Ensurepass

 

QUESTION 151

Which type of intrusion prevention technology is the primary type used by the Cisco IPS security appliances?

 

A. profile-based
B. rule-based
C. protocol analysis-based
D. signature-based
E. NetFlow anomaly-based

 

Correct Answer: D

Explanation:

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t8/feature/guide/gt_fwids.html

 

The Signature Definition File

A Signature Definition File (SDF) has definitions for each signature it contains. After signatures are loaded and compiled onto a router running Cisco IOS IPS, IPS can begin detecting the new signatures immediately. If customers do not use the default, built-in signatures that are shipped with the routers, they can choose to download one of two different types of SDFs: the attack-drop.sdf file (which is a static file) or a dynamic SDF (which is dynamically updated and accessed from Cisco.com).

The attack-drop.sdf file is available in flash on all Cisco access routers that are shipped with Cisco IOS Release 12.3(8)T or later. The attack-drop.sdf file can then be loaded directly from flash into the Cisco IOS IPS system. If flash is erased, the attack-drop.sdf file may also be erased. Thus, if you are copying a Cisco IOS image to flash and are prompted to erase the contents of flash before copying the new image, you might risk erasing the attack-drop.sdf file. If this occurs, the router will refer to the built-in signatures within the Cisco IOS image. The attack-drop.sdf file can also be downloaded onto your router from Cisco.com.

To help detect the latest vulnerabilities, Cisco provides signature updates on Cisco.com on a regular basis. Users can use SDM or VMS to download these signature updates, tune the signature parameters as necessary, and deploy the new SDF to a Cisco IOS IPS router.

 

 

QUESTION 152

DRAG DROP (exhibit image not reproduced)

Correct Answer: (exhibit image not reproduced)

 

 

QUESTION 153

DRAG DROP (exhibit image not reproduced)

Correct Answer: (exhibit image not reproduced)

 

 

QUESTION 154

DRAG DROP (exhibit image not reproduced)

Correct Answer: (exhibit image not reproduced)

 

 

QUESTION 155

DRAG DROP (exhibit image not reproduced)

Correct Answer: (exhibit image not reproduced)

 

 

QUESTION 156

What is the key difference between host-based and network-based intrusion prevention?

 

A. Network-based IPS is better suited for inspection of SSL and TLS encrypted data flows.
B. Network-based IPS provides better protection against OS kernel-level attacks against hosts and servers.
C. Network-based IPS can provide protection to desktops and servers without the need of installing specialized software on the end hosts and servers.
D. Host-based IPS can work in promiscuous mode or inline mode.
E. Host-based IPS is more scalable than network-based IPS.
F. Host-based IPS deployment requires less planning than network-based IPS.

 

Correct Answer: C

Explanation:

http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/ServerFarmSec_2.1/8_NIDS.html

 

Cisco Network-Based Intrusion Detection: Functionalities and Configuration

This chapter highlights the need for and the benefits of deploying network-based intrusion detection in the data center. It addresses mitigation techniques, deployment models, and the management of the infrastructure.

Intrusion detection systems help data centers and other computer installations prepare for and deal with electronic attacks. Usually deployed as a component of a security infrastructure with a set of security policies for a larger, comprehensive information system, the detection systems themselves are of two main types.

Network-based systems inspect traffic “on the wire” and host-based systems monitor only individual computer server traffic.

Network intrusion detection systems deployed at several points within a single network topology, together with host-based intrusion detection systems and firewalls, can provide a solid, multi-pronged defense against both outside, Internet-based attacks, and internal threats, including network misconfiguration, misuse, or negligent practices. The Cisco Intrusion Detection System (IDS) product line provides flexible solutions for data center security.

 

 

QUESTION 157

Which statement about Cisco IOS IPS on Cisco IOS Release 12.4(11)T and later is true?

 

A. uses Cisco IPS 5.x signature format
B. requires the Basic or Advanced Signature Definition File
C. supports both inline and promiscuous mode
D. requires IEV for monitoring Cisco IPS alerts
E. uses the built-in signatures that come with the Cisco IOS image as backup
F. supports SDEE, SYSLOG, and SNMP for sending Cisco IPS alerts

 

Correct Answer: A

Explanation:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_ios_ips/configuration/12-4t/sec-ips5-sig-fsue.html

 

Signature Categories

Cisco IPS appliances and Cisco IOS IPS with Cisco 5.x format signatures operate with signature categories.

All signatures are pregrouped into categories; the categories are hierarchical. An individual signature can belong to more than one category. Top-level categories help to define general types of signatures.

