Chapter 19. Answer Key for Practice Exam 2


1. B

2. B

3. B

4. C

5. C

6. B, D

7. B, C

8. C

9. D

10. A, D

11. A, C, D

12. B, D, E, F

13. D

14. B

15. B

16. C

17. A, B, C

18. D

19. B

20. B

21. C

22. A

23. C

24. A

25. B

26. D

27. D

28. C, D

29. A, B, F

30. B, C

31. D

32. C

33. C, D, E, F

34. B

35. D

36. A, D

37. C

38. D

39. A, E, F

40. B

41. D

42. C

43. A, C, D, F

44. D

45. C

46. B

47. B

48. C

49. B

50. A

Question 1

Answer B is correct. The administrator account can perform all configuration functions on the Intrusion Detection System (IDS) sensor. Answer A is incorrect because you use the service account when working with technical support to access the operating system. There can be only one service account at a time. Answer C, operator, is incorrect. The operator has limited functionality on the sensor. Answer D, the viewer account, is only used for viewing information on the sensor and not for actually configuring the sensor; it is incorrect. Therefore, Answers A, C, and D are incorrect.

Question 2

Answer B is correct. You use the upgrade command to update sensor software from a Hypertext Transfer Protocol (HTTP), Secure HTTP (HTTPS), File Transfer Protocol (FTP), or Secure Copy Protocol (SCP) server. For example, sensor(config)#upgrade scp://administrator@10.1.1.1/upgrade/sp.rpm downloads a service pack (SP) from an SCP server. Answers A, C, and D are incorrect because the commands do not exist on the IDS 4.0 command-line interface (CLI).

Question 3

Answer B is correct. When someone is using obfuscation in his attack, it means he is trying to disguise the attack by formatting the text with control characters or in Unicode format. Answer A is incorrect; AppleTalk does not pertain to obfuscation. Answer C is incorrect because using numbers could be a form of obfuscation; however, Answer B is more correct. Answer D is incorrect; packets don't use colors.

Question 4

Answer C is correct. Signature-based IDS is a pattern matching system that compares packets against known patterns of malicious activity. Answer A is incorrect. Profile-based IDS monitors how the network typically operates; if activity suddenly changes, it detects the change and generates an alarm. Answer B is incorrect because cable sensing IDS is how systems connect and not how they detect malicious activity. Answer D is incorrect because traffic monitoring is what IDS systems do, whether profile or signature based.

Question 5

Answer C is correct. When you obtain new updates, you first upgrade IDS Management Center (MC) and then upgrade the IDS sensor. That way, you make sure that the IDS MC will be compatible with any sensor changes. Therefore, Answer A is incorrect. Answers B and D relate to IEV, which does not update the sensor, and therefore, neither is the best answer.

Question 6

Answers B and D are correct. Local and Master are two signature engine parameters. Master parameters are for all signatures within that engine, and Local parameters are for parameters specific to the signature. Answers A and C don't exist and are therefore incorrect.

Question 7

Answers B and C are correct. You can upload service packs to sensors by using IDS MC and the upgrade command from the CLI. You only use Answer A, IDS IEV, to monitor alarms and logs on a sensor, so it is incorrect. Answer D does not exist and is therefore incorrect.

Question 8

Answer C is correct. The supported browsers are Netscape 4.79 and higher and Explorer 5.5 and higher. Answer A, Opera, is not supported. Answer B is incorrect because Explorer 5.0 is not supported; you must have at least version 5.5. Answer D is incorrect because this browser does not exist.

Question 9

Answer D is correct. When you install the IDS MC Sybase database, the installation requires that you enter and confirm a password; no default password is actually present. Therefore, Answers A, B, and C are incorrect.

Question 10

Answers A and D are correct. The IDS 4.0 supports two partitions, the application and the recovery. You only use the recovery when you need to rebuild the application partition. Answers B and C do not actually exist in the IDS 4.0 software and therefore are incorrect.

