| 1. | What is a false positive? |
| [click here] | Answer: A false positive happens when a signature triggers incorrectly during normal user traffic instead of attack traffic. |
| 2. | What is a true positive? |
| [click here] | Answer: A true positive happens when a signature correctly identifies an attack launched against the network. |
| 3. | If your sensor has only two monitoring interfaces, can you operate in promiscuous and inline modes simultaneously? |
| [click here] | Answer: No, because running inline requires a pair of sensor interfaces. If you have only two interfaces, you can run either a single interface pair (in inline mode) or two interfaces (in promiscuous mode). |
| 4. | What factors are use to calculate the risk rating? |
| [click here] | Answer: The risk rating is based on the event severity, the signature fidelity, and the target's asset value. |
| 5. | How is the asset value of a target configured? |
| [click here] | Answer: You configure the asset value of a target by assigning one of the following values to an IP address or range of address: low, medium, high, mission critical, or no value. |
| 6. | Which appliance sensors support the inline mode of operation? |
| [click here] | Answer: Inline mode is supported on the following appliance sensors: IDS 4215, IDS 4235, IDS 4240, IDS 4250, and IDS 4255. |
| 7. | Which appliance sensors are diskless? |
| [click here] | Answer: The IDS 4240 and IDS 4255 appliance sensors are diskless. |
| 8. | Which appliance sensor comes with dual 1 Gb monitoring interfaces? |
| [click here] | Answer: The IDS 4250XL comes with dual 1 Gb monitoring interfaces. |
| 9. | What are the three modes that you can configure for software bypass when using inline mode? |
| [click here] | Answer: When using inline mode, you can configure software bypass to one of the following modes: auto, off, or on. |
| 10. | If you want the sensor to fail close when operating in inline mode, what software bypass mode would you use? |
| [click here] | Answer: To cause a sensor running in inline mode to fail close, you need to configure the software bypass to off. |
| 11. | What are the four network boundaries that you need to consider when deploying sensors on your network? |
| [click here] | Answer: When deploying sensors on your network, you need to consider the following network boundaries: Internet, intranets, extranets, and remote access. |
| 12. | What factors (besides network boundaries) must you consider when deploying your sensors? |
| [click here] | Answer: When deploying your sensors, you must consider the following factors: sensor placement, sensor management and monitoring, number of sensors, and external sensor communications. |
| 13. | Which XML-based protocol does your sensor use to transfer event messages to other Cisco IPS devices? |
| [click here] | Answer: Your sensor uses RDEP to transfer event messages to other Cisco IPS devices. |
| 14. | Which standard provides a product-independent standard for communicating security device events? |
| [click here] | Answer: SDEE defines a product-independent standard for communicating security events. |
| 15. | What is a true negative? |
| [click here] | Answer: A true negative is a situation in which a signature does not fire during normal user traffic on the network. |
| 16. | What is the Meta-Event Generator (MEG)? |
| [click here] | Answer: The MEG is a signature engine that enables you to construct meta signatures that are based on correlating distinct individual signatures. Using the MEG, you can construct signatures that trigger only when specific individual signatures all trigger within a specific time period. |
| 17. | What is the main difference between intrusion detection and intrusion prevention? |
| [click here] | Answer: Intrusion detection passively captures traffic looking for intrusive activity. Intrusion prevention operates in inline mode when examining network traffic, enabling intrusion prevention to actively drop intrusive activity. |
