1.
A Cisco Catalyst switch is experiencing packet drops on a SPAN destination port that is connected to a Cisco IPS appliance. Which three configurations should be considered to resolve the packet drops issue? (Choose three.)
Correct Answer(s)
A. Configure an additional SPAN session to a different Cisco IPS appliance interface connected to the same virtual sensor.
D. Configure VACL capture.
E. Configure the Cisco IPS appliance to inline mode.
Explanation
To resolve the packet drops issue on the SPAN destination port connected to a Cisco IPS appliance, three configurations should be considered. Firstly, configuring an additional SPAN session to a different Cisco IPS appliance interface connected to the same virtual sensor can distribute the load and prevent packet drops. Secondly, configuring VACL capture can help in capturing the packets without causing drops. Lastly, configuring the Cisco IPS appliance to inline mode allows it to inspect and drop packets directly, reducing the chances of drops.
2.
Which signature action should be selected to cause the attacker's traffic flow to terminate when the Cisco IPS appliance is operating in promiscuous mode?
Correct Answer
C. Reset TCP connection
Explanation
The correct answer is "reset TCP connection". When the Cisco IPS appliance is operating in promiscuous mode, it is not able to block or deny traffic directly. However, it can send a TCP reset packet to both the attacker and the target, causing the connection to terminate. This action helps to disrupt the attacker's traffic flow and prevent further malicious activity.
3.
During Cisco IPS appliance troubleshooting, you notice that all the signatures are set to Fire All. What can cause this situation to occur?
Correct Answer
C. Summarizer has been disabled globally.
Explanation
When the summarizer is disabled globally on a Cisco IPS appliance, all the signatures are set to "Fire All." This means that the appliance will generate an alert for every event that matches any signature, regardless of severity or priority. Disabling the summarizer removes the ability to group similar events together and reduces the efficiency of the IPS appliance.
4.
From which three sources does the Cisco IPS appliance obtain OS mapping information? (Choose three.)
Correct Answer(s)
A. From manually configured OS mappings
B. Imported OS mappings from Management Center for Cisco Security Agent
D. Learned OS mappings from passive OS fingerprinting
Explanation
The Cisco IPS appliance obtains OS mapping information from three sources: manually configured OS mappings, imported OS mappings from Management Center for Cisco Security Agent, and learned OS mappings from passive OS fingerprinting. This means that the appliance can gather information about operating systems from configurations made by the user, import mappings from the Management Center for Cisco Security Agent, and learn mappings through passive OS fingerprinting techniques.
5.
Which IPS alert action is available only in inline mode?
Correct Answer
E. Deny-packet-inline
Explanation
The IPS alert action "deny-packet-inline" is available only in inline mode. This action allows the IPS to block and deny packets in real time when they are detected as malicious or as violating security policies. In inline mode, the IPS sits directly in the network traffic flow and can actively block malicious packets before they reach their destination. This action is not available in other modes such as promiscuous or monitor mode, where the IPS only monitors and logs the traffic without actively blocking it.
6.
Refer to the exhibit. What does the Risk Threshold setting of 95 specify?
Correct Answer
D. The high risk rating threshold
Explanation
The Risk Threshold setting of 95 specifies the threshold at which a risk is considered high. A risk rating below 95 would be considered low, while a risk rating above 95 would be considered high.
7.
From the Cisco IPS appliance CLI setup command, one of the options is "Modify default threat prevention settings? [no]". What is this option related to?
Correct Answer
C. Event action override that denies high-risk network traffic with a risk rating of 90 to 100
Explanation
This option is related to event action override that denies high-risk network traffic with a risk rating of 90 to 100. It allows the user to modify the default settings for how the IPS appliance handles high-risk network traffic with a risk rating within the specified range. By enabling this option, the appliance will automatically deny any network traffic that is deemed to be high-risk based on its risk rating.
8.
In Cisco IDM, the Configuration > Sensor Setup > SSH > Known Host Keys screen is used for what purpose?
Correct Answer
E. To enable communications with a blocking device
Explanation
The Configuration > Sensor Setup > SSH > Known Host Keys screen in Cisco IDM is used to enable communications with a blocking device. This suggests that the Cisco IPS appliance can establish a connection and communicate with a blocking device, possibly for the purpose of preventing or mitigating network threats.
9.
Which configuration is required when setting up the initial configuration on the Cisco ASA 5505 to support the Cisco ASA AIP-SSC?
Correct Answer
A. Configure a VLAN interface as a management interface to access the Cisco ASA AIP-SSC.
Explanation
To set up the initial configuration on the Cisco ASA 5505 to support the Cisco ASA AIP-SSC, it is necessary to configure a VLAN interface as a management interface. This interface provides the management access through which the Cisco ASA AIP-SSC can be reached and administered.
10.
The Cisco IPS appliance risk category is used with which other feature?
Correct Answer
B. Event action overrides
Explanation
The Cisco IPS appliance risk category is used in conjunction with event action overrides. Event action overrides allow administrators to customize the response to specific events based on their risk category. By assigning a risk category to an event, administrators can define specific actions to be taken, such as blocking or allowing traffic, based on the severity of the event. This helps to ensure that appropriate actions are taken to mitigate potential threats based on their level of risk.
11.
Which two Cisco IPS modules support sensor virtualization? (Choose two.)
