Download IBM.C2150-620.ExamLabs.2019-03-14.36q.vcex


File Info

Exam: IBM Security Network Protection (XGS) V5.3.2 System Administration
Number: C2150-620
File Name: IBM.C2150-620.ExamLabs.2019-03-14.36q.vcex
Size: 2 MB
Posted: Mar 14, 2019


How to open VCEX & EXAM Files?

Files with VCEX & EXAM extensions can be opened by ProfExam Simulator.


Demo Questions

Question 1

A System Administrator has been seeing a lot of SSLv2-Weak_Cipher attacks reported on the network and wants to increase the severity of the events. 
How can this be accomplished?


  A. Modify the Threat Level of the signature.
  B. Create an Incident in SiteProtector for SSLv2-Weak_Cipher.
  C. Modify the Event Log response for the Intrusion Prevention Object.
  D. Increase the X-Force Protection Level for the Intrusion Prevention Object.
Correct answer: D
Explanation:
What do the various Protection Levels in the X-Force Virtual Patch and Trust X-Force Defaults mean?
Note: Intrusion Prevention Object – Threat level protection
X-Force Virtual Patch Protection Levels
  • None
    Do not enable any signatures by default. This option is for a user that wants complete control over which signatures get enabled.
  • Moderate
    The moderate policy enables most attack events for a good level of security protection with minimal chance of false alarms. The moderate policy is designed for users who intermittently monitor security events and minimally manage the IPS configuration.
  • Aggressive
    The aggressive policy enables a high percentage of attack events for a high level of security protection with a chance of false alarms. The aggressive policy is designed for users who perform testing and tuning before IPS deployment, and who closely monitor security events and occasionally fine-tune the IPS configuration.
  • Paranoid
    The paranoid policy enables almost all attack events (including events from the latest XPUs) for a very high level of security protection with significant chance of false alarms. The paranoid policy is designed for users who perform considerable testing and tuning before IPS or XPU deployment, and who closely monitor security events and frequently fine-tune the IPS configuration.
References: http://www-01.ibm.com/support/docview.wss?uid=swg21701441



Question 2

A System Administrator is preparing to manage an XGS appliance using the SiteProtector System. 
Which three management actions can be performed? (Choose three.)


  A. Apply a snapshot.
  B. Restart the appliance.
  C. Configure Static Routes.
  D. Create a Firmware backup.
  E. Manage the Appliance SSL Certificate.
  F. Change the Flexible Performance Level.
Correct answer: ADE



Question 3

A Security Administrator wants to enable a block page to alert users when they attempt to access HTTP websites that are blocked due to a Network Access policy (NAP) rule. 
How should the Administrator achieve this?


  A. Add a NAP rule with an action of Drop.
  B. Add a NAP rule with an action of Reject.
  C. Add a NAP rule that has an action of Do Not Inspect and then set the response object to Block Page.
  D. Add a NAP rule with an action of Reject (Authenticate) and then create a special user group that has a default action of Block HTTP.
Correct answer: C



Question 4

The System Administrator has discovered the XGS device is overloaded and is dropping legitimate traffic. 
Which setting is likely responsible for this behavior?


  A. Unanalyzed policy configuration
  B. TCP resets - TCP reset interface
  C. Fail Closed hardware bypass mode
  D. LogDB response enabled on NAP rules
Correct answer: A



Question 5

A System Administrator notices a large amount of bandwidth being used by one of the web application servers on an unexpected destination port. 
Which method can the System Administrator use to review a sample of that traffic?


  A. Add an event filter for the IP address in question and assign it a packet capture response.
  B. Start a capture after adding filters specifying the source IP address and destination port.
  C. Use the tcpdump command to generate a capture and specify the src host and dst port values.
  D. Create a NAP rule specifying the source host address, web application, and a capture response.
Correct answer: B



Question 6

A System Administrator needs to create a pcap capture file which contains the FTP traffic inspected by the XGS and therefore has enabled the FTP_Get signature in the Default IPS Object. 
Which other action needs to be performed to ensure that the desired capture file is available in the Local Management interface (LMI) for this event only?


  A. Select “Log With Raw” on the FTP_Get signature that was enabled.
  B. Configure “Capture Connection” on the Response tab for the Default IPS Object.
  C. Enable the tools>capture>pinterface from the command line filtering by FTP_Get event.
  D. Configure “Capture Connection” on the Response tab for an IPS Event Filter Policy rule for FTP_Get event.
Correct answer: A
Explanation:
Log With Raw is a feature of XGS that logs a summary and the associated packet capture for the IPS event or OpenSignature event. The content of the packet capture is displayed in SiteProtector through the Event Details, which can be used for network forensics and investigation.
References: Implementation Guide for IBM Security Network Protection ('XGS for Techies') second edition, Version 2.0, page 260



Question 7

The System Administrator has configured Outbound SSL Inspection Policy for five SSL-enabled web sites. 
How can the SSL decryption errors for each web site be detected?


