting in increased performance on each device - Confirmed correct

E. VACL selective packet capture is enabled on the switch, not the device. - Confirmed incorrect

F. Enabling all anti-evasive measures would force all traffic through the device likely causing an increase in noise (not a reduction) and the increased traffic would cause increased load on the device resulting in decreased performance. - Confirmed Incorrect

http://my.safaribooksonline.com/book/certification/ccnp/9780132372107/deploying-cisco-ips-for-high-availability-and-high-performance/499#

Exam C

QUESTION 1
What must be configured to enable Cisco IPS appliance reputation filtering and global correlation?

A. DNS server(s) IP address
B. full sensor based network participation
C. trusted hosts settings
D. external product interfaces settings

Correct Answer: A
Section: Configuration
Explanation

Explanation/Reference: http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/ime/ime_collaboration.html

Global Correlation Requirements

Global correlation has the following requirements:

•Valid license

You must have a valid sensor license for global correlation features to function. You can still configure and display statistics for the global correlation features, but the global correlation databases are cleared and no updates are attempted. Once you install a valid license, the global correlation features are reactivated.

•Agree to network participation disclaimer

•External connectivity for sensor and a DNS server

The global correlation features of IPS 7.0 require the sensor to connect to the Cisco SensorBase Network. Domain name resolution is also required for these features to function. You can either configure the sensor to connect through an HTTP proxy server that has a DNS client running on it, or you can assign an Internet-routable address to the management interface of the sensor and configure the sensor to use a DNS server. In IPS 7.0 the HTTP proxy and DNS servers are used only by the global correlation features.

QUESTION 2
What is a best practice to follow before tuning a Cisco IPS signature?

A. Disable all the alert actions on the signature to be tuned.
B. Disable the signature to be tuned.
C. Create a clone of the signature to be tuned.
D. Increase the number of events required to trigger the signature to be tuned.
E. Decrease the attention span (maximum inter-event interval) of the signature to be tuned.

Correct Answer: A
Section: Configuration
Explanation

Explanation/Reference: Still doubt here. 100% certain C is wrong.

A is best answer with B also possible.

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/prod_white_paper0900aecd8066d265.html

Official Guide - Chapter 13 Quiz - When tuning signatures it is recommended

Answer: By removing harmful actions during the tuning phase we can have visibility...... without interfering with normal traffic

"Do no harm" approach.

QUESTION 3
Which three statements about the Cisco IntelliShield Alert Manager are true? (Choose three.)

A. Alert information is analyzed and validated by Cisco security analysts.
B. Alert analysis is vendor-neutral.
C. The built-in workflow system provides a mechanism for tracking vulnerability remediation and integration with Cisco Security Manager and Cisco Security MARS.
D. Users can customize the notification to deliver tailored information relevant to the needs of the organization.
E. Customers are automatically subscribed to use Cisco Security IntelliShield Alert Manager Service with the Cisco IPS license.
F. More than 10 report types are available within the Cisco Security IntelliShield Alert Manager Service.

Correct Answer: ABD
Section: Configuration
Explanation

Explanation/Reference: http://www.cisco.com/en/US/products/ps6834/serv_group_home.html

A & D are clear. Still in doubt for B or C.

Features
Continuous threat and vulnerability updates
Customized notifications that deliver tailored information relevant to IT needs = D
Actionable alert intelligence analyzed and validated by security analysts to assist in proactive prevention = A
Integrated, easy to use tools for easy management of remediation efforts
Comprehensive intelligence information including historical coverage of over 14,000 alerts

Benefits
Accelerated elimination of threats through actionable security intelligence
Customized intelligence to avoid sifting through irrelevant information
Vendor-neutral analysis of threats and vulnerabilities help prevent IT attacks across business environments = B
Workflow management tools enable efficient use of security staff resources

http://www.cisco.com/en/US/services/ps2827/ps6834/services_overview0900aecd803e85ee.pdf

Option C removal! No mention of integration at all with CSM or CS MARS.

QUESTION 4
Which two configurations are required on the Cisco IPS appliance to allow Cisco Security Manager to log into the Cisco IPS appliance? (Choose two.)

A. Enable SNMPv2.
B. Enable SSH access.
C. Enable TLS/SSL to allow HTTPS access.
D. Enable NTP.
E. Enable Telnet access.
F. Enable the IP address of the Cisco Security Manager server as an allowed host.

Correct Answer: CF
Section: Configuration
Explanation

Explanation/Reference: Obvious standard config but needs confirmation

http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/cli/cliTasks.html#wp1056053

QUESTION 5
Which four statements about the blocking capabilities of the Cisco IPS appliance are true? (Choose four.)

A. The three types of blocks are: host, connection, and network.
B. Host and connection blocks can be initiated manually or automatically when a signature is triggered.
C. Network blocks can only be initiated manually.
D. The Device Login Profiles pane is used to configure the profiles that the network devices use when logging into the Cisco IPS appliance.
E. Multiple Cisco IPS appliances can forward their blocking requests to the master blocking sensor.
F. Pre-Block and Post-Block ACLs are applicable for blocking or rate limiting.

