CCNP Security FAQ : IPS and Advanced Protocol Handling

Q1. What does the ICMP inspection feature on the Security Appliance do?
A. It prevents the Security Appliance from being flooded with water.
B. It protects the inside network from being engulfed by rain.
C. It protects against SYN flood attacks.
D. It protects against AAA attacks.

Answer: D

Q2. Which Security Appliance feature mitigates a DoS attack that uses port 53?
A. Floodguard
B. Incomplete guard
C. Fragguard
D. DNS inspection

Answer: C

Q3. Which of the following multimedia application(s) is(are) supported by Security Appliance?
C. H323
D. All of these answers are correct

Answer: D

Q4. Which is the default port that Security Appliance inspects for H.323 traffic?
A. 1628
B. 1722
C. 1720
D. 1408

Answer: C

Q5. Which of the following describes how the mail inspection works on the Security Appliance?
A. It lets all mail in except for mail described by an access list.
B. It restricts SMTP requests to seven commands and eight ESMTP commands, as well as concealing the SMTP banner.
C. It revokes mail messages that contain attacks.
D. It performs virus checks on each mail message.

Answer: B

Q6. Which of the following statements about DNS inspection is true?
A. It is disabled by default.
B. It allows only a single DNS response for outgoing requests.
C. It monitors the DNS servers for suspicious activities.
D. It is enabled by default.

Answer: D

Q7. Which of the following are Security Appliance attack mitigation features?
A. DNS inspection
B. ICMP inspection
C. Remote guard
D. Mail inspection
E. Webguard

Answer: C

Q8. Which command installs the Security Appliance IPS Software?
A. copy tftp flash
B. upgrade AIP-SSM software
C. hw-module 1 recover boot
D. hw-module 1 upgrade system

Answer: B

Q9. What does the reset action do in the Security Appliance IPS configuration?
A. Warns the source of the offending packet before it drops the packet
B. Drops the offending packet and closes the connection if it is part of an active connection with a TCP RST
C. Waits 2000 offending packets, and then permanently bans the connection to the source host
D. Reports the incident to the syslog server and waits for more offending packets from the same source to arrive

Answer: C

Q10. Which PIX feature mitigates a DoS attack using a rewritten ICMP datagram?

Answer: ICMP inspection mitigates all ICMP-based SYN and spoofed broadcast attacks.

Q11. On which port does the Security Appliance inspect for H.323 traffic by default?

Answer: Port 1720

Q12. How do you enable the Security Appliance Mail inspection feature?

Answer: The Mail inspection feature is enabled by default. If it is disabled, it can be enabled by using the fixup protocol smtp command in class-map configuration mode within a policy map.

Q13. What are some of the Security Appliance limitations on CTIQBE application inspection?

Answer: Some of the limitations of the application inspection for CTIQBE include 1) stateful failover of CTIQBE calls is not supported; 2) CTIQBE messages that are fragmented across multiple TCP packets are not supported.

Q14. How do you install a new IPS image on an AIP-SSM module?

Answer: There are two steps to installing a new IPS image on an AIP-SSM module. First, run the hw-module module 1 recover configure command. Use this command to define where the IPS image is located and all the network settings needed to reach that location. Then, use the hw-module module 1 recover boot command to install the new image and reset the AIP-SSM module.

Q15. Which policies are available in the Cisco Security IPS configuration?

Answer: alarm, drop, reset

Q16. How does DNS inspection on the Cisco Security Appliance prevent DoS attacks that exploit DNS?

Answer: The Security Appliance allows only a single DNS response for outgoing DNS requests. Any other responses are dropped.

Q17. What basic configurations are required to fully enable IPS features on a Security Appliance?

Answer: The hostname must be set for the module, an IP address must be assigned to the external 10/100/1000 Ethernet port, the Telnet server must be enabled, the HTTP server must be enabled, and the main ACL must allow you into the module.

Q18. How does the Mail inspection feature prevent SMTP-related attacks?

Answer: Mail inspection allows only a restricted set of SMTP commands, namely HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT. It can also allow a limited set of ESMTP commands through: AUTH, DATA, EHLO, ETRN, SAML, SEND, SOML, and VRFY.

Q19. How do you enable MGCP application inspection for call agents and gateways using the default ports?

Answer: Use the fixup protocol mgcp 2427 and fixup protocol mgcp 2727 commands.