Ips V7 Test B
Cisco IPS v7 (642-627) 20 questions
These are ONLY multiple choice questions, no drag/drop, hotspot or sim.
- 1.
A Cisco Catalyst switch is experiencing packet drops on a SPAN destination port that is connected to an Cisco IPS appliance. Which three configurations should be considered to resolve the packet drops issue? (Choose three.)
- A.
Configure an additional SPAN session to a different Cisco IPS appliance interface connected to the same virtual sensor.
- B.
Configure an EtherChannel bundle as the SPAN destination port.
- C.
Configure RSPAN.
- D.
Configure VACL capture.
- E.
Configure the Cisco IPS appliance to inline mode.
Correct Answer(s)
A. Configure an additional SPAN session to a different Cisco IPS appliance interface connected to the same virtual sensor.
D. Configure VACL capture.
E. Configure the Cisco IPS appliance to inline mode.Explanation
To resolve the packet drops issue on the SPAN destination port connected to a Cisco IPS appliance, three configurations should be considered. Firstly, configuring an additional SPAN session to a different Cisco IPS appliance interface connected to the same virtual sensor can distribute the load and prevent packet drops. Secondly, configuring VACL capture can help in capturing the packets without causing drops. Lastly, configuring the Cisco IPS appliance to inline mode allows it to inspect and drop packets directly, reducing the chances of drops.Rate this question:
-
- 2.
Which signature action should be selected to cause the attacker's traffic flow to terminate when the Cisco IPS appliance is operating in promiscuous mode?
- A.
Deny connection
- B.
Deny attacker
- C.
Reset TCP connection
- D.
Deny packet, reset TCP connection
- E.
Deny connection, reset TCP connection
Correct Answer
C. Reset TCP connectionExplanation
The correct answer is "reset TCP connection". When the Cisco IPS appliance is operating in promiscuous mode, it is not able to block or deny traffic directly. However, it can send a TCP reset packet to both the attacker and the target, causing the connection to terminate. This action helps to disrupt the attacker's traffic flow and prevent further malicious activity.Rate this question:
-
- 3.
During Cisco IPS appliance troubleshooting, you notice that all the signatures are set to Fire All. What can cause this situation to occur?
- A.
A new signature engine update package has been loaded to the Cisco IPS appliance.
- B.
A new signature/virus update package has been loaded to the Cisco IPS appliance.
- C.
Summarizer has been disabled globally.
- D.
All the signatures have been set to the default state.
- E.
All the signatures have been retired, and then unretired.
Correct Answer
C. Summarizer has been disabled globally.Explanation
When the summarizer is disabled globally on a Cisco IPS appliance, all the signatures are set to "Fire All." This means that the appliance will generate an alert for every event that matches any signature, regardless of severity or priority. Disabling the summarizer removes the ability to group similar events together and reduces the efficiency of the IPS appliance.Rate this question:
-
- 4.
From which three sources does the Cisco IPS appliance obtain OS mapping information? (Choose three.)
- A.
From manually configured OS mappings
- B.
Imported OS mappings from Management Center for Cisco Security Agent
- C.
Imported OS mappings from Cisco Security Manager
- D.
Learned OS mappings from passive OS fingerprinting
- E.
Learned OS mappings from CiscoSensorBase input
- F.
From Cisco IPS signature updates
Correct Answer(s)
A. From manually configured OS mappings
B. Imported OS mappings from Management Center for Cisco Security Agent
D. Learned OS mappings from passive OS fingerprintingExplanation
The Cisco IPS appliance obtains OS mapping information from three sources: manually configured OS mappings, imported OS mappings from Management Center for Cisco Security Agent, and learned OS mappings from passive OS fingerprinting. This means that the appliance can gather information about operating systems from configurations made by the user, import mappings from the Management Center for Cisco Security Agent, and learn mappings through passive OS fingerprinting techniques.Rate this question:
-
- 5.
Which IPS alert action is available only in inline mode?
- A.
Produce verbose alert
- B.
Request rate limit
- C.
Reset TCP connection
- D.
Log attacker/victim pair packets
- E.
Deny-packet-inline
- F.
Request block connection
Correct Answer
E. Deny-packet-inlineExplanation
The IPS alert action "deny-packet-inline" is available only in inline mode. This action allows the IPS to block and deny packets in real-time when they are detected as malicious or violating security policies. In inline mode, the IPS sits directly in the network traffic flow and can actively block and prevent malicious packets from reaching their destination. This action is not available in other modes such as promiscuous or monitor mode, where the IPS only monitors and logs the traffic without actively blocking it.Rate this question:
-
- 6.