Correct Answer: ABCE
Section: Hardware
Explanation

Explanation/Reference: http://www.cisco.com/en/US/docs/security/ips/7.0/command/reference/crCmds.html#wp765330

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_blocking.html#wp2216370

It appears that block network is not available from the ARC module.

D is definitely incorrect. Use the Device Login Profiles pane to configure the profiles that the sensor uses when logging in to blocking devices.

F is also incorrect. Pre-Block and Post-Block ACLs do not apply to rate limiting.

QUESTION 6
OS mappings associate IP addresses with an OS type, which in turn helps the Cisco IPS appliance to calculate what other value?

A. TVR
B. SFR
C. ARR
D. PD
E. ASR

Correct Answer: C
Section: Troubleshooting
Explanation

Explanation/Reference:

QUESTION 7
Which signature engine is recommended for creating a custom signature for packet header matching?

A. MULTI-STRING
B. FLOOD.HOST
C. ATOMIC.IP
D. SERVICE
E. SWEEP
F. META

Correct Answer: C
Section: Configuration
Explanation

Explanation/Reference: http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/cli/cli_signature_engines.html#wp1141808

Atomic IP Engine

The Atomic IP engine defines signatures that inspect IP protocol headers and associated Layer 4 transport protocols (TCP, UDP, and ICMP) and payloads.

QUESTION 8
On the Cisco IPS appliance, the anomaly detection knowledge base is used to store which two types of information for each service? (Choose two.)

A. scanner threshold
B. packet per second rate limit
C. anomaly detection mode
D. histogram
E. total bytes transferred

Correct Answer: AD
Section: Hardware
Explanation

Explanation/Reference: http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.0/user/guide/ipsanom.html

The knowledge base has a tree structure and contains the following information:

•Knowledge base name

•Zone name

•Protocol

•Service

The knowledge base holds a scanner threshold and a histogram for each service. If you have learning accept mode set to automatic and the action set to rotate, a new knowledge base is created every 24 hours and used in the next 24 hours. If you have learning accept mode set to automatic and the action is set to save only, a new knowledge base is created but not loaded, and the current knowledge base is used. If you do not have learning accept mode set to automatic, no knowledge base is created.

QUESTION 9
Which four features are supported on the Cisco ASA AIP-SSM but are not supported on the Cisco ASA AIP-SSC? (Choose four.)

A. multiple virtual sensors
B. anomaly detection
C. promiscuous mode
D. custom signatures
E. fail open
F. global correlation

Correct Answer: ABDF
Section: Hardware
Explanation

Explanation/Reference: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/ps6825/product_data_sheet0900aecd80404916_ps6120_Products_Data_Sheet.html

QUESTION 10
Which Cisco IPS appliance TCP session tracking mode should be used if packets of the same session are coming to the sensor over different interfaces, but should be treated as a single session?

A. interface and VLAN
B. virtual sensor


C. VLAN only
D. promiscuous
E. normalizer

Correct Answer: B
Section: Hardware
Explanation

Explanation/Reference: http://www.cisco.com/en/US/docs/security/ips/7.1/configuration/guide/ime/ime_policies.html#wp2005229

Inline TCP Session Tracking Mode

When you choose to modify packets inline, if the packets from a stream are seen twice by the Normalizer engine, it cannot properly track the stream state and often the stream is dropped. This situation occurs most often when a stream is routed through multiple VLANs or interfaces that are being monitored by the IPS. A further complication in this situation is the necessity of allowing asymmetric traffic to merge for proper tracking of streams when the traffic for either direction is received from different VLANs or interfaces.

To deal with this situation, you can set the mode so that streams are perceived as unique if they are received on separate interfaces and/or VLANs (or the subinterface for VLAN pairs).

The following inline TCP session tracking modes apply:

•Interface and VLAN—All packets with the same session key (AaBb) in the same VLAN (or inline VLAN pair) and on the same interface belong to the same session. Packets with the same key but on different VLANs are tracked separately.

•VLAN Only—All packets with the same session key (AaBb) in the same VLAN (or inline VLAN pair) regardless of the interface belong to the same session. Packets with the same key but on different VLANs are tracked separately.

•Virtual Sensor—All packets with the same session key (AaBb) within a virtual sensor belong to the same session. This is the default and almost always the best option to choose.

QUESTION 11
Which two Cisco IPS appliance features are implemented using input data from the Cisco SensorBase? (Choose two.)

A. global correlation
B. anomaly detection
C. reputation filters
D. botnet traffic filters
E. OS fingerprinting
F. threat detection

Correct Answer: AC
Section: Hardware
Explanation

Explanation/Reference: see previous information about that

QUESTION 12
Which four configuration elements can the virtual sensor of a Cisco IPS appliance have? (Choose four.)