  A. By looking at System Events Logs
  B. By first enabling Alert on Failure
  C. By looking at Network Access Events Logs
  D. By looking at the SSL Connection Statistics Network Graph
Correct answer: B
Explanation:
Ensure that you selected the Alert On Success and Alert On Failure check boxes because they can help with the troubleshooting.
References: Implementation Guide for IBM Security Network Protection ('XGS for Techies') second edition, Version 2.0, page 216



Question 8

A System Administrator is planning to implement SSL Inspection for both outbound user traffic and inbound traffic to a company web server. 
The requirements are as follows:
  • SSL Inspection should protect users from connections to fraudulent servers 
  • Outbound SSL Inspection should be limited to select web site categories 
  • Avoid having to deploy files, configurations, or certificates to user workstations 
The steps to implement this plan are as follows:
  • Obtain an Inspection license for the XGS 
  • Obtain a certificate from a public CA and upload it to the XGS via Outbound SSL Certificates 
  • Obtain the certificate and private key of the internal web server and upload it to the XGS via Inbound SSL Certificates 
  • Add internal CA certificates for the company intranet to the trusted Certificate Authorities tab in Outbound SSL Inspection Settings 
  • Configure Outbound SSL Inspection Settings to block connections if the server certificate is self-signed or invalid 
  • Create Outbound SSL Inspection rules that inspect only specific Domain Certificate Categories 
  • Create Inbound SSL Inspection rules that only decrypt traffic destined for the internal web server IP address 
What will happen if an internal user attempts to access the company intranet?


  A. The connection will be blocked.
  B. The connection will be successful and traffic will be decrypted.
  C. The connection will be successful and the traffic will be blocked.
  D. The connection will be successful and the traffic will not be decrypted.
Correct answer: B



Question 9

A System Administrator wants to install the XGS license files during the first time configuration of the appliance. 
How should the first time configuration wizard on the appliance be accessed?


  A. Use the LCD front panel.
  B. Use a console cable connection.
  C. Use the Command Line Interface over SSH.
  D. Use the web-based Local Management Interface.
Correct answer: D
Explanation:
The Security Network Protection appliance offers a browser-based graphical user interface for local, single appliance management.
To log in to the local management interface, type the IP address or host name of your Network Protection appliance into your web browser.
References: http://documentation.extremenetworks.com/PDFs/SIEM-IPS/Extreme_Security_Threat_Protection_Installation_Guide.pdf, page 13



Question 10

A System Administrator sees a lot of Ping_Sweep events reported as blocked on the network. However, because the Ping_Sweep signature only blocks the ping packet that triggers the event, most of the ping packets are allowed through the XGS. 
How can these suspicious packets be effectively blocked from the network?


  A. Add a quarantine response to the Ping_Sweep event.
  B. Add a Network Access policy rule to reject ICMP traffic.
  C. Add a catch-all rule to the bottom of the NAP that rejects all traffic.
  D. Enable the Ping_Sweep event in the default IPS policy with the Block option.
Correct answer: A
Explanation:
Question
Why are some events allowed after setting a block response?
Cause
Most network attacks are carried out in a single packet or in several packets that are reconstructed into a single "session." For these attacks, the Block response in the XGS Intrusion Prevention policy is appropriate to use, and is translated into a block packet response and/or into a block connection response.
Certain events, however, are classified as "non-sequitur." Non-sequitur events are events that require a succession of packets to occur before the signature is triggered. For example, a port scan signature may require a succession of ten port probes before the signature would trigger. In this case, many of the offending "packets" would have already passed through the system.
Answer
For these types of signatures, you must set the Quarantine response in addition to the Block response under the Default Repository > Shared Objects > Intrusion Prevention > select signature > Edit > enable the quarantine response under the Quarantine tab > Save. The quarantine response blocks the offending IP for a period of time, ensuring that the remaining probes do not get through. The standard block packet or drop connection responses (set by the Block response) are ineffective in stopping this kind of activity when not used in conjunction with Quarantine.
The list of non-sequitur events includes SSH_Brute_Force.
References: http://www-01.ibm.com/support/docview.wss?uid=swg21687475