Refer to the exhibit. What does the Risk Threshold setting of 95 specify?
- A.
The low risk rating threshold
- B.
The low threat rating threshold
- C.
The low target value rating threshold
- D.
The high risk rating threshold
- E.
The high threat rating threshold
- F.
The high target value rating threshold
Correct Answer
D. The high risk rating thresholdExplanation
The Risk Threshold setting of 95 specifies the threshold at which a risk is considered high. A risk rating below 95 would be considered low, while a risk rating above 95 would be considered high.Rate this question:
-
- 7.
From the Cisco IPS appliance CLI setup command, one of the options is "Modify default threat prevention settings? [no]". What is this option related to?
- A.
Anomaly detection
- B.
Threat rating adjustment
- C.
Event action override that denies high-risk network traffic with a risk rating of 90 to 100
- D.
Risk rating adjustment with global correlation
- E.
Reputation filters
Correct Answer
C. Event action override that denies high-risk network traffic with a risk rating of 90 to 100Explanation
This option is related to event action override that denies high-risk network traffic with a risk rating of 90 to 100. It allows the user to modify the default settings for how the IPS appliance handles high-risk network traffic with a risk rating within the specified range. By enabling this option, the appliance will automatically deny any network traffic that is deemed to be high-risk based on its risk rating.Rate this question:
-
- 8.
In Cisco IDM, the Configuration > Sensor Setup > SSH > Known Host Keys screen is used for what purpose?
- A.
To enable the Cisco IPS appliance as a master blocking sensor
- B.
To enable management hosts to access the Cisco IPS appliance
- C.
To regenerate the Cisco IPS appliance SSH host key
- D.
To regenerate the Cisco IPS appliance SSL RSA key pair
- E.
To enable communications with a blocking device
Correct Answer
E. To enable communications with a blocking deviceExplanation
The Configuration > Sensor Setup > SSH > Known Host Keys screen in Cisco IDM is used to enable communications with a blocking device. This suggests that the Cisco IPS appliance can establish a connection and communicate with a blocking device, possibly for the purpose of preventing or mitigating network threats.Rate this question:
-
- 9.
Which configuration is required when setting up the initial configuration on the Cisco ASA 5505 to support the Cisco ASA AIP-SSC?
- A.
Configure a VLAN interface as a management interface to access the Cisco ASA AIP-SSC.
- B.
Using MPF, configure which virtual sensor to use.
- C.
Configure a management access rule to allow Cisco ASDM access from the Cisco ASA AIPSSC management interface IP address.
- D.
Configure a management access rule to allow SSH access from the Cisco ASA AIP-SSC management interface IP address.
Correct Answer
A. Configure a VLAN interface as a management interface to access the Cisco ASA AIP-SSC.Explanation
To set up the initial configuration on the Cisco ASA 5505 to support the Cisco ASA AIP-SSC, it is necessary to configure a VLAN interface as a management interface. This will allow access to the Cisco ASA AIP-SSC for management purposes. By configuring a VLAN interface as a management interface, the Cisco ASA AIP-SSC can be accessed and managed effectively.Rate this question:
-
- 10.
The Cisco IPS appliance risk category is used with which other feature?
- A.
Anomaly detection
- B.
Event action overrides
- C.
Global correlation
- D.
Reputation filter
Correct Answer
B. Event action overridesExplanation
The Cisco IPS appliance risk category is used in conjunction with event action overrides. Event action overrides allow administrators to customize the response to specific events based on their risk category. By assigning a risk category to an event, administrators can define specific actions to be taken, such as blocking or allowing traffic, based on the severity of the event. This helps to ensure that appropriate actions are taken to mitigate potential threats based on their level of risk.Rate this question:
-
- 11.
Which two Cisco IPS modules support sensor virtualization? (Choose two.)
- A.
AIP-SSM
- B.
AIP-SSC
- C.
IPS AIM
- D.
IPS NME
- E.
IDSM-2
Correct Answer(s)
A. AIP-SSM
E. IDSM-2Explanation
The AIP-SSM and IDSM-2 are the two Cisco IPS modules that support sensor virtualization. The AIP-SSM module is a security services module for the Cisco ASA firewall, which provides intrusion prevention system (IPS) capabilities. The IDSM-2 module is an intrusion detection and prevention system (IDPS) module for the Cisco Catalyst 6500 Series switches, which also supports sensor virtualization. Both modules allow for the creation of multiple virtual sensors within a single physical device, enabling the monitoring and protection of multiple network segments or virtual LANs (VLANs) simultaneously.Rate this question:
-
- 12.
You are working with Cisco TAC to troubleshoot a software problem on the Cisco IPS appliance. TAC suspects a fault with the ARC software module in the Cisco IPS appliance. In this case, which Cisco IPS appliance operations may be most affected by the ARC software module fault?
- A.
SDEE
- B.
Global correlation
- C.
Anomaly detection
- D.
Remote blocking
- E.
Virtual sensor
- F.
OS fingerprinting
Correct Answer
D. Remote blockingExplanation
If there is a fault with the ARC software module in the Cisco IPS appliance, the operation that may be most affected is remote blocking. The ARC (Application Response Control) software module is responsible for analyzing network traffic and blocking any malicious or unauthorized connections. If there is a fault with the ARC module, it may not be able to accurately detect and block remote connections, potentially leaving the network vulnerable to attacks.Rate this question:
-
- 13.
Threat rating calculation is performed based on which factors?
- A.
Risk rating and adjustment based on the prevention actions taken
- B.
Threat rating and event action overrides
- C.
Event action overrides and event action filters
- D.
Risk rating and target value rating
- E.
Alert severity and alert actions
Correct Answer
A. Risk rating and adjustment based on the prevention actions takenExplanation
The threat rating calculation is performed based on the risk rating, which assesses the potential impact and likelihood of a threat event occurring. Additionally, the calculation takes into account the adjustment based on the prevention actions taken. This means that if effective preventive measures have been implemented, the threat rating may be adjusted accordingly to reflect the reduced risk.Rate this question:
-
- 14.
Refer to the exhibit. The scanner threshold is set to 120. Which two statements about this histogram are true? (Choose two.)
- A.
From a single source you do not expect to see non stablished connections to more than 120 different destination IP addresses.
- B.
From a single source you do not expect to see nonestablished connections to more than 100 different destination IP addresses.
- C.
You do not expect to see more than 5 sources generate nonestablished connections to 10 or more different destinations.
- D.
You do not expect to see more than 10 sources generate nonestablished connections to 5 or more different destinations.
- E.
A scanner threshold of 120 is not a valid value for this histogram.
- F.
Scanning attacks will not be triggered, because the scanner threshold is higher than the maximum number of destination IP addresses in the histogram.
- G.
Scanning attacks will not be triggered, because the scanner threshold is higher than the maximum number of source IP addresses in the histogram.
Correct Answer(s)
B. From a single source you do not expect to see nonestablished connections to more than 100 different destination IP addresses.
D. You do not expect to see more than 10 sources generate nonestablished connections to 5 or more different destinations.Explanation
The given histogram shows the number of nonestablished connections from different sources to different destinations. The scanner threshold is set to 120. The statement "From a single source you do not expect to see nonestablished connections to more than 100 different destination IP addresses" is true because the histogram does not have any bar that exceeds the value of 100. The statement "You do not expect to see more than 10 sources generate nonestablished connections to 5 or more different destinations" is also true because there are only a few bars that exceed the value of 5 on the x-axis.Rate this question:
-
- 15.
On the Cisco IPS appliance, each virtual sensor can have its own instance of which three parameters? (Choose three.)
- A.
Signature-definition
- B.
Event-action-rules
- C.
Global-correlation-rules
- D.
Anomaly-detection
- E.
Reputation-filters
- F.
External-product-interfaces
Correct Answer(s)
A. Signature-definition
B. Event-action-rules
D. Anomaly-detectionExplanation
Each virtual sensor on the Cisco IPS appliance can have its own instance of signature-definition, event-action-rules, and anomaly-detection parameters. This means that each virtual sensor can have its own set of signatures, rules for event actions, and anomaly detection settings, allowing for customization and flexibility in monitoring and protecting the network.Rate this question:
-
- 16.
Refer to the exhibit. What happens when you click the Cisco Security MARS icon on the Cisco Security MARS query result screen?
- A.
Cross-launch Cisco Security Manager to link the Cisco Security MARS event back to the IPS signature and policy within the Cisco Security Manager that triggered it.
- B.
