Cisco 642-513 PDF, Prepare for the Cisco 642-513 Practice Exam Covers All Key Points

Flydumps Cisco 642-513 exam material is researched and created by certified authors who use current exam experience to produce precise and logical dumps. You can get questions and answers from many other websites or books, but logic is the main key to success, and Flydumps will give you this key.

QUESTION 30
An agent kit was built on a Certkiller CSA MC. How can this agent kit be sent out to host machines?
A. Via a URL that is e-mailed to clients
B. Via a TFTP server
C. Via an FTP server
D. Via a Telnet server
E. None of the above

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:
Once you build an agent kit on CSA MC, you deliver the generated URL, via email for example, to end users so that they can download and install the Cisco Security Agent. They access the URL to download and then install the kit. This is the recommended method of agent kit distribution.
You may also point users to a URL on the CiscoWorks system that lists all available kits:
https://<ciscoworks system name>/csamc50/kits
If you point users to the "kits" URL and you have multiple agent kits listed there, be sure to tell users which kit to download.
Reference:
http://www.cisco.com/en/US/products/sw/secursw/ps5057/
products_installation_guide_chapter09186a00805ae b
QUESTION 31
A new group has been created, and some Certkiller hosts need to be moved into it. Which action must be taken before a host can enforce rules after it has been moved to the new group?
A. Save
B. Generate rules
C. Deploy
D. Clone
E. Write to memory

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
Once you have configured a policy and attached it to a new group, you need to distribute the policy to the
agents that are part of this new group. We do this by first generating our rule programs.
Click Generate rules in the bottom frame of CSA MC. All pending database changes ready for distribution
appear.
If everything looks okay, you can click the Generate button that now appears in the bottom frame. This
distributes your policy to the agents.
Reference:
http://www.cisco.com/en/US/products/sw/secursw/ps5057/
products_installation_guide_chapter09186a00805ae b

QUESTION 32
The Certkiller CSA administrator is building agent kits for distribution. Which two items make up Agent kits? (Choose two)
A. Groups
B. Hosts
C. Policies
D. Rules
E. Network shim

Correct Answer: AC Section: (none) Explanation
Explanation/Reference:
Explanation:
Host groups reduce the administrative burden of managing a large number of agents. Grouping hosts together also lets you apply the same policy to a number of hosts. A group is the only element required to build Cisco Security Agent kits. When hosts register with CSA MC, they are automatically put into their assigned group or groups. Once hosts are registered you can edit their grouping at any time. Once this is accomplished you can configure some policies and distribute them to installed and registered Cisco Security Agents.
Policies reach a kit's hosts through the groups the kit assigns them to, since a policy is attached to groups rather than to individual kits; this is why a kit is described in terms of its groups and the policies attached to those groups.
Reference:
http://www.cisco.com/en/US/products/sw/secursw/ps5057/
products_installation_guide_chapter09186a00805ae b
QUESTION 33
Using the CSA MC, how can you make a Certkiller host poll in to the Certkiller CSA MC before its scheduled polling interval?
A. Click the Poll button on the Agent UI
B. Choose the Poll Now button on the CSA MC
C. Choose the Send Polling Hint option in the CSA MC
D. Enter a polling interval in the appropriate box on the CSA MC

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
Hosts poll into CSA MC to retrieve policies. You can shorten or lengthen this polling time in the Group
configuration page. You can also send a hint message to tell hosts to poll in before their set polling interval.
Reference:
http://www.cisco.com/en/US/products/sw/secursw/ps5057/
products_installation_guide_chapter09186a00805ae b

QUESTION 34
A new agent kit was created in the Certkiller CSA network, and needs to be downloaded to end users. What status is shown when an Agent kit is prepared for downloading to hosts?
A. Prepared
B. Ready
C. Needs rule generation
D. Complete
E. None of the above

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
Agent Kit Status: When you create an agent kit, it is given one of the following status levels based on how far into the configuration you have progressed.
Ready: the agent kit is ready for download to host systems.
Needs rule generation: all agent kit configuration parameters are complete, but you must generate rules before the kit can be downloaded.
Incomplete: you have not configured all the necessary parameters for this agent kit. You must complete the configuration and then generate rules before the kit can be downloaded.
Undeployable: this status only occurs if you have ungenerated kits on the MC and then upgrade the MC to a newer version. Agent kits that were created but never generated and have an old version number can never be deployed and should be deleted.
Reference:
http://www.cisco.com/en/US/products/sw/secursw/ps5057/
products_configuration_guide_chapter09186a00805 a
QUESTION 35
Software updates are available for numerous Certkiller users. Which operating system does not receive a notification window when a software update is available from the CSA MC?
A. Linux
B. Windows
C. HPUX
D. Solaris
E. All of the above

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
The status window of the agent user interface can provide end users with all of the following:
The host name of the machine on which this agent is installed.
The name of the CSA MC with which this agent is registered.
The date and time the agent registered with CSA MC.
The date and time when the agent last polled in to CSA MC (data is not downloaded each time the agent polls).
The date and time the agent last downloaded data from CSA MC.
Whether a software version update is available for the agent.
Note: The Cisco Security Agent user interface appearance and functionality is the same on all Windows and Linux platforms. However, the Cisco Security Agent user interface does not run on Solaris systems. The Solaris agent has a utility (csactl) that provides some of the capabilities that the Windows and Linux agents provide in their user interface.
Reference:
http://www.cisco.com/en/US/products/sw/secursw/ps5057/
products_configuration_guide_chapter09186a00805 a
QUESTION 36
A Certkiller host is trying to download policies from the CSA MC. What action must happen before a system that has CSA can download policies configured for it?
A. The system must be rebooted
B. The system must install Agent kits
C. The system must be polled by the CSA MC
D. The system must register with the CSA MC
E. All of the above

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
The CSA MC architecture model consists of a central management center which maintains a database of policies and system nodes, all of which have Cisco Security Agent software installed on their desktops and servers. Agents register with CSA MC. CSA MC checks its configuration database for a record of the system. When the system is found and authenticated, CSA MC deploys a configured policy for that particular system or grouping of systems.
There are several elements you must configure to create policies that are distributed to the agents. First, you must configure host groups and create Cisco Security Agent kits. After the agents are installed on systems throughout your network, they register with CSA MC. Then, they are automatically placed into their assigned groups. When you generate rules, agents receive the policies intended for them.
Reference:
http://www.cisco.com/en/US/products/sw/secursw/ps5057/
products_configuration_guide_chapter09186a00805 a
QUESTION 37
The Certkiller security administrator is in the process of naming a policy in the MC. What is the maximum number of characters that a policy name can contain?
A. 24
B. 32
C. 48
D. 64
E. 128

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
The policy name must be unique. Names are case insensitive, must start with an alphabetic character, can be up to 64 characters long, and can include alphanumeric characters, spaces, and underscores.
Reference:
http://www.cisco.com/en/US/products/sw/secursw/ps5057/
products_installation_guide_chapter09186a00805ae b

QUESTION 38
A sniffer and protocol detection rule has been configured in the Certkiller CSA network. What is the purpose of this sniffer and protocol detection rule?
A. to stop sniffers from running on a network
B. to allow sniffers to run on a network
C. to cause an event to be logged when non-IP protocols and sniffer programs are detected running on systems
D. to deny non-IP protocols and sniffer programs from running on systems
E. None of the above

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
Use the Sniffer and protocol detection rule to cause an event to be logged when non-IP protocols and packet sniffer programs are detected running on systems. Non-IP protocols, such as IPX, AppleTalk, and NetBEUI, are used to provide distributed computing workgroup functions between server and clients and/or sharing between peer clients.
A packet sniffer (also controlled by this rule type) is a program that monitors and analyzes network traffic. Using this information, a network manager can troubleshoot network problems. A sniffer can also be used illegitimately to capture data being transmitted on a network. Sensitive information such as login names and passwords can be extracted from this data and used to break into systems.
The Sniffer and protocol detection rule is a monitoring tool: it logs, it does not block. By adding this rule to a policy, you are causing an event to be logged when any non-IP protocols and packet sniffer programs are detected running on systems which receive this rule. This rule type is available for Windows rule modules only; on UNIX agents the related control is the Network interface control rule (see Questions 49 and 51).
Reference:
http://www.cisco.com/en/US/products/sw/secursw/ps5057/
products_configuration_guide_chapter09186a00805 a
QUESTION 39
Connection rate rules are in place within the Certkiller CSA network. What is the purpose of these connection rate limit rules?
A. To limit the number of connections to an application
B. To limit the number of calls to the kernel in a specified time frame
C. To limit the number of network connections within a specified time frame
D. To limit the number of malformed connection requests to a web server
E. None of the above

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
Use the connection rate limit rule to control the number of network connections that can be sent or
received by systems within a specified time frame. This is useful in preventing attacks aimed at bringing
down system services, for example, denial of service attacks (server connection rate limiting). This is also
useful in preventing the propagation of denial of service attacks (client connection rate limiting).
Reference:
http://www.cisco.com/en/US/products/sw/secursw/ps5057/
prod_release_note09186a008019b760.html#65518
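The sliding-window check behind a client- or server-side connection rate limit, as an added Python example for this page (illustrative code, not Cisco's agent implementation). The limit of 5 connections per 10 seconds, the process names and the timestamps are constructed sample data:

```python
from collections import deque


class ConnectionRateLimiter:
    """Allow at most `max_connections` connections per `window_seconds`,
    tracked separately per (application, direction). Direction is
    "client" for outbound connects or "server" for inbound accepts,
    mirroring the server/client distinction in the rule description."""

    def __init__(self, max_connections, window_seconds):
        self.max_connections = max_connections
        self.window = float(window_seconds)
        self._history = {}   # (app, direction) -> deque of timestamps
        self.events = []     # log of denied attempts

    def check(self, app, direction, now):
        """Return True if the connection at time `now` is allowed, False if
        it exceeds the limit (in which case an event is logged)."""
        if direction not in ("client", "server"):
            raise ValueError("direction must be 'client' or 'server'")
        hist = self._history.setdefault((app, direction), deque())
        cutoff = now - self.window
        while hist and hist[0] <= cutoff:      # expire timestamps outside the window
            hist.popleft()
        if len(hist) >= self.max_connections:
            self.events.append(
                f"t={now:.1f} DENY {direction} connection by {app}: "
                f"{len(hist)} in the last {self.window:g}s "
                f"(limit {self.max_connections})")
            return False
        hist.append(now)
        return True


def simulate(limit=5, window=10.0):
    """Constructed scenario (sample data, not a real capture): a process
    named suspicious.exe opens eight outbound connections in four seconds,
    and httpd accepts a burst of inbound connections that then tails off."""
    rl = ConnectionRateLimiter(limit, window)
    results = {
        # eight connects at t = 0.0, 0.5, ..., 3.5 -> five allowed, three denied
        "suspicious.exe": [rl.check("suspicious.exe", "client", 0.5 * i)
                           for i in range(8)],
        # accepts at t = 0..4 allowed, t = 5 denied (five still in window),
        # t = 12 allowed again because t = 0, 1, 2 have expired
        "httpd": [rl.check("httpd", "server", float(t))
                  for t in (0, 1, 2, 3, 4, 5, 12)],
    }
    return rl, results


if __name__ == "__main__":
    limiter, outcome = simulate()
    for app, allowed in outcome.items():
        print(app, ["allow" if a else "DENY" for a in allowed])
    for event in limiter.events:
        print(event)
```

The client-side case (suspicious.exe) is the propagation scenario the explanation mentions: a worm spreading from an infected host fans out connections far faster than a user would, so the limit slows it down without touching normal traffic. The server-side case throttles a burst aimed at exhausting a service.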

QUESTION 40
If a Solaris or Windows system is not rebooted after CSA installation, which three rules are only enforced when new files are opened, new processes are invoked, or new socket connections are made? (Choose three)
A. COM component access rules
B. Network shield rules
C. Buffer overflow rules
D. Network access control rules
E. File access control rules
F. Demand memory access rules

Correct Answer: CDE Section: (none) Explanation
Explanation/Reference:
Explanation:
If a system is not rebooted following the agent installation, the following functionality is not immediately available. (This functionality becomes available the next time the system is rebooted.)
Windows agents: Network Shield rules are not applied until the system is rebooted. Network access control rules only apply to new socket connections; network server services should be stopped and restarted for full network access control security without a system reboot. Data access control rules are not applied until the web server service is restarted.
Solaris and Linux agents: when no reboot occurs after install, buffer overflow protection is only enforced for new processes, file access control rules only apply to newly opened files, and data access control rules are not applied until the web server service is restarted.
After installation, the agent automatically and transparently registers with CSA MC.
Reference: http://www.cisco.com/en/US/products/sw/secursw/ps5057/ products_configuration_guide_chapter09186a00804
QUESTION 41
The Certkiller security administrator is ready to deploy CSA configurations to the Certkiller hosts. Which action do you take when you are ready to deploy your CSA configuration to systems?
A. Select
B. Clone
C. Deploy
D. Generate rules
E. Push

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
Generate Rule Programs:
After a policy has been configured and attached to a group that was created, the next task is to distribute the policy to the agents that are part of the group. We do this by first generating our rule programs. (Once you click the Make Kit button and generate rules, CSA MC also produces an agent kit for distribution.)
Click Generate rules in the bottom frame of CSA MC. All pending database changes ready for distribution
appear.
If everything looks okay, you can click the Generate button that now appears in the bottom frame. This
distributes your policy to the agents.
Reference:
http://www.cisco.com/en/US/products/sw/secursw/ps5057/
products_installation_guide_chapter09186a00805ae b

QUESTION 42
Rules are being created for the Certkiller CSA network environment. Which three items make up rules? (Choose three)
A. Variables
B. Applications
C. Application classes
D. Rule modules
E. Policies
F. Actions

Correct Answer: ACF Section: (none) Explanation
Explanation/Reference:
Explanation:
A policy is a collection of rule modules. A rule module is a collection of rules. The rule module acts as the container for these rules while the policy serves as the unit of attachment to groups. Machines with similar security needs are grouped together and assigned one or more policies that specifically target the needs of the group.
Rules are made up of variables, application classes, and actions. You use configuration variables to help build the rules that form your policies. Using variables makes it easy for you to maintain policies by letting you make any necessary modifications in one place and having those changes instantiated across all rules and policies. Access control rules are application-centric. The application classes, those shipped with CSA MC and the ones you configure yourself, are the key to the rules you build as part of your security policies.
Incorrect Answers:
B: Application classes are used in the creation of rules, not the applications themselves.
D: Rule modules consist of one or more rules. Rules make up rule modules, not the other way around.
E: Rules are used to create policies, not the other way around.
QUESTION 43
The Certkiller CSA network uses both Windows and UNIX stations. Which three types of rules apply to both Windows and UNIX systems? (Choose three)
A. Agent service control rules
B. Agent UI control rules
C. Application control rules
D. COM component access control rules
E. File version control rules

Correct Answer: ABC Section: (none) Explanation
Explanation/Reference:
Explanation:
The following rule types are available for both Windows and UNIX policies.
Agent Service Control: Use the Agent service control rule to control whether administrators are allowed to stop agent security and whether end users can disable security via the agent UI security slide bar.
Agent UI Control: Use the Agent UI rule to control how the agent user interface is displayed to end users. In the absence of this rule, end users have no visible agent UI. If this rule is present in a module, you can select to display the agent UI and one or more controls to the end user. These controls give the user the ability to change certain aspects of their agent security.
Application Control: Use Application control rules to control what applications can run on designated agent systems. This rule type does not control what application can access what resources, as other access control rules do. This rule type can stop selected applications from running on systems. If you deny an application class (in total) in this rule, users cannot use any application in that class. With this rule, you can also prevent an application from running only if that application was invoked by another application you specify. This way, you could prevent a command prompt from running on a system if it is invoked by an application that has downloaded content from the network.
Connection Rate Limit: Use the connection rate limit rule to control the number of network connections that can be sent or received by applications within a specified time frame. This is useful in preventing attacks aimed at bringing down system services, e.g. denial of service attacks (server connection rate limiting). This is also useful in preventing the propagation of denial of service attacks (client connection rate limiting).
Data Access Control: Use data access control rules on Web servers to detect clients making malformed web server requests where such requests could crash or hang the server. A malformed request could also be an attempt by an outside client to retrieve configuration information from the web server or to run exploited code on the server. This rule detects and stops such web server attacks by examining the URI portion of the HTTP request.
File Access Control: Use file access control rules to allow or deny what operations (read, write) selected applications can perform on files. You should understand that file protection encompasses read/write access. Directory protection encompasses directory deletes, renames, and new directory creation.
Network Access Control: Use network access control rules to control access to specified network services and network addresses. You can also use this rule type to listen for applications attempting to offer unknown or not sanctioned services.
Reference:
http://www.cisco.com/en/US/products/sw/secursw/ps5057/
products_configuration_guide_chapter09186a00804
QUESTION 44
Data Access Control Rules are being configured in the Certkiller CSA MC. Which portion of an HTTP request is examined by data access control rules?
A. The TCP header
B. The UDP header
C. The URI portion of the request
D. The URL portion of the request
E. The HTTP payload

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
Use data access control rules on Web servers to detect clients making malformed web server requests where such requests could crash or hang the server. A malformed request could also be an attempt by an outside client to retrieve configuration information from the web server or to run exploited code on the server. This rule detects and stops such web server attacks by examining the URI portion of the HTTP request.
Reference:
http://www.cisco.com/en/US/products/sw/secursw/ps5057/
products_configuration_guide_chapter09186a00805 a
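An illustration of what "examining the URI portion of the HTTP request" (Questions 43 and 44) can mean in practice, as an added Python example that is not part of the original page and is not Cisco's data access control implementation. The request samples are constructed, and the checks (request-line syntax, URI length, encoded NUL bytes, control characters, directory traversal after double percent-decoding) and the 2048-byte length threshold are assumptions chosen for the example:

```python
import re
from urllib.parse import unquote

MAX_URI_LEN = 2048          # assumed threshold; tune per server
REQUEST_LINE_RE = re.compile(r"^([A-Z]+) (\S+) HTTP/(1\.[01])$")


def inspect_request(raw: bytes):
    """Examine the request line of one raw HTTP request and return a list
    of findings about its URI (an empty list means nothing suspicious)."""
    try:
        head = raw.split(b"\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return ["request line contains non-ASCII bytes"]
    m = REQUEST_LINE_RE.match(head)
    if not m:
        return [f"malformed request line: {head[:40]!r}"]
    _method, uri, _version = m.groups()
    findings = []
    if len(uri) > MAX_URI_LEN:
        findings.append(f"URI length {len(uri)} exceeds {MAX_URI_LEN}")
    # Decode twice so that double-encoded sequences such as %252e%252e
    # (-> %2e%2e -> ..) are seen the way the server will eventually see them.
    decoded = unquote(unquote(uri))
    if "\x00" in decoded:
        findings.append("encoded NUL byte in URI")
    elif any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):
        findings.append("control character in decoded URI")
    path = decoded.split("?", 1)[0]
    # Treat backslashes as separators too, since IIS-style servers do.
    if ".." in path.replace("\\", "/").split("/"):
        findings.append("directory traversal ('..') in URI path")
    return findings


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = {
    "benign": b"GET /index.html?id=42 HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "traversal": (b"GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir "
                  b"HTTP/1.0\r\nHost: victim\r\n\r\n"),
    "nul_byte": (b"GET /cgi-bin/view.cgi?file=/etc/passwd%00.html HTTP/1.1\r\n"
                 b"Host: victim\r\n\r\n"),
    "overlong": b"GET /" + b"A" * 3000 + b" HTTP/1.1\r\nHost: victim\r\n\r\n",
    # Something that is not HTTP at all (bytes resembling a TLS record header)
    "not_http": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03\r\n",
}


def scan_samples():
    """Run every sample through inspect_request; returns {name: findings}."""
    return {name: inspect_request(raw) for name, raw in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(f"{name:10s} -> {findings or 'ok'}")
```

The point of decoding twice is the traversal sample: after a single decode the path still reads `..%5c..%5c`, which a naive check for `..` followed by a separator would miss.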
QUESTION 45
Network access control rules have been implemented in the Certkiller CSA network. What is the purpose of network access control rules?
A. To control access to network services
B. To control access to network addresses
C. To control access to both network services and network addresses
D. To control access to networks
E. None of the above

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
Use network access control rules to control access to specified network services and network addresses.
You can also use this rule type to listen for applications attempting to offer unknown or not sanctioned
services.
Reference:
http://www.cisco.com/en/US/products/sw/secursw/ps5057/
products_configuration_guide_chapter09186a00804

QUESTION 46
Which two of the following file access rule criteria can you use to allow or deny the operations that the selected applications can perform on files within the Certkiller network? (Choose two)
A. The application attempting to access the file
B. The application attempting to access the service or address
C. The operation attempting to act on the file
D. The direction of the communications
E. The address with which a system is attempting to communicate

Correct Answer: AC Section: (none) Explanation
Explanation/Reference:
Explanation:
Use file access control rules to allow or deny what operations (read, write) selected applications can
perform on files. You should understand that file protection encompasses read/write access. Directory
protection encompasses directory deletes, renames, and new directory creation.
Reference:
http://www.cisco.com/en/US/products/sw/secursw/ps5057/
products_configuration_guide_chapter09186a00805 a

QUESTION 47
Network access rules have been implemented in the Certkiller CSA network. Which two of the following network access rule criteria can you use to control access to specified network services? (Choose two)
A. The application attempting to access the file
B. The application attempting to access the service or address
C. The operation attempting to act on the file
D. The direction of the communications

Correct Answer: BD Section: (none) Explanation
Explanation/Reference:
Explanation:
Use network access control rules to control access to specified network services and network addresses.
You can also use this rule type to listen for applications attempting to offer unknown or not sanctioned
services.
From the pulldown menu in the CSA MC, select server, client, client or server, or listener, depending on the direction or type of connection you are controlling or listening for. Select one or more preconfigured application classes to indicate the application(s) whose access to the listed services and addresses you want to control.
Reference:
http://www.cisco.com/en/US/products/sw/secursw/ps5057/
products_configuration_guide_chapter09186a00805 a
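How the pieces named in Questions 42, 46 and 47 fit together, namely variables, application classes and actions, with rules selected by the application and the operation (for files) or by the application, direction, address and service (for network connections), as an added Python example. This is an illustration written for this page, not CSA MC code; the variable and class names, the sample policy and the simplified "any matching deny wins, otherwise allow" precedence are assumptions:

```python
import fnmatch
import ipaddress
from dataclasses import dataclass

# Variables: named sets referenced by rules, so a change made here is
# picked up by every rule that uses the set. (Constructed sample data.)
FILE_SETS = {
    "$System Files": ["/etc/*", "/usr/bin/*"],
    "$Temp Files": ["/tmp/*"],
}
ADDRESS_SETS = {
    "$Internal Networks": ["10.0.0.0/8", "192.168.0.0/16"],
}

# Application classes: processes grouped by executable name pattern.
APP_CLASSES = {
    "<All Applications>": ["*"],
    "Network Applications": ["httpd", "sshd", "firefox"],
    "Command Shells": ["bash", "sh", "cmd.exe"],
}


@dataclass
class FileRule:
    app_class: str
    operations: frozenset   # subset of {"read", "write"}
    file_set: str
    action: str             # "allow" or "deny"


@dataclass
class NetworkRule:
    app_class: str
    direction: str          # "client" (outbound) or "server" (inbound)
    address_set: str
    ports: range            # the "service" criterion
    action: str


def app_in_class(process, app_class):
    return any(fnmatch.fnmatch(process, pat) for pat in APP_CLASSES[app_class])


def file_in_set(path, file_set):
    return any(fnmatch.fnmatch(path, pat) for pat in FILE_SETS[file_set])


def addr_in_set(addr, address_set):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net) for net in ADDRESS_SETS[address_set])


def decide(matched):
    """Assumed precedence: any matching deny wins; otherwise allow.
    (CSA's real priority ordering is richer than this.)"""
    return "deny" if any(r.action == "deny" for r in matched) else "allow"


def evaluate_file(rules, process, operation, path):
    """File access control: the application and the operation select the rule."""
    return decide([r for r in rules
                   if app_in_class(process, r.app_class)
                   and operation in r.operations
                   and file_in_set(path, r.file_set)])


def evaluate_network(rules, process, direction, addr, port):
    """Network access control: application, direction, address and service."""
    return decide([r for r in rules
                   if app_in_class(process, r.app_class)
                   and r.direction == direction
                   and addr_in_set(addr, r.address_set)
                   and port in r.ports])


# A small constructed policy.
FILE_RULES = [
    FileRule("<All Applications>", frozenset({"read"}), "$System Files", "allow"),
    FileRule("Network Applications", frozenset({"write"}), "$System Files", "deny"),
    FileRule("Command Shells", frozenset({"read", "write"}), "$Temp Files", "allow"),
]
NETWORK_RULES = [
    NetworkRule("Network Applications", "server", "$Internal Networks", range(1, 1024), "allow"),
    NetworkRule("Command Shells", "client", "$Internal Networks", range(1, 65536), "deny"),
]


def demo():
    """Evaluate a few constructed access events against the sample policy."""
    return {
        "httpd writes /etc/passwd": evaluate_file(FILE_RULES, "httpd", "write", "/etc/passwd"),
        "httpd reads /etc/hosts": evaluate_file(FILE_RULES, "httpd", "read", "/etc/hosts"),
        "bash connects out to 10.1.2.3:443": evaluate_network(NETWORK_RULES, "bash", "client", "10.1.2.3", 443),
        "httpd serves 192.168.1.5 on 80": evaluate_network(NETWORK_RULES, "httpd", "server", "192.168.1.5", 80),
    }


if __name__ == "__main__":
    for event, verdict in demo().items():
        print(f"{verdict:5s}  {event}")
```

Note the default when nothing matches: the example allows, which is convenient while writing policy but is the wrong place to stop. A deployed policy would end with a catch-all deny (or query) rule so that an unlisted application touching a protected resource is not silently permitted.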

QUESTION 48
CSA rules need to be applied to the Certkiller Windows stations. Which two types of rules apply to Windows systems only? (Choose two)
A. Agent service control rules
B. Clipboard access control rules
C. Agent UI control rules
D. COM component access control rules
E. Data access control rules

Correct Answer: BD Section: (none) Explanation
Explanation/Reference:
Explanation:
Windows Only Rules: The following rules are only available for Windows Rule Modules.
Clipboard Access Control: Use the clipboard access control rule to dictate which applications can access information that is written to the clipboard. When writing security policies, you may want to protect information from being accessed by other applications or network processes. To fully protect this information, you must consider preventing other applications from accessing protected information that may have been written to the clipboard.
COM Component Access Control: Use COM component access control rules to allow or deny applications from accessing specified COM components. COM is the Microsoft Component Object Model, the technology that allows objects to interact across process and machine boundaries as easily as within a single process. Each of the Microsoft Office applications (Word, Excel, PowerPoint, etc.) exposes an "Application" COM component which can be used to create macros or utility scripts. While this is useful functionality, it can be used maliciously by an inadvertently downloaded Visual Basic script.
File Version Control: Use the File version control rule to control the software versions of applications users can run on their systems. For example, if there is a known security hole in one or more versions of a particular application, this rule would prevent those specific versions from running, but would allow any versions not included in this rule to run unimpeded.
Kernel Protection: Use the Kernel protection rule to prevent unauthorized access to the operating system. In effect, this rule prevents drivers from dynamically loading after system startup. You can specify exceptions to this rule for authorized drivers that you are allowing to load any time after the system is finished booting.
NT Event Log: Use the NT Event log rule to have specified NT Event Log items appear in the CSA MC Event Log for selected groups.
Registry Access Control: Use registry access control rules to allow or deny applications from writing to specified registry keys.
Service Restart: Use the Service restart rule to have the agent restart Windows NT services that have gone down on a system or are simply not responding to service requests.
Sniffer and Protocol Detection: Use the Sniffer and protocol detection rule to cause an event to be logged when non-IP protocols and packet sniffer programs are detected running on systems.
Reference:
http://www.cisco.com/en/US/products/sw/secursw/ps5057/
products_configuration_guide_chapter09186a00804
QUESTION 49
Many of the Certkiller workstations are UNIX based and CSA rules need to be created for them. Which two types of rules are UNIX-only rules?
A. Network interface control rules
B. COM component access control rules
C. Connection rate limit rules
D. File access control rules
E. Rootkit/kernel protection rules

Correct Answer: AE Section: (none) Explanation
Explanation/Reference:
Explanation:
UNIX Only Rules: The following rules are only available for UNIX Rule Modules.
Network Interface Control: Use the Network interface control rule to specify whether applications can open a device and act as a sniffer (promiscuous mode). A packet sniffer is a program that monitors and analyzes network traffic. Using this information, a network manager can troubleshoot network problems. A sniffer can also be used illegitimately to capture data being transmitted on a network. Sensitive information such as login names and passwords can be extracted from this data and used to break into systems.
Resource Access Control: Use the Resource access control rule to protect systems from symbolic link attacks. In this type of attack, an attacker attempts to determine the name of a temporary file prior to its creation by a known application. If the name is determined correctly, the attacker can create a symbolic link from that name to a target file for which the user of the application has write permissions. When the application writes its temporary file, it follows the link and overwrites the contents of the target file with its own output.
Rootkit/Kernel Protection: Use the Rootkit / kernel protection rule to control unauthorized access to the operating system. In effect, this rule controls drivers attempting to dynamically load after boot time. You can use this rule to specify authorized drivers that you are allowing to load any time after the system is finished booting.
Syslog Control: Use the Syslog control rule to have specified Solaris and Linux Syslog items appear in the CSA MC Event Log for selected groups.
Reference:
http://www.cisco.com/en/US/products/sw/secursw/ps5057/
products_configuration_guide_chapter09186a00804
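The symbolic link attack that the Resource access control rule is described as protecting against, played out as an added Python example (illustrative code for this page, not Cisco's): a vulnerable writer that opens a predictable temporary file name with plain open(), next to a hardened one that uses O_CREAT|O_EXCL|O_NOFOLLOW. The directory, file names and contents are constructed, and the attacker is assumed to have already won the race by planting the link before the victim writes:

```python
import os
import tempfile


def vulnerable_write(path, data):
    """Writes to a predictable name with plain open(): if an attacker has
    planted a symlink at `path`, the write follows it and overwrites the
    link's target instead of creating a new file."""
    with open(path, "w") as f:
        f.write(data)


def safe_write(path, data):
    """O_CREAT|O_EXCL makes the open fail if anything, including a symlink,
    already exists at `path`; O_NOFOLLOW (where the platform has it) refuses
    to follow a symlink at all; mode 0600 keeps other users out of the file."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def run_scenario(writer):
    """Play out the race with the attacker already ahead. Returns
    (contents of the target file afterwards, name of the error raised by
    `writer`, or None). Everything lives in a fresh temporary directory
    which is removed again at the end."""
    workdir = tempfile.mkdtemp()
    target = os.path.join(workdir, "important.conf")   # victim's protected file
    with open(target, "w") as f:
        f.write("original config\n")
    temp_name = os.path.join(workdir, "app.12345")     # guessable temp name
    os.symlink(target, temp_name)                       # attacker's move
    error = None
    try:
        writer(temp_name, "attacker-influenced output\n")   # victim's move
    except OSError as exc:
        error = type(exc).__name__
    with open(target) as f:
        after = f.read()
    for p in (temp_name, target):
        if os.path.lexists(p):
            os.unlink(p)
    os.rmdir(workdir)
    return after, error


if __name__ == "__main__":
    print("vulnerable:", run_scenario(vulnerable_write))
    print("hardened:  ", run_scenario(safe_write))
```

The hardened open is what tempfile.mkstemp() does under the hood, with an unpredictable name on top. The CSA rule is the host-side backstop for applications that were written the vulnerable way and cannot be fixed: it can deny the write when a process tries to follow a link it did not create.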

QUESTION 50
The Rootkit/kernel protection rule is being utilized in the Certkiller CSA network. What is the purpose of this rootkit/kernel protection rule?
A. To restrict access to the operating system
B. To log access to the operating system
C. To restrict user access to the operating system
D. To restrict administrator access to the operating system
E. All of the above

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:
Use the Rootkit / kernel protection rule to control unauthorized access to the operating system. In effect, this rule controls drivers attempting to dynamically load after boot time. You can use this rule to specify authorized drivers that you are allowing to load any time after the system is finished booting.
Reference:
http://www.cisco.com/en/US/products/sw/secursw/ps5057/
products_configuration_guide_chapter09186a00805 a

QUESTION 51
The Certkiller CSA network utilizes the network interface control rule. What is the purpose of this rule?
A. To prevent applications from opening devices and acting as a sniffer
B. To provide protocol stack hardening rules
C. To prevent users from opening devices that can act as a sniffer
D. To provide filtering of undesired traffic at the network interface level
E. None of the above

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:
Use the Network interface control rule to specify whether applications can open a device and act as a sniffer (promiscuous mode). A packet sniffer is a program that monitors and analyzes network traffic. Using this information, a network manager can troubleshoot network problems. A sniffer can also be used illegitimately to capture data being transmitted on a network. Sensitive information such as login names and passwords can be extracted from this data and used to break into systems.
Reference:
http://www.cisco.com/en/US/products/sw/secursw/ps5057/
products_configuration_guide_chapter09186a00804
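A host-side check for what the Sniffer and protocol detection rule (Question 38) and the Network interface control rule (Question 51) look for, as an added Python example for Linux that is not part of the original page and not Cisco's agent code. It reads the PROMISC flag from `ip -o link show` output and the AF_PACKET sockets listed in /proc/net/packet (a SOCK_RAW socket bound to ETH_P_ALL is what libpcap-based sniffers such as tcpdump open). Both inputs below are constructed samples, and the IPX/AppleTalk ethertype table is an assumption standing in for the "non-IP protocols" of the Windows rule:

```python
import re

SOCK_RAW = 3            # socket type value for raw packet sockets
ETH_P_ALL = 0x0003      # "every protocol": what sniffers bind to
NON_IP_ETHERTYPES = {0x8137: "IPX", 0x809B: "AppleTalk"}   # assumed table

LINK_RE = re.compile(r"^(\d+): ([^:@]+)(?:@\S+)?: <([^>]*)>")


def parse_links(ip_link_output):
    """Parse `ip -o link show` output into {ifindex: (name, set_of_flags)}."""
    links = {}
    for line in ip_link_output.splitlines():
        m = LINK_RE.match(line)
        if m:
            links[int(m.group(1))] = (m.group(2), set(m.group(3).split(",")))
    return links


def parse_packet_sockets(proc_net_packet):
    """Parse /proc/net/packet: one AF_PACKET socket per line after the
    header (columns: sk RefCnt Type Proto Iface R Rmem User Inode)."""
    sockets = []
    for line in proc_net_packet.strip().splitlines()[1:]:
        fields = line.split()
        if len(fields) < 9:
            continue
        sockets.append({
            "type": int(fields[2]),
            "proto": int(fields[3], 16),   # bound ethertype, printed in hex
            "ifindex": int(fields[4]),     # 0 = not bound to one interface
            "uid": int(fields[7]),
            "inode": int(fields[8]),
        })
    return sockets


def sniffer_events(ip_link_output, proc_net_packet):
    """Correlate both sources and return the events a monitoring rule would log."""
    events = []
    links = parse_links(ip_link_output)
    for idx, (name, flags) in links.items():
        if "PROMISC" in flags:
            events.append(f"interface {name} (ifindex {idx}) is in promiscuous mode")
    for s in parse_packet_sockets(proc_net_packet):
        if s["ifindex"] == 0:
            where = "all interfaces"
        else:
            where = links.get(s["ifindex"], (f"ifindex {s['ifindex']}",))[0]
        if s["type"] == SOCK_RAW and s["proto"] == ETH_P_ALL:
            events.append(f"raw AF_PACKET socket capturing ETH_P_ALL on {where} "
                          f"(uid {s['uid']}, socket inode {s['inode']})")
        elif s["proto"] in NON_IP_ETHERTYPES:
            events.append(f"AF_PACKET socket bound to non-IP protocol "
                          f"{NON_IP_ETHERTYPES[s['proto']]} (0x{s['proto']:04x}) "
                          f"on {where} (uid {s['uid']}, socket inode {s['inode']})")
    return events


# Constructed sample of `ip -o link show` (eth0 has PROMISC set).
IP_LINK_SAMPLE = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\\    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\\    link/ether 52:54:00:ab:cd:ef brd ff:ff:ff:ff:ff:ff
"""

# Constructed sample of /proc/net/packet: a root sniffer on eth0, a DHCP-style
# SOCK_DGRAM socket for IP only, and an IPX socket owned by uid 1000 on eth1.
PROC_NET_PACKET_SAMPLE = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a6b3c1e2000 3      3    0003   2     1 0      0      45678
ffff9a6b3c1e2800 3      2    0800   0     1 0      0      45690
ffff9a6b3c1e3000 3      3    8137   3     1 0      1000   45702
"""

if __name__ == "__main__":
    for event in sniffer_events(IP_LINK_SAMPLE, PROC_NET_PACKET_SAMPLE):
        print("EVENT:", event)
```

To run it live, replace the samples with the output of `ip -o link show` and the contents of /proc/net/packet, and map a socket inode to its process by scanning /proc/<pid>/fd for `socket:[inode]` links. Unlike the CSA rule on UNIX, this only detects after the fact; preventing the open requires a kernel-level hook.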
QUESTION 52
The Agent UI rule is used to control how the agent user interface is displayed to end users. What action is taken on user query windows when the Agent UI is not present on a system?
A. The default action is always taken
B. All actions are denied
C. All actions are allowed
D. All actions are allowed and logged
E. None of the above

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:
When there is no agent UI present, no query user pop-up boxes are displayed. The default action is immediately taken on all query user rules and heuristics that are present in the assigned policies. (Note that this does not apply to cases where the end user manually exits the agent UI. Only the administrator-controlled agent UI rule can affect query pop-up displays on the end user system.)
Reference:
http://www.cisco.com/en/US/products/sw/secursw/ps5057/
products_configuration_guide_chapter09186a00805 a

QUESTION 53
The system API rule is being used in the Certkiller CSA network. For which operating system is the system API control rule available?
A. OS2
B. Windows
C. Linux
D. Solaris
E. None of the above.

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
The System API control rule detects several forms of malicious programming code that is installed on a system by an unsuspecting user, either thinking that he or she is running some other type of program, or as a result of some other activity such as reading an attachment to an email message. Once installed, these malicious programs (for example, Trojans) may allow others to access and virtually take over a system across the network. Other errant programs may be set up to automatically send mail messages or other types of network traffic (including system passwords) while the system owner is unaware of what is occurring.
Note: The System API control rule is available only for Windows rule modules; it is not available for UNIX policies.
Reference:
http://www.cisco.com/en/US/products/sw/secursw/ps5057/
products_configuration_guide_chapter09186a00805 a
QUESTION 54
New rules were applied to a Certkiller workstation, but the station has not yet been rebooted. Which rules will not be enforced if you fail to reboot a Windows system following installation of the CSA?
A. Network access control rules
B. Buffer overflow rules
C. COM component access control rules
D. Network shield rules
E. None of the above

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
If a system is not rebooted following the agent installation, the following functionality is not immediately
available. (This functionality becomes available the next time the system is rebooted.)
Windows agents:
Network Shield rules are not applied until the system is rebooted. Network access control rules only apply
to new socket connections. Network server services should be stopped and restarted for full network
access control security without a system reboot.
Data access control rules are not applied until the web server service is restarted.
Reference:
http://www.cisco.com/en/US/products/sw/secursw/ps5057/
products_installation_guide_chapter09186a00805ae b

QUESTION 55
The network shield rule is being applied to devices within the Certkiller CSA network. For which operating system is the network shield rule available?
A. OS2
B. Windows
C. Linux
D. Solaris
E. None of the above

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
The Network shield rule provides network protocol stack hardening capabilities. The features available
here require that the network shim be enabled on an agent system. If the network shim is not enabled,
these rules have no effect when applied. This rule only applies to Windows based operating systems.
Reference:
http://www.cisco.com/en/US/products/sw/secursw/ps5057/
products_configuration_guide_chapter09186a00804

QUESTION 56
Numerous UNIX stations exist on the Certkiller LAN that have been prone to buffer overflow attacks. Which three of these does the buffer overflow rule detect on a UNIX operating system, based on the type of memory space involved? (Choose three)
A. Location space
B. Stack space
C. Slot space
D. Data space
E. Heap space
F. File space

Correct Answer: BDE Section: (none) Explanation
Explanation/Reference:
Explanation:
A buffer overflow is what happens when two conditions are met. Firstly, an application is coded in a manner such that it trusts that all users of that application will provide the application with reasonable and expected data. Secondly, the application is provided larger quantities of data than it is capable of correctly handling. When these events come together, an application can behave in unexpected and unintentional ways. For applications with special privileges, this can result in external users gaining access to machine resources and privileges which they normally would not be able to acquire. In other words, a hostile, network-based attack on a privileged, trusted application via buffer overflows can result in undesirable parties gaining access to your system.
In the case of UNIX operating systems, there are three distinct types of buffer overruns which can occur, based upon the type of memory space involved: stack, data, and heap.
Stack space is used to store data and information which is local to the piece of code currently being
executed in an application, and contains stored away control flow information for the application.
Data space is used to store data with fixed sizes which needs to be shared among different parts of an
application. Often, content in data space has been given initial values.
Heap space is dynamically given out to applications, with the intent that it is relatively short-lived, of varying
size based upon the input datasets, and is frequently visible to numerous sub-components of an
application.
Note:
This rule is UNIX specific. Some corresponding Windows functionality is available from the System API
control rule page.
Reference:
http://www.cisco.com/en/US/products/sw/secursw/ps5057/
products_configuration_guide_chapter09186a00804

QUESTION 57
The Certkiller security administrator is viewing investigation reports generated by the CSA MC. When should you use preconfigured application classes for application deployment investigation?
A. Never
B. Always
C. Only for specific applications
D. Only when applications require detailed analysis

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:
Application Deployment Investigation consists mainly of the reporting capabilities it provides once all the data is collected. You can organize the gathered data in various manners to provide information on how your enterprise operates, the resources that are accessed, resource and application usage time frames, and a great deal more. In turn, this data can inform the crafting of your policies while you create a more secure environment for all your users to operate within.
While you cannot configure what types of information you collect using deployment investigation (including the use of preconfigured application classes), you can organize the information that is gathered in various ways.
Reference:
http://www.cisco.com/en/US/products/sw/secursw/ps5057/ products_configuration_guide_chapter09186a00804

QUESTION 58
In the Certkiller Management Center, network address sets need to be configured. In which type of rules are network address sets used?
A. COM component access control rules
B. Connection rate limit rules
C. Network access control rules
D. File control rules
E. File access control rules

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
Network Address Sets

Configure network address sets for use in network access control rules to impose restrictions on specified
IP addresses or a range of addresses. Once configured, you can simply enter the name of the address set
in any network access control rules you create.
Reference:
http://www.cisco.com/en/US/products/sw/secursw/ps5057/
products_configuration_guide_chapter09186a00804

QUESTION 59
The Certkiller security manager has configured file sets for use in the Certkiller CSA network. In which type of rules are file sets used?
A. COM component access control rules
B. Resource access control rules
C. File version control rules
D. File access control rules
E. All of the above

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
Configure file sets for use in file access control rules and application classes. File sets are groupings of
individual files and directories under one common name. This name is then used in rules that control
directory and file permissions and restrictions. All the parameters that exist under that name are then
applied to the rule where the name is used.
Reference:
http://www.cisco.com/en/US/products/sw/secursw/ps5057/
products_configuration_guide_chapter09186a00805 a

QUESTION 60
Agent kits are being built on the Certkiller MC to be installed on user stations. What can you optionally install when you choose the Quiet Install option when creating a new Windows Agent kit?
A. The Agent kit shim
B. The protocol shim
C. The network shim
D. The policy shim
E. All of the above

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
In some circumstances, you may not want users to enable the network shim on their systems as part of the agent installation. (Note that the network shim is not optional on UNIX systems.) For example, if users have VPN software or a personal firewall installed on their systems, the network shim’s Portscan detection, SYN flood protection, and malformed packet detection capabilities may be in conflict with VPNs and personal firewalls. (There are no conflicts with the Cisco VPN client.)
If you check the Quiet install checkbox when you make kits, you can also select whether the network shim is installed as part of the Quiet install process. To allow users to select whether or not to install the network shim themselves, you would create kits as non-quiet installations. (Do not select the Quiet install checkbox.) This way, users are prompted to enable the network shim during the agent installation.

QUESTION 61
In the Certkiller CSA network, variables are used in the rule sets. Which of the following are types of variables used for CSA? (Choose three)
A. Global sets
B. File sets
C. API sets
D. Data sets
E. Network address sets

Correct Answer: BDE Section: (none) Explanation
Explanation/Reference:
Explanation:
The diagram below displays how variables relate to access control rules. In the diagram, variables (Event
Sets, Query Settings, File Sets, Network Address Sets, Network Services, Registry Sets, COM Component
Sets, and Data Sets) are shown on the left and the rule types they can be applied to are shown on the
right.
Variable Use in Rules:
Note:
Using variables is optional (note that Application Classes are included in this diagram, but they are not
optional). Nearly all the information used in variable configurations can also be entered directly into
corresponding rule configuration fields. Variables are simply a tool meant to simplify the creation of rules,
especially if the same configurations are used in multiple rules.
Reference:
http://www.cisco.com/en/US/products/sw/secursw/ps5057/
products_configuration_guide_chapter09186a00805 a

QUESTION 62
Access Control rules are being configured for use in the Certkiller CSA network so that query user options can be used. Which operating system does not allow Query User options?
A. OS2
B. Windows
C. Linux
D. Solaris
E. HPUX

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
When you create access control rules, beyond simply allowing or denying a specific action, you can select to query the user when an action triggers the rule in question. The user can then decide to allow the action, deny it, or terminate the process at that time. When you select to query the user, you are also crafting explanation text to display to the user and whether to allow, deny, or terminate the action by default if the query is not answered within 5 minutes. If the user is not logged in to the system, the default action is taken immediately.
Query configurations are a Variable setting which allows you to decide which radio button options are displayed in the pop-up query box, which action is the default, whether the answer given by the user is to be remembered, and what the query text to be displayed will be. For a Query setting, the response to the query is relevant to the question, not the resource. For example, if a File access control rule queries the user for a response and that identical query is also configured for a Network access control rule, the user is not queried again when the Network access control rule triggers. The query response from the previous File access control rule is automatically taken.
Note: For Solaris rules, Query user options are not available. Instead, the default action is immediately taken. For Windows and Linux agents, agent settings (including user queries) are configurable by the administrator. If the agent UI is hidden for the group, there are no query user pop-up boxes displayed. The default is immediately taken on all query user rules and heuristics that are present in the assigned policies.
Reference:
http://www.cisco.com/en/US/products/sw/secursw/ps5057/ products_configuration_guide_chapter09186a00804

QUESTION 63
The Certkiller security administrator is viewing the audit trail in the CSA MC. What is the purpose of the Audit Trail function?
A. To generate a report listing events matching certain criteria, sorted by event severity
B. To generate a report listing events matching certain criteria, sorted by group
C. To generate a report showing detailed information for selected groups
D. To display a detailed history of configuration changes
E. None of the above

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
Accessible from the Reports drop-down list in the menu bar, the Audit Trail page displays a list of changes
administrators have made to the CSA MC database. These changes are displayed according to the
following information:
The change itself.
The type of change (configuration category: policies, file sets, groups, and so on).
The date and time the change was made.
The administrator who made the change.
Click the Change Filter link to edit the audit trail viewing parameters according to the following:
Start date (enter date parameters using the same formats as in the Event Log).
End date.
The administrator who made the changes.
The change type (configuration category: policies, file sets, groups, and so on).
The number of changes to display per viewing page.
Reference:
http://www.cisco.com/en/US/products/sw/secursw/ps5057/
products_configuration_guide_chapter09186a00805 a

QUESTION 64
The Certkiller security Administrator wants to view the most recent events on the CSA MC. Which view within the CSA MC allows users to see a continuously refreshed view of the most recently logged event records?
A. Event Log
B. Event Monitor
C. Event Sets
D. Event Alerts
E. None of the above

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
Similar to the Event Log, the Event Monitor, available from the Events category in the menu bar, lets you view system events provided by registered agents according to designated severity levels, and the host that generated the event. You can also enter the number of events to be displayed (the default value is the last 50 events). Click the Change link to access a pop-up window from which you can edit these values and change the event filter.
Unlike the Event Log page, the Event Monitor page automatically refreshes itself at set intervals. The event list is updated with the latest events each time the page refreshes. The footer of this page provides a Refresh button and a Pause button. Use the Refresh button to refresh the page immediately without waiting for the set refresh interval to occur. Use the Pause button to immediately stop the page from refreshing. The set refresh interval will then stop at wherever it is in the countdown. This pause feature is useful when you are testing policies and you want to mark a certain place as a starting point for receiving new events. When you click it, the Pause button becomes a Resume button.
Reference:
http://www.cisco.com/en/US/products/sw/secursw/ps5057/ products_configuration_guide_chapter09186a00805 a

QUESTION 65
The Certkiller security administrator is viewing the log files in the CSA MC. Which information is logged for file access control rules?
A. Port and direction
B. Registry key
C. Process path
D. PROGID/CLSID
E. All of the above

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
The CSA MC Event Log does not contain every occurrence of an event from a system. Duplicate events
are not logged for an hour after the first occurrence. The following information is logged for each rule type.
File access control logging: process path, file names and file operation are logged.
Network access control logging: process path, network address, port and direction are logged.
Registry access control logging: process path and registry key are logged.
COM component access control logging: process path and COM component PROGID/CLSID are logged.
Reference:
http://www.cisco.com/en/US/products/sw/secursw/ps5057/
products_configuration_guide_chapter09186a00805 a

QUESTION 66
The Certkiller security administrator is viewing the logs in the CSA MC. What information is logged for registry access control?
A. Port and direction
B. Registry key
C. Registry access events
D. PROGID/CLSID
E. All of the above

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
How Logging Works:
The CSA MC Event Log does not contain every occurrence of an event from a system. Duplicate events
are not logged for an hour after the first occurrence. The following information is logged for each rule type.
File access control logging: process path, file names and file operation are logged.
Network access control logging: process path, network address, port and direction are logged.
Registry access control logging: process path and registry key are logged.
COM component access control logging: process path and COM component PROGID/CLSID are logged.
A duplicate event is defined as follows:
For file access controls, the name of the application and the file being accessed are the same.
For network access controls, the name of the application, the remote address, and the network service
port are the same.
For registry access controls, the name of the application and the registry key name and value name are
the same.
For COM component access controls, the name of the application and the COM component PROGID or
CLSID are the same.
Reference:
http://www.cisco.com/en/US/products/sw/secursw/ps5057/
products_configuration_guide_chapter09186a00804
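The one-hour duplicate suppression described in Questions 65 and 66, modelled as an added Python example that is not part of the original page or of CSA itself; the event dictionary layout and field names (application, path, remote_addr, port, key, value, progid_clsid) are assumptions made for the example, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# The explanation states that duplicates are not logged for an hour after
# the first occurrence.
SUPPRESSION_WINDOW = timedelta(hours=1)


def duplicate_key(event: dict) -> tuple:
    """Return the tuple that defines a 'duplicate' for each rule type.

    Field names are assumed for this example; a real agent's event
    schema may differ.
    """
    rule = event["rule_type"]
    if rule == "file":
        # same application and same file being accessed (operation ignored)
        return (rule, event["application"], event["path"])
    if rule == "network":
        # same application, remote address and network service port
        return (rule, event["application"], event["remote_addr"], event["port"])
    if rule == "registry":
        # same application, registry key name and value name
        return (rule, event["application"], event["key"], event["value"])
    if rule == "com":
        # same application and COM component PROGID or CLSID
        return (rule, event["application"], event["progid_clsid"])
    raise ValueError(f"unknown rule type: {rule}")


class EventLog:
    """Minimal model of the MC event log's per-rule-type duplicate suppression."""

    def __init__(self) -> None:
        self._first_seen: dict[tuple, datetime] = {}
        self.entries: list[dict] = []

    def record(self, event: dict, when: datetime) -> bool:
        """Log the event and return True, or return False if it is suppressed."""
        key = duplicate_key(event)
        first = self._first_seen.get(key)
        if first is not None and when - first < SUPPRESSION_WINDOW:
            return False  # duplicate within the hour: dropped
        # Never seen, or the hour since the first occurrence has elapsed:
        # log it and start a fresh window from this occurrence.
        self._first_seen[key] = when
        self.entries.append({**event, "time": when})
        return True


def replay(events: list) -> list:
    """Feed (timestamp, event) pairs through a fresh log; return the logged flags."""
    log = EventLog()
    return [log.record(ev, ts) for ts, ev in events]


# Constructed sample events (not real agent output).
T0 = datetime(2024, 1, 1, 9, 0, 0)
APP = "C:\\app\\editor.exe"
SAMPLE_EVENTS = [
    (T0, {"rule_type": "file", "application": APP, "path": "C:\\secret\\notes.txt", "operation": "read"}),
    # same application and file, different operation: still a duplicate
    (T0 + timedelta(minutes=5), {"rule_type": "file", "application": APP, "path": "C:\\secret\\notes.txt", "operation": "write"}),
    # different file: logged
    (T0 + timedelta(minutes=6), {"rule_type": "file", "application": APP, "path": "C:\\secret\\other.txt", "operation": "read"}),
    # network: same application, address and port inside the hour: second one suppressed
    (T0 + timedelta(minutes=10), {"rule_type": "network", "application": APP, "remote_addr": "192.0.2.10", "port": 445}),
    (T0 + timedelta(minutes=20), {"rule_type": "network", "application": APP, "remote_addr": "192.0.2.10", "port": 445}),
    # the first file event again after the hour has passed: logged again
    (T0 + timedelta(hours=1, minutes=1), {"rule_type": "file", "application": APP, "path": "C:\\secret\\notes.txt", "operation": "read"}),
]

if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS))  # [True, False, True, True, False, True]
```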

QUESTION 67
The Certkiller CSA MC administrator wants to log all of the deny actions. When you choose the Log All Deny Actions option within a group, how are deny actions logged?
A. Deny actions are logged every 5 minutes
B. Deny actions are logged every 10 minutes
C. Every deny action is logged regardless of the specific rule settings
D. Only those deny actions that are configured within specific rules are logged
E. None of the above

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
Enable Log all deny actions to turn on logging for all deny rules running on hosts within the group
regardless of the individual rule settings for the policy attached to the group. You may wish to use this
feature to turn on all deny logging for diagnostic purposes.
Reference:
http://www.cisco.com/en/US/products/sw/secursw/ps5057/
products_configuration_guide_chapter09186a00804

QUESTION 68
The Certkiller security administrator needs to view specific events in the CSA MC. Which view within the CSA MC allows users to see a view of event records based on filtering criteria such as time and severity?
A. Event Summary
B. Event Log
C. Event Monitor
D. Event Sets
E. Event Alerts

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
The Event Log view, available from the Events category in the menu bar, lets you view system events
provided by registered agents according to designated time frames, event severity levels, and the system
that generated the event. The information displayed at the top of the Event Log page (controlled by the
settings in the Change Filter window, see next section) tells you the following:
Filter by eventset: This displays the name of the Event Set, if any, used to filter the event log view.
Or define a filter with the following parameters:
Time range: This is the current time range set for the event log filter.
Severity: This is the current minimum and maximum severity range set for the event log filter.
Host: This displays which hosts have generated the events viewable in the event log (set as part of the filter).
Rule Module: From the pulldown list, select a rule module to search for events generated by that module.
Rule ID: Enter the ID number for a rule to search for events generated by that rule.
Events per page: This is the current value set for the number of events displayed on each page of the event log (set as part of the filter).
Filter text: Enter a text string here to either include or exclude in your event message search.
Filter out similar events: When event filtering is enabled (it’s enabled by default), the event log displays an aggregation of events.
Reference:
http://www.cisco.com/en/US/products/sw/secursw/ps5057/
products_configuration_guide_chapter09186a00805 a

QUESTION 69
The Certkiller security administrator wants to view CSA events in the MC. Which view within the CSA MC allows users to see overall system status information, including a summary of recorded events, agent configuration, and activity?
A. Status Summary
B. Event Log
C. Event Monitor
D. Event Sets
E. Alerts
F. None of the above

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:
Status Summary
When you first log in, the Status Summary view appears. This page supplies overall system summary information including recorded events and agent rule versions. You can access this page at any time by selecting it from the Events category in the menu bar. The various summary categories available from this page are as follows.
Network Status
By default, items in the Network Status category do not appear in the list if their number is 0. Simply expand the Network Status view to see all available status items. The status items listed here generally have to do with overall host statistics such as hosts that are not running with up-to-date software versions or the latest rule programs. You can view the number of hosts running in test mode or learn mode, etc. Additionally, the numbers that appear in this status section are clickable and take you to a list of the hosts that comprise that number.
Most Active
Use the links available in the Most Active section to view the Hosts, Rules, Applications, or Rule/Application pairs that have been the most active or triggered the most (logged the most events to the MC).
This information is useful to help you tune your policies for rules that are being tripped too often. This can
also alert you to common unwanted occurrences that may be triggering across your enterprise.
Additionally, you can purge the events that appear in these lists.
Event Counts Per Day
A colored graph displays the event log according to severity level. Click on a color in the graph to view
logged events of that severity level.
Database Maintenance
If there is an alert present in the Database Maintenance category, we recommend that you access the
Database Maintenance page from Maintenance in the menu bar and shrink the database.
Reference:
http://www.cisco.com/en/US/products/sw/secursw/ps5057/
products_configuration_guide_chapter09186a00805 a

Our material on our site for Cisco 642-513 is exam-oriented, keeping in view the candidates' requirements and level of understanding. Cisco 642-513 materials are in the most popular and easy-to-use PDF version. You can use it on any device, anywhere.