
Cisco 642-627

Implementing Cisco Intrusion Prevention System v7.0


Version: 5.1
QUESTION NO: 1

Which three are global correlation network participation modes? (Choose three.)


A. off
B. partial participation
C. reputation filtering
D. detect
E. full participation
F. learning

Answer: A,B,E
Explanation:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_collaboration.html




QUESTION NO: 2 DRAG DROP




Answer:
Explanation:

Cisco 642-627 Exam
"A Composite Solution With Just One Click" - Certification Guaranteed 2





QUESTION NO: 3

What are four properties of an IPS signature? (Choose four.)


A. reputation rating
B. fidelity rating
C. summarization strategy
D. signature engine
E. global correlation mode
F. signature ID and signature status

Answer: B,C,D,F
Explanation:
http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/3.1/user/guide/ipsvchap.html#wp1912551
Reputation and correlation are NOT




QUESTION NO: 4

The custom signature ID of a Cisco IPS appliance has which range of values?


A. 10000 to 19999
B. 20000 to 29999
C. 50000 to 59999
D. 60000 to 65000
E. 80000 to 90000
F. 1 to 20000

Answer: D
Explanation:
http://www.cisco.com/en/US/docs/security/ips/5.0/configuration/guide/idm/dmsigwiz.html
Signature Identification Field Definitions
The following fields and buttons are found in the Signature Identification window of the Custom
Signature Wizard.
Field Descriptions:
Signature ID: Identifies the unique numerical value assigned to this signature.
The signature ID lets the sensor identify a particular signature. The signature ID is reported to the
Event Viewer when an alert is generated. The valid range is between 60000 and 65000.




QUESTION NO: 5

When upgrading a Cisco IPS AIM or IPS NME using manual upgrade, what must be performed
before installing the upgrade?


A. Disable the heartbeat reset on the router.
B. Enable fail-open IPS mode.
C. Enable the Router Blade Configuration Protocol.
D. Gracefully halt the operating system on the Cisco IPS AIM or IPS NME.

Answer: A
Explanation:
http://www.cisco.com/en/US/docs/security/ips/7.0/release/notes/18483_01.html
Using manual upgrade:
If you want to manually update your sensor, copy the 7.0(1)E3 update files to the directory on the
server that your sensor polls for updates.
When you upgrade the AIM IPS or the NME IPS using manual upgrade, you must disable
heartbeat reset on the router before installing the upgrade. You can reenable heartbeat reset after
you complete the upgrade. If you do not disable heartbeat reset, the upgrade can fail and leave
the AIM IPS or the NME IPS in an unknown state, which can require a system reimage to recover.




QUESTION NO: 6

Which Cisco IPS NME interface is visible to the NME module but not visible in the router
configuration and acts as the sensing interface of the NME module?

A. ids-sensor 0/1 interface
B. ids-sensor 1/0 interface
C. gigabitEthernet 0/1
D. gigabitEthernet 1/0
E. management 0/1
F. management 1/0

Answer: C
Explanation:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_nme.html#wp1057817




QUESTION NO: 7

Which two methods can be used together to configure a Cisco IPS signature set into detection
mode when tuning the Cisco IPS appliance to reduce false positives? (Choose two.)


A. Subtract all aggressive actions using event action filters.
B. Enable anomaly detection learning mode.
C. Enable verbose alerts using event action overrides.
D. Decrease the number of events required to trigger the signature.
E. Increase the maximum inter-event interval of the signature.

Answer: A,C
Explanation:
1 > Remove all aggressive actions from all signatures using event action filters
2 > Add verbose alerts using event action overrides
3 > Add logging packets between the attacker and the victim using event action overrides




QUESTION NO: 8

In which CLI configuration mode is the Cisco IPS appliance management IP address configured?


A. global configuration
ips(config)#
B. service network-access
ips(config-net)#
C. service host network-settings
ips(config-hos-net)#
D. service interface
ips(config-int)#

Answer: C
Explanation:
http://www.cisco.com/en/US/docs/security/ips/7.1/configuration/guide/cli/cli_setup.html#wp1031325




QUESTION NO: 9

Which four parameters are used to configure how often the Cisco IPS appliance generates alerts
when a signature is firing? (Choose four.)


A. summary mode
B. summary interval
C. event count key
D. global summary threshold
E. summary key
F. event count
G. summary count
H. event alert mode

Answer: A,B,D,F
Explanation:


NB: Watch for Summary Threshold instead of Event Count




QUESTION NO: 10

Which three Cisco IPS cross-launch capabilities do Cisco Security Manager and Cisco Security
MARS support? (Choose three.)


A. Edit IPS signatures in Cisco Security Manager from a Cisco Security MARS query.
B. Create custom signatures in Cisco Security Manager from a Cisco Security MARS query.
C. Create event action filters in Cisco Security Manager from a Cisco Security MARS query.
D. Create a Cisco Security MARS drop rule from Cisco Security Manager policy.
E. Create a Cisco Security MARS user inspection rule from Cisco Security Manager policy.
F. Query Cisco Security MARS from Cisco Security Manager policy.

Answer: A,C,F
Explanation:
"...MARS creates queries that include a launch point for CSM. When CSM is launched, you can
carry out the following (cross-connected actions):
Edit an IPS Signature
Add an event action filter to an IPS configuration in Cisco Security Manager and when you use
CSM to cross-launch MARS, you can query events that were originated by the signatures in
CSM."
http://my.safaribooksonline.com/book/certification/ccnp/9780132372107/integrating-cisco-ips-with-csm-andcisco-security-mars/435#




QUESTION NO: 11

Which statement about inline VLAN pair deployment with the Cisco IPS 4200 Series appliance is
true?


A. The sensing interface acts as an 802.1q trunk port, and the Cisco IPS appliance performs
VLAN translation between pairs of VLANs.
B. The Cisco IPS appliance connects to two physically distinct switches using two paired physical
interfaces.
C. Two sensing interfaces connect to the same switch that forwards traffic between two VLANs.
D. The pair of sensing interfaces can be selectively divided (virtualized) into multiple logical "wires"
by VLANs that can be analyzed separately

Answer: A
Explanation:



QUESTION NO: 12

Which four statements about Cisco IPS appliance anomaly detection histograms are true?
(Choose four.)


A. Histograms are learned or configured manually.
B. Destination IP address row is the same for all histograms.
C. Source IP address row can be learned or configured.
D. Anomaly detection only builds a single histogram for all services in a zone.
E. You can enable a separate histogram and scanner threshold for specific services, or use the
default one for all other services
F. Anomaly detection histograms only track source (attacker) IP addresses.

Answer: A,B,C,E
Explanation:



QUESTION NO: 13

You are working with Cisco TAC to troubleshoot a software problem on the Cisco IPS appliance.
TAC suspects a fault with the NotificationApp software module in the Cisco IPS appliance. In this
case, which Cisco IPS appliance operations may be most affected by the NotificationApp software
module fault?


A. SNMP
B. IDM or IME
C. global correlation
D. remote blocking
E. anomaly detection
F. SDEE

Answer: A
Explanation:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_system_architecture.html#wp1009053

NotificationApp allows the sensor to send alerts and system error messages as SNMP traps. It
subscribes to events in the Event Store and translates them into SNMP MIBs and sends them to
destinations through a public-domain SNMP agent. NotificationApp supports sending sets and
gets. The SNMP GETs provide information about basic sensor health.




QUESTION NO: 14

Which two switching-based mechanisms are used to deploy high availability IPS using multiple
Cisco IPS appliances? (Choose two.)


A. Spanning Tree-based HA
B. HSRP-based HA
C. EtherChannel-based HA
D. VRRP-based HA

Answer: A,C
Explanation:
When network switches are used to provide High Availability you have two options

EtherChannel based HA
STP based HA




QUESTION NO: 15

Which statement about the 4-port GigabitEthernet card with hardware bypass is true?


A. Hardware bypass only works with inline interface pairs.
B. Hardware bypass is only supported on the Cisco IPS 4270 appliance.
C. Hardware bypass is independent from software bypass.
D. Hardware bypass is enabled if software bypass is configured to "OFF".
E. Hardware bypass is supported between any of the four GigabitEthernet ports

Answer: A
Explanation:



QUESTION NO: 16 DRAG DROP




Answer:
Explanation:







QUESTION NO: 17

What is the correct regular expression to match a URI request equal to /test.exe?


A. /test.exe
B. Vtest\.exe
C. /test\.exe
D. */test\.exe
E. \*/test\.exe
F. */test.exe

Answer: C
Explanation:
https://supportforums.cisco.com/community/netpro/security/intrusion-prevention/blog/2010/12/23/introductionto-regular-expressions-for-ips
http://regexlib.com/DisplayPatterns.aspx?cattabindex=1&categoryid=2&p=4
http://wdvl.com/Style/Languages/Perl/PerlfortheWeb/perlintro2_table1.html
The . has a special meaning (match any character), which would have the result that testaexe, test$exe
etc. would be matched as well as test.exe.
The \ removes the special meaning from the . so it is now just matching the literal .exe, so test.exe
exactly has to be matched.
See the above links as to why the other answers are not valid.




QUESTION NO: 18

Which four types of interface modes are available on the Cisco IPS 4200 Series appliance?
(Choose four.)


A. promiscuous
B. inline TAP
C. inline interface
D. inline VLAN pair
E. VLAN groups
F. bypass

Answer: A,C,D,E
Explanation:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_interfaces.html#wp1047079
https://supportforums.cisco.com/thread/246376
4000 series does not support bypass mode




QUESTION NO: 19

Which option is best to use to capture only a subset of traffic (capturing traffic per-IP-address, per-
protocol, or per-application) off the switch backplane and copy it to the Cisco IPS appliance?


A. SPAN
B. PBR
C. VACL
D. MPF
E. STP

Answer: C
Explanation:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/vacl.html#wp1037197




QUESTION NO: 20

Refer to the exhibit. Which statement is true?




A. A summary alert is sent once during each interval for each unique Summary Key entry.
B. An alert is generated each time the signature triggers.
C. This signature does not fire until three events are seen during 60 seconds with the same
attacker and victim IP addresses and ports
D. This signature is disabled by default.
E. When this signature triggers, the Cisco IPS appliance sends an SNMP trap for this event.

Answer: C
Explanation:
NB: even if the box is not checked it is still in use - it is the default action/configuration - ticking it is
allowing edit of that value




QUESTION NO: 21

What are the three anomaly detection modes? (Choose three.)


A. detect
B. active
C. inactive
D. learn
E. full
F. partial

Answer: A,C,D
Explanation:
http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.0/user/guide/ipsanom.html

Anomaly detection has the following modes:
Learning accept mode (initial setup)
Although anomaly detection is in detect mode by default, it conducts an initial learning accept
mode for the default period of 24 hours. We assume that during this phase no attack is being
carried out. Anomaly detection creates an initial baseline, known as a knowledge base, of the
network traffic. The default interval value for periodic schedules is 24 hours and the default action
is rotate, meaning that a new knowledge base is saved and loaded, and then replaces the initial
knowledge base after 24 hours.

Keep the following in mind:
Anomaly detection does not detect attacks when working with the initial knowledge base, which
is empty.
After the default of 24 hours, a knowledge base is saved and loaded and now anomaly detection
also detects attacks.
Depending on your network complexity, you may want to have anomaly detection in learning
accept mode for longer than the default 24 hours. You configure the mode in the Virtual Sensors
policy; see Defining A Virtual Sensor, page 28-5. After your learning period has finished, edit the
virtual sensor and change the mode to Detect.

Detect mode
For ongoing operation, the sensor should remain in detect mode. This is for 24 hours a day, 7
days a week.
Once a knowledge base is created and replaces the initial knowledge base, anomaly detection
detects attacks based on it. It looks at the network traffic flows that violate thresholds in the
knowledge base and sends alerts.
As anomaly detection looks for anomalies, it also records gradual changes to the knowledge base
that do not violate the thresholds and thus creates a new knowledge base. The new knowledge
base is periodically saved and takes the place of the old one thus maintaining an up-to-date
knowledge base.

Inactive mode
You can turn anomaly detection off by putting it in inactive mode. Under certain circumstances,
anomaly detection should be in inactive mode, for example, if the sensor is running in an
asymmetric environment.
Because anomaly detection assumes it gets traffic from both directions, if the sensor is configured
to see only one direction of traffic, anomaly detection identifies all traffic as having incomplete
connections, that is, as scanners, and sends alerts for all traffic flows.




QUESTION NO: 22

Which type of signature engine is best suited for creating custom signatures that inspect data at
OSI Layer 5 and above?


A. Atomic
B. String
C. Sweep
D. Service
E. Meta
F. Flood

Answer: D
Explanation:
http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/cli/cli_signature_engines.html#wp1014328
Service Engines
The Service engines analyze Layer 5+ traffic between two hosts. These are one-to-one signatures
that track persistent data. The engines analyze the Layer 5+ payload in a manner similar to the
live service.




QUESTION NO: 23 DRAG DROP





Answer:
Explanation:





http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/product_data_sheet0900aecd805baef2.html




QUESTION NO: 24

A Cisco Catalyst switch is experiencing packet drops on a SPAN destination port that is connected
to an Cisco IPS appliance. Which three configurations should be considered to resolve the packet
drops issue? (Choose three.)


A. Configure an additional SPAN session to a different Cisco IPS appliance interface connected to
the same virtual sensor
B. Configure an EtherChannel bundle as the SPAN destination port.
C. Configure RSPAN.
D. Configure VACL capture.
E. Configure the Cisco IPS appliance to inline mode.

Answer: A,D,E
Explanation:
From Neil:
A, D, E
A. Adding an additional span session to a different Cisco IPS will remove some of the traffic and
load from the existing span - Confirmed Correct
B. Cisco documentation clearly defines that Ether-channels cannot be configured as SPAN
destination ports.
This rules out option B. - Confirmed Incorrect
http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_19_ea1/configuration/guide/swspan.html#wp1044603
C. RSPAN is remote span which is used to send traffic to a device not connected to the local
switch.
While this would have a similar effect to answer A since you are in fact creating another span, the
implication here is that there is only one IPS device. - Unconfirmed Incorrect
D. Configuring VACL capture will allow a reduced amount of traffic and load on the span by
selecting and sending only select traffic over the SPAN to the IPS. - Confirmed Correct
E. Configuring the Cisco IPS appliance in inline mode would eliminate the need for a span
altogether. -Unconfirmed Correct.

Cisco ASA IPS Modules: Inline Operation
You can configure the ASA to only forward specific traffic to the AIP SSM or AIP SSC for
inspection. This is achieved by using the Cisco Modular Policy Framework (MPF), where you can
configure a Cisco ASA to selectively send traffic to the AIP module operating in inline or
promiscuous mode. You can also specify that all traffic be inspected by the AIP module, and if the
total traffic exceeds the IPS module inspection capacity, you can modify the MPF configuration in
such a way that only critical traffic is inspected.
This approach reduces the traffic the IPS module will have to analyze, and it is guaranteed to
perform optimally.

Cisco ASA IPS Modules: Promiscuous Operation
A selective capture can also be used to ensure that only part of the traffic flowing through a Cisco
ASA is sent to the AIP module in promiscuous mode. This way, the AIP module is not
overwhelmed and critical data is analyzed.
The same concept applies when using the Cisco IPS Advanced Integration Module (AIM):
When inline or in promiscuous mode, select traffic can be directed to it.

Cisco Catalyst Switches: VACL Capture
When an IPS is connected to a Cisco Catalyst switch, you can perform selective capture by setting
the appropriate VLAN access control lists (VACL). The VACLs capture only a subset of traffic off
the switch backplane and copy it to the sensor that is connected on a capture port, instead of a
SPAN port. The sensor in this case only receives a copy of the packets that are suitable for
analysis and completely ignores the rest of the traffic.

Performance issues and bottlenecks should be avoided by sizing the IPS sensors adequately and
ensuring that the network topology design is a good fit.




QUESTION NO: 25 DRAG DROP




Answer:
Explanation:



Here is an explanation and reference link:
IDSM-2
The IDSM-2 Module is a Cisco IDS blade for the Cisco 6500 switch. Once you install the module
into the switch, the module uses the following logical ports:

http://www.fir3net.com/IDS/Cisco/configuting-the-cisco-ids-router-switch-modules.html




QUESTION NO: 26

Which signature action should be selected to cause the attacker's traffic flow to terminate when
the Cisco IPS appliance is operating in promiscuous mode?


A. deny connection
B. deny attacker
C. reset TCP connection
D. deny packet, reset TCP connection
E. deny connection, reset TCP connection

Answer: C
Explanation:
Deny attacker is only available in inline mode!
http://www.cisco.com/web/about/security/intelligence/ipsmit.html#7

Promiscuous Mode Event Actions
The following event actions can be deployed in Promiscuous mode. These actions are in effect for
a user-configurable default time of 30 minutes. Because the IPS sensor must send the request to
another device or craft a packet, latency is associated with these actions and could allow some
attacks to be successful. Blocking through usage of the Attack Response Controller (ARC) has the
potential benefit of being able to perform to the network edge or at multiple places within the
network.

Request block host: This event action will send an ARC request to block the host for a specified
time frame, preventing any further communication. This is a severe action that is most appropriate
when there is minimal chance of a false alarm or spoofing.

Request block connection: This action will send an ARC response to block the specific connection.
This action is appropriate when there is potential for false alarms or spoofing.
Reset TCP connection: This action is TCP specific, and in instances where the attack requires
several TCP packets, this can be a successful action. However, in some cases where the attack
only needs one packet it may not work as well. Additionally, TCP resets are not very effective with
protocols such as SMTP that consistently try to establish new connections, nor are they effective if
the reset cannot reach the destination host in time.

Event actions can be specified on a per signature basis, or as an event action override (based on
risk rating values event action override only). In the case of event action override, specific event
actions are performed when specific risk rating value conditions are met. Event action overrides
offer consistent and simplified management. IPS version 6.0 contains a default event action
override with a deny-packet-inline action for events with a risk rating between 90 and 100. For this
action to occur, the device must be deployed in Inline mode.




QUESTION NO: 27 DRAG DROP




Answer:
Explanation:







QUESTION NO: 28

During Cisco IPS appliance troubleshooting, you notice that all the signatures are set to Fire All.
What can cause this situation to occur?


A. A new signature engine update package has been loaded to the Cisco IPS appliance.
B. A new signature/virus update package has been loaded to the Cisco IPS appliance.
C. Summarizer has been disabled globally.
D. All the signatures have been set to the default state.
E. All the signatures have been retired, and then unretired.

Answer: C
Explanation:
http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_tech_note09186a0080838bcf.shtml




QUESTION NO: 29

From which three sources does the Cisco IPS appliance obtain OS mapping information? (Choose
three.)


A. from manually configured OS mappings
B. imported OS mappings from Management Center for Cisco Security Agent
C. imported OS mappings from Cisco Security Manager
D. learned OS mappings from passive OS fingerprinting
E. learned OS mappings from Cisco SensorBase input
F. from Cisco IPS signature updates

Answer: A,B,D
Explanation:
http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.1/user/guide/ipsevact.html#wp707692

There are three sources of OS information. The sensor ranks the sources of OS information in the
following order:

1. Configured OS mappings: OS mappings that you enter on the OS Identification tab of the
Event Actions Network Information policy. You can configure different mappings for each virtual
sensor. For more information, see Configuring OS Identification (Cisco IPS 6.x and Later Sensors
Only).
We recommend configuring OS mappings to define the identity of the OS running on critical
systems. It is best to configure OS mappings when the OS and IP address of the critical systems
are unlikely to change.

2. Imported OS mappings: OS mappings imported from Management Center for Cisco Security
Agents (CSA MC).
Imported OS mappings are global and apply to all virtual sensors. For information on configuring
the sensor to use CSA MC, see Configuring the External Product Interface, page 32-23.

3. Learned OS mappings: OS mappings observed by the sensor through the fingerprinting of
TCP packets with the SYN control bit set.

Learned OS mappings are local to the virtual sensor that sees the traffic.
When the sensor needs to determine the OS for a target IP address, it consults the configured OS
mappings. If the target IP address is not in the configured OS mappings, the sensor looks in the
imported OS mappings. If the target IP address is not in the imported OS mappings, the sensor
looks in the learned OS mappings. If it cannot find it there, the sensor treats the OS of the target
IP address as unknown.




QUESTION NO: 30

Which IPS alert action is available only in inline mode?


A. produce verbose alert
B. request rate limit
C. reset TCP connection
D. log attacker/victim pair packets
E. deny-packet-inline
F. request block connection

Answer: E
Explanation:
http://www.cisco.com/web/about/security/intelligence/ipsmit.html

Inline Mode Event Actions
The following actions require the device to be deployed in Inline mode and are in effect for a
user-configurable default time of 3600 seconds (60 minutes).
Deny attacker inline: This action is the most severe and effectively blocks all communication from
the attacking host that passes through the IPS for a specified period of time. Because this event
action is severe, administrators are advised to use this only when the probability of false alarms or
spoofing is minimal.

Deny attacker service pair inline: This action prevents communication between the attacker IP
address and the protected network on the port in which the event was detected. However, the
attacker would be able to communicate on another port that has hosts on the protected network.
This event action works well for worms that attack many hosts on the same service port. If an
attack occurred on the same host but on another port, this communication would be allowed. This
event action is appropriate when the likelihood of a false alarm or spoofing is minimal.
Deny attacker victim pair inline: This action prevents the attacker from communicating with the
victim on any port. However, the attacker could communicate with other hosts, making this action
better suited for exploits that target a specific host. This event action is appropriate when the
likelihood of a false alarm or spoofing is minimal.

Deny connection inline: This action prevents further communication for the specific TCP flow. This
action is appropriate when there is the potential for a false alarm or spoofing and when an
administrator wants to prevent the action but not deny further communication.
Deny packet inline: This action prevents the specific offending packet from reaching its intended
destination.

Other communication between the attacker and victim or victim network may still exist. This action
is appropriate when there is the potential for a false alarm or spoofing. Note that for this action, the
default time has no effect.
Modify packet inline: This action enables the IPS device to modify the offending part of the packet.
However, it forwards the modified packet to the destination. This action is appropriate for packet
normalization and other anomalies, such as TCP segmentation and IP fragmentation re-ordering.




QUESTION NO: 31

Refer to the exhibit. What does the Risk Threshold setting of 95 specify?

A. the low risk rating threshold
B. the low threat rating threshold
C. the low target value rating threshold
D. the high risk rating threshold
E. the high threat rating threshold
F. the high target value rating threshold

Answer: D
Explanation:
HIGH RISK = 90 - 100 = Red Threat




QUESTION NO: 32

From the Cisco IPS appliance CLI setup command, one of the options is "Modify default threat
prevention settings? [no]". What is this option related to?


A. anomaly detection
B. threat rating adjustment
C. event action override that denies high-risk network traffic with a risk rating of 90 to 100
D. risk rating adjustment with global correlation
E. reputation filters

Answer: C
Explanation:
http://www.cisco.com/en/US/docs/security/ips/6.2/configuration/guide/cli/cli_initializing.html
Modify default threat prevention settings?[no]:
Step 11 Enter yes if you want to modify the default threat prevention settings.

Note: The sensor comes with a built-in override to add the deny packet event action to high risk
rating alerts. If you do not want this protection, disable automatic threat prevention.




QUESTION NO: 33

In Cisco IDM, the Configuration > Sensor Setup > SSH > Known Host Keys screen is used for
what purpose?


A. to enable the Cisco IPS appliance as a master blocking sensor
B. to enable management hosts to access the Cisco IPS appliance
C. to regenerate the Cisco IPS appliance SSH host key
D. to regenerate the Cisco IPS appliance SSL RSA key pair
E. to enable communications with a blocking device

Answer: E
Explanation:
http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/cli/cliTasks.html#wp1067312

You must add hosts to the SSH known hosts list so that the sensor can recognize the hosts that it
can communicate with through SSH. These hosts are SSH servers that the sensor needs to
connect to for upgrades and file copying, and other hosts, such as Cisco routers, PIX Firewalls,
and Catalyst switches that the sensor will connect to for blocking.




QUESTION NO: 34 DRAG DROP





Answer:
Explanation:






QUESTION NO: 35

Which configuration is required when setting up the initial configuration on the Cisco ASA 5505 to
support the Cisco ASA AIP-SSC?


A. Configure a VLAN interface as a management interface to access the Cisco ASA AIP-SSC.
B. Using MPF, configure which virtual sensor to use.
C. Configure a management access rule to allow Cisco ASDM access from the Cisco ASA AIP-
SSC management interface IP address.
D. Configure a management access rule to allow SSH access from the Cisco ASA AIP-SSC
management interface IP address.

Answer: A
Explanation:
http://www.cisco.com/en/US/docs/security/asa/quick_start/ips/ips_qsg.html

2 Connecting Management Interface Cables
ASA 5505: The ASA 5505 does not have a dedicated management interface. You must use an
ASA VLAN to access an internal management IP address over the backplane. Connect the
management PC to one of the following ports: Ethernet 0/1 through 0/7. These ports are assigned
to VLAN 1 using the 192.168.1.1/24 address. The internal IPS management address is
192.168.1.2/24.




QUESTION NO: 36

The Cisco IPS appliance risk category is used with which other feature?


A. anomaly detection
B. event action overrides
C. global correlation
D. reputation filter

Answer: B
Explanation:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_event_action_rules.html#wp2068398




QUESTION NO: 37

Which two Cisco IPS modules support sensor virtualization? (Choose two.)


A. AIP-SSM
B. AIP-SSC
C. IPS AIM
D. IPS NME
E. IDSM-2

Answer: A,E
Explanation:
http://my.safaribooksonline.com/book/certification/ccnp/9780132372107/using-cisco-ips-virtual-sensors/ch20lev1sec5




QUESTION NO: 38

You are working with Cisco TAC to troubleshoot a software problem on the Cisco IPS appliance.
TAC suspects a fault with the ARC software module in the Cisco IPS appliance. In this case,
which Cisco IPS appliance operations may be most affected by the ARC software module fault?


A. SDEE
B. global correlation
C. anomaly detection
D. remote blocking
E. virtual sensor
F. OS fingerprinting

Answer: D
Explanation:
http://www.cisco.com/en/US/docs/security/ips/6.1/installation/guide/hw_troubleshooting.html#wpmkr1185768




QUESTION NO: 39

Threat rating calculation is performed based on which factors?


A. risk rating and adjustment based on the prevention actions taken
B. threat rating and event action overrides
C. event action overrides and event action filters
D. risk rating and target value rating
E. alert severity and alert actions

Answer: A
Explanation:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/prod_white_paper0900aecd806e7299.html

Threat rating is a quantitative measure of your network's threat level after IPS mitigation. The
formula for threat rating is:

Threat Rating = Risk Rating - Alert Rating
The values of the alert ratings are listed below.
45: deny-attacker-inline
40: deny-attacker-victim-pair-inline
40: deny-attacker-service-pair-inline
35: deny-connection-inline
35: deny-packet-inline
35: modify-packet-inline
20: request-block-host
20: request-block-connection
20: reset-tcp-connection
20: request-rate-limit

For example, if an alert had a risk rating of 100 and the IPS mitigates the event with a
deny-attacker-inline action, the threat rating would be calculated as:
Threat Rating = Risk Rating - Alert Rating, or 100 - 45 = 55.

Threat rating brings the value of risk rating to a new level. By taking the IPS mitigation action into
account, threat rating helps you further focus on the most important threats that have not been
mitigated.




QUESTION NO: 40

Refer to the exhibit.




The scanner threshold is set to 120. Which two statements about this histogram are true? (Choose
two.)


A. From a single source you do not expect to see nonestablished connections to more than 120
different destination IP addresses.
B. From a single source you do not expect to see nonestablished connections to more than 100
different destination IP addresses.
C. You do not expect to see more than 5 sources generate nonestablished connections to 10 or
more different destinations.
D. You do not expect to see more than 10 sources generate nonestablished connections to 5 or
more different destinations.
E. A scanner threshold of 120 is not a valid value for this histogram.
F. Scanning attacks will not be triggered, because the scanner threshold is higher than the
maximum number of destination IP addresses in the histogram.
G. Scanning attacks will not be triggered, because the scanner threshold is higher than the
maximum number of source IP addresses in the histogram.

Answer: B,D
Explanation:
http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.0/user/guide/ipsanom.pdf
Read this topic carefully and you will see the answers better.
Two test takers have done B & D and have 100% in troubleshooting, so believe this is good.




QUESTION NO: 41 DRAG DROP




Answer:
Explanation:








QUESTION NO: 42

On the Cisco IPS appliance, each virtual sensor can have its own instance of which three
parameters? (Choose three.)


A. signature-definition
B. event-action-rules
C. global-correlation-rules
D. anomaly-detection
E. reputation-filters
F. external-product-interfaces

Answer: A,B,D
Explanation:
http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/idm/dmAnEng.html
The Virtual Sensors pane displays a list of the virtual sensors. For each virtual sensor the following
is displayed:

Assigned interfaces/pairs
Signature definition policy
Event action rules policy
Anomaly detection policy
Anomaly detection operational mode setting
Inline TCP session tracking mode
Description of the virtual sensor

You can create, edit, or delete virtual sensors.




QUESTION NO: 43 DRAG DROP




Answer:
Explanation:






QUESTION NO: 44

Refer to the exhibit. What happens when you click the Cisco Security MARS icon on the Cisco
Security MARS query result screen?



A. Cross-launch Cisco Security Manager to link the Cisco Security MARS event back to the IPS
signature and policy within the Cisco Security Manager that triggered it.
B. Cross-launch Cisco IDM so the signature that triggered it can be examined.
C. Cross-launch Cisco IDM to show the corresponding IPS alerts.
D. Cross-launch Cisco Security Manager to show the corresponding IPS alerts.
E. Cross-launch Cisco IME so the signature that triggered it can be examined.

Answer: A
Explanation:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5739/ps6241/product_data_sheet0900aecd80272e64.html

Cisco Security MARS integrates tightly with Cisco's premier security management suite, Cisco
Security Manager. This integration maps traffic-related syslog messages to the firewall policies
defined in Cisco Security Manager that triggered the event. Policy lookup enables rapid, round-trip
analysis for troubleshooting firewall-configuration-related network issues, policy configuration
errors, and fine-tuning defined policies.

http://www.cisco.com/en/US/docs/security/security_management/cs-mars/4.3/user/guide/local_controller/cfgcsm.html




QUESTION NO: 45

Which three statements about the Cisco IPS appliance normalizer feature are true? (Choose
three.)


A. only operates in inline modes
B. ensures that Layer 4 to Layer 7 traffic conforms to the protocol specifications
C. tracks session states and stops packets that do not fully match session state
D. modifies ambiguously fragmented IP traffic
E. cannot analyze asymmetric traffic flows

Answer: A,C,D
Explanation:
http://globalknowledgeblog.com/technology/cisco/asa-and-ips-parallel-features-part-ii/
= A
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/white_paper_c11-459025_ps6120_Products_White_Paper.html
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_signature_engines.html#wpxref98199
= C and D

The Cisco ASA AIP-SSM is a fully functional firewall and IPS solution that can be deployed in
symmetric or asymmetric mode and supports stateful failover deployments. In either deployment
mode, session state and evasion protection will be maintained because of advanced state features
in the Cisco ASA operating system.
E is not an option -- even though it reduces performance, it is still able to analyze a single traffic
flow.
http://globalknowledgeblog.com/technology/cisco/asa-and-ips-parallel-features-%E2%80%93-part-iii/




QUESTION NO: 46
Refer to the exhibit. What does the Deny Percentage setting affect?



A. the percentage of the signatures to be tuned by the event action filter
B. the percentage of the Risk Rating value to be tuned by the event action filter
C. the percentage of packets to be denied for the deny attacker actions
D. the percentage of the signatures to be tuned by the event action overrides

Answer: C
Explanation:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_event_action_rules.
html#wp2032330
Deny Percentage: Determines the percentage of packets to deny for deny attacker features. The
valid range is 0 to 100. The default is 100 percent.




QUESTION NO: 47

Which protocol is used by Encapsulated Remote SPAN?


A. ESP
B. GRE
C. TLS
D. STP
E. VTI
F. 802.1Q

Answer: B
Explanation:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/span.html#wp1059482

ERSPAN Overview
ERSPAN supports source ports, source VLANs, and destination ports on different switches, which
provides remote monitoring of multiple switches across your network (see Figure 52-3).
ERSPAN consists of an ERSPAN source session, routable ERSPAN GRE-encapsulated traffic,
and an ERSPAN destination session. You separately configure ERSPAN source sessions and
destination sessions on different switches.

To configure an ERSPAN source session on one switch, you associate a set of source ports or
VLANs with a destination IP address, ERSPAN ID number, and optionally with a VRF name. To
configure an ERSPAN destination session on another switch, you associate the destination ports
with the source IP address, ERSPAN ID number, and optionally with a VRF name.

ERSPAN source sessions do not copy locally sourced RSPAN VLAN traffic from source trunk
ports that carry RSPAN VLANs. ERSPAN source sessions do not copy locally sourced ERSPAN
GRE-encapsulated traffic from source ports.

Each ERSPAN source session can have either ports or VLANs as sources, but not both.
The ERSPAN source session copies traffic from the source ports or source VLANs and forwards
the traffic using routable GRE-encapsulated packets to the ERSPAN destination session. The
ERSPAN destination session switches the traffic to the destination ports.




QUESTION NO: 48

In which three ways can you achieve better Cisco IPS appliance performance? (Choose three.)


A. Place the Cisco IPS appliance behind a firewall.
B. Disable unneeded signatures.
C. Enable unidirectional capture.
D. Have multiple Cisco IPS appliances in the path and configure them to detect different types of
events
E. Enable selective packet capture using VLAN ACL on the Cisco IPS 4200 Series appliance.
F. Enable all anti-evasive measures to reduce noise.

Answer: A,B,D
Explanation:
A. Placing the IPS behind a firewall will reduce traffic which will help improve performance -
Confirmed Correct
B. Disable unneeded signatures will reduce processing over head which will help improve
performance - Unconfirmed Correct
C. Enabling unidirectional capture would improve device performance but it would also result in
poor IPS performance - Unconfirmed Incorrect
D. Having multiple Cisco IPS devices in the path each detecting a different type of traffic would
balance the load resulting in increased performance on each device - Confirmed correct
E. VACL selective packet capture is enabled on the switch, not the device. - Confirmed incorrect
F. Enabling all anti-evasive measures would force all traffic through the device, likely causing an
increase in noise (not a reduction), and the increased traffic would cause increased load on the
device, resulting in decreased performance. - Confirmed Incorrect
http://my.safaribooksonline.com/book/certification/ccnp/9780132372107/deploying-cisco-ips-for-highavailability-and-high-performance/499#




QUESTION NO: 49

What must be configured to enable Cisco IPS appliance reputation filtering and global correlation?


A. DNS server(s) IP address
B. full sensor based network participation
C. trusted hosts settings
D. external product interfaces settings

Answer: A
Explanation:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/ime/ime_collaboration.html

Global Correlation Requirements
Global correlation has the following requirements:

Valid license
You must have a valid sensor license for global correlation features to function. You can still
configure and display statistics for the global correlation features, but the global correlation
databases are cleared and no updates are attempted. Once you install a valid license, the global
correlation features are reactivated.

Agree to network participation disclaimer
External connectivity for sensor and a DNS server
The global correlation features of IPS 7.0 require the sensor to connect to the Cisco SensorBase
Network.
Domain name resolution is also required for these features to function. You can either configure
the sensor to connect through an HTTP proxy server that has a DNS client running on it, or you
can assign an Internet routable address to the management interface of the sensor and configure
the sensor to use a DNS server. In IPS 7.0 the HTTP proxy and DNS servers are used only by the
global correlation features.




QUESTION NO: 50

What is a best practice to follow before tuning a Cisco IPS signature?


A. Disable all the alert actions on the signature to be tuned.
B. Disable the signature to be tuned.
C. Create a clone of the signature to be tuned.
D. Increase the number of events required to trigger the signature to be tuned.
E. Decrease the attention span (maximum inter-event interval) of the signature to be tuned

Answer: C
Explanation:
http://www.cisco.com/web/about/security/intelligence/ips_custom_sigs_pdf.pdf, specifically:

Cloning a Signature
Administrators often find the need to modify a signature to meet the needs of a specific network,
such as to reduce false positives or false negatives.
In such cases, the first approach should be to fine tune signature parameters such as event action
filters and override policies. If these tunings are not sufficient, the last action that is available is to
modify a signature. By default, signature parameters such as the regular expression cannot be
modified.
The signature must first be cloned in order to modify such signature parameters. The original
signature can be retired or disabled if it is determined that it is no longer required.

ORIGINAL FROM CHIP:
Still Doubt here. 100% certain C is wrong.
A is best answer with B also possible.
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/prod_white_paper0900aecd8066d265.html
Official Guide - Chapter 13 Quiz - When tuning signatures it is recommended
Answer: By removing harmful actions during the tuning phase we can have visibility......without
interfering with normal traffic "Do no harm" approach.




QUESTION NO: 51

Which three statements about the Cisco IntelliShield Alert Manager are true? (Choose three.)


A. Alert information is analyzed and validated by Cisco security analysts.
B. Alert analysis is vendor-neutral.
C. The built-in workflow system provides a mechanism for tracking vulnerability remediation and
integration with Cisco Security Manager and Cisco Security MARS.
D. Users can customize the notification to deliver tailored information relevant to the needs of the
organization
E. Customers are automatically subscribed to use Cisco Security IntelliShield Alert Manager
Service with the Cisco IPS license.
F. More than 10 report types are available within the Cisco Security IntelliShield Alert Manager
Service.

Answer: A,B,D
Explanation:
http://www.cisco.com/en/US/products/ps6834/serv_group_home.html
A & D are clear.
Still in doubt for B or C (and F - added by DD)

Features
Continuous threat and vulnerability updates
Customized notifications that deliver tailored information relevant to IT needs = D
Actionable alert intelligence analyzed and validated by security analysts to assist in proactive
prevention =A

Integrated, easy to use tools for easy management of remediation efforts
Comprehensive intelligence information including historical coverage of over 14,000 alerts
Benefits
Accelerated elimination of threats through actionable security intelligence
Customized intelligence to avoid sifting through irrelevant information
Vendor-neutral analysis of threats and vulnerabilities help prevent IT attacks across business
environments = B

Workflow management tools enable efficient use of security staff resources
http://www.cisco.com/en/US/services/ps2827/ps6834/services_overview0900aecd803e85ee.pdf
Option C removal!
No mention of integration at all with CSM or CS MARS.
Added by DD
Originally suggested F as an option but one of the report types specifically mentions vendor
neutral analysis on security vulnerabilities
http://www.cisco.com/web/services/portfolio/product-technical-support/intellishield/index.html says
"....Vendorneutral analysis of threats and vulnerabilities that prevent IT attacks across business
environments..."
There is also this about reports from

The Cisco Security Intelligence Operations information is published in many forms for the benefit
of end customers, enterprises, governments, and the general public. Some examples of the other
forms of Cisco Security Intelligence Operations information are as follows:

Cyber risk reports
Cisco annual security reports
Cisco PSIRT security advisories and security responses
Cisco IntelliShield alerts, including malicious code alerts, security activity bulletins, security issue
alerts, threat outbreak alerts, and geopolitical security reports
Service provider security best practices
Security Intelligence best practices
Cisco IPS active update bulletins
Applied mitigation bulletins
Cisco IronPort outbreak reports
IntelliShield event responses

And also something from:
http://www.cisco.com/web/about/doing_business/legal/service_descriptions/docs/Cisco_Security_IntelliShield_Alert_Manager_Service.pdf
Because it mentions these, not convinced that F is not a valid option:

The Service provides, among other things:

Vulnerability Alerts - vendor-neutral reports on security vulnerabilities.
Malicious Code Alerts - reports on malicious codes that have a minimum of level 3 urgency rating
described in the user documentation provided by Cisco.
Activity Reports - reports on attacks, outages and threat activity identified by Cisco's global
network of sources.
Threat Outbreak Alert - reports on the latest spam activity from the Cisco IronPort Threat
Operations Center.
Applied Mitigation Bulletins - reports on how to use your existing Cisco security products to
mitigate and block threats.
Cyber Risk Reports - weekly Cyber Risk Reports provide strategic intelligence that highlight
current security activity. The reports address seven major risk management categories:
vulnerability, physical, legal, trust, identity, human, and geopolitical.
Enterprise Task Management - a web-based console that helps customers to manage, assign
and track security-related tasks within Customer's




QUESTION NO: 52

Which two configurations are required on the Cisco IPS appliance to allow Cisco Security
Manager to log into the Cisco IPS appliance? (Choose two.)


A. Enable SNMPv2.
B. Enable SSH access.
C. Enable TLS/SSL to allow HTTPS access.
D. Enable NTP.
E. Enable Telnet access.
F. Enable the IP address of the Cisco Security Manager server as an allowed host.

Answer: C,F
Explanation:
Obvious standard config but needs confirmation
http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/cli/cliTasks.html#wp1056053




QUESTION NO: 53




What is the status of OS Identification?


A. It is only enabled to identify the Cisco IOS OS using statically mapped OS fingerprinting.
B. OS mapping information will not be used for Risk Rating calculations.
C. It is configured to enable OS mapping and ARR only for the 10.0.0.0/24 network.
D. It is enabled for passive OS fingerprinting for all networks.

Answer: C
Explanation:
http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/ime/ime_event_action_rules.html#wp2119120

Understanding Passive OS Fingerprinting
Passive OS fingerprinting lets the sensor determine the OS that hosts are running. The sensor
analyzes network traffic between hosts and stores the OS of these hosts with their IP addresses.
The sensor inspects TCP SYN and SYNACK packets exchanged on the network to determine the
OS type.

The sensor then uses the OS of the target host OS to determine the relevance of the attack to the
victim by computing the attack relevance rating component of the risk rating. Based on the
relevance of the attack, the sensor may alter the risk rating of the alert for the attack and/or the
sensor may filter the alert for the attack.
You can then use the risk rating to reduce the number of false positive alerts (a benefit in IDS
mode) or definitively drop suspicious packets (a benefit in IPS mode). Passive OS fingerprinting
also enhances the alert output by reporting the victim OS, the source of the OS identification, and
the relevance to the victim OS in the alert.

Passive OS fingerprinting consists of three components:
Passive OS learning
Passive OS learning occurs as the sensor observes traffic on the network. Based on the
characteristics of TCP
SYN and SYNACK packets, the sensor makes a determination of the OS running on the host of
the source IP address.
User-configurable OS identification
You can configure OS host mappings, which take precedence over learned OS mappings.
Computation of attack relevance rating and risk rating






QUESTION NO: 54




Which signature definition is virtual sensor 0 assigned to use?


A. rules0
B. vs0
C. sig0
D. ad0
E. ad1
F. sig1

Answer: B
Explanation:
Default signature
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_signature_definitions.html

You can create multiple security policies and apply them to individual virtual sensors. A security
policy is made up of a signature definition policy, an event action rules policy, and an anomaly
detection policy. Cisco IPS contains a default signature definition policy called sig0, a default event
action rules policy called rules0, and a default anomaly detection policy called ad0. You can
assign the default policies to a virtual sensor or you can create new policies.






QUESTION NO: 55



What action will the sensor take regarding IP addresses listed as known bad hosts in the Cisco
SensorBase network?


A. Global correlation is configured in Audit mode for testing the feature without actually denying
any hosts.
B. Global correlation is configured in Aggressive mode, which has a very aggressive effect on
deny actions.
C. It will not adjust risk rating values based on the known bad hosts list.
D. Reputation filtering is disabled.

Answer: D
Explanation:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_collaboration.html#wp1054333




QUESTION NO: 56



To what extent will the Cisco IPS sensor contribute data to the Cisco SensorBase network?


A. It will not contribute to the SensorBase network.
B. It will contribute to the SensorBase network, but will withhold some sensitive information
C. It will contribute the victim IP address and port to the SensorBase network.
D. It will not contribute to Risk Rating adjustments that use information from the SensorBase
network.

Answer: B
Explanation:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_collaboration.html#wp1053292
Configuring Network Participation
To configure network participation, follow these steps:
Step 1 Log in to IDM using an account with administrator privileges.
Step 2 Choose Configuration > Policies > Global Correlation > Network Participation.
Step 3 To turn on network participation, click the Partial or Full radio button:
Partial: Data is contributed to the SensorBase Network, but data considered potentially sensitive
is filtered out and never sent.
Full: All data is contributed to the SensorBase Network.




QUESTION NO: 57



Which two statements about Signature 1104 are true? (Choose two.)


A. This is a custom signature.
B. The severity level is High.
C. This signature has triggered as indicated by the red severity icon.
D. Produce Alert is the only action defined.
E. This signature is enabled, but inactive, as indicated by the /0 that follows the signature
number.

Answer: B,D
Explanation:
http://www.cisco.com/en/US/docs/security/ips/7.1/configuration/guide/ime/ime_signature_wizard.pdf






QUESTION NO: 58






Which three statements about the Cisco IPS appliance configurations are true? (Choose three.)

A. The maximum number of denied attackers is set to 10000.
B. The block action duration is set to 3600 seconds.
C. The Meta Event Generator is globally enabled.
D. Events Summarization is globally disabled.
E. Threat Rating Adjustment is globally disabled.

Answer: A,B,C
Explanation:
Feedback from test takers.
A & C is clear.
Major issues with this answer --- the third choice is impossible. I believe B should be "Block action
duration is set for 30 minutes" -- only choice really.






QUESTION NO: 59

Which four statements about the blocking capabilities of the Cisco IPS appliance are true?
(Choose four.)


A. The three types of blocks are: host, connection, and network.
B. Host and connection blocks can be initiated manually or automatically when a signature is
triggered.
C. Network blocks can only be initiated manually.
D. The Device Login Profiles pane is used to configure the profiles that the network devices use
when logging into the Cisco IPS appliance
E. Multiple Cisco IPS appliances can forward their blocking requests to the master blocking
sensor.
F. Pre-Block and Post-Block ACLs are applicable for blocking or rate limiting.

Answer: A,B,C,E
Explanation:
http://www.cisco.com/en/US/docs/security/ips/7.0/command/reference/crCmds.html#wp765330
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_blocking.html#wp2216370
It appears that block network is not available from the ARC module.
D is definitely incorrect
Use the Device Login Profiles pane to configure the profiles that the sensor uses when logging in
to blocking devices.
F is also incorrect
Pre-Block and Post-Block ACLS do not apply to rate limiting.




QUESTION NO: 60

OS mappings associate IP addresses with an OS type, which in turn helps the Cisco IPS
appliance to calculate what other value?


A. TVR
B. SFR
C. ARR
D. PD
E. ASR

Answer: C
Explanation:
http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/idm/dmEvtRul.html#wp1159073




QUESTION NO: 61

Which signature engine is recommended for creating a custom signature for packet header
matching?


A. MULTI-STRING
B. FLOOD.HOST
C. ATOMIC.IP
D. SERVICE
E. SWEEP
F. META

Answer: C
Explanation:
http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/cli/cli_signature_engines.html#wp1141808

Atomic IP Engine
The Atomic IP engine defines signatures that inspect IP protocol headers and associated Layer 4
transport protocols (TCP, UDP, and ICMP) and payloads.




QUESTION NO: 62

On the Cisco IPS appliance, the anomaly detection knowledge base is used to store which two
types of information for each service? (Choose two.)


A. scanner threshold
B. packet per second rate limit
C. anomaly detection mode
D. histogram
E. total bytes transferred

Answer: A,D
Explanation:
http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.0/user/guide/ipsanom.html

The knowledge base has a tree structure and contains the following information:
Knowledge base name
Zone name
Protocol
Service

The knowledge base holds a scanner threshold and a histogram for each service. If you have
learning accept mode set to automatic and the action set to rotate, a new knowledge base is
created every 24 hours and used in the next 24 hours. If you have learning accept mode set to
automatic and the action is set to save only, a new knowledge base is created but not loaded, and
the current knowledge base is used. If you do not have learning accept mode set to automatic, no
knowledge base is created.




QUESTION NO: 63

Which four features are supported on the Cisco ASA AIP-SSM but are not supported on the Cisco
ASA AIP-SSC? (Choose four.)


A. multiple virtual sensors
B. anomaly detection
C. promiscuous mode
D. custom signatures
E. fail open
F. global correlation

Answer: A,B,D,F
Explanation:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/ps6825/product_data
_sheet0900aecd80404916_ps6120_Products_Data_Sheet.html




QUESTION NO: 64

Which Cisco IPS appliance TCP session tracking mode should be used if packets of the same
session are coming to the sensor over different interfaces, but should be treated as a single
session?


A. interface and VLAN
B. virtual sensor
C. VLAN only
D. promiscuous
E. normalizer

Answer: B
Explanation:
http://www.cisco.com/en/US/docs/security/ips/7.1/configuration/guide/ime/ime_policies.html#wp2005229

Inline TCP Session Tracking Mode
When you choose to modify packets inline, if the packets from a stream are seen twice by the
Normalizer engine, it cannot properly track the stream state and often the stream is dropped. This
situation occurs most often when a stream is routed through multiple VLANs or interfaces that are
being monitored by the IPS. A further complication in this situation is the necessity of allowing
asymmetric traffic to merge for proper tracking of streams when the traffic for either direction is
received from different VLANs or interfaces.

To deal with this situation, you can set the mode so that streams are perceived as unique if they
are received on separate interfaces and/or VLANs (or the subinterface for VLAN pairs).
The following inline TCP session tracking modes apply:
Interface and VLAN: All packets with the same session key (AaBb) in the same VLAN (or inline VLAN pair) and on the same interface belong to the same session. Packets with the same key but on different VLANs are tracked separately.
VLAN Only: All packets with the same session key (AaBb) in the same VLAN (or inline VLAN pair) regardless of the interface belong to the same session. Packets with the same key but on different VLANs are tracked separately.
Virtual Sensor: All packets with the same session key (AaBb) within a virtual sensor belong to the same session. This is the default and almost always the best option to choose.




QUESTION NO: 65

Which two Cisco IPS appliance features are implemented using input data from the Cisco
SensorBase? (Choose two.)


A. global correlation
B. anomaly detection
C. reputation filters
D. botnet traffic filters
E. OS fingerprinting
F. threat detection

Answer: A,C
Explanation:



QUESTION NO: 66

Which four configuration elements can the virtual sensor of a Cisco IPS appliance have? (Choose four.)


A. interfaces or VLAN pairs
B. IPS reputation filters
C. signature set definition
D. global correlation rules
E. event action rules (filters and overrides)
F. anomaly detection policy

Answer: A,C,E,F
Explanation:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_policies.html#wpmkr2163359

You can apply the same policy, for example, sig0, rules0, and ad0, to different virtual sensors. The
Add Virtual Sensor dialog box displays only the interfaces that are available to be assigned to this
virtual sensor. Interfaces that have already been assigned to other virtual sensors are not shown
in this dialog box.
You can also assign event action overrides to virtual sensors, and configure the following modes:

Anomaly detection operational mode
Inline TCP session tracking mode
Normalizer mode

The following fields are found in the Add and Edit Virtual Sensor dialog boxes:
Virtual Sensor Name: Name for this virtual sensor.
Description: Description for this virtual sensor.
Interfaces: Lets you assign and remove interfaces for this virtual sensor.
Assigned: Whether the interfaces or interface pairs have been assigned to the virtual sensor.
Name: The list of available interfaces or interface pairs that you can assign to the virtual sensor (GigabitEthernet or FastEthernet).
Details: Lists the mode (Inline Interface or Promiscuous) of the interface and the interfaces of the inline pairs.
Signature Definition Policy: The name of the signature definition policy you want to assign to this virtual sensor. The default is sig0.
Event Action Rules Policy: The name of the event action rules policy you want to assign to this virtual sensor. The default is rules0.
Use Event Action Overrides: When checked, lets you configure event action overrides when you click Add to open the Add Event Action Override dialog box.
Risk Rating: Indicates the level of risk rating for this override.
Actions to Add: Indicates the action to add to this override.
Enabled: Indicates whether this override is enabled or disabled.
Anomaly Detection Policy: The name of the anomaly detection policy you want to assign to this virtual sensor. The default is ad0.
AD Operational Mode: The mode that you want the anomaly detection policy to operate in for this virtual sensor. The default is Detect.
Inline TCP Session Tracking Mode: The mode used to segregate multiple views of the same stream if the same stream passes through the sensor more than once. The default mode is Virtual Sensor.
Interface and VLAN: All packets with the same session key (AaBb) in the same VLAN (or inline VLAN pair) and on the same interface belong to the same session. Packets with the same key but on different VLANs are tracked separately.
VLAN Only: All packets with the same session key (AaBb) in the same VLAN (or inline VLAN pair) regardless of the interface belong to the same session. Packets with the same key but on different VLANs are tracked separately.
Virtual Sensor: All packets with the same session key (AaBb) within a virtual sensor belong to the same session.
Normalizer Mode: Lets you choose which type of Normalizer mode you need for traffic inspection:
Strict Evasion Protection: If a packet is missed for any reason, all packets after the missed packet are not processed. Strict evasion protection provides full enforcement of TCP state and sequence tracking.
Note: Any out-of-order packets or missed packets can produce Normalizer engine signatures 1300 or 1330 firings, which try to correct the situation, but can result in denied connections.
Asymmetric Mode Protection: Can only see one direction of bidirectional traffic flow. Asymmetric mode protection relaxes the evasion protection at the TCP layer.

Note: Asymmetric mode lets the sensor synchronize state with the flow and maintain inspection for those engines that do not require both directions. Asymmetric mode lowers security because full protection requires both sides of traffic to be seen.
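As an added illustration (not part of the exam material or the Cisco documentation it quotes), the following Python models how the three inline TCP session tracking modes described under Question 64 and again here decide whether repeated copies of one TCP stream belong to a single session or are tracked separately; the packet fields, addresses and interface names are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed model (not Cisco code): how the inline TCP session tracking mode
# turns a packet into the key the sensor tracks a stream under.


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    vlan: int          # VLAN (or inline VLAN pair) the packet arrived on
    interface: str     # sensing interface the packet arrived on


def session_key(pkt: Packet) -> Tuple:
    """The AaBb key: both endpoints, ordered so that the A->B and B->A
    halves of one TCP stream (the asymmetric case) share the same key."""
    ends = sorted([(pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)])
    return tuple(ends)


def tracking_key(pkt: Packet, mode: str) -> Tuple:
    """Extend the AaBb key with whatever the chosen mode uses to separate
    streams: interface+VLAN, VLAN only, or nothing (virtual sensor)."""
    key = session_key(pkt)
    if mode == "interface-and-vlan":
        return key + (pkt.vlan, pkt.interface)
    if mode == "vlan-only":
        return key + (pkt.vlan,)
    if mode == "virtual-sensor":
        return key
    raise ValueError(f"unknown inline TCP session tracking mode: {mode}")


def group_sessions(pkts: List[Packet], mode: str) -> Dict[Tuple, List[Packet]]:
    """Bucket packets into the sessions the sensor would track in this mode."""
    sessions: Dict[Tuple, List[Packet]] = defaultdict(list)
    for p in pkts:
        sessions[tracking_key(p, mode)].append(p)
    return dict(sessions)


def count_sessions(pkts: List[Packet], mode: str) -> int:
    return len(group_sessions(pkts, mode))


# Constructed traffic: one client/server stream whose request is seen on
# GigabitEthernet0/0 (VLAN 10) and a second time on GigabitEthernet0/2 (same
# VLAN), while the server's reply returns through GigabitEthernet0/1 on
# VLAN 20 -- the routed-through-multiple-VLANs case the text describes.
SAMPLE = [
    Packet("10.1.1.5", 40001, "192.0.2.10", 80, vlan=10, interface="GigabitEthernet0/0"),
    Packet("10.1.1.5", 40001, "192.0.2.10", 80, vlan=10, interface="GigabitEthernet0/2"),
    Packet("192.0.2.10", 80, "10.1.1.5", 40001, vlan=20, interface="GigabitEthernet0/1"),
]

if __name__ == "__main__":
    # Interface and VLAN: 3 sessions; VLAN Only: 2; Virtual Sensor: 1
    for mode in ("interface-and-vlan", "vlan-only", "virtual-sensor"):
        print(f"{mode:20s} -> {count_sessions(SAMPLE, mode)} session(s)")
```

Only the Virtual Sensor mode merges the reply on VLAN 20 with the request on VLAN 10 into one tracked session; the other two modes see the reply as a separate, one-directional stream.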




QUESTION NO: 67

Which value is not used by the Cisco IPS appliance in the risk rating calculation?


A. attack severity rating
B. target value rating
C. signature fidelity rating
D. promiscuous delta
E. threat rating adjustment
F. watch list rating

Answer: E
Explanation:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/prod_white_paper0900aecd806e7299.html

Risk Rating Calculation
Risk rating is a quantitative measure of your network's threat level before IPS mitigation. For each
event fired by IPS signatures, Cisco IPS Sensor Software calculates a risk rating number. The
factors used to calculate risk rating are:
Signature fidelity rating: This IPS-generated variable indicates the degree of attack certainty.
Attack severity rating: This IPS-generated variable indicates the amount of damage an attack
can cause.
Target value rating: This user-defined variable indicates the criticality of the attack target. This is
the only factor in risk rating that is routinely maintained by the user. You can assign a target value
rating per IP address in Cisco IPS Device Manager or Cisco Security Manager. The target value
rating can raise or lower the overall risk rating for a network device. You can assign the following
target values:

75: Low asset value
100: Medium asset value
200: Mission-critical asset value

Attack relevancy rating: This IPS-generated value indicates the vulnerability of the attack target.
Promiscuous delta: The risk rating of an IPS deployed in promiscuous mode is reduced by the
promiscuous delta. This is because promiscuous sensing is less accurate than inline sensing. The
promiscuous delta can be configured on a per-signature basis, with a value range of 0 to 30. (The
promiscuous delta was introduced in Cisco IPS Sensor Software Version 6.0.)
Watch list rating: This IPS-generated value is based on data found in the Cisco Security Agent
watch list. The Cisco Security Agent watch list contains IP addresses of devices involved in
network scans or possibly contaminated by viruses or worms. If an attacker is found on the watch
list, the watch list rating for that attacker is added to the risk rating. The value for this factor is
between 0 and 35. (The watch list rating was introduced in Cisco IPS Sensor Software Version
6.0.)
The formula to calculate risk rating in Cisco IPS Sensor Software Version 6.0 is:
Risk rating can help enhance your productivity as it intelligently assesses the level of risk of each
event and helps you focus on high-risk events.




QUESTION NO: 68

Refer to the exhibit. Which General settings under the Event Action Rule affect the risk rating
calculations?



A. Use Summarizer
B. Use Meta Event Generator
C. Use Threat Rating Adjustment
D. Use Event Action Filters
E. Enable One Way TCP Reset

Answer: C
Explanation:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/product_data_sheet0900aecd805baef2.html

Threat Rating
New with Cisco IPS Sensor Software Version 6.0, the Threat Rating feature provides a single view
of the threat environment of the network. Threat Rating can minimize alarms and events through
the ability to customize the viewer to only show events with a high Threat Rating value. The Threat
Rating value is derived as follows:

Dynamic adjustment of the event Risk Rating based on the success of the response action
If a response action was applied, the Risk Rating is reduced (TR < RR)
If no response action was applied, the Risk Rating remains unchanged (TR = RR)

The result is a single value by which the threat risk is determined. This eases the management of
alarms and determination of risk on the network.




QUESTION NO: 69

In a centralized Cisco IPS appliance deployment, it may not be possible to connect an IPS
appliance to every switch or segment in the network. So, an IPS appliance can be deployed to
inspect traffic on ports that are located on multiple remote network switches. In this case, which
two configurations are required? (Choose two.)


A. IPS promiscuous mode operations
B. in-line IPS operations
C. RSPAN
D. SPAN
E. HSRP
F. SLB

Answer: A,C
Explanation:
RSPAN and promiscuous
From Chip: No specific reference --- is in Videos from CBT




QUESTION NO: 70

Which three actions does the Cisco IDM custom signature wizard provide? (Choose three.)


A. selecting the signature engine to use or not to use any signature engine
B. selecting the Layer 3 or Layer 4 protocol that the sensor will use to match malicious traffic
C. selecting the attack relevancy rating
D. selecting the signature threat rating
E. selecting the scope of matching (for example, single packet)

Answer: A,B,E
Explanation:
http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/idm/idm_signature_wizard.html#wp1655660
Shows A B E and nothing for C or D




QUESTION NO: 71

You want your inline Cisco IPS appliance to drop packets that pose the most severe risk to your
network, especially to the servers on your DMZ. Which two parameters should you set to protect
your DMZ servers in the most-time-efficient manner? (Choose two.)


A. event action filter
B. reputation filter
C. target value rating
D. signature fidelity rating
E. global correlation
F. event action override

Answer: C,F
Explanation:



QUESTION NO: 72

Which Cisco IPS appliance feature is best used to detect these two conditions? 1) The network
starts becoming congested by worm traffic. 2) A single worm-infected source enters the network
and starts scanning for other vulnerable hosts.


A. global correlation
B. anomaly detection
C. reputation filtering
D. custom signature
E. meta signature
F. threat detection

Answer: B
Explanation:
http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.0/user/guide/ipsanom.html

Anomaly detection identifies worm-infected hosts by their behavior as a scanner. To spread, a
worm virus must find new hosts. It finds them by scanning the Internet using TCP, UDP, and other
protocols to generate unsuccessful attempts to access different destination IP addresses. A
scanner is defined as a source IP address that generates events on the same destination port (in
TCP and UDP) for too many destination IP addresses.




QUESTION NO: 73

What will happen if you try to recover the password on the Cisco IPS 4200 Series appliance on
which password recovery is disabled?


A. The GRUB menu will be disabled.
B. The ROM monitor command to reset the password will be disabled.
C. The password recovery process will proceed with no errors or warnings; however, the
password is not reset.
D. The Cisco IPS appliance will reboot immediately.

Answer: C
Explanation:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_troubleshooting.html#wp1139544

If you try to recover the password on a sensor on which password recovery is disabled, the
process proceeds with no errors or warnings; however, the password is not reset. If you cannot log
in to the sensor because you have forgotten the password, and password recovery is set to
disabled, you must reimage your sensor.

You have the ability to disable password recovery if required (it is enabled by default). Follow
these steps to disable password recovery from the CLI:

Step 1. Log in to the CLI using administrative privileges.
Step 2. Enter global configuration mode followed by host mode:
sensor# configure terminal
sensor(config)# service host
Step 3. Disable password recovery:
sensor(config-host)# password-recovery disallowed
Note: If an administrator or user tries to recover the password on a sensor on which password recovery is disabled, the process proceeds with no errors or warnings; however, the password is not reset.
Follow these steps to disable password recovery from the Cisco IDM:
Step 1. Log in to the Cisco IDM using administrative privileges.
Step 2. Navigate to Configuration > Sensor Setup > Network.
Step 3. Disable password recovery by deselecting the Allow Password Recovery check box.



QUESTION NO: 74

Which four networking tools does Cisco IME include that can be invoked for specific events, to
learn more about attackers and victims using basic network reconnaissance? (Choose four.)


A. ping
B. traceroute
C. packet tracer
D. nslookup
E. whois
F. nmap

Answer: A,B,D,E
Explanation:
http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/ime/ime_getting_started.html
IME also supports tools such as ping, traceroute, DNS lookup, and whois lookup for selected events.




QUESTION NO: 75

Which two statements are true with respect to the AIP-SSM? (Choose two.)


A. The hosting ASA will always bypass the AIP-SSM if the AIP-SSM fails.
B. The AIP-SSM supports up to four virtual sensors.
C. Initial setup of the AIP-SSM is configured through its external console port.
D. The AIP-SSM supports both promiscuous and inline analysis.
E. The AIP-SSM must be managed by the IPS Device Manager.

Answer: B,D
Explanation:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/ssm.html




QUESTION NO: 76

Which two statements are true with respect to the AIP-SSC? (Choose two.)


A. The AIP-SSC is a module for the ASA 5510.
B. The AIP-SSC supports a maximum of two virtual sensors.
C. The AIP-SSC supports custom signatures.
D. The AIP-SSC supports fail open.
E. The AIP-SSC supports both promiscuous and inline analysis.

Answer: D,E
Explanation:
https://docs.google.com/viewer?a=v&q=cache:xcV24pCOF4MJ:www.cisco.com/en/US/docs/security/ips/6.2/configuration/guide/cli/cli_ssc.pdf+cisco+asa+aip+ssc+failopen&hl=en&gl=us&pid=bl&srcid=ADGEESi0RHlzQEpHH8Uu4c_jbwGBNqpMmZsVkjsfy6phll2Z0C5uZeQXUErbeYB-mLNlzyPb2FkNp9CrNqTJ70P-rjxrka68y6lzM9wGKpB76k-A38s8q70NsLgU_D3QAei23f-Vql53&sig=AHIEtbQ5ENt7hynvXatqPIccq8paHRyuJQ




QUESTION NO: 77

Refer to the exhibit of a partial Cisco IPS appliance CLI configuration. What is the purpose of the
access-list CLI command?




A. to define network objects that are used for IPS policy application
B. to specify which traffic will be analyzed on the sensing interfaces of the IPS sensor
C. to configure manually blocked IP addresses
D. to specify trusted management IP addresses for SSH and HTTPS access to the IPS appliance

Answer: D
Explanation:



QUESTION NO: 78

The AIP-SSM CLI can be accessed from the ASA CLI by using which command?

A. connect
B. telnet
C. hw-module
D. session
E. module

Answer: D
Explanation:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/ssm.html#wp1096676




QUESTION NO: 79

The Cisco IPS appliance global correlation and reputation filtering features depend on which two
of these? (Choose two.)


A. anomaly detection
B. OS fingerprinting
C. Cisco SensorBase
D. watch list ratings
E. event action overrides
F. DNS

Answer: C,F
Explanation:
http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.1/user/guide/ipsglobe.html




QUESTION NO: 80

Which four statements are true about the Cisco IPS global correlation and reputation filtering
features? (Choose four.)


A. Reputation filtering can adjust the risk rating of an alert.
B. Reputation filtering can be set to permissive, standard, or aggressive.
C. Global correlation can be trialed in with a test mode.
D. Reputation filtering can drop packets from untrusted source IP addresses.
E. Both global correlation and reputation filtering leverage Cisco SenderBase.
F. Global correlation can adjust the risk rating of an alert.
Answer: C,D,E,F
Explanation:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_collaboration.html#wp1056492

Global Correlation Requirements
Global correlation has the following requirements:
Valid license: You must have a valid sensor license for global correlation features to function.
You can still configure and display statistics for the global correlation features, but the global
correlation databases are cleared and no updates are attempted. Once you install a valid license,
the global correlation features are reactivated.
Agree to the Network Participation disclaimer.
External connectivity for the sensor and a DNS server: The global correlation features of IPS 7.0
require the sensor to connect to the Cisco SensorBase Network. Domain name resolution is also
required for these features to function. You can either configure the sensor to connect through an
HTTP proxy server that has a DNS client running on it, or you can assign an Internet-routable
address to the management interface of the sensor and configure the sensor to use a DNS server.
In IPS 7.0 the HTTP proxy and DNS servers are used only by the global correlation features.




QUESTION NO: 81

When setting up a Cisco IPS appliance in promiscuous mode, which Cisco Catalyst switch CLI
command is used to configure SPAN on the switch?


A. span source in interface configuration mode
B. span session in global configuration mode
C. monitor destination in interface configuration mode
D. monitor session in global configuration mode
E. mirror session in global configuration mode

Answer: D
Explanation:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml




QUESTION NO: 82
The AIP-SSC differs from the AIP-SSM in which three ways? (Choose three.)


A. It uses the ASA backplane as its monitoring interface.
B. It does not support fail open operation.
C. It does not support global correlation.
D. It does not support custom signatures.
E. It supports only one virtual sensor.
F. It does not support inline operation.

Answer: C,D,E
Explanation:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/ps6825/product_data_sheet0900aecd80404916_ps6120_Products_Data_Sheet.html




QUESTION NO: 83

Which ASA CLI command is used to configure the network parameters for downloading the AIP-
SSM recovery image?


A. hw-module 1 recover boot
B. hw-module 1 recover configure
C. sysopt ips recovery configure
D. sysopt ips recover-location
E. boot hw-module 1 tftp
F. boot system tftp

Answer: B
Explanation:
http://www.cisco.com/en/US/docs/security/ips/5.0/configuration/guide/cli/clissm.html#wp1034193




QUESTION NO: 84

Which global correlation data is sent to the Cisco SensorBase Network with full network
participation that is not sent with partial network participation?


A. attack type
B. connecting IP address and port
C. victim IP address and port
D. protocol attributes
E. IPS appliance CPU and memory usage information

Answer: C
Explanation:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_collaboration.html#wp1053292

In the Network Participation pane, you can configure the sensor to send data to the SensorBase
Network. You can configure the sensor to fully participate and send all data to the SensorBase
Network. Or you can configure the sensor to collect the data but to omit potentially sensitive data,
such as the destination IP address of trigger packets.




QUESTION NO: 85

Anomaly detection may send an alert under which two circumstances? (Choose two.)


A. The attacker obfuscates a malicious HTTP request.
B. Inbound traffic arrives from a source with a low reputation score.
C. Outbound traffic is destined towards a known botnet system.
D. A single worm-infected source enters the network and starts scanning for other vulnerable
hosts.
E. Benign traffic is misinterpreted as an attack.
F. The network starts becoming congested by worm traffic.

Answer: D,F
Explanation:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/anomaly_detector/v5.0/configuration/guide/Intro.html#wp1046115

The Detector module analyzes the zone traffic, and sends out an alert when a DoS attack is
detected. The Detector module can detect attacks and activate protection mechanisms. It is best
suited to work alongside the Cisco Anomaly Guard Module, but it can also operate as a
separate DDoS detection and alarm component.




QUESTION NO: 86

Which Cisco IPS feature is most likely to respond to a zero-day attack?


A. reputation filtering
B. botnet filtering
C. anomaly detection
D. meta-engine
E. de-obfuscation
F. threat detection

Answer: C
Explanation:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/anomaly_detector/v5.0/configuration/guide/Intro.html#wp1046115




QUESTION NO: 87

Which two interface modes can be implemented with a single physical sensing interface on the
Cisco IPS 4200 Series appliance? (Choose two.)


A. inline interface pair
B. inline VLAN groups
C. inline VLAN pair
D. promiscuous
E. hardware bypass

Answer: C,D
Explanation:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_interfaces.html




QUESTION NO: 88

Which Cisco IDM pane is used to add the public keys of all the SSH clients that are allowed to
connect to the IPS appliance SSH server using RSA authentication?


A. Configuration > Sensor Management > SSH > Authorized Keys
B. Configuration > Sensor Management > SSH > Known Host Keys
C. Configuration > Sensor Management > SSH > Sensor key
D. Configuration > Sensor Management > Certificates > Trusted Hosts
E. Configuration > Sensor Management > Certificates > Server Certificate
F. Configuration > Sensor Management > Certificates > Known Host Keys

Answer: A
Explanation:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_ssh_tls.html




QUESTION NO: 89

Refer to the exhibit of a Cisco IPS CLI configuration. Which statement is true?




A. The IPS administrator should be able to use Telnet to connect to the IP appliance 172.26.26.1
IP address.
B. The IPS administrator should be able to use Telnet to connect to the IP appliance 172.26.26.2
IP address.
C. The IP appliance default gateway IP address is 172.26.26.1.
D. The IPS administrator will not be able to use Telnet to connect to the IP appliance.
E. The IP appliance primary IP address is 172.26.26.1 with a secondary IP address of
172.26.26.2.

Answer: D
Explanation:



QUESTION NO: 90

Which two statements are true with respect to IPS false negatives? (Choose two.)

A. A false negative is the failure of the IPS to create an alert on malicious activity.
B. Increasing event count thresholds can lead to false negatives.
C. A false negative results in an IPS alert that is associated with an unsuccessful denial of service
attack.
D. Disabling anti-evasion features of the IPS can reduce false negatives.
E. False negatives can only occur when an IPS sensor is in promiscuous mode.

Answer: A,B
Explanation:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/prod_white_paper0900aecd805c389a.html




QUESTION NO: 91

You are tasked to create a custom IPS signature using the IDM Custom Signature Wizard to
detect a network reconnaissance attack in which one system makes connections to multiple hosts
on multiple TCP ports. Which Cisco IPS signature engine should be selected to configure this
custom IPS signature?


A. Atomic IP
B. Atomic IP Advanced
C. String TCP
D. Sweep
E. Meta

Answer: D
Explanation:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_signature_wizard.html




QUESTION NO: 92

All signatures in the Cisco IPS signature set include which three parameters that can be tuned
according to the environment? (Choose three.)


A. vulnerable OS list
B. alert severity rating
C. inline mode delta
D. signature fidelity rating
E. threat rating

Answer: A,B,D
Explanation:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/white_paper_c11_549300.html

After configuring Cisco IOS IPS on your router, you should adjust the staging router's signature
configuration.
The IOS IPS 'basic' and 'advanced' signature categories include a set of signatures that detect
and mitigate a broad range of traffic that could potentially exploit various types of software
vulnerabilities in server and workstation hosts, as well as network devices; other signature
categories may hold some appeal for your environment, but will likely require tuning to fit into the
router's available memory. You will need to be sure that IOS IPS is configured to enable
signatures that specifically address the requirements of your environment.
Additionally, while some signatures may offer some benefit for vulnerabilities that your network
presents, IPS may recognize traffic that is not an exploit as unwanted traffic, thus affecting a "false
positive". False positives must be dealt with in a manner that suits the nature of the vulnerability. If
a very high-risk vulnerability must be mitigated by IPS, operational tools and staff must be able to
distinguish between traffic that comprises a false positive and that which comprises a live exploit.
Otherwise, signatures addressing low-risk vulnerabilities might be tuned to generate less
response, or disabled entirely, to avoid the additional operational burden of dealing with the false
positives. Other reasons for tuning the signature database are to reduce memory or CPU footprint,
or to add custom IPS signatures that you have developed to address the security requirements of
your environment.




QUESTION NO: 93

Which Cisco IPS signature parameter cannot be edited using IDM?


A. signature name
B. signature engine type
C. signature type
D. vulnerable OS list
E. event count key

Answer: B
Explanation:
http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.0.1/user/guide/ipsvchap.html




QUESTION NO: 94

Which two IPS appliance configuration options are used in conjunction with the attack relevance
rating feature? (Choose two.)


A. OS mappings
B. OS risk category levels
C. passive OS fingerprinting
D. OS target value rating
E. OS event action filter
F. OS event action override

Answer: A,C
Explanation:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/prod_white_paper0900aecd80191021.html




QUESTION NO: 95

Which three of these are true with respect to the numeric values associated with the target value
rating? (Choose three.)


A. Mission Critical = 100
B. Mission Critical = 200
C. High = 75
D. Medium = 50
E. Low = 75
F. 100 is the default target value rating

Answer: B,E,F
Explanation:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/prod_white_paper0900aecd806e7299.html



QUESTION NO: 96

The threat rating is calculated using which two factors? (Choose two.)


A. event action overrides
B. attack severity rating
C. risk rating
D. preventative actions taken by the Cisco IPS sensor
E. target value rating
F. attack relevancy rating

Answer: C,D
Explanation:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/prod_white_paper0900aecd806e7299.html




QUESTION NO: 97

Which of these depicts the correct process order of the Cisco IPS reputation filters and global
correlation operations?


A. IPS reputation filters > signature inspection > global correlation
B. IPS reputation filters > global correlation > signature inspection
C. global correlation > IPS reputation filters > signature inspection
D. signature inspection > IPS reputation filters > global correlation

Answer: A
Explanation:
http://www.cisco.com/en/US/prod/collateral/modules/ps2641/solution_overview_cisco_ips_aim.html




QUESTION NO: 98

What are the three valid options for configuring Cisco SensorBase participation? (Choose three.)


A. off
B. test
C. manual
D. automatic
E. partial
F. full

Answer: A,E,F
Explanation:



QUESTION NO: 99

Refer to the exhibit.





Which statement is true about the IPS signature shown?


A. To match a string, the regular expression requires zero or more period characters (.) to
immediately precede the newline character.
B. A summary alert is sent once during each interval for each unique Summary Key entry.
C. An alert is generated each time the signature triggers.
D. This signature does not fire until three events are seen during 60 minutes with the same
attacker and victim IP addresses and ports.
E. This signature does not analyze traffic that is sent from the SMTP server to the client.

Answer: D
Explanation:



QUESTION NO: 100

Refer to the exhibit.





Which statement is true?


A. The Service HTTP engine is disabled.
B. The Cisco IPS sensor will send an alert if an attacker makes more than 10 HTTP requests to a
single target server.
C. The IP logging feature has been disabled by setting the Max IP Log Packets and Max IP Log
Bytes to 0.
D. Application inspection and control for HTTP is disabled.
E. Automatic IP Log actions will capture the specified traffic for 30 minutes.
Answer: D
Explanation:



QUESTION NO: 101

Refer to the exhibit.




Which three statements are true? (Choose three.)


A. Triggered inline blocks will last for 1 hour while triggered requests for external systems to block
will last for 30 minutes.
B. Triggered inline blocks will last for 30 minutes while triggered requests for external systems to
block will last for 1 hour.
C. TCP Resets will only be sent to the victim IP address.
D. TCP Resets will only be sent to the attacker IP address.
E. The IPS appliance can be configured to ignore scanning events sourced from the organization
network management system.
F. An alert risk rating will be calculated from the base value of the threat rating reduced by a value
corresponding to the preventative actions taken by the IPS appliance.

Answer: A,C,E
Explanation:



QUESTION NO: 102

The default virtual sensor on all IPS appliances is vs0. Which three components are assigned to
vs0 by default? (Choose three.)
A. sig0
B. engine0
C. rules0
D. ad0
E. filters0
F. gc0

Answer: A,C,D
Explanation:
http://www.cisco.com/en/US/docs/security/ips/7.1/configuration/guide/idm/idm_policies.html

The sensor can receive data inputs from one or many monitored data streams. These monitored
data streams can either be physical interface ports or virtual interface ports. For example, a single
sensor can monitor traffic from in front of the firewall, from behind the firewall, or from in front of
and behind the firewall concurrently. And a single sensor can monitor one or more data streams.
In this situation a single sensor policy or configuration is applied to all monitored data streams.

A virtual sensor is a collection of data that is defined by a set of configuration policies. The virtual
sensor is applied to a set of packets as defined by interface component.
A virtual sensor can monitor multiple segments, and you can apply a different policy or
configuration for each virtual sensor within a single physical sensor. You can set up a different
policy per monitored segment under analysis. You can also apply the same policy instance, for
example, sig0, rules0, or ad0, to different virtual sensors. You can assign interfaces, inline
interface pairs, inline VLAN pairs, and VLAN groups to a virtual sensor.




QUESTION NO: 103

Which three statements about the Cisco IPS appliance anomaly detection feature are true?
(Choose three.)


A. The scanner threshold is used to detect a single scanner.
B. Once the multiple scanners alert is triggered, the learning period will begin.
C. The histogram is used to detect multiple scanners.
D. Once a scanner threshold is violated, an alert is triggered for the multiple scanner signature.
E. The illegal zone should contain non-allocated internal IP addresses.
F. The traffic anomaly signature engine contains only two anomaly detection signatures (signature
ID 13000 and 13001).

Answer: A,C,E
Explanation:
http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/3.1/user/guide/ipsvchap.html

And

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/product_data_sheet0900aecd805baef2.html






QUESTION NO: 104

Which four data strings will match the regular expression c[a-z]*sc[0-4]+? (Choose four.)


A. Cisc0
B. Francisc0123456789
C. Ciscocisc0
D. SanFrancisco44
E. SanFranciscosc00L
F. csc0123456780

Answer: B,C,E,F
Explanation:
https://supportforums.cisco.com/community/netpro/security/intrusion-prevention/blog/2010/12/23/introductionto-regular-expressions-for-ips

And also
http://www.cisco.com/web/about/security/intelligence/ips_custom_sigs.html

Note especially that there are two special wildcard operators: the plus (+) and the asterisk (*). The
plus operator signifies that one or more of the previous expressions will follow, whereas the
asterisk means that zero or more of those expressions will follow. Keep in mind that these
operators will not stop matching, so be sure to terminate them by adding a terminal expression.




QUESTION NO: 105

The Cisco IDM Custom Signature Wizard asks you to select between the protocol types IP, ICMP,
UDP, and TCP under which circumstance?


A. when you specify the String engine
B. when you specify the Service engine
C. when you specify the Atomic engine
D. when you specify the String or Service engine
E. when you do not select a specific engine

Answer: E
Explanation:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_signature_wizard.html#wp1655660




QUESTION NO: 106

Regarding the Cisco IPS NME, when should the heartbeat reset be disabled on the ISR?


A. when performing an upgrade on the ISR
B. when the NME is used in inline mode
C. when the NME is used in promiscuous mode
D. when the NME is used in fail-open mode
E. when the NME is used in fail-closed open mode
F. when performing an upgrade on the NME

Answer: F
Explanation:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_system_images.html




QUESTION NO: 107

Which three IPS alert actions are available in promiscuous mode? (Choose three.)


A. reset tcp connection
B. request block host
C. deny packet
D. deny connection
E. send snmp inform
F. log pair packets

Answer: A,B,F
Explanation:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_event_action_rules.html




QUESTION NO: 108

Which Cisco IPS appliance feature uses profile-based intrusion detection?


A. profiler
B. anomaly detection
C. threat detection
D. netflow
E. reputation filter
F. senderbase

Answer: B
Explanation:



QUESTION NO: 109
Which two statements are true regarding the Cisco IPS appliance traffic normalizer? (Choose
two.)


A. It only operates in inline mode.
B. It operates in one of three modes: symmetric, loose, or asymmetric.
C. It can help prevent false negatives that are caused by evasions.
D. It can help ensure that Layer 7 traffic conforms to its protocol specifications.
E. It will not modify fragmented IP traffic.

Answer: A,C
Explanation:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/white_paper_c11-459025.html




QUESTION NO: 110

Numerous attacks using duplicate packets, changed packets, or out-of-order packets are able to
successfully evade and pass through the Cisco IPS appliance when it is operating in inline mode.
What could be causing this problem?


A. The IPS Application Inspection and Control is disabled.
B. All the DoS signatures are disabled.
C. All the reconnaissance signatures are disabled.
D. TCP state bypass is enabled.
E. The normalizer is set to asymmetric mode.

Answer: E
Explanation:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/white_paper_c11-459025.html




QUESTION NO: 111

Refer to the exhibit.




When viewing the All Signatures pane, clicking on the Advanced option can be used to enable
which two IPS configurations? (Choose two.)


A. normalizer mode
B. signature variables
C. HTTP and FTP AIC
D. network participation mode
E. event action overrides
F. event action filters

Answer: B,C
Explanation:
http://www.cisco.com/en/US/docs/security/ips/7.1/configuration/guide/idm/idm_signature_definitions.html#wp1224787




QUESTION NO: 112

The Cisco IPS appliance anomaly detection signatures cover which three protocols? (Choose
three.)


A. TCP
B. ICMP
C. UDP
D. NETBIOS
E. IP
F. other

Answer: A,C,F
Explanation:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_anomaly_detections.html#wp2040302

Anomaly Detection Signatures
The Traffic Anomaly engine contains nine anomaly detection signatures covering three protocols
(TCP, UDP, and other).




QUESTION NO: 113

When the Cisco IPS appliance is operating in inline mode, what is the default event actions rule?


A. All alert events with a risk rating of 75 or higher will have a default action of deny packet inline.
B. All alert events with a risk rating of 75 or higher will have a default action of deny attacker inline.
C. High risk category attacks will have a default action of deny packet inline.
D. High risk category attacks will have a default action of deny attacker inline.
E. Attacks to any of the mission critical resources will have a default action of deny packet inline.
F. Attacks to any of the mission critical resources will have a default action of deny attacker inline.

Answer: C
Explanation:
http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.1/user/guide/ipsevact.html




QUESTION NO: 114

In tuning a Cisco IPS signature, you need to edit the regexp string of the Cisco IPS signature, but
when editing the signature, the regexp string of the signature cannot be edited. What should you
do?


A. Create a new custom signature, then disable the original signature.
B. Log in to the IPS appliance using a service account, which allows you to edit the regexp string
of the signature.
C. Clone the signature, then edit the cloned signature, then disable the original signature.
D. Disable the signature first; then you can edit the regexp string of the signature and then re-
enable the signature.

Answer: C
Explanation:
http://www.cisco.com/web/about/security/intelligence/ips_custom_sigs.html

Cloning a Signature
Administrators often find the need to modify a signature to meet the needs of a specific network,
such as to reduce false positives or false negatives. In such cases, the first approach should be to
fine tune signature parameters such as event action filters and override policies. If these tunings
are not sufficient, the last action that is available is to modify a signature. By default, signature
parameters such as the regular expression cannot be modified. The signature must first be cloned
in order to modify such signature parameters. The original signature can be retired or disabled if it
is determined that it is no longer required.




QUESTION NO: 115

Which three Cisco IPS sensor features are configured within an event action rule? (Choose three.)


A. event action overrides
B. target value rating
C. use global correlation
D. use reputation filter
E. event action filters
F. enable TCP state bypass
G. blocking properties

Answer: A,B,E
Explanation:
http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.1/user/guide/ipsevact.html






QUESTION NO: 116

Which three statements about the Cisco IPS appliance Event Store are true? (Choose three.)


A. The Event Store is accessible through the CLI, Cisco IDM, Cisco ASDM, or SDEE.
B. The Event Store is a circular, first-in first-out buffer.
C. The Event Store can be configured to be located on a remote server.
D. The size of the Event Store depends on the Cisco IPS appliance platform.
E. Each virtual sensor has its own Event Store.
F. If the Event Store is full, the Cisco IPS appliance performs an automatic graceful shutdown.

Answer: A,B,D
Explanation:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_system_architecture.html




QUESTION NO: 117

Which application within the Cisco IPS appliance can modify the configurations of other devices on
the network?


A. SDEE
B. POSFP
C. ARC
D. global correlation
E. reputation filter
F. anomaly detection

Answer: C
Explanation:
http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.1/user/guide/ipsblock.pdf




QUESTION NO: 118

Refer to the exhibit.




A Cisco IPS appliance is connected to the FastEthernet 1/0/1 switch port. Referring to the switch
show outputs shown below, what can be determined about the Cisco IPS appliance operations?


A. The Cisco IPS appliance is operating in inline interface mode.
B. A lot of traffic is bypassing the IPS appliance.
C. The IPS appliance is dropping a lot of traffic inline.
D. The IPS appliance is experiencing many false positive alerts.
E. The IPS appliance sensing interface that is connected to the FastEthernet 1/0/1 switch port is
shut down.

Answer: B
Explanation:



QUESTION NO: 119

A Cisco IPS appliance running in a network environment with asymmetrical traffic flow is
experiencing many false positive alerts that are triggered by the 13000 signature ID. What can the
IPS administrator tune on the IPS to reduce the false positives?


A. set the normalizer mode to strict mode
B. set the AD operational mode to inactive
C. enable TCP state bypass
D. increase the default scanner threshold
E. disable the uRPF check

Answer: B
Explanation:
http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.1/user/guide/ipsanom.html

Anomaly Detection Modes
Anomaly detection initially conducts a "peacetime" learning process when the most normal state of
the network is reflected. Anomaly detection then derives a set of policy thresholds that best fit the
normal network. This is done in two phases: an initial learning mode phase, followed by the
ongoing operational detect mode phase.
Anomaly detection has the following modes:

Learning accept mode (initial setup)
Although anomaly detection is in detect mode by default, it conducts an initial learning accept
mode for the default period of 24 hours. We assume that during this phase no attack is being
carried out. Anomaly detection creates an initial baseline, known as a knowledge base, of the
network traffic. The default interval value for periodic schedules is 24 hours and the default action
is rotate, meaning that a new knowledge base is saved and loaded, and then replaces the initial
knowledge base after 24 hours.

Keep the following in mind:
Anomaly detection does not detect attacks when working with the initial knowledge base, which
is empty.
After the default of 24 hours, a knowledge base is saved and loaded and now anomaly detection
also detects attacks.
Depending on your network complexity, you may want to have anomaly detection in learning
accept mode for longer than the default 24 hours. You configure the mode in the Virtual Sensors
policy; see Defining A Virtual Sensor. After your learning period has finished, edit the virtual
sensor and change the mode to Detect.

Detect mode
For ongoing operation, the sensor should remain in detect mode. This is for 24 hours a day, 7
days a week.
Once a knowledge base is created and replaces the initial knowledge base, anomaly detection
detects attacks based on it. It looks at the network traffic flows that violate thresholds in the
knowledge base and sends alerts.
As anomaly detection looks for anomalies, it also records gradual changes to the knowledge base
that do not violate the thresholds and thus creates a new knowledge base. The new knowledge
base is periodically saved and takes the place of the old one thus maintaining an up-to-date
knowledge base.

Inactive mode
You can turn anomaly detection off by putting it in inactive mode. Under certain circumstances,
anomaly detection should be in inactive mode, for example, if the sensor is running in an
asymmetric environment.
Because anomaly detection assumes it gets traffic from both directions, if the sensor is configured
to see only one direction of traffic, anomaly detection identifies all traffic as having incomplete
connections, that is, as scanners, and sends alerts for all traffic flows.
The following example summarizes the default anomaly detection configuration. If you add a
virtual sensor at 11:00 pm and do not change the default anomaly detection configuration,
anomaly detection begins working with the initial knowledge base and only performs learning.
Although it is in detect mode, it cannot detect attacks until it has gathered information for 24 hours
and replaced the initial knowledge base. At the first start time (10:00 am by default), and the first
interval (24 hours by default), the learning results are saved to a new knowledge base and this
knowledge base is loaded and replaces the initial knowledge base. Because the anomaly
detection is in detect mode by default, now that anomaly detection has a new knowledge base, the
anomaly detection begins to detect attacks.




QUESTION NO: 120

Which Cisco IPS appliance signature engine uses signature events as input to correlate different
signatures into a higher level event?
A. Atomic signature engine
B. Service signature engine
C. Meta signature engine
D. Sweep signature engine
E. Multistring signature engine
F. Normalizer signature engine

Answer: C
Explanation:
http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/cli/cli_signature_engines.html#wp1014660




QUESTION NO: 121

Referring to the monitor session 1 destination GigabitEthernet0/47 ingress Cisco Catalyst switch
command, what does the "ingress" command option enable?


A. Allow the capture of bidirectional traffic on the GigabitEthernet0/47 switch port.
B. Add .1Q headers on the SPAN port (GigabitEthernet0/47) to indicate the source VLAN to the
Cisco IPS appliance in promiscuous mode.
C. Allow the SPAN port (GigabitEthernet0/47) to be a source of traffic (for TCP resets).
D. Enable flow-based SPAN session.
E. Limit (filter) SPAN source traffic.

Answer: C
Explanation:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml




QUESTION NO: 122

The Cisco IPS sensor can obtain operating system identification data from which two sources?
(Choose two.)


A. passive operating system fingerprinting
B. imported from Cisco SensorBase
C. imported from Cisco Security MARS
D. manual operating system mappings configured on the Cisco IPS appliance
E. imported from Cisco Secure Desktop OS scan

Answer: A,D
Explanation:
http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/ime/ime_event_action_rules.html




QUESTION NO: 123

From Cisco Security Manager, which external component or service is used to access in-depth
signature information?


A. Cisco SensorBase
B. Cisco Security MARS
C. Cisco IntelliShield Service
D. ScanSafe Service

Answer: C
Explanation:
http://www.cisco.com/en/US/services/ps2827/ps6834/services_overview0900aecd803e85ee.pdf




QUESTION NO: 124

Which mode consolidates alarms where the Cisco IPS appliance will generate an alert the first
time that a signature fires on an address set and then only send a summary alert for all address
sets over a given time interval?


A. Fire Once
B. Fire All
C. Fire Summarize
D. Summarize
E. Global Summarize

Answer: E
Explanation:
http://www.cisco.com/en/US/docs/security/ips/5.1/configuration/guide/idm/dmSgEng.html





QUESTION NO: 125

Refer to the exhibit.




Which option is affected by the IP Log parameters?


A. the syslog operations of the Cisco IPS appliance
B. the signature logging action
C. SNMP trap operations
D. the signature produce verbose alert action
E. the SDEE operations of the Cisco IPS appliance

Answer: B
Explanation:
http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security
_manager/4.1/user/guide/ipsvchap.pdf




QUESTION NO: 126

Refer to the exhibit.




Configuring traffic flow notifications on the Cisco IPS appliance is most useful in what situation?


A. to determine the IPS throughput rate when using inline mode
B. to detect IPS performance issues
C. to enable bypass mode when the Cisco IPS appliance fails
D. to prevent DoS attacks

Answer: B
Explanation:
http://www.cisco.com/en/US/docs/security/ips/5.0/configuration/guide/idm/dminter.html#wp1032140




QUESTION NO: 127

When setting up a Cisco IPS appliance in promiscuous mode, which Cisco Catalyst switch
command is used to display information about all SPAN and remote SPAN sessions on the
switch?


A. show span
B. show sessions
C. show interface
D. show monitor

Answer: D
Explanation:
show monitor session
To display information about the ERSPAN, SPAN and RSPAN sessions, use the show monitor
session command in user EXEC mode.
show monitor session [range session-range | local | remote | all | session]
show monitor session [erspan-destination | erspan-source | egress replication-mode capability | detail]




QUESTION NO: 128

Which statement about the configuration command ips inline fail-open sensor sensor_name is true?


A. will enable fail-open hardware bypass on the Cisco IPS 4200 Series appliance
B. will enable inline operation on the Cisco IPS 4200 Series appliance
C. will enable inline operation on the Cisco IDSM-2, IPS AIM, or IPS NME
D. will enable the desired traffic to be diverted from the Cisco ASA to one of the Cisco ASA AIP-
SSM virtual sensors

Answer: D
Explanation:
http://www.cisco.com/en/US/docs/security/ips/5.0/configuration/guide/cli/clissm.html




QUESTION NO: 129

Which parameter is used to configure a signature to fire if the activity it detects happens a certain
number of times for the same address set within a specified period of time?


A. event action
B. event counter
C. summary count
D. summary key

Answer: B
Explanation:
http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.1/user/guide/ipsvchap.pdf






QUESTION NO: 130

What is the maximum number of virtual sensors that a Cisco IPS 4200 Series appliance can
support?


A. depends on the Cisco IPS 4200 Series appliance model
B. 2
C. 3
D. 4
E. 5
F. 6

Answer: D
Explanation:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_virtual_sensors.html#wp1035356
It states you can create four virtual sensors.




QUESTION NO: 131

Refer to the exhibit.



What does an action of Rotate indicate?


A. A new knowledge base is created, but is not loaded. You can view it to decide if you want to
load it.
B. A new knowledge base is created and loaded.
C. The knowledge base is rolled back to the previous version.
D. The knowledge base is rotated on a periodic schedule using the different existing knowledge
bases.

Answer: B
Explanation:





QUESTION NO: 132

Reports generated by Cisco IME can be saved in which two formats? (Choose two.)


A. XML
B. RTF
C. HTML
D. PDF
E. XLS
F. DOC

Answer: B,D
Explanation:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5715/ps9610/data_sheet_c78-459033_ps6120_Products_Data_Sheet.html




QUESTION NO: 133

Which three configurations are the defaults on the Cisco IPS 4200 Series appliance? (Choose
three.)


A. IPS appliance default IP address = 192.168.1.2 and default gateway = 192.168.1.1
B. password recovery enabled
C. TLS and SSL access disabled
D. Telnet access disabled
E. Web Server Port = 80

Answer: A,B,D
Explanation:
http://www.cisco.com/en/US/docs/security/asa/quick_start/ips/ips_qsg.html




QUESTION NO: 134

Which Cisco IPS appliance CLI command is used to display information in the IPS Event Store?


A. show config
B. show events
C. show database
D. show sdee
E. show log
F. show event-store
G. show alerts

Answer: B
Explanation:
show events
To display the local event log contents, use the show events command in EXEC mode.
show events [{alert [informational] [low] [medium] [high] [include-traits traits] [exclude-traits traits] [min-threat-rating min-rr] [max-threat-rating max-rr] | error [warning] [error] [fatal] | NAC | status}] [hh:mm:ss [month day [year]] | past hh:mm:ss]
Syntax Description






QUESTION NO: 135

With a Cisco IPS appliance running v7.0, which three event actions support IPv4 and IPv6?
(Choose three.)


A. log attacker/victim pair packets
B. request block connection
C. request rate limit
D. reset TCP connection
E. modify packet inline
F. request block host

Answer: A,D,E
Explanation:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_event_action_rules.html

It's important to understand that there are some limitations when implementing IPv6 IPS
inspection:

AIM-IPS and NME-IPS do not currently support IPv6 features.
IPv6 inspection might work on the Intrusion Detection System Module (IDSM-2), but it is not
officially supported. VLAN access control lists (VACL) on Catalyst switches do not support IPv6,
but IPv6 with promiscuous mode using SPAN ports instead with lower capture granularity is
another option.
IPv6 is not supported on the management or command and control interface.
IPv6 does not support event actions such as Request Block Host, Request Block Connection, and
Request Rate Limit.
The Anomaly Detection (AD) feature does not support IPv6 traffic.




QUESTION NO: 136

Which two statements accurately describe virtual sensor operations on the Cisco IPS appliance?
(Choose two.)


A. You must create a new instance of a signature set for each new virtual sensor.
B. The packet processing policy is virtualized.
C. Creating a new virtual sensor creates a "virtual" machine on the Cisco IPS appliance.
D. vs0 can be cloned then deleted.
E. Each virtual sensor can have its own unique event action rules.

Answer: B,E
Explanation:
http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/cli/cli_virtual_sensors.html#wp1029979




QUESTION NO: 137

When using the Cisco IPS signature and engine auto updates feature from Cisco.com, which
password must be configured on the IDM Auto/Cisco.com Update pane?


A. the IPS appliance "cisco" user account password
B. the IPS appliance "service" user account password
C. the IPS appliance "support" user account password
D. the IPS appliance enable password
E. the CCO user account password

Answer: E
Explanation:
http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/device/configuration/guide/chIpsCisoc6x.html

IPS Signature Dynamic Update Settings
In releases 6.0 and later, Cisco IPS supports dynamic signature updates. MARS can discover the
new signatures and correctly process and categorize received events that match those signatures.
If this feature is not configured, the events appear as an unknown event type in queries and reports,
and MARS does not include these events in inspection rules. These updates provide event
normalization and event group mapping, and they enable your MARS Appliance to parse Day Zero
signatures from the IPS devices.
The downloaded update information is an XML file that contains the IPS signatures. However, this
file does not contain detailed information, such as vulnerability information. Detailed signature
information is provided in later MARS signature upgrade packages just as with 3rd-party
signatures.

Before You Begin
Dynamic IPS signature updates are disabled by default.
Custom IPS signatures are not supported. You must manually import these signatures using the
process defined in Applying Custom Signature Updates.
You can retrieve updates from CCO or from a local web server. After downloading and installing
an update, the MARS Appliance performs an auto-activate to load the new signature information.
If configured to retrieve the signatures from CCO, MARS downloads the most recent package as
determined by a combination of package name and the MD5 sum.
MARS checks for updates at the specified interval, hourly (1, 2, 3, 6, or 12) or daily (1 through
14).
In a Global Controller-Local Controller deployment, configure the dynamic signature URL and all
relevant settings on the Global Controller. Do not attempt to configure these features on the Local
Controllers even though the web interface allows you to do so.
When the Global Controller pulls the new signatures from CCO, all managed Local Controllers
download the new signatures from the Global Controller.




QUESTION NO: 138

Which three statements are true with respect to IPS false positives? (Choose three.)


A. An example of a false positive is when the IPS appliance produces an alert in response to the
normal activities of the company's network management system.
B. Increasing the set of TCP ports that a signature matches on may reduce false positives.
C. False positives may be reduced by disabling certain signatures.
D. Event action filters can be implemented to reduce false positives.
E. An example of a false positive is the IPS not reacting to a successful denial of service attack.

Answer: A,C,D
Explanation:
http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/cli/cli_signature_definitions.html#wp1094231

Understanding Signatures
Attacks or other misuses of network resources can be defined as network intrusions. Sensors that
use a signature-based technology can detect network intrusions. A signature is a set of rules that
your sensor uses to detect typical intrusive activity, such as DoS attacks. As sensors scan network
packets, they use signatures to detect known attacks and respond with actions that you define.
The sensor compares the list of signatures with network activity. When a match is found, the
sensor takes an action, such as logging the event or sending an alert. Sensors let you modify
existing signatures and define new ones.

Signature-based intrusion detection can produce false positives because certain normal network
activity can be misinterpreted as malicious activity. For example, some network applications or
operating systems may send out numerous ICMP messages, which a signature-based detection
system might interpret as an attempt by an attacker to map out a network segment. You can
minimize false positives by tuning your signatures.

To configure a sensor to monitor network traffic for a particular signature, you must enable the
signature. By default, the most critical signatures are enabled when you install the signature
update. When an attack is detected that matches an enabled signature, the sensor generates an
alert, which is stored in the Event Store of the sensor. The alerts, as well as other events, may be
retrieved from the Event Store by web-based clients. By default the sensor logs all Informational
alerts or higher.

Some signatures have subsignatures, that is, the signature is divided into subcategories. When
you configure a subsignature, changes made to the parameters of one subsignature apply only to
that subsignature. For example, if you edit signature 3050 subsignature 1 and change the severity,
the severity change applies only to subsignature 1 and not to subsignatures 2, 3, and 4 of signature 3050.

Cisco IPS 6.1 contains over 10,000 built-in default signatures. You cannot rename or delete
signatures from the list of built-in signatures, but you can retire signatures to remove them from
the sensing engine. You can later activate retired signatures; however, this process requires the
sensing engines to rebuild their configuration, which takes time and could delay the processing of
traffic. You can tune built-in signatures by adjusting several signature parameters. Built-in
signatures that have been modified are called tuned signatures.




QUESTION NO: 139

Which rating is determined by adjusting the risk rating with respect to preventative actions taken
by the sensor?


A. attack severity rating
B. attack relevancy rating
C. damage assessment rating
D. hazard rating
E. threat rating
F. event action delta

Answer: E
Explanation:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/prod_white_paper0900aecd806e7299.html




QUESTION NO: 140

Passive operating system fingerprinting can be used to determine which aspect of the event risk
rating?


A. target value rating
B. watch list rating
C. signature fidelity rating
D. attack severity rating
E. promiscuous delta
F. attack relevancy rating

Answer: F
Explanation:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/prod_white_paper0900aecd806e7299.html




QUESTION NO: 141

What is the maximum number of virtual sensors that can be configured on a Cisco IPS 4260
Sensor appliance?


A. 2
B. 4
C. 6
D. 8
E. 16
F. There is no fixed limit.

Answer: B
Explanation:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_virtual_sensors.html#wp1035356
It states you can create four virtual sensors.



QUESTION NO: 142

Which Cisco IPS appliance feature has the following three potential settings: off, partial, and full?


A. anomaly detection
B. POSFP
C. reputation filtering
D. global correlation network participation
E. event action overrides

Answer: D
Explanation:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_collaboration.html




QUESTION NO: 143

Defining the internal zone, external zone, and illegal zone is associated with which Cisco IPS
appliance feature?


A. reputation filtering
B. threat detection
C. event action overrides
D. global correlation network participation
E. threat rating adjustments
F. anomaly detection

Answer: F
Explanation:
http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/cli/cli_anomaly_detection.html#wp1046814






QUESTION NO: 144

Which two are the functions of the learning feature of anomaly detection within a Cisco IPS
appliance? (Choose two.)


A. observes actual traffic patterns to the zones
B. retrieves zero-day attack information from the Cisco SIO
C. dynamically populates the host operating system database
D. allows false-positive training by an IPS administrator
E. builds the host reputation histogram
F. learns which legitimate services have a scanning behavior

Answer: A,F
Explanation:
http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/cli/cli_anomaly_detection.html#wp1046814




QUESTION NO: 145
Regarding the Cisco IPS appliance anomaly detection feature, which two of these would be
considered scan events? (Choose two.)


A. an unacknowledged TCP SYN
B. an online dictionary password attack
C. exhaustive directory tree traversal on an FTP server
D. a scan of all TCP ports on a single destination IP address
E. a unidirectional UDP session

Answer: A,E
Explanation:
http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/cli/cli_anomaly_detection.html#wp1046814




QUESTION NO: 146

Which two are valid examples of String engines? (Choose two.)


A. String HTTP
B. String FTP
C. String TCP
D. String UDP
E. String Trojan
F. String IP

Answer: C,D
Explanation:
http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/idm/dmSigEng.html#wp1048255





QUESTION NO: 147

Which two operations would put an inline Cisco IPS sensor in detection mode? (Choose two.)


A. subtract all aggressive actions using event action filters
B. decrease the event count using event action filters
C. increase the maximum inter-event interval using event action overrides
D. remove the default event action override, which drops traffic with a risk rating of 90 to 100
E. enable anomaly detection in detection mode only

Answer: A,D
Explanation:
http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/cli/cli_anomaly_detection.html#wp1041433

Not sure of this answer yet - 9/25/12 - DD, but it seems to be another classic Cisco question,
meaning that once a signature is tuned it is ready for prime time, i.e. detection mode.
After the signatures are tuned, remove the event action filters that removed the aggressive
actions, and remove the event action overrides that produced the verbose alerts.




QUESTION NO: 148

What are the five possible values for the event count key parameter of an IPS signature? (Choose
five.)


A. attacker address
B. victim address
C. attacker and victim address
D. victim address and port
E. attacker and victim addresses and ports
F. attacker address and victim port
G. attacker and victim port

Answer: A,B,C,E,F
Explanation:
http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/cli/cli_signature_definitions.html#wp1043374

summary-key: Specifies the storage type on which to summarize this signature:
Axxx: Attacker address.
Axxb: Attacker address and victim port.
AxBx: Attacker and victim addresses.
AaBb: Attacker and victim addresses and ports.
xxBx: Victim address.
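The following added example (not code from Cisco or from this exam guide) shows what the summary key actually decides: which alert fields the sensor groups on when it summarizes a signature that keeps firing. It uses the key notation from the quoted documentation (A = attacker address, a = attacker port, B = victim address, b = victim port, x = field not used), runs a constructed set of five alerts through each key, and counts how many summary alerts each key would produce. The grouping logic is a simplified model of summarization, not the sensor's implementation.

```python
"""Alert summarization by IPS summary key (added example, not Cisco code).

The summary-key notation is taken from the Cisco signature definition text
quoted above: A = attacker address, a = attacker port, B = victim address,
b = victim port, x = field not used. Each key selects which alert fields
the sensor groups on when it summarizes a firing signature. The alert
records below are constructed sample data; the grouping logic is a
simplified model of summarization, not the sensor's implementation.
"""
from collections import defaultdict

# Summary keys listed in the quoted documentation, mapped to alert fields.
SUMMARY_KEYS = {
    "Axxx": ("attacker_addr",),
    "Axxb": ("attacker_addr", "victim_port"),
    "AxBx": ("attacker_addr", "victim_addr"),
    "AaBb": ("attacker_addr", "attacker_port", "victim_addr", "victim_port"),
    "xxBx": ("victim_addr",),
}


def make_alert(attacker_addr, attacker_port, victim_addr, victim_port):
    """Build one alert record with the four fields a summary key can use."""
    return {
        "attacker_addr": attacker_addr,
        "attacker_port": attacker_port,
        "victim_addr": victim_addr,
        "victim_port": victim_port,
    }


# Constructed sample alerts for one signature (not captured traffic).
SAMPLE_ALERTS = [
    make_alert("10.0.0.5", 40001, "192.168.1.10", 80),
    make_alert("10.0.0.5", 40002, "192.168.1.10", 80),
    make_alert("10.0.0.5", 40003, "192.168.1.11", 80),
    make_alert("10.0.0.6", 50000, "192.168.1.10", 443),
    make_alert("10.0.0.6", 50001, "192.168.1.10", 443),
]


def summary_key(alert, key_type):
    """Return the tuple of field values the given summary key groups on."""
    return tuple(alert[f] for f in SUMMARY_KEYS[key_type])


def summarize(alerts, key_type):
    """Group alerts by summary key and return {key_tuple: alert_count}.

    One entry in the result corresponds to one summary alert the sensor
    would emit in place of the individual alerts it groups.
    """
    counts = defaultdict(int)
    for alert in alerts:
        counts[summary_key(alert, key_type)] += 1
    return dict(counts)


def summary_alert_count(alerts, key_type):
    """Number of summary alerts produced for the given key (fewer = quieter)."""
    return len(summarize(alerts, key_type))


if __name__ == "__main__":
    for key in SUMMARY_KEYS:
        print(f"{key}: {summary_alert_count(SAMPLE_ALERTS, key)} summary alert(s)")
        for k, n in sorted(summarize(SAMPLE_ALERTS, key).items()):
            print(f"    {k} -> {n} alert(s)")
```

With the constructed data, the finest key (AaBb) collapses nothing, while Axxx or xxBx reduce the five alerts to two summary entries. That is the trade-off behind tuning a noisy signature: a coarser key lowers alert volume but also loses the per-victim or per-port detail that an analyst may need later.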





QUESTION NO: 149

Which protocol or protocols does the Cisco Security Manager use to communicate with the Cisco
IPS appliance?


A. HTTPS only
B. SSH only
C. SNMPv3 only
D. HTTPS and SNMPv3
E. HTTPS and SSH
F. HTTPS, SSH, and SNMPv3

Answer: A
Explanation:



QUESTION NO: 150

The Cisco IPS appliance passive OS fingerprinting feature can use which three sources to
determine the OS mappings information? (Choose three.)


A. manually configured OS mappings
B. OS mappings that are dynamically learned by the sensor through the fingerprinting of TCP
packets with the SYN control bit set
C. OS mappings information received from the Cisco Security Manager
D. imported OS mappings from the Management Center for Cisco Security Agents
E. OS mappings information learned by running Nessus scans

Answer: A,B,D
Explanation:
http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/ime/ime_event_action_rules.html#wp2119120

Passive OS fingerprinting consists of three components:
Passive OS learning
Passive OS learning occurs as the sensor observes traffic on the network. Based on the
characteristics of TCP SYN and SYNACK packets, the sensor makes a determination of the OS
running on the host of the source IP address.
User-configurable OS identification
You can configure OS host mappings, which take precedence over learned OS mappings.
Computation of attack relevance rating and risk rating

The sensor uses OS information to determine the relevance of the attack signature to the targeted
host. The attack relevance is the attack relevance rating component of the risk rating value for the
attack alert. The sensor uses the OS type reported in the host posture information imported from
the CSA MC to compute the attack relevance rating.

There are three sources of OS information. The sensor ranks the sources of OS information in the
following order:

1. Configured OS mappings: OS mappings you enter.
Configured OS mappings reside in the Event Action Rules policy and can apply to one or many
virtual sensors.
2. Imported OS mappings: OS mappings imported from an external data source.
Imported OS mappings are global and apply to all virtual sensors.
3. Learned OS mappings: OS mappings observed by the sensor through the fingerprinting of
TCP packets with the SYN control bit set.
Learned OS mappings are local to the virtual sensor that sees the traffic.




QUESTION NO: 151

Which Cisco IPS signature parameter can be tuned to reduce the volume of the alerts that are
written to the event store?


A. alert action
B. alert frequency
C. alert fidelity rating
D. alert severity
E. alert firing mode
F. alert logging

Answer: B
Explanation:
http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/cli/cli_signature_definitions.html#wp1094231

Configuring Alert Frequency
Use the alert-frequency command in signature definition submode to configure the alert frequency
for a signature. The alert-frequency command specifies how often the sensor alerts you when this
signature is firing.
The following options apply:
sig_id: Identifies the unique numerical value assigned to this signature. This value lets the
sensor identify a particular signature. The value is 1000 to 65000.
subsig_id: Identifies the unique numerical value assigned to this subsignature. A subsignature ID
is used to identify a more granular version of a broad signature. The value is 0 to 255.




QUESTION NO: 152

Which IPS appliance inline deployment mode should be used to support the following
requirements?


- The IPS appliance will be installed in inline mode, on a dot1q trunk.

- VLANs 10, 20, 30, 40, and 50 exist on the dot1q trunk.

- Requirement is to inspect all VLANs except VLAN 50 with the IPS appliance.


A. inline VLAN pair mode
B. inline interface mode
C. inline VLAN group mode
D. inline trunk mode
E. inline subinterface mode

Answer: C
Explanation:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/rtg_brdg/guide/vlansif.html#wp1004190



New Questions



QUESTION NO: 153

Simlet - which area will you need to work in to get the answers for the simlet?



A. Home > Dashboard
B. Configuration > Policies > Rule 0
C. Configuration > Sensor Setup
D. Configuration > Policies > virtual sensor
Answer: B
Explanation:



QUESTION NO: 154 CORRECT TEXT







Answer: Tasks = 4
1: Event Action Overrides
Verify and enable this feature for the rules0 instance.
2: Risk Category name MYCUSTOMRISK
Create a custom risk category named MYCUSTOMRISK.
Assign this category a risk threshold of 80 (hard to see; could be 90).
Modify the new MYCUSTOMRISK category to take the following actions:
> Deny Attacker Inline
> Produce Alert
> Reset TCP Connection
3: Modify the Red Threat Threshold
Modify the value to 80 to enable the new risk category to be included in the Red Threshold level
for network security health statistics alert threat categorization.
4: REMEMBER TO SAVE AND APPLY ALL CHANGES AS NEEDED (MEANS AS YOU GO - DO NOT
WAIT TILL END TO SAVE CHANGES)
Explanation:





#3
http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/ime/ime_dashboards.html

Sensor Health Gadget
The Sensor Health gadget visually displays sensor health and network security information in two
colored meters. The meters are labeled Normal, Needs Attention, or Critical according to an
analysis of the specific metrics. The overall health status is set to the highest severity of all the
metrics you configured. For example, if you configure eight metrics to determine the sensor health
and seven of the eight are green while one is red, the overall sensor health is displayed as red.

The dashboard is not available; you have to use the
Configuration > Policies > Event Action Rules > rules0 pane.
From http://www.cisco.com/en/US/docs/security/ips/7.1/configuration/guide/idm/idmguide71.html
The Event Action Rules part of the pane contains the following tabs:
Event Action Filters: Lets you remove specifications from an event or discard an entire event
and prevent further processing by the sensor.
IPv4 Target Value Rating: Lets you assign an IPv4 target value rating to your network assets.
The target value rating is one of the factors used to calculate the risk rating value for each alert.
IPv6 Target Value Rating: Lets you assign an IPv6 target value rating to your network assets.
The target value rating is one of the factors used to calculate the risk rating value for each alert.
OS Identifications: Lets you associate IP addresses with an OS type, which in turn helps the
sensor calculate the attack relevance rating.
Event Variables: Lets you create event variables to use in event action filters. When you want to
use the same value within multiple filters, you can use an event variable.
Risk Category: Lets you create the risk categories you want to use to monitor sensor and
network health and to use in event action overrides.
Threat Category: Lets you set the red, yellow, and green threat thresholds for network security
health statistics.

On the Threat Category tab, you can group threats in red, yellow, and green categories. These
red, yellow, and green threshold statistics are used in event action overrides and are also shown
in the Network Security Gadget on the Home page.
The red, yellow, and green threshold statistics represent the state of network security with red
being the most critical. If you change a threshold, any event action overrides that had the same
range as the risk category are changed to reflect the new range. The new category is inserted into
the Risk Category list according to its threshold value and is automatically assigned actions that
cover its range.

Supported User Role
The following user roles are supported:
Administrator
Operator
Viewer
Field Definitions
The following fields are found on the Threat Category tab:
Threat Category Thresholds: Lists the numbers for the red, yellow, and green thresholds. The
health statistics for network security use these thresholds to determine what level the network
security is at (critical, needs attention, or normal). The overall network security value represents
the least secure value (green is the most secure and red is the least secure). These color
thresholds refer to the Sensor Health gadget on the Home pane:
Red Threat Threshold: Sets the red threat threshold. The default is 90.
Yellow Threat Threshold: Sets the yellow threat threshold. The default is 70.
Green Threat Threshold: Sets the green threat threshold. The default is 1.
General: Lets you configure some global settings that apply to event action rules.
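The following added example (not Cisco code and not part of the exam guide) models the two settings the Q154 simlet changes: the red/yellow/green threat thresholds, which the quoted text describes as lower bounds on an alert's risk rating, and a risk category, which ties a risk-rating range to the actions its event action override adds. The page does not describe how the sensor resolves overlapping overrides, so the model assumes the category with the highest threshold at or below the risk rating is the one that applies; the built-in category name HIGHRISK is assumed, since the page only gives its 90 to 100 range (Q147). The code shows how an alert with risk rating 85 changes colour and gains actions once MYCUSTOMRISK is added at 80 and the red threshold is lowered to 80.

```python
"""Threat thresholds and risk-category overrides (added example, not Cisco code).

A simplified model of the rules in the IDM text quoted above: the red,
yellow and green threat thresholds are lower bounds on an alert's risk
rating, and a risk category ties a risk-rating range (from its threshold
up to the next category) to the actions an event action override adds.
The page does not describe how the sensor resolves overlapping overrides,
so this model assumes the category with the highest threshold at or below
the risk rating is the one that applies. The scenario is the Q154 task:
add MYCUSTOMRISK at threshold 80 and lower the red threshold to 80.
"""
from dataclasses import dataclass

# Defaults from the quoted Threat Category tab description.
DEFAULT_THRESHOLDS = {"red": 90, "yellow": 70, "green": 1}


@dataclass(frozen=True)
class RiskCategory:
    name: str
    threshold: int       # lowest risk rating the category covers
    actions: tuple       # actions the override adds for that range


# Default override from Q147: traffic with risk rating 90 to 100 is dropped.
# The category name HIGHRISK is an assumption; the page only gives the range.
DEFAULT_CATEGORIES = (RiskCategory("HIGHRISK", 90, ("deny-packet-inline",)),)


def threat_color(risk_rating, thresholds=DEFAULT_THRESHOLDS):
    """Map a risk rating (0-100) to red, yellow, green or none (highest wins)."""
    for color in ("red", "yellow", "green"):
        if risk_rating >= thresholds[color]:
            return color
    return "none"


def add_risk_category(categories, name, threshold, actions):
    """Insert a category by threshold, as the IDM does on the Risk Category tab."""
    new = list(categories) + [RiskCategory(name, threshold, actions)]
    return tuple(sorted(new, key=lambda c: c.threshold))


def override_actions(risk_rating, categories):
    """Actions added by the category with the highest threshold <= risk rating."""
    applicable = [c for c in categories if risk_rating >= c.threshold]
    if not applicable:
        return ()
    return max(applicable, key=lambda c: c.threshold).actions


def apply_q154_change():
    """Return (categories, thresholds) after the Q154 configuration task."""
    categories = add_risk_category(
        DEFAULT_CATEGORIES, "MYCUSTOMRISK", 80,
        ("deny-attacker-inline", "produce-alert", "reset-tcp-connection"))
    thresholds = dict(DEFAULT_THRESHOLDS, red=80)
    return categories, thresholds


if __name__ == "__main__":
    after_cats, after_thr = apply_q154_change()
    for rr in (65, 75, 85, 95):
        print(f"RR {rr}: before -> {threat_color(rr)}, "
              f"{override_actions(rr, DEFAULT_CATEGORIES)}; "
              f"after -> {threat_color(rr, after_thr)}, "
              f"{override_actions(rr, after_cats)}")
```

Running the block shows why step 3 of the answer matters as much as step 2: adding the category alone gives a risk-rating-85 alert the three new actions, but the Sensor Health gadget keeps reporting it as yellow until the red threat threshold is lowered to match.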

OR

To change the sensor health metrics, click Details > Configure Sensor Health Metrics, and you are
taken to Configuration > Sensor Management > Sensor Health
Sensor Health Pane Field Definitions
The following fields are found in the Sensor Health pane:
Inspection Load: Lets you set a threshold for inspection load and whether this metric is applied
to the overall sensor health rating.
Missed Packet: Lets you set a threshold percentage for missed packets and whether this metric
is applied to the overall sensor health rating.
Memory Usage: Lets you set a threshold percentage for memory usage and whether this metric
is applied to the overall sensor health rating.
Signature Update: Lets you set a threshold for when the last signature update was applied and
whether this metric is applied to the overall sensor health rating.
License Expiration: Lets you set a threshold for when the license expires and whether this metric
is applied to the overall sensor health rating.
Event Retrieval: Lets you set a threshold for when the last event was retrieved and whether this
metric is applied to the overall sensor health rating.
Network Participation: Lets you choose whether the network participation health metrics
contribute to the overall sensor health rating.
Global Correlation: Lets you choose whether the global correlation health metrics contribute to the
overall sensor health rating.
Application Failure: Lets you choose to have an application failure applied to the overall sensor
health rating.
IPS in Bypass Mode: Lets you choose to know if bypass mode is active and have that apply to the
overall sensor health rating.
One or More Active Interfaces Down: Lets you choose to know if one or more enabled interfaces
are down and have that apply to the overall sensor health rating.
Yellow Threshold: Lets you set the lowest threshold in percentage, days, seconds, or failures for
yellow.
Red Threshold: Lets you set the lowest threshold in percentage, days, seconds, or failures for
red.

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_sensor_management.html#wp2117358




QUESTION NO: 155 DRAG DROP

D & D matching users with their capabilities




Answer:
Explanation:


http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_introducing.html#wp1039262

All IPS platforms allow ten concurrent CLI sessions.
The Cisco IPS CLI permits multiple users to log in at the same time. You can create and remove
users from the local sensor. You can modify only one user account at a time. Each user is
associated with a role that controls what that user can and cannot modify.

The CLI supports four user roles: administrator, operator, viewer, and service. The privilege levels
for each role are different; therefore, the menus and available commands vary for each role.

Administrator: This user role has the highest level of privileges. Administrators have unrestricted
view access and can perform the following functions:

Add users and assign passwords
Enable and disable control of physical interfaces and virtual sensors
Assign physical sensing interfaces to a virtual sensor
Modify the list of hosts allowed to connect to the sensor as a configuring or viewing agent
Modify sensor address configuration
Tune signatures
Assign configuration to a virtual sensor
Manage routers

Operator: This user role has the second highest level of privileges. Operators have unrestricted
view access and can perform the following functions:
Modify their passwords
Tune signatures
Manage routers
Assign configuration to a virtual sensor

Viewer: This user role has the lowest level of privileges. Viewers can view configuration and
event data and can modify their passwords.
Tip: Monitoring applications only require viewer access to the sensor. You can use the CLI to set
up a user account with viewer privileges and then configure the event viewer to use this account to
connect to the sensor.

Service: This user role does not have direct access to the CLI. Service account users are logged
directly into a bash shell. Use this account for support and troubleshooting purposes only.
Unauthorized modifications are not supported and require the device to be reimaged to guarantee
proper operation. You can create only one user with the service role.
When you log in to the service account, you receive the following warning:

**************** WARNING ***********************
UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.
This account is intended to be used for support and troubleshooting purposes only.
Unauthorized modifications are not supported and will require this device to be re-imaged to
guarantee proper operation.
**************************************************

In the service account you can also switch to user root by executing su -. The root password is
synchronized to the service account password. Some troubleshooting procedures may require you
to execute commands as the root user.




QUESTION NO: 156 DRAG DROP

Match the Password recovery techniques or command on left with the platform that they are used
on right





Answer:
Explanation:




To recover the password on appliances, follow these steps:
Step 1 Reboot the appliance.
The following menu appears:
GNU GRUB version 0.94 (632K lower / 523264K upper memory)
-------------------------------------------
0: Cisco IPS
1: Cisco IPS Recovery
2: Cisco IPS Clear Password (cisco)
-------------------------------------------
Use the ^ and v keys to select which entry is highlighted.
Press enter to boot the selected OS, 'e' to edit the
Commands before booting, or 'c' for a command-line.
Highlighted entry is 0:
Step 2 Press any key to pause the boot process.
Step 3 Choose 2: Cisco IPS Clear Password (cisco).
The password is reset to cisco. You can change the password the next time you log in to the CLI.
Using ROMMON
For the IPS 4240 and the IPS 4255 you can use the ROMMON to recover the password. To
access the ROMMON CLI, reboot the sensor from a terminal server or direct connection and
interrupt the boot process.
To recover the password using the ROMMON CLI, follow these steps:
Step 1 Reboot the appliance.
Step 2 To interrupt the boot process, press ESC or Control-R (terminal server) or send a BREAK
command (direct connection).
The boot code either pauses for 10 seconds or displays something similar to one of the following:
Evaluating boot options
Use BREAK or ESC to interrupt boot
Step 3 Enter the following commands to reset the password:
confreg 0x7
boot
Sample ROMMON session:
Booting system, please wait...
CISCO SYSTEMS
Embedded BIOS Version 1.0(11)2 01/25/06 13:21:26.17

Evaluating BIOS Options...
Launch BIOS Extension to setup ROMMON
Cisco Systems ROMMON Version (1.0(11)2) #0: Thu Jan 26 10:43:08 PST 2006
Platform IPS-4240-K9
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Boot interrupted.
Management0/0
Link is UP
MAC Address:000b.fcfa.d155
Use ? for help.
rommon #0> confreg 0x7
Update Config Register (0x7) in NVRAM...
rommon #1> boot
Password Recovery for the AIM IPS
To recover the password for the AIM IPS, use the clear password command. You must have
console access to the AIM IPS and administrative access to the router.
To recover the password for the AIM IPS, follow these steps:
Step 1 Log in to the router.
Step 2 Enter privileged EXEC mode on the router.
router> enable
Step 3 Confirm the module slot number in your router.
router# show run | include ids-sensor
interface IDS-Sensor0/0
router#
Step 4 Session in to the AIM IPS.
router# service-module ids-sensor slot/port session
Example
router# service-module ids-sensor 0/0 session
Step 5 Press Control-shift-6 followed by x to navigate to the router CLI.
Step 6 Reset the AIM IPS from the router console.
router# service-module ids-sensor 0/0 reset
Step 7 Press Enter to return to the router console.
Step 8 When prompted for boot options, enter *** quickly.
You are now in the bootloader.
Step 9 Clear the password.
ServicesEngine boot-loader# clear password
The AIM IPS reboots. The password is reset to cisco. Log in to the CLI with username cisco and
password cisco. You can then change the password.
Password Recovery for the AIP SSM
You can reset the password to the default (cisco) for the AIP SSM using the CLI or the ASDM.
Resetting the password causes it to reboot. IPS services are not available during a reboot.
Note: To reset the password, you must have ASA 7.2.2 or later
Use the hw-module module slot_number password-reset command to reset the password to the
default cisco.
If the module in the specified slot has an IPS version that does not support password recovery, the
following error message is displayed:
ERROR: the module in slot <n> does not support password recovery.
Resetting the Password Using the CLI
To reset the password on the AIP SSM, follow these steps:
Step 1 Log into the adaptive security appliance and enter the following command to verify the
module slot number:


Step 2 Reset the password for module 1.
asa# hw-module module 1 password-reset
Reset the password on module in slot 1? [confirm]
Step 3 Press Enter to confirm.
Password-Reset issued for slot 1.
Step 4 Verify the status of the module. Once the status reads Up, you can session to the AIP
SSM.



Step 5 Session to the AIP SSM.
asa# session 1
Opening command session with slot 1.
Connected to slot 1. Escape character sequence is 'CTRL-^X'.
Step 6 Enter the default username (cisco) and password (cisco) at the login prompt.
login: cisco
Password: cisco
You are required to change your password immediately (password aged)
Changing password for cisco.
(current) password: cisco
Step 7 Enter your new password twice.
New password: new password
Retype new password: new password

***NOTICE***
This product contains cryptographic features and is subject to United States and local country laws
governing import, export, transfer and use. Delivery of Cisco cryptographic products does not
imply third-party authority to import, export, distribute or use encryption. Importers, exporters,
distributors and users are responsible for compliance with U.S. and local country laws. By using
this product you agree to comply with applicable laws and regulations. If you are unable to comply
with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to export@cisco.com.

***LICENSE NOTICE***
There is no license key installed on this IPS platform. The system will continue to operate with the
currently installed signature set. A valid license must be obtained in order to apply signature
updates. Please go to http://www.cisco.com/go/license to obtain a new license or install a license.
aip_ssm#
Password Recovery for the IDSM2
To recover the password for the IDSM2, you must install a special password recovery image file.
This installation only resets the password, all other configuration remains intact. The password
recovery image is version-dependent and can be found on the Cisco Download Software site. For
IPS 6.x, download WS-SVC-IDSM2-K9-a-6.0-password-recovery.bin.gz. For IPS 7.x, download
WS-SVC-IDSM2-K9-a-7.0-password-recovery.bin.gz.
FTP is the only supported protocol for image installations, so make sure you put the password
recovery image file on an FTP server that is accessible to the switch. You must have
administrative access to the Cisco 6500 series switch to recover the password on the IDSM2.
During the password recovery image installation, the following message appears:
Upgrading will wipe out the contents on the hard disk.
Do you want to proceed installing it [y|n]:
This message is in error. Installing the password recovery image does not remove any
configuration, it only resets the login account.
Once you have downloaded the password recovery image file, follow the instructions to install the
system Image file but substitute the password recovery image file for the system image file. The
IDSM2 should reboot into the primary partition after installing the recovery image file. If it does not,
enter the following command from the switch:
hw-module module module_number reset hdd:1
Note The password is reset to cisco. Log in to the CLI with username cisco and password cisco.
You can then change the password.
Password Recovery for the NME IPS
To recover the password for the NME IPS, use the clear password command. You must have
console access to the NME IPS and administrative access to the router.
To recover the password for the NME IPS, follow these steps:
Step 1 Log in to the router.
Step 2 Enter privileged EXEC mode on the router.
router> enable
Step 3 Confirm the module slot number in your router.
router# show run | include ids-sensor
interface IDS-Sensor1/0
router#
Step 4 Session in to the NME IPS.
router# service-module ids-sensor slot/port session
Example
router# service-module ids-sensor 1/0 session
Step 5 Press Control-shift-6 followed by x to navigate to the router CLI.
Step 6 Reset the NME IPS from the router console.
router# service-module ids-sensor 1/0 reset
Step 7 Press Enter to return to the router console.
Step 8 When prompted for boot options, enter *** quickly.
You are now in the bootloader.
Step 9 Clear the password.
ServicesEngine boot-loader# clear password
The NME IPS reboots. The password is reset to cisco. Log in to the CLI with username cisco and
password cisco. You can then change the password.
http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/cli/cli_administration.html









QUESTION NO: 157 DRAG DROP





Answer:
Explanation:






QUESTION NO: 158 DRAG DROP





Answer:
Explanation:





QUESTION NO: 159 DRAG DROP






Answer:
Explanation:





QUESTION NO: 160 DRAG DROP





Answer:
Explanation:





QUESTION NO: 161 DRAG DROP





Answer:
Explanation:





QUESTION NO: 162 DRAG DROP






Answer:
Explanation:






QUESTION NO: 163 DRAG DROP





Answer:
Explanation:





QUESTION NO: 164 DRAG DROP





Answer:
Explanation:






QUESTION NO: 165 DRAG DROP





Answer:
Explanation:



