What are two characteristics of both IPS and IDS sensors? (Choose two.)
A. Neither introduces latency or jitter
B. Both use signatures to detect patterns
C. Both are deployed inline in the data stream
D. Both can stop trigger packets
E. Both can detect atomic patterns
Answer:
B, E
Explanation:
IDS sensors work offline and are passive. They add very little latency but cannot stop trigger packets. An IPS can stop trigger packets but, because it is installed inline, it adds some latency and jitter. Both use signatures to detect patterns and can detect atomic patterns.
What is an advantage of using an IPS?
A. It is installed outside of the data traffic flow
B. It does not impact network traffic if there is a sensor overload
C. It can stop trigger packets
D. It has no impact on network latency
Answer:
C. It can stop trigger packets
Explanation:
An IPS can stop trigger packets but, since it is inline, it adds latency and jitter. IDS sensors are offline and cannot stop trigger packets.
What is a characteristic of an IDS?
A. It can affect network performance by introducing latency and jitter
B. It often requires assistance from other network devices to respond to an attack
C. It is installed inline with the network traffic flow
D. It can be configured to drop trigger packets that are associated with a connection
Answer:
B. It often requires assistance from other network devices to respond to an attack
Explanation:
An IDS operates passively and requires help from devices like routers or firewalls to take action on detected threats.
What are two characteristics of an IPS operating in promiscuous mode? (Choose two.)
A. It can stop malicious traffic from reaching the target for all types of attacks
B. It sits directly in the path of the traffic flow
C. It requires another device to respond to an attack
D. It does not impact the flow of packets in forwarded traffic
E. It sends alerts and drops any malicious packets
Answer:
C, D
Explanation:
An IPS operating in promiscuous mode (IDS mode) is not inline; it inspects a copy of the traffic, so it does not affect the flow of forwarded packets. Because it only sees a copy, it cannot stop the trigger packet itself and therefore cannot stop all types of attacks; a single-packet (atomic) attack may already have reached the target by the time the sensor sees it. It relies on another device, such as a firewall or router, to act on its alerts.
Which tool can perform real-time traffic and port analysis, and can also detect port scans, fingerprinting, and buffer overflow attacks?
A. SIEM
B. Nmap
C. Snort
D. NetFlow
Answer:
C. Snort
Explanation:
Snort is an open-source IDS/IPS capable of real-time traffic and port analysis, packet logging, and detecting probes and attacks, port scans, fingerprinting, and buffer overflow attacks.
Which Snort IPS feature enables a router to download rule sets directly from cisco.com or snort.org?
A. Snort rule set pull
B. Signature allowed listing
C. Snort rule set push
D. Snort rule set updates
Answer:
A. Snort rule set pull
Explanation:
The Snort rule set pull feature allows automatic downloads of updated rules from cisco.com or snort.org. The download can occur using one-time commands or periodic automated updates.
What is a minimum system requirement to activate Snort IPS functionality on a Cisco router?
A. At least 4 GB RAM
B. At least 4 GB flash
C. ISR 2900 or higher
D. K9 license
Answer:
D. K9 license
Explanation:
Snort IPS requires an ISR 4300 or higher router, 8 GB RAM, 8 GB flash, and a K9 license.
What is PulledPork?
A. An open-source network IPS
B. A centralized management tool for pushing rule sets to routers
C. A virtual service container on Cisco ISR routers
D. A rule management app that downloads Snort rule updates automatically
Answer:
D. A rule management app that downloads Snort rule updates automatically
Explanation:
PulledPork is a rule management application that can be used to automatically download Snort rule updates. Using PulledPork requires an authorization code, called an oinkcode, obtained from a snort.org account.
What are two actions that an IPS can perform when a signature detects activity? (Choose two.)
A. Disable the link
B. Reconverge the network
C. Drop or prevent the activity
D. Allow the activity
E. Restart the infected device
Answer:
C, D
Explanation:
When a signature is triggered, an IPS can log, drop, prevent, reset, block, or allow activity depending on configuration.
Which IPS signature trigger category uses a decoy server to divert attacks away from production devices?
A. Honey pot-based detection
B. Policy-based detection
C. Pattern-based detection
D. Anomaly-based detection
Answer:
A. Honey pot-based detection
Explanation:
Honey pot-based detection uses a decoy server to attract and study attacks while diverting them from real systems.
Use of a honey pot can give administrators time to analyze incoming attacks and malicious traffic patterns to tune sensor signatures.
What situation will generate a true negative IPS alarm type?
A. Normal traffic that generates a false alarm
B. A verified security incident that is detected
C. A known attack that is not detected
D. Normal traffic that is correctly ignored and forwarded
Answer:
D. Normal traffic that is correctly ignored and forwarded
Explanation:
True negatives occur when benign traffic is correctly identified as safe and no alert is generated.
The true negative alarm type is used when normal network traffic flows through an interface. Normal traffic should not, and does not generate an actual alarm. A true negative indicates that benign normal traffic is correctly being ignored and forwarded without generating an alert.
Match each intrusion protection service with the description.
Cisco Firepower Next-Generation IPS - a dedicated inline threat prevention appliance
Cisco Snort IPS - an IPS service enabled on a second generation ISR
External Snort IPS Server - an IPS solution that requires a promiscuous port and an external Snort IDS/IPS
Cisco IOS IPS - an IPS service enabled on first generation ISRs that is no longer supported
Match each Snort IPS rule action with the description.
Pass - ignores the packet
Drop - blocks and logs the packet
Reject - blocks and logs the packet and sends a TCP reset or ICMP port unreachable message
Sdrop - blocks but does not log the packet
What is provided by the fail open and close functionality of Snort IPS?
A. Automatically disables problematic signatures
B. Blocks traffic flow or bypasses IPS checking if the engine fails
C. Keeps Snort updated with new signatures
D. Tracks the health of the Snort engine
Answer:
B. Blocks traffic flow or bypasses IPS checking if the engine fails
Explanation:
Fail-open and fail-close determine whether traffic is blocked or passed when the IPS engine fails.
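Added example (not code from the page, Cisco or the Snort project) covering the rule actions matched above, the log/drop/allow actions from the earlier question, and the fail-open/fail-close behaviour in this one: a small Python engine that parses the header of Snort-style rules and applies pass, drop, reject and sdrop to constructed packets, then shows what happens to a packet when the engine is marked failed. The rule set, packets, sids and the engine's healthy/fail_open flags are assumptions for illustration; real Snort matching (variables such as $HOME_NET, CIDR lists, port ranges, payload options) is deliberately not modelled.

```python
"""Snort rule actions and fail-open/fail-close, modelled in Python.

Added example, not code from the page, Cisco or the Snort project. It parses
the header of Snort-style rules (action proto src sport -> dst dport (opts))
and applies pass/drop/reject/sdrop to constructed packets.
"""
import re
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:            # constructed packet shape (assumed)
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str
    sid: int

_RULE_RE = re.compile(
    r"^(?P<action>pass|drop|reject|sdrop)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)"
    r"\s*\((?P<opts>.*)\)\s*$")

def parse_rule(text: str) -> Rule:
    """Parse one rule line; only msg and sid are read from the options."""
    m = _RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    opts = dict(kv.strip().split(":", 1)
                for kv in m["opts"].split(";") if ":" in kv)
    return Rule(m["action"], m["proto"].lower(), m["src"], m["sport"],
                m["dst"], m["dport"], opts.get("msg", "").strip().strip('"'),
                int(opts.get("sid", "0")))

def _matches(pattern: str, value) -> bool:
    return pattern == "any" or pattern == str(value)  # literal or "any" only

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto == pkt.proto and _matches(rule.src, pkt.src)
            and _matches(rule.sport, pkt.sport) and _matches(rule.dst, pkt.dst)
            and _matches(rule.dport, pkt.dport))

@dataclass
class InlineEngine:
    rules: list
    fail_open: bool = False   # what happens to traffic if the engine fails
    healthy: bool = True      # set False to simulate an engine failure
    log: list = field(default_factory=list)     # (sid, msg) of logged hits
    resets: list = field(default_factory=list)  # (src, kind) sent by reject

    def process(self, pkt: Packet) -> str:
        """Return 'forward' or 'block' for one packet; first match wins."""
        if not self.healthy:
            # fail-open bypasses inspection; fail-close blocks all traffic
            return "forward" if self.fail_open else "block"
        for r in self.rules:
            if not rule_matches(r, pkt):
                continue
            if r.action == "pass":           # ignore the packet, no log
                return "forward"
            if r.action == "sdrop":          # block silently, no log
                return "block"
            self.log.append((r.sid, r.msg))  # drop and reject both log
            if r.action == "reject":         # ...and reject tells the sender
                kind = "tcp-reset" if pkt.proto == "tcp" else "icmp-port-unreachable"
                self.resets.append((pkt.src, kind))
            return "block"
        return "forward"                     # no rule matched

# Constructed rule set; sids are in the local range and assumed.
RULES = [parse_rule(r) for r in (
    'pass tcp 10.0.0.5 any -> any 22 (msg:"trusted admin host"; sid:1000001;)',
    'reject tcp any any -> 192.168.1.10 23 (msg:"telnet to server"; sid:1000002;)',
    'drop udp any any -> any 69 (msg:"tftp"; sid:1000003;)',
    'sdrop tcp any any -> any 22 (msg:"ssh from elsewhere"; sid:1000004;)',
)]

def demo():
    eng = InlineEngine(RULES)
    verdicts = [eng.process(p) for p in (
        Packet("tcp", "10.0.0.5", 40000, "192.168.1.10", 22),   # pass
        Packet("tcp", "10.0.0.9", 40001, "192.168.1.10", 23),   # reject
        Packet("udp", "10.0.0.9", 40002, "192.168.1.10", 69),   # drop
        Packet("tcp", "10.0.0.9", 40003, "192.168.1.10", 22),   # sdrop
        Packet("tcp", "10.0.0.9", 40004, "192.168.1.10", 443),  # no match
    )]
    return verdicts, eng.log, eng.resets
```

With a healthy engine the five packets in demo() come back as forward, block, block, block, forward: only the reject and drop hits appear in the log, the sdrop hit leaves no trace, and the reject hit also queues a TCP reset to the sender. Construct the engine with healthy=False to see the two failure policies: fail_open=True forwards the telnet packet uninspected, fail_open=False blocks it, which is the availability-versus-security decision the fail open/close setting makes for you.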
What is a characteristic of the Community Rule Set type of Snort term-based subscriptions?
A. 60-day delayed access to updated signatures
B. Uses Cisco Talos for pre-exploit coverage
C. Fully supported by Cisco
D. Available for free
Answer:
D. Available for free
Explanation:
The Community Rule Set is free, has limited coverage, and 30-day delayed signature updates without Cisco support.
Subscriber Rule Set – Available for a fee and provides the best protection against threats. It includes coverage in advance of exploits by using the research work of the Cisco Talos security experts. This subscription is fully supported by Cisco.
What is a characteristic of the connectivity policy setting when configuring Snort threat protection?
A. Balances network security with performance
B. Prioritizes security over connectivity
C. Provides the lowest level of protection
D. Enables the highest number of signatures
Answer:
C. Provides the lowest level of protection
Explanation:
Snort offers three policy levels: Connectivity (least secure), Balanced, and Security (most secure).
Connectivity – The least secure option.
Balanced – The mid-range option of security.
Security – The most secure option.
What is contained in an OVA file?
A. A current compilation of known threats
B. An installable version of a virtual machine
C. A list of signatures
D. A set of IDS/IPS detection rules
Answer:
B. An installable version of a virtual machine
Explanation:
Step 1 of IPS configuration is to download an OVA (Open Virtualization Archive) file. This is a packaged virtual machine image used to deploy Snort IPS.
What is a network tap?
A. Provides statistics on packets through a router
B. Enables real-time analysis of security events
C. Copies frames to a monitoring device
D. A passive device that forwards all traffic to an analyzer
Answer:
D. A passive device that forwards all traffic to an analyzer
Explanation:
A network tap is used to capture traffic for monitoring the network. The tap is typically a passive splitting device implemented inline on the network; it splits the signal and forwards all traffic, including physical layer errors, to a monitoring or analysis device.
Which statement describes the function of the SPAN tool used in a Cisco switch?
A. Secure channel for syslog messages
B. Interconnects VLANs across switches
C. Supports SNMP traps
D. Copies traffic from one port to another for monitoring
Answer:
D. Copies traffic from one port to another for monitoring
Explanation:
SPAN (Switched Port Analyzer) mirrors traffic from one port to another so it can be analyzed by a monitoring tool.
Cisco Explanation:
To analyze network traffic passing through a switch, switched port analyzer (SPAN) can be used. SPAN can send a copy of traffic from one port to another port on the same switch where a network analyzer or monitoring device is connected.
SPAN is not required for syslog or SNMP. SPAN is used to mirror traffic, while syslog and SNMP are configured to send data directly to the appropriate server.
A network administrator downloads a valid file but an alert is triggered. What condition describes this alert?
A. False negative
B. False positive
C. True negative
D. True positive
Answer:
B. False positive
Explanation:
A false positive occurs when normal, benign activity is incorrectly flagged as malicious.
Cisco Explanation:
Alerts can be classified as follows:
True Positive: The alert has been verified to be an actual security incident.
False Positive: The alert does not indicate an actual security incident. Benign activity that results in a false positive is sometimes referred to as a benign trigger.
An alternative situation is that an alert was not generated. The absence of an alert can be classified as:
True Negative: No security incident has occurred. The activity is benign.
False Negative: An undetected incident has occurred.
What is an advantage of HIPS that is not provided by IDS?
A. Quick analysis through logging
B. Deploys sensors at network entry points
C. Monitors network processes and protects critical files
D. Protects system resources and OS processes
Answer:
D. Protects system resources and OS processes
Explanation:
HIPS (Host-based IPS) runs on individual hosts, monitoring system processes and protecting critical OS files — unlike network-based IDS.
Cisco Explanation:
Network-based IDS (NIDS) sensors are typically deployed in offline mode. They do not protect individual hosts.
Host-based IPS (HIPS) is software installed on a single host to monitor and analyze suspicious activity. It can monitor and protect operating system and critical system processes that are specific to that host.
HIPS can be thought of as a combination of antivirus software, antimalware software, and a firewall.
What information must an IPS track to detect attacks matching a composite signature?
A. Total number of packets
B. State of packets related to the attack
C. Attacking period used by attacker
D. Network bandwidth consumed
Answer:
B. State of packets related to the attack
Explanation:
A composite (stateful) signature tracks the sequence or state of multiple packets over time to detect complex, multi-step attacks.
Cisco Explanation:
A composite signature is called a stateful signature. It identifies a sequence of operations distributed across multiple hosts over an arbitrary period of time. Because this type of attack involves multiple packets, an IPS sensor must maintain the state information.
However, an IPS sensor cannot maintain the state information indefinitely. A composite signature is configured with a time period to maintain the state for the specific attack when it is first detected.
Thus, an IPS may not be able to maintain all the information related to an attack such as total number of packets, total length of attack time, and the amount of bandwidth consumed by the attack.
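Added example, not from the page or any Cisco product, tying together the composite signature described in this answer and the alarm classification (true/false positive/negative) from the earlier questions. The signature modelled is an assumed port-scan rule: one source touching five distinct destination ports on a host within a 10-second window. The detector keeps per-source state only for that window, so a slow scan that spaces probes 15 seconds apart falls through exactly as the explanation warns; each source in the constructed traffic is then graded against its ground-truth label. Thresholds, addresses and traffic are all constructed for illustration.

```python
"""Composite (stateful) signature with a bounded state window, plus alert
classification. Added example; not code from the page or any Cisco product.

Assumed signature: one source touches >= THRESHOLD distinct destination
ports on one host within WINDOW seconds. An atomic signature fires on a
single packet; this one must remember earlier packets, and the sensor
forgets that state once WINDOW has elapsed.
"""
from collections import defaultdict

THRESHOLD = 5     # distinct ports before the signature fires (assumed)
WINDOW = 10.0     # seconds of state the sensor keeps per (src, dst) pair

class PortScanSignature:
    def __init__(self, threshold=THRESHOLD, window=WINDOW):
        self.threshold, self.window = threshold, window
        self.state = defaultdict(dict)   # (src, dst) -> {port: last_seen}
        self.alerts = []                 # (time, src, dst)

    def observe(self, t, src, dst, dport):
        """Feed one packet (time in seconds). Return True if an alert fired."""
        seen = self.state[(src, dst)]
        # Expire state older than the window: the sensor cannot keep it forever.
        for port in [p for p, ts in seen.items() if t - ts > self.window]:
            del seen[port]
        seen[dport] = t
        if len(seen) >= self.threshold:
            self.alerts.append((t, src, dst))
            seen.clear()                 # reset state after firing
            return True
        return False

def classify(alerted: bool, malicious: bool) -> str:
    """Map detector outcome against ground truth to the four alarm types."""
    if alerted:
        return "true positive" if malicious else "false positive"
    return "false negative" if malicious else "true negative"

# Constructed traffic: (time, src, dst, dport, ground_truth_malicious)
TRAFFIC = [
    # A: fast scan, 6 ports in 3 s -> alerts (true positive)
    *[(1.0 + i * 0.5, "10.1.1.7", "192.168.1.10", 20 + i, True)
      for i in range(6)],
    # B: slow scan, one port every 15 s; state expires first -> missed
    *[(100.0 + i * 15.0, "10.1.1.8", "192.168.1.10", 1000 + i, True)
      for i in range(6)],
    # C: ordinary client reusing a few service ports -> no alert
    *[(200.0 + i, "10.1.1.9", "192.168.1.10", p, False)
      for i, p in enumerate([80, 443, 80, 443, 80, 53])],
    # D: benign host opening five services in under a second -> benign trigger
    *[(300.0 + i * 0.2, "10.1.1.4", "192.168.1.10", p, False)
      for i, p in enumerate([25, 53, 80, 443, 993])],
]

def run(traffic=TRAFFIC):
    """Return {src: alarm type} after replaying the traffic through the signature."""
    sig = PortScanSignature()
    fired = defaultdict(bool)
    truth = {}
    for t, src, dst, dport, malicious in traffic:
        fired[(src, dst)] |= sig.observe(t, src, dst, dport)
        truth[(src, dst)] = malicious
    return {key[0]: classify(fired[key], truth[key]) for key in truth}

if __name__ == "__main__":
    for src, verdict in run().items():
        print(f"{src}: {verdict}")
```

run() returns one verdict per source: the fast scanner is a true positive, the slow scanner a false negative (its state expired before the threshold was reached, which is the cost of the bounded time period described above), the web client a true negative, and the host that legitimately hits five services in under a second is a false positive, the benign trigger from the alarm-classification question. Tuning a composite signature is a trade between the window (longer catches slower scans but holds more state) and the threshold (higher reduces benign triggers but lets small scans through).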