A. interfaces or VLAN pairs
B. IPS reputation filters
C. signature set definition
D. global correlation rules
E. event action rules (filters and overrides)
F. anomaly detection policy

Correct Answer: ACEF
Section: Hardware
Explanation

Explanation/Reference: http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_policies.html#wpmkr2163359

You can apply the same policy, for example, sig0, rules0, and ad0, to different virtual sensors. The Add Virtual Sensor dialog box displays only the interfaces that are available to be assigned to this virtual sensor. Interfaces that have already been assigned to other virtual sensors are not shown in this dialog box.

You can also assign event action overrides to virtual sensors, and configure the following modes:

•Anomaly detection operational mode

•Inline TCP session tracking mode

•Normalizer mode

The following fields are found in the Add and Edit Virtual Sensor dialog boxes:

•Virtual Sensor Name—Name for this virtual sensor.

•Description—Description for this virtual sensor.

•Interfaces—Lets you assign and remove interfaces for this virtual sensor.

–Assigned—Whether the interfaces or interface pairs have been assigned to the virtual sensor.

–Name—The list of available interfaces or interface pairs that you can assign to the virtual sensor (GigabitEthernet or FastEthernet).

–Details—Lists the mode (Inline Interface or Promiscuous) of the interface and the interfaces of the inline pairs.

•Signature Definition Policy—The name of the signature definition policy you want to assign to this virtual sensor. The default is sig0.

•Event Action Rules Policy—The name of the event action rules policy you want to assign to this virtual sensor. The default is rules0.

•Use Event Action Overrides—When checked, lets you configure event action overrides when you click Add to open the Add Event Action Override dialog box.

–Risk Rating—Indicates the level of risk rating for this override.

–Actions to Add—Indicates the action to add to this override.

–Enabled—Indicates whether this override is enabled or disabled.

•Anomaly Detection Policy—The name of the anomaly detection policy you want to assign to this virtual sensor. The default is ad0.

•AD Operational Mode—The mode that you want the anomaly detection policy to operate in for this virtual sensor. The default is Detect.

•Inline TCP Session Tracking Mode—The mode used to segregate multiple views of the same stream if the same stream passes through the sensor more than once. The default mode is Virtual Sensor.

–Interface and VLAN—All packets with the same session key (AaBb) in the same VLAN (or inline VLAN pair) and on the same interface belong to the same session. Packets with the same key but on different VLANs are tracked separately.

–VLAN Only—All packets with the same session key (AaBb) in the same VLAN (or inline VLAN pair) regardless of the interface belong to the same session. Packets with the same key but on different VLANs are tracked separately.

–Virtual Sensor—All packets with the same session key (AaBb) within a virtual sensor belong to the same session.

•Normalizer Mode—Lets you choose which type of Normalizer mode you need for traffic inspection:

–Strict Evasion Protection—If a packet is missed for any reason, all packets after the missed packet are not processed. Strict evasion protection provides full enforcement of TCP state and sequence tracking.

Note: Any out-of-order packets or missed packets can produce Normalizer engine signatures 1300 or 1330 firings, which try to correct the situation, but can result in denied connections.

–Asymmetric Mode Protection—Can only see one direction of bidirectional traffic flow. Asymmetric mode protection relaxes the evasion protection at the TCP layer.

Note: Asymmetric mode lets the sensor synchronize state with the flow and maintain inspection for those engines that do not require both directions. Asymmetric mode lowers security because full protection requires both sides of traffic to be seen.

QUESTION 13
Which value is not used by the Cisco IPS appliance in the risk rating calculation?

A. attack severity rating
B. target value rating
C. signature fidelity rating
D. promiscuous delta
E. threat rating adjustment
F. watch list rating

Correct Answer: E
Section: Hardware
Explanation

Explanation/Reference: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/prod_white_paper0900aecd806e7299.html

Risk Rating Calculation

Risk rating is a quantitative measure of your network's threat level before IPS mitigation. For each event fired by IPS signatures, Cisco IPS Sensor Software calculates a risk rating number. The factors used to calculate risk rating are:
• Signature fidelity rating: This IPS-generated variable indicates the degree of attack certainty.
• Attack severity rating: This IPS-generated variable indicates the amount of damage an attack can cause.
• Target value rating: This user-defined variable indicates the criticality of the attack target. This is the only factor in risk rating that is routinely maintained by the user. You can assign a target value rating per IP address in Cisco IPS Device Manager or Cisco Security Manager. The target value rating can raise or lower the overall risk rating for a network device. You can assign the following target values:
– 75: Low asset value
– 100: Medium asset value
– 200: Mission-critical asset value
• Attack relevancy rating: This IPS-generated value indicates the vulnerability of the attack target.
• Promiscuous delta: The risk rating of an IPS deployed in promiscuous mode is reduced by the promiscuous delta. This is because promiscuous sensing is less accurate than inline sensing. The promiscuous delta can be configured on a per-signature basis, with a value range of 0 to 30. (The promiscuous delta was introduced in Cisco IPS Sensor Software Version 6.0.)
• Watch list rating: This IPS-generated value is based on data found in the Cisco Security Agent watch list. The Cisco Security Agent watch list contains IP addresses of devices involved in network scans or possibly contaminated by viruses or worms. If an attacker is found on the watch list, the watch list rating for that attacker is added to the risk rating. The value for this factor is between 0 and 35. (The watch list rating was introduced in Cisco IPS Sensor Software Version 6.0.)

