
1

Which Cisco IOS configuration option instructs the IPS to compile a signature category named ios_ips into memory and use it to scan traffic?

- R1(config)# ip ips signature-category
  R1(config-ips-category)# category all
  R1(config-ips-category-action)# retired false

- R1(config)# ip ips signature-category
  R1(config-ips-category)# category ios_ips basic
  R1(config-ips-category-action)# retired false

- R1(config)# ip ips signature-category
  R1(config-ips-category)# category all
  R1(config-ips-category-action)# enabled true

- R1(config)# ip ips signature-category
  R1(config-ips-category)# category ios_ips basic
  R1(config-ips-category-action)# enabled true

2

What is a disadvantage of network-based IPS as compared to host-based IPS?

- Network-based IPS is less cost-effective.
- Network-based IPS cannot examine encrypted traffic.
- Network-based IPS does not detect lower level network events.
- Network-based IPS should not be used with multiple operating systems.

3

Refer to the exhibit. A user was installing a Flash Player upgrade when the CSA displayed the dialog box shown. Which default action is taken by CSA if the user does not respond within 4 minutes and 20 seconds?

- The action is allowed, and a log entry is recorded.
- The action is allowed, and CSA does not prompt the user again.
- The action is denied, and a log entry is recorded.
- The action is denied, and the FlashPlayerUpdate.exe application is terminated.

4

An IPS sensor has detected the string confidential across multiple packets in a TCP session. Which type of signature trigger and signature type does this describe?

- Trigger: Anomaly-based detection
  Type: Atomic signature
- Trigger: Anomaly-based detection
  Type: Composite signature
- Trigger: Pattern-based detection
  Type: Atomic signature
- Trigger: Pattern-based detection
  Type: Composite signature
- Trigger: Policy-based detection
  Type: Atomic signature
- Trigger: Policy-based detection
  Type: Composite signature

5

Refer to the exhibit. What is the significance of the small red flag waving in the Windows system tray?

- Cisco Security Agent is installed but inactive.
- Network-based IPS is active and has detected a potential security problem.
- Cisco Security Agent is active and has detected a potential security problem.
- A network-based IPS sensor has pushed an alert to a host running Cisco Security Agent.

6

Which two benefits does the IPS version 5.x signature format provide over the version 4.x signature format? (Choose two.)

- addition of signature micro engines
- support for IPX and AppleTalk protocols
- addition of a signature risk rating
- support for comma-delimited data import
- support for encrypted signature parameters

7

Refer to the exhibit. What is the significance of the number 10 in the signature 6130 10 command?

- It is the alert severity.
- It is the signature number.
- It is the signature version.
- It is the subsignature ID.
- It is the signature fidelity rating.

8

Refer to the exhibit. When modifying an IPS signature action, which two check boxes should be selected to create an ACL that denies all traffic from the IP address that is considered the source of the attack and drops the packet and all future packets from the TCP flow? (Choose two.)

- Deny Attacker Inline
- Deny Connection Inline
- Deny Packet Inline
- Produce Alert
- Reset TCP Connection

9

Which two statements characterize a network-based IPS implementation? (Choose two.)

- It makes hosts visible to attackers.
- It is unable to examine encrypted traffic.
- It monitors to see if an attack was successful.
- It provides application-level encryption protection.
- It is independent of the operating system on hosts.

10

Refer to the exhibit. Based on the SDM screen shown, which two actions will the signature take if an attack is detected? (Choose two.)

- Reset the TCP connection to terminate the TCP flow.
- Drop the packet and all future packets from this TCP flow.
- Generate an alarm message that can be sent to a syslog server.
- Drop the packet and permit remaining packets from this TCP flow.
- Create an ACL that denies traffic from the attacker IP address.

11

A network administrator tunes a signature to detect abnormal activity that might be malicious and likely to be an immediate threat. What is the perceived severity of the signature?

- high
- medium
- low
- informational

12

Which type of intrusion detection triggers an action if excessive activity occurs beyond a specified threshold of normal activity?

- pattern-based detection
- anomaly-based detection
- policy-based detection
- honey pot-based detection

13

Why is a network that deploys only IDS particularly vulnerable to an atomic attack?

- The IDS must track the three-way handshake of established TCP connections.
- The IDS must track the three-way handshake of established UDP connections.
- The IDS permits malicious single packets into the network.
- The IDS requires significant router resources to maintain the event horizon.
- The stateful properties of atomic attacks usually require the IDS to have several pieces of data to match an attack signature.

14

Refer to the exhibit. Which option tab on the SDM IPS screen is used to view the Top Threats table and deploy signatures associated with those threats?

- Create IPS
- Edit IPS
- Security Dashboard
- IPS Migration

15

When editing IPS signatures with SDM, which action drops all future packets from a TCP flow?

- Deny Packet Inline
- Deny TCP Connection
- Deny Attacker Inline
- Deny Connection Inline

16

Which two Cisco IOS commands are required to enable IPS SDEE message logging? (Choose two.)

- logging on
- ip ips notify log
- ip http server
- ip ips notify sdee
- ip sdee events 500

17

What are two IPS configuration best practices that can help improve IPS efficiency in a network? (Choose two.)

- Configure all sensors to check the server for new signature packs at the same time to ensure that they are all synchronized.
- Configure the sensors to simultaneously check the FTP server for new signature packs.
- Ensure that signature levels that are supported on the management console are synchronized with the signature packs on the sensors.
- Update signature packs manually rather than automatically to maintain close control when setting up a large deployment of sensors.
- Place signature packs on a dedicated FTP server within the management network.

18

Which two files could be used to implement Cisco IOS IPS with version 5.x format signatures? (Choose two.)

- IOS-Sxxx-CLI.bin
- IOS-Sxxx-CLI.pkg
- IOS-Sxxx-CLI.sdf
- realm-cisco.priv.key.txt
- realm-cisco.pub.key.txt

19

What are two major drawbacks to using HIPS? (Choose two.)

- HIPS has difficulty constructing an accurate network picture or coordinating the events happening across the entire network.
- HIPS installations are vulnerable to fragmentation attacks or variable TTL attacks.
- With HIPS, the network administrator must verify support for all the different operating systems used in the network.
- If the network traffic stream is encrypted, HIPS is unable to access unencrypted forms of the traffic.
- With HIPS, the success or failure of an attack cannot be readily determined.

20

Refer to the exhibit. What is the result of issuing the Cisco IOS IPS commands on router R1?

- A named ACL determines the traffic to be inspected.
- A numbered ACL is applied to S0/0/0 in the outbound direction.
- All traffic that is denied by the ACL is subject to inspection by the IPS.
- All traffic that is permitted by the ACL is subject to inspection by the IPS.

21

What information is provided by the show ip ips configuration command?

- detailed IPS signatures
- alarms that were sent since the last reset
- the number of packets that are audited
- the default actions for attack signatures
