ExactPapers.com 642-531
QUESTION 1 Which of the following types of attacks is typical of an intruder who is targeting networks of systems in an effort to retrieve data or enhance their privileges? A. Access attack B. Denial of Service attack C. Man in the middle attack D. Authorization attack E.
Access Attacks: Access is a broad term used to describe any attack that requires the intruder to gain unauthorized access to a secure system with the intent to manipulate data, elevate privileges, or simply access the system. The term "access attack" is used to describe any attempt to gain system access, perform data manipulation, or elevate privileges. System Access Attacks: System access is the act of gaining unauthorized access to a system for which the attacker doesn't have a user account.
A. a means of network access B. prior access to the target C. previously installed root kit D. username and password Answer: A DoS attacks are performed by flooding the network, so the only requirement is access to the network. C, the requirement of installing tools to perform distributed attacks (whatever a root toolkit may be), is only true for DDoS attacks. As the aim is not to gain access, no usernames or passwords (D) and not even prior access to the target host (B) are required.
referred to as read-write access). SNMP agents listen on UDP port 161. Reference: SAFE Blueprint for Small, Midsize, and Remote-User Networks
QUESTION 8 Which of the following statements represents a false positive alarm situation? A. normal traffic or a benign action will not cause a signature to fire B. offending traffic will not cause a signature to fire C. normal traffic or a benign action will result in the signature firing D.
Explanation: True positive - is when an IDS generates an alarm for known intrusive activity. False negative - is when an IDS fails to generate an alarm for known intrusive activity. False positive - is when an IDS generates an alarm for normal user activity. Reference: Cisco Secure Intrusion Detection System (Ciscopress) page 55 & 58 Note: True positive - A situation in which a signature is fired properly when offending traffic is detected. An attack is detected as expected.
C. Rootkit D. Exposure Answer: B Explanation: Exploits activity - Indicative of someone attempting to gain access or compromise systems on your network, such as Back Orifice, failed login attempts, and TCP hijacking Reference: Cisco Intrusion Detection System - Cisco Secure Intrusion Detection System
QUESTION 14 Which of the following describes the evasive technique whereby control characters are sent to disguise an attack? A. Flooding B. Fragmentation C. Obfuscation D.
3) Unicode representation. Cisco Courseware 3-27
QUESTION 16 Why would an attacker saturate the network with "noise" while simultaneously launching an attack? A. causes the IDS to fire multiple false negative alarms B. an attack may go undetected C. it will have no effect on the sensor's ability to detect attacks D.
D. terminate TCP sessions E. dynamically reconfigure access control lists Answer: C, D Cisco Courseware 4-12 (PIX) Cisco Courseware 4-11 (IOS)
QUESTION 19 How many sensing interfaces does the IDS-4215 support? A. 6 B. 5 C. 4 D. 1 Answer: B
QUESTION 20 Which two Cisco IDS platforms provide integrated intrusion detection capabilities and target lower risk environments? (Choose two.) A. IOS-IDS B. Switch IDS module C. PIX-IDS D. Network appliances IDS E.
B. Network uptime C. Unauthorized network access D. Network downtime E. Network throughput F. Network abuse Answer: A, C, F Explanation: An IDS is software, and possibly hardware, that detects attacks against your network. It detects intrusive activity that enters your network. You can locate intrusive activity by examining network traffic, host logs, system calls, and other areas that signal an attack against your network.
A. Sensor processor speed B. Server performance C. Network throughput D. Intrusion detection analysis performance. Answer: D Explanation: Real-time monitoring of network packets, which involves packet capture and analysis. Reference: Cisco IDS Sensor Software - Cisco Secure Intrusion Detection System Overview
QUESTION 26 The new Certkiller trainee technician wants to know where the intrusion detection system sends TCP reset packets to terminate a session. What would your reply be? A.
E. e1/1 Answer: D The Sensor is on the same network, so the only possible answer is the Ethernet0/1 interface. Ethernet0/2 is using a different network address and Ethernet0/0 is using a DMZ network. Note: What is being talked about here is a Network Tap. "A network tap is a device used to split full-duplex traffic flows into single traffic flows that can be aggregated at a switch device."
- Merged switching and security into a single chassis
- Ability to monitor multiple VLANs
- Does not impact switch performance
- Attacks and signatures equal to appliance sensor
- Uses the same code base as the appliance sensor
- Support for improved management techniques such as IDM
QUESTION 30 Which of the following features regarding IDSM2 is true? A. parallels attacks and signature capabilities of the 4200 series appliances B. supports subset of signatures available in appliance C.
Answer: A Note: In the IDSM chapter I did not come across anything that stated this. In fact there is not much listed in the IDSM chapter. The main thrust was that it uses the same code as the ver4 sensors so it works the same except for some alterations. Cisco Secure Intrusion Detection System 4 chap 4
QUESTION 34 Which of the following supported client platforms are capable of communicating with a Monitoring Center for Security server running on a Windows-based platform? A. Windows only B.
According to the exhibit, Server Certkiller 4 is in VLAN 8. The Catalyst 6500 is running Catalyst OS. Which of the following commands would you use as a configuration step if one is to permit the IDSM2 to monitor traffic sent to and from VLAN3, VLAN4, and VLAN5? A. 6500(config)# monitor session 1 source 3-5 both B. 6500(config)# monitor session 1 destination idsm C. 6500(config)# monitor session 1 source vlan 3, 4, 5 D. 6500>(enable) set span 3 -5 8/1 both E.
filter keyword in set rspan command ---> [Catalyst OS using remote SPAN] Cisco Courseware 5-25
allow vlan keyword in switchport capture command ---> [Catalyst IOS using remote SPAN] http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/12_1e/swconfig/span.
Which command represents a valid configuration step to permit Sensor IDS6 to monitor traffic sent to Server Certkiller 7? A. 4000>(enable) set rspan destination 99 3/24 B. 4000>(config)# monitor session 2 destination interface fastEthernet 3/24 C. 6500(config)# remote-span 99 D. 6500>(enable) set rspan source 3/5 99 tx create E.
traffic sent to and from VLAN3, VLAN4, and VLAN5? A. 6500(config)# monitor session 1 source vlan 3, 4, 5 both B. 6500(config)# monitor session 1 destination idsm C. This feature is not supported in this configuration. D. 6500>(enable) set span source vlan-list 3- 5 destination interface 8/1 both create E.
