CCNP Secure IPS FAQ: Cisco Intrusion Prevention System (IPS) Overview

Q1. What do you call a signature that does not fire after observing normal user traffic?
A. False positive
B. True negative
C. False negative
D. True positive

Answer: B

Q2. Which of the following is a valid risk rating?
A. High
B. Severe
C. 80
D. Critical
E. Catastrophic

Answer: C

Q3. Which of the following sensors does not support inline mode?
A. IDS 4215
B. IDS 4255
C. IDS 4240
D. IDS Network Module
E. IDS 4235

Answer: D

Q4. Which software bypass mode causes the sensor to stop passing traffic if the analysis engine stops running?
A. Auto
B. Off
C. On
D. Fail open
E. None of these

Answer: B

Q5. In which processing mode does your sensor passively monitor network traffic as it looks for intrusive activity? How many interfaces does it require?
A. Promiscuous, 1 interface
B. Inline, 1 interface
C. Promiscuous, 2 interfaces
D. Inline, 2 interfaces

Answer: A

Q6. Which of the following appliance sensors is diskless so that it can provide greater reliability?
A. IDS 4215
B. IDS 4235
C. IDS 4240
D. IDS 4250
E. IDS 4210

Answer: C

Q7. Which standard defines a product-independent standard for communicating security device events?
A. SDEE
B. LDAP
C. RDEP
D. TLS
E. IDIOM

Answer: A

Q8. Which communication protocol does your sensor use to communicate event messages to other Cisco IPS devices on the network?
A. IDIOM
B. SMTP
C. RDEP
D. SDEE
E. None of these

Answer: C

Q9. What is the name of the boundary between your network and your business partner’s network?
A. Internet boundary
B. Extranet boundary
C. Intranet boundary
D. Remote-access boundary

Answer: B

Q10. Which of the following are internal boundaries that separate network segments within a network?
A. Intranet boundaries
B. Internet boundaries
C. Extranet boundaries
D. Segment boundaries
E. None of these

Answer: A

Q11. What is a false positive?

Answer: A false positive happens when a signature triggers incorrectly during normal user traffic instead of attack traffic.

Q12. What is a true positive?

Answer: A true positive happens when a signature correctly identifies an attack launched against the network.

Q13. If your sensor has only two monitoring interfaces, can you operate in promiscuous and inline modes simultaneously?

Answer: No, because running inline requires a pair of sensor interfaces. If you have only two interfaces, you can run either a single interface pair (in inline mode) or two interfaces (in promiscuous mode).

Q14. What factors are used to calculate the risk rating?

Answer: The risk rating is based on the event severity, the signature fidelity, and the target’s asset value.

Q15. How is the asset value of a target configured?

Answer: You configure the asset value of a target by assigning one of the following values to an IP address or range of addresses: low, medium, high, mission critical, or no value.

Q16. Which appliance sensors support the inline mode of operation?

Answer: Inline mode is supported on the following appliance sensors: IDS 4215, IDS 4235, IDS 4240, IDS 4250, and IDS 4255.

Q17. Which appliance sensors are diskless?

Answer: The IDS 4240 and IDS 4255 appliance sensors are diskless.

Q18. Which appliance sensor comes with dual 1 Gb monitoring interfaces?

Answer: The IDS 4250XL comes with dual 1 Gb monitoring interfaces.

Q19. What are the three modes that you can configure for software bypass when using inline mode?

Answer: When using inline mode, you can configure software bypass to one of the following modes: auto, off, or on.

Q20. If you want the sensor to fail closed when operating in inline mode, what software bypass mode would you use?

Answer: To cause a sensor running in inline mode to fail closed, you need to configure the software bypass to off.

Q21. What are the four network boundaries that you need to consider when deploying sensors on your network?

Answer: When deploying sensors on your network, you need to consider the following network boundaries: Internet, intranets, extranets, and remote access.

Q22. What factors (besides network boundaries) must you consider when deploying your sensors?

Answer: When deploying your sensors, you must consider the following factors: sensor placement, sensor management and monitoring, number of sensors, and external sensor communications.

Q23. Which XML-based protocol does your sensor use to transfer event messages to other Cisco IPS devices?

Answer: Your sensor uses RDEP to transfer event messages to other Cisco IPS devices.

Q24. Which standard provides a product-independent standard for communicating security device events?

Answer: SDEE defines a product-independent standard for communicating security events.

Q25. What is a true negative?

Answer: A true negative is a situation in which a signature does not fire during normal user traffic on the network.

Q26. What is the Meta-Event Generator (MEG)?

Answer: The MEG is a signature engine that enables you to construct meta signatures that are based on correlating distinct individual signatures. Using the MEG, you can construct signatures that trigger only when specific individual signatures all trigger within a specific time period.

Q27. What is the main difference between intrusion detection and intrusion prevention?

Answer: Intrusion detection passively captures traffic looking for intrusive activity. Intrusion prevention operates in inline mode when examining network traffic, enabling intrusion prevention to actively drop intrusive activity.

About the author

Scott