350-701 Sample Questions Answers

Explanation

In this IaaS model, cloud providers offer resources to users/machines that include computers as virtual

machines, raw (block) storage, firewalls, load balancers, and network devices.

Note: Cloud access security broker (CASB) provides visibility and compliance checks, protects data against misuse and exfiltration, and provides threat protections against malware such as ransomware.

Explanation

We choose “Chat and Instant Messaging” category in “URL Category”:

To block certain URLs we need to choose URL Reputation from 6 to 10.

The crypto isakmp key command is used to configure a preshared key for ISAKMP authentication between two peers. The address 0.0.0.0 indicates that the key is valid for any peer address. Therefore, the same command must be entered on hostB with the same password in order to establish the tunnel with hostA. Changing the protocol to ikev2, using a different password, or changing the password to the default will not solve the problem, as they will create a mismatch in the authentication parameters. References:

Dynamic Multipoint VPN Configuration Guide, Cisco IOS Release 15M&T, section “Prerequisites for Dynamic Multipoint VPN (DMVPN)”

DMVPN - Concepts & Configuration, section “DMVPN - What is it?”

DMVPN Hub as the CA Server for the DMVPN Network Configuration Example, section “Prerequisites”

vulnerability is a flaw or gap in the security of a system or network that can be exploited by an attacker to compromise its functionality, integrity, confidentiality, or availability. A vulnerability can exist in the design, implementation, configuration, or operation of a system or network, and can be caused by human errors, software bugs, hardware defects, or environmental factors. A vulnerability can be exploited by an attacker using various methods, such as malware, phishing, brute force, denial-of-service, or injection attacks. A vulnerability can also be exploited by an insider who has legitimate access to the system or network, but abuses their privileges for malicious purposes. A vulnerability can be discovered by security researchers, ethical hackers, or malicious hackers, and can be reported to the vendor or the public for remediation or exploitation. A vulnerability can be mitigated by applying patches, updates, or configuration changes, or by using security tools such as firewalls, antivirus, or encryption.

An exploit is a piece of code, data, or technique that takes advantage of a vulnerability to perform unauthorized or malicious actions on a system or network. An exploit can be used to gain access, escalate privileges, execute commands, steal data, disrupt services, or damage resources. An exploit can be delivered by various means, such as email attachments, web links, removable media, or network packets. An exploit can be developed by security researchers, ethical hackers, or malicious hackers, and can be shared or sold on the dark web or other platforms for testing or attacking purposes. An exploit can be detected by security tools such as intrusion detection systems, antivirus, or anti-exploit software.

The difference between a vulnerability and an exploit is that a vulnerability is a potential weakness that can be exploited, while an exploit is an actual attack that uses a vulnerability. A vulnerability can exist without being exploited, but an exploit cannot exist without a vulnerability. A vulnerability can be fixed or prevented, but an exploit can only be blocked or stopped. References :=

Exploit vs Vulnerability: What’s the Difference? - InfoSec Insights

Difference Between Vulnerability and Exploit - GeeksforGeeks

Exploit vs. Vulnerability: What Is the Difference? - Coralogix

Exploit vs Vulnerability: What’s the Difference? - Cybers Guards

the interface configuration. MAB stands for MAC Authentication Bypass, which is a feature that allows devices that do not support 802.1X, such as printers and video cameras, to bypass the authentication process and gain network access based on their MAC addresses1. By adding mab to the interface configuration, the Cisco ISE administrator can enable MAB as a fallback method after 802.1X fails or times out. This way, the devices that support 802.1X can use their machine certificate credentials, while the devices that do not support 802.1X can use their MAC addresses to authenticate with Cisco ISE2. The other options are not correct because they either compromise the security controls or do not address the problem. Changing the default policy in Cisco ISE to allow all devices not using machine authentication would weaken the security posture and expose the network to unauthorized access. Enabling insecure protocols within Cisco ISE in the allowed protocols configuration would also reduce the security level and increase the risk of attacks. Configuring authentication event fail retry 2 action authorize vlan 41 on the interface would only apply to the devices that fail authentication twice, and would not solve the issue for the devices that do not support 802.1X at all3. References:

1: MAC Authentication Bypass Deployment Guide

2: Configuring MAC Authentication Bypass

3: Cisco Identity Services Engine Administrator Guide, Release 3.1 - Segmentation

EDR stands for endpoint detection and response, while EPP stands for endpoint protection platform. EDR and EPP are two types of endpoint security solutions that have different capabilities and objectives. EDR provides real-time visibility into endpoint activities, detects malicious behavior and anomalies, and enables security teams to investigate and respond to threats. EPP prevents, detects, and remediates security threats on endpoints, such as known and unknown malware, ransomware, and zero-day vulnerabilities. EPP solutions may also include EDR capabilities, but not all EDR solutions include EPP capabilities.

One of the key features of EDR is retrospective analysis, which means the ability to look back at historical endpoint data and identify the root cause, scope, and impact of a security incident. Retrospective analysis helps security teams understand how the threat entered the network, what actions it performed, and how to prevent it from happening again. EPP solutions, on the other hand, do not provide retrospective analysis, as they are mainly focused on preventing and remediating threats, rather than investigating and responding to them.

Therefore, the correct answer is B. Retrospective analysis is a characteristic of an EDR solution and not of an EPP solution.

The service password-encryption command is used to encrypt all passwords in the router configuration file, such as the enable password, the console password, the vty password, and the username password. This command prevents credentials from being seen if the router configuration was compromised, for example, by an attacker who gained access to the router or the backup files. The encryption used by this command is a weak algorithm that can be easily reversed, but it provides some level of protection against casual observers1.

The other commands are not used to encrypt passwords in the router configuration file. The username privilege 15 password and the username password commands are used to create local user accounts with or without administrative privileges, respectively. These commands store the passwords in clear text unless the service password-encryption command is enabled2. The service password-recovery command is used to enable or disable the password recovery mechanism on the router. This command does not affect the encryption of passwords in the configuration file3.

References := 1: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 1: Security Concepts, Lesson 1.2: Securing Network Devices, Topic 1.2.1: Device Hardening, page 1-14. 2: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 1: Security Concepts, Lesson 1.2: Securing Network Devices, Topic 1.2.2: Management Plane Security, page 1-17. 3: Cisco IOS Configuration Fundamentals Command Reference, Release 12.2, Chapter: service password-recovery, page 1.

A network administrator can transparently identify users using Active Directory on the Cisco WSA in two ways:

Create NTLM or Kerberos authentication realm and enable transparent user identification. This option allows the WSA to use the NTLM or Kerberos protocol to authenticate users without prompting them for credentials. The WSA must join the Active Directory domain and have a valid service principal name (SPN) for this option to work1.

Deploy a separate Active Directory agent such as Cisco Context Directory Agent (CDA). This option allows the WSA to receive user-to-IP mappings from the CDA, which monitors the Active Directory domain controllers for user logon events. The CDA must be installed on a Windows server and have access to the domain controllers and the WSA2.

The other options are not ways to transparently identify users using Active Directory on the Cisco WSA. Creating an LDAP authentication realm and disabling transparent user identification will require users to enter their credentials manually. Installing the eDirectory client on each client workstation or deploying a separate eDirectory server are not related to Active Directory, but to Novell eDirectory, which is a different directory service3.

References := 1: User Guide for AsyncOS 11.0 for Cisco Web Security Appliances, Chapter: Acquire End-User Credentials, Topic: Active Directory/Kerberos, page 4-3. 2: User Guide for AsyncOS 11.0 for Cisco Web Security Appliances, Chapter: Acquire End-User Credentials, Topic: Active Directory Agent, page 4-5. 3: User Guide for AsyncOS 11.0 for Cisco Web Security Appliances, Chapter: Acquire End-User Credentials, Topic: eDirectory, page 4-8.

 MFA stands for multi-factor authentication, which is a security method that requires users to provide two or more pieces of evidence to verify their identity before accessing a system. MFA can prevent unauthorized access to the system if a user’s password is compromised, because the attacker would also need to obtain the other factors, such as a one-time code, a biometric scan, or a physical token. MFA can be implemented using various technologies, such as SMS, email, phone call, mobile app, or hardware device. According to Microsoft, adopting MFA can prevent approximately 99.9% of compromised user accounts, significantly bolstering security measures against unauthorized access12. References:

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 6: Secure Network Access and Visibility, Lesson 6.1: Implementing Secure Network Access

350-701 SCOR - Cisco, Exam Topics, 6.1 Implement secure network access

What Is Unauthorized Access? 5 Key Prevention Best Practices - Cynet, Best Practice #3: Implement multi-factor authentication

Unauthorized Access: Top 8 Practices for Detecting and Responding - Ekran System, Best Practice #3: Use multi-factor authentication

 TAXII, short for Trusted Automated eXchange of Intelligence Information, is a protocol that defines how cyber threat information can be shared via services and message exchanges. It is designed specifically to support STIX information, which is a standardized language for expressing and exchanging cyber threat information. TAXII enables organizations to share STIX information by defining an API that aligns with common sharing models, such as hub and spoke, source/subscriber, and peer-to-peer. TAXII also defines four services that allow users to discover, manage, receive, and request STIX information. Therefore, TAXII supports STIX information and determines how threat intelligence information is relayed. TAXII does not determine the “what” of threat intelligence, as that is the role of STIX. TAXII does not allow users to describe threat motivations and abilities, as that is also part of STIX. TAXII does not exchange trusted anomaly intelligence information, as that is a specific type of threat intelligence that may or may not be represented in STIX. References:

What are STIX/TAXII Standards I Resources I Anomali

Cyber Threat Intelligence Technical Committee - GitHub Pages

Explanation

Cisco Email Security Appliance (ESA) protects the email infrastructure and employees who use email at work

by filtering unsolicited and malicious email before it reaches the user. Cisco ESA easily integrates into existing

email infrastructures with a high degree of flexibility. It does this by acting as a Mail Transfer Agent (MTA) within

the email-delivery chain. Another name for an MTA is a mail relay.

Explanation

The HMAC-SHA-1-96 (also known as HMAC-SHA-1) encryption technique is used by IPSec to ensure that a message has not been altered. (-> Therefore answer “integrity” is the best choice). HMAC-SHA-1 uses the SHA-1 specified in FIPS-190-1, combined with HMAC (as per RFC 2104), and is described in RFC 2404.

