
Cisco 642-627 Questions & Answers

Number: 642-627
Passing Score: 790
Time Limit: 60 min
File Version: 21.1

http://www.gratisexam.com/

Cisco 642-627 Questions & Answers

Exam Name: Implementing Cisco Intrusion Prevention System v7.0

Sections
1. Troubleshooting
2. Configuration
3. Hardware
4. Simlet
5. LAB

Exam A

QUESTION 1
Which three are global correlation network participation modes? (Choose three.)

A. off
B. partial participation
C. reputation filtering
D. detect
E. full participation
F. learning

Correct Answer: ABE
Section: Configuration

Explanation/Reference:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_collaboration.html

QUESTION 2
Which two switching-based mechanisms are used to deploy high availability IPS using multiple Cisco IPS appliances? (Choose two.)

A. Spanning Tree-based HA
B. HSRP-based HA
C. EtherChannel-based HA
D. VRRP-based HA

Correct Answer: AC
Section: Configuration

Explanation/Reference:
Official Cisco Guide Chapter 21

When network switches are used to provide High Availability you have two options:

• EtherChannel-based HA
• STP-based HA

QUESTION 3
What is the correct regular expression to match a URI request equal to /test.exe?

A. /test.exe
B. Vtest\.exe
C. /test\.exe
D. */test\.exe
E. \*/test\.exe
F. */test.exe

Correct Answer: C
Section: Troubleshooting

Explanation/Reference:
https://supportforums.cisco.com/community/netpro/security/intrusion-prevention/blog/2010/12/23/introduction-to-regular-expressions-for-ips

http://regexlib.com/DisplayPatterns.aspx?cattabindex=1&categoryid=2&p=4

http://wdvl.com/Style/Languages/Perl/PerlfortheWeb/perlintro2_table1.html

An unescaped . has a special meaning in a regular expression: it matches any single character. So /test.exe would also match testaexe, test$exe and similar strings, not only test.exe. The backslash removes the special meaning from the ., so \. matches only a literal period, and /test\.exe matches test.exe exactly.

See the above links for why the other answers are not valid.

QUESTION 4
Which option is best to use to capture only a subset of traffic (capturing traffic per-IP-address, per-protocol, or per-application) off the switch backplane and copy it to the Cisco IPS appliance?

A. SPAN
B. PBR
C. VACL
D. MPF
E. STP

Correct Answer: C
Section: Configuration

Explanation/Reference:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/vacl.html#wp1037197

QUESTION 5
What are the three anomaly detection modes? (Choose three.)

A. detect
B. active
C. inactive
D. learn
E. full
F. partial

Correct Answer: ACD
Section: Configuration

Explanation/Reference:
http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.0/user/guide/ipsanom.html

Anomaly detection has the following modes:

• Learning accept mode (initial setup)
Although anomaly detection is in detect mode by default, it conducts an initial learning accept mode for the default period of 24 hours. We assume that during this phase no attack is being carried out. Anomaly detection creates an initial baseline, known as a knowledge base, of the network traffic. The default interval value for periodic schedules is 24 hours and the default action is rotate, meaning that a new knowledge base is saved and loaded, and then replaces the initial knowledge base after 24 hours.

Keep the following in mind:
– Anomaly detection does not detect attacks when working with the initial knowledge base, which is empty. After the default of 24 hours, a knowledge base is saved and loaded and now anomaly detection also detects attacks.

– Depending on your network complexity, you may want to have anomaly detection in learning accept mode for longer than the default 24 hours. You configure the mode in the Virtual Sensors policy; see Defining A Virtual Sensor, page 28-5. After your learning period has finished, edit the virtual sensor and change the mode to Detect.

• Detect mode
For ongoing operation, the sensor should remain in detect mode. This is for 24 hours a day, 7 days a week. Once a knowledge base is created and replaces the initial knowledge base, anomaly detection detects attacks based on it. It looks at the network traffic flows that violate thresholds in the knowledge base and sends alerts. As anomaly detection looks for anomalies, it also records gradual changes to the knowledge base that do not violate the thresholds and thus creates a new knowledge base. The new knowledge base is periodically saved and takes the place of the old one, thus maintaining an up-to-date knowledge base.

• Inactive mode
You can turn anomaly detection off by putting it in inactive mode. Under certain circumstances, anomaly detection should be in inactive mode, for example, if the sensor is running in an asymmetric environment. Because anomaly detection assumes it gets traffic from both directions, if the sensor is configured to see only one direction of traffic, anomaly detection identifies all traffic as having incomplete connections, that is, as scanners, and sends alerts for all traffic flows.

Exam B

QUESTION 1
A Cisco Catalyst switch is experiencing packet drops on a SPAN destination port that is connected to a Cisco IPS appliance. Which three configurations should be considered to resolve the packet drops issue? (Choose three.)

A. Configure an additional SPAN session to a different Cisco IPS appliance interface connected to the same virtual sensor.
B. Configure an EtherChannel bundle as the SPAN destination port.
C. Configure RSPAN.
D. Configure VACL capture.
E. Configure the Cisco IPS appliance to inline mode.

Correct Answer: AD
Section: Troubleshooting

Explanation/Reference:
A. Adding an additional SPAN session to a different Cisco IPS will remove some of the traffic and load from the existing SPAN. - Confirmed Correct

B. Cisco documentation clearly defines that EtherChannels cannot be configured as SPAN destination ports. This rules out option B. - Confirmed Incorrect
http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_19_ea1/configuration/guide/swspan.html#wp1044603

C. RSPAN is remote SPAN, which is used to send traffic to a device not connected to the local switch. While this would have a similar effect to answer A, since you are in fact creating another SPAN, the implication here is that there is only one IPS device. - Unconfirmed Incorrect

D. Configuring VACL capture will allow a reduced amount of traffic and load on the SPAN by selecting and sending only select traffic over the SPAN to the IPS. - Confirmed Correct

E. Configuring the Cisco IPS appliance in inline mode would eliminate the need for a SPAN altogether. - Unconfirmed Correct.

QUESTION 2
From the Cisco IPS appliance CLI setup command, one of the options is "Modify default threat prevention settings? [no]". What is this option related to?

A. anomaly detection
B. threat rating adjustment
C. event action override that denies high-risk network traffic with a risk rating of 90 to 100
D. risk rating adjustment with global correlation
E. reputation filters

Correct Answer: C
Section: Configuration

Explanation/Reference:
http://www.cisco.com/en/US/docs/security/ips/6.2/configuration/guide/cli/cli_initializing.html

Modify default threat prevention settings? [no]:
Step 11 Enter yes if you want to modify the default threat prevention settings.

Note: The sensor comes with a built-in override to add the deny packet event action to high risk rating alerts. If you do not want this protection, disable automatic threat prevention.

QUESTION 3
Threat rating calculation is performed based on which factors?

A. risk rating and adjustment based on the prevention actions taken
B. threat rating and event action overrides
C. event action overrides and event action filters
D. risk rating and target value rating
E. alert severity and alert actions

Correct Answer: A
Section: Troubleshooting

Explanation/Reference:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/prod_white_paper0900aecd806e7299.html

Threat rating is a quantitative measure of your network's threat level after IPS mitigation. The formula for threat rating is:

Threat Rating = Risk Rating - Alert Rating

The values of the alert ratings are listed below.
• 45: deny-attacker-inline
• 40: deny-attacker-victim-pair-inline
• 40: deny-attacker-service-pair-inline
• 35: deny-connection-inline
• 35: deny-packet-inline
• 35: modify-packet-inline
• 20: request-block-host
• 20: request-block-connection
• 20: reset-tcp-connection
• 20: request-rate-limit

For example, if an alert had a risk rating of 100 and the IPS mitigates the event with a deny-attacker-inline action, the threat rating would be calculated as:

Threat Rating = Risk Rating - Alert Rating, or 100 - 45 = 55.

Threat rating brings the value of risk rating to a new level. By taking the IPS mitigation action into account, threat rating helps you further focus on the most important threats that have not been mitigated.

QUESTION 4
Which three statements about the Cisco IPS appliance normalizer feature are true? (Choose three.)

A. only operates in inline modes
B. ensures that Layer 4 to Layer 7 traffic conforms to the protocol specifications
C. tracks session states and stops packets that do not fully match session state
D. modifies ambiguously fragmented IP traffic
E. cannot analyze asymmetric traffic flows

Correct Answer: ACD
Section: Hardware

Explanation/Reference:
http://globalknowledgeblog.com/technology/cisco/asa-and-ips-parallel-features-part-ii/ = A

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/white_paper_c11-459025_ps6120_Products_White_Paper.html

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_signature_engines.html#wpxref98199 = C and D

The Cisco ASA AIP-SSM is a fully functional firewall and IPS solution that can be deployed in symmetric or asymmetric mode and supports stateful failover deployments. In either deployment mode, session state and evasion protection will be maintained because of advanced state features in the Cisco ASA operating system.

E is not an option -- even though it reduces performance, it is still able to analyze a single traffic flow.
http://globalknowledgeblog.com/technology/cisco/asa-and-ips-parallel-features-%E2%80%93-part-iii/

QUESTION 5
Which protocol is used by Encapsulated Remote SPAN?

