
QUESTION 141

Refer to Cisco IOS Zone-Based Policy Firewall, where will the inspection policy be applied?

 

A.

to the zone-pair

B.

to the zone

C.

to the interface

D.

to the global service policy

 

Correct Answer: A

Explanation:

Zone-based policy firewall (also known as “Zone-Policy Firewall” or “ZPF”) changes the firewall from the older interface-based model to a more flexible, more easily understood zone-based configuration model. Interfaces are assigned to zones, and an inspection policy is applied to traffic moving between the zones. Inter-zone policies offer considerable flexibility and granularity, so different inspection policies can be applied to multiple host groups connected to the same router interface.

The following task order can be followed to configure a Zone-Based Policy Firewall:

 

1. Define zones.

2. Define zone-pairs.

3. Define class-maps that describe traffic that must have policy applied as it crosses a zone-pair.

4. Define policy-maps to apply action to your class-map’s traffic.

5. Apply policy-maps to zone-pairs.

6. Assign interfaces to zones.

 

Reference: http://www.cisco.com/c/en/us/td/docs/routers/access/cisco_router_and_security_device_manager/24/software/user/guide/ZPF.html
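Added example, not taken from the Cisco SDM guide referenced above: the six tasks as one working IOS configuration. Interface names and addresses are assumptions. It shows where the inspection policy actually lands (the service-policy is attached under the zone-pair, not under a zone or an interface), and it assigns interfaces to zones last, because an interface is a zone member the moment the command is entered and traffic between two zones that have no zone-pair and policy is dropped.

```cisco
! Added example, not from the Cisco SDM guide: the six tasks as a working configuration.
! Interface names and addresses are assumptions. Inside hosts may initiate HTTP, HTTPS
! and DNS to the outside; return traffic is allowed by state; everything else is dropped.

! Task 1: define zones
zone security INSIDE
zone security OUTSIDE

! Task 2: define the zone-pair (directional: INSIDE-initiated traffic towards OUTSIDE)
zone-pair security ZP-INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE

! Task 3: class-map describing the traffic that must be inspected across the zone-pair
class-map type inspect match-any CM-INSIDE-TO-OUTSIDE
 match protocol http
 match protocol https
 match protocol dns

! Task 4: policy-map applying the action ("inspect" = stateful; class-default drops the rest)
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-INSIDE-TO-OUTSIDE
  inspect
 class class-default
  drop log

! Task 5: the inspection policy is applied to the zone-pair (the answer to Question 141)
zone-pair security ZP-INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE

! Task 6: assign interfaces to zones last. An interface belongs to its zone as soon as
! this line is entered, and inter-zone traffic with no zone-pair/policy is dropped.
interface GigabitEthernet0/0
 description LAN
 ip address 192.168.10.1 255.255.255.0
 zone-member security INSIDE
interface GigabitEthernet0/1
 description WAN
 ip address 203.0.113.2 255.255.255.252
 zone-member security OUTSIDE
```

There is deliberately no zone-pair from OUTSIDE to INSIDE: with no pair and no policy, outside-initiated connections are dropped, while the sessions created by inspect let replies back in. Traffic to and from the router itself (the self zone) is still permitted by default and needs its own zone-pair or an interface ACL if it is to be restricted. Verify with show zone-pair security and show policy-map type inspect zone-pair sessions: a test HTTP connection from the LAN should appear as a session under PM-INSIDE-TO-OUTSIDE, and a connection attempted from the WAN should produce a drop log entry.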

QUESTION 142

Which two protocols enable Cisco Configuration Professional to pull IPS alerts from a Cisco ISR router? (Choose two.)

 

A.

syslog

B.

SDEE

C.

FTP

D.

TFTP

E.

SSH

F.

HTTPS

 

Correct Answer: BF

Explanation:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/prod_white_paper0900aecd805c4ea8.html

 

Step 4: Enabling IOS IPS

The fourth step is to configure IOS IPS using the following sequence of steps:

Step 4.1: Create a rule name (this will be used on an interface to enable IPS):

ip ips name <rule name> <optional ACL>

router#configure terminal

router(config)# ip ips name iosips

You can specify an optional extended or standard access control list (ACL) to filter the traffic that will be scanned by this rule name. All traffic that is permitted by the ACL is subject to inspection by the IPS. Traffic that is denied by the ACL is not inspected by the IPS.

router(config)#ip ips name ips list ?

 

<1-199> Numbered access list

WORD Named access list

Step 4.2: Configure the IPS signature storage location; this is the directory `ips’ created in Step 2:

ip ips config location flash:<directory name>

router(config)#ip ips config location flash:ips

Step 4.3: Enable IPS SDEE event notification

ip ips notify sdee

router(config)#ip ips notify sdee

To use SDEE, the HTTP server must be enabled (via the `ip http server’ command). If the HTTP server is not enabled, the router cannot respond to the SDEE clients because it cannot see the requests. SDEE notification is disabled by default and must be explicitly enabled. Cisco Configuration Professional retrieves the SDEE events over HTTPS (hence answers B and F), so on a production router enable `ip http secure-server’ rather than the clear-text HTTP server.

 

 

QUESTION 143

On Cisco ISR routers, for what purpose is the realm-cisco.pub public encryption key used?

 

A.

used for SSH server/client authentication and encryption

B.

used to verify the digital signature of the IPS signature file

C.

used to generate a persistent self-signed identity certificate for the ISR so administrators can authenticate the ISR when accessing it using Cisco Configuration Professional

D.

used to enable asymmetric encryption on IPsec and SSL VPNs

E.

used during the DH exchanges on IPsec VPNs

 

Correct Answer: B

Explanation:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/prod_white_paper0900aecd805c4ea8.html

 

Step 1: Downloading IOS IPS files

The first step is to download IOS IPS signature package files and public crypto key from Cisco.com.

 

Step 1.1: Download the required signature files from Cisco.com to your PC

Location:

http://tools.cisco.com/support/downloads/go/Model.x?mdfid=281442967&mdfLevel=Software%20Family&treeName=Security&modelName=Cisco%20IOS%20Intrusion%20Prevention%20System%20Feature%20Software&treeMdfId=268438162

 

Files to download:

IOS-Sxxx-CLI.pkg: Signature package – download the latest signature package.

realm-cisco.pub.key.txt: Public Crypto key – this is the public key IOS IPS uses to verify the digital signature on the signature package before loading it
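Added example, not from the Cisco white paper: the CLI form of the IOS IPS bring-up described under Question 142 (rule name, config location, SDEE), together with the public-key step that Question 143 asks about. The interface, ACL name, directory name, signature package version and TFTP server are assumptions; the key-string is the realm-cisco.pub key Cisco publishes for IOS IPS (the same one quoted under Question 144).

```cisco
! Added example, not from the Cisco white paper: the CLI form of the IOS IPS bring-up,
! including the public-key step that Question 143 asks about. The interface, ACL name,
! directory name, signature package version and TFTP server are assumptions; the
! key-string is the realm-cisco.pub key Cisco publishes for IOS IPS (see Question 144).

! Create the directory that will hold the signature package and compiled signatures
mkdir flash:ips

configure terminal
! Install Cisco's public key under the name realm-cisco.pub. IOS IPS uses it only to
! verify the digital signature on IOS-Sxxx-CLI.pkg; a package that fails verification
! is refused, which is what stops a tampered signature file from being loaded.
crypto key pubkey-chain rsa
 named-key realm-cisco.pub signature
  key-string
   30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
   00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
   17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
   B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
   5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
   FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
   50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
   006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
   2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
   F3020301 0001
  quit
 exit
exit

! Step 4.1: rule name. The optional ACL scopes inspection: permit = inspected,
! deny = bypasses IPS entirely, so a careless deny is a blind spot, not a safe default.
ip access-list extended IPS-SCOPE
 permit ip any any
ip ips name iosips list IPS-SCOPE

! Step 4.2: signature storage location (the directory created above)
ip ips config location flash:ips retries 1

! Step 4.3: SDEE notification. SDEE is served by the IOS HTTP server; the white paper
! names ip http server, but Cisco Configuration Professional pulls events over HTTPS,
! so enable the secure server.
ip http secure-server
ip ips notify sdee
ip sdee events 500
! Optional: also send alerts to syslog for a collector that does not speak SDEE
ip ips notify log

! Retire everything, then unretire only the basic category. Without this step every
! signature in the package is compiled and a branch ISR runs out of memory.
! IOS asks "Do you want to accept these changes? [confirm]" on exit.
ip ips signature-category
 category all
  retired true
  exit
 category ios_ips basic
  retired false
  exit
 exit

! Apply the rule on the WAN interface, inbound
interface GigabitEthernet0/1
 ip ips iosips in
end

! Load the package: IOS verifies its signature with realm-cisco.pub, then compiles the
! unretired signatures. A wrong or missing key makes this fail with a digital-signature error.
copy tftp://192.0.2.10/IOS-S353-CLI.pkg idconf

! Verify
show ip ips configuration
show ip ips signatures count
```

The key is the trust anchor for the whole feature: the router has no other way to tell a genuine Cisco signature package from a modified one, so the key-string should be pasted from the file downloaded over HTTPS from Cisco.com, not from a copy found elsewhere. show ip ips configuration confirms the rule name, config location and interface binding; show ip ips signatures count confirms that the package loaded and how many signatures actually compiled.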

 

 

QUESTION 144

Which four tasks are required when you configure Cisco IOS IPS using the Cisco Configuration Professional IPS wizard? (Choose four.)

 

A.

Select the interface(s) to apply the IPS rule.

B.

Select the traffic flow direction that should be applied by the IPS rule.

C.

Add or remove IPS alerts actions based on the risk rating.

D.

Specify the signature file and the Cisco public key.

E.

Select the IPS bypass mode (fail-open or fail-close).

F.

Specify the configuration location and select the category of signatures to be applied to the selected interface(s).

 

Correct Answer: ABDF

Explanation:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/prod_white_paper0900aecd8066d265.html

 

Step 11. At the `Select Interfaces’ screen, select the interface and the direction that IOS IPS will be applied to, then click `Next’ to continue.

 


Step 12. At the `IPS Policies Wizard’ screen, in the `Signature File’ section, select the first radio button “Specify the signature file you want to use with IOS IPS”, then click the “…” button to bring up a dialog box to specify the location of the signature package file, which will be the directory specified in Step 6. In this example, we use tftp to download the signature package to the router.

 


Step 13. In the `Configure Public Key’ section, enter `realm-cisco.pub’ in the `Name’ text field, then copy and paste the following public key’s key-string into the `Key’ text field. This public key can be downloaded from Cisco.com at: http://www.cisco.com/pcgi-bin/tablebuild.pl/ios-v5sigup. Click `Next’ to continue.

30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
F3020301 0001

 


QUESTION 145

Which statement is a benefit of using Cisco IOS IPS?

 

A.

It uses the underlying routing infrastructure to provide an additional layer of security.

B.

It works in passive mode so as not to impact traffic flow.

C.

It supports the complete signature database as a Cisco IPS sensor appliance.

D.

The signature database is tied closely with the Cisco IOS image.

 

Correct Answer: A

Explanation:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/product_data_sheet0900aecd803137cf.html

Product Overview

In today’s business environment, network intruders and attackers can come from outside or inside the network.

They can launch distributed denial-of-service attacks, they can attack Internet connections, and they can exploit network and host vulnerabilities. At the same time, Internet worms and viruses can spread across the world in a matter of minutes. There is often no time to wait for human intervention-the network itself must possess the intelligence to recognize and mitigate these attacks, threats, exploits, worms and viruses.

Cisco IOS Intrusion Prevention System (IPS) is an inline, deep-packet inspection-based solution that enables Cisco IOS Software to effectively mitigate a wide range of network attacks. While it is common practice to defend against attacks by inspecting traffic at data centers and corporate headquarters, distributing the network level defense to stop malicious traffic close to its entry point at branch or telecommuter offices is also critical.

 

Cisco IOS IPS: Major Use Cases and Key Benefits

IOS IPS helps to protect your network in 5 ways (shown as a figure in the data sheet; the figure is not reproduced here).

Key Benefits

Provides network-wide, distributed protection from many attacks, exploits, worms and viruses exploiting vulnerabilities in operating systems and applications

Eliminates the need for a standalone IPS device at branch and telecommuter offices as well as small and medium-sized business networks

Unique, risk rating based signature event action processor dramatically improves the ease of management of IPS policies

Offers field-customizable worm and attack signature set and event actions

Offers inline inspection of traffic passing through any combination of router LAN and WAN interfaces in both directions

Works with Cisco IOS® Firewall, control-plane policing, and other Cisco IOS Software security features to protect the router and networks behind the router

Supports more than 3700 signatures from the same signature database available for Cisco Intrusion Prevention System (IPS) appliances

 

 

QUESTION 146

You are the security administrator for a large enterprise network with many remote locations. You have been given the assignment to deploy a Cisco IPS solution. Where in the network would be the best place to deploy Cisco IOS IPS?

 

A.

Inside the firewall of the corporate headquarters Internet connection

B.

At the entry point into the data center

C.

Outside the firewall of the corporate headquarters Internet connection

D.

At remote branch offices

 

Correct Answer: D

Explanation:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/product_data_sheet0900aecd803137cf.html

 

The data sheet’s Product Overview and Key Benefits are quoted in full under Question 145. The passages that answer this question:

Cisco IOS Intrusion Prevention System (IPS) is an inline, deep-packet inspection-based solution that enables Cisco IOS Software to effectively mitigate a wide range of network attacks. While it is common practice to defend against attacks by inspecting traffic at data centers and corporate headquarters, distributing the network level defense to stop malicious traffic close to its entry point at branch or telecommuter offices is also critical.

Eliminates the need for a standalone IPS device at branch and telecommuter offices as well as small and medium-sized business networks

Headquarters and data-center entry points (options A to C) are where a dedicated sensor appliance is normally placed; IOS IPS is the branch-router option, which is why D is the intended answer.

QUESTION 147

Which IPS technique commonly is used to improve accuracy and context awareness, aiming to detect and respond to relevant incidents only and therefore, reduce noise?

 

A.

Attack relevancy

B.

Target asset value

C.

Signature accuracy

D.

Risk rating

 

Correct Answer: D

Explanation:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/prod_white_paper0900aecd806e7299.html

 

Risk Rating Calculation

Risk rating is a quantitative measure of your network’s threat level before IPS mitigation. For each event fired by IPS signatures, Cisco IPS Sensor Software calculates a risk rating number. The factors used to calculate risk rating are:

Signature fidelity rating: This IPS-generated variable indicates the degree of attack certainty.

Attack severity rating: This IPS-generated variable indicates the amount of damage an attack can cause.

Target value rating: This user-defined variable indicates the criticality of the attack target. This is the only factor in risk rating that is routinely maintained by the user. You can assign a target value rating per IP address in Cisco IPS Device Manager or Cisco Security Manager. The target value rating can raise or lower the overall risk rating for a network device. You can assign the following target values:

75: Low asset value

100: Medium asset value

200: Mission-critical asset value

Attack relevancy rating: This IPS-generated value indicates the vulnerability of the attack target.

Promiscuous delta: The risk rating of an IPS deployed in promiscuous mode is reduced by the promiscuous delta. This is because promiscuous sensing is less accurate than inline sensing. The promiscuous delta can be configured on a per-signature basis, with a value range of 0 to 30. (The promiscuous delta was introduced in Cisco IPS Sensor Software Version 6.0.)

Watch list rating: This IPS-generated value is based on data found in the Cisco Security Agent watch list. The Cisco Security Agent watch list contains IP addresses of devices involved in network scans or possibly contaminated by viruses or worms. If an attacker is found on the watch list, the watch list rating for that attacker is added to the risk rating. The value for this factor is between 0 and 35. (The watch list rating was introduced in Cisco IPS Sensor Software Version 6.0.)

Risk rating can help enhance your productivity as it intelligently assesses the level of risk of each event and helps you focus on high-risk events.
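Worked example, added here and not part of the white paper. Written with the factors defined above, the risk rating formula for Cisco IPS Sensor Software 6.x is (the form is Cisco’s published formula; the numbers below are chosen for illustration):

$$RR = \frac{ASR \times TVR \times SFR}{10000} + ARR + WLR - PD, \qquad 0 \le RR \le 100$$

where $ASR$ is the attack severity rating (25 informational, 50 low, 75 medium, 100 high), $SFR$ the signature fidelity rating (0 to 100), $TVR$ the target value rating (75, 100 or 200 as listed above), $ARR$ the attack relevancy rating (+10 relevant, $-10$ not relevant, 0 unknown), $WLR$ the watch list rating (0 to 35) and $PD$ the promiscuous delta (0 to 30); the result is rounded and clamped to 0..100.

Take a signature with $SFR = 85$ and $ASR = 75$ firing against a host that is known to be vulnerable ($ARR = +10$) and not on the watch list ($WLR = 0$):

$$\text{inline, medium-value target } (TVR = 100):\quad \frac{75 \times 100 \times 85}{10000} + 10 + 0 - 0 = 63.75 + 10 = 73.75 \approx 74$$

$$\text{inline, mission-critical target } (TVR = 200):\quad \frac{75 \times 200 \times 85}{10000} + 10 = 137.5 \;\to\; 100 \ (\text{clamped})$$

$$\text{promiscuous sensor, } TVR = 100,\ PD = 30:\quad 63.75 + 10 - 30 = 43.75 \approx 44$$

The same packet therefore scores 44, 74 or 100 depending only on context, which is what makes risk rating a noise reducer: with an event-action override that adds deny-packet-inline at $RR \ge 90$ (the usual default, worth checking against the sensor’s own override configuration), only the mission-critical case is blocked automatically, and the promiscuous sensor, which cannot block anyway, stays well below the threshold. $TVR$ is the one factor the operator maintains, so an asset inventory that is not kept current is the most common reason for a risk rating that is wrong.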

 

 

QUESTION 148

Which Cisco IPS product offers an inline, deep-packet inspection feature that is available in integrated services routers?

 

A.

Cisco iSDM

B.

Cisco AIM

C.

Cisco IOS IPS

D.

Cisco AIP-SSM

 

Correct Answer: C

Explanation:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/product_data_sheet0900aecd803137cf.html

 

The data sheet’s Product Overview and Key Benefits are quoted in full under Question 145. The passages that answer this question:

Cisco IOS Intrusion Prevention System (IPS) is an inline, deep-packet inspection-based solution that enables Cisco IOS Software to effectively mitigate a wide range of network attacks.

Eliminates the need for a standalone IPS device at branch and telecommuter offices as well as small and medium-sized business networks

The Cisco AIM and AIP-SSM are hardware sensor modules (for the ISR and the ASA respectively); only IOS IPS is a feature of Cisco IOS Software itself.

QUESTION 149

You use Cisco Configuration Professional to enable Cisco IOS IPS. Which state must a signature be in before any actions can be taken when an attack matches that signature?

 

A.

Enabled

B.

Unretired

C.

Successfully compiled

D.

Successfully compiled and unretired

E.

Successfully compiled and enabled

F.

Unretired and enabled

G.

Enabled, unretired, and successfully compiled

 

Correct Answer: G

Explanation:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/prod_white_paper0900aecd8066d265.html

 

Step 21. Verify the signatures are loaded properly by using this command at the router prompt:

router#show ip ips signatures count

Cisco SDF release version S353.0

Trend SDF release version V0.0

| snip |

Total Signatures: 2363

Total Enabled Signatures: 1025

Total Retired Signatures: 1796

Total Compiled Signatures: 567

Total Obsoleted Signatures: 15

Note the gap between the counts: 1025 signatures are enabled but only 567 are compiled, because an enabled signature that is still retired is never compiled and therefore never acts on a match.

Step 23. To retire/unretire and enable/disable signatures, select the Edit IPS tab, then select Signatures.

Highlight the signature(s), and then click the Enable, Disable, Retire, or Unretire button. Notice the status changed in the Enabled or the Retired column. A yellow icon appears for the signature(s) in the column next to Enabled. The yellow icon means changes have been made to the signature, but have not been applied. Click the Apply Changes button to make the changes take effect.

 

Retire/unretire is to select/de-select which signatures are being used by IOS IPS to scan traffic. Retiring a signature means IOS IPS will NOT compile that signature into memory for scanning. Unretiring a signature instructs IOS IPS to compile the signature into memory and use the signature to scan traffic.

 

Enable/disable does NOT select/de-select signatures to be used by IOS IPS.

Enabling a signature means that when triggered by a matching packet (or packet flow), the signature takes the appropriate action associated with it. However, only unretired AND successfully compiled signatures will take the action when they are enabled. In other words, if a signature is retired, even though it is enabled, it will not be compiled (because it is retired) and it will not take the action associated with it.

 

Disabling a signature means that when triggered by a matching packet (or packet flow), the signature DOES NOT take the appropriate action associated with it. In other words, when a signature is disabled, even though it is unretired and successfully compiled, it will not take the action associated with it.

 


QUESTION 150

Which statement about disabled signatures when using Cisco IOS IPS is true?

 

A.

They do not take any actions, but do produce alerts.

B.

They are not scanned or processed.

C.

They still consume router resources.

D.

They are considered to be “retired” signatures.

 

Correct Answer: C

Explanation:

Disabled means that the signature produces no alert and takes no action, but it is still compiled into memory and traffic is still matched against it, so it still consumes router memory and CPU (hence answer C). The advantage of disabling rather than retiring is that the signature can be re-enabled immediately, without waiting for it to be compiled into memory again; retiring is what frees the resources.
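Added example, not from the Cisco white paper: the three flags from Questions 149 and 150 set from the CLI instead of the CCP Signatures tab, so that the difference between disabled and retired is visible in the configuration. Signature 2004/0 (ICMP Echo Request) is used only because a ping triggers it; the router is assumed to already have a rule name applied to an interface and a signature package loaded.

```cisco
! Added example, not from the Cisco white paper: the three flags from the two questions
! above, set from the CLI instead of the CCP Signatures tab. Signature 2004/0 (ICMP Echo
! Request) is used only because a ping triggers it; the router is assumed to already
! have a rule name applied to an interface and a signature package loaded.
! Each exit from ip ips signature-definition asks "Do you want to accept these changes?"
! and then recompiles, so batch several changes into one session on a busy router.

configure terminal

! State 1: unretired AND enabled. Compiled into memory, and a match fires the
! configured event-actions. This is the only state in which an action is taken.
ip ips signature-definition
 signature 2004 0
  status
   enabled true
   retired false
   exit
  engine
   event-action produce-alert
   event-action deny-packet-inline
   exit
  exit
 exit

! State 2: unretired but DISABLED. Still compiled and still matched against traffic,
! so memory and CPU are still spent (Question 150), but no alert and no action.
! Re-enabling is instant, because nothing has to be recompiled.
ip ips signature-definition
 signature 2004 0
  status
   enabled false
   retired false
   exit
  exit
 exit

! State 3: RETIRED. Not compiled at all, no memory used; "enabled true" stays in the
! definition but has no effect until the signature is unretired and compiles successfully.
ip ips signature-definition
 signature 2004 0
  status
   enabled true
   retired true
   exit
  exit
 exit
end

! Verify: the per-signature view shows the enabled/compiled flags, and the counts show why
! "Total Enabled" can exceed "Total Compiled" (enabled-but-retired signatures).
show ip ips signatures sigid 2004
show ip ips signatures count
```

A signature can also fail to compile even though it is unretired, for instance when its engine is not supported on that IOS image or the router runs out of memory during compilation; show ip ips signatures count reports how many actually compiled. A signature that did not compile takes no action regardless of its enabled flag, which is why the answer to Question 149 lists all three conditions.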
