Cisco 642-532 Exam Download, 100% Real Cisco 642-532 Braindumps On Store

We are committed to providing you with the latest and most accurate Cisco 642-532 exam preparation products. If you want to pass the Cisco 642-532 exam, read the latest Cisco 642-532 brain dumps on Flydumps.

QUESTION 51
Of the following choices, which signature description best describes a String signature engine?
A. Network reconnaissance detection
B. Regular expression-based pattern inspection for multiple transport protocols
C. Layer 5, 6, and 7 services that require protocol analysis
D. State-based, regular expression-based pattern inspection and alarm functionality for TCP streams
E. None of the above

Correct Answer: B Section: (none) Explanation Explanation/Reference: Explanation:
A STRING engine is defined as a signature engine that provides regular expression-based pattern inspection and alert functionality for multiple transport protocols, including TCP, UDP, and ICMP.

Reference:
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/ products_command_reference_chapter09186a00803a
QUESTION 52
The new Certkiller trainee technician wants to know which of the following signature engines would be the best choice when creating a signature to examine EIGRP packets, which use IP protocol number 88. What will your reply be?
A. SERVICE.GENERIC
B. ATOMIC.L3.IP
C. ATOMIC.IP.ROUTING
D. OTHER
E. ATOMIC.IPOPTIONS

Correct Answer: B Section: (none) Explanation
Explanation/Reference: Explanation:
ATOMIC.L3.IP is a general-purpose Layer 3 inspector. It can handle DataLength and Protocol Number comparisons. It also has some hooks for fragment and partial ICMP comparisons. None of the parameters are required, so a simple signature meaning “any IP packet” can be written.
QUESTION 53
Which type of signature engine is best suited to create a custom signature that would inspect data at Layers 5-7?
A. Atomic
B. String
C. Sweep
D. Service
E. AIC
F. None of the above

Correct Answer: D Section: (none) Explanation
Explanation/Reference: Explanation:
Service Engines:
SERVICE engines analyze Layer 5+ traffic between two hosts. These are 1:1 signatures that track persistent data on the STREAM (AaBb) for TCP or QUAD (AaBb) for UDP. The engines decode and interpret the Layer 5+ payload in a manner similar to the live service. A full service-like decode may not be necessary if a partial decode provides enough information to inspect the signatures. The engines decode enough of the data to make the signature determinations but do not decode more than is needed; this minimizes CPU and memory load.
The purpose of the SERVICE decode is to mimic the live server's interpretation of the Layer 5+ payload. The decoded fields are compared to the signature's parameters, so the decode is used primarily in determining whether a signature matches.

Reference:
www.cisco.com/en/US/products/ps6634/products_white_paper0900aecd80327257.shtml
QUESTION 54
By manipulating the TTL on a TCP packet, an attacker could desynchronize inspection. Signature 1308
(TTL evasion) fires when the TTL for any packet in a TCP session is higher than the lowest-observed TTL
for that session.
Signature 1308 rewrites all TTLs to the lowest-observed TTL, and produces an alert.
The Certkiller security administrator would like to have the signatures continue to modify packets inline but
avoid generating alerts.
How could this be done?

A. This cannot be done; an alert is always generated when a signature fires.
B. Remove the Produce Alert action from the signature.
C. Create an Event Variable.
D. Create an Event Action Override that is based on the Produce Alert action.
E. Create a custom signature with the Meta engine.

Correct Answer: B Section: (none) Explanation
Explanation/Reference: Explanation:
The Produce Alert action writes the event to the Event Store as an evIdsAlert, and it is enabled by default for all signatures. To have the sensor keep modifying packets inline for a specific signature without generating alerts, remove the Produce Alert action from that signature and leave Modify Packet Inline in place. Be aware that once the alert is removed, the evasion attempts that signature 1308 corrects leave no record in the Event Store.
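To make the TTL-desynchronization problem behind signature 1308 concrete, here is an added Python simulation. It is not Cisco code and not from this exam guide: the topology (sensor one hop from the attacker, victim three hops away), the segments, the naive first-seen reassembly and the String-style pattern are all constructed for the example. It shows a decoy segment with a low TTL fooling an inspector that does not track TTLs, and then the Normalizer behaviour the question describes (clamp each packet's TTL to the lowest TTL seen in the session, with the alert optional) closing the gap.

```python
"""Added simulation (not Cisco code) of the TTL-insertion evasion that signature 1308
defends against, and of the Normalizer's 'clamp TTL to the session floor' response."""
import re
from dataclasses import dataclass, replace

# Constructed topology: the inline sensor sits 1 router hop from the attacker and the
# victim 3 hops away. A packet with TTL t is still alive after h router hops only if t > h.
SENSOR_HOPS = 1
VICTIM_HOPS = 3

# Illustrative String-engine style regex (constructed for this example).
PATTERN = re.compile(rb"/cgi-bin/phf")


@dataclass(frozen=True)
class Segment:
    seq: int        # sequence offset within the session
    payload: bytes
    ttl: int


def attack_segments():
    """Constructed insertion attack: a decoy segment overlaps the same sequence range
    as the real data but carries a TTL too small to reach the victim."""
    return [
        Segment(0, b"GET /cgi-bin/", 64),
        Segment(13, b"junk", 2),    # reaches the sensor, expires before the victim
        Segment(13, b"phf ", 64),   # the real bytes; a first-seen inspector ignores the overlap
    ]


def deliver(segments, hops):
    """Packets that survive `hops` routers each decrementing the TTL."""
    return [s for s in segments if s.ttl > hops]


def reassemble(segments):
    """Naive first-seen reassembly: bytes already present at an offset are kept."""
    stream = {}
    for s in segments:
        for i, b in enumerate(s.payload):
            stream.setdefault(s.seq + i, b)
    return bytes(stream[k] for k in sorted(stream))


def normalize_ttl(segments, produce_alert=True):
    """Signature 1308 behaviour: a packet whose TTL exceeds the lowest TTL seen so far in
    the session is rewritten to that floor (Modify Packet Inline). The alert is optional,
    mirroring the 'keep modifying, stop alerting' configuration from the question."""
    floor = None
    forwarded, alerts = [], []
    for s in segments:
        floor = s.ttl if floor is None else min(floor, s.ttl)
        if s.ttl > floor:
            if produce_alert:
                alerts.append(f"sig 1308 TTL evasion: ttl {s.ttl} > session floor {floor}")
            s = replace(s, ttl=floor)
        forwarded.append(s)
    return forwarded, alerts


def run(normalizer_on, produce_alert=True):
    """Return what the sensor inspected, what the victim received, and any alerts."""
    on_wire = deliver(attack_segments(), SENSOR_HOPS)   # everything that reaches the sensor
    alerts = []
    if normalizer_on:
        on_wire, alerts = normalize_ttl(on_wire, produce_alert)
    sensor_view = reassemble(on_wire)
    victim_view = reassemble(deliver(on_wire, VICTIM_HOPS))
    return {
        "sensor": sensor_view,
        "victim": victim_view,
        "sensor_hit": PATTERN.search(sensor_view) is not None,
        "victim_hit": PATTERN.search(victim_view) is not None,
        "alerts": alerts,
    }


if __name__ == "__main__":
    for cfg in ((False, True), (True, True), (True, False)):
        print(cfg, run(*cfg))
```

Without the Normalizer the sensor reassembles `GET /cgi-bin/junk` while the victim receives `GET /cgi-bin/phf `, so the pattern fires only where nobody is watching. With TTL clamping the real segment inherits the decoy's TTL and never reaches the victim; the sensor's view is then a superset of the victim's, which is the property an inline inspector needs. Removing the alert keeps that protection but, as the explanation above notes, leaves no record of the attempt.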
QUESTION 55
To ensure that all packets traversing the Certkiller network conform to RFC standards, the Normalizer
engine is being used on a sensor.
Which action is available only to signatures supported by the Normalizer engine?

A. Produce Verbose Alert
B. Modify Packet Inline
C. Deny Packet Inline
D. Log Pair Packets
E. Request SNMP Trap
F. Reset TCP Connection
G. All of the above

Correct Answer: B Section: (none) Explanation
Explanation/Reference: Explanation:
The NORMALIZER engine deals with IP fragment reassembly and TCP stream reassembly. With the NORMALIZER engine you can set limits on system resource usage, for example the maximum number of fragments the sensor tries to track at the same time.
The Modify Packet Inline action is provided by the Normalizer engine when the sensor is deployed inline. It scrubs the packet and corrects irregularities such as bad checksums, out-of-range values, and other RFC violations before forwarding it.
Reference:
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/ products_configuration_guide_chapter09186a008045
QUESTION 56
A new sensor was installed on the Certkiller LAN.
Which sensor process is used to initiate the blocking response action on this device?
A. EXEC
B. Network Access Controller
C. Blockd
D. shunStart
E. ACL Daemon

Correct Answer: B Section: (none) Explanation
Explanation/Reference: Explanation:
The Attack Response Controller (ARC), the blocking application on the sensor, starts and stops blocks on routers, switches, PIX Firewalls, FWSM, and ASA. ARC blocks the IP address on the devices it is managing. It sends the same block to all the devices it is managing, including any other master blocking sensors. ARC monitors the time for the block and removes the block after the time has expired.
Note:
ARC was formerly known as Network Access Controller. The name has been changed for IPS 5.1, although IDM still contains the term Network Access Controller.

Reference:
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/ products_configuration_guide_chapter09186a00804d
QUESTION 57
You want to configure a new Certkiller sensor to ensure malicious attacks on the network are prevented. What would best mitigate the executable-code exploits that can perform a variety of malicious acts, such as erasing your hard drive?
A. Assigning deny actions to signatures that are controlled by the Trojan engine
B. Assigning the TCP reset action to signatures that are controlled by the Normalizer engine
C. Enabling blocking
D. Enabling Application Policy Enforcement
E. Assigning blocking actions to signatures that are controlled by the State engine
F. None of the above

Correct Answer: A Section: (none) Explanation
Explanation/Reference: Explanation:
Attacks or other misuses of network resources can be defined as network intrusions. Sensors that use a signature-based technology can detect network intrusions. A signature is a set of rules that your sensor uses to detect typical intrusive activity, such as DoS attacks. As sensors scan network packets, they use signatures to detect known attacks and respond with actions that you define. The sensor compares the list of signatures with network activity. When a match is found, the sensor takes an action, such as logging the event or sending an alert. Sensors let you modify existing signatures and define new ones. Actions can be assigned to each signature, specifying the action to take when an attack is found. For the most severe attacks such as the one described in this question, the best approach would be to configure deny actions for this signature, preventing the Trojan attack from taking place.
QUESTION 58
When the specific signature 3116 (NetBus) is detected in the Certkiller network, you want your sensor to
terminate the current packet and future packets on the TCP flow.
Which action should you assign to the signature to accomplish this?

A. Request Block Connection
B. Request Block Host
C. Deny attacker Inline
D. Deny Connection Inline
E. Reset TCP Connection
F. Modify Packet Inline

Correct Answer: D Section: (none) Explanation
Explanation/Reference: Explanation:
The Deny Connection Inline action drops the current packet and all future packets on that TCP flow, so the NetBus session cannot traverse the network. The following list describes the event actions that can be configured:
Event Actions:
The following event action parameters belong to each signature engine:
Produce-alert-Writes an <evIdsAlert> to the Event Store.
Produce-verbose-alert-Includes an encoded dump (possibly truncated) of the offending packet in the
evIdsAlert.
Deny-attacker-inline -Does not transmit this packet and future packets from the attacker address for a
specified period of time (inline only).
Deny-connection-inline -Does not transmit this packet and future packets on the TCP Flow (inline only).
Deny-packet-inline-Does not transmit this packet.
Log-attacker-packets-Starts IP logging of packets containing the attacker address (inline only).
Log-pair-packets-Starts IP logging of packets containing the attacker-victim address pair.
Log-victim-packets-Starts IP logging of packets containing the victim address.
Request-block-connection-Requests Network Access Controller to block this connection.
Request-block-host-Requests Network Access Controller to block this attacker host.
Request-snmp-trap-Sends request to NotificationApp to perform SNMP action.
Reset-tcp-connection-Sends TCP resets to hijack and terminate the TCP flow.
Modify-packet-inline-Modifies packet contents (inline only).
Reference:
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/ products_configuration_guide_chapter09186a008045
QUESTION 59
The Certkiller security administrator is trying to calculate a numerical value on the importance of individual alerts. What is a configurable weight that is associated with the perceived importance of a network asset?
A. Risk Rating
B. Parameter value
C. Target Value Rating
D. Severity level
E. Storage key
F. Rate parameter

Correct Answer: C Section: (none) Explanation
Explanation/Reference: Explanation:
The Target Value Rating is a main component in determining the Risk Rating, and is used to place a relative value on the importance of a device. In contrast to the simplistic alert rating models commonly used in the industry, Cisco IPS Version 5.0 Sensor Software assigns a Risk Rating to each alert generated by an IPS sensor. The intent of the Risk Rating is to give the user an indication of the relative risk of the traffic or offending host continuing to access the user's network. The rating can be used either to highlight the events that require immediate administrator attention in classic intrusion detection system (IDS) promiscuous mode, or as the basis for risk-oriented event action policies when the sensor is deployed inline in intrusion prevention system (IPS) mode. The Risk Rating is an integer in the range 0 to 100; the higher the value, the greater the security risk of the trigger event for the associated alert. It is a calculated number whose primary components are the Alert Severity Rating (ASR), Signature Fidelity Rating (SFR) and Target Value Rating (TVR), with the Attack Relevancy Rating (ARR) as a fourth component where supported. The three inputs with fixed value scales are:

Signature Fidelity Rating (SFR): relative measure of the accuracy of the signature (predefined by Cisco Systems, Inc.); 0-100.
Alert Severity Rating (ASR): relative result or damage if the attack succeeds (predefined); 25 = Informational, 50 = Low, 75 = Medium, 100 = High.
Target Value Rating (TVR): value used to raise or lower the Risk Rating based on the target of the attack (user defined); 75 = Low Asset Value, 100 = Medium Asset Value, 150 = High Asset Value, 200 = Mission Critical Asset Value.

Reference:
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/ products_white_paper0900aecd80191021.shtml
QUESTION 60

Refer to the exhibit shown above. You want your inline Cisco IPS 4255 sensor to drop packets that pose
the most severe risk to your network, especially to the servers on your DMZ.
Which two should you use to accomplish your goal in the most time-efficient manner?
(Choose two)

A. Use an Event Action Filter
B. Modify the Signature Fidelity Rating
C. Adjust the Alert Severity
D. Configure an Event Action Override
E. Modify the Application Policy
F. Adjust the Target Value Rating

Correct Answer: DF Section: (none) Explanation
Explanation/Reference: Explanation:
Since this server is deemed more important than other elements on the same IP network, the security administrator should use Target Value Ratings to assign it a higher level of importance. Cisco defines the Target Value Rating as a weight associated with the perceived value of the target. TVR is a user-configurable value that identifies the importance of a network asset (through its IP address). You can develop a security policy that is more stringent for valuable corporate resources and looser for less important resources. For example, you could assign the company web server a higher TVR than a desktop node; attacks against the web server then have a higher RR than attacks against the desktop. Finally, event action overrides should be configured to drop attacks aimed at the server. Event action overrides are a way to add event actions globally without having to configure each signature individually. Each event action has an associated RR range. If a signature event occurs and the RR for that event falls within the range for an event action, that action is added to the event. By contrast, event action filters remove specific actions from an event or discard an entire event and prevent further processing by the sensor; event variables you have defined can be used to group addresses for your filters.

Reference:
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/ products_configuration_guide_chapter09186a008045
QUESTION 61
The Certkiller security administrator is determining the risk rating for specific events.
Which three values are used to calculate the risk rating for an event?
(Choose three)

A. Alert Severity Rating
B. Signature Fidelity Rating
C. Target Value Rating
D. Target Fidelity Rating
E. Reply Ration
F. Rate
G. Cost Metric

Correct Answer: ABC Section: (none) Explanation
Explanation/Reference: Explanation:
The risk rating is realized as an integer value in the range 0 to 100. The higher the value, the greater the security risk of the trigger event for the associated alert. The risk rating is a calculated number that has three primary components: Alert Severity Rating (ASR), Signature Fidelity Rating (SFR), and Target Value Rating (TVR). The inputs are:

Signature Fidelity Rating (SFR): relative measure of the accuracy of the signature (predefined by Cisco Systems, Inc.); 0-100.
Alert Severity Rating (ASR): relative result or damage if the attack succeeds (predefined); 25 = Informational, 50 = Low, 75 = Medium, 100 = High.
Target Value Rating (TVR): value used to raise or lower the Risk Rating based on the target of the attack (user defined); 75 = Low Asset Value, 100 = Medium Asset Value, 150 = High Asset Value, 200 = Mission Critical Asset Value.

Reference:
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/ products_white_paper0900aecd80191021.shtml
QUESTION 62
In a Certkiller IPS device, both the AIC engine and the Application Policy Enforcement features are enabled. In which of the scenarios listed below are these features needed?
A. You think some users with operator privileges have been misusing their privileges. You want the sensor to detect this activity and revoke authentication privileges.
B. You think users on your network are disguising the use of file-sharing applications by tunneling the traffic through port 80. You want your sensor to identify and stop this activity.
C. You have been experiencing attacks on your voice gateways. You want to implement advanced VOIP protection.
D. You believe that hackers are evading the Cisco IPS. You want the sensor to eradicate anomalies in the IP and TCP layers that allow an IPS to be avoided.

Correct Answer: B Section: (none) Explanation
Explanation/Reference: Explanation:
Cisco IPS Version 5.0 Sensor Software detects and prevents covert channel tunneling through port 80. For example, a request message can be inspected that indicates traffic is being tunneled through web ports by the application GoToMyPC. Similarly, users can easily disguise the use of file-sharing applications such as Kazaa by tunneling the traffic through port 80. These types of activities can be accurately identified and subsequently stopped. The AIC engine and the Application Policy Enforcement feature provide deep analysis and control of a broad set of applications, including control of peer-to-peer, instant messaging (IM), and tunneled applications over port 80. This allows the user to make policy decisions concerning various traffic types and Multipurpose Internet Mail Extensions (MIME) types to help ensure that malicious traffic is not allowed to traverse the network.

Reference:
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_data_sheet0900aecd801eeea5.html
QUESTION 63
A Custom signature needs to be created in a Certkiller sensor.
Under which tab in the Cisco IDM can you find the Custom Signature Wizard?

A. Device
B. Configuration
C. Monitoring
D. Administration
E. None of the above

Correct Answer: B Section: (none) Explanation
Explanation/Reference: Explanation:
The Custom Signature Wizard guides you through a step-by-step process for creating custom signatures.
There are two possible sequences-using a signature engine to create your custom signature or creating
the custom signature without a signature engine.
The Custom Signature Wizard provides a step-by-step procedure for configuring custom signatures.
Using the IDM, the first step to create custom signatures using the Custom Signature Wizard is:
Step1 Click Configuration> Signature Definition> Custom Signature Wizard.
Reference:
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/ products_configuration_guide_chapter09186a00803e
QUESTION 64
A new Certkiller sensor is generating a great deal of false positive alerts on the web servers.
Which two actions will help to reduce the amount of these false positives?
(Choose two)

A. Create a policy that denies attackers inline and filters alerts for events with high Risk Ratings.
B. Lower the severity level of signatures that are generating the false positives.
C. Lower the fidelity ratings of signatures that are generating the false positives.
D. Raise the Target Value Ratings for your web servers.
E. Create a filter that filters out any alerts whose target address is that of one of your web servers.

Correct Answer: AD Section: (none) Explanation
Explanation/Reference: Explanation:
The Target Value Rating (TVR) is a user-configurable value that identifies the importance of a network asset (through its IP address). You can develop a security policy that is more stringent for valuable corporate resources and looser for less important resources. For example, you could assign a TVR to the company web server that is higher than the TVR you assign to a desktop node. In this example, attacks against the company web server have a higher RR than attacks against the desktop node. Raising the TVR and creating a policy that filters for the events associated with a high Risk Rating would reduce the number of overall false positive alerts for the web server.

Incorrect Answers:
B: The Alert Severity Rating (ASR) = Relative result or damage if the attack succeeds (predefined); 25-Information, 50-Low, 75-Medium, 100-High. This value will only affect the severity of the alert, not the total number of alerts.
C: The Signature Fidelity Rating (SFR) = Relative measure of the accuracy of the signature (predefined); 0-100 Set by Cisco. Lowering this value would most likely result in more false positive alerts.
E: This will eliminate all of the alerts for attacks aimed at the web servers, including real attacks. This would fundamentally defeat the purpose of using an IPS device to monitor the web servers in the first place.
QUESTION 65
Newly installed sensors need to be configured to send SNMP traps to the Certkiller NOC.
Which two tasks must you complete in Cisco IDM to configure the sensor to allow an SNMP network
management station to obtain the sensor’s health and welfare information?
(Choose two)

A. From the SNMP General Configuration panel, configure the SNMP agent parameters.
B. From the SNMP Traps Configuration panel, enable SNMP Traps and SNMP Gets/Sets.
C. From the SNMP Traps Configuration panel, enable SNMP Traps.
D. From the SNMP General Configuration panel, enable SNMP Gets/Sets.
E. From the SNMP Traps Configuration panel, enable SNMP Traps and SNMP Get-Responses.

Correct Answer: AD Section: (none) Explanation
Explanation/Reference: Explanation:
Use the SNMP General Configuration panel to configure the sensor to use SNMP.
The following fields and buttons are found on the SNMP General Configuration panel.
Field Descriptions:
Enable SNMP Gets/Sets-If selected, allows SNMP gets and sets.
SNMP Agent Parameters-Configures the parameters for SNMP agent.
Read-Only Community String-Identifies the community string for read-only access.
Read-Write Community String-Identifies the community string for read and write access.
Sensor Contact-Identifies the contact person, contact point, or both for the sensor.
Sensor Location-Identifies the location of the sensor.

Sensor Agent Port-Identifies the IP port of the sensor.
The default is 161.
Sensor Agent Protocol-Identifies the IP protocol of the sensor.
The default is UDP.

To set the general SNMP parameters, follow these steps:
Step1 Log in to IDM using an account with administrator privileges.
Step2 Click Configuration> SNMP> SNMP General Configuration. The SNMP General Configuration panel
appears.
Step3 Select Enable SNMP Gets/Sets to enable SNMP so that the SNMP management workstation can
issue requests to the sensor SNMP agent.
Step4 Configure the SNMP agent parameters:
Reference:
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/ products_configuration_guide_chapter09186a00804 c
QUESTION 66
What information can the Certkiller network security administrator specify in a Cisco IDS exclude signature
filter?
(Choose two)

A. Signature name
B. Signature ID
C. Signature action
D. Signature severity level
E. Sub-signature ID
F. Source port

Correct Answer: BE Section: (none) Explanation
Explanation/Reference: Explanation:
When defining a simple filter, you configure the following fields:
Signature
Subsignature
IP address
Network Mask
Address Role
Reference:
Cisco Secure Intrusion Detection System (Cisco Press) page 446
QUESTION 67
A new Certkiller IPS appliance needs to be configured to have the inline sensor deny attackers inline when
events occur that have a Risk Ratings over 85.
Which two actions will accomplish this?
(Choose two)

A. Create Target Value Ratings of 85 to 100.
B. Create an Event Variable for the protected network.
C. Enable Event Action Overrides.
D. Create an Event Action Filter, and assign the Risk Rating range of 85 to 100 to the filter.
E. Enable Event Action Filters.
F. Assign the Risk Rating range of 85 to 100 to the Deny Attacker Inline event action.
Correct Answer: CF Section: (none) Explanation

Explanation/Reference: Explanation:
Calculating the Risk Rating: an RR is a value between 0 and 100 that represents a numerical quantification of the risk associated with a particular event on the network. The calculation takes into account the value of the network asset being attacked (for example, a particular server), so it is configured on a per-signature basis (ASR and SFR) and on a per-host basis (TVR). RRs let you prioritize alerts that need your attention. These factors take into consideration the severity of the attack if it succeeds, the fidelity of the signature, and the overall value of the target host to you.
You can add an event action override to change the actions associated with an event based on the RR of that event. Event action overrides are a way to add event actions globally without having to configure each signature individually. Each event action has an associated RR range. If a signature event occurs and the RR for that event falls within the range for an event action, that action is added to the event. For example, if you want any event with an RR of 85 or more to generate an SNMP trap, set the RR range for Request SNMP Trap to 85-100. If you do not want to use action overrides, you can disable the entire event action override component.
Event action rules are a group of settings you configure for the event action processing component of the sensor. These rules dictate the actions the sensor performs when an event occurs. The event action processing component is responsible for the following functions:
Calculating the risk rating
Adding event action overrides
Filtering event actions
Executing the resulting event actions
Summarizing and aggregating events
Maintaining a list of denied attackers
The Deny Attacker Inline event action does not transmit the triggering packet or future packets originating from the attacker address for a specified period of time (inline mode only). Once the 85-100 RR range has been assigned to the Deny Attacker Inline event action and event action overrides are enabled, any event whose RR falls in that range has the action added.

Reference:
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/ products_configuration_guide_chapter09186a008045
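The ratings defined in Questions 59 and 61, the event action list in Question 58 and the override in Question 67 form one pipeline: compute the RR, add override actions whose range covers it, then subtract whatever filters remove. The Python below is an added example that is not Cisco code and not part of this guide. It carries the arithmetic through with the page's own symbols; the product formula RR = ASR × TVR × SFR / 10000 is the one Cisco documented for IPS 5.0 (the page lists the inputs but does not write the formula out), while the cap at 100, integer truncation and a default TVR of 100 for hosts with no configured asset value are assumptions. The signature ASR/SFR values, the addresses, and the override and filter entries are constructed for the example.

```python
"""Added example (not Cisco code): Risk Rating arithmetic feeding event action overrides
and event action filters. Formula RR = ASR * TVR * SFR / 10000 as documented for IPS 5.0;
the cap at 100, truncation and the default TVR are assumptions made for this example."""
import ipaddress

ASR = {"informational": 25, "low": 50, "medium": 75, "high": 100}
TVR = {"low": 75, "medium": 100, "high": 150, "mission-critical": 200}
DEFAULT_TVR = TVR["medium"]   # assumed default for hosts with no configured asset value


def risk_rating(asr, sfr, tvr):
    """Integer Risk Rating 0-100 (assumed: integer truncation, capped at 100)."""
    if not 0 <= sfr <= 100:
        raise ValueError("SFR must be 0-100")
    return min(100, asr * tvr * sfr // 10000)


# Event action overrides: (RR range) -> action added to every event in that range.
# Mirrors Question 67: deny attackers inline for RR 85-100 (plus the SNMP trap example).
OVERRIDES = [
    ((85, 100), "deny-attacker-inline"),
    ((85, 100), "request-snmp-trap"),
]

# Event action filters: subtract actions from matching events. Constructed entry:
# drop the alert for signature 1308 (the Question 54 case) but keep its inline rewrite.
FILTERS = [
    {"sig_id": 1308, "victims": ipaddress.ip_network("0.0.0.0/0"), "remove": {"produce-alert"}},
]


def apply_overrides(actions, rr, overrides=OVERRIDES, enabled=True):
    """Add every override action whose RR range contains this event's RR."""
    actions = set(actions)
    if enabled:
        for (lo, hi), action in overrides:
            if lo <= rr <= hi:
                actions.add(action)
    return actions


def apply_filters(actions, sig_id, victim, filters=FILTERS):
    """Remove actions named by each filter that matches the signature and victim."""
    actions = set(actions)
    for f in filters:
        if f["sig_id"] in (None, sig_id) and ipaddress.ip_address(victim) in f["victims"]:
            actions -= f["remove"]
    return actions


def process_event(sig, victim, assets, overrides_enabled=True):
    """Event action processing in the order the page lists it: compute RR, add
    overrides, filter, and return (RR, resulting action set)."""
    tvr = assets.get(victim, DEFAULT_TVR)
    rr = risk_rating(sig["asr"], sig["sfr"], tvr)
    actions = apply_overrides(sig["actions"], rr, enabled=overrides_enabled)
    actions = apply_filters(actions, sig["id"], victim)
    return rr, actions


# Constructed inputs: signature 3116 (NetBus) and 1308 (TTL evasion) with illustrative
# ASR/SFR values; one DMZ web server rated High, desktops left at the default rating.
NETBUS = {"id": 3116, "asr": ASR["medium"], "sfr": 80, "actions": {"produce-alert"}}
TTL_EVASION = {"id": 1308, "asr": ASR["medium"], "sfr": 80,
               "actions": {"produce-alert", "modify-packet-inline"}}
ASSETS = {"10.0.0.80": TVR["high"]}   # DMZ web server (constructed address)

if __name__ == "__main__":
    print(process_event(NETBUS, "10.0.0.80", ASSETS))      # RR 90: override adds deny
    print(process_event(NETBUS, "10.0.5.23", ASSETS))      # RR 60: alert only
    print(process_event(TTL_EVASION, "10.0.0.80", ASSETS))  # alert filtered, rewrite kept
```

The same signature event scores 90 against the High-rated web server but 60 against a desktop, which is exactly why Questions 60 and 67 pair a TVR change with an override rather than editing each signature. Disabling the override component leaves only the signature's own actions, and a filter removes actions after the overrides have been added, so a filter that removes everything for a victim address silences real attacks as well (the rejected option E in Question 64).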
QUESTION 68
You need to retrieve Sensor IP logs for analysis.
Which of the following methods are available to you to accomplish this task?
(Choose all that apply)

A. Download via IDM
B. Archive using SCP
C. Copy using FTP
D. Import to IDS MC
E. Upload using Security Monitor

Correct Answer: AC Section: (none) Explanation
Explanation/Reference: Explanation:
IP log files can be retrieved by the following methods:
1. Use the CLI copy command to copy the IP log files to another host system using FTP or SCP.
2. Download the IP log files via IDM.
After retrieving the IP log files, you can use a network protocol analyzer to examine the data.
Note: "Archive using SCP" is false as worded, although "Copy using SCP" would be true.

QUESTION 69
The following output was seen on a Certkiller IPS device:

Refer to the exhibit shown above. You notice these alerts and other with some of the same attributes on
your sensor when you arrive at work one morning.
What is an appropriate action to take?

A. Set Bypass mode to off for Sensor1.
B. Lower the target Value Ratings for hosts on your internal network.
C. Lower the Alert Severity level of signatures 2004 and 60000.
D. Create an Active Host Block.
E. Activate all retired signatures.

Correct Answer: D Section: (none) Explanation
Explanation/Reference: Explanation:
The output shown above is the result of a “show events” command, and shows two separate alert instances. Both of them were initiated by a device with IP address 192.168.10.10, so an active host block should be created for this specific device to stop it from continuing to attack the network. Use the Active Host Blocks panel to configure and manage blocking of hosts. An active host block denies traffic from a specific host permanently (until you remove the block) or for a specified amount of time. You can base the block on a connection by specifying the destination IP address and the destination protocol and port. An active host block is defined by its source IP address. If you add a block with the same source IP address as an existing block, the new block overwrites the old block. If you specify an amount of time for the block, the value must be in the range of 1 to 70560 minutes (49 days). If you do not specify a time, the host block remains in effect until the sensor is rebooted or the block is deleted.
QUESTION 70
Which of the following represents the best description of a post-block ACL on an IDS blocking device?
A. ACL applied to a managed interface once an attack has been detected.
B. ACL entries applied to the end of the active ACL after blocking entries.
C. ACL used to block traffic on the inbound direction of a managed interface
D. ACL used to block traffic on the internal (trusted) interface of a managed device.
E. ACL used to block traffic on the external (untrusted) interface of a managed device

Correct Answer: B Section: (none) Explanation
Explanation/Reference: Explanation:
If you want to change the ACL generated by the Sensor, you can specify either Pre-block or Post-block ACLs. The Pre-block ACL designates ACL entries that the Sensor should place in the beginning of the new ACL, before the addition of any Sensor blocking, deny, entries for the addresses and, or connections being blocked. The Post-block ACL designates ACL entries that the Sensor should place after the Sensor blocking entries.
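The ordering described above matters because an ACL is evaluated first match wins: a pre-block entry is seen before the sensor's deny entries, a post-block entry only after them. The Python below is an added example, not Cisco code and not from this guide, that assembles an ACL in that order and walks packets through it. The address specs it parses (`any`, `host A`, `A WILDCARD`, optional `eq PORT`) are the plain IOS extended-ACE forms; the management host, attacker, blocked connection and post-block entries are constructed, and the assumption that the sensor ends the list with `permit ip any any` when no post-block ACL is configured is marked in the code.

```python
"""Added example (not Cisco code): order of a sensor-generated ACL and what a careless
pre-block ACL does to it. Pre-block entries first, then the sensor's deny entries,
then post-block entries; evaluation is first match."""
import ipaddress


def build_acl(pre_block, blocked_hosts, blocked_connections, post_block):
    """Assemble the ACL in the documented order. Assumption: with no post-block ACL
    configured the sensor closes the list with 'permit ip any any'."""
    acl = list(pre_block)
    for host in blocked_hosts:
        acl.append(f"deny ip host {host} any")
    for src, dst, proto, port in blocked_connections:
        acl.append(f"deny {proto} host {src} host {dst} eq {port}")
    acl += list(post_block) if post_block else ["permit ip any any"]
    return acl


def _addr(tokens, i):
    """Parse an IOS address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    # 'A WILDCARD': ipaddress accepts a hostmask after the slash
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def first_match(acl, src, dst, proto="ip", port=None):
    """First-match evaluation of simple extended ACEs, with the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in acl:
        t = entry.split()
        action, ace_proto = t[0], t[1]
        src_net, i = _addr(t, 2)
        dst_net, i = _addr(t, i)
        ace_port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        if ace_proto != "ip" and ace_proto != proto:
            continue
        if s not in src_net or d not in dst_net:
            continue
        if ace_port is not None and ace_port != port:
            continue
        return action, entry
    return "deny", "implicit deny"


# Constructed data. The management host is listed in the pre-block ACL so that a block
# raised against it (here simulated by listing it among the blocked hosts) never takes
# effect; 192.168.10.10 is the attacker from the Active Host Block example.
PRE_BLOCK = ["permit ip host 10.1.1.5 any"]
BLOCKED_HOSTS = ["192.168.10.10", "10.1.1.5"]
BLOCKED_CONNS = [("172.16.4.9", "10.0.0.80", "tcp", 80)]
POST_BLOCK = ["permit tcp any any eq 80", "permit tcp any any eq 443", "deny ip any any"]


def demo(pre_block=PRE_BLOCK):
    """Walk representative packets through the ACL built from the given pre-block entries."""
    acl = build_acl(pre_block, BLOCKED_HOSTS, BLOCKED_CONNS, POST_BLOCK)
    return {
        "attacker": first_match(acl, "192.168.10.10", "10.0.0.80", "tcp", 22)[0],
        "mgmt_host": first_match(acl, "10.1.1.5", "10.0.0.80", "tcp", 22)[0],
        "blocked_conn": first_match(acl, "172.16.4.9", "10.0.0.80", "tcp", 80)[0],
        "same_src_other_port": first_match(acl, "172.16.4.9", "10.0.0.80", "tcp", 443)[0],
    }


if __name__ == "__main__":
    print("sane pre-block:  ", demo())
    print("broad pre-block: ", demo(["permit ip any any"]))
```

With a narrow pre-block ACL the attacker is denied, the management host keeps access even though a block names it, and the blocked connection is denied only on the port the sensor specified. Replace the pre-block ACL with `permit ip any any` and every block the sensor pushes becomes dead code, which is the check to make before trusting a blocking device: the pre-block entries must be limited to hosts you genuinely never want blocked.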
QUESTION 71
One of the Certkiller IPS devices is configured as a Master Blocking Sensor. What is the primary function of a Master Blocking Sensor?
A. To serve as the central point of configuration in the Cisco IDM for blocking.
B. To serve as the central point of configuration in the Cisco IDS MC for blocking.
C. To manage and distribute blocking configurations to other slave sensors.
D. To directly communicate the blocking requests sent by other sensors.
E. To provide the first line of attack detection and prevention through blocking.
F. All of the above

Correct Answer: D Section: (none) Explanation
Explanation/Reference: Explanation:
Two sensors cannot control blocking on the same device. If this situation is needed, configure one sensor as the master blocking sensor to manage the devices and the other sensors can forward their block requests to the master blocking sensor. Multiple sensors (blocking forwarding sensors) can forward blocking requests to a specified master blocking sensor, which controls one or more devices. The master blocking sensor is the Network Access Controller running on a sensor that controls blocking on one or more devices on behalf of one or more other sensors. The Network Access Controller on a master blocking sensor controls blocking on devices at the request of the Network Access Controllers running on other sensors.

Reference:
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/ products_configuration_guide_chapter09186a008045
QUESTION 72
You are the Certkiller administrator and have been requested to permit communications with a Blocking
Forward Sensor using encryption.
Which of the following will you configure on the Master Blocking Sensor in order to accomplish
communications as requested?

A. Configure the Blocking Forwarding Sensor’s IP address.
B. Configure the Blocking Forwarding Sensor’s SSH public key.
C. Configure the Allowed Hosts table to include the Blocking Forwarding Sensor.
D. Configure the TLS Trusted-Host table to include the Blocking Forwarding Sensor.
E. No additional configuration is required to configure a Master Blocking Sensor.

Correct Answer: C Section: (none) Explanation
Explanation/Reference: Explanation:
Multiple sensors can forward blocking requests to a specified master blocking sensor, which controls one or more devices. The sensor that sends its block requests to the master blocking sensor is referred to as a "blocking forwarding sensor." On the blocking forwarding sensor, you must specify which remote host serves as the master blocking sensor; on the master blocking sensor, you must add each blocking forwarding sensor to its Allowed Hosts (remote host) configuration so that it is permitted to connect.
QUESTION 73
A Certkiller sensor is acting as the Master Blocking Sensor.
What is the primary role that a Master Blocking Sensor is responsible for?

A. The Master Blocking must serve as the central point of configuration in IDM for blocking.
B. The Master Blocking must serve as the central point of configuration in IDS MC for blocking.
C. The Master Blocking must communicate the blocking requests sent by other Sensors directly.
D. The Master Blocking must provide the first line of attack detection and prevention through blocking.

Correct Answer: C Section: (none) Explanation
Explanation/Reference: Explanation:
Multiple sensors can forward blocking requests to a specified master blocking sensor, which controls one or more devices. The sensor that is sending its block requests to the master blocking sensor is referred to as a “blocking forwarding sensor.” On the blocking forwarding sensor, you must specify which remote host serves as the master blocking sensor; on the master blocking sensor, you must add the blocking forwarding sensors to its remote host configuration.
QUESTION 74
Some of the Certkiller users on the network are disguising the use of file-sharing applications by tunneling
the traffic through port 80.
How can you configure your sensor to identify and stop users from performing this activity?

A. Enable all signatures in the Service HTTP engine.
B. Assign the Deny Packet Inline action to all signatures in the Service HTTP engine.
C. Enable HTTP Application Policy and enable the Alarm on Non-HTTP Traffic signature.
D. Enable all signatures in the Service HTTP engine. Then create an Event Action Override that adds the Deny Packet Inline action to events triggered by these signatures if the traffic originates from your corporate network.
E. Enable the Alarm on the Non-HTTP Traffic signature. Then create an Event Action Override that adds the Deny Packet Inline action to events triggered by the signature if the traffic originates from your corporate network.
F. None of the above.

Correct Answer: C Section: (none) Explanation
Explanation/Reference: Explanation:
Cisco IOS HTTP Application Policy Overview: HTTP uses port 80 to transport Internet web services, which are commonly used on the network and rarely challenged with regard to their legitimacy and conformance to standards. Because port 80 traffic is typically allowed through the network without being challenged, many application developers leverage HTTP as an alternative transport protocol so that their application can travel through or even bypass the firewall. The Cisco IPS Version 5.0 sensor detects and prevents covert channel tunneling through port 80. For example, a request message can be inspected that indicates traffic is being tunneled through web ports using the application GoToMyPC. Similarly, users can easily disguise the use of file-sharing applications such as Kazaa by tunneling the traffic through port 80. These types of activities can be accurately identified and subsequently stopped. The AIC and application policy enforcement feature provides deep analysis and control of a broad set of applications, including control of peer-to-peer, instant messaging (IM), and tunneled applications over port 80. This allows the user to make policy decisions concerning various traffic types and Multipurpose Internet Mail Extensions (MIME) types to help ensure that malicious traffic is disallowed from traversing the network. By enabling the HTTP policy and alarming on non-HTTP traffic, you will be able to view and optionally block all applications other than HTTP that use port 80.

Reference:
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_data_sheet0900aecd801eeea5.html
QUESTION 75
The Certkiller security administrator is viewing the alert logs. What is the “hostid” entry in a Cisco IPS alert?
A. The blocking device that blocked the attack
B. The globally unique identifier for the attacker
C. The sensor that originated the alert
D. The IP address of the attacked host
E. The IP address of the attacker
F. None of the above.

Correct Answer: C Section: (none) Explanation
Explanation/Reference: Explanation:
The “hostid” entry seen in an IPS alert is the name or IP address of the sensor that originated the alert. Following is an example:
sensor#@ show events
evError: eventId=1041472274774840147 severity=warning vendor=Cisco
  originator:
    hostId: CK2
    appName: cidwebserver
    appInstanceId: 12075
  time: 2003/01/07 04:41:45 2003/01/07 04:41:45 UTC
  errorMessage: name=errWarning received fatal alert: certificate_unknown
In this example, the sensor named “CK2” generated the alert shown above.
QUESTION 76
The Certkiller security administrator wants to view the events generated by a sensor.
Which three are types of events that are generated by a Cisco sensor?
(Choose three)

A. evIdsAlert: intrusion detection alerts
B. evError: application errors
C. evStatus: status changes, such as software upgrade, that are being completed
D. evLog: IP logging requests
E. evAlert: system failure warnings
F. evSNMP: notification of data retrievals by an NMS

Correct Answer: BCE Section: (none) Explanation
Explanation/Reference: Explanation:
IPS Events:
IPS applications generate IPS events to report the occurrence of some stimulus. The events are the data,
such as the alerts generated by SensorApp or errors generated by any application. Events are stored in a
local database known as the Event Store.
There are five types of events:
<evAlert>-Alert event messages that report when a signature is triggered by network activity.
<evStatus>-Status event messages that report the status and actions of the IPS applications.
<evError>-Error event messages that report errors that occurred while attempting response actions.
<evLogTransaction>-Log transaction messages that report the control transactions processed by each sensor application.
<evShunRqst>-Block request messages that report when ARC issues a block request.
You can view the status and error messages using the CLI, IDM, and ASDM.
Reference:
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055
QUESTION 77
A large number of false negatives were discovered on the Certkiller LAN after a new sensor was
installed.
What is a false-negative alarm situation?

A. Normal traffic does not cause a signature to fire.
B. A signature is fired when offending traffic is not detected.
C. Normal traffic or a benign action causes a signature to fire.
D. A signature is not fired when offending traffic is present.
E. None of the above

Correct Answer: D Section: (none) Explanation
Explanation/Reference: Explanation:
Some legitimate network activity, such as virus scanning, can appear to be an attack on your network.
When legitimate network activity is reported as an attack, that report is called a false positive. More generally, a false positive can be defined as the interpretation of an instance of legitimate and expected network activity as an attack, because that activity meets criteria that were specified in advance to identify an attack. You can decrease the number of false positives by tuning your sensor signatures. Tuning your sensor signatures also helps with the opposite problem: it can decrease the number of false negatives. A false negative can be defined as an attack that was not detected.

Reference:
http://www.cisco.com/en/US/products/sw/cscowork/ps3990/products_user_guide_chapter09186a0080104f0f.htm
QUESTION 78
A Cisco IDS Sensor has been configured to detect attempts to extract the password file from the Certkiller
Windows 2000 systems.
During a security posture assessment, the consultants attempted to extract the password files from three
Windows 2000 servers.
This activity was detected by the Sensor.
What best defines this activity?

A. True negative
B. True positive
C. False negative
D. False positive

Correct Answer: B Section: (none) Explanation
Explanation/Reference: Explanation:
True positive – an IDS generates an alarm for known intrusive activity.
False negative – an IDS fails to generate an alarm for known intrusive activity.
False positive – an IDS generates an alarm for normal user activity.
Note: True positive – a situation in which a signature is fired properly when offending traffic is detected. In
other words, an attack is detected as expected.

Reference:
Cisco Secure Intrusion Detection System (Cisco Press) page 55 & 58
QUESTION 79
A Cisco IDS Sensor has been configured to detect attempts to extract the password file from the Certkiller
Windows 2000 systems.
During a security assessment, the consultants attempted to extract the password files from three Windows
2000 servers.
This activity was not detected by the Sensor.
What best defines this activity?

A. False negative
B. False positive
C. True positive
D. True negative

Correct Answer: A Section: (none) Explanation
Explanation/Reference: Explanation:
False negative – an IDS fails to generate an alarm for known intrusive activity.
False positive – an IDS generates an alarm for normal user activity.
True positive – an IDS generates an alarm for known intrusive activity.
Note: A situation in which a signature is not fired when offending traffic is detected. An actual attack is not
detected (Cisco Secure Intrusion Detection System 4, chapter 3, page 11).
Reference:
Cisco Secure Intrusion Detection System, Cisco Press, page 55 & 58
QUESTION 80
Which of the following represents a type of signature engine that is characterized by single packet conditions?
A. String
B. Other
C. Atomic
D. Traffic
E. Simple

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Signature Structure:
Signature implementations deal with packet headers and packet payloads. The structure of a signature is determined by the number of packets that must be examined to trigger an alarm. Two types of signature structures exist: atomic and composite.
Atomic Structure:
Some attacks can be detected by matching IP header information (context based) or string information contained in a single IP packet (content based). Any signature that can be matched with a single packet falls into the atomic category. Because atomic signatures examine individual packets, there is no need to collect or store state information. An example of an atomic signature is the SYN-FIN signature (signature ID 3041). This signature looks for packets that have both the SYN and FIN flags set. The SYN flag indicates that the packet is attempting to begin a new connection. The FIN flag indicates that the packet is attempting to close an existing connection. These two flags should not be used together and, when they are, this is an indication that some intrusive activity might exist.
QUESTION 81
The new Certkiller trainee technician wants to know what will happen when the Sensor alarm reaches the
4GB storage limit.
What would your reply be?

A. Alarms will not be written anymore
B. Alarms will be overwritten by new alarms
C. Alarms will be sent to offline event storage
D. Alarm storage size will increase dynamically
E. None of the above

Correct Answer: B Section: (none) Explanation
Explanation/Reference: Explanation:
All events are stored in the Sensor eventStore. Events remain in the eventStore until they are overwritten
by newer events. It takes 4 GB of newer events to overwrite an existing event.
Events can be retrieved through the Sensor’s web server via RDEP communications.
Management applications such as IEV and the Security Monitor use RDEP to retrieve events from the
Sensor.

QUESTION 82
Which of the following statements represents a false positive alarm situation?
A. Normal traffic or a benign action which will not cause a signature to fire
B. Offending traffic which will not cause a signature to fire
C. Normal traffic or a benign action which will result in the signature firing
D. Offending traffic which causes a signature to fire

Correct Answer: C Section: (none) Explanation
Explanation/Reference: Explanation:
A false positive is a situation in which normal traffic or a benign action causes the signature to fire. Consider the following scenario: a signature exists that generates alarms if any network device’s enable password is entered incorrectly. A network administrator attempts to log in to a Cisco router but mistakenly enters the wrong password. The IDS cannot distinguish between a rogue user and the network administrator, and generates an alarm.

Reference:
Cisco CIDS Courseware, page 3-11
QUESTION 83
The signature files need to be updated on the Certkiller sensors. When performing a signature update on a
Cisco IDS Sensor, which three server types are supported for retrieving the new software?
(Choose three)

A. FTP
B. SCP
C. RCP
D. FS
E. TFTP
F. HTTP
G. Telnet

Correct Answer: ABF Section: (none) Explanation
Explanation/Reference: Explanation:
To update the signature files, you can use the following transport protocols: FTP, HTTPS, SCP, or HTTP.
The following URL types are supported:
ftp:-Source URL for a File Transfer Protocol network server.
The syntax for this prefix is:
ftp://[username@]location/relativeDirectory/filename or ftp://[username@]location//absoluteDirectory/filename.
https:-Source URL for a web server.
The syntax for this prefix is https://[username@]location/directory/filename.
scp:-Source URL for a Secure Copy Protocol network server.
The syntax for this prefix is:
scp://[username@]location/relativeDirectory/filename or scp://[username@]location/absoluteDirectory/filename.
http:-Source URL for a web server.
The syntax for this prefix is:
http://[username@]location/directory/filename.

Reference:
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/module_installation_and_configuration_guides_chap
QUESTION 84
You want to configure a new Certkiller sensor to automatically download and install updates.
Which four tasks must you complete in the Cisco IDM to have the sensor automatically look for and install
signature and service pack updates?
(Choose four)

A. Specify whether the sensor should look for an update file on Cisco.com or on a local server.
B. Enter your Cisco.com username and password.
C. Enter the IP address of the remote server that contains the updates.
D. Select the protocol that is used for transferring the file.
E. Enter the path to the update file.
F. Schedule the updates.

Correct Answer: CDEF Section: (none) Explanation
Explanation/Reference: Explanation:
You can configure the sensor to look for new upgrade files in your upgrade directory automatically.
You must download the software upgrade from Cisco.com and copy it to the upgrade directory before the
sensor can poll for automatic upgrades.
Auto-upgrade Command and Options:
Use the auto-upgrade-option enabled command in the service host submode to configure automatic
upgrades.
Using the auto-upgrade Command To schedule automatic upgrades, follow these steps:
Step1 Log in to the CLI using an account with administrator privileges.
Step2 Configure the sensor to automatically look for new upgrades in your upgrade directory.

sensor# configure terminal
sensor(config)# service host
sensor(config-hos)# auto-upgrade-option enabled
Step3 Specify the scheduling:
a. For calendar scheduling, which starts upgrades at specific times on specific days:
sensor(config-hos-ena)# schedule-option calendar-schedule
sensor(config-hos-ena-cal)# days-of-week sunday
sensor(config-hos-ena-cal)# times-of-day 12:00:00

b. For periodic scheduling, which starts upgrades at specific periodic intervals:
sensor(config-hos-ena)# schedule-option periodic-schedule
sensor(config-hos-ena-per)# interval 24
sensor(config-hos-ena-per)# start-time 13:00:00

Step4 Specify the IP address of the file server:
sensor(config-hos-ena-per)# exit
sensor(config-hos-ena)# ip-address 10.1.1.1
Step5 Specify the directory where the upgrade files are located on the file server:
sensor(config-hos-ena)# directory /tftpboot/update/5.0_dummy_updates
Step6 Specify the username for authentication on the file server:
sensor(config-hos-ena)# user-name tester
Step7 Specify the password of the user:
sensor(config-hos-ena)# password
Enter password[]: ******
Re-enter password: ******
Step8 Specify the file server protocol:
sensor(config-hos-ena)# file-copy-protocol ftp
Step9 Verify the settings:
sensor(config-hos-ena)# show settings
   enabled
      schedule-option
         periodic-schedule
            start-time: 13:00:00
            interval: 24 hours
      ip-address: 10.1.1.1
      directory: /tftpboot/update/5.0_dummy_updates
      user-name: tester
      password: <hidden>
      file-copy-protocol: ftp default: scp
sensor(config-hos-ena)#

Step10 Exit auto upgrade submode:
sensor(config-hos-ena)# exit
sensor(config-hos)# exit
Apply Changes:?[yes]:
Step11 Press Enter to apply the changes or type no to discard them.

Reference:
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008045
QUESTION 85
You want a new Certkiller sensor to automatically update signature and service pack files.
Which statement is true about using the Cisco IDM to configure automatic signature and service pack
updates?

A. You access the Automatic Update panel from the IDM Monitoring tab.
B. You must select the Enable Auto Update check box in the Auto Update panel in order to configure automatic updates.
C. You can schedule updates to occur daily, the sensor checks for updates at 12:00 a.m. each day.
D. If you configure updates to occur daily, the sensor checks for updates at 12:00 a.m. each day.
E. You must enter your Cisco.com username and password.

Correct Answer: B Section: (none) Explanation
Explanation/Reference: Explanation:
Configuring Automatic Updates:
You can configure automatic service pack and signature updates, so that when service pack and signature
updates are loaded on a central FTP or SCP server, they are downloaded and applied to your sensor.
To configure automatic updates, follow these steps:
Step1 Select Configuration> Auto Update.
The Auto Update page appears.
Step2 Select the Enable Auto Update check box to enable automatic updates.
Reference:
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/module_installation_and_configuration_guides_chap
QUESTION 86
A new image needs to be applied to a Certkiller 4240 sensor.
Which two statements are true about applying a system image file to a Cisco IPS 4240 sensor?
(Choose two)

A. The system image file contains a sys identifier.
B. The same system-image file can be applied to any sensor platform.
C. The system image has an rpm.pkg extension.
D. You can use ROMMON to use the TFTP facility to copy the system image onto the sensor.
E. You can apply the system image by using the Cisco IDS version 5.0(1) Recovery CD-ROM

Correct Answer: AD Section: (none) Explanation
Explanation/Reference: Explanation:
Installing the IPS-4240 and IPS-4255 System Image:
You can install the IPS-4240 and IPS-4255 system image by using the ROMMON on the appliance to
TFTP the system image onto the compact flash device.
The complete installation procedure for the 4240 and the 4255 is described in the reference link below.
Incorrect Answers:
B: The images are platform specific.
C: The system image has an .img extension. The .pkg extensions are used for upgrading the system image only.
E: You can use the recovery/upgrade CD on appliances that have a CD-ROM, such as the IDS-4210, IDS-4235, and IDS-4250. This procedure is not supported on the 4240.

Reference:
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008045
QUESTION 87
You want to configure a new Certkiller sensor to automatically download and install updates. Which two protocols can be used for automatic signature and service pack updates? (Choose two)
A. SCP
B. SSH
C. FTP
D. HTTP
E. HTTPS

Correct Answer: AC Section: (none) Explanation
Explanation/Reference: Explanation:
Configuring Automatic Updates:
You can configure automatic service pack and signature updates, so that when service pack and signature
updates are loaded on a central FTP or SCP server, they are downloaded and applied to your sensor.
Although SCP, FTP, HTTP, and HTTPS can be used to manually download and install updates, only SCP
and FTP are supported for automatic updates.
Note:
The sensor cannot automatically download service pack and signature updates from Cisco.com. You must
download the service pack and signature updates from Cisco.com to your FTP or SCP server, and then
configure the sensor to download them from the FTP or SCP server. After you download an update from
Cisco.com, you must take steps to ensure the integrity of the downloaded file while it resides on your FTP
or SCP server.

To configure automatic updates, follow these steps:
Step1:
Select Configuration> Auto Update.
The Auto Update page appears.
Step2:
Select the Enable Auto Update check box to enable automatic updates.
Step3:
In the IP Address field, enter the IP address of the server to poll for updates.
Step4:
In the Directory field, enter the path to the directory on the server where the updates are located (1 to 128
characters).

Step5:
In the Username field, enter the username to use when logging in to the server (1 to 16 characters).
Step6:
In the Password field, enter the username password on the server (1 to 16 characters).
Step7:
In the File Copy Protocol list box, select either SCP or FTP.
Reference: