642-531 (CSIDS) TestKing's Cisco Secure Intrusion Detection Systems Version 22.
Important Note, Please Read Carefully

Study Tips
This product will provide you questions and answers along with detailed explanations carefully compiled and written by our experts. Try to understand the concepts behind the questions instead of cramming the questions. Go through the entire document at least twice so that you make sure that you are not missing anything.

Further Material
For this test TestKing also provides:
* Interactive Online Testing. Check out a Demo at http://www.testking.
Table of contents
Topic 1, Describe and explain the various intrusion detection technologies and evasive techniques (17 questions)
Section 1: Define intrusion detection (7 questions)
Section 2: Explain the difference between true and false, and positive and negative alarms (4 questions)
Section 2: Configure a signature's enable status, severity level, and action (2 questions)
Section 3: Create signature filters to exclude or include a specific signature or list of signatures (3 questions)
Section 4: Tune a signature to perform optimally based on a network's characteristics (3 questions)
Section 2: Install the IDS MC (0 questions)
Section 3: Generate, approve, and deploy sensor configuration files (3 questions)
Section 4: Administer the IDS MC Server (2 questions)
Section 5: Use the IDS MC to set up Sensors (2 questions)
Topic 1, Describe and explain the various intrusion detection technologies and evasive techniques (17 questions)
Section 1: Define intrusion detection (7 questions)
QUESTION NO: 1 Which of the following types of attacks is typical of an intruder who is targeting networks of systems in an effort to retrieve data or enhance their privileges? A. B. C. D. E.
QUESTION NO: 2 Which of the following types of attacks would be the most probable consequence of the presence of a shared folder in a Windows operating system? A. B. C. D. E.
QUESTION NO: 4 Which of the following is typical of signature-based intrusion detection?
A. Signature creation is automatically defined
B. Signatures match patterns of malicious activity
C. Signatures are prone to a high number of false positive alarms.
D. Signatures focus on TCP connection sequences
Answer: B
Page 65 Cisco Press CCSP CSIDS 2nd edition under Misuse Detection
QUESTION NO: 5 What does an attacker require to perform a Denial of Service attack? A. B. C. D.
An individual sensor contains two separate interfaces. The sensor uses one of the interfaces to passively sniff all the network packets by placing the interface in promiscuous mode. The sensor uses the other network interface for command and control traffic. Reference: Cisco Secure Intrusion Detection System (Ciscopress) page 98
QUESTION NO: 7 What reconnaissance methods are used to discover servers running SMTP and SNMP? (Choose two) A. B. C. D. E.
Cisco router but mistakenly enters the wrong password. The IDS cannot distinguish between a rogue user and the network administrator, and generates an alarm. Reference: Cisco Courseware p.3-11
QUESTION NO: 2 What is a false negative alarm situation? A. B. C. D.
A Cisco IDS Sensor has been configured to detect attempts to extract the password file from Windows 2000 systems. During a security assessment, the consultants attempted to extract the password files from three Windows 2000 servers. This activity was not detected by the Sensor. What situation has this activity caused?
A. False negative
B. False positive
C. True positive
D. True negative
Answer: A
False negative – is when an IDS fails to generate an alarm for known intrusive activity.
Section 3: Describe the relationship between vulnerabilities and exploits (2 questions)
QUESTION NO: 1 Which of the following is typical of profile-based, or anomaly-based, intrusion detection?
A. Normal network activity is easily defined
B. It is most applicable to environments with unpredictable traffic patterns
C. It is prone to a high number of false positive alarms
D. Signatures match patterns of malicious activity
Answer: C
Page 3-14 CSIDS Courseware under Profile-based Intrusion Detection Pro
Section 4: Explain the difference between HIP and NIDS (0 questions)
Section 5: Describe the various techniques used to evade intrusion detection (4 questions)
QUESTION NO: 1 Which of the following describes the evasive technique whereby control characters are sent to disguise an attack? A. B. C. D.
Early intrusion detection was easily evaded by disguising an attack using special characters to conceal it. The term used to describe this evasive technique is obfuscation. Obfuscation is now once again becoming a popular IDS evasion technique. The following are forms of obfuscation:
1) Control characters
2) Hex representation
3) Unicode representation.
Reference: Cisco Intrusion Detection System - Cisco Security Advisory: Cisco Secure Intrusion Detection System Signature Obfuscation Vulnerability
Leading the way in IT testing and certification tools, www.testking.
Topic 2, Design a Cisco IDS protection solution for small, medium, and enterprise customers (36 questions)
Section 1: List the network devices involved in capturing traffic for intrusion detection analysis (8 questions)
QUESTION NO: 1 Which of the following represents valid responses to an active attack by PIX-IDS and IOS-IDS platforms? (Choose two.) A. B. C. D. E.
ANSWER: A, C
Cisco Courseware 4-11 (IOS) Cisco Courseware 4-12 (PIX)
QUESTION NO: 4 Which routers allow OIR of NM-CIDS?
A. 3660
B. 3725
C. 3745
D. 2600XM
E. 2691
Answer: A, B, C
QUESTION NO: 5 What can intrusion detection systems detect? (Choose three)
A. Network misuse
B. Network uptime
C. Unauthorized network access
D. Network downtime
E. Network throughput
F. Network abuse
Answer: A, C, F
Explanation: An IDS is software and possibly hardware that detects attacks against your network.
C. Network taps
D. Router
Answer: A
Explanation: The ability to capture traffic may be inherent to a device technology or may require special features to provide this capability. For example, network hubs by their nature replicate data to all ports. Switches, on the other hand, rely on features such as port mirroring to permit the copy of specific traffic to another port.
Section 2: Describe the traffic flows for each of the network devices (2 questions)
QUESTION NO: 1 The new TestKing trainee technician wants to know where the intrusion detection system sends TCP reset packets to terminate a session. What would your reply be? A. B. C. D.
Answer: D
The Sensor is on the same network, so that means the only possible answer is the Ethernet0/1 interface. Ethernet0/2 is using a different network address and Ethernet0/0 is using a DMZ network.
Note: What is being talked about here is a Network Tap. “A network tap is a device used to split full-duplex traffic flows into single traffic flows that can be aggregated at a switch device.
B. IDSM2 is limited to 62 signatures
C. IDSM2 can drop offending packets
D. IDSM2 makes use of the same code as the network appliance
Answer: D
Page 199 Cisco Press CCSP CSIDS 2nd edition under Key Features
IDSM-2 provides the following capabilities or features:
- Merged switching and security into a single chassis
- Ability to monitor multiple VLANs
- Does not impact switch performance
- Attacks and signatures equal to appliance sensor
- Uses the same code base of the appliance sensor
- Support for im
Answer: B
Cisco Press CCSP Self-Study CSIDS, p 223-24
QUESTION NO: 6 How many interactive login sessions to the IDSM are allowed?
A. 1
B. 2
C. 3
D. 4
Answer: A
Note: In the IDSM chapter I did not come across anything that stated this. In fact there is not much listed in the IDSM chapter. The main thrust was that it uses the same code as the ver4 sensors, so it works the same except for some alterations.
What are the two methods used to initially access the IDSM? (Choose two.)
