642-627 Implementing Cisco Intrusion Prevention System v7.0

Page 1   
Question 1

On the Cisco IPS appliance, the anomaly detection knowledge base is used to store which
two types of information for each service? (Choose two.)

  • A. scanner threshold
  • B. packet per second rate limit
  • C. anomaly detection mode
  • D. histogram
  • E. total bytes transferred

Answer : A,D

Explanation: http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/ security_manager/4.0/user/guide/ipsanom.html The knowledge base has a tree structure and contains the following information: Knowledge base name Zone name Protocol Service The knowledge base holds a scanner threshold and a histogram for each service. If you have learning accept mode set to automatic and the action set to rotate, a new knowledge base is created every 24 hours and used in the next 24 hours. If you have learning accept mode set to automatic and the action is set to save only, a new knowledge base is created but not loaded, and the current knowledge base is used. If you do not have learning accept mode set to automatic, no knowledge base is created.

Question 2

Refer to the exhibit.

When viewing the All Signatures pane, clicking on the Advanced option can be used to
enable which two IPS configurations? (Choose two.)

  • A. normalizer mode
  • B. signature variables
  • C. HTTP and FTP AIC
  • D. network participation mode
  • E. event action overrides
  • F. event action filters

Answer : B,C

Explanation: http://www.cisco.com/en/US/docs/security/ips/7.1/configuration/guide/idm/idm_signature_d efinitions.html#wp1224787

Question 3

Which four statements are true about the Cisco IPS global correlation and reputation
filtering features? (Choose four.)

  • A. Reputation filtering can adjust the risk rating of an alert.
  • B. Reputation filtering can be set to permissive, standard, or aggressive.
  • C. Global correlation can be trialed in with a test mode.
  • D. Reputation filtering can drop packets from untrusted source IP addresses.
  • E. Both global correlation and reputation filtering leverage Cisco SenderBase.
  • F. Global correlation can adjust the risk rating of an alert.

Answer : C,D,E,F

Explanation: http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_collaboratio n.html#wp1056492 Global Correlation Requirements Global correlation has the following requirements: Valid licenseYou must have a valid sensor license for global correlation features to function. You can still configure and display statistics for the global correlation features, but the global correlation databases are cleared and no updates are attempted. Once you install a valid license, the global correlation features are reactivated. Agree to Network Participation disclaimer External connectivity for sensor and a DNS serverThe global correlation features of IPS 7.0 require the sensor to connect to the Cisco SensorBase Network. Domain name resolution is also required for these features to function. You can either configure the sensor to connect through an HTTP proxy server that has a DNS client running on it, or you can assign an Internet routeable address to the management interface of the sensor and configure the sensor to use a DNS server. In IPS 7.0 the HTTP proxy and DNS servers are used only by the global correlation features

Question 4

Answer :

Question 5

Answer :

Question 6

Refer to the exhibit.

What does an action of Rotate indicate?

  • A. A new knowledge base is created, but is not loaded. You can view it to decide if you want to load it.
  • B. A new knowledge base is created and loaded.
  • C. The knowledge base is rolled back to the previous version.
  • D. The knowledge base is rotated on a periodic schedule using the different existing knowledge bases.

Answer : B

Question 7

Refer to the exhibit.

Which statement is true?

  • A. The Service HTTP engine is disabled.
  • B. The Cisco IPS sensor will send an alert if an attacker makes more than 10 HTTP requests to a single target server.
  • C. The IP logging feature has been disabled by setting the Max IP Log Packets and Max IP Log Bytes to 0.
  • D. Application inspection and control for HTTP is disabled.
  • E. Automatic IP Log actions will capture the specified traffic for 30 minutes.

Answer : D

Question 8

You are working with Cisco TAC to troubleshoot a software problem on the Cisco IPS
appliance. TAC suspects a fault with the ARC software module in the Cisco IPS appliance.
In this case, which Cisco IPS appliance operations may be most affected by the ARC
software module fault?

  • A. SDEE
  • B. global correlation
  • C. anomaly detection
  • D. remote blocking
  • E. virtual sensor
  • F. OS fingerprinting

Answer : D

Explanation: http://www.cisco.com/en/US/docs/security/ips/6.1/installation/guide/hw_troubleshooting.htm l#wpmkr1185768

Question 9

Refer to the exhibit. What does the Risk Threshold setting of 95 specify?

  • A. the low risk rating threshold
  • B. the low threat rating threshold
  • C. the low target value rating threshold
  • D. the high risk rating threshold
  • E. the high threat rating threshold
  • F. the high target value rating threshold

Answer : D

Explanation: HIGHRISK = 90 - 100 - = Red Threat

Question 10

Which value is not used by the Cisco IPS appliance in the risk rating calculation?

  • A. attack severity rating
  • B. target value rating
  • C. signature fidelity rating
  • D. promiscuous delta
  • E. threat rating adjustment
  • F. watch list rating

Answer : E

Explanation: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/prod_white_p aper0900aecd806e7299.html Risk Rating Calculation Risk rating is a quantitative measure of your network's threat level before IPS mitigation. For each event fired by IPS signatures, Cisco IPS Sensor Software calculates a risk rating number. The factors used to calculate risk rating are: Signature fidelity rating: This IPS-generated variable indicates the degree of attack certainty. Attack severity rating: This IPS-generated variable indicates the amount of damage an attack can cause. Target value rating: This user-defined variable indicates the criticality of the attack target. This is the only factor in risk rating that is routinely maintained by the user. You can assign a target value rating per IP address in Cisco IPS Device Manager or Cisco Security Manager. The target value rating can raise or lower the overall risk rating for a network device. You can assign the following target values: 75: Low asset value 100: Medium asset value 200: Mission-critical asset value Attack relevancy rating: This IPS-generated value indicates the vulnerability of the attack target. Promiscuous delta: The risk rating of an IPS deployed in promiscuous mode is reduced by the promiscuous delta. This is because promiscuous sensing is less accurate than inline sensing. The promiscuous delta can be configured on a per-signature basis, with a value range of 0 to 30. (The promiscuous delta was introduced in Cisco IPS Sensor Software Version 6.0.) Watch list rating: This IPS-generated value is based on data found in the Cisco Security Agent watch list. The Cisco Security Agent watch list contains IP addresses of devices involved in network scans or possibly contaminated by viruses or worms. If an attacker is found on the watch list, the watch list rating for that attacker is added to the risk rating. The value for this factor is between 0 and 35. (The watch list rating was introduced i

Question 11

On the Cisco IPS appliance, each virtual sensor can have its own instance of which three
parameters? (Choose three.)