The formula to calculate risk rating in Cisco IPS Sensor Software Version 6.0 is:

Risk rating can help enhance your productivity as it intelligently assesses the level of risk of each event and helps you focus on high-risk events.

QUESTION 14
Refer to the exhibit. Which General settings under the Event Action Rule affect the risk rating calculations?

A. Use Summarizer
B. Use Meta Event Generator
C. Use Threat Rating Adjustment
D. Use Event Action Filters
E. Enable One Way TCP Reset

Correct Answer: C
Section: Configuration
Explanation

Explanation/Reference: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/product_data_sheet0900aecd805baef2.html

Threat Rating

New with Cisco IPS Sensor Software Version 6.0, the Threat Rating feature provides a single view of the threat environment of the network. Threat Rating can minimize alarms and events through the ability to customize the viewer to only show events with a high Threat Rating value. The Threat Rating value is derived as follows:
• Dynamic adjustment of event Risk Rating based on success of response action
• If response action was applied, Risk Rating is deprecated (TR < RR)
• If response action was not applied, Risk Rating remains unchanged (TR = RR)

The result is a single value by which the threat risk is determined. This eases the management of alarms and determination of risk on the network.

QUESTION 15
In a centralized Cisco IPS appliance deployment, it may not be possible to connect an IPS appliance to every switch or segment in the network. So, an IPS appliance can be deployed to inspect traffic on ports that are located on multiple remote network switches. In this case, which two configurations are required? (Choose two.)

A. IPS promiscuous mode operations
B. in-line IPS operations
C. RSPAN
D. SPAN
E. HSRP
F. SLB

Correct Answer: AC
Section: Hardware
Explanation

Explanation/Reference: No specific reference --- is in Videos from CBT

QUESTION 16
Which three actions does the Cisco IDM custom signature wizard provide? (Choose three.)

A. selecting the signature engine to use or not to use any signature engine
B. selecting the Layer 3 or Layer 4 protocol that the sensor will use to match malicious traffic
C. selecting the attack relevancy rating
D. selecting the signature threat rating
E. selecting the scope of matching (for example, single packet)

Correct Answer: ABE
Section: Configuration
Explanation

Explanation/Reference: http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/idm/idm_signature_wizard.html#wp1655660

Shows A B E and nothing for C or D

QUESTION 17
You want your inline Cisco IPS appliance to drop packets that pose the most severe risk to your network, especially to the servers on your DMZ. Which two parameters should you set to protect your DMZ servers in the most time-efficient manner? (Choose two.)

A. event action filter
B. reputation filter
C. target value rating
D. signature fidelity rating
E. global correlation
F. event action override

Correct Answer: CF
Section: Troubleshooting
Explanation

Explanation/Reference:

QUESTION 18

Which Cisco IPS appliance feature is best used to detect these two conditions? 1) The network starts becoming congested by worm traffic. 2) A single worm-infected source enters the network and starts scanning for other vulnerable hosts.

A. global correlation
B. anomaly detection
C. reputation filtering
D. custom signature
E. meta signature
F. threat detection

Correct Answer: B
Section: Configuration
Explanation

Explanation/Reference: http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.0/user/guide/ipsanom.html

Anomaly detection identifies worm-infected hosts by their behavior as a scanner. To spread, a worm virus must find new hosts. It finds them by scanning the Internet using TCP, UDP, and other protocols to generate unsuccessful attempts to access different destination IP addresses. A scanner is defined as a source IP address that generates events on the same destination port (in TCP and UDP) for too many destination IP addresses.

QUESTION 19
What will happen if you try to recover the password on the Cisco IPS 4200 Series appliance on which password recovery is disabled?

A. The GRUB menu will be disabled.
B. The ROM monitor command to reset the password will be disabled.
C. The password recovery process will proceed with no errors or warnings; however, the password is not reset.
D. The Cisco IPS appliance will reboot immediately.

Correct Answer: C
Section: Troubleshooting
Explanation

Explanation/Reference: http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_troubleshooting.html#wp1139544

If you try to recover the password on a sensor on which password recovery is disabled, the process proceeds with no errors or warnings; however, the password is not reset. If you cannot log in to the sensor because you have forgotten the password, and password recovery is set to disabled, you must reimage your sensor.

QUESTION 20
Which four networking tools does Cisco IME include that can be invoked for specific events, to learn more about attackers and victims using basic network reconnaissance? (Choose four.)

A. ping
B. traceroute
C. packet tracer
D. nslookup
E. whois
F. nmap

Correct Answer: ABDE
Section: Troubleshooting
Explanation

Explanation/Reference: http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/ime/ime_getting_started.html

IME also supports tools such as ping, traceroute, DNS lookup, and whois lookup for selected events.