A. Telnet to the switch
B. Telnet to the IDSM
C. By use of the IDS Device Manager GUI
D. Console cable connection to the switch
E. By use of the RDEP protocol
ANSWER: A, D
Since module configuration is a sub instance of normal switch configuration, every method to connect to the switch’s CLI makes IDSM Module configuration possible too.
Cisco Courseware 12-7
QUESTION NO: 2 Following is a list of filtering methods followed by a list of configurations. Match the most appropriate filtering method to the capture configuration that restricts the VLANs monitored on a trunk port. Note: Every option is used once only.
filter keyword in monitor session command -----> [Catalyst IOS using mls ip ids]
To monitor specific VLANs when the local or RSPAN source is a trunk port, perform this task. This example shows how to monitor VLANs 1 through 5 and VLAN 9 when the source is a trunk port:
Router(config)# monitor session 2 filter vlan 1 - 5 , 9
QUESTION NO: 3 Which of the following commands are used by a Catalyst switch running Catalyst OS to block attacks, as directed by an IDS
According to the exhibit Fast Ethernet connections are used to connect all switches. The RSPAN VLAN is 99. Both the Catalyst 4000 and Catalyst 6500 are running Catalyst OS. Which command represents a valid configuration step to permit Sensor IDS6 to monitor traffic sent to Server TestKing7? A. B. C. D. E.
vlans...] [create]
Reference: Cisco Courseware 5-25
QUESTION NO: 5 Study the exhibit below carefully: According to the exhibit which command represents a valid configuration step to permit the IDSM-2 to monitor traffic sent to and from VLAN3, VLAN4, and VLAN5? A. B. C. D. E.
6500(config)# monitor session 1 source vlan 3, 4, 5 both
6500(config)# monitor session 1 destination idsm
This feature is not supported in this configuration.
D. the mls ip ids command processes capture in hardware versus software
E. the mls ip ids command is used with keywords to define interesting traffic
Answer: C
Page 5-45 CSIDS Courseware under Using the mls ip ids command for Catalyst 6500 Traffic capture
1) Create an ACL to capture interesting traffic
2) Select the VLAN interface
3) Apply the ACL to the interface
4) Assign the Sensor's monitoring port as a VACL capture port
Note: The mls ip ids command is used to apply an extended IP access list to the
Study the exhibit below carefully: According to the exhibit all switches are connected through Fast Ethernet connections. Server TestKing7 and Sensor IDTestKing7 are in the same VLAN.
Note: Does the 4000 switch really support VACLs?
QUESTION NO: 10 The new TestKing trainee technician wants to know what binds the input and output of a source RSPAN session on a Catalyst 6500 switch running IOS. What would your reply be? A. B. C. D. E.
B. Map the VLAN access map to a VLAN.
C. Use commit to save the VACL configuration.
D. Assign ports to receive capture traffic.
E. Create VACL using the set security acl command.
ANSWER: B, D
Explanation: The tasks to capture traffic using VLAN Access Control Lists (VACLs) on a Catalyst 6500 switch running IOS are as follows: 1) 2) 3) 4) 5) 6) 7) Configure ACLs to define interesting traffic.
Refer to the exhibit. All switches are connected through Fast Ethernet connections. Server TESTKING2 is in VLAN 3. Which command represents a valid configuration step to permit Sensor IDS1 to monitor traffic sent from Server TESTKING2? A. B. C. D. E.
set security acl ip acl_name permit tcp src_ip_spec dest_ip_spec port capture
Reference: Cisco Secure Intrusion Detection System (Ciscopress) page 505; Cisco Secure Intrusion Detection System 4 chap 5 page 33
QUESTION NO: 17 A company has installed an IDSM into a Catalyst 6509 switch in slot 9. The network security architect has designed a solution that requires the IDSM monitor traffic only from VLAN 199. Which Catalyst OS commands are used to achieve this configuration? A. B. C. D. E. F.
Answer:
Explanation: Ingress SPAN copies network traffic received by the source ports for analysis at the destination port. Egress SPAN copies network traffic transmitted from the source ports for analysis at the destination port. A source port is a switch port monitored for network traffic analysis. The traffic through the source ports can be categorized as ingress, egress, or both. A destination port (also called a monitor port) is a switch port where SPAN sends packets for analysis.
Topic 3, Identify the Cisco IDS Sensor platforms and describe their features (3 questions)
Section 1: Describe the features of the various IDS Sensor appliance models (3 questions)
QUESTION NO: 1 What must be done when upgrading Cisco IDS appliance models IDS-4235 or IDS-4250 from Cisco IDS v3.x? A. B. C. D. E.
Which sensor appliance does not support the connection of a keyboard and mouse for management?
A. 4235
B. 4250
C. 4215
D. 4250XL
ANSWER: C
Topic 4, Install and configure a Cisco IDS Sensor including a network appliance and IDS module; Identify the interfaces and ports on the various Sensors (47 questions)
Section 1: Distinguish between the functions of the various Catalyst IDS Module ports (1 question)
QUESTION NO: 1 On the IDSM-2, which logical port is used as the TCP reset port? A. B. C. D.
Answer: D
Page 8-8 CSIDS Courseware under IDSM2 and Switch Configuration Tasks - Initialize the IDSM2. This includes completing the basic configuration via the setup command.
QUESTION NO: 2 Which command would you advise the new TestKing trainee technician to issue in order to initiate the IDSM2 system configuration dialog? A. B. C. D. E.
QUESTION NO: 4 Which user account is used to log into the IDSM?
A. Root
B. Administrator
C. Netranger
D. Ciscoidsm
E. Ciscoids
Answer: E
Explanation: The default user login user name for the Cisco IDS Module is Ciscoids, and the default password is attack. Reference: Cisco Secure Intrusion Detection System (Ciscopress) page 680
Note: This was correct in the older course; however, it is not right according to 4, but the answers given don’t match what is listed in the course manual.
Events can be retrieved through the Sensor’s web server via RDEP communications. Management applications such as IEV and the Security Monitor use RDEP to retrieve events from the Sensor. Cisco Courseware 9-37
QUESTION NO: 2 Network topology exhibit/simulation Sensor output exhibit: ***MISSING*** Note: Use the sensor's command line interface to obtain information so that you can answer the question. You are NOT expected to do any configuration.
Cisco Courseware 9-40
QUESTION NO: 3 Network topology exhibit/simulation Sensor output exhibit: ***MISSING*** View the signature’s settings. The signature is not configured to perform blocking. Note: Use the sensor's command line interface to obtain information so that you can answer the question. You are NOT expected to do any configuration. Why isn't blocking working? A. B. C. D. Blocking is not enabled on the Sensor. The signature is not configured for blocking.
QUESTION NO: 4 Network topology exhibit/simulation Sensor output exhibit: ***MISSING*** The user name is Jag. Note: Use the sensor's command line interface to obtain information so that you can answer the question. You are NOT expected to do any configuration. What is the username the Sensor will use to log in to the router?
A. Admin
B. TestKing
C. Lin
D. Cisco
E. Jag
ANSWER: E
QUESTION NO: 5 Network topology exhibit/simulation Sensor output exhibit: ***MISSING*** No ACL is configured. Note: Use the sensor's command line interface to obtain information so that you can answer the question. You are NOT expected to do any configuration. What pre-block ACLs are specified?
A. None
B. PreBlockACL
C. BlockingACL
D. RouterACL
ANSWER: A
QUESTION NO: 6 Exhibit: Given the output of the idsstatus Sensor command.
