- The IPS appliance will be installed in inline mode, on a dot1q trunk.
Cisco 642-627 Exam
"A Composite Solution With Just One Click" - Certification Guaranteed 138
- VLANs 10, 20, 30, 40, and 50 exist on the dot1q trunk.
- Requirement is to inspect all VLANs except VLAN 50 with the IPS appliance.
A. inline VLAN pair mode
B. inline interface mode
C. inline VLAN group mode
D. inline trunk mode
E. inline subinterface mode
Answer: C
Explanation:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/rtg_brdg/guide/vlansif.html#wp1004190
New Questions
QUESTION NO: 153
Simlet: which area will you need to work in to get the answers for the simlet?
A. Home > Dashboard
B. Configuration > Policies > Rule 0
C. Configuration > Sensor Setup
D. Configuration > Policies > virtual sensor
Answer: B
Explanation:
QUESTION NO: 154 CORRECT TEXT
Answer: 4 tasks
1: Event Action Overrides
Verify that this feature is enabled for the rules0 instance.
2: Risk category named MYCUSTOMRISK
Create a custom risk category named MYCUSTOMRISK.
Assign this category a risk threshold of 80 (hard to read in the exhibit; it could be 90).
Modify the event action override for the new MYCUSTOMRISK category so that it takes the following actions:
> Deny Attacker Inline
> Produce Alert
> Reset TCP Connection
3: Modify the Red Threat Threshold
Change the value to 80 so that the new risk category is included in the Red threshold level used for the network security health statistics threat categorization.
4: Remember to save and apply all changes as needed (that is, as you go; do not wait until the end to save changes).
Explanation:
For task 3:
http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/ime/ime_dashboards.html
Sensor Health Gadget
The Sensor Health gadget visually displays sensor health and network security information in two
colored meters. The meters are labeled Normal, Needs Attention, or Critical according to an
analysis of the specific metrics. The overall health status is set to the highest severity of all the
metrics you configured. For example, if you configure eight metrics to determine the sensor health
and seven of the eight are green while one is red, the overall sensor health is displayed as red.
The dashboard is not available here, so you have to use the Configuration > Policies > Event Action Rules > rules0 pane.
From http://www.cisco.com/en/US/docs/security/ips/7.1/configuration/guide/idm/idmguide71.html
The Event Action Rules part of the pane contains the following tabs:
Event Action Filters: Lets you remove specifications from an event or discard an entire event and prevent further processing by the sensor.
IPv4 Target Value Rating: Lets you assign an IPv4 target value rating to your network assets. The target value rating is one of the factors used to calculate the risk rating value for each alert.
IPv6 Target Value Rating: Lets you assign an IPv6 target value rating to your network assets. The target value rating is one of the factors used to calculate the risk rating value for each alert.
OS Identifications: Lets you associate IP addresses with an OS type, which in turn helps the sensor calculate the attack relevance rating.
Event Variables: Lets you create event variables to use in event action filters. When you want to use the same value within multiple filters, you can use an event variable.
Risk Category: Lets you create the risk categories you want to use to monitor sensor and network health and to use in event action overrides.
Threat Category: Lets you set the red, yellow, and green threat thresholds for network security health statistics.
On the Threat Category tab, you can group threats into red, yellow, and green categories. These red, yellow, and green threshold statistics are used in event action overrides and are also shown in the Network Security gadget on the Home page.
The red, yellow, and green threshold statistics represent the state of network security, with red being the most critical. If you change a threshold, any event action overrides that had the same range as the risk category are changed to reflect the new range. The new category is inserted into the Risk Category list according to its threshold value and is automatically assigned actions that cover its range.
Supported User Role
The following user roles are supported:
Administrator
Operator
Viewer
Field Definitions
The following fields are found on the Threat Category tab:
Threat Category Thresholds: Lists the numbers for the red, yellow, and green thresholds. The health statistics for network security use these thresholds to determine what level the network security is at (critical, needs attention, or normal). The overall network security value represents the least secure value (green is the most secure and red is the least secure). These color thresholds refer to the Sensor Health gadget on the Home pane:
Red Threat Threshold: Sets the red threat threshold. The default is 90.
Yellow Threat Threshold: Sets the yellow threat threshold. The default is 70.
Green Threat Threshold: Sets the green threat threshold. The default is 1.
General: Lets you configure some global settings that apply to event action rules.
OR
To change the sensor health metrics, click Details > Configure Sensor Health Metrics, and you are taken to Configuration > Sensor Management > Sensor Health.
Sensor Health Pane Field Definitions
The following fields are found in the Sensor Health pane:
Inspection Load: Lets you set a threshold for inspection load and whether this metric is applied to the overall sensor health rating.
Missed Packet: Lets you set a threshold percentage for missed packets and whether this metric is applied to the overall sensor health rating.
Memory Usage: Lets you set a threshold percentage for memory usage and whether this metric is applied to the overall sensor health rating.
Signature Update: Lets you set a threshold for when the last signature update was applied and whether this metric is applied to the overall sensor health rating.
License Expiration: Lets you set a threshold for when the license expires and whether this metric is applied to the overall sensor health rating.
Event Retrieval: Lets you set a threshold for when the last event was retrieved and whether this metric is applied to the overall sensor health rating.
Network Participation: Lets you choose whether the network participation health metrics contribute to the overall sensor health rating.
Global Correlation: Lets you choose whether the global correlation health metrics contribute to the overall sensor health rating.
Application Failure: Lets you choose to have an application failure applied to the overall sensor health rating.
IPS in Bypass Mode: Lets you choose to know if bypass mode is active and have that apply to the overall sensor health rating.
One or More Active Interfaces Down: Lets you choose to know if one or more enabled interfaces are down and have that apply to the overall sensor health rating.
Yellow Threshold: Lets you set the lowest threshold in percentage, days, seconds, or failures for yellow.
Red Threshold: Lets you set the lowest threshold in percentage, days, seconds, or failures for red.
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_sensor_management.html#wp2117358
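The mechanics in the two doc excerpts above (a risk category's threshold defining a risk-rating range, event action overrides tied to that range, the red/yellow/green threat thresholds, and per-metric sensor health rolled up to the highest severity) as a Python model that walks through the four Q154 tasks. This is an added example written for this page; it is not Cisco code and not part of the original explanation. The only values taken from the page are the defaults 90/70/1, the MYCUSTOMRISK threshold of 80, its three actions, and the task 3 change of the red threshold to 80. The class and function names (EventActionRules, risk_range, add_risk_category, actions_for, threat_colour, sensor_health, simlet), the rule that a category's range runs from its own threshold up to just below the next higher threshold, the treatment of yes/no health conditions as red when set, and every value in SAMPLE_METRICS are assumptions of the example.

```python
from dataclasses import dataclass, field

# Colour order shared by the Threat Category thresholds and the Sensor Health
# gadget: the overall state is always the highest severity present.
SEVERITY = {"green": 0, "yellow": 1, "red": 2}


@dataclass
class EventActionRules:
    """One event action rules instance (rules0 in the simlet)."""
    red: int = 90          # Threat Category defaults from the IDM guide
    yellow: int = 70
    green: int = 1
    overrides_enabled: bool = True
    categories: dict = field(default_factory=dict)  # name -> risk threshold (0..100)
    overrides: dict = field(default_factory=dict)   # name -> (enabled, frozenset(actions))


def risk_range(rules, name):
    """Range a category covers: its threshold up to just below the next higher
    threshold, or 100 if nothing is higher (assumption; built-ins included)."""
    thresholds = {"RED": rules.red, "YELLOW": rules.yellow, "GREEN": rules.green}
    thresholds.update(rules.categories)
    low = thresholds[name]
    higher = [t for t in thresholds.values() if t > low]
    return low, (min(higher) - 1) if higher else 100


def add_risk_category(rules, name, threshold, actions):
    """Task 2: create a custom category plus an enabled override for it."""
    if not 0 <= threshold <= 100:
        raise ValueError("risk threshold must be 0..100")
    if name in rules.categories or name in ("RED", "YELLOW", "GREEN"):
        raise ValueError(f"risk category {name} already exists")
    rules.categories[name] = threshold
    rules.overrides[name] = (True, frozenset(actions))


def actions_for(rules, risk_rating):
    """Union of actions from every enabled override whose category range holds
    the rating.  Overrides are keyed by category, so a threshold change (task 3)
    moves the override's range with the category."""
    if not rules.overrides_enabled:      # task 1: feature off = no overrides at all
        return frozenset()
    chosen = set()
    for name, (enabled, acts) in rules.overrides.items():
        low, high = risk_range(rules, name)
        if enabled and low <= risk_rating <= high:
            chosen |= acts
    return frozenset(chosen)


def threat_colour(rules, risk_rating):
    """Network security health colour for one alert; None if below green."""
    for colour, floor in (("red", rules.red), ("yellow", rules.yellow), ("green", rules.green)):
        if risk_rating >= floor:
            return colour
    return None


def sensor_health(metrics):
    """Sensor Health gadget roll-up over (name, value, yellow, red, contributes).
    A bool value is a yes/no condition (bypass, interface down, app failure) and
    counts as red when True (assumption: the guide only says it is 'applied')."""
    worst = "green"
    for _name, value, yellow, red, contributes in metrics:
        if not contributes:              # metric switched out of the rating
            continue
        if isinstance(value, bool):
            colour = "red" if value else "green"
        else:
            colour = "red" if value >= red else "yellow" if value >= yellow else "green"
        if SEVERITY[colour] > SEVERITY[worst]:
            worst = colour
    return worst


# Constructed sample; the numeric thresholds are illustrative, not Cisco defaults.
SAMPLE_METRICS = [
    ("Inspection Load (%)", 72, 80, 91, True),
    ("Missed Packet (%)", 3, 1, 6, True),                          # yellow
    ("Memory Usage (%)", 93, 80, 91, False),                       # red, but excluded
    ("Signature Update (days since)", 12, 30, 60, True),
    ("IPS in Bypass Mode", False, None, None, True),
    ("One or More Active Interfaces Down", True, None, None, False),  # excluded
]


def simlet():
    """Walk the four Q154 tasks on a fresh rules0 and report what an alert with
    risk rating 85 gets before and after the red threshold is lowered to 80."""
    rules = EventActionRules()
    rules.overrides_enabled = True                                  # task 1
    add_risk_category(rules, "MYCUSTOMRISK", 80,                    # task 2
                      {"deny-attacker-inline", "produce-alert", "reset-tcp-connection"})
    before = (risk_range(rules, "MYCUSTOMRISK"), threat_colour(rules, 85))
    rules.red = 80                                                  # task 3
    after = (risk_range(rules, "MYCUSTOMRISK"), threat_colour(rules, 85))
    return before, after, actions_for(rules, 85)   # task 4 (save/apply) is the UI's job
```

Running simlet() shows why task 3 matters: with the red threshold at its default of 90, MYCUSTOMRISK covers 80-89 and an RR 85 alert is only yellow for the health statistics; lowering red to 80 widens the category to 80-100, the same alert is classed red, and it still receives the three override actions. sensor_health(SAMPLE_METRICS) returns yellow because the one red metric (memory usage) has been excluded from the rating, matching the gadget rule that one contributing red metric would otherwise turn the whole sensor red.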
QUESTION NO: 155 DRAG DROP
Drag and drop: match the users with their capabilities.
Answer:
Explanation:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_introducing.html#wp1039262
All IPS platforms allow ten concurrent CLI sessions.
The Cisco IPS CLI permits multiple users to log in at the same time. You can create and remove users from the local sensor. You can modify only one user account at a time. Each user is associated with a role that controls what that user can and cannot modify.
The CLI supports four user roles: administrator, operator, viewer, and service. The privilege levels for each role are different; therefore, the menus and available commands vary for each role.
Administrator: This user role has the highest level of privileges. Administrators have unrestricted view access and can perform the following functions:
Add users and assign passwords
Enable and disable control of physical interfaces and virtual sensors
Assign physical sensing interfaces to a virtual sensor
Modify the list of hosts allowed to connect to the sensor as a configuring or viewing agent
Modify sensor address configuration
Tune signatures
Assign configuration to a virtual sensor
Manage routers
Operator: This user role has the second highest level of privileges. Operators have unrestricted view access and can perform the following functions:
Modify their passwords
Tune signatures
Manage routers
Assign configuration to a virtual sensor
Viewer: This user role has the lowest level of privileges. Viewers can view configuration and event data and can modify their passwords.
Tip: Monitoring applications only require viewer access to the sensor. You can use the CLI to set up a user account with viewer privileges and then configure the event viewer to use this account to connect to the sensor.
Service: This user role does not have direct access to the CLI. Service account users are logged directly into a bash shell. Use this account for support and troubleshooting purposes only. Unauthorized modifications are not supported and require the device to be reimaged to guarantee proper operation. You can create only one user with the service role.
When you log in to the service account, you receive the following warning:
**************** WARNING ***********************
UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.
This account is intended to be used for support and troubleshooting purposes only.
Unauthorized modifications are not supported and will require this device to be re-imaged to
guarantee proper operation.
**************************************************
In the service account you can also switch to user root by executing su -. The root password is synchronized to the service account password. Some troubleshooting procedures may require you to execute commands as the root user.
QUESTION NO: 156 DRAG DROP
Match the password recovery technique or command on the left with the platform on the right on which it is used.
Answer:
Explanation:
To recover the password on appliances, follow these steps:
Step 1 Reboot the appliance.
The following menu appears:
GNU GRUB version 0.94 (632K lower / 523264K upper memory)
-------------------------------------------
0: Cisco IPS
1: Cisco IPS Recovery
2: Cisco IPS Clear Password (cisco)
-------------------------------------------
Use the ^ and v keys to select which entry is highlighted.
Press enter to boot the selected OS, 'e' to edit the
Commands before booting, or 'c' for a command-line.
Highlighted entry is 0:
Step 2 Press any key to pause the boot process.
Step 3 Choose 2: Cisco IPS Clear Password (cisco).
The password is reset to cisco. You can change the password the next time you log in to the CLI.
Using ROMMON
For the IPS 4240 and the IPS 4255 you can use the ROMMON to recover the password. To access the ROMMON CLI, reboot the sensor from a terminal server or direct connection and interrupt the boot process.
To recover the password using the ROMMON CLI, follow these steps:
Step 1 Reboot the appliance.
Step 2 To interrupt the boot process, press ESC or Control-R (terminal server) or send a BREAK
command (direct connection).
The boot code either pauses for 10 seconds or displays something similar to one of the following:
Evaluating boot options
Use BREAK or ESC to interrupt boot
Step 3 Enter the following commands to reset the password:
confreg 0x7
boot
Sample ROMMON session:
Booting system, please wait...
CISCO SYSTEMS
Embedded BIOS Version 1.0(11)2 01/25/06 13:21:26.17
Evaluating BIOS Options...
Launch BIOS Extension to setup ROMMON
Cisco Systems ROMMON Version (1.0(11)2) #0: Thu Jan 26 10:43:08 PST 2006
Platform IPS-4240-K9
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Boot interrupted.
Management0/0
Link is UP
MAC Address:000b.fcfa.d155
Use ? for help.
rommon #0> confreg 0x7
Update Config Register (0x7) in NVRAM...
rommon #1> boot
Password Recovery for the AIM IPS
To recover the password for the AIM IPS, use the clear password command. You must have
console access to the AIM IPS and administrative access to the router.
To recover the password for the AIM IPS, follow these steps:
Step 1 Log in to the router.
Step 2 Enter privileged EXEC mode on the router.
router> enable
Step 3 Confirm the module slot number in your router.
router# show run | include ids-sensor
interface IDS-Sensor0/0
router#
Step 4 Session in to the AIM IPS.
router# service-module ids-sensor slot/port session
Example
router# service-module ids-sensor 0/0 session
Step 5 Press Control-shift-6 followed by x to navigate to the router CLI.
Step 6 Reset the AIM IPS from the router console.
router# service-module ids-sensor 0/0 reset
Step 7 Press Enter to return to the router console.
Step 8 When prompted for boot options, enter *** quickly.
You are now in the bootloader.
Step 9 Clear the password.
ServicesEngine boot-loader# clear password
The AIM IPS reboots. The password is reset to cisco. Log in to the CLI with username cisco and
password cisco. You can then change the password.
Password Recovery for the AIP SSM
You can reset the password to the default (cisco) for the AIP SSM using the CLI or the ASDM.
Resetting the password causes it to reboot. IPS services are not available during a reboot.
Note: To reset the password, you must have ASA 7.2.2 or later
Use the hw-module module slot_number password-reset command to reset the password to the
default cisco.
If the module in the specified slot has an IPS version that does not support password recovery, the
following error message is displayed:
ERROR: the module in slot <n> does not support password recovery.
Resetting the Password Using the CLI
To reset the password on the AIP SSM, follow these steps:
Step 1 Log into the adaptive security appliance and enter the following command to verify the
module slot number:
Step 2 Reset the password for module 1.
asa# hw-module module 1 password-reset
Reset the password on module in slot 1? [confirm]
Step 3 Press Enter to confirm.
Password-Reset issued for slot 1.
Step 4 Verify the status of the module. Once the status reads Up, you can session to the AIP
SSM.
Step 5 Session to the AIP SSM.
asa# session 1
Opening command session with slot 1.
Connected to slot 1. Escape character sequence is 'CTRL-^X'.
Step 6 Enter the default username (cisco) and password (cisco) at the login prompt.
login: cisco
Password: cisco
You are required to change your password immediately (password aged)
Changing password for cisco.
(current) password: cisco
Step 7 Enter your new password twice.
New password: new password
Retype new password: new password
***NOTICE***
This product contains cryptographic features and is subject to United States and local country laws
governing import, export, transfer and use. Delivery of Cisco cryptographic products does not
imply third-party authority to import, export, distribute or use encryption. Importers, exporters,
distributors and users are responsible for compliance with U.S. and local country laws. By using
this product you agree to comply with applicable laws and regulations. If you are unable to comply
with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to export@cisco.com.
***LICENSE NOTICE***
There is no license key installed on this IPS platform. The system will continue to operate with the
currently installed signature set. A valid license must be obtained in order to apply signature
updates. Please go to http://www.cisco.com/go/license to obtain a new license or install a license.
aip_ssm#
Password Recovery for the IDSM2
To recover the password for the IDSM2, you must install a special password recovery image file.
This installation only resets the password, all other configuration remains intact. The password
recovery image is version-dependent and can be found on the Cisco Download Software site. For
IPS 6.x, download WS-SVC-IDSM2-K9-a-6.0-password-recovery.bin.gz. For IPS 7.x, download
WS-SVC-IDSM2-K9-a-7.0-password-recovery.bin.gz.
FTP is the only supported protocol for image installations, so make sure you put the password
recovery image file on an FTP server that is accessible to the switch. You must have
administrative access to the Cisco 6500 series switch to recover the password on the IDSM2.
During the password recovery image installation, the following message appears:
Upgrading will wipe out the contents on the hard disk.
Do you want to proceed installing it [y|n]:
This message is in error. Installing the password recovery image does not remove any
configuration, it only resets the login account.
Once you have downloaded the password recovery image file, follow the instructions to install the
system Image file but substitute the password recovery image file for the system image file. The
IDSM2 should reboot into the primary partition after installing the recovery image file. If it does not,
enter the following command from the switch:
hw-module module module_number reset hdd:1
Note The password is reset to cisco. Log in to the CLI with username cisco and password cisco.
You can then change the password.
Password Recovery for the NME IPS
To recover the password for the NME IPS, use the clear password command. You must have
console access to the NME IPS and administrative access to the router.
To recover the password for the NME IPS, follow these steps:
Step 1 Log in to the router.
Step 2 Enter privileged EXEC mode on the router.
router> enable
Step 3 Confirm the module slot number in your router.
router# show run | include ids-sensor
interface IDS-Sensor1/0
router#
Step 4 Session in to the NME IPS.
router# service-module ids-sensor slot/port session
Example
router# service-module ids-sensor 1/0 session
Step 5 Press Control-shift-6 followed by x to navigate to the router CLI.
Step 6 Reset the NME IPS from the router console.
router# service-module ids-sensor 1/0 reset
Step 7 Press Enter to return to the router console.
Step 8 When prompted for boot options, enter *** quickly.
You are now in the bootloader.
Step 9 Clear the password.
ServicesEngine boot-loader# clear password
The NME IPS reboots. The password is reset to cisco. Log in to the CLI with username cisco and password cisco. You can then change the password.
http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/cli/cli_administration.html
QUESTION NO: 157 DRAG DROP
Answer:
Explanation:
QUESTION NO: 158 DRAG DROP
Answer:
Explanation:
QUESTION NO: 159 DRAG DROP
Answer:
Explanation:
QUESTION NO: 160 DRAG DROP
Answer:
Explanation:
QUESTION NO: 161 DRAG DROP
Answer:
Explanation:
QUESTION NO: 162 DRAG DROP
Answer:
Explanation:
QUESTION NO: 163 DRAG DROP
Answer:
Explanation:
QUESTION NO: 164 DRAG DROP
Answer:
Explanation:
QUESTION NO: 165 DRAG DROP
Answer:
Explanation: