
Document Title Security Level

In this post, I will share the questions and answers for CCNA Security Chapter 5 Test. All the questions and answers are valid and 100% correct. The questions shared in this post are based on CCNAS v1.1. I hope this post will be a good reference for all of us in answering CCNA Security Chapter 5 Test.

Refer to the exhibit. When modifying an IPS signature action, which two check boxes should be selected to create an ACL that denies all traffic from the IP address that is considered the source of the attack and drops the packet and all future packets from the TCP flow? (Choose two.)

Deny Attacker Inline


Deny Connection Inline

Deny Packet Inline

2017-12-06 Huawei Proprietary - Restricted Distribution Page1, Total12



Produce Alert

Reset TCP Connection

Why is a network that deploys only IDS particularly vulnerable to an atomic attack?

The IDS must track the three-way handshake of established TCP connections.

The IDS must track the three-way handshake of established UDP connections.

The IDS permits malicious single packets into the network.

The IDS requires significant router resources to maintain the event horizon.

The stateful properties of atomic attacks usually require the IDS to have several pieces of data to match an attack signature.

Refer to the exhibit. What is the result of issuing the Cisco IOS IPS commands on router R1?

A named ACL determines the traffic to be inspected.


A numbered ACL is applied to S0/0/0 in the outbound direction.

All traffic that is denied by the ACL is subject to inspection by the IPS.

All traffic that is permitted by the ACL is subject to inspection by the IPS.

Which two files could be used to implement Cisco IOS IPS with version 5.x format signatures? (Choose two.)

IOS-Sxxx-CLI.bin

IOS-Sxxx-CLI.pkg

IOS-Sxxx-CLI.sdf

realm-cisco.priv.key.txt

realm-cisco.pub.key.txt

A network administrator tunes a signature to detect abnormal activity that might be malicious and likely to be an immediate threat. What is the perceived severity of the signature?

high

medium

low

informational

Which two benefits does the IPS version 5.x signature format provide over the version 4.x signature format? (Choose two.)

addition of signature micro engines

support for IPX and AppleTalk protocols

addition of a signature risk rating

support for comma-delimited data import

support for encrypted signature parameters

Which two Cisco IOS commands are required to enable IPS SDEE message logging? (Choose two.)

logging on

ip ips notify log

ip http server

ip ips notify sdee

ip sdee events 500


Refer to the exhibit. What is the significance of the number 10 in the signature 6130 10 command?

It is the alert severity.

It is the signature number.

It is the signature version.

It is the subsignature ID.

It is the signature fidelity rating.

What is a disadvantage of network-based IPS as compared to host-based IPS?

Network-based IPS is less cost-effective.

Network-based IPS cannot examine encrypted traffic.


Network-based IPS does not detect lower level network events.

Network-based IPS should not be used with multiple operating systems.

What information is provided by the show ip ips configuration command?

detailed IPS signatures

alarms that were sent since the last reset

the number of packets that are audited

the default actions for attack signatures

Which statement is true about an atomic alert that is generated by an IPS?

It is an alert that is generated every time a specific signature has been found.

It is a single alert sent for multiple occurrences of the same signature.

It is both a normal alarm and a summary alarm being sent simultaneously at set intervals.

It is an alert that is used only when a logging attack has begun.


Which Cisco IPS feature allows for regular threat updates from the Cisco SensorBase Network database?

event correlation

global correlation

IPS Manager Express

honeypot-based detection

security-independent operation

Which protocol is used when an IPS sends signature alarm messages?

FTP

SDEE

SIO

SNMP


Refer to the exhibit. Based on the configuration that is shown, which statement is true about the IPS signature category?

Only signatures in the ios_ips basic category will be compiled into memory for scanning.

Only signatures in the ios_ips advanced category will be compiled into memory for scanning.

All signature categories will be compiled into memory for scanning, but only those signatures in the ios_ips basic category will be used for scanning purposes.

All signature categories will be compiled into memory for scanning, but only those signatures within the ios_ips advanced category will be used for scanning purposes.

A network security administrator would like to check the number of packets that have been audited by the IPS. What command should the administrator use?

show ip ips signatures



show ip ips interfaces

show ip ips statistics

show ip ips configuration

Refer to the exhibit. Based on the configuration commands that are shown, how will IPS event notifications be sent?

HTTP format

SDEE format

syslog format

TFTP format


Refer to the exhibit. What action will be taken if a signature match occurs?

An ACL will be created that denies all traffic from the IP address that is considered the source of the attack, and an alert will be generated.

This packet and all future packets from this TCP flow will be dropped, and an alert will be generated.

Only this packet will be dropped, and an alert will be generated.

The packet will be allowed, and an alert will be generated.


The packet will be allowed, and no alert will be generated.

An administrator is using CCP to modify a signature action so that if a match occurs, the packet and all future packets from the TCP flow are dropped. What action should the administrator select?


deny-attacker-inline

deny-connection-inline

deny-packet-inline

produce-alert

reset-tcp-connection

Refer to the exhibit. Based on the configuration, what traffic is inspected by the IPS?

only traffic entering the s0/0/1 interface

all traffic entering or leaving the fa0/1 interface

only traffic traveling from the s0/0/1 interface to the fa0/1 interface


all traffic entering the s0/0/1 interface and all traffic leaving the fa0/1 interface

all traffic entering the s0/0/1 interface and all traffic entering and leaving the fa0/1 interface

Refer to the exhibit. As an administrator is configuring an IPS, the error message that is shown appears. What does this error message indicate?

The signature definition file is invalid or outdated.

The public crypto key is invalid or entered incorrectly.


The flash directory where the IPS signatures should be stored is corrupt or nonexistent.

SDEE notification is disabled and must be explicitly enabled.