A. Not logging alarms, commands, and errors.
B. Performing IP blocking.
C. Not capturing network traffic.
D. Logging alarms, commands, and errors.
E. Not performing IP blocking.
Answer: B, D
Explanation:
Postofficed - The postofficed daemon serves as the communication vehicle for the entire Cisco IDS product.
Sapd - The sapd daemon is a user-configurable scheduler that controls database loading and archival of old event and IP session logs.
Managed - The managed daemon is responsible for managing and monitoring network devices (routers and packet filters).
Cisco Network IDS Sensor Appliances (appliance model: supported IDS software versions)
NRS-2E: IDS 3.0 and IDS 3.1
NRS-2FE: IDS 3.0 and IDS 3.1
NRS-TR: IDS 3.0 and IDS 3.1
NRS-SFDDI: IDS 3.0 and IDS 3.1
NRS-DFDDI: IDS 3.0 and IDS 3.1
IDS-4210: IDS 3.0, IDS 3.1, IDS 4.0, and IDS 4.1
IDS-4215: IDS 4.1
IDS-4220: IDS 3.0, IDS 3.1, IDS 4.0, and IDS 4.1
IDS-4230: IDS 3.0, IDS 3.1, IDS 4.0, and IDS 4.1
IDS-4235: IDS 3.0, IDS 3.1, IDS 4.0, and IDS 4.1
IDS-4250-TX and IDS-4250-SX: IDS 3.0, IDS 3.1, IDS 4.0, and IDS 4.
I am not sure about this question. The latest course manual 4 states that the IDM “is a web-based, embedded architecture configuration tool for cisco ids sensors.” Cisco Secure Intrusion Detection System 4 chap 10 page 4
Section 5: Install the Sensor appliance on the network (2 questions)
QUESTION NO: 1 Which of the following represents the recommended procedure when upgrading a Cisco IDS appliance which is prior to version 4.x? A. B. C. D. Install the image from the IDS Management Center.
Section 6: Obtain management access on the Sensor (6 questions)
QUESTION NO: 1 Which of the following protocols is used by the IDS MC Sensors to securely manage an IDS Sensor?
A. SSL
B. SSH
C. RDEP
D. HTTP
E. PostOffice
Answer: B
Explanation: Importing Communication Settings from postoffice Sensors. With postoffice-based Cisco Intrusion Detection System Sensors (sensors running sensor software version 3.x) you can discover postoffice settings directly from the device.
Cisco Courseware 7-22, 7-23
QUESTION NO: 3 Which user account role must you specifically create in order to allow special root access for troubleshooting purposes only on a Cisco IDS Sensor?
A. operator
B. viewer
C. service
D. administrator
E. client
Answer: C
Explanation: The service account is a special account that allows TAC to log into a native operating system shell rather than a CLI shell. The purpose of the service account is not to support configuration but to support troubleshooting.
QUESTION NO: 5 A company policy states that IDS Sensors can be managed only by authorized management workstations. The management workstations exist on the 192.168.21.0/24 network. Which address must the network security administrator add to the Cisco IDS Sensor’s network access control list? A. B. C. D. E. F. 192.168.21. 192.168.21 192.168. 192.168 192.168.21.0. 192.168.21.
Section 7: Initialize the Sensor (2 questions)
QUESTION NO: 1 Which command would you advise the new TestKing trainee technician to use in order to view the initial configuration parameters on the IDSM2?
A. show capture
B. setup
C. show running-config
D. session
Answer: B
IDS course 4.0 page 8-8: Initialize the IDSM2; this includes completing the basic configuration via the setup command. Note: After you enter the setup command the default settings are displayed.
Explanation: The interface sensing configuration mode is a third level of the CLI. It enables you to enable or disable the sensing interface. Command: shutdown
Cisco Courseware 9-14
QUESTION NO: 2 Which of the following qualifies to be a second level CLI mode in Cisco IDS? A. B. C. D. E.
A. IDS Event Viewer
B. Cisco ConfigMaker
C. Command Line Interface
D. Syslog
ANSWER: C
QUESTION NO: 2 Match the Cisco IDS Sensor command with its function.
Answer:
Explanation: idsstop - Executing this script stops the Cisco IDS daemons.
cidServer version – If you are having difficulty connecting to the sensor via the IDS Device Manager, SSH or Telnet to the sensor and type the cidServer version command to check the version and status of the sensor (whether it is running).
Reference: Cisco Secure Intrusion Detection System Internal Architecture; Cisco IDS Sensor Software - Cisco Intrusion Detection System Sensor Getting Started Version 3.
• Operators—This user role has the second highest level of privileges. Operators have unrestricted view access and can perform the following functions:
  o Modify their passwords.
  o Tune signatures.
  o Manage routers.
• Viewers—This user role has the lowest level of privileges. Viewers can view configuration and event data and can perform the following function:
  o Modify their passwords.
E. Guest
Answer: A
Privileges: Allowed levels are: Service, Administrator, Operator, Viewer. The default is Viewer.
Cisco Courseware 9-23
QUESTION NO: 4 When setting up user accounts on a Cisco IDS Sensor, what role would you assign to provide users all viewing operations and the administrative ability to change only their own passwords? A. B. C. D.
D. "tls generate-key" command generates a self-signed X.509 certificate
Answer: D
Page 9-33 CSIDS Courseware under Generating an X.509 Certificate: Use the tls generate-key command to generate the self-signed X.509 certificate needed by TLS.
QUESTION NO: 2 Which CLI command would permit remote network access to the IDS Sensor from network 10.1.1.0/24? A. B. C. D.
sensor(config)# access-list 100 permit 10.1.1.0.0.0.0.255
sensor(config-Host-net)# access-list 100 permit 10.1.1.0.0.0.0.
Section 13: Configure Sensor logging properties (1 question)
QUESTION NO: 1 Which of the following Sensor commands will archive IP log files to a remote host?
A. ftp iplog
B. copy iplog
C. upload log
D. iplog export
E. export log
Answer: B
Explanation: copy - Use the copy command to copy iplogs and configuration files.
Section 14: Perform a configuration backup via the CLI (0 questions)
Section 15: Setting up Sensors and Sensor Groups (7 questions)
QUESTION NO: 1 The new TestKing trainee technician wants to know what the PuTTYgen utility in IDS MC is used for. What will your reply be? A. B. C. D. PuTTYgen utility is used to generate SSL certificates for IDS Sensors. PuTTYgen utility is used to generate SSH public and private keys for IDS Sensors.
D. Manually enter the correct software version in the version field under the Sensor’s Identification window.
E. Use the Query Sensor option next to the version field under the Sensor’s identification window to automatically discover the unlisted version.
Reference: Cisco Courseware 12-3
QUESTION NO: 4 Which of the following represents the methods for adding devices in the Management Center for IDS Sensors using the GUI interface? A. B. C. D. E.
QUESTION NO: 6 Which of the following options are available to add a new Sensor group? (Choose all that apply.) A. B. C. D. E.
Section 16: Sensor Communications, Sensor Logging (2 questions)
QUESTION NO: 1 You need to retrieve Sensor IP logs for analysis. Which of the following methods are available to you to accomplish this task? (Choose all that apply.) A. B. C. D. E.