Exam D

QUESTION 1

Select and Place:

Correct Answer:

Section: Hardware
Explanation

Explanation/Reference:

QUESTION 2

Select and Place:

Correct Answer:

Section: Configuration
Explanation

Explanation/Reference:

QUESTION 3

Select and Place:

Correct Answer:

Section: Hardware
Explanation

Explanation/Reference: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/product_data_sheet0900aecd805baef2.html

QUESTION 4

Select and Place:

Correct Answer:

Section: Hardware
Explanation

Explanation/Reference:

QUESTION 5

Select and Place:

Correct Answer:

Section: Configuration
Explanation

Explanation/Reference:

QUESTION 6

Select and Place:

Correct Answer:

Section: Configuration
Explanation

Explanation/Reference:

QUESTION 7

Select and Place:

Correct Answer:

Section: Configuration
Explanation

Explanation/Reference: Official Guide - Page 61 - Table 3-2

QUESTION 8

Select and Place:

Correct Answer:

Section: Troubleshooting
Explanation

Explanation/Reference:

QUESTION 9
Which four features are supported on the Cisco ASA AIP-SSM but are not supported on the Cisco ASA AIP-SSC? (Choose four.)

A. multiple virtual sensors
B. anomaly detection
C. promiscuous mode
D. custom signatures
E. fail open
F. global correlation

Correct Answer: ABDF
Section: Hardware
Explanation

Explanation/Reference: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/ps6825/product_data_sheet0900aecd80404916_ps6120_Products_Data_Sheet.html

QUESTION 10
Which four configuration elements can the virtual sensor of a Cisco IPS appliance have? (Choose four.)

A. interfaces or VLAN pairs
B. IPS reputation filters
C. signature set definition
D. global correlation rules
E. event action rules (filters and overrides)
F. anomaly detection policy

Correct Answer: ACEF
Section: Hardware
Explanation

Explanation/Reference:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_policies.html#wpmkr2163359

You can apply the same policy, for example, sig0, rules0, and ad0, to different virtual sensors. The Add Virtual Sensor dialog box displays only the interfaces that are available to be assigned to this virtual sensor. Interfaces that have already been assigned to other virtual sensors are not shown in this dialog box.

You can also assign event action overrides to virtual sensors, and configure the following modes:

•Anomaly detection operational mode

•Inline TCP session tracking mode

•Normalizer mode

The following fields are found in the Add and Edit Virtual Sensor dialog boxes:

•Virtual Sensor Name—Name for this virtual sensor.

•Description—Description for this virtual sensor.

•Interfaces—Lets you assign and remove interfaces for this virtual sensor.

–Assigned—Whether the interfaces or interface pairs have been assigned to the virtual sensor.

–Name—The list of available interfaces or interface pairs that you can assign to the virtual sensor (GigabitEthernet or FastEthernet).

–Details—Lists the mode (Inline Interface or Promiscuous) of the interface and the interfaces of the inline pairs.

•Signature Definition Policy—The name of the signature definition policy you want to assign to this virtual sensor. The default is sig0.

•Event Action Rules Policy—The name of the event action rules policy you want to assign to this virtual sensor. The default is rules0.

•Use Event Action Overrides—When checked, lets you configure event action overrides when you click Add to open the Add Event Action Override dialog box.

–Risk Rating—Indicates the level of risk rating for this override.

–Actions to Add—Indicates the action to add to this override.

–Enabled—Indicates whether this override is enabled or disabled.

•Anomaly Detection Policy—The name of the anomaly detection policy you want to assign to this virtual sensor. The default is ad0.

•AD Operational Mode—The mode that you want the anomaly detection policy to operate in for this virtual sensor. The default is Detect.

•Inline TCP Session Tracking Mode—The mode used to segregate multiple views of the same stream if the same stream passes through the sensor more than once. The default mode is Virtual Sensor.

–Interface and VLAN—All packets with the same session key (AaBb) in the same VLAN (or inline VLAN pair) and on the same interface belong to the same session. Packets with the same key but on different VLANs are tracked separately.

–VLAN Only—All packets with the same session key (AaBb) in the same VLAN (or inline VLAN pair), regardless of the interface, belong to the same session. Packets with the same key but on different VLANs are tracked separately.

–Virtual Sensor—All packets with the same session key (AaBb) within a virtual sensor belong to the same session.

•Normalizer Mode—Lets you choose which type of Normalizer mode you need for traffic inspection:

–Strict Evasion Protection—If a packet is missed for any reason, all packets after the missed packet are not processed. Strict evasion protection provides full enforcement of TCP state and sequence tracking.

Note: Any out-of-order packets or missed packets can produce Normalizer engine signature 1300 or 1330 firings, which try to correct the situation, but can result in denied connections.

–Asymmetric Mode Protection—Can only see one direction of a bidirectional traffic flow. Asymmetric mode protection relaxes the evasion protection at the TCP layer.

Note: Asymmetric mode lets the sensor synchronize state with the flow and maintain inspection for those engines that do not require both directions. Asymmetric mode lowers security because full protection requires both sides of the traffic to be seen.