A. rx B. both C. ingress D. tcp-rst accept E. inpkts enable F. This feature is not supported in this configuration Answer: E IDS course 4.0 page 5-19 Keyword to enable the receiving of normal inbound traffic on the SPAN destination port.
QUESTION 43 Study the exhibit below carefully: According to the exhibit all switches are connected through Fast Ethernet connections. Server Certkiller 7 and Sensor ID Certkiller 7 are in the same VLAN.
Answer: B, D Page 146 Cisco Press CCSP Chapter 6 Capturing Network Traffic
Step 1: Define a security ACL
Step 2: Commit the VACL to memory
Step 3: Map the VACL to VLANs
Step 4: Assign the capture port
Note: Does the 4000 switch really support VACLs?
QUESTION 45 The new Certkiller trainee technician wants to know what binds the input and output of a source RSPAN session on a Catalyst 6500 switch running IOS. What would your reply be? A. RSPAN vlan-id B. interface number C. SNMP ifIndex D.
Explanation: We must agree with the conclusion that this is nonsense, but E must be the correct answer since a hub is a layer 2 device, meaning that it does not segment the network. All devices connected to the hub will receive the same traffic.
QUESTION 47 Study the exhibit below carefully: According to the exhibit all switches are connected through Fast Ethernet connections. Server Certkiller 3 is in VLAN 8. The Catalyst 4000 is running Catalyst OS.
5) Apply the VLAN access-map to the specified VLANs
6) Select an interface.
7) Enable the capture function on the interface.
Cisco Courseware 5-38
QUESTION 49 What is a primary reason for using the mls ip ids command to capture traffic instead of VACLs? A. higher performance due to hardware-based multilayer switching B. CBAC is configured on the same VLAN C. D. E.
A. because you want to monitor traffic received from the server. It is not C. because the port monitor fastEthernet 0/5 command should be issued in (config-if)# mode. D and E are incorrect.
QUESTION 51 Which VLAN ACL sends only ftp traffic to a Cisco IDS Sensor connected to a Catalyst 6500 switch? A. set security acl ip FTP_ACL permit udp any any eq 21 B. set security acl ipx FTP_ACL permit ip any any capture C. set security acl ipx FTP_ACL permit tcp any any eq 21 D.
Answer: Explanation:
* Ingress SPAN copies network traffic received by the source ports for analysis at the destination port.
* Egress SPAN copies network traffic transmitted from the source ports for analysis at the destination port.
* A source port is a switch port monitored for network traffic analysis. The traffic through the source ports can be categorized as ingress, egress, or both.
* A destination port (also called a monitor port) is a switch port where SPAN sends packets for analysis.
A. You can have simultaneous protection of multiple network subnets, which is like having multiple Sensors in a single appliance. B. You can use different configurations for each monitoring interface. C. You must enable the monitoring interfaces in order for the Sensor to monitor your networks. D. You can enable an interface only if the interface belongs to an interface group. E. Two interface groups, Group 0 and Group 1, are supported. F.
F. session Answer: D Page 8-8 CSIDS Courseware under IDSM2 and Switch Configuration Tasks - Initialize the IDSM2. This includes completing the basic configuration via the setup command.
QUESTION 59 Which command will you advise the new Certkiller trainee technician to issue in order to initiate the IDSM2 system configuration dialog? A. sysconfig-sensor B. setup C. configure terminal D. session E.
D. Ciscoidsm E. Ciscoids Answer: E Explanation: The default login user name for the Cisco IDS Module is Ciscoids, and the default password is attack. Reference: Cisco Secure Intrusion Detection System (Ciscopress) page 680 Note: This was correct in the older course; however, it is not right according to version 4, but the answers given do not match what is listed in the course manual.
Sensor output exhibit: ***MISSING*** Note: Use the Sensor's command line interface to obtain information so that you can answer the question. You are NOT expected to do any configuration. Which of the following states would be displayed if the Sensor has established a connection to the router? A. "State = Connected" in the Network Access Controller service's configuration mode. B. "State = Connected" in the Network Access Controller's statistics. C.
Sensor output exhibit: ***MISSING*** The user name is Jag. Note: Use the Sensor's command line interface to obtain information so that you can answer the question. You are NOT expected to do any configuration. What is the username the Sensor will use to log in to the router? A. Admin B. Certkiller C. Lin D. Cisco E. Jag Answer: E
QUESTION 66 Network topology exhibit/simulation Sensor output exhibit: ***MISSING*** No ACL is configured.
C. BlockingACL D. RouterACL Answer: A
QUESTION 67 Exhibit: Given the output of the idsstatus Sensor command. What function is the Sensor performing? (Choose two) A. Not logging alarms, commands, and errors. B. Performing IP blocking. C. Not capturing network traffic. D. Logging alarms, commands, and errors. E. Not performing IP blocking.
C. Not logging alarms, errors, and commands. D. Generating e-mails for alarms. E. Not capturing network traffic. F. Loading alarms into a user database. Answer: A Explanation: Postofficed - The postofficed daemon serves as the communication vehicle for the entire Cisco IDS product. Sapd - The sapd daemon is a user-configurable scheduler that controls database loading and archival of old event and IP session logs.
NRS-2FE IDS 3.0 and IDS 3.1 NRS-TR IDS 3.0 and IDS 3.1 NRS-SFDDI IDS 3.0 and IDS 3.1 NRS-DFDDI IDS 3.0 and IDS 3.1 IDS 3.0, IDS 3.1, IDS 4.0, and IDS 4.1 IDS 4.1 IDS 3.0, IDS 3.1, IDS 4.0, and IDS 4.1 IDS 3.0, IDS 3.1, IDS 4.0, and IDS 4.1 IDS 3.0, IDS 3.1, IDS 4.0, and IDS 4.1 IDS 3.0, IDS 3.1, IDS 4.0, and IDS 4.1 IDS 4.0 and IDS 4.1 IDSM 3.0(5) and IDSM 3.