The sensor compares the list of signatures with network activity. When a match is found, the sensor takes an action, such as logging the event or sending an alarm to IDS Event Viewer. Sensors allow you to modify existing signatures and define new ones. Signature-based intrusion detection can produce false positives because certain normal network activity can be misinterpreted as malicious activity.
Topic 5: Tune and customize Cisco IDS signatures to work optimally in specific environments (12 questions)
Section 1: Configure the Sensor's sensing parameters (3 questions)
QUESTION NO: 1 Which of the following fields would you advise the new TestKing trainee technician to populate when creating custom signatures with IDS MC? (Choose all that apply.) A. B. C. D. E.
The goal of defining these reassembly settings is to ensure that the sensor does not allocate all of its resources to datagrams that cannot be completely reconstructed, either because the sensor missed some frame transmissions or because an attack is generating random fragmented datagrams. To specify that the sensor track only sessions for which the three-way handshake is completed, select the TCP Three Way Handshake check box.
ANSWER: C, D, E
QUESTION NO: 2 How do you configure the Sensor to capture the packet that triggers a signature?
A. It is always on for TCP stream signatures.
B. In the signature configuration.
C. In the signature configuration by IP address
D. Globally by IP address
Answer: B
Section 3: Create signature filters to exclude or include a specific signature or list of signatures (3 questions)
QUESTION NO: 1 You are the TestKing administrator.
QUESTION NO: 2 What information can a network security administrator specify in a Cisco IDS exclude signature filter? (Choose two) A. B. C. D. E. F.
Section 4: Tune a signature to perform optimally based on a network's characteristics (3 questions)
QUESTION NO: 1 Study the exhibit below carefully: According to the exhibit, which parameter selection would display the correct panel and the capability to perform a tuning of a specific signature to log events when they occur?
A. Select the desired check box and click on the engine name.
B. Click on the associated Signature ID.
C.
Answer: B
FireAll is default. AlarmInterval doesn’t seem to be related to AlarmThrottle. ThrottleInterval specifies the related throttle (summarization) timer.
Cisco Courseware 13-17, 13-18
QUESTION NO: 3 Select the three phases of sensor tuning (Choose three.) A. B. C. D. E. F. Prep Phase.
A. ATOMIC.IPOPTIONS
B. SERVICE.MSSQL
C. SERVICE.IDENT
D. STRING.TCP
Answer: D
TCP.STRING by using these parameters: ToService (=number of the targeted port), RegExString (=string of well known default password)
Reference: Cisco Courseware 13-62
Topic 6, Configure a Cisco IDS Sensor to perform device management of supported blocking devices (22 questions)
Section 1: Describe the device management capability of the Sensor and how it is used to perform blocking with a Cisco device (7 questions)
QUESTION NO: 1 Which of the following is used by a blocking Sensor in order to manage a Cisco IOS router for shunning? (Choose all that apply.
QUESTION NO: 3 Which of the following Cisco IDS platforms are capable of responding to active attacks by initiating either shunning or blocking? (Choose two.)
A. PIX-IDS
B. Network appliance IDS
C. IOS-IDS
D. Switch IDS module
E. Host IDS
Answer: A, D
NAC block actions are initiated by IDS Sensors - executed by PIX and routers and featured switches.
The blocking device must have one of the following configured:
1) Telnet enabled - Telnet access should be allowed from the sensor
2) Secure shell (SSH) enabled - SSH access should be allowed from the sensor
QUESTION NO: 6 Which Sensor process is responsible for initiating shuns on a blocking device?
A. exec
B. NAC
C. blockd
D. shunStart
E. ACL Daemon
ANSWER: B
Explanation: Network Access Controller (NAC) is used to initiate Sensor shunning on network devices.
Section 2: Design a Cisco IDS solution using the blocking feature, including the ACL placement considerations, when deciding where to apply Sensor-generated ACLs (7 questions)
QUESTION NO: 1 Which of the following commands does a Cisco IOS router use to block attacks, as directed by an IDS blocking Sensor? A. B. C. D.
C. Router runs the packet against ACL, tags it for drop action, forwards the packet to the NM-CIDS and drops it if it triggers any signature, even a signature with no action configured.
D. Router runs packet against ACL, forwards packet to NM-CIDS for inspection, only if it is an ICMP packet, and then drops the packet.
Answer: B
QUESTION NO: 5 Which of the following represents the best description of a post-block ACL on an IDS blocking device? A. B. C. D. E.
Which type of ACL is allowed when implementing the Cisco IDS IP blocking feature using post-shun ACLs?
A. Numbered IP extended
B. Named IPX extended
C. Numbered IP standard
D. Numbered IPX standard
Answer: A
Explanation: Extended ACLs enable you to create fine-tuned filtering policies.
Answer: B
Explanation: PIX Firewall. You can configure sensors to use the PIX Firewall to block hosts. A new API command on the PIX Firewall has been created, shun [ip], which tells the PIX Firewall which hosts to block. Existing PIX Firewall ACLs are not altered by device management. You cannot use preshun or postshun ACLs for the PIX Firewall; instead you must create ACLs directly on the PIX Firewall. The PIX Firewall does not support the ShunNet command.
Cisco Courseware 15-30
QUESTION NO: 2 Which of the following statements regarding the Master Blocking Sensor communications is valid? (Choose three.)
A. A Master Blocking Sensor can use Telnet to communicate with a PIX Firewall.
B. A Blocking Forwarding Sensor uses SSH to communicate with a Master Blocking Sensor.
C. An IDS v4.0 Sensor can serve as a Master Blocking Sensor for IDS v3.x and IDS v4.0 Sensors.
D.
Blocking with Multiple Sensors: Multiple sensors can forward blocking requests to a specified master blocking sensor, which controls one or more devices. The sensor that is sending its block requests to the master blocking sensor is referred to as a "blocking forwarding sensor." On the blocking forwarding sensor, you must specify which remote host serves as the master blocking sensor. And on the master blocking sensor you must add the blocking forwarding sensors to its remote host configuration.
Course ver 4.0 page 6-4: CtlTransSource allows sensors to communicate control transactions with each other. This is used to enable the NAC's Master Blocking capability. The NAC (Network Access Controller) on a Master Blocking Sensor controls blocking on devices at the request of the NACs running on Blocking Forwarding Sensors. Page 15-30: IDS 4.0 uses RDEP to communicate blocking instructions.
QUESTION NO: 6 What is the primary function of a Master Blocking Sensor? A. B. C. D. E.
Topic 7, Describe the Cisco IDS signatures and determine the immediate threat posed to the network (23 questions)
Section 1: Explain the Cisco IDS signature features (7 questions)
QUESTION NO: 1 The new TestKing trainee technician wants to know which signature description best describes a string signature engine. What would your reply be? A. B. C. D. Layer 5, 6, and 7 services that require protocol analysis. Regular expression-based pattern inspection for multiple transport protocols.
Answer: B
Cisco Courseware 13-41
QUESTION NO: 3 Which type of signature can be configured to alarm only on specific source or destination IP addresses?
A. atomic signatures
B. flood signatures
C. service signatures
D. state signatures
ANSWER: A
The task is simple, so the simplest engine should do. Page 13-29 CIDS Courseware v4.0
QUESTION NO: 4 A Cisco IDS Sensor is capturing large volumes of network traffic.
QUESTION NO: 5 Which Cisco IDS signatures are affected by the Sensor's level of traffic logging value? A. B. C. D. E.
Answer: Reference: Cisco Secure Intrusion Detection System (Ciscopress) page 628-629 Section 2: Select the Cisco IDS signature engine to create a custom signature (9 questions) QUESTION NO: 1 Which of the following represents a type of signature engine that is characterized by single packet conditions? A. string B. other C. atomic D. traffic
Answer: C Signature Structure As previously discussed, signature implementations deal with packet headers and packet payloads. The structure of the signatures deals with the number of packets that must be examined to trigger an alarm. Two types of signature structures exist and these are as follows: • Atomic • Composite Atomic Structure Some attacks can be detected by matching IP header information (context based) or string information contained in a single IP packet (content based).
Given the following signature engines, which would represent the most appropriate choice when creating an intrusion detection signature that scans for open port number 80 using stealth scanning techniques? A. ATOMIC.TCP B. SERVICE.TCP.HTTP C. ATOMIC.IPOPTIONS D. SERVICE.HTTP Answer: A Explanation: Reference: Cisco Courseware 13-34 QUESTION NO: 4 Which of the following signature descriptions best describes a service signature engine? A. B. C. D. Inspects multiple transport protocols.
Answer: C Explanation: SERVICE.* Engines Use the SERVICE engines to create signatures that deal with the Layer 5+ protocol of the service. The DNS (TCP and UDP) engines support analysis of compressed messages and can fire alarms on request/reply conditions and overflows. The RPC and PORTMAP engines are fine-tuned for RPC and Portmapper requests. Batch and fragmented messages are decoded and analyzed.
Which statement is true when creating custom signatures on a Cisco IDS Sensor in IDS MC? A. All parameter fields must be entered. B. They are automatically saved to the Sensor. C. The default action is logging. D. They are enabled by default. ANSWER: D Explanation: Custom signatures are enabled by default. It is recommended to test custom signatures in a non-production environment to avoid unexpected results including network disruption.
E. String.UDP Answer: E (or D) Note: I am not sure why the original person who answered this question picked TCP, but I think that most email is delivered via TCP. However, he/she is correct in that it is a string signature. Offhand I have a slight doubt whether most email is delivered via UDP or TCP. If you think that most email is UDP pick E; if you don't, then stay with the given answer. ICMP is wrong. Atomic is one packet and wrong. The course manual does not give examples of String signatures.
Answer: C Explanation: Protected—The protected attribute of the parameter applies only to the default signature set. When a default signature parameter is protected, its value cannot be modified, meaning that the fundamental behavior of the default signature cannot be changed. For example, you can modify certain parameters (AlarmThrottle, ChokeThreshold, Unique) of default signatures, but not the underlying functionality, such as TcpFlags and Mask.
Log Reset ShunHost ShunConnection ZERO Cisco Courseware 13-18 Section 4: Explain the engine-specific signature parameters (4 questions) QUESTION NO: 1 Study the exhibit below carefully: To create a custom signature that detects the phrase "Classified Information" circulating in email and FTP communications, choose the STRING.TCP signature engine to create the custom signature.
Answer: C, E Explanation: Both Regex and ServicePorts need to be defined for custom signatures. Reference: Installing and Using the Cisco Intrusion Detection System Device Manager and Event Viewer Version 4.0 Cisco Courseware 14-37 QUESTION NO: 2 Which of the following represents basic types of Cisco IDS signature parameters? (Choose all that apply.) A. B. C. D. E.
Answer: C E Explanation: Engine parameters have the following attributes: 1) Protected – If a parameter is protected, you cannot change it for the default signatures. You can modify it for custom signatures. 2) Required – If a parameter is required, you must define it for all signatures, both default signatures and custom signatures. Reference: Page 438 CCSP Self-study: CSIDS Second Edition Cisco Courseware 13-16 QUESTION NO: 3 With the ATOMIC.
Reference: Working With Signature Engines QUESTION NO: 4 An ACL policy violation signature has been created on a Cisco IDS Sensor. The Sensor is configured to receive policy violations from a Cisco IOS router. What configurations must exist on the router? (Choose two) A. B. C. D. E. F.
Reference: Cisco Secure Intrusion Detection System Overview
Topic 8, Perform maintenance operations such as signature updates, software upgrades, data archival and license updates (15 questions) Section 1: Identify the correct IDS software update files for a Sensor and an IDSM (3 questions) QUESTION NO: 1 The new TestKing trainee technician wants to know which of the following IDS software components can be upgraded from IDS MC's Updates page. What would your reply be? (Choose all that apply.) A. B. C. D. E.
applied, they change the version number of a sensor. Service pack update files contain executable code; they affect the actual micro-engine software on the sensor. They also contain signature updates. o Signature update files—Signature update file names contain the letters "sig" before the version number. Signature update files contain newly released signatures but not executable code.
ftp://cisco@192.168.1.1/ids-k9-sp4.0-2-s29.bin - Installs the IDS-k9-sp-4.0-2-s29.bin from the ftp server's root directory at IP address 192.168.1.
• You must have access to the IDS MC server if you want to update the IDS MC or a sensor. • You must have access to the Security Monitor server if you want to update Security Monitor. • If you have installed IDS MC and Security Monitor on the same server, you must have access to that server if you want to update the IDS MC or a sensor or Security Monitor. Note: The installation of IDS software updates can be performed from supported management consoles or from the command line interface (CLI).
- FTP - HTTP/HTTPS - SCP QUESTION NO: 5 Which two methods can be used to upgrade the signatures on a Cisco IDS Sensor? (Choose two.) A. CLI B. IEV C. SigUp D. IDS MC E. Monitoring Center for Security ANSWER: A, D Page 17-10, 17-12 CIDS Courseware v4.0 QUESTION NO: 6 Which Cisco IDSM partition must be active to install a signature update? A. B. C. D. E.
E. IDSk9-sp-3.1-2-S23-bin –apply F. IDSk9-sp-3.1-2-S23 –apply Answer: E Explanation: INSTALLATION To install the version 3.1(5)S58 service pack, follow these steps: 1. Download the self-extracting binary file IDSk9-sp-3.1-5-S58.bin to a directory on the target Sensor from the following website: http://www.cisco.com/cgi-bin/tablebuild.pl/ids3-app CAUTION: You must preserve the original file name. 2. Log in as root on the Sensor. 3. Change directories to the location of the downloaded binary. 4.
C. Maintenance partition for the blade D. Service partition Answer: C Explanation: Re-imaging the IDS Module from the Maintenance Partition You can re-image the IDS module from the maintenance partition. After you re-image the IDS module, you must initialize the IDS module using the setup command. Recovering the Software Image You can recover the software image for the IDS module if it becomes unusable.
Note: …what about 4220? For 4220, in this list there's only a memory upgrade stated. QUESTION NO: 4 Upon restoring a sensor's configuration to default, which application settings are not set to default? Choose three. A. IP address B. netmask C. allowed hosts D. passwords E. user accounts F. time ANSWER: A, B, C Although time is not changed, time is NOT an application setting. Cisco Courseware 17-17 QUESTION NO: 5 What version of Cisco IDS software is required prior to upgrading to 4.1? A. B.
