CCNA Security FAQ: Network Security Using Cisco IOS IPS
Question. True or false. An IDS is a passive technology that only reports when events trigger signatures, whereas an IPS not only reports but also blocks the intrusion.
Question. Which of the following are examples of where an IDS or IPS may be deployed? (Choose all that apply.)
A. Separate network device.
B. Option card in a router or security appliance.
C. Software on a router.
D. Add-on blade module on Cisco VPN 3000 Series Concentrator.
E. All of the above
A. IPS operates in promiscuous mode.
B. IPS receives a copy of the traffic to be analyzed.
C. IPS operates in inline mode.
D. IDS receives a copy of the traffic to be analyzed.
A. Signature-based detection
B. Policy-based detection
C. Anomaly-based detection
D. Honey pot detection
A. Management interface
B. Monitoring interface
C. Command and control interface
D. Loopback interface
A. String signatures
B. DoS signatures
C. Exploit signatures
D. Connection signatures
A. CTIQBE
B. SDEE
C. TLS
D. SRTP
Question. Match the list of IPS technologies below with the letter corresponding to the platform to which it belongs. Letters may be used more than once.
- AIP-SSM: _____
- IDSM-2: _____
- IPS AIM: _____
- IOS IPS: _____
Choices:
A. ASA 5500 Series Adaptive Security appliances
B. Catalyst 6500 Series switches
C. Cisco IOS router
Question. Which of the following is part of Cisco’s suite of IPS Management Software? (Choose one correct answer.)
A. Cisco IPS Device Manager (IDM)
B. Cisco IPS Event Viewer (IEV)
C. Cisco Security Monitoring, Analysis, and Response System (MARS)
D. Cisco Router Security Device Manager (SDM)
E. All of the above.
Question. Fill in the blank. Cisco _____ Agent is Cisco’s Host IPS (HIPS) software solution.
A. Integrity
B. Accountability
C. Information
D. Security
E. Trust
Question. Which of the following is not considered an advantage of Network IPS? (Choose all that apply.)
A. New end system hosts and devices can be added without the need for new sensors.
B. A single sensor can monitor traffic from many hosts.
C. Network IPS can be deployed on every end system in the network.
D. Network IPS can see all traffic inside encrypted data streams.
E. None of the above.
A. Create a log entry
B. Drop the offending packet
C. Reset the TCP connection
D. Send an ICMP Source Quench to the attacker’s IP address
E. Block the attacker’s IP address
A. SMS
B. QPM
C. SDM
D. IPM
A. Selecting the interface to which the IPS rule will be applied
B. Selecting the direction of traffic that will be inspected
C. Selecting the inspection policy that will be applied to the interface
D. Selecting the Signature Definition File (SDF) that the router will use
A. permit ip any any
B. deny ip any any
C. permit tcp 127.0.0.1 any
D. deny tcp any 255.255.255.255
A. Enable Engine Fail Closed
B. Enable Default IOS Signature
C. Enable Fail Opened
D. Enable Signature Default
A. Blue circle
B. Yellow triangle
C. Red diamond
D. Orange oval
Question. Review the information in Figure 8.27. Which of the following statements is correct about the information it contains? (Choose all that apply.)
A. Only inbound traffic from untrusted to trusted zones will be scanned for signs of intrusion since only the Inbound Filter radio button is pressed in the bottom pane.
B. VFR (Virtual Fragmentation Reassembly) is enabled on every interface.
C. Inbound inspection of packets for intrusive activity is enabled on every interface.
D. You cannot tell whether the IPS is active or not by looking at this screenshot.
E. None of the above.
Question. Fill in the blanks in the following sentence with a choice from the list below. The IPS signature file that you download to your PC will end with a _____ file extension, whereas the file that you push to the IOS IPS will end with a _____ file extension. Both can be downloaded from Cisco.
A. .zip, .pkg
B. .cab, .zip
C. .tar, .zip
D. .pkg, .zip
E. .cab, .pkg
Question. View the CLI output below, which shows an incomplete IPS configuration. Which of the following statements best describes what is missing?
A. The basic category of IPS signatures should not be used because it is unlikely to capture trigger packets.
B. The basic category of IPS signatures should not be used because it is known to cause memory allocation errors on IOS IPS routers with less than 128MB of DRAM.
C. Only retired signatures are being used.
D. The IPS is inactive because the configuration has not been applied to an interface.
E. The IPS is inactive because the configuration has not been applied globally to the device.
Here is an example of a complete configuration. Note that the IPS policy sdm_ips_rule has been applied in the inbound direction to interfaces Vlan1 and FastEthernet4:
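The configuration listing itself is not reproduced on this page, so the following is an added example (not the page's own output) of an IOS IPS 5.x-style configuration that defines a rule named sdm_ips_rule and applies it inbound on Vlan1 and FastEthernet4, as described above. The flash:ips directory, the choice of both SDEE and syslog notification, the fail-closed setting and the use of the basic signature category are assumptions for illustration; adjust them to the router and its memory.

```text
! --- Global IOS IPS settings (assumed values) ---
! Directory on flash that holds the signature package pushed to the router.
ip ips config location flash:ips retries 1
! Report events over SDEE (the management station pulls them over HTTP/HTTPS,
! so the HTTP server must be enabled) and also push them to syslog.
ip http secure-server
ip ips notify SDEE
ip ips notify log
! If the signature engine cannot compile, drop traffic instead of passing it
! uninspected (the "fail closed" behaviour seen in the SDM option above).
ip ips fail closed
!
! Name the rule. An optional extended ACL after the name limits which traffic
! is inspected; with no ACL, all traffic on the interface is inspected.
ip ips name sdm_ips_rule
!
! Retire every signature, then un-retire only the small "basic" category so
! the router does not try to load the full signature set into memory.
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false
!
! --- Interface bindings ---
! A rule that is defined but never applied to an interface inspects nothing.
interface Vlan1
 ip ips sdm_ips_rule in
!
interface FastEthernet4
 ip ips sdm_ips_rule in
```

To confirm the result, check `show ip ips configuration` for the rule, the config location and the notification methods, `show ip ips interfaces` for the interface and direction the rule is bound to, and `show ip ips signature count` to see how many signatures were compiled versus retired or failed.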
Question. True or false. SDEE is a push-logging protocol that can optionally use encryption, whereas syslog is a pull-logging protocol.