QUESTION 72 Which of the following represents the recommended procedure when upgrading a Cisco IDS appliance which is prior to version 4.x? A. Install the image from the IDS Management Center. B. Install the image from the network connection. C. Install the image from the recovery or upgrade CD. D. Install the image from the BIOS boot diskette. Answer: C Page 7-17 CSIDS Courseware under Software Installation Overview: To upgrade an IDS appliance from IDS software version 3.x to version 4.
With postoffice-based Cisco Intrusion Detection System Sensors (sensors running sensor software version 3.x) you can discover postoffice settings directly from the device. This is accomplished using a Secure Shell (SSH) session. SSH is a protocol for secure remote login and other secure network services over an insecure network.
three) A. IDS Device Manager B. IDS Event Viewer C. Remote Shell D. Secure Shell E. Telnet F. Trivial File Transfer Protocol Answer: A, D, E Explanation: Enter or delete the IP addresses of hosts and networks that can access the sensor via Telnet, FTP, SSH, and scp. Reference: Cisco Intrusion Detection System Sensor Getting Started Version 3.1
QUESTION 78 A company policy states that IDS Sensors can be managed only by authorized management workstations. The management workstations exist on the 192.
C. IDS Device Manager D. IDS Event Viewer E. Session command F. IDS Management Center Answer: A, E Explanation: The Catalyst 6000 family switch can be accessed either through a console management session or through telnet. Reference: Cisco Secure Intrusion Detection System (Ciscopress) page 498
QUESTION 80 Which command would you advise the new Certkiller trainee technician to use in order to view the initial configuration parameters on the IDSM2? A. show capture B. setup C.
Answer: C Explanation: The interface sensing configuration mode is a third level of the CLI. It enables you to enable or disable the sensing interface. Command: shutdown Cisco Courseware 9-14
QUESTION 83 Which of the following qualifies to be a second level CLI mode in Cisco IDS? A. privileged exec B. service C. global configuration D. tune micro engines E.
QUESTION 86 Match the Cisco IDS Sensor command with its function. Answer: Explanation:
* idsstop - Executing this script stops the Cisco IDS daemons.
* cidServer stop - If you are troubleshooting an issue with TAC and you need to stop and start the server, enter the following commands
* idsvers - To verify the installation of the S10 signature pack, Telnet to the Sensor, log on as netrangr, and issue either the nrvers or the idsvers command.
Answer: D Explanation: User Roles: The CLI for IDS version 4.0 supports three user roles: Administrator, Operator, and Viewer.
1. Administrators - This user role has the highest level of privileges. Administrators have unrestricted view access and can perform the following functions:
1. Add users and assign passwords.
2. Enable and disable control of physical interfaces and interface groups.
3. Assign physical sensing interfaces to interface groups.
4.
added. Reference: Cisco Courseware 7-24
QUESTION 89 What is the default privilege level that is set when creating a user account on a Cisco IDS Sensor? A. Viewer B. Administrator C. Operator D. Anonymous E. Guest Answer: A Privileges: Allowed levels are: 1. Service 2. Administrator 3. Operator 4. Viewer. The default is Viewer. Cisco Courseware 9-23
QUESTION 90 When setting up user accounts on a Cisco IDS Sensor.
Page 9-33 CSIDS Courseware under Generating an X.509 Certificate: Use the tls generate-key command to generate the self-signed X.509 certificate needed by TLS.
QUESTION 92 Which CLI command would permit remote network access to the IDS Sensor from network 10.1.1.0/24? A. sensor(config)# access-list 100 permit 10.1.1.0.0.0.0.255 B. sensor(config-Host-net)# access-list 100 permit 10.1.1.0.0.0.0.255 C. sensor(config)# accessList ipAddress 10.1.1.0 netmask 255.255.255.0 D.
copy
Use the copy command to copy iplogs and configuration files.
copy [/erase] source-url destination-url
copy iplog log-id destination-url
Syntax Description:
/erase (Optional) Erases the destination file before copying. This keyword only applies to current-config; the backup-config is always overwritten. If this keyword is specified for destination current-config, the source configuration is applied to the system default configuration.
c. Save the private key. We recommend the name sensorname.key for the private key and we use it in this example. Reference: Cisco Courseware 12-7
QUESTION 96 How would you go about successfully adding a Sensor to the IDS MC if the Sensor software version is not displayed in the drop-down list of available versions during the add process? A. Update the Sensor's software version to a version matching one in the IDS MC list. B.
QUESTION 98 Which of the following represents the methods for adding devices in the Management Center for IDS Sensors using the GUI interface? A. Manually add only B. Manually add or import from file C. Manually add or import from RME D. Manually add or import from security monitor E.
Answer: B, E Page 12-13 CSIDS Courseware under Devices-Sensor Group Note: When you create subgroups, the subgroup inherits the properties of the parent group, or you may copy settings from another group to the new subgroup.
QUESTION 101 Select the true statements regarding Sensor groups. A. The mandatory check box exists in the context of a Sensor object to identify required configuration settings. B.
2) Download the IP log files via IDM. After retrieving the IP log files, you can use a network protocol analyzer to examine the data. Not B: Archive using SCP is false, although Copy using SCP would be true.
QUESTION 103 The new Certkiller trainee technician wants to know how automatic IP logging is enabled on the Sensor. What would your reply be? A. It is enabled by default for all high-severity signature alarms. B. It is enabled by default for all signatures. C.
creating custom signatures with IDS MC? (Choose two.) A. SubSigID B. signature name C. engine description D. engine name E. signature string Answer: B, D The two required fields are Signature Name & Engine. Reference: Cisco Courseware 14-33; Page 365 Cisco Press CCSP CSIDS 2nd edition under Creating Custom Signatures. See screenshot: fields marked with * are required.