Topic 9, Describe the Cisco IDS architecture including supporting services and configuration files (18 questions) Section 1: Explain the Cisco IDS directory structure (0 questions) Section 2: Explain the communication infrastructure of the Cisco IDS (8 questions) QUESTION NO: 1 Which of the following represents Sensor servlets that leverage the IDS Sensor's cidWebServer application? (Choose all that apply.) A. B. C. D. E. F.
Answer: E Explanation: [client] --- HTTPS ---> [IDS MC] --- SSH ---> [IDS] Cisco Courseware 6-8 QUESTION NO: 3 Which protocol is used for communication between the IDS Event Viewer and the Sensor? A. RDEP B. SSH C. SNMP D. IPSec Answer: A Explanation: RDEP uses the industry standard HTTPS. Communications with monitoring applications - HTTPS Reference: Cisco Courseware 6-8 QUESTION NO: 4 You are the TestKing administrator.
QUESTION NO: 5 The new TestKing trainee technician wants to know what types of requests can be made with a client-initiated RDEP event request. What would your reply be? (Choose all that apply.) A. B. C. D. E.
QUESTION NO: 7 Which Cisco IDS communication infrastructure parameters are required to enable the use of IDS Device Manager to configure the Sensor? (Choose two) A. B. C. D. E.
Cisco Secure IDS Director or Cisco Secure PM IDS Manager Host Name and Organization Name Cisco Secure IDS Director or Cisco Secure PM IDS Manager workstation IP address Reference: Cisco Secure Intrusion Detection System Sensor Configuration Note Version 2.5 Section 3: Locate and identify the Cisco IDS log and error files (2 questions) QUESTION NO: 1 Which of the following communication protocols do the Event Server, Transaction Server, and IPLog Server servlets use in Cisco IDS? A. B. C. D.
Explanation: Cisco Courseware 6-4 QUESTION NO: 2 When does the Sensor create a new log file? A. Only when the Sensor is initially installed. B. Only when the Sensor requests it. C. Every time its services are restarted. D. Every time a local log file is used. Answer: C Explanation: The sensor creates a new log file every time its services are restarted.
Section 4: List the Cisco IDS services and their associated configuration files (7 questions) QUESTION NO: 1 The new TestKing trainee technician wants to know which of the following applications forms part of the SensorApp process of the Cisco IDS Sensor. What would your reply be? (Choose all that apply.) A. B. C. D. E.
requestor is assigned a cookie containing a user authentication that must be presented with each request on that connection. Cisco Courseware 6-3 QUESTION NO: 3 Which statement describes the Sensor's CapturePacket feature? A. It is used for TCP streams only and contains only the Layer 5 data of the TCP stream and a limited number of bytes. B. It provides a snapshot of the TCP traffic that preceded the triggering of the signature. C. It captures packets that follow the trigger packet. D.
Enter or delete the IP addresses of hosts and networks that can access the sensor via Telnet, FTP, SSH, and scp. Reference: Cisco Intrusion Detection System Sensor Getting Started Version 3.1 Note by 2nd TestKing writer: I think the answers don't conform to the latest course manual. Telnet – requires an IP address that has been assigned to the command and control interface via the CLI setup command. Must be enabled to allow telnet access. Telnet is DISABLED by default.
Explanation: Packetd - The packetd daemon interprets and responds to all of the events it detects on the monitored subnet. Reference: Cisco Secure IDS Internal Architecture Section 5: Describe the Cisco IDS configuration files and their function (1 question) QUESTION NO: 1 What can be determined about a Cisco IDS update file named IDS-K9-sp-4.1-2-S40.zip? A. B. C. D. E. It is a Sensor software patch: signature version is 4.1; IDS version is 4.0.
Topic 10, Monitor a Cisco IDS protection solution for small and medium networks (11 questions) Section 1: Explain the features and benefits of IEV (1 question) QUESTION NO: 1 You are the TestKing administrator and need to get detailed signature and vulnerability information. Which feature of IDS Event Viewer will provide this information to you? A. B. C. D.
D. SSH Answer: A Explanation: To specify the communication protocol IDS Event Viewer should use when connecting to the sensor, select the Use encrypted connection (https) or Use non-encrypted connection (http) radio button. Reference: Installing and Using the Cisco Intrusion Detection System Device Manager and Event Viewer Version 4.1 Cisco Courseware 10-13 QUESTION NO: 2 The new TestKing trainee technician wants to know how IDS devices are added into IDS Event Viewer. What would your reply be? A.
How are IDS devices added into IDS Event Viewer? A. B. C. D.
In the Cisco IDS Event Viewer, how do you display the context data associated with an event? A. Choose View>Context Data from the main menu. B. Right-click the event and choose Show Data. C. Choose View>Show data from the main menu. D. Right-click the event and choose Show Context. E. Choose View>Show Context from the main menu. F. Double-click the event. Answer: D Explanation: Certain alarms may have context data associated with them.
After IEV has been configured to receive alarms from Sensors, how do you display the alarms in the Cisco IDS Event Viewer? (Choose all that apply) A. Right-click Dest_Address_Group_View and choose View. B. Double-click Dest_Address_Group_View. C. Right-click Dest_Address_Group_View and choose Display. D. Right-click Sig_Name_Group_View and choose View. E. Right-click Sig_Name_Group_View and choose Display. F.
Section 6: Perform IEV database administration functions (1 question) QUESTION NO: 1 Which methods are available in Monitoring Center for Security to populate the device database? A. manual entry only B. import from IDS MC only C. manual entry and import from IDS MC only D. manual entry, import from IDS MC, and import from Resource Manager Essentials only E. manual entry, import from IDS MC, and import from Resource Manager Essentials, and import from text file.
QUESTION NO: 2 When enabling time schedules for archival of events with IDS Event Viewer, which three options are available? (Choose three.) A. every N minutes B. every N MB C. every N hours D. every N KB E. every day at same time F. every week on same day and time ANSWER: A, C, E Explanation: The time schedule for the archiving events feature must be enabled.
Topic 11, Manage a large scale deployment of Cisco IDS Sensors with Cisco IDS Management software (20 questions) Section 1: Define features and key concepts of the IDS MC (4 questions) QUESTION NO: 1 Following is a list of descriptions and IDS MC processes. Match the IDS MC process with its description. Answer:
Explanation: • IDS_Analyzer—To check that the service that processes event rules and requests user-specified notifications when appropriate is running properly. • IDS_DeployDaemon—To check that the service that manages all configuration deployments is running properly. • IDS_Notifier—To check that the service that receives notification requests (script, email, and/or console) from other subsystems and performs the requested notification is running properly.
Note: What is the IDS MC? The IDS MC is a web-based application that centralizes and accelerates the deployment and management of multiple IDS Sensors or IDSMs. IDS MC is a component of the VMS bundle. - Cisco Secure Intrusion Detection System 4 chap 11 page 3 QUESTION NO: 4 What security management product allows IDS Sensors to be grouped for management? A. B. C. D.
In the Cisco IDS Management Center, what workflow steps must you perform to push configuration files to a Sensor? A. B. C. D.