To enable malware file scanning for the Secure Internet Gateway (SIG), you need to enable Intelligent Proxy, which is a feature of Cisco Umbrella that provides selective proxying of web requests based on the risk level of the domain1. Intelligent Proxy allows SIG to inspect the content of potentially malicious web requests and block or allow them based on the configured policies2. Intelligent Proxy also enables SSL decryption, which is necessary to scan encrypted web traffic for malware3. Enabling IP Layer enforcement, activating the Advanced Malware Protection license, and activating SSL decryption are not required prerequisites to enable malware file scanning for the SIG, although they may provide additional security benefits45. References: 1: Intelligent Proxy - Cisco Umbrella 2: Cisco Umbrella SIG Advantage - Cisco Umbrella 3: [SSL Decryption - Cisco Umbrella] 4: [IP Layer Enforcement - Cisco Umbrella] 5: [Advanced Malware Protection - Cisco Umbrella]

The Secure Event Connector is a component of the Security Analytics and Logging (SaaS) solution that enables the FMC to send logs to the cloud-based service. The Secure Event Connector uses syslog to forward events from the FMC and the managed devices to the cloud. This method reduces the load on the firewall resources, as the events are sent in batches and compressed before transmission. The Secure Event Connector also provides encryption, authentication, and reliability for the log data. The other methods are not supported by the Security Analytics and Logging (SaaS) solution12 References := 1: Cisco Security Analytics and Logging (On Premises)

 Cisco Web Security Appliance (WSA) is the platform that automatically blocks risky sites, and tests unknown sites for hidden advanced threats before allowing users to click them, using Cisco Cognitive Threat Analytics. Cisco Cognitive Threat Analytics is a cloud-based solution that reduces the time to discovery of threats operating inside the network by analyzing web traffic and detecting anomalous behavior. Cisco WSA integrates with Cisco Cognitive Threat Analytics to provide enhanced web security and breach detection. Cisco WSA can also leverage other Cisco security solutions, such as Cisco Umbrella, Cisco Advanced Malware Protection (AMP), and Cisco Talos Intelligence Group, to provide comprehensive web security. References:

Cisco Web Security Appliance (WSA)

Cisco Cognitive Threat Analytics At-a-Glance

Introducing Cisco Cognitive Threat Analytics

Implementing and Operating Cisco Security Core Technologies (SCOR) - Module 3: Cloud and Content Security

Explanation

Explanation

Cisco IOS public key infrastructure (PKI) provides certificate management to support security protocols such as IP Security (IPSec), secure shell (SSH), and secure socket layer (SSL). This module identifies and describes concepts that are needed to understand, plan for, and implement a PKI.

A PKI is composed of the following entities: …

– A distribution mechanism (such as Lightweight Directory Access Protocol [LDAP] or HTTP) for certificate revocation lists (CRLs)

Explanation

Application Visibility and control (AVC) supports NetFlow to export application usage and performance

statistics. This data can be used for analytics, billing, and security policies.

A Cisco Umbrella virtual appliance (VA) is a lightweight virtual machine that acts as a DNS forwarder in your network. It forwards internal DNS queries to Umbrella and provides Umbrella with the internal IP address and hostname of the device that made the request. This allows Umbrella to apply policies and report on traffic based on the subnet, hostname, or user identity of the device1. The other options are not relevant for this scenario. Tenant control features are used to limit access to specific instances of cloud applications, such as Microsoft 365 or Google G Suite2. The Microsoft Active Directory Connector is used to provision users and groups from Active Directory to Umbrella, not to provide IP address information3. An internal domain is a domain that is resolved by your own DNS server, not by Umbrella, and is used to bypass Umbrella for domains that are only accessible within your network4. References:

1: Deploy Virtual Appliances - Umbrella User Guide

2: Manage Tenant Controls - Umbrella SIG User Guide

3: Connect Active Directory to Umbrella to Provision User and Groups

4: Domain Management - Umbrella User Guide

Cisco ASA NetFlow v9 Secure Event Logging (NSEL) is a security logging mechanism that is built on NetFlow Version 9 technology and provides stateful, IP flow tracking for significant events in a flow. NSEL requires a collector to receive and process the exported data records. To configure NSEL, you need to define a flow-export event type under a policy using the Modular Policy Framework (MPF). The event type specifies which events to export, such as flow-create, flow-denied, flow-teardown, flow-update, or all. You also need to configure the NSEL collectors, the template timeout intervals, and the flow-update interval. Optionally, you can disable the redundant syslog messages and reset the runtime counters.

The other statements are false because:

To view bandwidth usage for NetFlow records, the QoS feature is not required. You can use a NetFlow collector or analyzer to view the bandwidth usage and other statistics from the exported data records.

A sysopt command cannot be used to enable NSEL on a specific interface. NSEL is enabled globally on all interfaces by default when you configure a flow-export event type under a policy.

NSEL cannot be used without a collector configured. NSEL exports data records to the configured collectors using NetFlow over UDP. If no collector is configured, the data records are discarded.

 Patching is important for security, compliance, stability, and reputation reasons. Patches are released to fix security vulnerabilities in software and systems, which can be exploited by cybercriminals to cause data breaches, data loss, or other damage. Failure to patch these vulnerabilities leaves the company’s systems exposed to potential security risks. Patch management helps to minimize these risks by ensuring that all software and systems are up-to-date with the latest security patches. Patch management also helps to comply with regulatory and industry standards that require a certain level of security, and to avoid legal consequences for non-compliance. Additionally, patches provide bug fixes and other updates that improve the stability and performance of software and systems, and prevent system crashes, downtime, and other issues that can negatively impact the business operations. Finally, patch management helps to maintain a positive reputation for the company, as a security breach or downtime caused by unpatched vulnerabilities can damage the customer trust and loyalty, and result in revenue loss. References:

5 Patch Management Best Practices for Success in 2023 - TechRepublic

Six Patch Management Best Practices [Updated 2024] - Heimdal Security

 Platform as a Service (PaaS) is a cloud service model that delivers and manages all the hardware and software resources to develop applications through the cloud. The service provider is responsible for the infrastructure, middleware, runtime, and operating system, while the customer only has to focus on the application and data. PaaS enables the customer to avoid the hassle of patching, updating, or maintaining the operating system, as well as the underlying hardware and network12. Infrastructure as a Service (IaaS) is a cloud service model that delivers on-demand infrastructure resources, such as compute, storage, networking, and virtualization, to the customer via the cloud. The service provider hosts and manages the infrastructure, but the customer is responsible for the operating system, middleware, virtual machines, and any apps or data. IaaS requires the customer to handle the patch management of the operating system, as well as the security and configuration of the virtual machines34. References := 1: Use platform as a service (PaaS) options - Azure Architecture Center 2: What is Platform-as-a-Service (PaaS)? - Cloudflare 3: PaaS vs IaaS vs SaaS: What’s the difference? | Google Cloud 4: SaaS vs PaaS vs IaaS: What’s The Difference & How To Choose – BMC Software | Blogs

The Cisco Endpoint IoC feature is a powerful incident response tool for scanning of post-compromise indicators across multiple computers. Endpoint IoCs are imported through the console from OpenIOC-based files written to trigger on file properties such as name, size, hash, and other attributes and system properties such as process information, running services, and Windows Registry entries. The IoC syntax can be used by incident responders to find specific artifacts or use logic to create sophisticated, correlated detections for families of malware. Endpoint IoCs have the advantage of being portable to share within your organization or in industry vertical forums and mailing lists. The Endpoint IoC scanner is available in AMP for Endpoints Windows Connector versions 4 and higher. Running Endpoint IoC scans may require up to 1 GB of free drive space. The Endpoint IoC feature is based on the openioc.com framework, which is an open standard for sharing threat intelligence. References:

Cisco Endpoint IOC Attributes, User Guide

What Are Indicators of Compromise (IOC)? - Cisco, Security Indicators of Compromise

General questions about AMP - Cisco Community, Post by Cisco Employee

Cisco Tetration is a Cisco security solution that provides patch management in the cloud. Patch management is the process of identifying, acquiring, installing, and verifying patches for products and systems to correct security and functionality problems in software and firmware1. Cisco Tetration is a cloud-native platform that delivers comprehensive workload protection for multicloud data centers by enabling a zero-trust model using segmentation2. One of the features of Cisco Tetration is software vulnerability detection and patch management, which allows users to identify software vulnerabilities on workloads, prioritize patching based on risk scores, and automate patch deployment using orchestration tools3. Cisco Tetration leverages the National Vulnerability Database (NVD) and Cisco Talos Intelligence Group to provide up-to-date information on software vulnerabilities and their severity levels3. Cisco Tetration also supports patch management for both Windows and Linux operating systems, as well as third-party applications such as Apache, Java, MySQL, and Oracle4. Therefore, the correct answer is D. Cisco Tetration. References: 1: RFC 9232: Network Telemetry Framework - Internet Engineering Task Force 2: Cisco Tetration - Workload Protection - Cisco 3: Cisco Tetration Software Vulnerability Detection and Patch Management - Cisco 4: Cisco Tetration Platform Data Sheet - Cisco

Explanation

Cisco Cloudlock: Secure your cloud users, data, and applications with the cloud-native Cloud Access Security

Broker (CASB) and cloud cybersecurity platform.

Asymmetric encryption, also known as public key cryptography, uses two different keys for encryption and decryption: a public key and a private key. The public key can be shared with anyone, while the private key must be kept secret. Data encrypted with the public key can only be decrypted with the private key, and vice versa. This ensures that only the intended recipient can access the encrypted data, and that the sender can prove their identity with a digital signature. Asymmetric encryption is widely used for securing Internet communications, such as TLS/SSL, which enables HTTPS. Some examples of asymmetric encryption algorithms are RSA, Diffie-Hellman, and Elliptic Curve Cryptography. The other options are not correct because they do not use a public key and private key. Symmetric encryption uses the same key for encryption and decryption, and is faster and more efficient than asymmetric encryption. However, symmetric encryption requires a secure way to exchange the key between the sender and the receiver, which can be facilitated by asymmetric encryption. Linear and nonlinear encryption are not types of encryption, but rather properties of encryption algorithms. A linear encryption algorithm is one that can be expressed as a linear function, such as XOR. A nonlinear encryption algorithm is one that involves more complex mathematical operations, such as modular arithmetic or S-boxes. Nonlinear encryption algorithms are generally more secure and resistant to cryptanalysis than linear encryption algorithms. References :=

Public-key cryptography - Wikipedia

How does public key cryptography work? - Cloudflare

Public and private encryption keys | PreVeil

AES encryption, what are public and private keys?

Explanation

You can configure your ASA FirePOWER module using one of the following deployment models:

You can configure your ASA FirePOWER module in either an inline or a monitor-only (inline tap or

passive) deployment.

Explanation

A data breach is the intentional or unintentional release of secure or private/confidential information to an

untrusted environment.

When your credentials have been compromised, it means someone other than you may be in possession of your account information, such as your username and/or password.

ZBFW stands for Zone-Based Firewall, which is a feature that allows unidirectional application of IOS firewall policies between groups of interfaces known as zones. Interfaces are assigned to zones, and firewall rules are applied to specific types of traffic moving in one direction between the zones. ZBFW enforces a secure inter-zone policy by default, meaning traffic cannot pass between security zones until an explicit policy allowing that traffic is defined. The zone itself is an abstraction of multiple interfaces with the same or similar security requirements that can be logically grouped together. ZBFW is CBAC’s replacement and offers intuitive policies for multiple-interface routers, increased granularity of firewall policy application, and a default deny-all policy that prohibits traffic between firewall security zones until an explicit policy is applied to allow desirable traffic. ZBFW is supported on IOS devices running 12.4(6)T or later, and ASR devices running 12.2(33) or later. References:

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 4: Securing the Cloud, Lesson 4.1: Introducing Cisco Cloud Services Router 1000V Series, Topic 4.1.2: Zone-Based Firewall

Understand the Zone-Based Policy Firewall Design

Managing Zone-based Firewall Rules

Zone Based Firewall Overview

CBAC vs. Zone-based firewall

Explanation

Explanation

Endpoint protection platforms (EPP) prevent endpoint security threats like known and unknown malware.

