
Exam Prep Questions

Question 1

A network administrator is testing a new monitoring application that uses multiple Internet Control Message Protocol (ICMP) messages to host systems. The application is reported on IEV as a network attack. This alarm is referred to as a

  A. False positive

  B. False negative

  C. True positive

  D. True negative

Answer A is correct. Because it was not an actual malicious attack but resulted in the generation of an alarm, this alarm is referred to as a false positive. A false negative occurs when an actual attack is not reported; therefore, Answer B is incorrect. True positives occur when real attacks are successfully detected and reported; therefore, Answer C is incorrect. True negatives happen when no attack occurred and no alarm was generated. Therefore, Answer D is incorrect.

Question 2

Which three of the following are valid methodologies employed by IDS signatures to detect network attacks?

  A. Heuristic analysis

  B. Signature-based detection

  C. Host-based detection

  D. Pattern matching

  E. Flood decode analysis

  F. Obfuscation detection

Answers A, B, and D are correct. Heuristic analysis, signature-based detection, and pattern matching are all valid methodologies used by signatures to detect intrusions. Although IDS components can be host-based, such as the Security Agent, host-based is not a methodology employed by signatures. Therefore, Answer C is incorrect. Flood decode analysis does not exist, and obfuscation is an IDS evasive technique commonly used by attackers. Therefore, Answers E and F are incorrect.

Question 3

Which of the following IDS components were designed for lower-risk network environments? (Choose two.)

  A. 4200 Series Sensor Appliance

  B. Router IOS IDS

  C. Cisco Security Agent

  D. IDSM2

  E. PIX IDS

  F. Host Agent IDS

Answers B and E are correct. The Router Sensor IOS IDS and the Firewall Sensor PIX IDS contain a subset of the Sensor appliance IDS signatures and were designed for lower-risk environments. The 4200 Series Sensor Appliances provide a robust platform for intrusion detection and are designed for high-risk environments; therefore, Answer A is incorrect. Cisco Security Agent and the host agent IDS product are agent software that resides on hosts and are not designed for network intrusion detection; Answers C and F are therefore incorrect. The IDSM2 is a high-performance switching module designed for high-throughput intrusion detection with no impact on switch performance. It was not designed for lower-risk environments, so Answer D is incorrect.

Question 4

Which of the following are methods used to evade IDSs? (Choose three.)

  A. Denial of service

  B. Fragmentation

  C. Pattern matching

  D. Obfuscation

  E. Encryption

  F. Access attack

Answers B, D, and E are correct. Fragmentation, obfuscation, and encryption are all evasive techniques used by attackers to dodge IDS detection. Denial-of-service and access attacks are forms of attacks performed by hackers but are not directly used to compromise IDSs. Answers A and F are therefore incorrect. Pattern matching is a methodology used by signatures to detect an intrusion, not an evasive technique. Therefore, Answer C is incorrect.

Question 5

Which of the following is a component that is included with Cisco IEV?

  A. CSEC

  B. CCO

  C. NSDB

  D. C-CRT

Answer C is correct. Cisco's IEV, available from http://www.cisco.com, includes the Network Security Database, a reference of detailed signature and vulnerability information. CCO is a Cisco Connection Online account and is required to access the online version of NSDB. CSEC, the Cisco Secure Encyclopedia, is the online version of NSDB. Answers A and B are therefore incorrect. C-CRT is the Cisco Countermeasures Research Team, which provides support for active updates but has no relationship to IEV. Therefore, Answer D is incorrect.

Question 6

Which of the following are enhancements that the IDSM2 offers over the IDSM? (Choose three.)

  A. 600Mbps instead of 200Mbps

  B. 600Mbps instead of 120Mbps

  C. SPAN and RSPAN support

  D. VACL capture

  E. Same code as version 4 sensor appliances

  F. Support for both blocking and TCP Reset

Answers B, E, and F are correct. The IDSM2 offers 600Mbps instead of the IDSM's 120Mbps, uses the same code as the version 4 sensor appliances, and supports both blocking and TCP resets in response to attack detection. The IDSM supports only 120Mbps of performance, not 200Mbps; therefore, Answer A is incorrect. The IDSM already supports SPAN, RSPAN, and VACL capture, so these are not enhancements of the IDSM2; therefore, Answers C and D are incorrect.

Question 7

IEV version 4 can support the monitoring and reporting of up to how many sensor devices?

  A. Only the device on which it's installed

  B. Three

  C. Five

  D. Up to 300

Answer C is correct. IEV version 4 can support the monitoring and reporting of up to five sensor devices. IEV version 3 supports up to three sensor devices, but the question specifically refers to IEV version 4. Answers A, B, and D are therefore incorrect.

Question 8

Management Center for the Cisco Security Agent (CSA MC) supports deployment for up to how many host agents?

  A. 100

  B. 1000

  C. 3000

  D. 5000

Answer D is correct. The CSA MC supports management for up to 5000 host Security Agents. Therefore, Answers A, B, and C are incorrect.

Question 9

The PostOffice protocol uses which of the following ports?

  A. TCP 1741

  B. UDP 1741

  C. TCP 443

  D. UDP 443

  E. TCP 45000

  F. UDP 45000

Answer F is correct. The PostOffice protocol uses UDP port 45000 for communications. Therefore, Answers A through E are incorrect.

Question 10

When using RDEP, when are alarms overwritten?

  A. When a time limit configured through MC is reached

  B. When the threshold of 2GB is reached

  C. When the threshold of 4GB is reached

  D. When the alarm threshold configured through MC is reached

  E. Either on an hourly, daily, or weekly basis, as configured through IEV

Answer C is correct. A Sensor process called sensorApp begins to overwrite alarms when the threshold of 4GB is reached. Therefore, Answers A, B, D, and E are incorrect.
