[ Free Actualtest Braindumps- IT certification training&Study Guide,Guarantee to PASS! ]
» PassGuide.com-Provides Actualtest Questions And Answers,Successful for IT Certification or Full Refund for you Thu 18 Mar 2010 - 23:10:07 *
Actualtests CCSP 642-532

Securing Networks Using Intrusion Prevention Systems Exam (IPS): 642-532 Exam

Retired January 16, 2008
Exam Number: 642-532
Associated Certifications: CCSP, Cisco IPS Specialist
Duration: 90 minutes (60-70 questions)
Available Languages: English

Exam Description
The Securing Networks Using Intrusion Prevention Systems exam is one of the exams associated with the Cisco Certified Security Professional and the Cisco IPS Specialist certifications. Candidates can prepare for this exam by taking the IPS v5.0 course. This exam includes simulations and tests a candidate’s knowledge and ability to describe, configure, verify and manage the Cisco IPS appliance products.

Exam Topics
The following information provides general guidelines for the content likely to be included on the exam. However, other related topics may also appear on any specific delivery of the exam. To better reflect the contents of the exam and for clarity, the guidelines below may change at any time without notice.

Describe how Cisco IDS/IPS sensors are used to mitigate network security threats
Select the best sensor platform to protect a given network
Describe the features of the IDSM-2
Describe the features of the NM-CIDS
List sensor requirements for inline operations
List platforms on which the 5.0 image will run
Explain the difference between inline and promiscuous mode sensor operations
Select the most effective location for the sensor and other defense-in-depth components
Explain how Cisco IDS/IPS protects network devices from attacks (Describe signatures, alerts, and actions)
Explain the similarities and differences among the various intrusion detection technologies
Explain the evasive techniques used by hackers and how Cisco IDS defeats those techniques
Explain the differences between HIPS and Network IPS
Describe the network sensors that are currently available and their features
Describe the considerations necessary for selection, placement, and deployment of a network intrusion prevention system
Explain the features, benefits, and system requirements of the IDM
Describe traffic that is not inspected by the NM-CIDS
Define intrusion detection
Define intrusion prevention
Explain the Cisco IDS/IPS signature features

Install Cisco IDS/IPS sensors and configure essential system parameters
Install a sensor appliance in the network
Use the IDM to configure SSH and TLS communications
Use the CLI to install the sensor’s software image
Select the appropriate image file for a sensor
Select a router to host the NM-CIDS
Configure communications between the router and the NM-CIDS
Describe the functions of the various IDSM-2 ports
Describe the tasks for configuring the NM-CIDS
Describe the interfaces and components of the NM-CIDS
Explain how the NM-CIDS works
Explain how the IDSM-2 obtains access to network traffic
Explain the importance of accurate time on the NM-CIDS and how the NM-CIDS should obtain the accurate time
Explain the importance of accurate time on the IDSM-2 and how the IDSM-2 should obtain the accurate time
Install the IDSM-2 in a switch
Install the NM-CIDS in a router
Select a switch to host the IDSM-2
Use the CLI to initialize the sensor
Describe user accounts and how they provide sensor security
Use the IDM to configure and manage user accounts
Use the IDM to verify secure management access to the sensor
Obtain management access to the sensor appliance
Obtain management access to the NM-CIDS
Obtain management access to the IDSM-2
Describe allowed hosts
Use the IDM to configure allowed hosts
Describe sensor interfaces and interface pairs
Use the IDM to configure the sensor’s interfaces (enable, create pairs, assign to virtual sensor)
Describe software bypass mode
Use the IDM to configure software bypass mode
Use the IDM to configure the sensor’s network settings (IP address, netmask, default gateway, etc.)
Describe sensor communications with external management and monitoring systems
Launch, navigate, and use the IDM to manage and monitor the sensor
Use the IDM to set the sensor’s time
Define traffic flow notification
Use the IDM to configure traffic flow notification
Describe the various CLI modes
Navigate the sensor CLI
List the tasks for installing and configuring the IDSM-2

Describe Cisco IDS/IPS sensor advanced system parameters
Plan the mitigation of specific network vulnerabilities and exploits
Describe sensor tuning
Describe sensor tuning methods
Explain IP fragment and TCP stream reassembly options
Describe the IP logging capabilities of the sensor
Explain how IP logging should be used
Explain the use of Event Variables
Determine the need for a custom signature
Describe the signature engines and their functionality
Describe the types of signatures supported by each engine
Describe common engine parameters and their effects on signatures
Describe engine-specific parameters and their effects on signatures
Describe the device management capability of the sensor and how it is used to perform blocking with a Cisco device
Determine which response actions need to be configured for a given scenario
Determine the need for Event Action Filters in a given scenario
Describe the purpose of the Meta Event Generator
Explain Target Value Ratings and how they are used
Determine the need for Event Action Rules in a given scenario
Explain event Risk Ratings and how they are used
Explain the sensor’s SNMP support
Determine if the sensor’s application policy enforcement feature is needed in a given scenario

Tune Cisco IDS/IPS sensor advanced system parameters to optimize attack mitigation performance
Use the IDM to tune the sensor to work optimally in the network
Use the IDM to tune signatures to provide maximum protection for a network
Use the IDM to create custom signatures as needed
Configure response actions for a signature
Configure the sensor to take response actions based on a risk rating
Configure the sensor to minimize false alerts
Use the IDM to create a Meta signature and disable alert production for the component signatures
Use the IDM to configure the sensor to support SNMP
Configure Event Action Filters
Configure Event Action Overrides
Configure Target Value Ratings
Configure general settings for Event Action Rules
Use the IDM to configure IP logging
Configure Event Variables
Use the IDM to configure blocking for a given scenario
Use the IDM to configure the sensor to use a Master Blocking Sensor
Use the IDM to configure IP fragment and TCP stream reassembly options
Use the sensor’s application policy enforcement feature

Analyze Cisco IDS/IPS sensor events to determine the appropriate response to network attacks
Configure the IDM events display
Analyze alerts and make configuration changes to respond to attacks
Use the CLI and the IDM to monitor events
Classify an alarm as true, false, positive or negative
Explain the fields in a Cisco IDS/IPS alert
Describe the various types of events generated by the sensor
Explain the difference between true and false and positive and negative alarms

Upgrade and maintain Cisco IDS/IPS sensors
Configure the sensor to allow an SNMP NMS to obtain its health and welfare information
Use the CLI to recover the sensor’s software image
Use the IDM to install signature updates and service packs
Use the IDM to configure automatic signature and service pack updates
Move software images/upgrades and configuration files via HTTP, HTTPS, SCP, and FTP
Use the IDM to restore the default configuration to the sensor
Select the correct software update file for a sensor
Use the CLI to upgrade the software image
Describe the various types of image files
Apply the appropriate system image to the sensor
Describe maintenance tasks specific to the NM-CIDS
Use the CLI to obtain PEP information from the sensor
Use the IDM to install a sensor license
Describe PEP information and its purpose
Explain the purpose of service packs and signature updates
Describe service pack and signature update file names
Explain why a sensor license is needed
Obtain a license key

Troubleshoot Cisco IDS/IPS sensor operation and configuration errors
Use the packet command to display and capture packets from the data interfaces
Copy (to a location off the sensor) packets that have been captured from the data interfaces
Use the IDM to verify the sensor’s configuration
Use the CLI to back up the sensor configuration
View IP logs for troubleshooting purposes
Troubleshoot communications between the NM-CIDS and its host router
Reset and power down the sensor
Determine when resetting or powering down the sensor is necessary
Describe the main components of the IPS 5.0 software architecture
Verify functionality of the NM-CIDS
Verify the Catalyst 6500 switch and Catalyst IDSM-2 functionality
Use the IDM and the CLI to obtain sensor statistics
Use the IDM to obtain a sensor diagnostic report
Use the IDM to obtain sensor system information
Use general troubleshooting commands
Use the IDM to shut down and reboot the sensor
Describe Cisco IDS/IPS configuration file format

Exam Number/Code: 642-532
Exam Name: Securing Networks Using Intrusion Prevention Systems Exam (IPS)

“Securing Networks Using Intrusion Prevention Systems Exam (IPS)”, also known as the 642-532 exam, is a Cisco certification exam. Actualtests has assembled a complete collection of 63 questions and answers to take you through your 642-532 exam preparation. The 642-532 exam resources cover every field and category in CCSP, helping to ready you for your successful Cisco certification.
Free Demo Download
Actualtests offers a free demo for the 642-532 exam (Securing Networks Using Intrusion Prevention Systems Exam (IPS)). You can check out the interface, question quality and usability of our practice exams before you decide to buy.

Free Sample: PassGuide IT certification printable PDF or software download. Actualtest offers free demos for IT certification exams. You can check out the interface, question quality and usability of our IT simulation exams before you decide to buy. We are the only site that can offer demos for almost all products: http://demo.passguide.com/download (passguide braindumps)


642-532
Actualtests.com – The Power of Knowing

QUESTION 11:
What reconnaissance methods are used to discover mail servers running SMTP and SNMP? (Choose two)
A. TCP scans for port 25
B. UDP scans for port 25
C. UDP scans for port 161
D. ICMP sweeps for port 25
E. ICMP sweeps for port 161
Answer: A, C
Explanation:
If the public SMTP server were compromised, a hacker might try to attack the internal mail server over TCP port 25, which is permitted to allow mail transfer between the two hosts.
SNMP is a network management protocol that can be used to retrieve information from a network device (commonly referred to as read-only access) or to remotely configure parameters on the device (commonly referred to as read-write access). SNMP agents listen on UDP port 161.
Reference: SAFE Blueprint for Small, Midsize, and Remote-User Networks
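The following Python script is an added illustration, from the defender's side, of how the SMTP and SNMP reconnaissance described in Question 11 shows up in traffic records: a single source touching many distinct hosts on TCP/25 or UDP/161. It is not part of the Actualtests material and not Cisco code. The key=value flow-log format, the addresses, and the threshold of three distinct hosts are all constructed for this example.

```python
"""Flagging SMTP/SNMP reconnaissance (port sweeps) from flow records.

Added illustration for Question 11; not Actualtests material and not Cisco code.
A source that probes at least `threshold` distinct hosts on TCP/25 (SMTP) or
UDP/161 (SNMP) within the log window is reported as a sweep.
"""
import re
from collections import defaultdict

# Constructed flow-log lines in an invented key=value format (not a real
# sensor or router export format). 10.9.9.5 sweeps four hosts on each service;
# 198.51.100.7 only talks to one mail server; 203.0.113.9 is unrelated DNS.
SAMPLE_FLOW_LOG = """\
2008-10-06T10:36:01 src=10.9.9.5 dst=192.0.2.10 proto=TCP dport=25
2008-10-06T10:36:01 src=10.9.9.5 dst=192.0.2.11 proto=TCP dport=25
2008-10-06T10:36:02 src=10.9.9.5 dst=192.0.2.12 proto=TCP dport=25
2008-10-06T10:36:02 src=10.9.9.5 dst=192.0.2.13 proto=TCP dport=25
2008-10-06T10:36:03 src=10.9.9.5 dst=192.0.2.10 proto=UDP dport=161
2008-10-06T10:36:03 src=10.9.9.5 dst=192.0.2.20 proto=UDP dport=161
2008-10-06T10:36:04 src=10.9.9.5 dst=192.0.2.21 proto=UDP dport=161
2008-10-06T10:36:05 src=10.9.9.5 dst=192.0.2.22 proto=UDP dport=161
2008-10-06T10:36:06 src=198.51.100.7 dst=192.0.2.10 proto=TCP dport=25
2008-10-06T10:36:07 src=198.51.100.7 dst=192.0.2.10 proto=TCP dport=25
2008-10-06T10:36:08 src=203.0.113.9 dst=192.0.2.30 proto=UDP dport=53
"""

FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\S+) dport=(\d+)")

# The two services the explanation names: SMTP on TCP/25, SNMP agents on UDP/161.
WATCHED_SERVICES = {("TCP", 25): "SMTP", ("UDP", 161): "SNMP"}


def parse_flows(text):
    """Return (src, dst, proto, dport) tuples; lines that do not parse are skipped."""
    flows = []
    for line in text.splitlines():
        match = FLOW_RE.search(line)
        if match is None:
            continue
        src, dst, proto, dport = match.groups()
        flows.append((src, dst, proto.upper(), int(dport)))
    return flows


def detect_sweeps(flows, threshold=3):
    """Group watched-service probes by source and report sources that reached
    at least `threshold` distinct destinations on one service.

    The threshold is an assumption for this example, not a Cisco default.
    Returns {(src, service): sorted list of destinations}.
    """
    targets = defaultdict(set)
    for src, dst, proto, dport in flows:
        service = WATCHED_SERVICES.get((proto, dport))
        if service is not None:
            targets[(src, service)].add(dst)
    return {key: sorted(hosts) for key, hosts in targets.items()
            if len(hosts) >= threshold}


if __name__ == "__main__":
    hits = detect_sweeps(parse_flows(SAMPLE_FLOW_LOG))
    for (src, service), hosts in sorted(hits.items()):
        print(f"{src} swept {len(hosts)} hosts for {service}: {', '.join(hosts)}")
```

Keying the counter on distinct destinations rather than packet count is what separates a sweep from a legitimately busy mail relay: 198.51.100.7 sends two SMTP connections but to one host, so it is not reported.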
QUESTION 12:
Which of the following describes the evasive technique whereby control characters are sent to disguise an attack?
A. Flooding
B. Fragmentation
C. Obfuscation
D. Exceeding maximum transmission unit size
E. None of the above
Answer: C
Explanation:
Intrusion Detection Systems inspect network traffic for suspect or malicious packet formats, data payloads and traffic patterns. Intrusion detection systems typically implement obfuscation defense, ensuring that suspect packets cannot easily be disguised with UTF and/or hex encoding and bypass the Intrusion Detection systems. Recently, the Code Red worm has targeted an unpatched vulnerability with many Microsoft IIS systems and also highlighted a different encoding technique supported by Microsoft IIS systems.
Reference: Cisco CIDS Courseware, page 3-27
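The following Python is an added example of the obfuscation defense the explanation above describes: a payload is canonicalized (percent/hex encoding and the %u-style encoding that IIS accepted are unwound, including double encoding, and path separators and case are normalized) before it is compared against signatures, so an encoded payload cannot slip past a plain string match. It is not Cisco code and not part of the Actualtests material; the signature names, the request strings and the four-pass decoding bound are constructed for this example and do not reproduce Cisco's actual normalizer.

```python
"""Obfuscation defense: normalize a payload before signature matching.

Added example for Question 12; not Cisco code and not Actualtests material.
Signature names, request strings and the decoding bound are constructed.
"""
import re

PCT = re.compile(r"%([0-9A-Fa-f]{2})")        # %2e style hex encoding
PCT_U = re.compile(r"%u([0-9A-Fa-f]{4})")     # %u002e style encoding accepted by IIS
MAX_PASSES = 4  # assumption: unwinds double/triple encoding but bounds the work

# Constructed signature table (not Cisco signature IDs): name -> substring.
SIGNATURES = {
    "unix-dir-traversal": "../",
    "iis-cmd-exec": "cmd.exe",
}


def decode_once(text):
    """Apply one round of %uXXXX and %XX decoding."""
    text = PCT_U.sub(lambda m: chr(int(m.group(1), 16)), text)
    text = PCT.sub(lambda m: chr(int(m.group(1), 16)), text)
    return text


def normalize(payload):
    """Canonical form used for matching: decoded, forward slashes, lower case."""
    current = payload
    # Repeat decoding until it stops changing, so "%255c" -> "%5c" -> "\".
    for _ in range(MAX_PASSES):
        decoded = decode_once(current)
        if decoded == current:
            break
        current = decoded
    current = current.replace("\\", "/")          # backslash as path separator
    current = re.sub(r"/\./", "/", current)       # drop "/./" segments
    current = re.sub(r"/{2,}", "/", current)      # collapse "//" runs
    return current.lower()


def match_signatures(payload):
    """Return the sorted names of signatures whose pattern is present after normalization."""
    text = normalize(payload)
    return sorted(name for name, pattern in SIGNATURES.items() if pattern in text)


if __name__ == "__main__":
    # Constructed request: double-encoded separators and an encoded dot hide both patterns.
    raw = "GET /scripts/..%255c..%255cwinnt/system32/cmd%2eexe?/c+dir"
    print("raw match:       ", [n for n, p in SIGNATURES.items() if p in raw])
    print("normalized match:", match_signatures(raw))
```

Matching on the raw string finds nothing, because neither "../" nor "cmd.exe" is literally present; after normalization both signatures fire. The bounded decode loop is the important detail: decoding exactly once misses double encoding, while decoding without a bound lets an adversarial payload make the sensor do unbounded work.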
QUESTION 13:
DRAG DROP
Click and drag the security technology on the left to its corresponding description on the right.
Answer:
QUESTION 14:
New Cisco 4200 sensors were installed in the Certkiller network for network security purposes. In which three ways does a Cisco network sensor protect network devices from attacks? (Choose three)
A. It uses a blend of intrusion detection technologies to detect malicious network activity.
B. It can generate an alert when it detects traffic that matches a set of rules that pertain to typical intrusion activity.
C. It permits or denies traffic into the protected network that is based on access lists that you create on the sensor.
D. It can take a variety of actions when it detects traffic that matches a set of rules that pertain to typical intrusion activity.
E. It uses behavior-based technology that focuses on the behavior of applications to protect network devices from known attacks and from new attacks for which there is no known signature.
Answer: A, B, D
Explanation:
The Cisco IOS IDS is an integrated intrusion detection sensor, watching packets and sessions as they flow through the router, scanning each to match the IDS signatures. Upon detection of suspicious activity, the Cisco IOS IDS responds before network security can be compromised and sends alarms to a management console. The network administrator can configure the Cisco IOS IDS to choose the appropriate response to security incidents. When packets in a session match a signature, the Cisco IOS IDS can be configured to take these actions:
1. Send an alarm to a syslog server or a centralized management interface
2. Drop the packet
3. Reset the TCP connection
Incorrect Answers:
C: This describes the basic functionality of Cisco routers. Cisco IPS devices take into account the state of the connections and look for anomalies in each data transmission up to layer 7. Access lists typically only filter traffic based on layers 3 and 4.
E: The IPS devices require a signature to generate an alarm and have an action taken.
New attacks with no known signature will not be detected.
Reference:

http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_white_paper09186a008010e5c8.shtml

QUESTION 15:
The Certkiller network has only one entry point. However, you are concerned about internal attacks. Which of the following should be utilized on the Certkiller network? (Choose three)
A. CSA Agents on corporate mail servers
B. CSA Agents on critical network servers and user desktops
C. A network sensor behind (inside) the corporate firewall
D. A network sensor in front of (outside) the corporate firewall
E. Sensor and CSA Agents that report to management and monitoring servers that are located inside the corporate firewall
F. Sensor and CSA Agents that report to management and monitoring servers that are located outside the corporate firewall
Answer: B, C, E
Explanation:
The Cisco Security Agent (CSA) provides endpoint server and desktop protection against new and emerging threats due to malicious network activity. These can be placed on any device within the enterprise, protecting the network from both internal and external threats. When concerned with threats coming from the inside network, choices B, C, and E are best.
Incorrect Answers:
A: Corporate mail servers are used to provide email services to the outside. Placing CSA agents on these servers would protect from outside threats more so than from internal attacks.
D, F: These solutions are better suited for protecting the network from external threats.
QUESTION 16:
Which of the following functions can be performed remotely by means of the Intrusion Detection System Device Manager? (Select all that apply)
A. Restarting IDS services
B. Initializing the Sensor configuration
C. Powering down the Sensor
D. Accessing the Cisco Secure Encyclopedia
E. Restarting the Sensor
F. Initiating a TCP reset response
G. None of the above
Answer: A, C, E
Explanation:
Cisco IDS signature customization is now made easier through one web page. The Custom Signature configuration page presents the network security administrator with all the parameters that can be customized for a specific signature.
IDM enables the network security administrator to remotely:
1) Restart the IDS services.
2) Restart the Sensor.
3) Power down the Sensor.
Reference: Cisco CIDS Courseware, page 10-4
QUESTION 17:
Your Certkiller router is hosting an NM-CIDS. This router’s configuration contains an inbound ACL. Which action does this router take when it receives a packet that should be dropped, according to the inbound ACL?
A. The router forwards the packet to the NM-CIDS for inspection, then drops the packet.
B. The router drops the packet and does not forward it to the NM-CIDS for inspection.
C. The router filters the packet through the inbound ACL, tags it for drop action, and forwards the packet to the NM-CIDS. Then the router drops it if it triggers any signature, even a signature with no action configured.
D. The router filters the packet through the inbound ACL, forwards the packet to the NM-CIDS for inspection only if it is an ICMP packet, and then drops the packet.
E. None of the above.
Answer: B
Explanation:
The Cisco IOS Software performs an input-ACL check on a packet before it processes the packet for NAT or encryption. As explained earlier, the IDS Network Module monitors the packet after NAT and decryption are processed. Thus if the packet is dropped by the inbound ACL it is not forwarded to the IDS Network Module. The Cisco IOS Software performs the output-ACL check after the packet is forwarded to the IDS. Hence the packet will be forwarded to the IDS even if the output ACL drops the packet.
Reference: http://www.cisco.com/en/US/products/hw/routers/ps282/prod_architecture09186a00801cf9fc.html

QUESTION 18:
A new IDS NM-CIDS network module was recently installed on a Certkiller router, and packets are now being inspected via this module. However, not all packets are inspected. Which two packet types are not forwarded to the NM-CIDS? (Choose two)
A. GRE encapsulation packets
B. TCP packets
C. UDP packets
D. ARP packets
E. any IP multicast packets
F. ICMP packets
Answer: A, D
Explanation:
GRE Tunnels:
The Cisco IDS software does not analyze GRE-encapsulated packets. Hence if a GRE packet is received, and the incoming interface is enabled for IDS monitoring, the packet WILL NOT be forwarded to the IDS Network Module for monitoring.
If a packet is encapsulated by the router into a GRE tunnel, and the incoming interface is enabled for IDS monitoring, then the packet (before encapsulation) will be sent to the IDS Network Module.
ARP Packets:
ARP packets are handled at layer 2 and are not forwarded to the IDS Network Module.
Reference: http://www.cisco.com/en/US/products/hw/routers/ps282/prod_architecture09186a00801cf9fc.html

QUESTION 19:
Which of the following represents a type of exploit that involves introducing programs that install an inconspicuous back door to gain unauthorized access?
A. File sharing
B. Trojan horse
C. Protocol weakness
D. Session hijack
E. None of the above
Answer: B
Explanation:
To gain remote access, attackers rely on keystroke capture software that’s planted on a system, sometimes through a worm or Trojan horse disguised as a game or screen saver.
Reference: Cisco CIDS Courseware, page 2-46
QUESTION 20:
What can intrusion detection and prevention systems detect? (Choose three)
A. Network misuse
B. Network uptime
C. Unauthorized network access
D. Network downtime
E. Network throughput
F. Network abuse
Answer: A, C, F

By [ Download Free Actualtests Dumps ] On [ October 6th, 2008 - 10:36 pm ] in [ Cisco ] -