Endpoint detection and response (EDR) solutions can detect and respond to threats that your EPP and other security tools did not catch.

EDR and EPP have similar goals but are designed to fulfill different purposes. EPP is designed to provide

device-level protection by identifying malicious files, detecting potentially malicious activity, and providing tools for incident investigation and response.

The preventative nature of EPP complements proactive EDR. EPP acts as the first line of defense, filtering out attacks that can be detected by the organization’s deployed security solutions. EDR acts as a second layer of protection, enabling security analysts to perform threat hunting and identify more subtle threats to the endpoint.

Effective endpoint defense requires a solution that integrates the capabilities of both EDR and EPP to provide protection against cyber threats without overwhelming an organization’s security team.

 Cisco Advanced Phishing Protection (AAP) is a solution that adds sophisticated machine learning capabilities to Cisco Email Security to block advanced identity deception attacks for inbound email by assessing its threat posture1. It also uses both global and local telemetry data combined with analytics and modeling to validate the reputation and authenticity of senders2. AAP provides sender authentication and BEC detection capabilities, and uses advanced machine learning techniques, real-time behavior analytics, relationship modeling and telemetry to protect against identity deception–based threats3.

In two ways, the Cisco Advanced Phishing Protection solution protects users:

It prevents use of compromised accounts and social engineering. AAP detects and blocks phishing emails that attempt to impersonate legitimate senders, such as executives, partners, or customers, and trick users into revealing sensitive information or transferring funds. AAP analyzes the sender’s identity, behavior, and relationship with the recipient, and assigns a risk score to the email. If the email is deemed suspicious or malicious, AAP can quarantine it, flag it, or deliver it with a warning4.

It automatically removes malicious emails from users’ inbox. AAP provides retrospective analysis and remediation capabilities, which means that it can identify and remove emails that were initially delivered but later found to be malicious. AAP leverages the Cisco Talos threat intelligence network and the Sensor-based solution to continuously monitor the threat landscape and update the email disposition accordingly. If an email is reclassified as malicious, AAP can automatically delete it from the users’ inbox, or notify the administrator or the user to take action45.

The other options are incorrect because they do not accurately describe the functions of AAP. AAP does not prevent all zero-day attacks coming from the Internet, as it focuses on phishing and identity deception attacks. AAP does not prevent trojan horse malware using sensors, as sensors are used to collect and analyze email data, not to block malware. AAP does not secure all passwords that are shared in video conferences, as it is not related to video conferencing security. Therefore, the correct answer is A and C. References:

Cisco’s Security Innovations to Protect the Endpoint and Email

Cisco Advanced Phishing Protection - Cisco Video Portal

Cisco Advanced Phishing Protection At A Glance - AVANTEC

User Guide for Cisco Advanced Phishing Protection

Cisco Secure Email Threat Defense - Cisco

Integrating the Email Gateway with Cisco Advanced Phishing Protection

Active Directory (AD) is an ID store that requires that a shadow user be created on Cisco ISE for the admin login to work. A shadow user is a user account that is defined in the ISE internal database, but has the password set to external. This means that the user authentication is performed against an external identity source, such as AD, while the user authorization is based on the ISE admin group membership. A shadow user is useful when the admin wants to assign different roles or permissions to specific AD users, rather than using AD groups. To create a shadow user, the admin must check the External checkbox in the ISE admin user configuration, and make sure that the username matches the AD username. The shadow user must also be assigned to an ISE admin group that has the Type set to External123. References := 1: ISE Admin User Shadow AD Account Issue 2: ISE Admin user authentication from AD 3: Which ID store requires that a shadow user be created on Cisco ISE for the admin login to work?

Cisco Workload Optimization Manager provides specific real-time actions that ensure workloads get the

resources they need when they need them, enabling continuous placement, resizing, and capacity decisions that can be automated, driving continuous health in the environment. You can automate the software’s decisions according to your level of comfort: recommend (view only), manual (select and apply), or automated (executed in real time by software).

 OWASP stands for Open Web Application Security Project, a non-profit organization that provides resources for web application security. OWASP has developed a number of standards, projects, events, and news on topics such as web application security, supply chain security, and cyber risk mitigation1. One of the most widely recognized OWASP resources is the OWASP Top 10, a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications, such as broken access control, cryptographic failures, injection, and insecure design2. The OWASP Top 10 is updated periodically based on data analysis and community feedback. The latest edition was released in 20213. By following the OWASP Top 10 and other OWASP resources, developers can build more secure applications that minimize these risks. References := 1: OWASP Foundation, the Open Source Foundation for Application Security 2: OWASP Top Ten | OWASP Foundation 3: OWASP Top 10:2021

RADIUS Change of Authorization (CoA) is a feature of Cisco ASA that allows VPN users to be postured against Cisco ISE without requiring an inline posture node. RADIUS CoA enables the ISE to send a message to the ASA to change the authorization attributes of an existing VPN session, such as the assigned IP address, ACL, or group policy. This way, the ISE can dynamically adjust the access level of the VPN user based on the posture assessment results, without the need for an intermediate device to enforce the policy change12. RADIUS CoA is supported by the ASA since version 9.2.13. References: 1: ASA Version 9.2.1 VPN Posture with ISE Configuration Example - Cisco 2: How To: ISE and ASA Integration using CoA for Posture - Cisco Community 3: How To Configure Posture with AnyConnect Compliance … - Cisco CommunityQUESTION NO: 94

What two mechanisms are used to redirect users to a web portal to authenticate to ISE for guest services?

(Choose two)

A. multiple factor auth

B. local web auth

C. single sign-on

D. central web auth

E. TACACS+

Answer: B, D

 Local web authentication (LWA) and central web authentication (CWA) are two mechanisms that are used to redirect users to a web portal to authenticate to ISE for guest services. Both methods involve the use of a redirect access control list (ACL) that allows the user to access only the web portal URL and blocks all other traffic until the user is authenticated. The difference between LWA and CWA is where the web portal and the authentication logic are hosted.

LWA: The web portal and the authentication logic are hosted on the wireless LAN controller (WLC). The WLC sends a RADIUS access-accept message to the network access device (NAD) along with the redirect ACL and the web portal URL. The NAD then redirects the user to the web portal on the WLC, where the user enters their credentials. The WLC verifies the credentials with the ISE and grants or denies access to the user. The advantage of LWA is that it does not require any configuration on the ISE, but the disadvantage is that it does not support advanced features such as posture assessment, profiling, or authorization policies.

CWA: The web portal and the authentication logic are hosted on the ISE. The WLC sends a RADIUS access-challenge message to the NAD along with the redirect ACL and the web portal URL. The NAD then redirects the user to the web portal on the ISE, where the user enters their credentials. The ISE verifies the credentials and sends a RADIUS access-accept message to the WLC with the authorization profile and the final ACL. The WLC then applies the authorization profile and the final ACL to the user session. The advantage of CWA is that it supports advanced features such as posture assessment, profiling, or authorization policies, but the disadvantage is that it requires more configuration on the ISE.

References :=

Configure Guest Access

Web Authentication Redirection to Original URL

Configure Local Web Authentication with External Authentication

Explanation

A destination list is a list of internet destinations that can be blocked or allowed based on the administrative

preferences for the policies applied to the identities within your organization. A destination is an IP address

(IPv4), URL, or fully qualified domain name. You can add a destination list to Umbrella at any time; however, a

destination list does not come into use until it is added to a policy.

A teardrop attack is a type of DoS attack that uses fragmented packets in an attempt to crash a target machine. The attacker sends IP packets that are deliberately malformed, such that the fragments overlap or have invalid offsets. When the target machine tries to reassemble the packets, it encounters an error or a buffer overflow, resulting in a system crash or a denial of service. Teardrop attacks exploit a vulnerability in the TCP/IP fragmentation reassembly process, which is responsible for splitting and recombining large packets that exceed the maximum transmission unit (MTU) size. Teardrop attacks can affect various operating systems, such as Windows, Linux, and BSD, depending on the implementation of the TCP/IP stack. Teardrop attacks are also known as IP fragmentation attacks or overlapping fragment attacks. References:

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 5: Securing the Cloud, Lesson 5.2: Cloud Security Threats, Topic 5.2.2: DoS Attacks

What is an IP Fragmentation Attack (Teardrop ICMP/UDP)

Teardrop Attack - Radware

What Is a Teardrop Attack? | F5

A connector is a feature that enables a Cisco ISR to use the default bypass list automatically for web filtering. A connector is a software component that runs on the ISR and communicates with the Cloud Web Security service. The connector intercepts the web traffic from the branch users and redirects it to the Cloud Web Security service for scanning and policy enforcement. The connector also maintains a default bypass list, which contains the domains and URLs that are not redirected to the Cloud Web Security service. The default bypass list is updated automatically by the Cloud Web Security service and can be customized by the administrator. The default bypass list helps to improve the performance and reliability of the web filtering solution by avoiding unnecessary redirections of trusted or sensitive web traffic12. References: 1: Security Configuration Guide: Cloud Web Security, Cisco IOS Release 15M&T - Cisco Integrated Services Routers Generation 2 with Cisco Cloud Web Security Solution [Support] - Cisco 2: Security Configuration Guide: Cloud Web Security, Cisco IOS Release 15M&T - Configuring Cloud Web Security on Integrated Services Routers Generation 2 [Support] - Cisco

Configuring the IEEE 802.1X Flexible Authentication feature to support Layer 3 authentication mechanisms involves adding MAC Authentication Bypass (MAB) into the switch configuration. This allows devices that do not support 802.1X to be authenticated using their MAC address. Once MAB identifies the device, it can then be redirected to a Layer 3 device for further authentication, thus providing a mechanism to support devices requiring Layer 3 authentication methods.

SSL decryption allows the intelligent proxy to inspect traffic over HTTPS. Some websites may use self-signed certificates or certificates that are not trusted by the user’s device. This may cause the browser to display a warning or an error message when accessing those websites through the intelligent proxy. To avoid this, the user’s device needs to trust the Umbrella root CA, which is the certificate authority that signs the certificates for the websites that are proxied by Umbrella. By importing the Umbrella root CA into the trusted root store on the user’s device, the browser will recognize the certificates as valid and will not alert the end-users12. References: 1: Enable SSL Decryption - Umbrella User Guide 2: Intelligent Proxy and SSL Decryption with Cisco Umbrella

Explanation

Cisco Hybrid Email Security is a unique service offering that facilitates the deployment of your email security

infrastructure both on premises and in the cloud. You can change the number of on-premises versus cloud

users at any time throughout the term of your contract, assuming the total number of users does not change.

This allows for deployment flexibility as your organization’s needs change.

CoA-ACK is the CoA response code that is sent if an authorization state is changed successfully on a Cisco IOS device. CoA-ACK stands for CoA acknowledgment, which indicates that the device has received and processed the CoA request from the server and applied the new authorization settings to the session. The attributes returned within a CoA-ACK can vary based on the CoA request, such as session reauthentication, session termination, or session modification. The other options are not correct because they are not valid CoA response codes. CoA-NCL, CoA-NAK, and CoA-MAV are not defined in RFC 5176, which specifies the CoA protocol. CoA-NAK is the closest option, but it stands for CoA non-acknowledgment, which indicates that the device has rejected the CoA request from the server due to some error or inconsistency. References :=

Some possible references are:

RADIUS Change of Authorization - Cisco

Security and VPN Configuration Guide, Cisco IOS XE 17.x

RFC 5176 - Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)

The process of performing automated static and dynamic analysis of files against preloaded behavioral indicators for threat analysis is called advanced sandboxing. Advanced sandboxing is a feature of Cisco Secure Malware Analytics (Threat Grid), which is a cloud-based or on-premises solution that analyzes the behavior of suspicious files and URLs. Advanced sandboxing uses a combination of static and dynamic analysis techniques to examine the files against more than 700 behavioral indicators, such as registry changes, network connections, file modifications, and process injections. These indicators help to uncover stealthy and sophisticated threats, and provide the security team with detailed reports and actionable intelligence. Advanced sandboxing also integrates with other Cisco security products, such as AMP, Firepower, and Email Security, to provide comprehensive malware protection across the network. Advanced sandboxing is different from other options, such as deep visibility scan, point-in-time checks, and advanced scanning, which are not specific processes or features of Cisco Secure Malware Analytics. Deep visibility scan is a generic term that refers to the ability to inspect network traffic and files for malicious activity. Point-in-time checks are periodic scans that detect malware at a specific moment, but do not provide continuous analysis or retrospective security. Advanced scanning is also a generic term that can refer to any scanning technique that goes beyond basic signature-based detection, such as heuristic analysis, machine learning, or behavioral analysis. References :=

Some possible references are:

Cisco Secure Malware Analytics (Threat Grid)

Malware Protection - Cisco AMP Advanced Malware Protection

Cisco Secure Malware Analytics Data Sheet

Add the DNS entry for the new Cisco ISE node into the DNS server. This is because the fully qualified domain name (FQDN) of the new Cisco ISE node, for example, ise1.cisco.com, must be DNS-resolvable from the primary Administration ISE node. Otherwise, node registration will fail. The DNS server must contain the IP addresses and FQDNs of the ISE nodes that are part of the distributed deployment1.

The other options are incorrect because:

Changing the IP address of the new Cisco ISE node to the same network as the others is not necessary, as long as the nodes can communicate with each other over the network.

Making the new Cisco ISE node a secondary PAN before registering it with the primary is not possible, as the node must be registered first before changing its persona or role.

Opening port 8905 on the firewall between the Cisco ISE nodes is not required, as this port is used for communication between the primary and secondary Monitoring ISE nodes, not for node registration.

An application that does not validate user input is particularly susceptible to SQL injection attacks. In an SQL injection attack, an attacker can insert or "inject" a SQL query via the input data from the client to the application. Due to the lack of validation, the malicious SQL commands are executed by the database server, leading to unauthorized access or manipulation of the database.

In a man-in-the-middle (MITM) attack, the attacker inserts their machine between two hosts that are communicating with each other, and secretly relays and possibly alters the messages between them. The attacker can intercept, modify, or spoof the data, and the hosts are unaware that their communication is compromised. A MITM attack can target any communication channel that uses weak or no encryption, such as email, web, or wireless networks. A MITM attack can break the confidentiality, integrity, and authenticity of the communication, and can have various goals, such as eavesdropping, stealing credentials, impersonating a legitimate party, or redirecting traffic. A MITM attack can be prevented by using strong encryption protocols, such as TLS, IPSec, or SSH, and verifying the identity of the communication endpoints using certificates or other means. References: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Man-in-the-middle attack - Wikipedia, Man-in-the-Middle Attack: Types and Examples - Fortinet

Cisco DNA Center APIs are RESTful APIs that allow you to automate and operate your network at scale, using Python scripts or other tools. They are not Cisco proprietary, as they follow the OpenAPI specification and can be accessed by any client that supports HTTP requests. They do not require Postman, although Postman is a useful tool to test and explore the API endpoints. They can quickly provision new devices by applying predefined templates and workflows, and they can view the overall health of the network by retrieving metrics and alerts from various sources. References :=

Cisco DNA Center Platform - Cisco DevNet

Introduction to Cisco DNA Center REST APIs - Cisco DevNet Learning Labs

Cisco DNA Center Platform User Guide, Release 2.3.4

 In a PaaS model, the cloud provider is responsible for managing and maintaining the underlying infrastructure, such as the hypervisor, the virtual machine, and the network. The tenant only needs to focus on developing and deploying the application, which runs on the cloud platform. The tenant is responsible for ensuring the security and availability of the application, as well as applying any patches or updates to the application code or configuration12. References :=

Shared responsibility in the cloud

Best practices for secure PaaS deployments

Explanation

Cisco DNA Center has four general sections aligned to IT workflows:

Design: Design your network for consistent configurations by device and by site. Physical maps and logical topologies help provide quick visual reference. The direct import feature brings in existing maps, images, and topologies directly from Cisco Prime Infrastructure and the Cisco Application Policy Infrastructure Controller

Enterprise Module (APIC-EM), making upgrades easy and quick. Device configurations by site can be

consolidated in a “golden image” that can be used to automatically provision new network devices. These new devices can either be pre-staged by associating the device details and mapping to a site. Or they can be claimed upon connection and mapped to the site.

Policy: Translate business intent into network policies and apply those policies, such as access control, traffic routing, and quality of service, consistently over the entire wired and wireless infrastructure. Policy-based access control and network segmentation is a critical function of the Cisco Software-Defined Access (SDAccess) solution built from Cisco DNA Center and Cisco Identity Services Engine (ISE). Cisco AI Network Analytics and Cisco Group-Based Policy Analytics running in the Cisco DNA Center identify endpoints, group similar endpoints, and determine group communication behavior. Cisco DNA Center then facilitates creating policies that determine the form of communication allowed between and within members of each group. ISE then activates the underlying infrastructure and segments the network creating a virtual overlay to follow these

policies consistently. Such segmenting implements zero-trust security in the workplace, reduces risk, contains

threats, and helps verify regulatory compliance by giving endpoints just the right level of access they need.

Provision: Once you have created policies in Cisco DNA Center, provisioning is a simple drag-and-drop task.

The profiles (called scalable group tags or “SGTs”) in the Cisco DNA Center inventory list are assigned a policy, and this policy will always follow the identity. The process is completely automated and zero-touch. New devices added to the network are assigned to an SGT based on identity—greatly facilitating remote office setups.

Assurance: Cisco DNA Assurance, using AI/ML, enables every point on the network to become a sensor, sending continuous streaming telemetry on application performance and user connectivity in real time. The clean and simple dashboard shows detailed network health and flags issues. Then, guided remediation

automates resolution to keep your network performing at its optimal with less mundane troubleshooting work.

The outcome is a consistent experience and proactive optimization of your network, with less time spent on troubleshooting tasks.

 The Atomic ARP engine is a signature engine that defines basic Layer 2 ARP signatures and provides more advanced detection of the ARP spoof tools dsniff and ettercap. ARP spoofing is an attack that involves sending spoofed ARP messages over a local area network to associate the attacker’s MAC address with the IP address of the target. The Atomic ARP engine inspects the Layer 2 ARP protocol and compares the ARP requests and replies with the MAC address table to detect any anomalies or inconsistencies. The Atomic ARP engine can also detect gratuitous ARP messages, which are unsolicited ARP replies that can be used to poison the ARP cache of other hosts. The Atomic ARP engine is different from other IPS engines because most engines are based on Layer 3 IP protocol. References := 

https://www.cisco.com/c/en/us/td/docs/security/ips/6-1/configuration/guide/cli/cliguide/cli_signature_engines.html

https://security.stackexchange.com/questions/71023/can-suricata-ips-detect-and-prevent-arp-poisoning-attacks

NetFlow is a baseline form of telemetry that is recommended for network infrastructure devices. NetFlow is a technology that collects and exports information about IP traffic flows on enabled interfaces. NetFlow can provide valuable insight into the network performance, utilization, behavior, and security. NetFlow can help identify anomalies, such as DDoS attacks, malware, or misconfigurations, by comparing the current traffic patterns with the normal or baseline ones. NetFlow can also help with capacity planning, troubleshooting, and forensic analysis. NetFlow is supported on various Cisco platforms, such as routers, switches, firewalls, and IPS sensors. NetFlow can export data to different collectors and analyzers, such as Cisco Security Monitoring, Analysis and Response System (CS-MARS), Cisco Traffic Anomaly Detectors and Cisco Guard DDoS Mitigation Appliances, Cisco Network Analysis Module (NAM), and other third-party tools. References:

 Suppression is a feature of Cisco Next Generation Intrusion Prevention System (NGIPS) that allows you to reduce false positives and unwanted alerts by filtering out specific traffic from the intrusion detection and prevention process. You can configure suppression based on different criteria, such as port, rule, source, destination, and network. The two valid suppression types for this question are port and rule. Port suppression allows you to exclude traffic based on the source or destination port number, or both. For example, you can suppress alerts for port 80 (HTTP) traffic if you are not interested in web-based attacks. Rule suppression allows you to exclude traffic based on the rule ID (SID) or the rule category. For example, you can suppress alerts for rules that belong to the policy-violations category if you are not concerned about them. You can also suppress alerts for specific rules that are not relevant to your network or generate too many false positives. References

the routing of traffic through the Cisco Umbrella network is to browse to http://welcome.umbrella.com/. This URL will display a message that confirms whether the new network identity is working or not. If the message says “You’re protected by Cisco Umbrella”, then the traffic is being routed correctly. If the message says “You’re not using Cisco Umbrella”, then the traffic is not being routed correctly and the configuration needs to be checked. The other options are not valid actions to test the routing. Option A is incorrect because the client computers should point to the Cisco Umbrella DNS servers, not the on-premises DNS servers. Option B is incorrect because the Intelligent Proxy is a feature that selectively intercepts and proxies web requests for deeper inspection, not a tool to test the routing. Option C is incorrect because adding the public IP address to a Core Identity is a way to identify the network, not a way to test the routing. References:

How To: Successfully test to ensure you’re running Umbrella correctly

Add a Network Identity

Explanation

Explanation

You can also bring up the port by using these commands:

+ The “shutdown” interface configuration command followed by the “no shutdown” interface configuration

command restarts the disabled port.

+ The “errdisable recovery cause …” global configuration command enables the timer to automatically recover error-disabled state, and the “errdisable recovery interval interval” global configuration command specifies the time to recover error-disabled state.

 A SYN flood is a type of denial-of-service (DoS) attack that exploits the TCP three-way handshake process to exhaust the resources of a target server. The attacker sends a large number of SYN packets to the target server, each with a spoofed source IP address. The target server allocates resources for each incoming SYN packet and responds with a SYN-ACK packet to the spoofed address. However, the spoofed address never sends back the final ACK packet to complete the connection, leaving the target server with many half-open connections that eventually fill up its connection table. This prevents the target server from accepting new legitimate connections and causes service disruption123 References: 1: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0 course overview 2: SYN Flood Explained. How to Prevent this Attack from Taking over your … 3: What is a SYN flood attack? | Cloudflare

Cross-site scripting (XSS) is a web security vulnerability that allows an attacker to inject malicious code into a web page that is viewed by other users. XSS can compromise the user’s interaction with the web application, steal sensitive data, perform unauthorized actions, and more. To prevent XSS, web developers need to apply various defensive techniques to ensure that user-supplied data is not interpreted as code by the browser. Two of these techniques are:

Incorporate contextual output encoding/escaping: This means that any user-supplied data that is displayed on the web page should be properly encoded or escaped according to the context where it appears. For example, if the data is inserted into an HTML attribute, it should be HTML attribute encoded; if the data is inserted into a JavaScript string, it should be JavaScript string encoded; and so on. This prevents the data from breaking out of its intended context and being executed as code by the browser. Output encoding should be done by using a reliable library or framework that supports different contexts and encodings.

Run untrusted HTML input through an HTML sanitization engine: This means that any user-supplied data that is intended to contain HTML markup should be filtered and validated by a sanitization engine that removes or escapes any potentially dangerous elements, attributes, or scripts. This prevents the attacker from injecting malicious HTML code that can execute scripts, load external resources, redirect the user, or perform other malicious actions. HTML sanitization should be done by using a well-tested and maintained library or framework that follows the best practices and standards for HTML filtering.

References :=

[Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0], Module 5: Securing the Cloud, Lesson 5.2: Web Application Security, Topic 5.2.2: Cross-Site Scripting (XSS)

Cross Site Scripting Prevention Cheat Sheet - OWASP

What is cross-site scripting (XSS) and how to prevent it? - Web Security Academy

Cisco Stealthwatch Cloud is a cloud-delivered and SaaS-based solution that provides visibility and threat detection across the AWS network. It does not require any software agents to be installed on the AWS instances, and it relies on AWS VPC flow logs to collect network traffic metadata. Cisco Stealthwatch Cloud analyzes the flow logs using machine learning and behavioral modeling to detect anomalies and threats, such as data exfiltration, lateral movement, reconnaissance, and compromised instances. Cisco Stealthwatch Cloud also provides contextual information and actionable alerts to help users respond to incidents and remediate issues.

Cisco Umbrella is a cloud-delivered and SaaS-based solution that provides DNS-layer security and web filtering for internet traffic. It does not provide visibility and threat detection for internal AWS network traffic, and it requires software agents to be installed on the endpoints or network devices to enforce policies and redirect DNS requests.

NetFlow collectors are devices or software applications that collect and analyze NetFlow records, which are generated by network devices to capture information about IP traffic flows. NetFlow collectors can provide visibility and threat detection for network traffic, but they are not cloud-delivered or SaaS-based solutions. They also require NetFlow exporters to be configured on the network devices, which may not be supported by AWS.

Cisco Cloudlock is a cloud-delivered and SaaS-based solution that provides cloud security posture management (CSPM) and cloud access security broker (CASB) capabilities for cloud applications and environments. It does not provide visibility and threat detection for AWS network traffic, and it does not rely on AWS VPC flow logs. It focuses on protecting cloud data, users, and configurations from misconfigurations, compliance violations, and malicious activities. References :=

Cisco Stealthwatch Cloud for AWS

Cisco Umbrella

NetFlow

[Cisco Cloudlock]

Explanation

Explanation

There are three basic categories of attack:

+ volume-based attacks, which use high traffic to inundate the network bandwidth

+ protocol attacks, which focus on exploiting server resources

+ application attacks, which focus on web applications and are considered the most sophisticated and serious type of attacks Reference: https://www.esecurityplanet.com/networks/types-of-ddos-attacks/

Cisco AMP (Advanced Malware Protection) is a product that provides proactive endpoint protection and allows administrators to centrally manage the deployment. AMP uses cloud-based intelligence, sandboxing, and continuous analysis to detect and block advanced threats before they reach the endpoints. AMP also provides retrospective security, which means that it can alert and remediate endpoints if a file that was previously deemed benign is later found to be malicious. AMP can be integrated with other Cisco products, such as Firepower, Meraki, and Email Security Appliance, to provide comprehensive security across the network. AMP is available for Windows, Mac, Linux, Android, and iOS devices. References :=

Some possible references are:

Endpoint Protection Platform (EPP) Definition - Cisco: This page defines what an endpoint protection platform (EPP) is and how it differs from traditional antivirus solutions. It also explains the benefits of using Cisco Secure Endpoint, formerly known as AMP for Endpoints.

Cisco Secure Endpoint (Formerly AMP for Endpoints) - Cisco: This page provides an overview of the features and capabilities of Cisco Secure Endpoint, such as cloud-based intelligence, endpoint isolation, file trajectory, device flow correlation, and more. It also offers resources for getting started, deploying, and managing Cisco Secure Endpoint.

SCOR 350-701 Flashcards | Quizlet: This page contains flashcards for the SCOR 350-701 exam, which covers the topics of implementing and operating Cisco security core technologies. One of the flashcards is the same question as the one asked by the user, and it provides the correct answer and a brief explanation.

The configuration that is needed to accomplish the goal of adding protection for data in transit and having headers in the email message is to deploy an encryption appliance. An encryption appliance is a device that encrypts and decrypts email messages using various encryption standards, such as S/MIME, PGP, or Cisco Registered Envelope Service (CRES). An encryption appliance can also add headers to the email message to indicate the encryption status, the encryption key, or the encryption policy. An encryption appliance can be integrated with an email appliance, such as Cisco Email Security Appliance (ESA), to provide end-to-end email security and encryption.

The other options are incorrect because:

Provisioning the email appliance is not enough to add protection for data in transit and have headers in the email message. An email appliance can provide various email security features, such as spam filtering, virus scanning, content filtering, or data loss prevention, but it does not encrypt or decrypt email messages by itself. An email appliance needs to work with an encryption appliance to provide email encryption and decryption.

Mapping sender IP addresses to a host interface is not related to adding protection for data in transit and having headers in the email message. This is a configuration option for an email appliance that allows it to accept email messages from specific IP addresses or ranges and assign them to a specific host interface. This can be useful for load balancing, traffic management, or policy enforcement, but it does not affect email encryption or decryption.

Enabling flagged message handling is not relevant to adding protection for data in transit and having headers in the email message. This is a configuration option for an email appliance that allows it to handle email messages that have a specific flag or tag in the subject line or the body. This can be useful for testing, troubleshooting, or applying special policies, but it does not affect email encryption or decryption.

 Cisco FTD is the recommended solution for this requirement because it allows the administrator to configure URL filtering as part of the access control policy. URL filtering in FTD can block or allow traffic based on the destination URL of a web request, the generalized category of the URL, or the public reputation of the target site. FTD can also use HTTPS URL filtering to inspect encrypted web traffic and block malicious or unwanted sites. FTD supports both local URL lists and external URL filtering servers such as Cisco Talos Intelligence Group (TIG), Websense, or SmartFilter12.

Cisco ASA does not include URL filtering in the access control policy capabilities. ASA can only enable URL filtering for web traffic using external filtering servers such as Websense or SmartFilter. ASA cannot block HTTPS or FTP traffic based on URLs, nor can it use local URL lists or categories. ASA also does not block malicious URLs by default, but relies on the filtering server’s configuration34.

Therefore, option C is the correct answer, and the other options are incorrect. References :=

FTD URL Filtering - How it works? - Cisco Community

Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager, Version 6.2.3 - Access Control

Configuring Filtering Services - Cisco

Configuring URL Filtering - Cisco

Explanation

Explanation

We should scan emails using AntiVirus signatures to make sure there are no viruses attached in emails.

Note: A virus signature is the fingerprint of a virus. It is a set of unique data, or bits of code, that allow it to be identified. Antivirus software uses a virus signature to find a virus in a computer file system, allowing to detect, quarantine, and remove the virus.

SenderBase is an email reputation service designed to help email administrators research senders, identify legitimate sources of email, and block spammers. When the Cisco ESA receives messages from known or highly reputable senders, it delivers them directly to the end user without any content scanning. However, when the Cisco ESA receives email messages from unknown or less reputable senders, it performs antispam and antivirus scanning.

Explanation

Explanation

Cisco ISE allows a global configuration to issue a Change of Authorization (CoA) in the Profiler Configuration

page that enables the profiling service with more control over endpoints that are already authenticated.

One of the settings to configure the CoA type is “Reauth”. This option is used to enforce reauthentication of an already authenticated endpoint when it is profiled.

Cisco Defense Orchestrator (CDO) is a cloud-based management solution that allows you to manage security policies and device configurations with ease across multiple Cisco and cloud-native security platforms. CDO centrally manages elements of policy and configuration across Cisco ASA, Cisco Firepower, Cisco Meraki, and AWS1. CDO also provides visibility, automation, and orchestration capabilities to simplify and unify security operations2. The other options are not cloud security software that can centrally manage policies on multiple platforms. Cisco Configuration Professional is a device management tool for Cisco routers and switches. Cisco Secureworks is a security services provider that offers threat intelligence and incident response. Cisco DNAC is a network controller that automates and assures services across campus, branch, and edge networks. References :=

Cisco Defense Orchestrator Data Sheet

Cisco Defense Orchestrator

Explanation

Explanation

Multi-factor Authentication (MFA) is an authentication method that requires the user to provide two or more

verification factors to gain access to a resource. MFA requires means of verification that unauthorized users

won’t have.

Proper multi-factor authentication uses factors from at least two different categories.

MFA methods:

+ Knowledge – usually a password – is the most commonly used tool in MFA solutions. However, despite their

simplicity, passwords have become a security problem and slow down productivity.

+ Physical factors – also called possession factors–use tokens, such as a USB dongle or a portable device,

that generate a temporary QR (quick response) code. Mobile phones are commonly used, as they have the

advantage of being readily available in most situations.

+ Inherent – This category includes biometrics like fingerprint, face, and retina scans. As technology advances,

it may also include voice ID or other behavioral inputs like keystroke metrics. Because inherent factors are

reliably unique, always present, and secure, this category shows promise.

+ Location-based and time-based – Authentication systems can use GPS coordinates, network parameters,

and metadata for the network in use, and device recognition for MFA. Adaptive authentication combines these

data points with historical or contextual user data.

A time factor in conjunction with a location factor could detect an attacker attempting to authenticate in Europe

when the user was last authenticated in California an hour prior, for example.

+ Time-based one-time password (TOTP) – This is generally used in 2FA but could apply to any MFA

method where a second step is introduced dynamically at login upon completing a first step. The wait for a

second step–in which temporary passcodes are sent by SMS or email–is usually brief, and the process is easy

to use for a wide range of users and devices. This method is currently widely used.

+ Social media – In this case a user grants permission for a website to use their social media username and

password for login. This provide an easy login process, and one generally available to all users.

+ Risk-based authentication – Sometimes called adaptive multi-factor authentication, this method combines

adaptive authentication and algorithms that calculate risk and observe the context of specific login requests.

The goal of this method is to reduce redundant logins and provide a more user-friendly workflow.

+ Push-based 2FA – Push-based 2FA improves on SMS and TOTP 2FA by adding additional layers of security

while improving ease of use. It confirms a user’s identity with multiple factors of authentication that other

methods cannot. Because push-based 2FA sends notifications through data networks like cellular or Wi-Fi,

users must have data access on their mobile devices to use the 2FA functionality.