Question 11

Answers A, C, and D are correct. There are several ways to access a sensor. A console connection allows serial terminal access and is the simplest method of access. Telnet provides remote terminal session access. SSH provides secure terminal session access to the sensor. Answer B is incorrect because you use FTP to upload and download configurations and updates to a sensor, but FTP is not a method that you can use to access the sensor.

Question 12

Answers B, D, E, and F are correct. There are five possible EventActions that signatures can perform. They are Log, Reset, ShunHost, ShunConnection, and ZERO. Answers A, C, and G are not possible EventActions and are incorrect.

Question 13

Answer D is correct. The IDS_Analyzer process defines event rules and requests user-specified notifications when appropriate. Answer A is incorrect; the IDS_ReportScheduler generates all scheduled reports. Answer B is incorrect; the IDS_Receiver receives IDS alarms and syslog security events and stores them in the database. Answer C is incorrect; the IDS_Notifier retrieves notification requests from other subsystems and performs the requested notifications.

Question 14

Answer B is correct. The IDS_Receiver receives IDS alarms and syslog security events and stores them in the database. Answer A is incorrect; the IDS_ReportScheduler generates all scheduled reports. Answer C is incorrect; the IDS_Notifier retrieves notification requests from other subsystems and performs the requested notifications. Answer D is incorrect; the IDS_Analyzer process defines event rules and requests user-specified notifications when appropriate.

Question 15

Answer B is correct. You cannot change protected signature parameters for default signatures. However, you can modify them on custom signatures. Answer A is incorrect because master parameters apply to an entire signature engine and can be either protected or unprotected. Answer C is incorrect because you can change unprotected parameters for both default and custom signatures. Answer D is incorrect; there is no such thing as variable parameters.

Question 16

Answer C is correct. You can import IDS log files into IDS Event Viewer (IEV) for evaluation. Answer A is incorrect because you use IDS MC primarily for configuration and not for importing log files. Answer B is incorrect; these files cannot be imported into other sensors. Answer D is also incorrect; you use IDS Device Manager (IDM) for configuration, and it does not import log files.

Question 17

Answers A, B, and C are correct. Cisco's Security Monitor supports Cisco IDS Sensors, PIX Firewalls, and Cisco IOS Routers. Answer D is incorrect; the Cisco Catalyst Route Switching Module (RSM) is not an IDS engine and is not supported.

Question 18

Answer D is correct. You should copy sensor software and signature updates to the \MDC\etc\ids\updates directory where you install IDS MC. Therefore, Answers A, B, and C are incorrect.

Question 19

Answer B is correct. MDC is the home directory of all the IDS MC files. Answer A is incorrect because although the MDC\ids directory does exist, it is not the home directory. Answers C and D are directories that do not exist and therefore are incorrect.

Question 20

Answer B is correct. The IDS MC Web server is located in the MDC\Apache directory. The directories in Answers A, C, and D do not exist and are incorrect.

Question 21

Answer C is correct. When someone is using obfuscation in his attack, it means that he is trying to disguise the attack by formatting the text with control characters or in Unicode format. Answer A is incorrect; hiding is the right concept, but Answer C is more correct. Answers B and D are both incorrect; again, the concept is correct but Answer C is the most correct answer.

Question 22

Answer A is correct. Unlike the other Cisco IDS devices, the IDSM2 does not support the recovery partition option. Answers B, C, and D are all true about the IDSM2 module.

Question 23

Answer C is correct. The ssh host-key command adds keys to the IDS host table. If module or key information is not provided, then it is requested when the sensor contacts the device. Answers A, B, and D are not valid CLI commands and are therefore incorrect.

Question 24

Answer A is correct. When you log into the IDS MC, you must first log into CiscoWorks, which uses port 1741 by default. However, the connection to IDS MC does use port 443 after you are logged in. Answers B and D are incorrect ports. Answer C is also incorrect but is commonly selected because it is the Secure Sockets Layer (SSL) port used to encrypt traffic between the client and Web server after accessing the IDS MC through CiscoWorks.