  • A. signature-definition
  • B. event-action-rules
  • C. global-correlation-rules
  • D. anomaly-detection
  • E. reputation-filters
  • F. external-product-interfaces

Answer : A,B,D

Explanation: http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/idm/dmAnEng.html The Virtual Sensors pane displays a list of the virtual sensors. For each virtual sensor the following is displayed: Assigned interfaces/pairs Signature definition policy Event action rules policy Anomaly detection policy Anomaly detection operational mode setting Inline TCP session tracking mode Description of the virtual sensor You can create, edit, or delete virtual sensors.

Question 12

Which global correlation data is sent to the Cisco SensorBase Network with full network
participation that is not sent with partial network participation?

  • A. attack type
  • B. connecting IP address and port
  • C. victim IP address and port
  • D. protocol attributes
  • E. IPS appliance CPU and memory usage information

Answer : C

Explanation: http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_collaboratio n.html#wp1053292 In the Network Participation pane, you can configure the sensor to send data to the SensorBase Network. You can configure the sensor to fully participate and send all data to the SensorBase Network. Or you can configure the sensor to collect the data but to omit potentially sensitive data, such as the destination IP address of trigger packets.

Question 13

Refer to the exhibit.

Which option is affected by the IP Log parameters?

  • A. the syslog operations of the Cisco IPS appliance
  • B. the signature logging action
  • C. SNMP trap operations
  • D. the signature produce verbose alert action
  • E. the SDEE operations of the Cisco IPS appliance

Answer : B

Explanation: http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/ security_manager/4.1/user/guide/ipsvchap.pdf

Question 14

Which three Cisco IPS cross-launch capabilities do Cisco Security Manager and Cisco
Security MARS support? (Choose three.)

  • A. Edit IPS signatures in Cisco Security Manager from a Cisco Security MARS query.
  • B. Create custom signatures in Cisco Security Manager from a Cisco Security MARS query.
  • C. Create event action filters in Cisco Security Manager from a Cisco Security MARS query.
  • D. Create a Cisco Security MARS drop rule from Cisco Security Manager policy.
  • E. Create a Cisco Security MARS user inspection rule from Cisco Security Manager policy.
  • F. Query Cisco Security MARS from Cisco Security Manager policy.

Answer : A,C,F

Explanation: "...MARS creates queries that include a launch point for CSM. When CSM is launched, you can carry out the following (cross-connected actions): Edit an IPS Signature Add an event action filter to an IPS configuration in Cisco Security Manager and when you use CSM to cross-launch MARS, you can query events that were originated by the signatures in CSM." http://my.safaribooksonline.com/book/certification/ccnp/9780132372107/integrating-cisco- ips-with-csm-andcisco-security-mars/435#

Question 15

A Cisco Catalyst switch is experiencing packet drops on a SPAN destination port that is
connected to an Cisco IPS appliance. Which three configurations should be considered to
resolve the packet drops issue? (Choose three.)

  • A. Configure an additional SPAN session to a different Cisco IPS appliance interface connected to the same virtual sensor
  • B. Configure an EtherChannel bundle as the SPAN destination port.
  • C. Configure RSPAN.
  • D. Configure VACL capture.
  • E. Configure the Cisco IPS appliance to inline mode.

Answer : A,D,E

Explanation: From Neil: A, D, E A. Adding an additional span session to a different Cisco IPS will remove some of the traffic and load from the existing span - Confirmed Correct B. Cisco documentation clearly defines that Ether-channels cannot be configured as SPAN destination ports. This rules out option B. - Confirmed Incorrect http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_19_ea1 /configuration/guide/swspan.html#wp1044603 C. RSPAN is remote span which is used to send traffic to a device not connected to the local switch. While this would have a similar effect to answer A since you are in fact creating another span, the implication here is that there is only one IPS device. - Unconfirmed Incorrect D. Configuring VACL capture will allow a reduced amount of traffic and load on the span by selecting and sending only select traffic over the SPAN to the IPS. - Confirmed Correct E. Configuring the Cisco IPS appliance in inline mode would eliminate the need for a span altogether. -Unconfirmed Correct. Cisco ASA IPS ModulesInline Operation You can configure the ASA to only forward specific traffic to the AIP SSM or AIP SSC for inspection. This is achieved by using the Cisco Modular Policy Framework (MPF), where you can configure a Cisco ASA to selectively send traffic to the AIP module operating in inline or promiscuous mode. You can also specify that all traffic be inspected by the AIP module, and if the total traffic exceeds the IPS module inspection capacity, you can modify the MPF configuration in such a way that only critical traffic is inspected. This approach reduces the traffic the IPS module will have to analyze, and it is guaranteed to perform optimally. Cisco ASA IPS ModulesPromiscuous Operation A selective capture can also be used to ensure that only part of the traffic flowing through a Cisco ASA is sent to the AIP module in promiscuous mode. This way, the AIP module is not overwhelmed and critical data is analyzed. The same c

Page 1