Subcategories exist beneath each top-level signature category. (For a list of supported top-level categories, use your router CLI help (?).)

Router Configuration Files and Signature Event Action Processor (SEAP)

As of Cisco IOS Release 12.4(11)T, SDFs are no longer used by Cisco IOS IPS. Instead, routers access signature definition information through a directory that contains three configuration files: the default configuration, the delta configuration, and the SEAP configuration. Cisco IOS accesses this directory through the ip ips config location command.

 

 

QUESTION 158

Under which higher-level policy is a VPN security policy categorized?

 

A. application policy
B. DLP policy
C. remote access policy
D. compliance policy
E. corporate WAN policy

 

Correct Answer: C

Explanation:

http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.0/user/guide/ravpnpag.html

 

Remote Access VPN Policy Reference

The Remote Access VPN policy pages are used to configure remote access VPNs on Cisco IOS security routers, PIX Firewalls, Catalyst 6500 /7600 devices, and Adaptive Security Appliance (ASA) devices.

 

 

QUESTION 159

Which two functions are required for IPsec operation? (Choose two.)

 

A. using SHA for encryption
B. using PKI for pre-shared key authentication
C. using IKE to negotiate the SA
D. using AH protocols for encryption and authentication
E. using Diffie-Hellman to establish a shared-secret key

 

Correct Answer: CE

Explanation:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080094203.shtml

Configure ISAKMP

IKE exists only to establish SAs for IPsec. Before it can do this, IKE must negotiate an SA (an ISAKMP SA) relationship with the peer. Since IKE negotiates its own policy, it is possible to configure multiple policy statements with different configuration statements, then let the two hosts come to an agreement. ISAKMP negotiates:

 

Oakley

This is a key exchange protocol that defines how to acquire authenticated keying material. The basic mechanism for Oakley is the Diffie-Hellman key exchange algorithm. You can find the standard in RFC 2412: The OAKLEY Key Determination Protocol.

 

 

QUESTION 160

Which two statements about SSL-based VPNs are true? (Choose two.)

 

A. Asymmetric algorithms are used for authentication and key exchange.
B. SSL VPNs and IPsec VPNs cannot be configured concurrently on the same router.
C. The application programming interface can be used to modify extensively the SSL client software for use in special applications.
D. The authentication process uses hashing technologies.
E. Both client and clientless SSL VPNs require special-purpose client software to be installed on the client machine.

 

Correct Answer: AD

Explanation:

http://www.cisco.com/en/US/docs/routers/access/cisco_router_and_security_device_manager/25/software/user/guide/IKE.html

 

Add or Edit IKE Policy

Priority

An integer value that specifies the priority of this policy relative to the other configured IKE policies. Assign the lowest numbers to the IKE policies that you prefer that the router use. The router will offer those policies first during negotiations.

 

Encryption

The type of encryption that should be used to communicate this IKE policy. Cisco SDM supports a variety of encryption types, listed in order of security. The more secure an encryption type, the more processing time it requires.

Note If your router does not support an encryption type, the type will not appear in the list.

Cisco SDM supports the following types of encryption:

Data Encryption Standard (DES)–This form of encryption supports 56-bit encryption.

Triple Data Encryption Standard (3DES)–This is a stronger form of encryption than DES, supporting 168-bit encryption.

AES-128–Advanced Encryption Standard (AES) encryption with a 128-bit key. AES provides greater security than DES and is computationally more efficient than triple DES.

AES-192–Advanced Encryption Standard (AES) encryption with a 192-bit key.

AES-256–Advanced Encryption Standard (AES) encryption with a 256-bit key.

Hash

The authentication algorithm to be used for the negotiation. There are two options:

Secure Hash Algorithm (SHA)

Message Digest 5 (MD5)

Authentication

The authentication method to be used.

Pre-SHARE. Authentication will be performed using pre-shared keys.

RSA_SIG. Authentication will be performed using digital signatures.

D-H Group

Diffie-Hellman (D-H) Group. Diffie-Hellman is a public-key cryptography protocol that allows two routers to establish a shared secret over an unsecure communications channel. The options are as follows:

group1–768-bit D-H Group. D-H Group 1.

group2–1024-bit D-H Group. D-H Group 2. This group provides more security than group 1, but requires more processing time.

group5–1536-bit D-H Group. D-H Group 5. This group provides more security than group 2, but requires more processing time.

Note

If your router does not support group5, it will not appear in the list.

Easy VPN servers do not support D-H Group 1.

Lifetime

This is the lifetime of the security association, in hours, minutes and seconds. The default is one day, or 24:00:00.

 

Free VCE & PDF File for Cisco 640-554 Real Exam
