642-532 Securing Networks Using Intrusion Prevention Systems Exam (IPS)

Page 1   
Question 1

You recently noticed a large volume of alerts generated by attacks against your web
servers. Because these are mission-critical servers, you keep them up to date on patches.
As a result, the attacks fail and your inline sensor generates numerous false positives. Your
assistant, who monitors the alerts, is overwhelmed.
Which two actions will help your assistant manage the false positives? (Choose two.)

  • A. Create a policy that denies attackers inline and filters alerts for events with high Risk Ratings.
  • B. Lower the severity level of signatures that are generating the false positives.
  • C. Lower the fidelity ratings of signatures that are generating the false positives.
  • D. Raise the Target Value Ratings for your web servers.
  • E. Create a filter that filters out any alert whose target address is that of one of your web servers.


Answer : A,D
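As an added worked example (not part of the exam page), the script below implements the Cisco IPS 5.x Risk Rating formula, RR = (ASR x TVR x SFR) / 10000, truncated and capped at 100, with the Attack Severity Rating and Target Value Rating scale values the sensor uses. It recomputes a constructed alert's RR under each tuning option offered in Question 1 (lower severity, lower fidelity, raise the Target Value Rating), applies an Event Action Override threshold, and shows what an address-keyed Event Action Filter (option E) removes. The same arithmetic is what lowering the severity of web signatures in Question 6 changes. The alerts, addresses, signature IDs other than 3116, the override threshold of 90 and the 25-point fidelity cut are assumptions for illustration, not values from the page.

```python
# Added example, not part of the exam page: Cisco IPS 5.x Risk Rating arithmetic.
# RR = (ASR * TVR * SFR) / 10000, truncated to an integer and capped at 100.
# The ASR/TVR scale values are the IPS 5.x defaults; the alerts, addresses,
# signature IDs other than 3116 and the thresholds are constructed.
from dataclasses import dataclass

# Attack Severity Rating (ASR) assigned to each signature severity level.
SEVERITY_ASR = {"informational": 25, "low": 50, "medium": 75, "high": 100}

# Target Value Rating (TVR) assigned to each asset-value setting.
TARGET_VALUE_TVR = {"zero": 50, "low": 75, "medium": 100,
                    "high": 150, "mission critical": 200}

# One step down the severity scale, used to model "lower the severity level".
LOWER_SEVERITY = {"high": "medium", "medium": "low",
                  "low": "informational", "informational": "informational"}


def risk_rating(severity, fidelity, target_value="medium"):
    """Return the IPS 5.x Risk Rating (0-100) for one alert."""
    if not 0 <= fidelity <= 100:
        raise ValueError("signature fidelity rating must be 0-100")
    asr = SEVERITY_ASR[severity]
    tvr = TARGET_VALUE_TVR[target_value]
    return min(100, asr * tvr * fidelity // 10000)


@dataclass(frozen=True)
class Alert:
    sig_id: int          # signature that fired
    severity: str        # signature severity level
    fidelity: int        # Signature Fidelity Rating (SFR), 0-100
    target_value: str    # TVR category configured for the target host
    target: str          # attacked host address

    @property
    def risk_rating(self):
        return risk_rating(self.severity, self.fidelity, self.target_value)


def tuning_effects(alert):
    """Recompute one alert's RR under each Question 1 tuning option."""
    return {
        "baseline": alert.risk_rating,
        "lower severity": risk_rating(LOWER_SEVERITY[alert.severity],
                                      alert.fidelity, alert.target_value),
        "lower fidelity": risk_rating(alert.severity,
                                      max(0, alert.fidelity - 25),  # assumed cut
                                      alert.target_value),
        "raise target value": risk_rating(alert.severity, alert.fidelity,
                                          "mission critical"),
    }


def event_actions(rr, base_actions=("produce-alert",),
                  overrides=(("deny-attacker-inline", 90),)):
    """Apply Event Action Overrides: an override adds its action once RR
    reaches the override's threshold (threshold of 90 is an assumption)."""
    actions = list(base_actions)
    for action, threshold in overrides:
        if rr >= threshold and action not in actions:
            actions.append(action)
    return tuple(actions)


def visible_alerts(alerts, min_rr=70, filtered_targets=()):
    """Alerts the analyst still sees after an Event Action Filter keyed on
    target address (option E) and a console view limited to RR >= min_rr."""
    return [a for a in alerts
            if a.target not in filtered_targets and a.risk_rating >= min_rr]


# Constructed sample: a patched web server, a database server, a noisy scan.
WEB_ALERT = Alert(5081, "high", 85, "medium", "192.0.2.10")
DB_ALERT = Alert(3116, "high", 100, "high", "192.0.2.20")
SCAN_ALERT = Alert(3002, "informational", 50, "medium", "192.0.2.30")
SAMPLE_ALERTS = [WEB_ALERT, DB_ALERT, SCAN_ALERT]

if __name__ == "__main__":
    for name, rr in tuning_effects(WEB_ALERT).items():
        print(f"{name:>18}: RR={rr:3d} actions={event_actions(rr)}")
    print("visible with RR filter only    :",
          [a.sig_id for a in visible_alerts(SAMPLE_ALERTS)])
    print("visible with web server filtered:",
          [a.sig_id for a in visible_alerts(SAMPLE_ALERTS,
                                            filtered_targets=("192.0.2.10",))])
```

Lowering a signature's severity or fidelity reduces the RR of every alert from that signature, on every target; raising a host's Target Value Rating raises the RR of every alert against that host whether or not the attack could have succeeded; and a filter keyed only on the web server's address drops the alert for a real attack against it as well. The trade-off between these effects is what the tuning options in Question 1 and Question 6 are really asking about.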

Question 2

You think users on your corporate network are disguising the use of file-sharing
applications by tunneling the traffic through port 80. How can you configure your sensor to
identify and stop this activity?

  • A. Enable all signatures in the Service HTTP engine.
  • B. Assign the Deny Packet Inline action to all signatures in the Service HTTP engine.
  • C. Enable HTTP Application Policy and enable the Alarm on Non-HTTP Traffic signature.
  • D. Enable all signatures in the Service HTTP engine. Then create an Event Action Override that adds the Deny Packet Inline action to events triggered by these signatures if the traffic originates from your corporate network.
  • E. Enable the Alarm on the Non-HTTP Traffic signature. Then create an Event Action Override that adds the Deny Packet Inline action to events triggered by the signature if the traffic originates from your corporate network.


Answer : C

Question 3

Which two are appropriate installation points for a Cisco IPS sensor? (Choose two.)

  • A. on publicly accessible servers
  • B. on critical network servers
  • C. at network entry points
  • D. on user desktops
  • E. on corporate mail servers
  • F. on critical network segments


Answer : C,F

Question 4

Which two are necessary to take into consideration when preparing to tune your sensor?
(Choose two.)

  • A. the security policy
  • B. the network topology
  • C. which outside addresses are statically assigned to the servers and which are DHCP addresses
  • D. the IP addresses of your inside gateway and outside gateway
  • E. which traffic the sensor denies by default
  • F. the current configuration for each virtual sensor


Answer : A,B

Question 5

Which statement is true about using the Cisco IDM to configure automatic signature and
service pack updates?

  • A. You access the Automatic Update panel from the IDM Monitoring tab.
  • B. You must select the Enable Auto Update check box in the Auto Update panel in order to configure automatic updates.
  • C. You can schedule updates to occur daily, weekly, or monthly.
  • D. If you configure updates to occur daily, the sensor checks for updates at 12:00 a.m. each day.
  • E. You must enter your Cisco.com username and password.


Answer : B

Question 6

Your sensor is detecting a large volume of web traffic because it is monitoring traffic
outside the firewall. What is the most appropriate sensor tuning for this scenario?

  • A. lowering the severity level of certain web signatures
  • B. raising the severity level of certain web signatures
  • C. disabling all web signatures
  • D. disabling the Meta Event Generator
  • E. retiring certain web signatures


Answer : A

Question 7

Which four tasks must you complete in the Cisco IDM to have the sensor automatically look
for and install signature and service pack updates? (Choose four.)

  • A. Specify whether the sensor should look for an update file on Cisco.com or on a local server.
  • B. Enter your Cisco.com username and password.
  • C. Enter the IP address of the remote server that contains the updates.
  • D. Select the protocol that is used for transferring the file.
  • E. Enter the path to the update file.
  • F. Schedule the updates.


Answer : C,D,E,F

Question 8

To use the upgrade command to retain the sensor configuration when upgrading to Cisco
IPS software version 5.0, which version of Cisco IDS software must the sensor be running
prior to upgrade?

  • A. 3.5
  • B. 4.0
  • C. 4.1
  • D. 4.2


Answer : C

Question 9

Which command captures live traffic on Fast Ethernet interface 0/1?

  • A. packet capture FastEthernet0/1
  • B. packet display FastEthernet0/1
  • C. show interfaces FastEthernet0/1 | include real-time
  • D. show traffic FastEthernet0/1
  • E. traffic display FastEthernet0/1
  • F. physical-interfaces FastEthernet0/1


Answer : A

Question 10

When signature 3116 (NetBus) fires, you want your sensor to terminate the current packet
and future packets on the TCP flow. Which action should you assign to the signature?

  • A. Request Block Connection
  • B. Request Block Host
  • C. Deny Attacker Inline
  • D. Deny Connection Inline
  • E. Reset TCP Connection
  • F. Modify Packet Inline


Answer : D

Question 11

Drag Drop question


Answer : D

Question 12

What is the hostId entry in a Cisco IPS alert?

  • A. the blocking device that blocked the attack
  • B. the globally unique identifier for the attacker
  • C. the sensor that originated the alert
  • D. the IP address of the attacked host
  • E. the IP address of the attacker


Answer : C

Question 13

When performing a signature update on a Cisco IDS Sensor, which three server types are
supported for retrieving the new software? (Choose three.)

  • A. FTP
  • B. SCP
  • C. RCP
  • D. NFS
  • E. TFTP
  • F. HTTP


Answer : A,B,F

Question 14

For which purpose is a sensor license needed?

  • A. Cisco IDM functionality
  • B. signature updates
  • C. all sensor operations
  • D. service pack updates
  • E. failover configurations


Answer : B

Question 15

Why would an attacker saturate the network with noise while simultaneously launching an
attack?

  • A. It causes the Cisco IDS to fire multiple false negative alarms.
  • B. An attack may go undetected.
  • C. It will have no effect on the ability of the sensor to detect attacks.
  • D. It will initiate asymmetric attack techniques.
  • E. It will force the sensor into Bypass mode so that future attacks go undetected.


Answer : B