QUESTION 13
Which value is not used by the Cisco IPS appliance in the risk rating calculation?

A. attack severity rating
B. target value rating
C. signature fidelity rating
D. promiscuous delta
E. threat rating adjustment
F. watch list rating

Correct Answer: E
Section: Hardware
Explanation

Explanation/Reference:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/prod_white_paper0900aecd806e7299.html

Risk Rating Calculation

Risk rating is a quantitative measure of your network's threat level before IPS mitigation. For each event fired by IPS signatures, Cisco IPS Sensor Software calculates a risk rating number. The factors used to calculate risk rating are:

• Signature fidelity rating: This IPS-generated variable indicates the degree of attack certainty.

• Attack severity rating: This IPS-generated variable indicates the amount of damage an attack can cause.

• Target value rating: This user-defined variable indicates the criticality of the attack target. This is the only factor in risk rating that is routinely maintained by the user. You can assign a target value rating per IP address in Cisco IPS Device Manager or Cisco Security Manager. The target value rating can raise or lower the overall risk rating for a network device. You can assign the following target values:

– 75: Low asset value

– 100: Medium asset value

– 200: Mission-critical asset value

• Attack relevancy rating: This IPS-generated value indicates the vulnerability of the attack target.

• Promiscuous delta: The risk rating of an IPS deployed in promiscuous mode is reduced by the promiscuous delta. This is because promiscuous sensing is less accurate than inline sensing. The promiscuous delta can be configured on a per-signature basis, with a value range of 0 to 30. (The promiscuous delta was introduced in Cisco IPS Sensor Software Version 6.0.)

• Watch list rating: This IPS-generated value is based on data found in the Cisco Security Agent watch list. The Cisco Security Agent watch list contains IP addresses of devices involved in network scans or possibly contaminated by viruses or worms. If an attacker is found on the watch list, the watch list rating for that attacker is added to the risk rating. The value for this factor is between 0 and 35. (The watch list rating was introduced in Cisco IPS Sensor Software Version 6.0.)

The formula to calculate risk rating in Cisco IPS Sensor Software Version 6.0 is:

Risk rating can help enhance your productivity as it intelligently assesses the level of risk of each event and helps you focus on high-risk events.

QUESTION 14
In a centralized Cisco IPS appliance deployment, it may not be possible to connect an IPS appliance to every switch or segment in the network. So, an IPS appliance can be deployed to inspect traffic on ports that are located on multiple remote network switches. In this case, which two configurations are required? (Choose two.)

A. IPS promiscuous mode operations
B. in-line IPS operations
C. RSPAN
D. SPAN
E. HSRP
F. SLB

Correct Answer: AC
Section: Hardware
Explanation

Explanation/Reference:

No specific reference --- it is in the videos from CBT.

QUESTION 15
Which Cisco IPS appliance feature is best used to detect these two conditions? 1) The network starts becoming congested by worm traffic. 2) A single worm-infected source enters the network and starts scanning for other vulnerable hosts.

A. global correlation
B. anomaly detection
C. reputation filtering
D. custom signature
E. meta signature
F. threat detection

Correct Answer: B
Section: Configuration
Explanation

Explanation/Reference:
http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.0/user/guide/ipsanom.html

Anomaly detection identifies worm-infected hosts by their behavior as a scanner. To spread, a worm virus must find new hosts. It finds them by scanning the Internet using TCP, UDP, and other protocols to generate unsuccessful attempts to access different destination IP addresses. A scanner is defined as a source IP address that generates events on the same destination port (in TCP and UDP) for too many destination IP addresses.

QUESTION 16
Simlet Question #2

*NB* -- This is only a sample; real questions and answers may vary, so know the topics and purpose of the simlet and get a feel for the questions.

A. rules0
B. vs0
C. sig0
D. ad0
E. ad1
F. sig1

Correct Answer: C
Section: Simlet
Explanation

Explanation/Reference:
Default signature

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_signature_definitions.html

You can create multiple security policies and apply them to individual virtual sensors. A security policy is made up of a signature definition policy, an event action rules policy, and an anomaly detection policy. Cisco IPS contains a default signature definition policy called sig0, a default event action rules policy called rules0, and a default anomaly detection policy called ad0. You can assign the default policies to a virtual sensor or you can create new policies.

QUESTION 17
Simlet Question #4

*NB* -- This is only a sample; real questions and answers may vary, so know the topics and purpose of the simlet and get a feel for the questions.

A. It will not contribute to the SensorBase network.
B. It will contribute to the SensorBase network, but will withhold some sensitive information.
C. It will contribute the victim IP address and port to the SensorBase network.
D. It will not contribute to Risk Rating adjustments that use information from the SensorBase network.

Correct Answer: B
Section: Simlet
Explanation

Explanation/Reference:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_collaboration.html#wp1053292

Configuring Network Participation

To configure network participation, follow these steps:

Step 1 Log in to IDM using an account with administrator privileges.

Step 2 Choose Configuration > Policies > Global Correlation > Network Participation.