Reference: Cisco IOS Intrusion Detection System Software App Overview Section 4: Administer the IDS MC Server (2 questions) QUESTION NO: 1 What is the default username/password that you will need to use when accessing and administering the IDS MC server? A. cisco/cisco B. admin/cisco C. admin/admin D. administrator/cisco E. administrator/attack Answer: C Cisco Courseware Lab 11-4 QUESTION NO: 2 Which CiscoWorks user role provides administrative access for performing all IDS MC operations? A. B. C.
Section 5: Use the IDS MC to set up Sensors (2 questions) QUESTION NO: 1 What does the password represent in the Sensor's identification window when one uses SSH in IDS MC for Sensor access? A. It represents the passphrase to access the Sensor's public key B. It represents the passphrase to access the Sensor's private key C. It represents the password of the user account to access the Sensor D. It represents the passphrase to access the IDS MC server's private key E. It represents the password of user acc
Section 6: Use the IDS MC to configure Sensor communication properties (7 questions) QUESTION NO: 1 Which of the following identify basic authentication methods for accessing a Sensor from IDS MC? (Choose all that apply.) A. User account passwords B. SSL certificates C. SSH public keys D. Digital certificates with pre-shared keys E. Digital certificates with Certificate Authority Answer: A C Explanation: Note SSH supports two forms of authentication: password and public key.
According to the exhibit depicting the RDEP properties of a Sensor in IDS MC: Which of the following statements will be valid if the web server port value were changed from its current value? (Choose all that apply.
A. The option increases security of Sensor communications by replacing username or password authentication with SSH authentication. B. If selected, the option specifies that IDS MC should use existing keys instead of prompting for new keys. C. If not selected, the option specifies that IDS MC will dynamically generate new keys to securely communicate with the Sensor. D. The option increases security of Sensor communications by requiring the use of both username/password and SSH authentication. E.
What is the purpose of the NAT address field in the graphic? A. Informs Monitoring Center for Security which address to use in order to access an IDS device located behind a NAT device B. Informs the IDS device which address to use in order to send alarms to Monitoring Center for Security when separated by a NAT device C. Specifies to Monitoring Center for Security the true address of an IDS device located behind a NAT device D.
Section 7: Use the IDS MC to configure Sensor logging properties (2 questions) QUESTION NO: 1 What does a value of zero (0) in the parameter field "maximum number of bytes in a log event" imply when you are configuring IP logging using IDS MC? A. Disables the automatic logging feature. B. No packets will be logged. C. No limit on packets logged. D. Zero is an invalid setting.
Topic 12, Monitor a large scale deployment of Cisco IDS Sensors with Cisco IDS Monitoring software (15 questions) Section 1: Define features and key concepts of the Security Monitor (2 questions) QUESTION NO: 1 Which of the following represents a protocol used by the Monitoring Center for Security to monitor alarms on a PIX Firewall? A. B. C. D. E.
called Watchdog, helps you track the state and desired operation of your sensors. Watchdog is a feature of the postoffice service. Watchdog checks the availability of services that are supposed to be running on the sensor and verifies that desired sensor-to-other network object communications (based on postoffice) are available. The Watchdog queries the services to see if they are operational, and if they are not, it issues warnings to the user and attempts to restart the services.
Section 3: Monitor IDS devices with the Security Monitor (3 questions) QUESTION NO: 1 What network devices does Security Monitoring Center monitor? (Choose three) A. Cisco VPN Concentrators B. Cisco IDS Sensors C. Cisco Host IDS software D. Cisco PIX Firewalls E. Cisco Catalyst switches F. Cisco Secure Access Control server Answer: B, C, D Explanation: You can use Event Viewer to view real-time and historical events.
A. events B. sensors C. statistics D. signatures E. connections F. notifications ANSWER: A, C, E Explanation: You can monitor information about the devices that you have added to Security Monitor. This information falls into the following three categories: 1) Connections 2) Statistics 3) Events Cisco Courseware 16-33
Section 4: Administer Security Monitor event rules (3 questions) QUESTION NO: 1 Which of the following will identify possible actions for an event rule in the Monitoring Center for Security? (Choose all that apply.
A. Data source B. IP fragment reassembly C. External network definition D. Internal network definition E. TCP reassembly F. Sensor IP address Answer: D Explanation: You can use the source and destination location to alter your response to specific alarms. Traffic coming from a system within your network to another internal host that generates an alarm may be acceptable, whereas you might consider this same traffic, originating from an external host or the Internet, totally unacceptable.
Note: VMS Security Monitor (= the Monitoring Center for Security???) monitors the following types of devices: RDEP IDS, PostOffice IDS, IOS IDS, Host IDS, PIX. But: If the PostOffice watchdog is meant, PostOffice is the best choice (Cisco Courseware C49) – I don't know if RDEP devices provide such functionality to generate alarms about their device state.
Answer: B Explanation: Devices using RDEP to communicate with Security Monitor and Security Agent MC servers can show one of the following statuses: • Connected TLS—A secure connection has been established. • Connected non-TLS—(RDEP devices only) A connection that does not use Transport Layer Security (TLS) has been established.
- Org ID - Port - Heartbeat Note: …only required if running an IDS software version earlier than 4.0 (PostOffice). Page 612 Cisco Press CCSP CSIDS 2nd edition under Adding IOS Devices Cisco Courseware 16-14 Section 6: Use the reporting features of the Security Monitor (0 questions) Section 7: Administer the Security Monitor server (1 question) QUESTION NO: 1 Which three specify the predefined rules for database maintenance in the Monitoring Center for Security? (Choose three.) A. B. C. D. E. F.
Topic XIII, Simulations (7 questions) This section covers simulated questions for the 642-531 exam. QUESTION NO: 1 You have recently been employed by TestKing and have inspected the configuration of TestKing's IDS-4215 Sensor. You then decide to modify access on user accounts and return some of the system's parameters to a known baseline through the following actions: 1) Create a backup of the running configuration to a remote FTP server. 2) Verify existing accounts and access privileges.
Answer: login: testking password: testking1636 sensor# 1. sensor# copy current-config ftp://admin@172.16.16.100/testking5287/backup-cfg password: password2 2. sensor# show user all 3. sensor# config terminal sensor(config)# no username service (service is the username for the service account) 4. sensor(config)# privilege user tessking operator 5. sensor(config)# service virtual-sensor-configuration virtualSensor 6.
Answer: a. Enter configure terminal mode: sensor# configure terminal b. Enter host configuration mode: sensor(config)# service host c. Enter network parameters configuration mode: sensor(config-Host)# networkParams d. View the current settings: sensor(config-Host-net)# show settings networkParams -----------------------ipAddress: 10.10.10.200 netmask: 255.255.255.0 default: 255.255.255.0 defaultGateway: 10.10.10.
sensor(config-Host-net)# show settings networkParams ipaddress: 10.10.10.200 netmask: 255.255.255.0 default: 255.255.255.0 defaultGateway: 10.10.10.1 hostname: sensor telnetOption: disabled default:disabled accessList (min: 0, max:512, current: 1) ipAddress: 10.10.10.100 netmask: 255.255.255.
Assignment: Click on the picture of the host connected to an IDS Sensor by a serial console cable shown in the diagram as a dotted line. Select the Cisco Terminal Option and make the appropriate configuration tasks. Answer: login: testking password: testking1914 sensor# 1. sensor# copy current-config ftp://tkoperator@192.168.1.15/ids4235/backup-config password: testking 2. sensor# show user all 3. sensor# config terminal sensor(config)# no username service 4.
You work as network security administrator at the TestKing.com office in Washington DC. TestKing is now installing new Cisco IDS Sensors and you are responsible for configuring them to permit remote access only from trusted hosts. Perform this task on one of the Sensors using the CLI (Command Line Interface). Refer to the following information and network topology exhibit to permit access from the IDS MC management station only to the Sensor.
sensor(config-Host)# networkParams (Enter Network Parameters Configuration mode) sensor(config-Host-net)# no accessList ipAddress 10.0.0.0 netmask 255.0.0.0 (Removes the default allowed network address) sensor(config-Host-net)# accessList ipAddress 192.168.1.
D) Give your trainee Tess King, the daughter of the TestKing CEO, increased access rights. Tess's access rights should be increased from viewer access to one that can monitor and tune IDS; however, Tess should not be granted excessive access. E) Return all ATOMIC L3 IP signatures to their default settings. The information in the following table should be used: Cisco IDS Parameters Sensor administrator username/password FTP server address FTP username/password Settings testking/testkingabc 10.1.1.
You work as a network security administrator at TestKing.com. TestKing is now installing new Cisco IDS Sensors. You are required to configure these new Sensors so that they allow remote access only from hosts that are trusted. You must execute this task on one of the IDS Sensors using the CLI (Command Line Interface). Use the information below and the network topology exhibit. Permit access from the IDS MC management station only to the sensor.
c. Enter network parameters configuration mode: sensor(config-Host)# networkParams d. View the current settings: sensor(config-Host-net)# show settings networkParams -----------------------ipAddress: 10.10.10.200 netmask: 255.255.255.0 default: 255.255.255.0 defaultGateway: 10.10.10.1 hostname: sensor telnetOption: disabled default: disabled accessList (min: 0, max: 512, current: 1) -----------------------ipAddress: 10.0.0.0 netmask: 255.0.0.0 default: 255.255.255.255 e. Remove the 10.0.0.
Cisco IDS Parameters / Settings: Sensor Host ID: 4; Sensor Organization ID: 27; Sensor Host Name: sensor27; Sensor Organization Name: HQ. Assignment: Click on the picture of the host connected to an IDS Sensor by a serial console cable shown in the diagram as a dotted line. Select the Cisco Terminal Option and make the appropriate configuration tasks. Sensor IP address 192.168.1.
E. Sensor IP address - 192.168.1.4/24 Type "y" to use the IDS Device Manager. Note: Use the sensor settings, not the director settings. Reference: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids8/13872_01.htm Pages 6-12.
Topic XIV Misc. questions (7 questions) This topic covers the miscellaneous questions which can appear in the 642-531 exam. QUESTION NO: 1 Following is a list of descriptions and IDS processes. Match the IDS process with its description.
Answer: Reference: Cisco Courseware 6-4 QUESTION NO: 2 Starting and stopping all IDS applications is the task of which of the following Cisco IDS application servlets? A. sensorApp B. mainApp C. cidCLI D. IDM servlet Answer: B Explanation: Correct description, but wrong options chosen. MainApp is started by the operating system. It starts the applications in the following sequence: 1. Read and validate contents of dynamic and static configurations. 2.
• Schedule, download, and install software upgrades.
C. UDP packets D. ARP packets Answer: A, D QUESTION NO: 6 How many megabits per second can the NM-CIDS monitor? A. 10 Mbps B. 100 Mbps C. 45 Mbps D. 80 Mbps Answer: B QUESTION NO: 7 Under what circumstance would only the untranslated inside source be sent to the NM-CIDS for processing? A. When using outside NAT B. When using inside NAT C. When using outside PAT D. When using inside PAT Answer: A
Topic XV Cisco Secure PIX Firewall questions (20 questions) This topic covers questions about the PIX Firewall, which are more closely related to the CSPFA 642-521 exam. QUESTION NO: 1 If you wanted to list active telnet sessions and selectively end certain ones, what commands from the list below could you use on your PIX Firewall? (Choose all that apply) A. show who B. remove session C. show logon D. end session E. kill F. whois Answer: A, E Explanation: Answer A.
Answer: A Explanation: The ca authenticate command is not saved to the PIX Firewall configuration. However, the public keys embedded in the received CA (and RA) certificates are saved in the configuration as part of the RSA public key record (called the "RSA public key chain"). Reference: PIX Firewall Software Version 6.3 Commands QUESTION NO: 3 Using the Cisco PIX and using port re-mapping, a single valid IP address can support source IP address translation for up to 64,000 active xlate objects.
QUESTION NO: 5 What command could you use on your PIX Firewall to view the current names and security levels for each interface? A. Show ifconfig B. Show nameif C. Show all D. Ifconfig /all Answer: B Explanation: Use the show nameif command to determine which interface is being described in a message containing this variable.
D. debug crypto Answer: A Explanation: The debug command lets you view debug information. The show debug command displays the current state of tracing. You can debug the contents of network layer protocol packets with the debug packet command. Reference: Cisco PIX Firewall Command Reference, Version 6.3. Note: Debugging is not discussed in Appendix B of Cisco Secure Intrusion Detection System 4. QUESTION NO: 8 RIP uses a port to establish communications.
QUESTION NO: 10 Which common command are you going to use to clear the contents of the translation slots when needed? A. clear xlate B. clear translate C. clear all D. show translate Answer: A Explanation: The xlate command allows you to show or clear the contents of the translation (xlate) slots. show xlate, clear xlate Reference: Cisco Secure PIX Firewall (Ciscopress) page 77 QUESTION NO: 11 When working on your PIX, you would like to view the network states of local hosts.
Explanation: Two things are required for traffic to flow from a lower security to a higher security interface: a static translation and a conduit or an access list to permit the desired traffic. Reference: Cisco Secure PIX Firewall (Ciscopress) page 55 QUESTION NO: 13 Which common command are you going to use to clear the contents of the translation slots when needed? A. B. C. D. E. F.
B. The Conduit is where the data travels on the Bus. C. It controls what QoS the packets get when going through Eth1. D. Controls connections between external and internal networks. Answer: D Explanation: The conduit command functions by creating an exception to the PIX Firewall Adaptive Security Algorithm that then permits connections from one PIX Firewall network interface to access hosts on another. Reference: Cisco PIX Firewall Command Reference, Version 6.
If you wanted to show the running configuration of a PIX firewall, what command would you use? A. Show Running-Config B. Write terminal C. Show Config D. Show pix Answer: B Explanation: Write terminal displays the current configuration on the terminal. Reference: Cisco PIX Firewall Command Reference, Version 6.3 QUESTION NO: 19 Which command(s) from the list below generates RSA key pairs for your PIX Firewall? A. B. C. D.
• Archie • Berkeley Standard Distribution (BSD)-rcmds • Bootstrap Protocol (BOOTP) • Domain Name System (DNS) • File Transfer Protocol (FTP) • generic routing encapsulation (GRE) • Gopher • HyperText Transport Protocol (HTTP) • Internet Control Message Protocol (ICMP) • Internet Protocol (IP) • NetBIOS over IP (Microsoft Networking) • Point-to-Point Tunneling Protocol (PPTP) • Simple Network Management Protocol (SNMP) • Sitara Networks Protocol (SNP) • SQL*Net (Oracle client/server protocol) • Sun