ESSE Recertification
Version 1.0
QUESTION NO: 1
The attack category is for events that
A. Attempt to discover weaknesses
B. Map the structure of the network
C. Have the potential to compromise the integrity of an end system.
D. Deny access to resources
Answer: C
QUESTION NO: 2
Virtual Sensors can segregate traffic by?
A. IP Address, VLAN, Port
B. IP Address, VLAN, Port, Protocol
C. IP Address, VLAN, Port, Protocol, Application
D. IP Address, VLAN, Port, Application
Answer: B
QUESTION NO: 3
In an Event Flow Processor (EFP) a consumer can be?
A. A Sensor or an Event Channel
B. An Event channel only
C. An Event channel or an Agent
D. An Agent only
Answer: C
QUESTION NO: 4
Before the host Sensor can be deployed
A. It must be associated with a virtual sensor
B. It must be associated with a host policy
C. Its key must be added to the /usr/dragon/bin directory
D. Its address must be added to /etc/hosts
Answer: B
QUESTION NO: 5
Which of the following Dragon Agents is used for detecting changes to host files?
A. Real Time Console
B. MD5 Sum
C. Alarm Tool
D. Database
Answer: B
QUESTION NO: 6
In a standalone deployment the system will have?
A. A net-config-client.xml file
B. A net-config-server.xml file
C. A net-config-server.xml and a net-config-client.xml file
D. A net-config-server.xml, a net-config-client.xml and a net-config-reports.xml file
Answer: C
QUESTION NO: 7
MD5 checksums are
A. Stored in a protected directory on the host
QUESTION NO: 10
Signature OS
A. Applies signature to network traffic originating from the specified OS
QUESTION NO: 14
The host policy MD5 detection module
A. Detects any changes in the contents of protected file
B. Detects file size increases
C. Detects file truncations
D. Detects ownership changes
Answer: A
QUESTION NO: 15
Traffic direction refers to traffic flows in relation to the
A. Server
B. Protected network
C. Client
D. DMZ
Answer: B
QUESTION NO: 16
The master Alarm Tool Default policy
A. Is write locked
B. Is writable
C. Cannot be copied
D. Cannot be associated with an Agent
Answer: A
QUESTION NO: 17
Which alarm type is best described as: collects information for x period of time, then sends event notifications
A. Real Time
B. Summary
C. Dynamic
D. Interval
Answer: B
QUESTION NO: 18
Agent status will show as Not Available until?
A. The agent is committed
B. The agent is deployed
C. The agent is selected
D. The remote node is deployed
Answer: B
QUESTION NO: 19
Agents can be deployed on?
A. Only the Enterprise Management Server (EMS)
B. Any managed node with a networked sensor deployed
C. Any managed node with host sensor deployed
D. Any managed node
Answer: D
QUESTION NO: 20
If a packet matched the rules for two virtual sensors it will be evaluated by?
A. Both sensors
B. The first sensor it matches
C. The default sensor
D. Overlapping rules are not permitted
Answer: B
QUESTION NO: 21
A Bare Bones Event Flow Processor (EFP) has?
A. Only event channels
B. Event channels and agents
C. Only Agents and Sensors
D. Event channels and sensors
Answer: A
QUESTION NO: 22
Which alarm type is best described as: Sends event notifications as soon as they are triggered
A. Real Time
B. Summary
C. Dynamic
D. Interval
Answer: A
QUESTION NO: 23
When a notification rule is created a __________ can be associated with it.
A. Sensor
B. User
C. Time Period
D. Score
Answer: C
QUESTION NO: 24
Connection type Outbound in the net-config-client.xml file indicates?
A. The server will initiate configuration channel connections
QUESTION NO: 28
Alarm Tool filters can filter traffic based on: time (after/before), direction, events, IP source or destination, protocol and
A. Threat subnet
B. Policy
C. Sensor
D. VLAN
Answer: C
QUESTION NO: 29
The net-config-client.xml file is associated with?
A. The Enterprise Management Server (EMS)
B. Managed node client
C. Enterprise Management Server (EMS) Management Client
D. Reporting server
Answer: B
QUESTION NO: 30
Custom Signature libraries can contain
A. Copies of master signatures and libraries
B. Customized signatures
C. Copies of master signatures and libraries, customized signatures and customized policies
D. Copies of master signatures and libraries and customized signatures
Answer: D
QUESTION NO: 31
The virtual sensor name?