Answer: D Explanation: Select the TCP three-way handshake if you want the sensor to track only those sessions for which the three-way handshake is completed. The other options for reassembly are: No reassembly, Loose reassembly, Strict reassembly. Reference: Cisco Secure Intrusion Detection System (Ciscopress) page 419
QUESTION 107 When configuring a custom signature via the IDM Signature Wizard, you must choose a signature type from one of three categories. What are those categories? Choose three. A.
Page 14-7 CSIDS Courseware under Signature Actions: You can configure signatures to cause the Sensor to take action when the signature is triggered by the following:
1) IP Log
2) TCP Reset
3) Block - Block Host - Block Connection
Cisco Courseware 13-10, Cisco Courseware 14-7, Cisco Courseware 14-12 (Screenshot)
QUESTION 110 What information can a network security administrator specify in a Cisco IDS exclude signature filter? (Choose two) A. Signature name B. Signature ID C. Signature action D.
whether it is an inclusive or exclusive filter. Reference: CiscoWorks Management Center for IDS Sensors - Tuning Sensor Configurations
QUESTION 112 Study the exhibit below carefully: According to the exhibit, which parameter selection would display the correct panel and the capability to perform a tuning of a specific signature to log events when they occur? A. Select the desired check box and click on the engine name. B. Click on the associated Signature ID. C.
QUESTION 114 Select the three phases of sensor tuning (Choose three.) A. Prep Phase B. Deployment Phase C. Setup Phase D. Tuning Phase E. Maintenance Phase F.
D. SSH E.
D. 100 interface/directions maximum per devices E. 10 interface (both directions) across all devices Answer: A Page 383 Cisco Press CCSP CSIDS 2nd edition under IP Blocking: Network Topology: A single sensor can only perform IP Blocking on a maximum of 10 interfaces across one or more managed devices. Cisco Courseware 15-3
QUESTION 120 Which of the following can a blocking Sensor utilize to manage a PIX Firewall for shunning? (Choose all that apply.) A. RDEP B. Telnet C. SSLand D. SSH E.
C. They are considered critical hosts and should not be blocked. D. They provide a method for the Sensor to route through the subnet to the managed router. Answer: A Explanation: Today's networks have several entry points to provide reliability, redundancy, and resilience. These entry points also represent different avenues for the attacker to attack your network. You must identify all the entry points into your network and decide whether they need to also participate in IP blocking.
B. ACL applied to the internal (trusted) interface of a managed device C. ACL applied to a managed interface prior to an attack being detected D. ACL used to block traffic on the inbound direction of a managed interface E.
QUESTION 127 Which of the following represents the best description of a post-block ACL on an IDS blocking device? A. ACL applied to a managed interface once an attack has been detected. B. ACL entries applied to the end of the active ACL after blocking entries. C. ACL used to block traffic on the inbound direction of a managed interface D. ACL used to block traffic on the internal (trusted) interface of a managed device. E.
QUESTION 130 A Cisco IDS Sensor has been configured to perform IP Blocking. Which Cisco IDS service must be running on the Sensor? A. Logged B. Eventd C. Blocked D. Managed E. Shunned Answer: D Explanation: Managed - The managed daemon is responsible for managing and monitoring network devices (routers and packet filters). For example, when packetd identifies that a certain type of attack should be shunned, it sends a shun command to managed via the post office facility.
command. Reference: Cisco Courseware B-11
QUESTION 132 Which of the following statements regarding the IDS Sensor communications is valid? A. RDEP makes use of SSL for secured internal communications. B. RDEP makes use of SSH for secure external communications. C. PostOffice protocol makes use of IPSec for secured external communications. D. IDAPI makes use of HTTPS for secured internal communications. E. cidCU makes use of SSH for secured external communications.
A. Configure the Blocking Forwarding Sensor's IP address. B. Configure the Blocking Forwarding Sensor's SSH public key. C. Configure the Allowed Hosts table to include the Blocking Forwarding Sensor. D. Configure the TLS Trusted-Host table to include the Blocking Forwarding Sensor. E. No additional configuration is required to configure a Master Blocking Sensor.
Blocking Sensor controls blocking on devices at the request of the NACs running on Blocking Forwarding Sensors. Page 15-30: IDS 4.0 uses RDEP to communicate blocking instructions.
QUESTION 137 What is the primary function of a Master Blocking Sensor? A. to serve as the central point of configuration in IDM for blocking B. to serve as the central point of configuration in IDS MC for blocking C. to manage and distribute blocking configurations to other "slave" Sensors D.
C. SERVICE engine signatures on a Cisco IDS Sensor include signatures based on network attacks. D. SERVICE engine signatures on a Cisco IDS Sensor are categorized and tuned by operating system Answer: B Cisco Courseware 13-41
QUESTION 140 Which type of signature can be configured to alarm only on specific source or destination IP addresses? A. atomic signatures B. flood signatures C. service signatures D. state signatures Answer: A The task is simple, so the simplest engine should do.
A. String signatures B. HTTP signatures C. TCP connection signatures D. FTP connection signatures E. ICMP signatures Answer: C Explanation: Connection signatures are user-configurable attack signatures based on the transport-layer protocol (TCP or UDP) and port number of the packets being monitored. Reference: Sensor Signatures
QUESTION 143 A company has a custom client-server application that communicates on UDP ports 6000-7000.
Reference: Cisco Secure Intrusion Detection System (Ciscopress) page 628-629
QUESTION 145 Which of the following represents a type of signature engine that is characterized by single packet conditions? A. string B. other C. atomic D. traffic Answer: C Signature Structure: As previously discussed, signature implementations deal with packet headers and packet payloads. The structure of the signatures deals with the number of packets that must be examined to trigger an alarm.
C. ATOMIC.IP.ROUTING D. OTHER E. ATOMIC.IPOPTIONS Answer: B Explanation: ATOMIC.L3.IP is a general-purpose Layer 3 inspector. It can handle DataLength and Protocol Number comparisons. It also has some hooks for fragment and partial ICMP comparisons. None of the parameters are required, so a simple signature meaning "any IP packet" can be written.
QUESTION 148 Which of the following signature descriptions best describes a service signature engine? A. Inspects multiple transport protocols. B. Detects network reconnaissance. C. Protocol analysis for layers 5, 6, and 7 applications. D. Identifies traffic irregularities. Answer: C Explanation: SERVICE.* Engines: Use the SERVICE engines to create signatures that deal with the Layer 5+ protocol of the service.
QUESTION 151 Which statement is true when creating custom signatures on a Cisco IDS Sensor in IDS MC? A. All parameter fields must be entered. B. They are automatically saved to the Sensor. C. The default action is logging. D. They are enabled by default. Answer: D Explanation: Custom signatures are enabled by default. It is recommended to test custom signatures in a non-production environment to avoid unexpected results including network disruption.
Answer: D Microsoft Exchange Server SMTP is based on TCP, not UDP.
QUESTION 154 Which of the following statements represents the most suitable description of a required signature parameter attribute? A. The signature parameter value cannot be modified for custom signatures. B. The default signature parameter value cannot be changed. C. The signature parameter must be defined for all signatures. D. The signature parameter value can be defined for custom signatures only.
A. SIG 20001 AlarmThrottle FireEvery ChokeThreshold 100 ThrottleInterval 120 B. SIG 20002 AlarmThrottle FireAll ChokeThreshold 60 ThrottleInterval 60 C. SIG 20003 AlarmThrottle FireAll ChokeThreshold 100 ThrottleInterval 60 D. SIG 20004 AlarmThrottle FireEvery ChokeThreshold 60 ThrottleInterval 120 Answer: C Explanation: ThrottleInterval defines the period of time used to control alarm summarization. AlarmThrottle is a technique which is used to limit alarm firings.
communications, choose the STRING.TCP signature engine to create the custom signature. Which of the following parameters must be configured so as to detect the desired information? (Choose all that apply.) A. SigStringInfo B. StorageKey C. ServicePorts D. SigComment E. RegexString Answer: C, E Explanation: Both Regex and ServicePorts need to be defined for custom signatures. Reference: Installing and Using the Cisco Intrusion Detection System Device Manager and Event Viewer Version 4.
Answer: C E Explanation: Engine parameters have the following attributes: 1) Protected - If a parameter is protected, you cannot change it for the default signatures. You can modify it for custom signatures. 2) Required - If a parameter is required, you must define it for all signatures, both default signatures and custom signatures. Reference: Page 438 CCSP Self-study: CSIDS Second Edition; Cisco Courseware 13-16
QUESTION 160 With the ATOMIC.
B. Logs deny ACL entries C. Sends SNMP traps to the Sensor D. Sends Syslog messages to the Sensor E. Sends SNMP traps to the Director F. Sends syslog messages to the Director Answer: B, F Explanation: The Sensor can be configured to create an alarm when it detects a policy violation from the syslog generated by a Cisco router. A policy violation is generated by a Cisco router when a packet fails to pass a designated Access Control List.
A. it should be on a SCP or FTP server B. it should be on cisco.com C. it should be on the FTP server only D. it should be on the IDS MC server E. it should be on the secure Web server Answer: D Requirements to install an update from the IDS MC: The file must exist on the IDS MC at: \Program Files\CSCOpx\MDC\etc\IDS\Updates Cisco Courseware 17-6
QUESTION 164 Which Cisco IDS software update file can be installed on an IDS-4210 Sensor? A. IDSMk9-sp-3.0-3-S10.exe B. IDSMk9-sp-3.0-3-S10.bin C.
Supported: FTP (A), HTTPS (D), SCP (F), HTTP. Reference: Cisco Courseware 17-6
QUESTION 166 Which of the following methods will you advise the new Certkiller trainee technician to use when upgrading the signatures on a Cisco IDS Sensor? (Choose all that apply.) A. IEV B. IDM C. IDS MC D. Monitoring Center for Security Answer: B C To use this procedure, you must have access to the server: * You must have access to the IDS MC server if you want to update the IDS MC or a sensor.
A. FTP B. SCP C. RCP D. HTTP E. NFS F. TFTP Answer: A, B, D Page 17-6 CSIDS Courseware under Sensor Maintenance: The update file must be located and accessible on one of these types of servers:
- FTP
- HTTP/HTTPS
- SCP
QUESTION 169 Which two methods can be used to upgrade the signatures on a Cisco IDS Sensor? (Choose two.) A. CLI B. IEV C. SigUp D. IDS MC E. Monitoring Center for Security Answer: A, D Page 17-10, 17-12 CIDS Courseware v4.
QUESTION 171 The Cisco IDS Sensor service pack file IDSk9-sp-3.1-2-S23.bin exists on the Sensor. Which command installs the service pack on the Sensor? A. IDSk9-sp-3.1-2-S23 -install B. IDSk9-sp-3.1-2-S23.bin -install C. IDSk9-sp-3.1-2-S23.bin -i D. IDSk9-sp-3.1-2-S23.bin -l E. IDSk9-sp-3.1-2-S23-bin -apply F. IDSk9-sp-3.1-2-S23 -apply Answer: E Explanation: INSTALLATION To install the version 3.1(5)S58 service pack, follow these steps: 1. Download the self-extracting binary file IDSk9-sp-3.
You can re-image the IDS module from the maintenance partition. After you re-image the IDS module, you must initialize it using the setup command.
Recovering the Software Image: You can recover the software image for the IDS module if it becomes unusable. If, for example, you install a service pack on an IDS module and it is unusable after it reboots, you must re-image the IDS module from the maintenance partition.
Answer: A, B, C
Although time is not changed, time is NOT an application setting. Cisco Courseware 17-17
QUESTION 176
What version of Cisco IDS software is required prior to upgrading to 4.1?
A. 4.0(2)S37
B. 4.0(3)S41
C. 4.0(1)S37
D. 4.0(1)S24
Answer: A
The sensor must report the version as 4.0(1)S37 or later before you can apply this minor update: http://ftp-sj.cisco.com/cisco/crypto/3DES/ciscosecure/ids/4.x/IDS-K9-min-4.1-1-S47a.readme
Answer: E
Explanation: [client] --- HTTPS ---> [IDS MC] --- SSH ---> [IDS]
Cisco Courseware 6-8
QUESTION 179
Which protocol is used for communication between the IDS Event Viewer and the Sensor?
A. RDEP
B. SSH
C. SNMP
D. IPSec
Answer: A
Explanation: RDEP uses the industry-standard HTTPS. 1. Communications with monitoring applications - HTTPS. Reference: Cisco Courseware 6-8
QUESTION 180
You are the Certkiller administrator.
B. subscriptions
C. transaction log
D. queries
E.
Explanation: Communication infrastructure parameters:
* Sensor Host ID and Organization ID
* Sensor Host Name and Organization Name
* Sensor IP Address
* Cisco Secure IDS Director or Cisco Secure PM IDS Manager Host ID and Organization ID
* Cisco Secure IDS Director or Cisco Secure PM IDS Manager Host Name and Organization Name
* Cisco Secure IDS Director or Cisco Secure PM IDS Manager workstation IP address
Reference: Cisco Secure Intrusion Detection System Sensor Configuration Note Version 2.
Cisco Courseware 6-4
QUESTION 186
When does the Sensor create a new log file?
A. Only when the Sensor is initially installed.
B. Only when the Sensor requests it.
C. Every time its services are restarted.
D. Every time a local log file is used.
Answer: C
Explanation: The Sensor creates a new log file every time its services are restarted.
QUESTION 188
Which Cisco IDS service allows external management applications to control and configure sensors?
A. Transaction Server
B. Event Server
C. IPLog Server
D. Sensor Server
Answer: A
Explanation: TransactionSource is an application that forwards locally initiated remote control transactions to their remote destinations using the RDEP and HTTP protocols.
QUESTION 191
Which network services are enabled by default on a Cisco IDS Sensor for remote management? (Choose all that apply.)
A. SSH
B. TFTP
C. SNMP
D. Telnet
E. RSH
F. FTP
Answer: A, F
Explanation: Telnet requires an IP address that has been assigned to the command and control interface via the CLI setup command, and must be enabled to allow Telnet access. Telnet is DISABLED by default.
A. Managed
B. Captured
C. Snifferd
D. Packetd
E. Trafficd
Answer: D
Explanation: Packetd - The packetd daemon interprets and responds to all of the events it detects on the monitored subnet. Reference: Cisco Secure IDS Internal Architecture
QUESTION 194
What can be determined about a Cisco IDS update file named IDS-K9-sp-4.1-2-S40.zip?
A. B. C. D. E.
Explanation:
* Network Security Database (NSDB) - The NSDB provides instant access to specific information about the attacks, hyperlinks, potential countermeasures, and related vulnerabilities. Because the NSDB is an HTML database, it can be personalized for each user to include operation-specific information such as response and escalation procedures for specific attacks.
Device Manager?
A. on a web server with supported operating systems
B. on a Cisco IDS Sensor running version 3.1 and higher
C. on a Cisco IOS router with IOS version 12.2(2)T and higher running IDS software
D. on a Cisco PIX Firewall version 6.
In the Cisco IDS Event Viewer, how do you display the context data associated with an event?
A. Choose View > Context Data from the main menu.
B. Right-click the event and choose Show Data.
C. Choose View > Show Data from the main menu.
D. Right-click the event and choose Show Context.
E. Choose View > Show Context from the main menu.
F. Double-click the event.
Answer: D
Explanation: Certain alarms may have context data associated with them.
Event Viewer? (Choose all that apply.)
A. Right-click Dest_Address_Group_View and choose View.
B. Double-click Dest_Address_Group_View.
C. Right-click Dest_Address_Group_View and choose Display.
D. Right-click Sig_Name_Group_View and choose View.
E. Right-click Sig_Name_Group_View and choose Display.
F. Double-click Sig_Name_Group_View.
Answer: B, F
Explanation: Right-click a row in the Expanded Details Dialog, and then select View Alarms. Result: The Alarm Information Dialog appears.
Explanation: The information you provide in the Device Properties panel should match the settings you entered during the initial configuration of the Sensor. If you have set up a user account with Viewer access for the IEV, specify the username and password for that account. Reference: Cisco Courseware p. 10-13
QUESTION 205
When enabling time schedules for archival of events with IDS Event Viewer, which three options are available? (Choose three.)
A. every N minutes
B. every N MB
C. every N hours
D.
Explanation:
1. IDS_Analyzer - To check that the service that processes event rules and requests user-specified notifications when appropriate is running properly.
2. IDS_DeployDaemon - To check that the service that manages all configuration deployments is running properly.
3. IDS_Notifier - To check that the service that receives notification requests (script, e-mail, and/or console) from other subsystems and performs the requested notification is running properly.
4.
sensors, switch IDS sensors, and IDS network modules for routers. Uses a web-based interface. Reference: CiscoWorks Management Center for IDS Sensors Datasheet
Note: What is the IDS MC? The IDS MC is a web-based application that centralizes and accelerates the deployment and management of multiple IDS sensors or IDSMs. IDS MC is a component of the VMS bundle.
Explanation: The Workflow tab is where you can generate, approve, and deploy configuration files for the sensors that you want to manage with your installation of IDS MC. Reference: Generating, Approving, and Deploying Configuration Files
QUESTION 212
Match the common IDS deployment scenario with the appropriate description.
Answer: C
Cisco Courseware Lab 11-4
QUESTION 214
Which CiscoWorks user role provides administrative access for performing all IDS MC operations?
A. root
B. administrator
C. service account
D. system administrator
E. network administrator
Answer: D
Explanation: The five types of user authorization roles are as follows:
1) Help Desk - Read-only for the entire system.
2) Approver - Read-only for the entire system and includes approval privileges for configuration changes.
D. keygen
E. puttygen
Answer: E
Explanation: This document explains how to use the Key Generator for PuTTY (PuTTYgen) to generate Secure Shell (SSH) authorized keys and RSA authentication for use on Cisco Secure Intrusion Detection System (IDS). The primary issue when you establish SSH authorized keys is that only the older RSA1 key format is acceptable. This means that you need to tell your key generator to create an RSA1 key, and you must restrict the SSH client to use the SSH1 protocol.
QUESTION 219
Study the exhibit below carefully. According to the exhibit depicting the RDEP properties of a Sensor in IDS MC, which of the following statements will be valid if the web server port value is changed from its current value? (Choose all that apply.)
A. IEV must use this new port value to retrieve IDS events
B. The web server port must be manually changed on the Sensor to match the new value
C. IDS MC must use this new port value to configure the Sensor
D.
C. If not selected, the option specifies that IDS MC will dynamically generate new keys to securely communicate with the Sensor.
D. The option increases security of Sensor communications by requiring the use of both username/password and SSH authentication.
E. The option increases performance, but decreases security of Sensor communications by replacing username and password authentication with a single pre-shared key.
a NAT device
B. Informs the IDS device which address to use in order to send alarms to Monitoring Center for Security when separated by a NAT device
C. Specifies to Monitoring Center for Security the true address of an IDS device located behind a NAT device
D. Identifies the IP address of a NAT device that separates Monitoring Center for Security from the IDS device
E.
B. SSH
C. Syslog
D. PostOffice
E. Not supported (Security Monitor does not support this platform)
Answer: C
Explanation: Adding a PIX Firewall or Cisco IDS Host Sensor: PIX Firewalls and Cisco IDS Host Sensors use syslog messages to communicate with Security Monitor. You do not have to add syslog devices because Security Monitor monitors all syslog traffic on the UDP port.
F. None of the above.
(Choose three.)
A. events
B. sensors
C. statistics
D. signatures
E. connections
F. notifications
Answer: A, C, E
Explanation: You can monitor information about the devices that you have added to Security Monitor. This information falls into the following three categories:
1) Connections
2) Statistics
3) Events
Cisco Courseware 16-33
QUESTION 232
Which of the following will identify possible actions for an event rule in the Monitoring Center for Security? (Choose three.)
A. notify via Email
B.
E. by Sensor
F. by address
Answer: C, D
Page 16-58 CSIDS Courseware, under Event Viewer - Creating Graph. Two types of graphs:
- By Child (displays child events across the X-axis of the graph and the number of occurrences along the Y-axis)
QUESTION 234
Which Cisco IDS Sensor configuration parameter affects the source and destination values included in an IDS alarm event?
A. Data source
B. IP fragment reassembly
C. External network definition
D. Internal network definition
E.
E) SSL
Wrong. The test does not specify version 3.x, which means version 4.x; the right answer is B. CiscoPress CSIDS Self-Study, Second Edition, Earl Carter, pages 607, 608 and 610
QUESTION 236
Which of the following protocols is used by the Monitoring Center for Security to monitor alarms on an IDS v3.x Sensor?
A. SSL
B. SSH
C. RDEP
D. HTTP
E.
QUESTION 238
Which protocol does the Monitoring Center for Security use to monitor alarms on an IDS v3.x Sensor?
A. SSL
B. SSH
C. RDEP
D. HTTP
E. PostOffice
Answer: E
Page 16-27 CIDS Courseware v4.0
QUESTION 239
Which three parameters, in addition to its IP address, are required by Monitoring Center for Security in order for it to receive alarms from an IDS Sensor device? (Choose three.)
A. Org ID
B. Host ID
C. Username
D. Org Name
E. Password
F.
Answer: A, D, E
Explanation: The Security Monitor enables you to launch a notification, trigger a script, or send an e-mail when a database rule is triggered. These database rules can be triggered when the Security Monitor database reaches a certain size, when a number of events happen, or on a daily basis. The Security Monitor comes with three predefined rules for database maintenance:
1) Default pruning - Default pruning for alarm tables when the database reaches 2,000,000 total events.
Answer:
Explanation:
login: Certkiller
password: Certkiller 1636
sensor#
1. sensor# copy current-config ftp://admin@172.16.16.100/ Certkiller 5287/backup-cfg
   password: password2
2. sensor# show user all
3. sensor# config terminal
   sensor(config)# no username service (service is the username for the service account)
4. sensor(config)# privilege user tessking operator
5. sensor(config)# service virtual-sensor-configuration virtualSensor
6.
a. Enter configure terminal mode:
   sensor# configure terminal
b. Enter host configuration mode:
   sensor(config)# service host
c. Enter network parameters configuration mode:
   sensor(config-Host)# networkParams
d. View the current settings:
   sensor(config-Host-net)# show settings
   networkParams
   -----------------------
   ipAddress: 10.10.10.200
   netmask: 255.255.255.0 default: 255.255.255.0
   defaultGateway: 10.10.10.
system's parameters to a known baseline by performing the following actions:
1) Create a backup of the running configuration to a remote FTP server.
2) Verify existing account and access privileges.
3) Delete the service account.
4) Reduce the access rights of your assistant, Jack King, from operator access to one that can only monitor IDS events.
5. sensor(config)# service virtual-sensor-configuration virtualSensor
   sensor(config-vsc)# reset-signatures string.tcp
QUESTION 244
You work as a network security administrator at the Certkiller.com office in Washington DC. Certkiller is now installing new Cisco IDS Sensors and you are responsible for configuring them to permit remote access only from trusted hosts. Perform this task on one of the Sensors using the CLI (Command Line Interface).
QUESTION 245
Exhibit/simulation: Certkiller.com has recently hired you as a security administrator at their Toronto office. You are required to increase the security on one of Certkiller's Cisco IDS-4250 Sensors.
3. sensor# config terminal
   sensor(config)# no username service (service is the username for the service account)
4. sensor(config)# privilege user tessking operator
5. sensor(config)# service virtual-sensor-configuration virtualSensor
6. sensor(config-vsc)# reset-signatures ATOMIC.L3.TCP
QUESTION 246
Network topology exhibit/simulation
You work as a network security administrator at Certkiller.com. Certkiller is now installing new Cisco IDS Sensors.
sensor(config-Host-net)# show settings
networkParams
-----------------------
ipAddress: 10.10.10.200
netmask: 255.255.255.0 default: 255.255.255.0
defaultGateway: 10.10.10.1
hostname: sensor
telnetOption: disabled default: disabled
accessList (min: 0, max: 512, current: 1)
-----------------------
ipAddress: 10.0.0.0
netmask: 255.0.0.0 default: 255.255.255.255
e. Remove the 10.0.0.0 network from the access list:
   sensor(config-Host-net)# no accessList ipAddress 10.0.0.0 netmask 255.0.0.
Assignment: Click on the picture of the host connected to an IDS Sensor by a serial console cable, shown in the diagram as a dotted line. Select the Cisco Terminal Option and perform the appropriate configuration tasks.
Sensor IP address: 192.168.1.4/24
IDS Manager Host ID: 4
IDS Manager Host Organization ID: 27
IDS Manager Host Name: sensor 27
IDS Manager Organization Name: HQ
IDS Manager IP Address: 192.168.1.
Answer:
Explanation: Reference: Cisco Courseware 6-4
QUESTION 249
Starting and stopping all IDS applications is the task of which of the following Cisco IDS application servlets?
A. sensorApp
B. mainApp
C. cidCLI
D. IDM servlet
Answer: B
Explanation: Correct description, but wrong options chosen. MainApp is started by the operating system. It starts the applications in the following sequence:
1. Read and validate contents of dynamic and static configurations.
2.
Create the shared system components: EventStore and IDAPI.
4. Open status event subscription.
5. Start the IDS applications (the order is specified in the static configuration).
6. Wait for an initialization status event from each application. If after waiting 60 seconds all status events have not been received, MainApp generates an error event identifying all applications that did not start.
7. Close status event subscription.
8. Start the upgrade scheduler.
9.
QUESTION 252
Which types of packets are not forwarded to the NM-CIDS? (Choose two.)
A. GRE encapsulated packets
B. TCP packets
C. UDP packets
D. ARP packets
Answer: A, D
QUESTION 253
How many megabits per second can the NM-CIDS monitor?
A. 10 Mbps
B. 100 Mbps
C. 45 Mbps
D. 80 Mbps
Answer: B
QUESTION 254
Under what circumstance would only the untranslated inside source be sent to the NM-CIDS for processing?
A. When using outside NAT
B. When using inside NAT
C. When using outside PAT
D.
A. ip cef
B. ip inspect
C. service-module
D. ip cef linecard ipc memory
Answer: A
QUESTION 257
Select the true statement regarding Sensor groups.
A. The mandatory check box exists in the context of a Sensor object to identify required configuration settings.
B. The override check box exists in the context of a Sensor Group object to prevent configuration parameters from being inherited.
C.
Explanation:
Answer A. show who: Shows active administrative Telnet sessions on the PIX Firewall. Cisco Secure Policy Manager does not generate this command, but the command can be supported using the Command panel on the PIX Firewall node. You can use the who command with the same results.
Answer E. kill: Terminates another Telnet session to the PIX Firewall. Reference: PIX Firewall Command Support Status
Incorrect Answers:
B: remove session - is not a real command.
C: show logon - is not a real command.
specified in the global statement, that address is port translated. The PIX allows one port translation per interface, and that translation supports up to 65,535 active xlate objects to the single global address. The first 1023 are reserved. Reference: Cisco Secure PIX Firewall (Ciscopress) page 91; Using nat, global, static, conduit, and access-list Commands and Port Redirection on PIX
QUESTION 262
With regards to the PIX Firewall, which two terms are correct from the below list?
A.
Answer: C
Explanation: The fixup protocol commands let you view, change, enable, or disable the use of a service or protocol through the PIX Firewall. The ports you specify are those that the PIX Firewall listens on for each respective service. Reference: Cisco PIX Firewall Command Reference, Version 6.3
Note: In Appendix B of the Cisco Secure Intrusion Detection System 4 courseware, the fixup protocol is not discussed.
QUESTION 265
Debugging a PIX is what you want to do to resolve a problem.
A. 501
B. 506
C. 515
D. 1100
Answer: C
Reference: Cisco Secure PIX Firewall
QUESTION 268
Which common command are you going to use to clear the contents of the translation slots when needed?
A. clear xlate
B. clear translate
C. clear all
D. show translate
Answer: A
Explanation: The xlate command allows you to show or clear the contents of the translation (xlate) slots.
B. Use the static and access-list commands.
C. Set the Eth1/0 interface to auto.
D. Use the nat and global commands.
Answer: B
Explanation: Two things are required for traffic to flow from a lower security to a higher security interface: a static translation and a conduit or an access list to permit the desired traffic. Reference: Cisco Secure PIX Firewall (Ciscopress) page 55
QUESTION 271
Which common command are you going to use to clear the contents of the translation slots when needed?
A.
B. The conduit is where the data travels on the bus.
C. It controls what QoS the packets get when going through Eth1.
D. Controls connections between external and internal networks.
Answer: D
Explanation: The conduit command functions by creating an exception to the PIX Firewall Adaptive Security Algorithm that then permits connections from one PIX Firewall network interface to access hosts on another. Reference: Cisco PIX Firewall Command Reference, Version 6.
C. Show Config
D. Show pix
Answer: B
Explanation: The write terminal command displays the current configuration on the terminal. Reference: Cisco PIX Firewall Command Reference, Version 6.3
QUESTION 277
Which command(s) from the list below generates RSA key pairs for your PIX Firewall?
A. rsa set ca
B. ca generate rsa
C. ca rsa config
D. config rsa
Answer: B
Explanation: The ca generate rsa command generates RSA key pairs for your PIX Firewall.
* HyperText Transport Protocol (HTTP)
* Internet Control Message Protocol (ICMP)
* Internet Protocol (IP)
* NetBIOS over IP (Microsoft Networking)
* Point-to-Point Tunneling Protocol (PPTP)
* Simple Network Management Protocol (SNMP)
* Sitara Networks Protocol (SNP)
* SQL*Net (Oracle client/server protocol)
* Sun Remote Procedure Call (RPC) services, including Network File System (NFS)
* Telnet
* Transmission Control Protocol (TCP)
* Trivial File Transfer Protocol (TFTP)
* User Datagram Protocol (UDP)
* RFC 1700