Exam Prep Questions

A network administrator is testing a new monitoring application that uses multiple Internet Control Message Protocol (ICMP) messages to host systems. The application is reported on IEV as a network attack. This alarm is referred to as a

• A. False positive

• B. False negative

• C. True positive

• D. True negative

Answer A is correct. Because it was not an actual malicious attack but resulted in the generation of an alarm, this alarm is referred to as a false positive. A false negative occurs when an actual attack is not reported; therefore, Answer B is incorrect. True positives occur when real attacks are successfully detected and reported; therefore, Answer C is incorrect. True negatives happen when no attack occurred and no alarm was generated. Therefore, Answer D is incorrect.

Which three of the following methodologies are valid methodologies employed by IDS signatures to detect network attacks?

• A. Heuristic analysis

• B. Signature-based detection

• C. Host-based detection

• D. Pattern matching

• E. Flood decode analysis

• F. Obfuscation detection

Answers A, B, and D are correct. Heuristic analysis, signature-based detection, and pattern matching are all valid methodologies used by signatures to detect intrusions. Although IDS components can be host-based, such as the Security Agent, host-based is not a methodology employed by signatures. Therefore, Answer C is incorrect. Flood decode analysis does not exist, and obfuscation is an IDS evasive technique commonly used by attackers . Therefore, Answers E and F are incorrect.

Which of the following IDS components were designed for lower-risk network environments? (Choose two.)

• A. 4200 Series Sensor Appliance

• B. Router IOS IDS

• C. Cisco Security Agent

• D. IDSM2

• E. PIX IDS

• F. Host Agent IDS

Answers B and E are correct. The Router Sensor IOS IDS and the Firewall Sensor PIX IDS contain a subset of the Sensor appliance IDS signatures and were designed for lower-risk environments. The 4200 Series Sensor Appliances provide a robust platform for intrusion detection and are designed for high-risk environments; therefore, Answer A is incorrect. Cisco Security Agent, and the host agent IDS product, is agent software that resides on hosts , and it is not designed for network intrusion detection; Answers C and F are therefore incorrect. The IDSM2 is a high-performance switching module designed for high-throughput intrusion detection with no impact on switch performance. It was not designed for lower-risk environments, so Answer D is incorrect.

Which of the following are methods used to evade IDSs? (Choose three.)

• A. Denial of service

• B. Fragmentation

• C. Pattern matching

• D. Obfuscation

• E. Encryption

• F. Access attack

Answers B, D, and E are correct. Fragmentation, obfuscation, and encryption are all evasive techniques used by attackers to dodge IDS detection. Denial-of-service and access attacks are forms of attacks performed by hackers but are not directly used to compromise IDSs. Answers A and F are therefore incorrect. Pattern matching is a methodology used by signatures to detect an intrusion, not an evasive technique. Therefore, Answer C is incorrect.

Which of the following is a component that is included with Cisco IEV?

• A. CSEC

• B. CCO

• C. NSDB

• D. C-CRT

Answer C is correct. Cisco's IEV, available from http://www.cisco.com, includes the Network Security Database, a reference of detailed signature and vulnerability information. CCO is a Cisco Connection Online account and is required to access the online version of NSDB. CSEC, the Cisco Secure Encyclopedia, is the online version of NSDB. Answers A and B are therefore incorrect. C-CRT is the Cisco Countermeasures Research Team, which provides support for active updates but has no relationship to IEV. Therefore, Answer D is incorrect.

Which of the following are enhancements that the IDSM2 offers over the IDSM? (Choose three.)

• A. 600Mbps instead of 200Mbps

• B. 600Mbps instead of 120Mbps

• C. SPAN and RSPAN support

• D. VACL capture

• E. Same code as version 4 sensor appliances

• F. Support for both blocking and TCP Reset

Answers B, E, and F are correct. The IDSM2 offers 600Mbps instead of the IDSM's 120, uses the same code as the version 4 sensor appliances, and supports both blocking and TCP resets in response to attack detection. The IDSM supports only 120Mbps of performance and not 200Mbps; therefore, Answer A is incorrect. The IDSM also supports SPAN, RSPAN, and VACL capture; therefore, Answers C and D are incorrect.

IEV version 4 can support the monitoring and reporting of up to how many sensor devices?

• A. Only the device on which it's installed

• B. Three

• C. Five

• D. Up to 300

Answer C is correct. IEV version 4 can support the monitoring and reporting of up to five sensor devices. IEV version 3 supports up to three sensor devices, but the question specifically refers to IEV version 4. Answers A, B, and D are therefore incorrect.

Management Center for the Cisco Security Agent (CSA MC) supports deployment for up to how many host agents ?

• A. 100

• B. 1000

• C. 3000

• D. 5000

Answer D is correct. The CSA MC supports management for up to 5000 host Security Agents. Therefore, Answers A, B, and C are incorrect.

The PostOffice protocol uses which of the following ports?

• A. TCP 1741

• B. UDP 1741

• C. TCP 443

• D. UDP 443

• E. TCP 45000

• F. UDP 45000

Answer F is correct. The PostOffice protocol uses UDP port 45000 for communications. Therefore, Answers A through E are incorrect.

When using RDEP, when are alarms overwritten?

• A. When a time limit configured through MC is reached

• B. When the threshold of 2GB is reached

• C. When the threshold of 4GB is reached

• D. When the alarm threshold configured through MC is reached

• E. Either on an hourly, daily, or weekly basis, as configured through IEV

Answer C is correct. A Sensor process called sensorApp begins to overwrite alarms when the threshold of 4GB is reached. Therefore, Answers A, B, D and E are incorrect.