Posture is a service in Cisco ISE that allows you to check the compliance, also known as posture, of endpoints, before allowing them to connect to your network. A posture agent, such as the AnyConnect ISE Posture Agent or Network Admission Control (NAC) Agent, runs on the endpoint and collects information about the endpoint’s security posture, such as antivirus, antispyware, firewall, and patch status. The posture agent then communicates with the ISE server, which evaluates the posture information against the posture policy and determines the compliance state of the endpoint. Based on the compliance state, the ISE server can grant or deny network access to the endpoint, or apply remediation actions to bring the endpoint into compliance. Posture service is part of the ISE solution for network access control (NAC), which aims to secure the network from unauthorized or compromised endpoints. References:

Cisco Identity Services Engine Administrator Guide, Release 2.2 - Configure Client Posture Policies

Configuring posture services with the Cisco Identity Services Engine - Cisco Community

Cisco Content Hub - Configure Client Posture Policies

Explanation

The command “crypto isakmp identity address 172.19.20.24” is not valid. We can only use “crypto isakmp

identity {address | hostname}. The following example uses preshared keys at two peers and sets both their

ISAKMP identities to the IP address.

At the local peer (at 10.0.0.1) the ISAKMP identity is set and the preshared key is specified:

crypto isakmp identity address

crypto isakmp key sharedkeystring address 192.168.1.33

At the remote peer (at 192.168.1.33) the ISAKMP identity is set and the same preshared key is specified:

crypto isakmp identity address

crypto isakmp key sharedkeystring address 10.0.0.1

Explanation

Explanation

Cisco Security Manager provides a comprehensive management solution for:

– Cisco ASA 5500 Series Adaptive Security Appliances

– Cisco intrusion prevention systems 4200 and 4500 Series Sensors

– Cisco AnyConnect Secure Mobility Client

Explanation

The RADIUS Change of Authorization (CoA) feature provides a mechanism to change the attributes of an

authentication, authorization, and accounting (AAA) session after it is authenticated.

 Cisco Duo is a cloud-based solution that provides multi-factor authentication (MFA) and device trust for secure access to applications and data. MFA adds an extra layer of security by requiring users to verify their identity with something they know (such as a password) and something they have (such as a phone or a hardware token). Device trust ensures that only trusted devices can access sensitive resources by checking the device health and compliance. Cisco Duo can help prevent social engineering attacks by making it harder for hackers to impersonate legitimate users or compromise their credentials. Cisco Duo can also integrate with other Cisco security products, such as Cisco AnyConnect, Cisco AMP for Endpoints, and Cisco Umbrella, to provide a comprehensive security solution. References :=

Cisco Duo Security

Cisco Duo: Multi-Factor Authentication

Cisco Duo: Device Trust

Cisco Security Core Technologies SCOR

The amount of URI text that is stored in Cisco WSA log files is controlled by the log-entry size parameter, which can be configured using the advancedproxyconfig command. The log-entry size parameter specifies the maximum number of bytes of the URI that will be logged for each request. The default value is 1024 bytes, but it can be changed to any value between 1 and 4096 bytes. If the URI is longer than the log-entry size, it will be truncated and a plus sign (+) will be appended to indicate that the URI was cut off. Configuring a small log-entry size can reduce the disk space and bandwidth consumption of the log files, but it can also limit the visibility and analysis of the requests.

References :=

User Guide for AsyncOS 11.0 for Cisco Web Security Appliances, Customizing Access Logs

Cisco WSA CLI Reference Guide for AsyncOS 11.0, advancedproxyconfig Command

WSA FAQ: How can I view the logs on the Cisco WSA? - Cisco

According to the NIST 800-145 guide1, a community cloud is a cloud infrastructure that is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises. A community cloud differs from a private cloud, which is provisioned for exclusive use by a single organization, and a public cloud, which is provisioned for open use by the general public. A hybrid cloud is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds). References := 1: NIST SP 800-145, The NIST Definition of Cloud Computing, page 3.

The target in a phishing attack is the endpoint, which is the device or system that the user interacts with, such as a computer, smartphone, or tablet. Phishing attacks aim to steal or damage sensitive data by deceiving people into revealing personal information like passwords and credit card numbers, or clicking on malicious links or attachments that can install malware on the endpoint. Phishing attacks can be delivered through various channels, such as email, phone, or text message, but they all rely on social engineering techniques to manipulate the user’s trust and curiosity. By compromising the endpoint, attackers can gain access to the user’s accounts, files, network, or other resources. Therefore, endpoint security is essential to prevent phishing attacks and protect the user’s data and identity. References:

What Is a Phishing Attack? Definition and Types - Cisco

8 types of phishing attacks and how to identify them

What Is Phishing? | Microsoft Security

Phishing | What Is Phishing?

Explanation

To understand DHCP snooping we need to learn about DHCP spoofing attack first.

DHCP spoofing is a type of attack in that the attacker listens for DHCP Requests from clients and answers them with fake DHCP Response before the authorized DHCP Response comes to the clients. The fake DHCP Response often gives its IP address as the client default gateway -> all the traffic sent from the client will go through the attacker computer, the attacker becomes a “man-in-the-middle”.

The attacker can have some ways to make sure its fake DHCP Response arrives first. In fact, if the attacker is “closer” than the DHCP Server then he doesn’t need to do anything. Or he can DoS the DHCP Server so that it can’t send the DHCP Response.

DHCP snooping can prevent DHCP spoofing attacks. DHCP snooping is a Cisco Catalyst feature that

determines which switch ports can respond to DHCP requests. Ports are identified as trusted and untrusted.

Only ports that connect to an authorized DHCP server are trusted, and allowed to send all types of DHCP

messages. All other ports on the switch are untrusted and can send only DHCP requests. If a DHCP response is seen on an untrusted port, the port is shut down.

The port connected to a DHCP server should be configured as trusted port with the “ip dhcp snooping trust” command. Other ports connecting to hosts are untrusted ports by default.

In this question, we need to configure the uplink to “trust” (under interface Gi1/0/1) as shown below.

 The RADIUS CoA feature supports five IETF attributes as defined in RFC 5176. These are:

Event-Timestamp: This attribute indicates the time when the CoA request was generated by the server.

State: This attribute contains a value that is copied from the Access-Accept message that authorized the session.

Session-Timeout: This attribute specifies the maximum number of seconds of service provided to the user before termination of the session or prompt.

Idle-Timeout: This attribute specifies the maximum number of consecutive seconds of idle connection allowed to the user before termination of the session or prompt.

Filter-Id: This attribute identifies the filter list to be applied to the user session.

The RADIUS CoA feature also supports vendor-specific attributes (VSAs) that are defined by Cisco or other vendors. These VSAs can be used to perform additional actions such as port shutdown, port bounce, or security and password accounting. References :=

Some possible references are:

RFC 5176: This document describes the dynamic authorization extensions to RADIUS, including the CoA request and response codes, and the supported IETF attributes.

RADIUS Change of Authorization - Cisco: This document provides the configuration guide for the RADIUS CoA feature on Cisco IOS devices, including the supported IETF and Cisco VSAs.

Supported IETF attributes in RFC 5176 - Ruckus Networks: This document lists the supported IETF attributes and error clause values for the RADIUS CoA feature on Ruckus devices.

V

Northbound APIs are the link between the applications and the SDN controller. The applications can tell the network what they need (data, storage, bandwidth, and so on) and the network can deliver those resources, or communicate what it has. These APIs support a wide variety of applications, such as load balancers, firewalls, orchestration platforms, and automation stacks. Northbound APIs also enable the applications to use the controller’s capabilities to program flows into the network devices using the southbound interface. Northbound APIs are usually RESTful APIs that use HTTP methods to exchange data in JSON or XML formats12.

OpenFlow is not a northbound API protocol, but a southbound API protocol that defines the communication between the SDN controller and the network switches or routers. OpenFlow allows the controller to manipulate the forwarding behavior of the switches or routers by sending commands and receiving events3 .

NETCONF is not a northbound API protocol, but a network management protocol that can be used as a southbound API protocol to configure and monitor network devices. NETCONF uses XML to encode data and remote procedure calls (RPCs) to exchange messages between the controller and the network devices . References := 1: What are SDN Northbound APIs (and SDN Rest APIs)? - SDxCentral 2: SDN North-bound and South-bound APIs and Interfaces 3: OpenFlow - Wikipedia : OpenFlow - SDxCentral : NETCONF - Wikipedia : NETCONF Protocol - Cisco

1sdxcentral.com2computernetworkingnotes.com3examguides.com

Explanation

This command uses RADIUS which combines authentication and authorization in one function (packet).

NetFlow is a Cisco IOS application that provides statistics on packets flowing through the router. NetFlow is based on 7 key fields that identify a flow, such as source and destination IP addresses, source and destination port numbers, layer 3 protocol type, ToS byte, and input logical interface. To enable NetFlow on a router, IP routing must be configured first, because NetFlow relies on IP addresses to classify and monitor traffic. SNMPv3, syslog, and VRF are not required for NetFlow configuration, although they can be used for other purposes such as network management, logging, and virtualization. References:

Getting Started with Configuring Cisco IOS NetFlow and NetFlow Data Export (Section: NetFlow Data Capture)

How to configure NetFlow on Cisco routers (Section: Enable NetFlow)

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0 (Module 5.1.1)

 Phishing is a type of cyberattack that uses fraudulent emails or other communications to trick users into providing sensitive information or installing malware on their devices1. Phishing can lead to identity theft, data breaches, ransomware infections, and financial losses. To protect employees from phishing attacks, a company can use various solutions that can detect, block, and remediate phishing threats. Two of these solutions are:

Cisco Umbrella: Cisco Umbrella is a cloud-based security platform that provides the first line of defense against threats on the internet, including phishing2. Cisco Umbrella uses DNS-layer security, which can identify and block malicious domains, IPs, and URLs before they can reach the user’s device2. Cisco Umbrella also integrates with Cisco Email Security to provide additional protection against phishing emails that may bypass the email gateway3.

Cisco Email Security Appliance (ESA): Cisco ESA is an email gateway that protects inbound and outbound email traffic from spam, malware, phishing, and other threats4. Cisco ESA uses multiple layers of defense, such as reputation filtering, antivirus scanning, outbreak filters, and content filtering, to prevent malicious emails from reaching the user’s inbox4. Cisco ESA also leverages Cisco Advanced Phishing Protection, which uses machine learning and threat intelligence to identify and block sophisticated phishing attacks that use identity deception techniques5.

References := 1: What Is Phishing? Examples and Phishing Quiz - Cisco 2: Cisco Umbrella - Cloud Delivered Enterprise Security 3: Cisco Umbrella and Cisco Email Security Integration 4: Cisco Secure Email - Cisco 5: Cisco Advanced Phishing Protection - Cisco Video Portal

To connect Cisco Secure Workload to external orchestrators at a client site where incoming connections are not allowed, a reverse tunnel must be used. A reverse tunnel initiates the connection from the inside of the client's network out to the external orchestrator, thereby bypassing restrictions on incoming connections and enabling secure communication.