Step 3 To turn on network participation, click the Partial or Full radio button:

•Partial—Data is contributed to the SensorBase Network, but data considered potentially sensitive is filtered out and never sent.

•Full—All data is contributed to the SensorBase Network.

QUESTION 18
Simlet Question #5

*NB* -- This is only a sample; real questions and answers may vary, so know the topics and purpose of the simlet and get a feel for the questions.

A. This is a custom signature.
B. The severity level is High.
C. This signature has triggered, as indicated by the red severity icon.
D. Produce Alert is the only action defined.
E. This signature is enabled, but inactive, as indicated by the /0 that follows the signature number.

Correct Answer: BD
Section: Simlet
Explanation

Explanation/Reference:
http://www.cisco.com/en/US/docs/security/ips/7.1/configuration/guide/ime/ime_signature_wizard.pdf

QUESTION 19
Simlet Question #6

*NB* -- This is only a sample; real questions and answers may vary, so know the topics and purpose of the simlet and get a feel for the questions.

A. The maximum number of denied attackers is set to 10000.
B. The block action duration is set to 3600 seconds.
C. The Meta Event Generator is globally enabled.
D. Events Summarization is globally disabled.
E. Threat Rating Adjustment is globally disabled.

Correct Answer: ABC
Section: Simlet
Explanation

Explanation/Reference:
Feedback from test takers. A & C are clear.

Major issues with this answer --- the third choice is impossible. I believe B should be "Block action duration is set for 30 minutes" -- the only choice, really.

QUESTION 20
Which two switching-based mechanisms are used to deploy high availability IPS using multiple Cisco IPS appliances? (Choose two.)

A. Spanning Tree-based HA
B. HSRP-based HA
C. EtherChannel-based HA
D. VRRP-based HA

Correct Answer: AC
Section: Configuration
Explanation

Explanation/Reference:
Official Cisco Guide Chapter 21

When network switches are used to provide High Availability, you have two options:

EtherChannel-based HA
STP-based HA

Exam E

QUESTION 1

Simlet - which area will you need to work in to get the answers for the simlet?

A. Home > Dashboard
B. Configuration > Policies > Rule 0
C. Configuration > Sensor Setup
D. Configuration > Policies > virtual sensor

Correct Answer: B
Section: Simlet
Explanation

Explanation/Reference:
Self-explanatory

QUESTION 2
Simlet Question #1

*NB* -- This is only a sample; real questions and answers may vary, so know the topics and purpose of the simlet and get a feel for the questions.

A. It is only enabled to identify the "Cisco IOS" OS using statically mapped OS fingerprinting.
B. OS mapping information will not be used for Risk Rating calculations.
C. It is configured to enable OS mapping and ARR only for the 10.0.0.0/24 network.
D. It is enabled for passive OS fingerprinting for all networks.

Correct Answer: D
Section: Simlet
Explanation

Explanation/Reference:
Still trying to get an answer for this one.

http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/ime/ime_event_action_rules.html#wp2119120

Understanding Passive OS Fingerprinting

Passive OS fingerprinting lets the sensor determine the OS that hosts are running. The sensor analyzes network traffic between hosts and stores the OS of these hosts with their IP addresses. The sensor inspects TCP SYN and SYNACK packets exchanged on the network to determine the OS type.

The sensor then uses the OS of the target host to determine the relevance of the attack to the victim by computing the attack relevance rating component of the risk rating. Based on the relevance of the attack, the sensor may alter the risk rating of the alert for the attack and/or the sensor may filter the alert for the attack. You can then use the risk rating to reduce the number of false positive alerts (a benefit in IDS mode) or definitively drop suspicious packets (a benefit in IPS mode). Passive OS fingerprinting also enhances the alert output by reporting the victim OS, the source of the OS identification, and the relevance to the victim OS in the alert.

Passive OS fingerprinting consists of three components:

•Passive OS learning

Passive OS learning occurs as the sensor observes traffic on the network. Based on the characteristics of TCP SYN and SYNACK packets, the sensor makes a determination of the OS running on the host of the source IP address.

•User-configurable OS identification

You can configure OS host mappings, which take precedence over learned OS mappings.

•Computation of attack relevance rating and risk rating

QUESTION 3
Simlet Question #2

*NB* -- This is only a sample; real questions and answers may vary, so know the topics and purpose of the simlet and get a feel for the questions.

A. rules0
B. vs0
C. sig0
D. ad0
E. ad1
F. sig1

Correct Answer: C
Section: Simlet
Explanation

Explanation/Reference:
Default signature

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_signature_definitions.html

You can create multiple security policies and apply them to individual virtual sensors. A security policy is made up of a signature definition policy, an event action rules policy, and an anomaly detection policy. Cisco IPS contains a default signature definition policy called sig0, a default event action rules policy called rules0, and a default anomaly detection policy called ad0. You can assign the default policies to a virtual sensor or you can create new policies.

QUESTION 4
Simlet Question #3

*NB* -- This is only a sample; real questions and answers may vary, so know the topics and purpose of the simlet and get a feel for the questions.

A. Global correlation is configured in Audit mode for testing the feature without actually denying any hosts.
B. Global correlation is configured in Aggressive mode, which has a very aggressive effect on deny actions.
C. It will not adjust risk rating values based on the known bad hosts list.
D. Reputation filtering is disabled.

Correct Answer: D
Section: Simlet
Explanation

Explanation/Reference:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_collaboration.html#wp1054333

QUESTION 5
Simlet Question #4

*NB* -- This is only a sample; real questions and answers may vary, so know the topics and purpose of the simlet and get a feel for the questions.

A. It will not contribute to the SensorBase network.
B. It will contribute to the SensorBase network, but will withhold some sensitive information.
C. It will contribute the victim IP address and port to the SensorBase network.
D. It will not contribute to Risk Rating adjustments that use information from the SensorBase network.

Correct Answer: B
Section: Simlet
Explanation

Explanation/Reference:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_collaboration.html#wp1053292

Configuring Network Participation

To configure network participation, follow these steps:

Step 1 Log in to IDM using an account with administrator privileges.

Step 2 Choose Configuration > Policies > Global Correlation > Network Participation.

Step 3 To turn on network participation, click the Partial or Full radio button:

•Partial—Data is contributed to the SensorBase Network, but data considered potentially sensitive is filtered out and never sent.

•Full—All data is contributed to the SensorBase Network.

QUESTION 6
Simlet Question #5

*NB* -- This is only a sample; real questions and answers may vary, so know the topics and purpose of the simlet and get a feel for the questions.

A. This is a custom signature.
B. The severity level is High.
C. This signature has triggered, as indicated by the red severity icon.
D. Produce Alert is the only action defined.
E. This signature is enabled, but inactive, as indicated by the /0 that follows the signature number.

Correct Answer: BD
Section: Simlet
Explanation

Explanation/Reference:
http://www.cisco.com/en/US/docs/security/ips/7.1/configuration/guide/ime/ime_signature_wizard.pdf

QUESTION 7
Simlet Question #6

*NB* -- This is only a sample; real questions and answers may vary, so know the topics and purpose of the simlet and get a feel for the questions.

A. The maximum number of denied attackers is set to 10000.
B. The block action duration is set to 3600 seconds.
C. The Meta Event Generator is globally enabled.
D. Events Summarization is globally disabled.
E. Threat Rating Adjustment is globally disabled.

Correct Answer: ABC
Section: Simlet
Explanation

Explanation/Reference:
Feedback from test takers. A & C are clear.

Major issues with this answer --- the third choice is impossible. I believe B should be "Block action duration is set for 30 minutes" -- the only choice, really.

QUESTION 8
This is the most likely shot of the LAB

A. Tasks = 4

1: Event Action Overrides

Verify and enable this feature for the rules0 instance.

2: Risk Category name MYCUSTOMRISK

Create a custom risk category named MYCUSTOMRISK and assign this category a risk threshold of 80 (hard to see, could be 90).

Modify the new MYCUSTOMRISK to take the following actions > Deny Attacker Inline > Produce Alert > Reset TCP Connection

3: Modify the Red Threat Threshold

Modify the value to 80 to enable the new risk category to be included in the Red Threshold level for network security health statistics alert threat categorization.

4: REMEMBER TO SAVE AND APPLY ALL CHANGES AS NEEDED (MEANS AS YOU GO - DO NOT WAIT TILL THE END TO SAVE CHANGES)

Correct Answer: A
Section: LAB
Explanation

Explanation/Reference:

#3 http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/ime/ime_dashboards.html

Sensor Health Gadget

The Sensor Health gadget visually displays sensor health and network security information in two colored meters. The meters are labeled Normal, Needs Attention, or Critical according to an analysis of the specific metrics. The overall health status is set to the highest severity of all the metrics you configured. For example, if you configure eight metrics to determine the sensor health and seven of the eight are green while one is red, the overall sensor health is displayed as red.

The dashboard is not available -- you have to look for the Red Threat option under the Policies screen! It is a small field at the bottom of the screen.

QUESTION 9
Which two switching-based mechanisms are used to deploy high availability IPS using multiple Cisco IPS appliances? (Choose two.)

A. Spanning Tree-based HA
B. HSRP-based HA
C. EtherChannel-based HA
D. VRRP-based HA

Correct Answer: AC
Section: Configuration
Explanation

Explanation/Reference:
Official Cisco Guide Chapter 21

When network switches are used to provide High Availability, you have two options:

EtherChannel-based HA
STP-based HA

QUESTION 10
Which four types of interface modes are available on the Cisco IPS 4200 Series appliance? (Choose four.)

A. promiscuous
B. inline TAP
C. inline interface
D. inline VLAN pair
E. VLAN groups
F. bypass

Correct Answer: ACDE
Section: Hardware
Explanation

Explanation/Reference:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_interfaces.html#wp1047079

https://supportforums.cisco.com/thread/2463764000 series does not support bypass mode
