New Questions Cisco 642-532 Study Guide Updated By Flydumps Guarantee

Flydumps guarantees your Cisco 642-532 exam success with our exam resources. Cisco 642-532 braindumps are the latest and are developed by experienced IT certification professionals working in today’s prospering companies and data centers. All our Cisco 642-532 brain dumps include Cisco 642-532 exam questions which guarantee you 100% success in the Cisco 642-532 exam on your first try.

Exam A
QUESTION 1
A new IDSM2 module was installed in the Certkiller network. Which of the following features regarding the IDSM2 is true?
A. IDSM2 needs a separate management package
B. IDSM2 is limited to 62 signatures
C. IDSM2 can drop offending packets
D. IDSM2 makes use of the same code as the network appliance
E. None of the above
Correct Answer: D Section: (none) Explanation
Explanation/Reference: Explanation:
IDSM-2 provides the following capabilities or features:
1. Merged switching and security into a single chassis
2. Ability to monitor multiple VLANs
3. Does not impact switch performance
4. Attacks and signatures equal to appliance sensor
5. Uses the same code base of the appliance sensor
6. Support for improved management techniques such as IDM

Reference:
Cisco Press CCSP CSIDS Guide, 2nd edition page 199
QUESTION 2
A new NM-CIDS module is being inserted into the Certkiller network.
Which version of Cisco IOS software is needed to support the NM-CIDS module?

A. 3.1 and above.
B. 4.1 and above
C. 4.0 and above
D. 2.0 and above
E. None of the above
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:

QUESTION 3
A new Certkiller IPS sensor is being configured for inline operation.
Which three steps must you perform to prepare sensor interfaces for inline operations?
(Choose three)

A. Disable all interfaces except the inline pair
B. Add the inline pair to the default virtual sensor
C. Enable two interfaces for the pair
D. Disable any interfaces that are operating in promiscuous mode.
E. Create the interface pair
F. Configure an alternate TCP-reset interface.
Correct Answer: BCE Section: (none) Explanation
Explanation/Reference: Explanation:
Operating in inline interface mode puts the IPS directly into the traffic flow and affects packet-forwarding rates making them slower by adding latency. This allows the sensor to stop attacks by dropping malicious traffic before it reaches the intended target, thus providing a protective service. Not only is the inline device processing information on layers 3 and 4, but it is also analyzing the contents and payload of the packets for more sophisticated embedded attacks (layers 3 to 7). This deeper analysis lets the system identify and stop and/or block attacks that would normally pass through a traditional firewall device. In inline interface mode, a packet comes in through the first interface of the pair on the sensor and out the second interface of the pair. The packet is sent to the second interface of the pair unless that packet is being denied or modified by a signature. To configure the interfaces for inline operation, you will need to create the interface pair, enable the two interfaces, and add the inline interface pair to the default sensor.

Reference:
Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface 5.1, Cisco Documentation, page 5-11.
QUESTION 4
The Certkiller security administrator is determining whether to configure a new sensor in inline or promiscuous mode.
What are three differences between inline and promiscuous sensor functionality?
(Choose three)

A. A sensor that is operating in inline mode can drop the packet that triggers a signature before it reaches its target, but a sensor that is operating in promiscuous mode cannot.
B. A sensor that is operating in inline mode supports more signatures than a sensor that operates in promiscuous mode.
C. Deny actions are available only to inline sensors, but blocking actions are available only to promiscuous mode sensors.
D. A sensor that is operating in promiscuous mode can perform TCP resets, but a sensor that is operating in inline mode cannot.
E. Inline operation provides more protection from Internet worms than promiscuous mode does.
F. Inline operation provides more protection from atomic attacks than promiscuous mode does.
Correct Answer: AEF Section: (none) Explanation
Explanation/Reference: Explanation:
In promiscuous mode, packets do not flow through the sensor. The sensor analyzes a copy of the monitored traffic rather than the actual forwarded packet. The advantage of operating in promiscuous mode is that the sensor does not affect the packet flow of the forwarded traffic. The disadvantage of operating in promiscuous mode, however, is that the sensor cannot stop malicious traffic from reaching its intended target for certain types of attacks, such as atomic attacks (single-packet attacks). The response actions implemented by promiscuous sensor devices are post-event responses and often require assistance from other networking devices, for example, routers and firewalls, to respond to an attack. While such response actions can prevent some classes of attacks, in atomic attacks the single packet has the chance of reaching the target system before the promiscuous-based sensor can apply an ACL modification on a managed device (such as a firewall, switch, or router). Operating in inline interface mode puts the IPS directly into the traffic flow and affects packet-forwarding rates, making them slower by adding latency. This allows the sensor to stop attacks by dropping malicious traffic before it reaches the intended target, thus providing a protective service. Not only is the inline device processing information on layers 3 and 4, but it is also analyzing the contents and payload of the packets for more sophisticated embedded attacks (layers 3 to 7). This deeper analysis lets the system identify and stop and/or block attacks that would normally pass through a traditional firewall device. In inline interface mode, a packet comes in through the first interface of the pair on the sensor and out the second interface of the pair. The packet is sent to the second interface of the pair unless that packet is being denied or modified by a signature.

Reference:
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/ products_configuration_guide_chapter09186a008055
QUESTION 5
New Cisco IPS sensors are being deployed within the Certkiller network.
Which of the following are appropriate installation points for a Cisco IPS sensor?
(Choose two)

A. On publicly accessible servers
B. On critical network servers
C. At network entry points
D. On user desktops
E. On corporate mail servers
F. On critical network segments
Correct Answer: CF Section: (none) Explanation
Explanation/Reference: Explanation:
IPS sensors are designed to be placed at network entry points and on critical network segments. The sensor is designed to monitor all traffic crossing a given network segment.
You must consider all external network connections and remote access points you want to protect. The four network entry locations are:
1. Internet Connections
2. Extranets
3. Intranets
4. Remote Access
The most common sensor deployment location is between the trusted internal network and the Internet. This deployment strategy is referred to as perimeter protection, and the sensor is commonly paired with one or more firewalls to enforce security policies.
Incorrect Answers:
A, B, D, E: Cisco network based sensors are designed to be placed on network segments, not on individual hosts such as desktops or servers. Host based IDS/IPS applications should be used on these types of devices.

Reference:
CCSP: Cisco Certified Security Professional Certification All-in-One Exam Guide by Robert E. Larson and Lance Cockcroft, ISBN:0072226919.
QUESTION 6
A Cisco IPS sensor has detected a large amount of malicious activity on the Certkiller network.
How does a Cisco network sensor detect malicious network activity?
(Select the best answer)

A. By using a blend of intrusion detection technologies
B. By performing in-depth analysis of the protocols that are specified in the packets that are traversing the network
C. By comparing network activity to an established profile of normal network activity
D. By using behavior-based technology that focuses on the behavior of applications
Correct Answer: A Section: (none) Explanation
Explanation/Reference: Explanation:
Cisco Network based IDS (NIDS) uses a blend of leading intrusion detection technologies, and provides the following benefits:
1. Comprehensive Threat Protection: multiple detection methods. Cisco uses multiple methods to accurately detect threats, including stateful pattern recognition, protocol analysis, traffic anomaly detection, and protocol anomaly detection. Additionally, Cisco IDS delivers a Layer 2 signature engine to provide protection from Address Resolution Protocol (ARP) spoofing techniques.
2. Extensive protocol monitoring. All major TCP/IP protocols are monitored, including IP, Internet Control Message Protocol (ICMP), TCP, and User Datagram Protocol (UDP). Cisco IDS 4.x also statefully decodes application layer protocols, such as FTP, Simple Mail Transfer Protocol (SMTP), HTTP, Domain Name System (DNS), remote-procedure call (RPC), NetBIOS, Network News Transport Protocol (NNTP), Telnet, and peer-to-peer (P2P).
3. Comprehensive attack detection. Cisco has the most comprehensive detection capabilities when detecting both the exploitation activity indicative of attempts to gain access or compromise network systems and DoS activity indicative of attempts to consume bandwidth or compute resources to disrupt normal operations. Add to that its ability to detect activity indicative of attempts to probe or map your network to identify targets, such as ping sweeps and port sweeps, as well as misuse activity indicative of attempts to violate corporate policy, detected by configuring the sensor to look for custom text strings in the network traffic.
4. Damage Prevention. Cisco responds immediately to stop attacks that can cost you time and money. After an attack is accurately identified and classified, the system can deny the intruder by dropping the packet, terminating the session, reconfiguring access control lists (ACLs) on routers and switches, or dynamically modifying the firewall policy. Additionally, Cisco IDS 4.x blocks source and destination port numbers as well as source and destination IP addresses.

Reference:
http://s2s.ltd.uk/technology-ids.htm
QUESTION 7
The new Certkiller trainee technician wants to know which signature description best describes a string signature engine.
What would your reply be?

A. Layer 5, 6, and 7 services that require protocol analysis.
B. Regular expression-based pattern inspection for multiple transport protocols.
C. Network reconnaissance detection.
D. State-based, regular expression-based, pattern inspection and alarm functionality for TCP streams.
E. None of the above
Correct Answer: B Section: (none) Explanation
Explanation/Reference: Explanation:
The STRING engine provides regular expression-based pattern inspection and alarm functionality for multiple transport protocols including TCP, UDP and ICMP. Regular expressions are a powerful and flexible notational language that allow you to describe text. In the context of pattern matching, regular expressions allow a succinct description of any arbitrary pattern. Regular expressions are compiled into a data structure called a pattern matcher, which is then used to match patterns in data. The STRING engine is a generic string-based pattern matching inspection engine for TCP, UDP, and ICMP protocols. This STRING engine uses a new Regex engine that can combine multiple patterns into a single pattern-matching table allowing for a single search through the data. The new regex has the alternation “|” operator also known as the OR operator. There are three STRING engines: STRING.TCP, STRING.UDP, and STRING.ICMP.
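The following is an added illustration of the STRING-engine idea described above; it is not Cisco code and does not reproduce any real signature. It folds several patterns for one transport protocol into a single alternation regex (the "|" operator the explanation mentions) so the payload is searched once, keeps separate STRING.TCP, STRING.UDP and STRING.ICMP tables, and reports which signature fired. The signature IDs, patterns, packet layout and sample traffic are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed signature table, modelled on the STRING.TCP / STRING.UDP / STRING.ICMP
# split described above. The IDs and patterns are illustrative, not real Cisco signatures.
# Any "|" inside a pattern is kept scoped to that signature by the wrapping group below;
# sub-patterns should use non-capturing groups "(?:...)" so that lastgroup stays reliable.
SIGNATURES = {
    "tcp":  [("TCP-EX-1", r"/etc/passwd"), ("TCP-EX-2", r"cmd\.exe")],
    "udp":  [("UDP-EX-1", r"public|private")],   # default SNMP community strings
    "icmp": [("ICMP-EX-1", r"\x00{64}")],        # long run of null padding in an echo payload
}

@dataclass
class Packet:
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    payload: bytes  # transport payload only; headers are assumed to be stripped already

def compile_engine(signatures):
    """Fold every pattern for one transport into a single alternation regex.

    Each signature becomes its own named group, so one pass of the combined
    pattern over the payload can still report which signature matched. This is
    the "single pattern-matching table" behaviour the STRING engine is described
    as having: one search through the data instead of one search per signature.
    """
    group_to_id = {}
    parts = []
    for idx, (sig_id, pattern) in enumerate(signatures):
        group = f"s{idx}"
        group_to_id[group] = sig_id
        parts.append(f"(?P<{group}>{pattern})")
    return re.compile("|".join(parts).encode(), re.DOTALL), group_to_id

# One compiled engine per transport, built once at load time
ENGINES = {proto: compile_engine(sigs) for proto, sigs in SIGNATURES.items()}

def inspect(packet: Packet):
    """Return [(signature_id, matched_bytes), ...] for one packet; [] when clean."""
    if packet.proto not in ENGINES:
        return []
    regex, group_to_id = ENGINES[packet.proto]
    # m.lastgroup names the alternative that matched, i.e. the signature
    return [(group_to_id[m.lastgroup], m.group(0)) for m in regex.finditer(packet.payload)]

# Constructed sample traffic: three packets that should alert and one that should not.
SAMPLE_PACKETS = [
    Packet("tcp",  "10.0.0.5", "10.0.0.80",  b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n"),
    Packet("udp",  "10.0.0.5", "10.0.0.161", b"\x30\x26\x02\x01\x00\x04\x06public\xa0\x19"),
    Packet("icmp", "10.0.0.5", "10.0.0.1",   b"\x00" * 80),
    Packet("tcp",  "10.0.0.7", "10.0.0.80",  b"GET /index.html HTTP/1.0\r\n"),
]

def run(packets=SAMPLE_PACKETS):
    """Inspect every packet and return the alert list as (proto, src, dst, signature_id)."""
    alerts = []
    for p in packets:
        for sig_id, _matched in inspect(p):
            alerts.append((p.proto, p.src, p.dst, sig_id))
    return alerts

if __name__ == "__main__":
    for alert in run():
        print("ALERT %s %s -> %s fired %s" % alert)
```

Running the script prints one alert for each of the first three constructed packets and nothing for the clean HTTP request. Because the per-transport table is compiled once, adding a signature costs a rebuild of that table rather than an extra pass over every payload.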
QUESTION 8
When designing IP blocking for the Certkiller network using different Intrusion technologies, why should you consider entry points?
A. They provide different avenues for the attacker to attack your networks.
B. They prevent all denial of service attacks.
C. They are considered critical hosts and should not be blocked.
D. They provide a method for the Sensor to route through the subnet to the managed router.
E. None of the above
Correct Answer: A Section: (none) Explanation
Explanation/Reference: Explanation:
Today’s networks have several entry points to provide reliability, redundancy, and resilience. These entry points also represent different avenues for the attacker to attack your network. You must identify all the entry points into your network and decide whether they need to also participate in IP blocking. Note: It is recommended that Sensors be placed at those network entry and exit points that provide sufficient intrusion detection coverage.

Reference:
Cisco Secure Intrusion Detection System, Cisco Press, page 467
QUESTION 9
Many hackers use Denial of Service attacks in conjunction with a specific attack.
Why would an attacker saturate the network with noise while simultaneously launching an attack?

A. It causes the Cisco IDS to fire multiple false negative alarms.
B. An attack may go undetected.
C. It will have no effect on the ability of the sensor to detect attacks.
D. It will initiate asymmetric attack techniques.
E. It will force the sensors into Bypass mode so that future attacks go undetected.
Correct Answer: B Section: (none) Explanation
Explanation/Reference: Explanation:
Saturating the network with bogus traffic is an example of a DoS or a DDoS attack. The goal of denial of service attacks is not to gain unauthorized access to machines or data, but to prevent legitimate users of a service from using it. A denial of service attack can come in many forms. Attackers may “flood” a network with large volumes of data or deliberately consume a scarce or limited resource such as process control blocks or pending network connections. They may also disrupt physical components of the network or manipulate data in transit, including encrypted data. The underlying purpose of a denial of service attack is to bog down a system by giving it too much information to process quickly enough. While this attack is occurring, an attacker could also attempt to perform another, specifically targeted attack.
Reference:
Cisco IPS Courseware, page 3-24
QUESTION 10
Which of the following types of attacks is typical of an intruder who is targeting networks of systems in an effort to retrieve data or enhance their privileges within a specific network?
A. Access attack
B. Denial of Service attack
C. Man in the middle attack
D. Authorization attack
E. Reconnaissance attack
F. None of the above
Correct Answer: A Section: (none) Explanation
Explanation/Reference: Explanation:
Access Attacks:
Access is a broad term used to describe any attack that requires the intruder to gain unauthorized access to a secure system with the intent to manipulate data, elevate privileges, or simply access the system. The term “access attack” is used to describe any attempt to gain system access, perform data manipulation, or elevate privileges.
System Access Attacks:
System access is the act of gaining unauthorized access to a system for which the attacker doesn’t have a user account. Hackers usually gain access to a device by running a script or a hacking tool, or exploiting a known vulnerability of an application or service running on the host.
Data Manipulation Access Attacks:
Data manipulation occurs when an intruder simply reads, copies, writes, deletes, or changes data that isn’t intended to be accessible by the intruder. This could be as simple as finding a share on a Windows 9x or NT computer, or as difficult as attempting to gain access to a credit bureau’s information, or breaking into the department of motor vehicles to change a driving record.
Elevating Privileges Access Attacks:
Elevating privileges is a common type of attack. By elevating privileges an intruder can gain access to files, folders or application data that the user account was not initially granted access to. Once the hacker has gained a high-enough level of access, they can install applications, such as backdoors and Trojan horses, to allow further access and reconnaissance.
Reference:
CCSP: Cisco Certified Security Professional Certification All-in-One Exam Guide
QUESTION 11
What reconnaissance methods are used to discover mail servers running SMTP and SNMP? (Choose two)
A. TCP scans for port 25
B. UDP scans for port 25
C. UDP scans for port 161
D. ICMP sweeps for port 25
E. ICMP sweeps for port 161
Correct Answer: AC Section: (none) Explanation
Explanation/Reference: Explanation:
If the public SMTP server were compromised, a hacker might try to attack the internal mail server over TCP port 25, which is permitted to allow mail transfer between the two hosts. SNMP is a network management protocol that can be used to retrieve information from a network device (commonly referred to as read-only access) or to remotely configure parameters on the device (commonly referred to as read-write access). SNMP agents listen on UDP port 161.
Reference:
SAFE Blueprint for Small, Midsize, and Remote-User Networks
QUESTION 12
Which of the following describes the evasive technique whereby control characters are sent to disguise an attack?
A. Flooding
B. Fragmentation
C. Obfuscation
D. Exceeding maximum transmission unit size
E. None of the above

Correct Answer: C Section: (none) Explanation
Explanation/Reference: Explanation:
Intrusion Detection Systems inspect network traffic for suspect or malicious packet formats, data payloads and traffic patterns. Intrusion detection systems typically implement obfuscation defense – ensuring that suspect packets cannot easily be disguised with UTF and/or hex encoding and bypass the Intrusion Detection systems. Recently, the Code Red worm has targeted an unpatched vulnerability with many Microsoft IIS systems and also highlighted a different encoding technique supported by Microsoft IIS systems.
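As an added example (not code from the page or from Cisco), the following shows what "obfuscation defense" means in practice: the same pattern matcher is run once on the raw payload and once on a normalized copy in which hex (percent) encoding has been decoded, with the decoding applied a bounded number of times so that doubly encoded input is also collapsed. The signature patterns and HTTP request lines are constructed for the example; the decode-pass limit is an assumption chosen to keep normalization from looping on pathological input.

```python
import re
from urllib.parse import unquote_to_bytes

# Illustrative patterns, not real Cisco signatures
SIGNATURE = re.compile(rb"/etc/passwd|cmd\.exe")

# Assumed bound: nested encodings are decoded at most this many times, so a payload
# that keeps changing on every pass cannot make normalization run indefinitely
MAX_DECODE_PASSES = 3

def normalize(payload: bytes) -> bytes:
    """Collapse percent/hex encoding before inspection.

    Applies URL percent-decoding repeatedly (bounded) so that double-encoded
    sequences such as %252f -> %2f -> / are canonicalised. Other canonical forms
    an inspection engine would also apply (case folding, path normalization,
    UTF-8 sequence checks) are deliberately left out of this example.
    """
    current = payload
    for _ in range(MAX_DECODE_PASSES):
        decoded = unquote_to_bytes(current)
        if decoded == current:      # fixed point reached: nothing left to decode
            break
        current = decoded
    return current

def inspect(payload: bytes, canonicalise: bool = True):
    """Return the matched bytes, or None, optionally skipping normalization."""
    data = normalize(payload) if canonicalise else payload
    m = SIGNATURE.search(data)
    return m.group(0) if m else None

# Constructed request lines: one plain, two disguised with hex encoding, one benign
SAMPLE_REQUESTS = {
    "plain":  b"GET /etc/passwd HTTP/1.0",
    "hex":    b"GET /%65%74%63/%70%61%73%73%77%64 HTTP/1.0",
    "double": b"GET /%2565tc/pa%2573swd HTTP/1.0",
    "benign": b"GET /index.html HTTP/1.0",
}

def compare(requests=SAMPLE_REQUESTS):
    """Return {name: (raw_match, normalised_match)} for each sample request."""
    return {name: (inspect(req, canonicalise=False), inspect(req))
            for name, req in requests.items()}

if __name__ == "__main__":
    for name, (raw, norm) in compare().items():
        print(f"{name:7s} raw={raw!r:16} normalized={norm!r}")
```

The raw matcher only fires on the plain request, while the normalized matcher fires on all three disguised or undisguised variants and stays quiet on the benign one, which is the gap that a sensor without obfuscation defense leaves open.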

Reference:
Cisco CIDS Courseware, page 3-27

Flydumps Cisco 642-532 exam dumps are audited by our certified subject matter experts and published authors for development. Flydumps Cisco 642-532 exam dumps are one of the highest quality Cisco 642-532 Q&As in the world. It covers nearly 96% of real questions and answers, including the entire testing scope. Flydumps guarantees you pass the Cisco 642-457 exam at first attempt.