The Talos IP and Domain Reputation Center is the world’s most comprehensive real-time threat detection network. It collects and analyzes data from millions of web requests, emails, malware samples, open-source data sets, endpoint intelligence, and network intrusions. It assigns a reputation score to IP addresses and domains based on their observed malicious activity and behavior. The reputation score can range from -10 (very malicious) to +10 (very benign). The reputation score can be used to block or allow traffic, or to trigger further inspection or analysis. The Talos IP and Domain Reputation Center allows you to track the reputation of IP addresses for email and web traffic, as well as to look up the category, volume, and history of any IP address or domain. You can also submit feedback or request a change of reputation for any IP address or domain. References 

https://talosintelligence.com/reputation_center/

https://bing.com/search?q=Talos+reputation+center+IP+addresses+email+web+traffic

To deploy Cisco WSA in transparent mode, the configuration component that must be used is WCCP on switch. WCCP stands for Web Cache Communication Protocol, which is a protocol that allows a network device (such as a switch) to redirect web traffic to a proxy server (such as Cisco WSA) transparently. This means that the client does not need to configure any proxy settings on the browser, and the proxy server can intercept and process the web requests and responses without the client’s knowledge. WCCP can also provide load balancing and failover capabilities for multiple proxy servers.

The other options are incorrect because they are not required or relevant for transparent mode deployment. Option A is incorrect because MDA (Multilink PPP Dial Access) is a feature that allows multiple physical links to be aggregated into a single logical link for dial-up connections. It has nothing to do with transparent mode. Option B is incorrect because PBR (Policy-Based Routing) is a feature that allows routing decisions to be based on criteria other than the destination IP address, such as source IP address, protocol, port, etc. It is not necessary for transparent mode, as WCCP can handle the traffic redirection. Option D is incorrect because DNS resolution on Cisco WSA is not a configuration component, but a function that allows the proxy server to resolve domain names to IP addresses. It is not specific to transparent mode, as it is also used in explicit mode. References:

What is the difference between transparent and forward proxy mode?

User Guide for AsyncOS 12.7 for Cisco Web Security Appliances - LD (Limited Deployment) - Acquire End-User Credentials

Cisco WSA : Is it possible to use web proxy in transparent mode without WCCP?

NTP uses UDP port 123 to communicate with its servers and peers. If the Cisco ASA has IP reachability to the NTP server and is not filtering any traffic, then the most likely cause of the unsynchronized state and the stratum of 16 is that the NTP server is not working properly or is not configured to provide NTP service. A stratum of 16 means that the NTP server is unreachable or is not considered a viable candidate1. The value.INIT. in the refid column indicates that NTP is initializing, and the server has not yet been reached1. To resolve this issue, the network engineer should verify the status and configuration of the NTP server, and use a different server if needed. Alternatively, the network engineer can use the ntp server command with the prefer keyword to specify a preferred NTP server, or use the ntp update-calendar command to force a resynchronization of NTP2. References:

1: NTP server is unsynchronized or unreachable, a Wireshark perspective.

2: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 1: Network Security, Lesson 1.3: Configuring Network Time Protocol.

Using a company-managed Amazon S3 bucket for Cisco Umbrella logs allows the administrator to have full control over the access and lifecycle of the log data. This configuration can grant third-party SIEM integrations write access to the S3 bucket, which can enable more advanced analysis and correlation of the log data with other sources. This configuration also provides more flexibility in terms of how long the data can be stored offline, as opposed to the Cisco-managed S3 bucket, which has a fixed retention period of 30 days. References:

Enable Logging to Your Own S3 Bucket

Centralized Umbrella Log Management with Amazon’s S3 service for MSP, MSSP, and Multi-org customers

Multifactor authentication (MFA) is an authentication method that requires the user to provide two or more verification factors to gain access to a resource such as an application, online account, or a VPN1. MFA is a core component of a strong identity and access management (IAM) policy. MFA can help prevent an attacker from stealing usernames and passwords of users within an organization by adding an extra layer of security beyond the traditional username and password. For example, a user may need to enter a one-time code sent to their phone or email, scan their fingerprint, or use a hardware token to prove their identity. This way, even if an attacker obtains the user’s credentials, they cannot access the resource without the second factor2.

The other options are not technologies that can help prevent an attacker from stealing usernames and passwords of users within an organization. RADIUS-based REAP is a protocol that allows wireless clients to authenticate with a RADIUS server, but it does not provide MFA3. Fingerprinting is a technique that identifies the operating system or application of a device based on its network characteristics, but it does not provide MFA4. Dynamic ARP Inspection is a security feature that prevents ARP spoofing attacks by validating ARP packets, but it does not provide MFA5.

References := 1: What is Multi-Factor Authentication (MFA)? | OneLogin(https://www.onelogin.com/learn/what-is-mfa) 2: What is: Multifactor Authentication - Microsoft Support(https://support.microsoft.com/en-us/topic/what-is-multifactor-authentication-e5e39437-121c-be60-d123-eda06bddf661) 3: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 3: Securing the Network, Lesson 3.3: Secure Wireless Connectivity, Topic 3.3.1: Wireless Security Protocols, page 3-40. 4: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 2: Securing the Cloud, Lesson 2.2: Cloud Security Assessment, Topic 2.2.1: Cloud Security Concepts, page 2-13. 5: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 3: Securing the Network, Lesson 3.2: Secure Network Access, Topic 3.2.2: Layer 2 Security Features, page 3-19.

Cisco Advanced Malware Protection (AMP) for Web Security is a solution that provides protection against web-related threats before, during, and after an attack. One of the functions that AMP for Web Security includes is detailed analytics of the unknown file’s behavior. This means that AMP can continuously monitor and analyze the activity of files that cross the web gateway, even after they have been initially scanned and allowed. This allows AMP to detect and block any malicious behavior that may emerge later, and provide retrospective security alerts and remediation actions12. References: 1: Cisco Advanced Malware Protection for Web Security 2: Cisco Adds Advanced Malware Protection to Web and Email Security Appliances and Cloud Services

Explanation

DTLS is used for delay sensitive applications (voice and video) as its UDP based while TLS is TCP based.

Therefore DTLS offers strongest throughput performance. The throughput of DTLS at the time of AnyConnect connection can be expected to have processing performance close to VPN throughput.

Mobile device management (MDM) is a toolset that provides a workforce with mobile productivity tools and applications while keeping corporate data secure1. One of the essential capabilities of an MDM solution is the unified management of mobile devices, Macs, and PCs from a centralized dashboard2. This allows IT and security departments to manage all of a company’s devices, regardless of their operating system, and perform tasks such as provisioning, configuration, update, lock, wipe, and troubleshoot2. Another important capability of an MDM solution is the enforcement of device security policies from a centralized dashboard3. This enables IT and security departments to protect the device’s applications, data, and content, and ensure compliance with organizational and regulatory standards3. For example, an MDM solution can set minimum password strength, encrypt data, restrict access, and detect threats3.

 1: What is Mobile Device Management (MDM)? | IBM 2: 5 Essential Capabilities of an MDM Solution | Macworld 3: What is device management? | Microsoft Learn

The FMC and managed devices communicate using a two-way, SSL-encrypted communication channel, which by default is on port 8305.

Cisco strongly recommends that you keep the default settings for the remote management port, but if the

management port conflicts with other communications on your network, you can choose a different port. If you change the management port, you must change it for all devices in your deployment that need to communicate with each other.

Explanation

Explanation

Cisco’s DNA Center is the only centralized network management system to bring all of this functionality into a single pane of glass.

 Dynamic ARP Inspection (DAI) is a security feature that protects ARP (Address Resolution Protocol) from an attack like ARP poisoning. ARP poisoning is a technique where an attacker sends forged ARP responses to trick hosts into associating IP addresses with the attacker’s MAC address. This allows the attacker to intercept, modify, or drop traffic between the victims, creating a “man-in-the-middle” scenario. DAI can prevent this attack by validating ARP packets on untrusted interfaces, using information from the DHCP snooping database and/or an ARP access-list. If the ARP packet contains invalid MAC address to IP address bindings, it will be dropped and logged. DAI can also rate-limit ARP packets to mitigate ARP flooding attacks. DAI is configured on a per-VLAN basis and requires DHCP snooping to be enabled on the same VLANs. References :=

Some possible references are:

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 2: Network Security, Lesson 2.4: Implement Layer 2 Security

Understanding and Configuring Dynamic ARP Inspection

DAI (Dynamic ARP Inspection)

The Cisco DNA Center RESTful PNP API allows external applications to interact with the Plug and Play (PNP) service of Cisco DNA Center, which automates the onboarding and provisioning of network devices. The PNP API has several endpoints for different operations, such as importing, claiming, updating, and deleting devices. The endpoint that adds and claims a device into a workflow is api/v1/onboarding/pnp-device/import, which takes a JSON payload with the device information and the workflow ID. This endpoint creates a new device entry in the PNP database and associates it with the specified workflow. The workflow defines the configuration template, image, and license to be applied to the device during the provisioning process12. References:

1: See How to Use the Plug and Play API in DNA Center – Part 2

2: Cisco DNA Center Platform User Guide, Release 2.2.3

 The Python script accomplishes the following tasks:

It imports the required libraries for HTTP, base64, SSL, and sys modules.

It takes the host, user, and password information from the command line arguments and assigns them to variables.

It creates an HTTPS connection object using the host and port 9060, and specifies the SSL protocol as TLSv1_2.

It encodes the user and password information in base64 format for basic HTTP authentication.

It sets the headers for the HTTP request, including the accept, authorization, and cache-control fields.

It sends a GET request to the Cisco ISE server to retrieve information from the “/ers/config/internaluser/” endpoint, which returns the list of internal users configured on Cisco ISE.

It reads the response from the server and prints the status, headers, and body in a human-readable format.

The script authenticates to the Cisco ISE server using the username of ersad and the password of Password1, and retrieves the internal user information from the server.

 To enable CWA for wireless guest access, the ISE engineer needs to configure the following steps on the ISE server:

Create a guest portal with the desired settings and appearance.

Create an authorization profile that references the guest portal and the DACL name for the Airespace ACL configured on the WLC. The DACL name must match the name of the ACL on the WLC exactly. The authorization profile also needs to have the common tasks of Web Redirection and Web Authentication enabled.

Create an authorization policy that matches the unauthenticated devices based on the MAC address or other criteria and applies the authorization profile created in the previous step.

The DACL name is required for the WLC to apply the correct ACL to the guest endpoints and redirect them to the guest portal. Without the DACL name, the WLC will not know which ACL to use and may grant full guest access to the endpoints. Therefore, the correct answer is D.

References :=

Some possible references are:

Central Web Authentication (CWA) for guests with ISE

Understand And Troubleshoot Central Web-Authentication (CWA) In Guest Anchor Set-Up

Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide, Release 17.3.0 - Guest Access

SQL injection attacks are a type of code injection technique that exploit the use of dynamic SQL queries in web applications. Attackers can inject malicious SQL statements into user input fields, such as login forms, search boxes, or URLs, and execute them on the underlying database. This can result in unauthorized access, data theft, data corruption, or denial of service.

To prevent SQL injection attacks, web developers should use the following techniques:

Use prepared statements and parameterized queries: Prepared statements are SQL queries that are precompiled and executed with user-supplied parameters. Parameterized queries are SQL queries that use placeholders for user input and bind them to actual values at runtime. Both techniques separate the SQL code from the user input, making it impossible for attackers to inject SQL commands into the query. For example, in Java, PreparedStatement is a class that implements parameterized queries. In PHP, PDO and mysqli are extensions that support prepared statements.

Block SQL code execution in the web application database login: Web applications should use a dedicated database user account with limited privileges to connect to the database. This account should only have the permissions necessary to perform the required operations, such as select, insert, update, or delete. It should not have the permissions to execute arbitrary SQL commands, such as create, drop, alter, grant, or revoke. This way, even if an attacker manages to inject SQL code into the query, the database will reject it due to insufficient privileges.

 Cisco Advanced Malware Protection (AMP) for Endpoints is a cloud-based solution that provides endpoint protection against malware and advanced threats. It can be deployed in different architectures depending on the customer’s needs and preferences. One of the deployment options is the private cloud, which is designed to keep data within a network perimeter. In this option, the customer hosts the AMP for Endpoints console and the AMP cloud on their own infrastructure, and the endpoints connect to the private cloud for analysis and policy enforcement. This option provides more control and privacy over the data, but also requires more resources and maintenance from the customer. The other deployment options are the public cloud, which uses the Cisco-hosted AMP cloud and console, and the hybrid cloud, which uses a combination of the public and private clouds123 References: 1: Protecting Against Malware Threats with Cisco AMP for Endpoints (SSFAMP) course overview 2: Cisco Secure Endpoint (Formerly AMP for Endpoints) - Cisco 3: Cisco Advanced Malware Protection for Endpoints - Zones

Cisco Tetration, which is a hybrid-cloud workload protection platform that uses machine learning, behavior analysis, and algorithmic approaches to secure compute instances in both the on-premises data center and the public cloud1. Cisco Tetration can process behavior baselines, monitor for deviations, and review for malicious processes in data center traffic and servers while performing software vulnerability detection. It can also provide zero-trust microsegmentation, proactive identification of security incidents, and reduction of the attack surface1. The other options are not correct because they do not offer the same level of workload protection as Cisco Tetration. Cisco ISE is an identity and access control platform that provides secure network access, endpoint compliance, and device administration2. Cisco AMP for Network is a network-based malware prevention solution that detects and blocks malicious files and URLs before they reach the endpoints3. Cisco AnyConnect is a VPN client that provides secure remote access, endpoint visibility, and posture enforcement4. References:

1: Cisco Secure Workload Platform Data Sheet

2: Cisco Identity Services Engine Data Sheet

3: Cisco Advanced Malware Protection for Networks Data Sheet

4: Cisco AnyConnect Secure Mobility Client Data Sheet

 Secret key cryptography, also known as symmetric key cryptography, is a type of encryption where a single secret key is used for both encryption and decryption of a message. The cryptographic key is kept secret between the sender and receiver, making it difficult for anyone else to decipher the message. Some of the functions of secret key cryptography are:

Key selection without integer factorization: Secret key cryptography does not rely on complex mathematical problems such as integer factorization or discrete logarithms to generate keys. Instead, the keys are chosen randomly or derived from a passphrase or a shared secret. This makes the key generation process faster and simpler than in public key cryptography.

Utilization of less memory: Secret key cryptography uses less memory than public key cryptography, as it only requires one key to be stored and managed. Public key cryptography, on the other hand, requires two keys (public and private) for each user, which increases the memory overhead and complexity of key management.

The other options are not functions of secret key cryptography, but rather characteristics of public key cryptography or asymmetric cryptography, which is a different type of encryption where different keys are used for encryption and decryption. Public key cryptography has the following features:

Utilization of different keys for encryption and decryption: Public key cryptography uses a pair of keys, one public and one private, for each user. The public key can be shared with anyone, while the private key must be kept secret. The public key is used to encrypt messages, while the private key is used to decrypt them. This allows users to communicate securely without having to exchange a secret key beforehand.

Utilization of large prime number iterations: Public key cryptography relies on hard mathematical problems such as integer factorization or discrete logarithms to generate keys. These problems involve finding the prime factors of large numbers or finding the discrete logarithms of numbers in a finite field. These problems are easy to solve in one direction, but hard to solve in the reverse direction. For example, it is easy to multiply two large prime numbers, but hard to find the prime factors of the product. This makes the keys hard to break by brute force or other methods.

Provides the capability to only know the key on one side: Public key cryptography enables users to encrypt messages without knowing the recipient’s key, and vice versa. This is possible because the encryption and decryption keys are different and mathematically related. For example, Alice can encrypt a message with Bob’s public key, and only Bob can decrypt it with his private key. Alice does not need to know Bob’s private key, and Bob does not need to know Alice’s key. This also enables public key cryptography to support digital signatures, which are a way of verifying the identity and integrity of a message.

References :=

What Is Secret Key Cryptography? A Complete Guide - Helenix

Definition of Secret-key Cryptography - Gartner

Application visibility and control (AVC) is a solution that leverages multiple technologies to recognize, analyze, and control over 1000 applications, including voice and video, email, file sharing, gaming, peer-to-peer (P2P), and cloud-based applications1. One of the key components of AVC is application recognition, which uses stateful deep packet inspection (DPI) to identify applications within the network traffic flow, using L3 to L7 data2. DPI is a technique that examines the content of packets beyond the header information, and can classify applications based on their signatures, protocols, ports, or other attributes3. DPI enables AVC to monitor and control application performance, bandwidth usage, quality of service, and security policies4. References := 1: Cisco Application Visibility and Control (AVC) - Cisco 2: Cisco Application Visibility and Control User Guide - Technology Overview 3: What is application visibility and control? | Juniper Networks US 4: Application visibility and control - Secure Internet Access Enterprise

https://www.cisco.com/c/dam/en_us/about/doing_business/legal/service_descriptions/docs/Cisco_Secure_Managed_Endpoint.pdf

 Cisco Container Platform (CCP) is a solution that simplifies the deployment and management of containerized applications across multiple clouds. It provides the following benefits to customers who utilize cloud service providers12:

Allows developers to create code once and deploy to multiple clouds. CCP is based on open source components, such as Kubernetes and Docker, that are compatible with various cloud platforms. This enables developers to write code once and run it anywhere, without worrying about the underlying infrastructure or vendor lock-in. CCP also supports hybrid and multicloud scenarios, allowing customers to leverage the best features of different cloud providers and optimize their costs and performance.

Manages Kubernetes clusters. CCP automates the installation, configuration, and maintenance of Kubernetes clusters, which are groups of nodes that run containerized applications. CCP provides a simple GUI-driven menu system to deploy clusters, as well as automated monthly updates for bug fixes, feature enhancements, and security patches. CCP also offers a choice of networking solutions, such as Cisco ACI, Calico, or Contiv, to connect and secure the clusters. CCP also integrates with Cisco AppDynamics and Prometheus for visibility and monitoring of the clusters and applications. References:

Cisco Container Platform - Cisco

Cisco Container Platform - At-a-Glance - Cisco

Explanation

The syntax of this command is: flow-export destination interface-name ipv4-address | hostname udp-port

This command is used on Cisco ASA to configure Network Secure Event Logging (NSEL) collector to which

NetFlow packets are sent. The destination keyword indicates that a NSEL collector is being configured.

+ The interface-name argument is the name of the ASA and ASA Services Module interface through which the

collector is reached.

+ The ipv4-address argument is the IP address of the machine running the collector application.

+ The hostname argument is the destination IP address or name of the collector.

+ The udp-port argument is the UDP port number to which NetFlow packets are sent.

You can configure a maximum of five collectors. After a collector is configured, template records are

automatically sent to all configured NSEL collectors.

The kind of API that is used with Cisco DNA Center to provision SSIDs, QoS policies, and update software versions on switches is the Intent API. The Intent API is a category of APIs that allows users to express their desired network outcomes or intents, such as creating a site, adding a device, or deploying a network profile. The Intent API then translates these intents into specific network configurations and commands, and applies them to the relevant network devices and services. The Intent API simplifies and automates the network provisioning and management process, and enables users to focus on the business objectives rather than the technical details. Some examples of Intent APIs are:

Site Management API: This API allows users to create, update, delete, and retrieve sites and buildings in Cisco DNA Center. A site is a logical grouping of network devices and services that share common characteristics, such as location, policies, or functions. A site can have one or more buildings, and a building can have one or more floors. Sites are used to organize and manage the network hierarchy and topology.

Network Settings API: This API allows users to configure and manage network-wide settings, such as global credentials, network discovery, IP address pools, DHCP and DNS servers, and SNMP settings. These settings are applied to all network devices and services that are managed by Cisco DNA Center.

Network Profile API: This API allows users to create, update, delete, and retrieve network profiles in Cisco DNA Center. A network profile is a collection of network settings and policies that define how a network segment or service should operate, such as SSIDs, QoS policies, security policies, and device roles. Network profiles are used to standardize and simplify the network configuration and deployment process, and to ensure consistency and compliance across the network.

Software Image Management API: This API allows users to manage the software images and versions of network devices that are managed by Cisco DNA Center. Users can import, export, delete, and retrieve software images, as well as assign them to network devices or device groups. Users can also schedule and monitor software image updates, and view the software image compliance status of network devices.

The command show authen sess int gi0/1 displays the authentication session information for the interface gi0/1, such as the MAC address, the authentication method, the authentication state, the session timeout, and the VLAN assignment. This command is useful for verifying the status of an 802.1X connection on a specific interface. The other commands are not related to 802.1X authentication. The command show authorization status displays the authorization status for the current user. The command show connection status gi0/1 is not a valid Cisco command. The command show ver gi0/1 displays the version information for the interface gi0/1. References: 802.1X Authentication Commands, Configuring IEEE 802.1x Port-Based Authentication, What Cisco command shows you the status of an 802.1X connection on interface gi0/1?

To force a session to be adjusted after a policy change is made, two configurations are required on Cisco ISE and on Cisco TrustSec devices: Dynamic Authorization and Change of Authorization (CoA). Dynamic Authorization allows Cisco ISE to send commands to network devices to change the authorization status of a user session. CoA is a feature that enables Cisco ISE to send a RADIUS message to a network device to reauthenticate or disconnect a user session. These two configurations enable Cisco ISE to apply the updated policy to the user session without requiring the user to log out and log in again.

According to the source book, the steps to configure Dynamic Authorization and CoA are as follows1:

On Cisco ISE, navigate to Administration > Network Resources > Network Devices and select the network device that supports TrustSec.

On the Edit Network Device page, select the Advanced TrustSec Settings tab and check the Support for CoA check box.

On the same tab, select the appropriate CoA type from the drop-down list. The options are RADIUS Disconnect, Port Bounce, and Reauth.

Click Submit to save the changes.

On the network device, enter the global configuration mode and issue the command aaa server radius dynamic-author to enable Dynamic Authorization.

Optionally, you can specify the source interface, authentication key, and port number for the Dynamic Authorization messages.

Exit the global configuration mode and save the configuration.

 1: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 4: Secure Connectivity, Lesson 4.2: Implementing TrustSec, Topic 4.2.3: Configuring TrustSec on Cisco ISE and Network Devices, pp. 4-83 to 4-85.

 Cisco Cloudlock is a cloud-native cloud access security broker (CASB) that helps you move to the cloud safely. It protects your cloud users, data, and apps. Cloudlock’s simple, open, and automated approach uses APIs to manage the risks in your cloud app ecosystem. Cloudlock integrates with cloud applications like Dropbox and Office 365 by providing visibility, compliance, threat protection, and data security. