642-532 : Securing Networks Using Intrusion Prevention Systems. Last updated Monday, September 08, 2008, with 181 questions.

Securing Networks Using Intrusion Prevention Systems Exam
Exam Number: 642-532
Associated Certifications: Cisco Certified Security Professional (CCSP), Cisco IPS Specialist
Questions: 63
Available Language(s): English
Exam Details
The Securing Networks Using Intrusion Prevention Systems exam is one of the exams associated with the Cisco Certified Security Professional and the Cisco IPS Specialist certifications. Candidates can prepare for this exam by taking the IPS v5.0 course. The exam includes simulations and tests a candidate's knowledge of, and ability to, describe, configure, verify and manage the Cisco IPS appliance products.

QUESTION 1:
A new IDSM2 module was installed in the Certkiller network. Which of the
following features regarding the IDSM2 is true?
A. IDSM2 needs a separate management package
B. IDSM2 is limited to 62 signatures
C. IDSM2 can drop offending packets
D. IDSM2 makes use of the same code as the network appliance
E. None of the above
Answer: D
Explanation:
IDSM-2 provides the following capabilities or features:
- Merged switching and security into a single chassis
- Ability to monitor multiple VLANs
- Does not impact switch performance
- Attacks and signatures equal to appliance sensor
- Uses the same code base of the appliance sensor
- Support for improved management techniques such as IDM
Reference: Cisco Press CCSP CSIDS Guide, 2nd edition page 199
QUESTION 2:
Please refer to the exhibit.
A new NM-CIDS module is being inserted into a Certkiller router. Which version of
Cisco IDS sensor software is needed to support the NM-CIDS module?
A. 3.1 and above
B. 4.1 and above
C. 4.0 and above
D. 2.0 and above
E. None of the above
Answer: B
642-532
Actualtests.com - The Power of Knowing
Explanation:
The version numbers in the options are Cisco IDS sensor software releases, not Cisco IOS
releases (IOS releases are numbered 12.x). The NM-CIDS runs the same sensor software as
the appliance sensors and is supported from sensor software version 4.1 onward; the 4.0
and 3.x releases have no NM-CIDS support. The host router additionally needs a Cisco IOS
release that recognises the module; check the NM-CIDS installation guide for the minimum
release for your router platform.
QUESTION 3:
A new Certkiller IPS sensor is being configured for inline operation. Which three
steps must you perform to prepare sensor interfaces for inline operations? (Choose
three)
A. Disable all interfaces except the inline pair
B. Add the inline pair to the default virtual sensor
C. Enable two interfaces for the pair
D. Disable any interfaces that are operating in promiscuous mode.
E. Create the interface pair
F. Configure an alternate TCP-reset interface.
Answer: B, C, E
Explanation:
Operating in inline interface mode puts the IPS directly into the traffic flow and affects
packet-forwarding rates making them slower by adding latency. This allows the sensor to
stop attacks by dropping malicious traffic before it reaches the intended target, thus
providing a protective service.
Not only is the inline device processing information on layers 3 and 4, but it is also
analyzing the contents and payload of the packets for more sophisticated embedded
attacks (layers 3 to 7). This deeper analysis lets the system identify and stop and/or block
attacks that would normally pass through a traditional firewall device.
In inline interface mode, a packet comes in through the first interface of the pair on the
sensor and out the second interface of the pair. The packet is sent to the second interface
of the pair unless that packet is being denied or modified by a signature.
To configure the interfaces for inline operation, you need to create the interface pair,
enable the two physical interfaces, and add the inline interface pair to the default
virtual sensor. Disabling other interfaces or configuring an alternate TCP-reset interface
is not required for the pair to operate.
Reference: Configuring the Cisco Intrusion Prevention System Sensor Using the
Command Line Interface 5.1, Cisco Documentation, page 5-11.
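The three steps above as one IPS 5.x CLI session. This is an added illustration, not a transcript from the cited Cisco guide; the pair name PAIR1, the interface names GigabitEthernet0/0 and GigabitEthernet0/1 (a 4200-series appliance with both ports free) and the default virtual sensor name vs0 are assumptions. Lines beginning with `!` are annotations, not commands.

```cisco
! Added example (not from the Cisco guide). Assumed: GigabitEthernet0/0 and
! GigabitEthernet0/1 are unused, the pair is called PAIR1, default sensor is vs0.
sensor# configure terminal

! Step 1: create the inline interface pair (this is the "logical interface")
sensor(config)# service interface
sensor(config-int)# inline-interfaces PAIR1
sensor(config-int-inl)# interface1 GigabitEthernet0/0
sensor(config-int-inl)# interface2 GigabitEthernet0/1
sensor(config-int-inl)# description Inline pair between core switch and DMZ
sensor(config-int-inl)# exit

! Step 2: enable both physical interfaces; sensing interfaces are disabled by default
sensor(config-int)# physical-interfaces GigabitEthernet0/0
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# exit
sensor(config-int)# physical-interfaces GigabitEthernet0/1
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# exit
sensor(config-int)# exit
Apply Changes:?[yes]: yes

! Step 3: assign the logical pair to the default virtual sensor
sensor(config)# service analysis-engine
sensor(config-ana)# virtual-sensor vs0
sensor(config-ana-vir)# logical-interface PAIR1
sensor(config-ana-vir)# exit
sensor(config-ana)# exit
Apply Changes:?[yes]: yes
sensor(config)# exit

! Verify: both interfaces should report Enabled and show PAIR1 as their pair
sensor# show interfaces
```

Until step 3 is applied the pair is not attached to any analysis engine, so no signature can drop anything on it; `show interfaces` is the check that all three steps took. A setting worth reviewing in the same `service interface` mode on a production inline sensor is `bypass-mode` (auto, on or off), which decides whether traffic is forwarded uninspected when the analysis engine is down; `off` fails closed, which is the safer choice when the protected segment matters more than availability.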
QUESTION 4:
The Certkiller security administrator is determining whether to configure a new
sensor in inline or promiscuous mode. What are three differences between inline
and promiscuous sensor functionality? (Choose three)
A. A sensor that is operating in inline mode can drop the packet that triggers a signature
before it reaches its target, but a sensor that is operating in promiscuous mode cannot.
B. A sensor that is operating in inline mode supports more signatures than a sensor that
operates in promiscuous mode.
C. Deny actions are available only to inline sensors, but blocking actions are available
only to promiscuous mode sensors.
D. A sensor that is operating in promiscuous mode can perform TCP resets, but a sensor
that is operating in inline mode cannot.
E. Inline operation provides more protection from Internet worms than promiscuous
mode does.
F. Inline operation provides more protection from atomic attacks than promiscuous mode
does.
Answer: A, E, F
Explanation:
In promiscuous mode, packets do not flow through the sensor. The sensor analyzes a
copy of the monitored traffic rather than the actual forwarded packet. The advantage of
operating in promiscuous mode is that the sensor does not affect the packet flow with the
forwarded traffic. The disadvantage of operating in promiscuous mode, however, is the
sensor cannot stop malicious traffic from reaching its intended target for certain types of
attacks, such as atomic attacks (single-packet attacks). The response actions implemented
by promiscuous sensor devices are post-event responses and often require assistance
from other networking devices, for example, routers and firewalls, to respond to an
attack. While such response actions can prevent some classes of attacks, in atomic attacks
the single packet has the chance of reaching the target system before the
promiscuous-based sensor can apply an ACL modification on a managed device (such as
a firewall, switch, or router).
Operating in inline interface mode puts the IPS directly into the traffic flow and affects
packet-forwarding rates making them slower by adding latency. This allows the sensor to
stop attacks by dropping malicious traffic before it reaches the intended target, thus
providing a protective service. Not only is the inline device processing information on
layers 3 and 4, but it is also analyzing the contents and payload of the packets for more
sophisticated embedded attacks (layers 3 to 7). This deeper analysis lets the system
identify and stop and/or block attacks that would normally pass through a traditional
firewall device.
In inline interface mode, a packet comes in through the first interface of the pair on the
sensor and out the second interface of the pair. The packet is sent to the second interface
of the pair unless that packet is being denied or modified by a signature.
Reference:
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055
QUESTION 5:
New Cisco IPS sensors are being deployed within the Certkiller network. Which of
the following are appropriate installation points for a Cisco IPS sensor? (Choose
two)
A. On publicly accessible servers
B. On critical network servers
C. At network entry points
D. On user desktops
E. On corporate mail servers
F. On critical network segments
Answer: C, F
Explanation:
IPS sensors are designed to be placed at network entry points and on critical network
segments. A sensor monitors all traffic crossing the network segment it is attached to.
You must consider all external network connections and remote access points you want
to protect. Each of the four network entry locations includes the following:
1. Internet Connections
2. Extranets
3. Intranets
4. Remote Access
The most common sensor deployment location is between the trusted internal network
and the Internet. This deployment strategy is referred to as perimeter protection and the
sensor is commonly paired with one or more firewalls to enforce security policies.
Incorrect Answers:
A, B, D, E: Cisco network based sensors are designed to be placed on network segments,
not on individual hosts such as desktops or servers. Host based IDS/IPS applications
should be used on these types of devices.
Reference: CCSP: Cisco Certified Security Professional Certification All-in-One Exam
Guide by Robert E. Larson and Lance Cockcroft, ISBN:0072226919.
QUESTION 6:
A Cisco IPS sensor has detected a large amount of malicious activity on the
Certkiller network. How does a Cisco network sensor detect malicious network
activity? (Select the best answer)
A. By using a blend of intrusion detection technologies
B. By performing in-depth analysis of the protocols that are specified in the packets that are
traversing the network
C. By comparing network activity to an established profile of normal network activity
D. By using behavior-based technology that focuses on the behavior of applications
Answer: A
Explanation:
Cisco network-based IDS (NIDS) uses a blend of leading intrusion detection
technologies, and provides the following benefits:
1. Comprehensive threat protection through multiple detection methods. Cisco uses multiple
methods to accurately detect threats, including stateful pattern recognition, protocol
analysis, traffic anomaly detection, and protocol anomaly detection. Additionally, Cisco
IDS delivers a Layer 2 signature engine to provide protection from Address Resolution
Protocol (ARP) spoofing techniques.
2. Extensive protocol monitoring. All major TCP/IP protocols are monitored, including
IP, Internet Control Message Protocol (ICMP), TCP, and User Datagram Protocol
(UDP). Cisco IDS 4.x also statefully decodes application layer protocols, such as FTP,
Simple Mail Transfer Protocol (SMTP), HTTP, Domain Name System (DNS),
remote-procedure call (RPC), NetBIOS, Network News Transport Protocol (NNTP),
Telnet, and peer-to-peer (P2P).
3. Comprehensive attack detection. Cisco has comprehensive detection capabilities for
both the exploitation activity indicative of attempts to gain access to or compromise
network systems and the DoS activity indicative of attempts to consume bandwidth or
compute resources to disrupt normal operations. Add to that its ability to detect activity
indicative of attempts to probe or map your network to identify targets, such as ping
sweeps and port sweeps, as well as misuse activity indicative of attempts to violate
corporate policy, detected by configuring the sensor to look for custom text strings in
the network traffic.
4. Damage prevention. Cisco IDS responds immediately to stop attacks that can cost you
time and money. After an attack is accurately identified and classified, the system can
deny the intruder by dropping the packet, terminating the session, reconfiguring access
control lists (ACLs) on routers and switches, or dynamically modifying the firewall
policy. Additionally, Cisco IDS 4.x blocks source and destination port numbers as well
as source and destination IP addresses.
Reference: http://s2s.ltd.uk/technology-ids.htm
QUESTION 7:
The new Certkiller trainee technician wants to know which signature description
best describes a string signature engine. What would your reply be?
A. Layer 5, 6, and 7 services that require protocol analysis.
B. Regular expression-based pattern inspection for multiple transport protocols.
C. Network reconnaissance detection.
D. State-based, regular expression-based, pattern inspection and alarm functionality for
TCP streams.
E. None of the above
Answer: B
Explanation:
The STRING engine provides regular expression-based pattern inspection and alarm
functionality for multiple transport protocols including TCP, UDP and ICMP.
Regular expressions are a powerful and flexible notational language that allow you to
describe text. In the context of pattern matching, regular expressions allow a succinct
description of any arbitrary pattern. Regular expressions are compiled into a data
structure called a pattern matcher, which is then used to match patterns in data.
The STRING engine is a generic string-based pattern matching inspection engine for
TCP, UDP, and ICMP protocols. This STRING engine uses a new Regex engine that can
combine multiple patterns into a single pattern-matching table allowing for a single
search through the data. The new regex has the alternation “|” operator also known as the
OR operator. There are three STRING engines: STRING.TCP, STRING.UDP, and
STRING.ICMP.
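A custom STRING.TCP signature in the IPS 5.x CLI, added here as an illustration (it is not from the page's sources). It uses the alternation operator described above so that two patterns share one pattern-matcher table, and its event actions show the inline/promiscuous distinction from question 4: deny-packet-inline only takes effect on a sensor whose interfaces are inline, while request-block-host is a post-event block applied through a managed router or firewall and therefore also works from promiscuous mode. The signature ID 60000 (the start of the custom range), the port, the regex and the name are constructed for this example; verify the exact submode nesting with `?` on your sensor.

```cisco
! Added example (not from the page's sources). Assumed: custom signature 60000,
! HTTP on port 80, constructed regex and signature name.
sensor# configure terminal
sensor(config)# service signature-definition sig0
sensor(config-sig)# signatures 60000 0
sensor(config-sig-sig)# engine string-tcp
! Two patterns, one table: the | operator is evaluated in a single pass.
! [/] is used instead of a bare slash so the pattern is unambiguous to the parser.
sensor(config-sig-sig-str)# regex-string [/]etc[/](passwd|shadow)
sensor(config-sig-sig-str)# service-ports 80
! to-service: inspect only the client-to-server half of the stream
sensor(config-sig-sig-str)# direction to-service
! produce-alert fires the event; deny-packet-inline drops the packet before it is
! forwarded (inline pair only); request-block-host is a post-event ACL push to a
! managed device and can be used from promiscuous mode as well.
sensor(config-sig-sig-str)# event-action produce-alert|deny-packet-inline|request-block-host
sensor(config-sig-sig-str)# exit
sensor(config-sig-sig)# sig-description
sensor(config-sig-sig-sig)# sig-name Unix-password-file-request
sensor(config-sig-sig-sig)# exit
sensor(config-sig-sig)# alert-severity high
sensor(config-sig-sig)# status
sensor(config-sig-sig-sta)# enabled true
sensor(config-sig-sig-sta)# retired false
sensor(config-sig-sig-sta)# exit
sensor(config-sig-sig)# exit
sensor(config-sig)# exit
Apply Changes:?[yes]: yes
```

On a promiscuous sensor the deny-packet-inline action is simply not applied, so the only preventive effect comes from request-block-host, and the first packet (an atomic attack) reaches the target before the managed device's ACL is updated. That is the practical reason option F in question 4 is correct.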
QUESTION 8:
When designing IP blocking for the Certkiller network using different Intrusion
technologies, why should you consider entry points?
A. They provide different avenues for the attacker to attack your networks.
B. They prevent all denial of service attacks.
C. They are considered critical hosts and should not be blocked.
D. They provide a method for the Sensor to route through the subnet to the managed
router.
E. None of the above
Answer: A
Explanation:
Today’s networks have several entry points to provide reliability, redundancy, and
resilience. These entry points also represent different avenues for the attacker to attack
your network. You must identify all the entry points into your network and decide
whether they need to also participate in IP blocking.
Note: It is recommended that Sensors be placed at those network entry and exit points
that provide sufficient intrusion detection coverage.
Reference: Cisco Secure Intrusion Detection System, Cisco Press, page 467
QUESTION 9:
Many hackers use Denial of Service attacks in conjunction with a specific attack.
Why would an attacker saturate the network with noise while simultaneously
launching an attack?
A. It causes the Cisco IDS to fire multiple false negative alarms.
B. An attack may go undetected.
C. It will have no effect on the ability of the sensor to detect attacks.
D. It will initiate asymmetric attack techniques.
E. It will force the sensors into Bypass mode so that future attacks go undetected.
Answer: B
Explanation:
Saturating the network with bogus traffic is an example of a DoS or DDoS attack. The
goal of denial of service attacks is not to gain unauthorized access to machines or data,
but to prevent legitimate users of a service from using it. A denial of service attack can
come in many forms. Attackers may “flood” a network with large volumes of data or
deliberately consume a scarce or limited resource such as process control blocks or
pending network connections. They may also disrupt physical components of the network
or manipulate data in transit, including encrypted data. The underlying purpose to a
denial of service attack is to bog down a system by giving it too much information to
process quickly enough. While this attack is occurring, an attacker could also attempt to
perform another, specifically targeted attack.
Reference: Cisco 642-532 IPS Courseware, page 3-24
QUESTION 10:
Which of the following types of attacks is typical of an intruder who is targeting
networks of systems in an effort to retrieve data or enhance their privileges within a
specific network?
A. Access attack
B. Denial of Service attack
C. Man in the middle attack
D. Authorization attack
E. Reconnaissance attack
F. None of the above
Answer: A
Explanation:
Access Attacks:
Access is a broad term used to describe any attack that requires the intruder to gain
unauthorized access to a secure system with the intent to manipulate data, elevate
privileges, or simply access the system. The term “access attack” is used to describe any
attempt to gain system access, perform data manipulation, or elevate privileges.
System Access Attacks:
System access is the act of gaining unauthorized access to a system for which the attacker
doesn’t have a user account. Hackers usually gain access to a device by running a script
or a hacking tool, or exploiting a known vulnerability of an application or service running
on the host.
Data Manipulation Access Attacks:
Data manipulation occurs when an intruder simply reads, copies, writes, deletes, or
changes data that isn’t intended to be accessible by the intruder. This could be as simple
as finding a share on a Windows 9x or NT computer, or as difficult as attempting to gain
access to a credit bureau's information, or breaking into the department of motor
vehicles to change a driving record.
Elevating Privileges Access Attacks:
Elevating privileges is a common type of attack. By elevating privileges an intruder can
gain access to files, folders or application data that the user account was not initially
granted access to. Once the hacker has gained a high-enough level of access, they can
install applications, such as backdoors and Trojan horses, to allow further access and
reconnaissance.
