
CCNA Security Chapter 5 Quiz

1. What are two major drawbacks to using HIPS? (Choose two.)

(A) HIPS has difficulty constructing an accurate network picture or coordinating the events happening across the entire network.
(B) HIPS installations are vulnerable to fragmentation attacks or variable TTL attacks.
(C) With HIPS, the network administrator must verify support for all the different operating systems used in the network.
(D) If the network traffic stream is encrypted, HIPS is unable to access unencrypted forms of the traffic.
(E) With HIPS, the success or failure of an attack cannot be readily determined.

2. Why is a network that deploys only IDS particularly vulnerable to an atomic attack?

(A) The IDS must track the three-way handshake of established TCP connections.
(B) The IDS must track the three-way handshake of established UDP connections.
(C) The IDS permits malicious single packets into the network.
(D) The IDS requires significant router resources to maintain the event horizon.
(E) The stateful properties of atomic attacks usually require the IDS to have several pieces of data to match an attack signature.

3. Refer to the exhibit. What is the result of issuing the Cisco IOS IPS commands on router R1?

(A) A named ACL determines the traffic to be inspected.
(B) A numbered ACL is applied to S0/0/0 in the outbound direction.
(C) All traffic that is denied by the ACL is subject to inspection by the IPS.
(D) All traffic that is permitted by the ACL is subject to inspection by the IPS.

4. Which two files could be used to implement Cisco IOS IPS with version 5.x format signatures? (Choose two.)

(A) IOS-Sxxx-CLI.bin
(B) IOS-Sxxx-CLI.pkg
(C) IOS-Sxxx-CLI.sdf
(D) realm-cisco.priv.key.txt
(E) realm-cisco.pub.key.txt

5. What are two IPS configuration best practices that can help improve IPS efficiency in a network? (Choose two.)

(A) Configure all sensors to check the server for new signature packs at the same time to ensure that they are all synchronized.
(B) Configure the sensors to simultaneously check the FTP server for new signature packs.
(C) Ensure that signature levels that are supported on the management console are synchronized with the signature packs on the sensors.
(D) Update signature packs manually rather than automatically to maintain close control when setting up a large deployment of sensors.
(E) Place signature packs on a dedicated FTP server within the management network.

6. Which Cisco IOS configuration option instructs the IPS to compile a signature category named ios_ips into memory and use it to scan traffic?

(A) R1(config)# ip ips signature-category
    R1(config-ips-category)# category all
    R1(config-ips-category-action)# retired false
(B) R1(config)# ip ips signature-category
    R1(config-ips-category)# category ios_ips basic
    R1(config-ips-category-action)# retired false
(C) R1(config)# ip ips signature-category
    R1(config-ips-category)# category all
    R1(config-ips-category-action)# enabled true
(D) R1(config)# ip ips signature-category
    R1(config-ips-category)# category ios_ips basic
    R1(config-ips-category-action)# enabled true

7. A network administrator tunes a signature to detect abnormal activity that might be malicious and likely to be an immediate threat. What is the perceived severity of the signature?

(A) high
(B) medium
(C) low
(D) informational

8. When editing IPS signatures with SDM, which action drops all future packets from a TCP flow?

(A) Deny Packet Inline
(B) Deny TCP Connection
(C) Deny Attacker Inline
(D) Deny Connection Inline

9. Which two benefits does the IPS version 5.x signature format provide over the version 4.x signature format? (Choose two.)

(A) addition of signature micro engines
(B) support for IPX and AppleTalk protocols
(C) addition of a signature risk rating
(D) support for comma-delimited data import
(E) support for encrypted signature parameters

10. Which type of intrusion detection triggers an action if excessive activity occurs beyond a specified threshold of normal activity?

(A) pattern-based detection
(B) anomaly-based detection
(C) policy-based detection
(D) honey pot-based detection

11. Refer to the exhibit. Which option tab on the SDM IPS screen is used to view the Top Threats table and deploy signatures associated with those threats?

(A) Create IPS
(B) Edit IPS
(C) Security Dashboard
(D) IPS Migration

12. Which two statements characterize a network-based IPS implementation? (Choose two.)

(A) It makes hosts visible to attackers.
(B) It is unable to examine encrypted traffic.
(C) It monitors to see if an attack was successful.
(D) It provides application-level encryption protection.
(E) It is independent of the operating system on hosts.

13. An IPS sensor has detected the string "confidential" across multiple packets in a TCP session. Which type of signature trigger and signature type does this describe?

(A) Trigger: Anomaly-based detection
    Type: Atomic signature
(B) Trigger: Anomaly-based detection
    Type: Composite signature
(C) Trigger: Pattern-based detection
    Type: Atomic signature
(D) Trigger: Pattern-based detection
    Type: Composite signature
(E) Trigger: Policy-based detection
    Type: Atomic signature
(F) Trigger: Policy-based detection
    Type: Composite signature

14. Which type of IPS signature detection is used to distract and confuse attackers?

(A) pattern-based detection
(B) anomaly-based detection
(C) policy-based detection
(D) honey pot-based detection

15. Which two Cisco IOS commands are required to enable IPS SDEE message logging? (Choose two.)

(A) logging on
(B) ip ips notify log
(C) ip http server
(D) ip ips notify sdee
(E) ip sdee events 500

16. Refer to the exhibit. What is the significance of the number 10 in the signature 6130 10 command?

(A) It is the alert severity.
(B) It is the signature number.
(C) It is the signature version.
(D) It is the subsignature ID.
(E) It is the signature fidelity rating.

17. Refer to the exhibit. When modifying an IPS signature action, which two check boxes should be selected to create an ACL that denies all traffic from the IP address that is considered the source of the attack and drops the packet and all future packets from the TCP flow? (Choose two.)

(A) Deny Attacker Inline
(B) Deny Connection Inline
(C) Deny Packet Inline
(D) Produce Alert
(E) Reset TCP Connection

18. Refer to the exhibit. What is the significance of the small red flag waving in the Windows system tray?

(A) Cisco Security Agent is installed but inactive.
(B) Network-based IPS is active and has detected a potential security problem.
(C) Cisco Security Agent is active and has detected a potential security problem.
(D) A network-based IPS sensor has pushed an alert to a host running Cisco Security Agent.

19. Refer to the exhibit. A user was installing a Flash Player upgrade when the CSA displayed the dialog box shown. Which default action is taken by CSA if the user does not respond within 4 minutes and 20 seconds?

(A) The action is allowed, and a log entry is recorded.
(B) The action is allowed, and CSA does not prompt the user again.
(C) The action is denied, and a log entry is recorded.
(D) The action is denied, and the FlashPlayerUpdate.exe application is terminated.

20. Which type of intrusion prevention technology is primarily used by Cisco IPS security appliances?

(A) rule-based
(B) profile-based
(C) signature-based
(D) NetFlow anomaly-based
(E) protocol analysis-based

21. Refer to the exhibit. Based on the SDM screen shown, which two actions will the signature take if an attack is detected? (Choose two.)

(A) Reset the TCP connection to terminate the TCP flow.
(B) Drop the packet and all future packets from this TCP flow.
(C) Generate an alarm message that can be sent to a syslog server.
(D) Drop the packet and permit remaining packets from this TCP flow.
(E) Create an ACL that denies traffic from the attacker IP address.

22. What information is provided by the show ip ips configuration command?

(A) detailed IPS signatures
(B) alarms that were sent since the last reset
(C) the number of packets that are audited
(D) the default actions for attack signatures

23. What is a disadvantage of network-based IPS as compared to host-based IPS?

(A) Network-based IPS is less cost-effective.
(B) Network-based IPS cannot examine encrypted traffic.
(C) Network-based IPS does not detect lower level network events.
(D) Network-based IPS should not be used with multiple operating systems.