Question 25

Answer B is correct. IDS MC uses Secure Shell (SSH) to communicate securely with IDS sensors. Answer A is incorrect; although you can communicate with Telnet, it is not recommended and Answer B is more correct. Answers C and D are both incorrect because IDS MC does not currently use PostOffice or Remote Data Exchange Protocol (RDEP) to communicate with sensors.

Question 26

Answer D is correct. The IEV pulls information from the EventStore using an HTTP/HTTPS connection with RDEP inside to collect data for IDS 4.0 sensors. Answers A and B are incorrect. Answer C is incorrect for version 4.0 sensors but correct for older versions of IDS software.

Question 27

Answer D is correct. The Security Monitor pulls information from the EventStore using an HTTP/HTTPS connection with RDEP inside to collect data for IDS 4.0 sensors. Answers A and B are incorrect connections. Answer C is incorrect for the IDS 4.0 but correct for older sensor versions such as 3.0.

Question 28

Answers C and D are correct. You use IDS MC primarily to configure IDS Sensors. It can push signature updates to sensors and import sensor configuration from other IDS management tools. You do not use the IDS MC for IOS sensors or to upload alarms. Therefore, Answers A and B are incorrect.

Question 29

Answers A, B, and F are correct. The IDS MC contains several processes to manage and maintain healthy sensor configurations. IDS_Backup, IDS_DeployDaemon, and IDS_ReportScheduler are all used by IDS MC. Answers C, D, and E are all nonexistent processes for IDS MC and are therefore incorrect.

Question 30

Answers B and C are correct. A managed device is an association relevant to PIX Firewalls and IOS Routers that are controlled by an IDS sensor. The IDS sensors can control the managed devices by using Telnet to connect and the enable passwords to gain access. Answer A is incorrect because PIX Firewalls and IOS Routers do not support HTTP access from the sensor. Answer D is incorrect because you cannot access PIX Firewalls and IOS Routers via FTP from the sensor.

Question 31

Answer D is correct. The IDS sensors send shun commands to PIX Firewalls to block malicious traffic from entering the firewall. Answer A is incorrect because IOS Routers use access lists to block traffic, but an IDS Sensor does not use access lists to block traffic on PIX Firewalls. Answers B and C are incorrect; these commands do not exist.

Question 32

Answer C is correct. To detect attacks from BGP and EIGRP routing packets, you can use Atomic.L3.IP. Answers A, B, and D would not monitor the Layer 3 protocol ID and would be more difficult to configure than the Atomic.L3.IP signature engine. Therefore, Answers A, B, and D are incorrect.

Question 33

Answers C, D, E, and F are correct. Informational, low, medium, and high are the four severity levels. Answers A and B do not exist and therefore are incorrect.

Question 34

Answer B is correct. You use the service signature engine to monitor Layers 5, 6, and 7. Answer A is incorrect because several different engines use Atomic, and it doesn't specifically monitor Layers 5, 6, and 7. Answer C is incorrect because you use the State.String engine to look for text or string patterns in packet streams. Answer D is incorrect because you use flood engines at lower levels to monitor sweeping activity; they do not inspect the higher layers.

Question 35

Answer D is correct. You must define required parameters for all signatures. Answer A is incorrect because you cannot change protected parameters for default (built-in) signatures, but you can change them for custom signatures. Answers B and C do not need to be defined for all signatures.

Question 36

Answers A and D are correct. StorageKey parameters are for pre-alarm counters. SummaryKeys are for post-alarm counters. Therefore, Answers B and C are incorrect.

Question 37

Answer C is correct. You use the MaxProto parameter to define the maximum protocol number allowed in the Atomic.L3.IP signature engine. Therefore, Answers A, B, and D are incorrect.

Question 38

Answer D is correct. You can create custom signatures from most signature engines. However, you cannot use Trojan.UDP signature engines to create custom signatures. You can create custom signatures from Atomic.L3.IP, String.TCP, and Service.Generic signature engines. Therefore, Answers A, B, and C are all incorrect.