A. Must match the license name
QUESTION NO: 35
The Windows host sensor key
A. Is added to the /usr/keys directory
B. Is pushed from the Enterprise Management Server (EMS) when the managed node is
deployed
C. Is installed manually on the Windows system
D. Is pushed from the Enterprise Management Server (EMS) when the sensor is deployed
Answer: C
QUESTION NO: 36
The Host Sensor Virtual Sensor module
A. Associates host policies to the sensor
B. Allows the sensor name contained within an event to be overridden with configured values
C. Allows signatures to be associated with the sensor
D. Allows signatures and policies to be associated with the sensor
Answer: B
QUESTION NO: 37
Network policies and signatures are associated with the?
A. Managed node
B. Network sensor
C. Virtual sensor
D. Agent
Answer: C
QUESTION NO: 38
C. Alarm Tool
D. Database
Answer: A
QUESTION NO: 42
The default event channel port is?
A. 9111
B. 9112
C. 9113
D. 9114
Answer: B
QUESTION NO: 43
The host sensor name
A. Must match the license key
B. Is for display purposes only
C. Is included in events generated by the sensor
D. Must include the managed node name
Answer: C
QUESTION NO: 44
In a signature the service direction refers to
A. Ports
B. Networks
C. VLANS
D. Protocols
Answer: A
QUESTION NO: 45
QUESTION NO: 51
As defined in NetSight Policy Manager's demo.pmd file, the Guest Access policy role should be assigned to ports where:
A. Only IT operations may access the network
B. Only trusted users may access the network
C. Trusted users may access the network as well as untrusted users
D. The Guest Access policy role should only be dynamically assigned to ports as a result of
successful authentication
Answer: C
QUESTION NO: 52
Which of the following questions is a consideration when defining an Acceptable Use Policy for the network:
A. Which applications are business-critical to trusted users on the network?
B. Where are untrusted users allowed to connect to the network?
C. Which protocols should not be utilized by untrusted and trusted users, representing an attack
or misuse of the network?
D. All of the above
Answer: D
QUESTION NO: 53
When configuring a highly restrictive policy role in NetSight Policy Manager with the highest level of security, such as the Quarantine policy, the default access control setting for the policy role should be set to:
A. Deny
B. Allow
C. Redirect to a remediation server
D. CoS Priority 0
Answer: A
QUESTION NO: 54
Which of the following services, as defined by demo.pmd in NetSight Policy Manager, protects
the network from a user masquerading as a valid service on the network?
A. Deny Unsupported Protocol Access service
B. Deny Spoofing & other Administrative Protocols service
QUESTION NO: 59
In the deployment of static policy on the network, a policy-capable device, such as the Matrix N-Series:
A. Classifies ingressed traffic on the network
B. Centrally defines and pushes out the policy configuration for the network
C. Periodically updates the policy configuration in NetSight Policy Manager
D. Maintains periodic contact with other policy-capable switches on the network
Answer: A
QUESTION NO: 60
Which of the following is not a pre-defined Port Group in NetSight Policy Manager:
A. All ports
B. Authenticated ports
C. Logical ports
D. CDP ports
Answer: B
QUESTION NO: 61
Fill in the blank. It is necessary to ______ policy configuration changes to the switches in
NetSight Policy Manager before the changes can take effect.
A. Mediate
B. Enforce
C. Compile
D. Encrypt
Answer: B
QUESTION NO: 62
By not dropping packets formatted with TCP/UDP source port 67 and TCP/UDP source port 53
on user ports, a user can:
A. Execute DNS server spoofing attacks
B. Execute man-in-the-middle attacks to compromise data confidentiality
C. Execute a DoS attack by allocating bogus IP addresses to other end systems on the network
D. All of the above
Answer: D
QUESTION NO: 63
An Acceptable Use Policy for the network should define:
A. Which types of traffic trusted users only are allowed to generate on the network
B. Which types of traffic untrusted users only are allowed to generate on the network
C. Which types of traffic trusted and untrusted users are allowed to generate on the network
D. Which types of traffic guest users only are allowed to generate on the network
Answer: C
QUESTION NO: 64
A new virus has been identified on the Internet causing an infected system to listen to TCP port
X for allowing remote connections to the infected device. If a network administrator desires to
prevent an internal user from connecting to an infected device, the network administrator should
configure and enforce policy for malicious users to the Active Edge of the network that:
A. Discards traffic destined to TCP port X
B. Discards traffic sourced from TCP port X
C. Prioritizes traffic destined or sourced to TCP port X to a low priority
D. Rate limit traffic destined or sourced to TCP port X
Answer: A
QUESTION NO: 65
In a multi-vendor environment, where is the placement of a policy capable device most effective
in discarding malicious traffic and protecting the entire network:
A. At the access layer edge
B. At the distribution layer
C. In the DMZ
D. In the core
Answer: A
QUESTION NO: 66
When deploying static policy to the network:
A. The NetSight Policy configuration must be enforced to the policy-capable devices before policy roles are assigned to ports
B. The Phased Implementation Approach should be used to minimize inadvertent negative
impact to business-critical applications on the network
C. Updating the policy configuration across the entire network requires enforcing the altered
policy configuration in NetSight Policy Manager and then reassigning the altered policy roles to
device ports
D. A and B
Answer: D
QUESTION NO: 67
Which of the following authentication methods requires a default policy role to be assigned to the port when the authentication method is enabled:
A. MAC-based authentication
B. 802.1X authentication
C. Port Web Authentication
D. All of the above
Answer: C
QUESTION NO: 68
A new policy role, Staff, is created under the Roles tab in NetSight Policy Manager. To use the Staff policy role to classify ingressed traffic for static policy deployment, the network administrator must at a minimum:
A. Do nothing else. Once the Staff policy role is created in NetSight Policy Manager, the network begins classifying traffic according to the configuration of Staff
B. Enforce NetSight Policy Manager's policy configuration to policy-capable devices only
C. Enforce NetSight Policy Manager's policy configuration to policy-capable devices and also assign the Staff policy role to a port
D. Enforce NetSight Policy Manager's policy configuration to policy-capable devices, assign the Staff policy role to a port, and enable authentication on the port.
Answer: C
QUESTION NO: 69
As defined in NetSight Policy Manager's demo.pmd file, the Administrator policy role should be
statically assigned to ports where:
A. Only IT operations may access the network
B. IT operations may access the network as well as trusted users
C. IT operations may access the network as well as trusted and untrusted users
D. Only trusted users may access the network
Answer: A
QUESTION NO: 70
As defined in NetSight Policy Manager's demo.pmd file, the Application Provisioning - AUP
service is designed to group classification rules that:
A. Discard malicious traffic
B. Prioritize traffic by assigning various classes of service to different applications
C. Discard unsupported protocols
D. Discard traffic associated to DoS attacks
Answer: B
QUESTION NO: 71
If a policy role is configured in NetSight Policy Manager to allow all traffic by default, then to
increase the security level of the policy role, the classification rules associated to this policy role
should be configured to:
A. Allow traffic
B. Prioritize traffic to CoS Priority 5
C. Rewrite the ToS field of traffic
D. Deny traffic
Answer: D
QUESTION NO: 72
The Device Configuration Wizard and Port Configuration Wizard in NetSight Policy Manager can be used to:
A. Configure a group of devices or ports on devices with the same configuration at one time
B. Add/remove network elements in NetSight Policy Manager
C. Enforce the NetSight Policy Manager policy configuration to a group of devices
D. Configure user-to-policy role mapping on the enterprise network's RADIUS server
Answer: A
QUESTION NO: 73
As defined in NetSight Policy Manager's demo.pmd file, the Application Provisioning Supplemental service is designed to:
A. Discard malicious traffic
B. Prioritize mission critical traffic by provisioning on-demand QoS
C. Discard unsupported protocols
D. Rate limit traffic associated to DoS attacks
Answer: B
QUESTION NO: 74
The Guest Access policy role is implemented by:
A. Assigning the Guest Access policy role as the default policy on ports
B. Successfully authenticating guest users on the network and dynamically assigning the Guest
Access policy role
C. Assigning the Guest Access policy role to traffic sourced from the MAC address of guest
users
D. All of the above
Answer: A
QUESTION NO: 75
With VLAN-based containment for guest networking, guest users are both potential victims and
threats to each other on the network because:
A. Guests are more likely to be infected by malware when surfing the Internet
B. Guest access to critical infrastructure resources cannot be controlled
C. Traffic sourced from guests is controlled at the VLAN egress point, not upon ingress to the
network
D. Guests are placed on the production VLAN where trusted users can attack guest users
Answer: C
QUESTION NO: 76
In the context of NetSight Policy Manager, a Service is a
A. Feature set that is assigned after authentication exchange and the port is available
B. Feature used to assign access control and/or class of service to network traffic based on its
OSI layer
C. Feature used to enforce the default role on a port
D. A group of one or more classification rules.
Answer: D
QUESTION NO: 77
In a multi-vendor environment where 3rd-party devices are located at the edge of the network
and are not policy-capable, installing a policy-capable device in the distribution layer:
A. Protects the network core from internally sourced attacks
B. Protects the server farm from internally sourced attacks
C. Secures other access layer segments connected through the policy-capable distribution layer
device
D. All of the above
Answer: D
QUESTION NO: 78
In the deployment of dynamic policy, ports that provide access to untrusted users and are enabled with authentication should be configured with an unauthenticated behavior set to:
A. Discard
B. Default role of Enterprise Access
C. Default role of Guest Access
D. Default role of Administrator
Answer: C
QUESTION NO: 79
Which of the following is false about VLAN-based containment for guest networking:
A. Guest VLANs drop unwanted traffic before this traffic enters the network
B. Guest VLANs still allow guests to freely communicate to other guests within the same VLAN
C. Guest VLANs must be spanned across the network increasing the complexity of the network
topology
D. Multiple guest VLANs may need to be configured based on the topology of the network, such
as size of broadcast domains and deployment of remote sites
Answer: A
QUESTION NO: 80
A new virus has been identified on the Internet causing an infected system to listen to TCP port
X for allowing remote connections to the infected device. If a network administrator desires to
prevent infected devices from being further exploited within the enterprise network, the network
administrator should configure and enforce policy for infected devices to the Active Edge of the
network that:
A. Discards traffic destined to TCP port X
A new virus has been identified on the Internet causing an infected system to listen to TCP port X for allowing remote connections to the infected device. Since port X is used for a business-critical application on the network, the network administrator can most effectively protect his/her network without severely impacting business continuity by configuring and enforcing policy to the Active Edge that:
D. Maintains periodic contact with policy-capable switches on the network so the switch can pull
down the policy configuration on demand
Answer: B
QUESTION NO: 92
The advantages of using protocol-based containment via policy for guest networking over VLAN-based containment are:
A. Policy drops unwanted traffic sourced from guests before this traffic enters the network
B. Policy can be configured to control how guests communicate to other guests on the network,
even within the same VLAN
C. Guest users can reside on the production VLAN while network security is maintained.
Therefore, guest VLANs do not need to be deployed on the network
D. All of the above
Answer: D
QUESTION NO: 93
Which of the following services, as defined by demo.pmd in NetSight Policy Manager, reduces
network congestion by removing legacy protocols from the network such as IPX?
A. Deny Unsupported Protocol Access service
B. Deny Spoofing & other Administrative Protocols service
C. Threat Management service
D. Limit Exposure to DoS Attacks service
Answer: A
QUESTION NO: 94
As defined in NetSight Policy Manager's demo.pmd file, the Secure Guest Access Service Group:
A. Allows PPTP and HTTP traffic only, and discards all other traffic
B. Allows HTTP, DNS, and DHCP traffic only, and discards all other traffic
C. Allows PPTP, HTTP, DNS, and DHCP traffic, and denies access to all other TCP/UDP ports
and unsupported protocols on the network
D. Discards all traffic
Answer: C
QUESTION NO: 95
As defined in NetSight Policy Manager's demo.pmd file, the Enterprise Access policy role is
associated to:
A. No services
B. The Deny Spoofing & Other Administrative Protocols service only
C. The Deny Unsupported Protocol Access service only
D. All services grouped under the Acceptable Use Policy service group
Answer: D
QUESTION NO: 96
Which of the following is not a traffic attribute for which a classification rule may be configured?
A. MAC address
B. PHY and PMD sub-layers
C. TCP/UDP port number
D. IP address
Answer: B
QUESTION NO: 97
Which of the following services, as defined by demo.pmd in NetSight Policy Manager, protects the network from well-known layer 4 ports utilized in various attacks and exploits on the network?
A. Deny Unsupported Protocol Access service