Cross-launch Cisco IDM so the signature that triggered it can be examined.
- C.
Cross-launch Cisco IDM to show the corresponding IPS alerts.
- D.
Cross-launch Cisco Security Manager to show the corresponding IPS alerts.
- E.
Cross-launch Cisco IME so the signature that triggered it can be examined.
Correct Answer
A. Cross-launch Cisco Security Manager to link the Cisco Security MARS event back to the IPS signature and policy within the Cisco Security Manager that triggered it.Explanation
Clicking the Cisco Security MARS icon on the Cisco Security MARS query result screen allows the user to cross-launch Cisco Security Manager. This enables the user to link the Cisco Security MARS event back to the IPS signature and policy within the Cisco Security Manager that triggered it.Rate this question:
-
- 17.
Which three statements about the Cisco IPS appliance normalizer feature are true? (Choose three.)
- A.
Only operates in inline modes
- B.
Ensures that Layer 4 to Layer 7 traffic conforms to the protocol specifications
- C.
Tracks session states and stops packets that do not fully match session state
- D.
Modifies ambiguously fragmented IP traffic
- E.
Cannot analyze asymmetric traffic flows
Correct Answer(s)
A. Only operates in inline modes
C. Tracks session states and stops packets that do not fully match session state
D. Modifies ambiguously fragmented IP trafficExplanation
The Cisco IPS appliance normalizer feature has the following characteristics: it only operates in inline modes, it tracks session states and stops packets that do not fully match session state, and it modifies ambiguously fragmented IP traffic.Rate this question:
-
- 18.
Refer to the exhibit. What does the Deny Percentage setting affect?
- A.
The percentage of the signatures to be tuned by the event action filter
- B.
The percentage of the Risk Rating value to be tuned by the event action filter
- C.
The percentage of packets to be denied for the deny attacker actions
- D.
the percentage of the signatures to be tuned by the event action overrides
Correct Answer
C. The percentage of packets to be denied for the deny attacker actionsExplanation
The Deny Percentage setting affects the percentage of packets that will be denied for the deny attacker actions. This means that if the Deny Percentage is set to 50%, then only 50% of the packets that trigger the deny attacker action will actually be denied, while the other 50% will be allowed. This setting allows for more granular control over the denial of packets and can be used to balance security measures with potential impact on network performance.Rate this question:
-
- 19.
Which protocol is used by Encapsulated Remote SPAN?
- A.
ESP
- B.
GRE
- C.
TLS
- D.
STP
- E.
VTI
- F.
802.1Q
Correct Answer
B. GREExplanation
Encapsulated Remote SPAN uses the GRE (Generic Routing Encapsulation) protocol. GRE is a tunneling protocol that encapsulates packets from one network protocol within packets of another network protocol, allowing the packets to be transmitted over a network that does not support the original protocol. In the case of Encapsulated Remote SPAN, GRE is used to encapsulate and transmit SPAN traffic over an IP network.Rate this question:
-
- 20.
In which three ways can you achieve better Cisco IPS appliance performance? (Choose three.)
- A.
Place the Cisco IPS appliance behind a firewall.
- B.
Disable unneeded signatures.
- C.
Enable unidirectional capture.
- D.
Have multiple Cisco IPS appliances in the path and configure them to detect different types of events.
- E.
Enable selective packet capture using VLAN ACL on the Cisco IPS 4200 Series appliance.
- F.
Enable all anti-evasive measures to reduce noise.
Correct Answer(s)
A. Place the Cisco IPS appliance behind a firewall.
B. Disable unneeded signatures.
D. Have multiple Cisco IPS appliances in the path and configure them to detect different types of events.Explanation
To achieve better Cisco IPS appliance performance, three strategies can be implemented. Firstly, placing the Cisco IPS appliance behind a firewall can enhance performance by reducing the amount of traffic that the appliance needs to inspect. Secondly, disabling unneeded signatures can improve performance by reducing the processing load on the appliance. Lastly, having multiple Cisco IPS appliances in the path and configuring them to detect different types of events can distribute the workload and enhance overall performance.Rate this question:
-
Quiz Review Timeline +
Our quizzes are rigorously reviewed, monitored and continuously updated by our expert board to maintain accuracy, relevance, and timeliness.
-
Current Version
-
Mar 18, 2023Quiz Edited by
ProProfs Editorial Team -
Apr 04, 2012Quiz Created by
Keoka
Back to top