Exam Prep Questions

Question 1

A network administrator is testing a new monitoring application that uses multiple Internet Control Message Protocol (ICMP) messages to host systems. The application is reported on IEV as a network attack. This alarm is referred to as a

  • A. False positive

  • B. False negative

  • C. True positive

  • D. True negative


Answer A is correct. Because it was not an actual malicious attack but resulted in the generation of an alarm, this alarm is referred to as a false positive. A false negative occurs when an actual attack is not reported; therefore, Answer B is incorrect. True positives occur when real attacks are successfully detected and reported; therefore, Answer C is incorrect. True negatives happen when no attack occurred and no alarm was generated. Therefore, Answer D is incorrect.

Question 2

Which three of the following methodologies are valid methodologies employed by IDS signatures to detect network attacks?

  • A. Heuristic analysis

  • B. Signature-based detection

  • C. Host-based detection

  • D. Pattern matching

  • E. Flood decode analysis

  • F. Obfuscation detection


Answers A, B, and D are correct. Heuristic analysis, signature-based detection, and pattern matching are all valid methodologies used by signatures to detect intrusions. Although IDS components can be host-based, such as the Security Agent, host-based is not a methodology employed by signatures. Therefore, Answer C is incorrect. Flood decode analysis does not exist, and obfuscation is an IDS evasion technique commonly used by attackers. Therefore, Answers E and F are incorrect.

Question 3

Which of the following IDS components were designed for lower-risk network environments? (Choose two.)

  • A. 4200 Series Sensor Appliance

  • B. Router IOS IDS

  • C. Cisco Security Agent

  • D. IDSM2

  • E. PIX IDS

  • F. Host Agent IDS


Answers B and E are correct. The Router Sensor IOS IDS and the Firewall Sensor PIX IDS contain a subset of the Sensor appliance IDS signatures and were designed for lower-risk environments. The 4200 Series Sensor Appliances provide a robust platform for intrusion detection and are designed for high-risk environments; therefore, Answer A is incorrect. Cisco Security Agent and the host agent IDS product are agent software that resides on hosts, and they are not designed for network intrusion detection; Answers C and F are therefore incorrect. The IDSM2 is a high-performance switching module designed for high-throughput intrusion detection with no impact on switch performance. It was not designed for lower-risk environments, so Answer D is incorrect.

Question 4

Which of the following are methods used to evade IDSs? (Choose three.)

  • A. Denial of service

  • B. Fragmentation

  • C. Pattern matching

  • D. Obfuscation

  • E. Encryption

  • F. Access attack


Answers B, D, and E are correct. Fragmentation, obfuscation, and encryption are all evasive techniques used by attackers to dodge IDS detection. Denial-of-service and access attacks are forms of attacks performed by hackers but are not directly used to compromise IDSs. Answers A and F are therefore incorrect. Pattern matching is a methodology used by signatures to detect an intrusion, not an evasive technique. Therefore, Answer C is incorrect.

Question 5

Which of the following is a component that is included with Cisco IEV?

  • A. CSEC

  • B. CCO

  • C. NSDB

  • D. C-CRT


Answer C is correct. Cisco's IEV, available from http://www.cisco.com, includes the Network Security Database, a reference of detailed signature and vulnerability information. CCO is a Cisco Connection Online account and is required to access the online version of NSDB. CSEC, the Cisco Secure Encyclopedia, is the online version of NSDB. Answers A and B are therefore incorrect. C-CRT is the Cisco Countermeasures Research Team, which provides support for active updates but has no relationship to IEV. Therefore, Answer D is incorrect.

Question 6

Which of the following are enhancements that the IDSM2 offers over the IDSM? (Choose three.)

  • A. 600Mbps instead of 200Mbps

  • B. 600Mbps instead of 120Mbps

  • C. SPAN and RSPAN support

  • D. VACL capture

  • E. Same code as version 4 sensor appliances

  • F. Support for both blocking and TCP Reset


Answers B, E, and F are correct. The IDSM2 offers 600Mbps instead of the IDSM's 120Mbps, uses the same code as the version 4 sensor appliances, and supports both blocking and TCP resets in response to attack detection. The IDSM supports only 120Mbps of performance, not 200Mbps; therefore, Answer A is incorrect. The IDSM also supports SPAN, RSPAN, and VACL capture, so these are not enhancements; therefore, Answers C and D are incorrect.

Question 7

IEV version 4 can support the monitoring and reporting of up to how many sensor devices?

  • A. Only the device on which it's installed

  • B. Three

  • C. Five

  • D. Up to 300


Answer C is correct. IEV version 4 can support the monitoring and reporting of up to five sensor devices. IEV version 3 supports up to three sensor devices, but the question specifically refers to IEV version 4. Answers A, B, and D are therefore incorrect.

Question 8

Management Center for the Cisco Security Agent (CSA MC) supports deployment for up to how many host agents?

  • A. 100

  • B. 1000

  • C. 3000

  • D. 5000


Answer D is correct. The CSA MC supports management for up to 5000 host Security Agents. Therefore, Answers A, B, and C are incorrect.

Question 9

The PostOffice protocol uses which of the following ports?

  • A. TCP 1741

  • B. UDP 1741

  • C. TCP 443

  • D. UDP 443

  • E. TCP 45000

  • F. UDP 45000


Answer F is correct. The PostOffice protocol uses UDP port 45000 for communications. Therefore, Answers A through E are incorrect.

Question 10

When using RDEP, when are alarms overwritten?

  • A. When a time limit configured through MC is reached

  • B. When the threshold of 2GB is reached

  • C. When the threshold of 4GB is reached

  • D. When the alarm threshold configured through MC is reached

  • E. Either on an hourly, daily, or weekly basis, as configured through IEV


Answer C is correct. A Sensor process called sensorApp begins to overwrite alarms when the threshold of 4GB is reached. Therefore, Answers A, B, D, and E are incorrect.


CSIDS Exam Cram 2 (Exam 642-531)
Year: 2004
Pages: 213