Correct Answer(s)
A. AIP-SSM
E. IDSM-2
Explanation
The AIP-SSM and IDSM-2 are the two Cisco IPS modules that support sensor virtualization. The AIP-SSM module is a security services module for the Cisco ASA firewall, which provides intrusion prevention system (IPS) capabilities. The IDSM-2 module is an intrusion detection and prevention system (IDPS) module for the Cisco Catalyst 6500 Series switches, which also supports sensor virtualization. Both modules allow for the creation of multiple virtual sensors within a single physical device, enabling the monitoring and protection of multiple network segments or virtual LANs (VLANs) simultaneously.
12.
You are working with Cisco TAC to troubleshoot a software problem on the Cisco IPS appliance. TAC suspects a fault with the ARC software module in the Cisco IPS appliance. In this case, which Cisco IPS appliance operations may be most affected by the ARC software module fault?
Correct Answer
D. Remote blocking
Explanation
If there is a fault with the ARC software module in the Cisco IPS appliance, the operation that may be most affected is remote blocking. The ARC (Application Response Control) software module is responsible for analyzing network traffic and blocking any malicious or unauthorized connections. If there is a fault with the ARC module, it may not be able to accurately detect and block remote connections, potentially leaving the network vulnerable to attacks.
13.
Threat rating calculation is performed based on which factors?
Correct Answer
A. Risk rating and adjustment based on the prevention actions taken
Explanation
The threat rating calculation is performed based on the risk rating, which assesses the potential impact and likelihood of a threat event occurring. Additionally, the calculation takes into account the adjustment based on the prevention actions taken. This means that if effective preventive measures have been implemented, the threat rating may be adjusted accordingly to reflect the reduced risk.
14.
Refer to the exhibit. The scanner threshold is set to 120. Which two statements about this histogram are true? (Choose two.)
Correct Answer(s)
B. From a single source you do not expect to see nonestablished connections to more than 100 different destination IP addresses.
D. You do not expect to see more than 10 sources generate nonestablished connections to 5 or more different destinations.
Explanation
The given histogram shows the number of nonestablished connections from different sources to different destinations. The scanner threshold is set to 120. The statement "From a single source you do not expect to see nonestablished connections to more than 100 different destination IP addresses" is true because no bar in the histogram exceeds the value of 100. The statement "You do not expect to see more than 10 sources generate nonestablished connections to 5 or more different destinations" is also true because only a few bars exceed the value of 5 on the x-axis.
15.
On the Cisco IPS appliance, each virtual sensor can have its own instance of which three parameters? (Choose three.)
Correct Answer(s)
A. Signature-definition
B. Event-action-rules
D. Anomaly-detection
Explanation
Each virtual sensor on the Cisco IPS appliance can have its own instance of signature-definition, event-action-rules, and anomaly-detection parameters. This means that each virtual sensor can have its own set of signatures, rules for event actions, and anomaly detection settings, allowing for customization and flexibility in monitoring and protecting the network.
16.
Refer to the exhibit. What happens when you click the Cisco Security MARS icon on the Cisco Security MARS query result screen?
Correct Answer
A. Cross-launch Cisco Security Manager to link the Cisco Security MARS event back to the IPS signature and policy within the Cisco Security Manager that triggered it.
Explanation
Clicking the Cisco Security MARS icon on the Cisco Security MARS query result screen allows the user to cross-launch Cisco Security Manager. This enables the user to link the Cisco Security MARS event back to the IPS signature and policy within the Cisco Security Manager that triggered it.
17.
Which three statements about the Cisco IPS appliance normalizer feature are true? (Choose three.)
Correct Answer(s)
A. Only operates in inline modes
C. Tracks session states and stops packets that do not fully match session state
D. Modifies ambiguously fragmented IP traffic
Explanation
The Cisco IPS appliance normalizer feature has the following characteristics: it only operates in inline modes, it tracks session states and stops packets that do not fully match session state, and it modifies ambiguously fragmented IP traffic.
18.
Refer to the exhibit. What does the Deny Percentage setting affect?
Correct Answer
C. The percentage of packets to be denied for the deny attacker actions
Explanation
The Deny Percentage setting affects the percentage of packets that will be denied for the deny attacker actions. This means that if the Deny Percentage is set to 50%, then only 50% of the packets that trigger the deny attacker action will actually be denied, while the other 50% will be allowed. This setting allows for more granular control over the denial of packets and can be used to balance security measures with potential impact on network performance.
19.
Which protocol is used by Encapsulated Remote SPAN?
Correct Answer
B. GRE
Explanation
Encapsulated Remote SPAN uses the GRE (Generic Routing Encapsulation) protocol. GRE is a tunneling protocol that encapsulates packets from one network protocol within packets of another network protocol, allowing the packets to be transmitted over a network that does not support the original protocol. In the case of Encapsulated Remote SPAN, GRE is used to encapsulate and transmit SPAN traffic over an IP network.
20.
In which three ways can you achieve better Cisco IPS appliance performance? (Choose three.)
Correct Answer(s)
A. Place the Cisco IPS appliance behind a firewall.
B. Disable unneeded signatures.
D. Have multiple Cisco IPS appliances in the path and configure them to detect different types of events.
Explanation
To achieve better Cisco IPS appliance performance, three strategies can be implemented. Firstly, placing the Cisco IPS appliance behind a firewall can enhance performance by reducing the amount of traffic that the appliance needs to inspect. Secondly, disabling unneeded signatures can improve performance by reducing the processing load on the appliance. Lastly, having multiple Cisco IPS appliances in the path and configuring them to detect different types of events can distribute the workload and enhance overall performance.