CCNP Secure IPS FAQ: Cisco IPS Response Configuration

Q1. The Deny Connection Inline action stops traffic that matches which of the following descriptions (where “source” and “destination” refer to the traffic that caused the signature to trigger)?
A. Source IP address and destination port
B. Source IP address and destination IP address
C. Source IP address, destination IP address, source port, and destination port
D. Source IP address, destination IP address, and destination port

Answer: C

Q2. When you manually configure IP logging, which parameter is not a valid parameter that you can configure with IDM?
A. Maximum Number of Packets
B. Duration (in seconds)
C. Maximum Number of Bytes
D. All of these answers are valid parameters

Answer: B

Q3. Which of the following is not a valid Cisco IPS response action?
A. Request SNMP Trap
B. Produce Verbose Alert
C. Modify Packet Inline
D. Deny Packet Inline
E. Request Block Packet

Answer: E

Q4. What is a major difference between Access Control Lists (ACLs) and VLAN Access Control Lists (VACLs)?
A. ACLs are available only on routers.
B. ACLs apply to traffic either entering or leaving an interface.
C. ACLs are directionless.
D. VACLs are directionless.
E. VACLs apply to traffic either entering or leaving an interface.

Answer: D

Q5. When is a Master Blocking Sensor necessary?
A. When your managed devices are PIX™ Firewalls
B. When one sensor manages multiple managed devices
C. When multiple sensors are configured for IP blocking
D. When one sensor manages both PIX Firewalls and Cisco IOS® routers

Answer: C

Q6. What is the default logging duration when you manually configure IP logging?
A. 10 minutes
B. 15 minutes
C. 20 minutes
D. 30 minutes
E. 60 minutes

Answer: A

Q7. Which of the following is true about the Deny Attacker Duration parameter?
A. It is measured in minutes.
B. The default is 90 minutes.
C. The default is 3600 seconds.
D. It is measured in minutes, and the default is 90 minutes.

Answer: C

Q8. By default, which of the following is true about configuring never-block addresses?
A. You must configure a never-block address to prevent the sensor from being blocked.
B. The sensor can never block itself.
C. By default, the sensor will not block its own address.

Answer: C

Q9. Which of the following is not a consideration for implementing IP blocking?
A. Antispoofing mechanisms
B. Critical hosts
C. Blocking duration
D. Interface ACL requirements
E. Frequency of attack traffic

Answer: E

Q10. By default, what is the maximum number of entries allowed in the blocking ACL?
A. 100
B. 200
C. 250
D. 500
E. 1000

Answer: C

Q11. What are the three inline response actions?

Answer: The three inline response actions are Deny Packet Inline, Deny Connection Inline, and Deny Attacker Inline.

Q12. What traffic does the Deny Connection Inline response action prevent?

Answer: The Deny Connection Inline response action prevents traffic that matches the source IP address, source port, destination IP address, and destination port of the traffic that triggered the signature.

Q13. What are the three logging options available in Cisco IPS version 5.0?

Answer: Cisco IPS version 5.0 provides the following three logging actions: Log Attacker Packets, Log Pair Packets, and Log Victim Packets.

Q14. What two blocking actions can you configure to occur when a signature triggers?

Answer: You can configure the following two blocking actions for signatures: Request Block Host and Request Block Connection.

Q15. What types of devices can Cisco IPS sensors use as managed devices?

Answer: Cisco IPS sensors can use IOS routers, Catalyst 6000 switches, and PIX Firewalls (and ASAs) as managed devices.

Q16. What must you configure when implementing IP blocking on an interface that already has an ACL applied to it?

Answer: To implement IP blocking on an interface that already has an ACL applied to it, you must configure a Pre-Block or Post-Block ACL (or both).

Q17. When do you need to configure a Master Blocking Sensor?

Answer: When configuring multiple sensors to perform IP blocking, you need to configure a Master Blocking Sensor to coordinate IP blocking between the multiple sensors.

Q18. How many sensors can initiate IP blocking on a single managed device?

Answer: Only one sensor can initiate IP blocking on a single managed device.

Q19. How can you protect the traffic from critical systems from accidentally being blocked by the IP blocking functionality?

Answer: To prevent IP blocking from impacting traffic from critical systems, you can configure a never-block address for the critical system.

Q20. What are the two steps for defining a router blocking device in IDM?

Answer: When defining a router blocking device using IDM, you need to first define the blocking device and then define and associate an interface to be used by the blocking device.

Q21. Which response actions can be manually configured via the IDM interface?

Answer: Using the IDM interface, you can manually configure IP logging, host blocks, and network blocks.

Q22. What response action uses the Simple Network Management Protocol (SNMP)?

Answer: The Request SNMP Trap action uses SNMP traps to indicate when a signature triggers.

Q23. How long does the Deny Attacker Inline action block traffic from the attacker’s IP address?

Answer: The Deny Attacker Inline action remains in effect for the length of time specified by the Deny Attacker Duration parameter.

Q24. Which parameter determines how long IP blocking actions remain in effect?

Answer: The block action duration parameter specifies the length of time that IP blocking actions remain in effect.

Q25. Which blocking mechanism enables you to restrict traffic between systems on the same network segment?

Answer: VACLs enable you to restrict traffic between systems on the same network segment.

About the author

Scott