Question 39

Answers A, E, and F are correct. Sensors can receive update files from several location types, such as HTTP/HTTPS, FTP, and SCP. However, they cannot use SSH, Telnet, and RDEP; therefore, Answers B, C, and D are incorrect.

Question 40

Answer B is correct. The filename IDS-K9-sp-4.0-2-S42.rpm.pkg has several parts. The sp stands for software type, the 4.0 is the IDS version, the 2 is the service pack level, and finally, the S42 is the signature version. Therefore, Answers A, C, and D are all incorrect.

Question 41

Answer D is correct. You use the tls generate-key command to create a self-signed certificate. Answers A, B, and C are invalid commands and therefore are incorrect.

Question 42

Answer C is correct. Master blocking sensors use RDEP as the communication protocol between 4.0 sensors. Master blocking sensors send access lists and shun commands to managed devices on the behalf of other sensors. This means a single sensor can control a particular managed device. Therefore, Answers A, B, and D are incorrect.

Question 43

Answers A, C, D, and F are correct. Signature actions are the responses used when a signature is triggered. Logging just records the triggered event. Reset sends a TCP reset command to the attacker sending malicious data. Blocking host and connections allows a sensor to send access lists and shun commands to a managed device in an effort to prevent more malicious traffic from entering the network. Answer B is incorrect because the word informational is used as a severity level and not an action. Answer E is incorrect because FTP resets are not a function of the IDS sensors.

Question 44

Answer D is correct. You can configure master blocking sensors from the CLI, IDM, or IDS MC; therefore, Answer D is the only untrue statement in this group. Master blocking sensors (behaving as forwarding blocking sensors) can use other master blocking sensors to control managed devices and use RDEP for communications. Therefore, Answers A and B are incorrect. Answer C is incorrect because master blocking sensors can block managed devices on the behalf of other forwarding blocking sensors, allowing a single sensor to control a specific managed device.

Question 45

Answer C is correct. PuTTYGen is a utility you use to create public and private keys for SSH communications. You can use this utility with IDS MC to create keys for secure communications. Answer A is incorrect because sensors cannot make SSH keys for IDS MC. Answer B is incorrect because the command or utility does not exist. Answer D is incorrect because you use ssh host-key to add a key to a sensor, not to generate them.

Question 46

Answer B is correct. The port monitor command is the correct command when configuring the 2900XL switch to support Switched Port Analyzer (SPAN) features for IDS detection. Answer A is incorrect because you use the mls ip config command to apply an extended IP access list to a VLAN interface on a Catalyst 6000 switch. Answer C is incorrect because you use the monitor session command to enable SPAN monitoring on a port or multiple ports for the 2950/3550 series switches. The Answer D command doesn't exist and therefore is incorrect.

Question 47

Answer B is correct. The SPAN technology allows switches to copy traffic from a specific port or virtual LAN (VLAN) so it can be monitored by an IDS sensor. Answer A is incorrect because Remote Session is not a feature of monitoring. Answers C and D are incorrect because they do not exist.

Question 48

Answer C is correct. You can configure switches to monitor just a direction if needed. The rx is for receive, and the tx is for transmitted. The keyword both is a valid term used to represent both directions. Answer A is incorrect because it only monitors receiving traffic. Answer B is incorrect because tx only monitors transmitted traffic. Answer D is incorrect because rx-tx is incorrect syntax.

Question 49

Answer B is correct. When configuring a sensor and a switch, you should first clear the trunk of any residual configurations applied to it. Next, you should set the VLAN, then set the trunk, and finally set the security access control list (ACL). Therefore, Answers A, C, and D are incorrect.

Question 50

Answer A is correct. The recover application-partition command overwrites the application partition with the recovery partition. All the other commands are invalid and not supported on the IDS; therefore, Answers B, C, and D are incorrect.

CSIDS Exam Cram 2 (Exam 642-531)
Year: 2004