A. ESP
B. GRE
C. TLS
D. STP
E. VTI
F. 802.1Q

Correct Answer: B
Section: Configuration

Explanation/Reference:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/span.html#wp1059482

ERSPAN Overview

ERSPAN supports source ports, source VLANs, and destination ports on different switches, which provides remote monitoring of multiple switches across your network (see Figure 52-3).

ERSPAN consists of an ERSPAN source session, routable ERSPAN GRE-encapsulated traffic, and an ERSPAN destination session. You separately configure ERSPAN source sessions and destination sessions on different switches.

To configure an ERSPAN source session on one switch, you associate a set of source ports or VLANs with a destination IP address, ERSPAN ID number, and optionally with a VRF name. To configure an ERSPAN destination session on another switch, you associate the destination ports with the source IP address, ERSPAN ID number, and optionally with a VRF name.

ERSPAN source sessions do not copy locally sourced RSPAN VLAN traffic from source trunk ports that carry RSPAN VLANs. ERSPAN source sessions do not copy locally sourced ERSPAN GRE-encapsulated traffic from source ports.

Each ERSPAN source session can have either ports or VLANs as sources, but not both.

The ERSPAN source session copies traffic from the source ports or source VLANs and forwards the traffic using routable GRE-encapsulated packets to the ERSPAN destination session. The ERSPAN destination session switches the traffic to the destination ports.

Exam C

QUESTION 1
What must be configured to enable Cisco IPS appliance reputation filtering and global correlation?

A. DNS server(s) IP address
B. full sensor based network participation
C. trusted hosts settings
D. external product interfaces settings

Correct Answer: A
Section: Configuration

Explanation/Reference:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/ime/ime_collaboration.html

Global Correlation Requirements

Global correlation has the following requirements:

• Valid license

You must have a valid sensor license for global correlation features to function. You can still configure and display statistics for the global correlation features, but the global correlation databases are cleared and no updates are attempted. Once you install a valid license, the global correlation features are reactivated.

• Agree to network participation disclaimer

• External connectivity for sensor and a DNS server

The global correlation features of IPS 7.0 require the sensor to connect to the Cisco SensorBase Network. Domain name resolution is also required for these features to function. You can either configure the sensor to connect through an HTTP proxy server that has a DNS client running on it, or you can assign an Internet-routable address to the management interface of the sensor and configure the sensor to use a DNS server. In IPS 7.0 the HTTP proxy and DNS servers are used only by the global correlation features.

QUESTION 2
What is a best practice to follow before tuning a Cisco IPS signature?

A. Disable all the alert actions on the signature to be tuned.
B. Disable the signature to be tuned.
C. Create a clone of the signature to be tuned.
D. Increase the number of events required to trigger the signature to be tuned.
E. Decrease the attention span (maximum inter-event interval) of the signature to be tuned.

Correct Answer: A
Section: Configuration

Explanation/Reference:
Still doubt here. 100% certain C is wrong.

A is best answer with B also possible.

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/prod_white_paper0900aecd8066d265.html

Official Guide - Chapter 13 Quiz - When tuning signatures it is recommended

Answer: By removing harmful actions during the tuning phase we can have visibility... without interfering with normal traffic.

"Do no harm" approach.

QUESTION 3
Which three statements about the Cisco IntelliShield Alert Manager are true? (Choose three.)

A. Alert information is analyzed and validated by Cisco security analysts.
B. Alert analysis is vendor-neutral.
C. The built-in workflow system provides a mechanism for tracking vulnerability remediation and integration with Cisco Security Manager and Cisco Security MARS.
D. Users can customize the notification to deliver tailored information relevant to the needs of the organization.
E. Customers are automatically subscribed to use Cisco Security IntelliShield Alert Manager Service with the Cisco IPS license.
F. More than 10 report types are available within the Cisco Security IntelliShield Alert Manager Service.

Correct Answer: ABD
Section: Configuration

Explanation/Reference:
http://www.cisco.com/en/US/products/ps6834/serv_group_home.html
A & D are clear. Still in doubt for B or C.

Features
• Continuous threat and vulnerability updates
• Customized notifications that deliver tailored information relevant to IT needs = D
• Actionable alert intelligence analyzed and validated by security analysts to assist in proactive prevention = A
• Integrated, easy to use tools for easy management of remediation efforts
• Comprehensive intelligence information including historical coverage of over 14,000 alerts

Benefits
• Accelerated elimination of threats through actionable security intelligence
• Customized intelligence to avoid sifting through irrelevant information
• Vendor-neutral analysis of threats and vulnerabilities help prevent IT attacks across business environments = B
• Workflow management tools enable efficient use of security staff resources

http://www.cisco.com/en/US/services/ps2827/ps6834/services_overview0900aecd803e85ee.pdf

Option C removal! No mention of integration at all with CSM or CS-MARS.

QUESTION 4
Which two configurations are required on the Cisco IPS appliance to allow Cisco Security Manager to log into the Cisco IPS appliance? (Choose two.)

A. Enable SNMPv2.
B. Enable SSH access.
C. Enable TLS/SSL to allow HTTPS access.
D. Enable NTP.
E. Enable Telnet access.
F. Enable the IP address of the Cisco Security Manager server as an allowed host.

Correct Answer: CF
Section: Configuration

Explanation/Reference:
Obvious standard config but needs confirmation.

http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/cli/cliTasks.html#wp1056053

QUESTION 5
OS mappings associate IP addresses with an OS type, which in turn helps the Cisco IPS appliance to calculate what other value?

A. TVR
B. SFR
C. ARR
D. PD
E. ASR

Correct Answer: C
Section: Troubleshooting

Explanation/Reference:

QUESTION 6
Which two Cisco IPS appliance features are implemented using input data from the Cisco SensorBase? (Choose two.)

A. global correlation
B. anomaly detection
C. reputation filters
D. botnet traffic filters
E. OS fingerprinting
F. threat detection

Correct Answer: AC
Section: Hardware

Explanation/Reference:
See the previous information about that.

QUESTION 7
You want your inline Cisco IPS appliance to drop packets that pose the most severe risk to your network, especially to the servers on your DMZ. Which two parameters should you set to protect your DMZ servers in the most time-efficient manner? (Choose two.)

A. event action filter
B. reputation filter
C. target value rating
D. signature fidelity rating
E. global correlation
F. event action override

Correct Answer: CF
Section: Troubleshooting

Explanation/Reference:

QUESTION 8
Which Cisco IPS appliance feature is best used to detect these two conditions? 1) The network starts becoming congested by worm traffic. 2) A single worm-infected source enters the network and starts scanning for other vulnerable hosts.

A. global correlation
B. anomaly detection
C. reputation filtering
D. custom signature
E. meta signature
F. threat detection

Correct Answer: B
Section: Configuration

Explanation/Reference:
http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.0/user/guide/ipsanom.html

Anomaly detection identifies worm-infected hosts by their behavior as a scanner. To spread, a worm virus must find new hosts. It finds them by scanning the Internet using TCP, UDP, and other protocols to generate unsuccessful attempts to access different destination IP addresses. A scanner is defined as a source IP address that generates events on the same destination port (in TCP and UDP) for too many destination IP addresses.

QUESTION 9
Which four networking tools does Cisco IME include that can be invoked for specific events, to learn more about attackers and victims using basic network reconnaissance? (Choose four.)

A. ping
B. traceroute
C. packet tracer
D. nslookup
E. whois
F. nmap

Correct Answer: ABDE
Section: Troubleshooting

Explanation/Reference:
http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/ime/ime_getting_started.html

IME also supports tools such as ping, traceroute, DNS lookup, and whois lookup for selected events.

Exam D

QUESTION 1

Select and Place:

Correct Answer:

Section: Hardware

Explanation/Reference:

QUESTION 2

Select and Place:

Correct Answer:

Section: Configuration

Explanation/Reference:

QUESTION 3
Which four features are supported on the Cisco ASA AIP-SSM but are not supported on the Cisco ASA AIP-SSC? (Choose four.)

A. multiple virtual sensors
B. anomaly detection
C. promiscuous mode
D. custom signatures
E. fail open
F. global correlation

Correct Answer: ABDF
Section: Hardware

Explanation/Reference:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/ps6825/product_data_sheet0900aecd80404916_ps6120_Products_Data_Sheet.html

QUESTION 4
Which four features are supported on the Cisco ASA AIP-SSM but are not supported on the Cisco ASA AIP-SSC? (Choose four.)

A. multiple virtual sensors
B. anomaly detection
C. promiscuous mode
D. custom signatures
E. fail open
F. global correlation

Correct Answer: ABDF
Section: Hardware

Explanation/Reference:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/ps6825/product_data_sheet0900aecd80404916_ps6120_Products_Data_Sheet.html

QUESTION 5
In a centralized Cisco IPS appliance deployment, it may not be possible to connect an IPS appliance to every switch or segment in the network. So, an IPS appliance can be deployed to inspect traffic on ports that are located on multiple remote network switches. In this case, which two configurations are required? (Choose two.)

A. IPS promiscuous mode operations
B. in-line IPS operations
C. RSPAN
D. SPAN
E. HSRP
F. SLB

Correct Answer: AC
Section: Hardware

Explanation/Reference:
No specific reference --- it is in the videos from CBT.

QUESTION 6
Simlet Question #4

*NB* -- This is only a sample; real questions and answers may vary, so know the topics and purpose of the simlet and get a feel for the questions.

A. It will not contribute to the SensorBase network.
B. It will contribute to the SensorBase network, but will withhold some sensitive information.
C. It will contribute the victim IP address and port to the SensorBase network.
D. It will not contribute to Risk Rating adjustments that use information from the SensorBase network.

Correct Answer: B
Section: Simlet

Explanation/Reference:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_collaboration.html#wp1053292

Configuring Network Participation

To configure network participation, follow these steps:

Step 1 Log in to IDM using an account with administrator privileges.

Step 2 Choose Configuration > Policies > Global Correlation > Network Participation.

Step 3 To turn on network participation, click the Partial or Full radio button:

• Partial: Data is contributed to the SensorBase Network, but data considered potentially sensitive is filtered out and never sent.

• Full: All data is contributed to the SensorBase Network.

QUESTION 7
Simlet Question #5

*NB* -- This is only a sample; real questions and answers may vary, so know the topics and purpose of the simlet and get a feel for the questions.

A. This is a custom signature.
B. The severity level is High.
C. This signature has triggered as indicated by the red severity icon.
D. Produce Alert is the only action defined.
E. This signature is enabled, but inactive, as indicated by the /0 that follows the signature number.

Correct Answer: BD
Section: Simlet

Explanation/Reference:
http://www.cisco.com/en/US/docs/security/ips/7.1/configuration/guide/ime/ime_signature_wizard.pdf

QUESTION 8
Which two switching-based mechanisms are used to deploy high availability IPS using multiple Cisco IPS appliances? (Choose two.)

A. Spanning Tree-based HA
B. HSRP-based HA
C. EtherChannel-based HA
D. VRRP-based HA

Correct Answer: AC
Section: Configuration

Explanation/Reference:
Official Cisco Guide Chapter 21

When network switches are used to provide High Availability you have two options:

• EtherChannel-based HA
• STP-based HA

Exam E

QUESTION 1
Simlet Question #3

*NB* -- This is only a sample; real questions and answers may vary, so know the topics and purpose of the simlet and get a feel for the questions.

A. Global correlation is configured in Audit mode for testing the feature without actually denying any hosts.
B. Global correlation is configured in Aggressive mode, which has a very aggressive effect on deny actions.
C. It will not adjust risk rating values based on the known bad hosts list.
D. Reputation filtering is disabled.

Correct Answer: D
Section: Simlet

Explanation/Reference:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_collaboration.html#wp1054333

QUESTION 2
This is the most likely shot of the LAB.

A. Tasks = 4

1: Event Action Overrides
Verify and enable this feature for the rules0 instance.

2: Risk Category name MYCUSTOMRISK
Create a custom risk category named MYCUSTOMRISK.
Assign this category a risk threshold of 80 (hard to see; could be 90).

Modify the new MYCUSTOMRISK category to take the following actions:
> Deny Attacker Inline
> Produce Alert
> Reset TCP Connection

3: Modify the Red Threat Threshold
Modify the value to 80 to enable the new risk category to be included in the Red Threshold level for network security health statistics alert threat categorization.

4: REMEMBER TO SAVE AND APPLY ALL CHANGES AS NEEDED (MEANS AS YOU GO - DO NOT WAIT TILL THE END TO SAVE CHANGES)

Correct Answer: A
Section: LAB

Explanation/Reference:

#3 http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/ime/ime_dashboards.html

Sensor Health Gadget

The Sensor Health gadget visually displays sensor health and network security information in two colored meters. The meters are labeled Normal, Needs Attention, or Critical according to an analysis of the specific metrics. The overall health status is set to the highest severity of all the metrics you configured. For example, if you configure eight metrics to determine the sensor health and seven of the eight are green while one is red, the overall sensor health is displayed as red.

The dashboard is not available -- you have to look for the Red Threat option under the Policies screen! It is a small field at the bottom of the screen.

QUESTION 3
Which four types of interface modes are available on the Cisco IPS 4200 Series appliance? (Choose four.)

A. promiscuous
B. inline TAP
C. inline interface
D. inline VLAN pair
E. VLAN groups
F. bypass

Correct Answer: ACDE
Section: Hardware

Explanation/Reference:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_interfaces.html#wp1047079

https://supportforums.cisco.com/thread/2463764000 series does not support bypass mode
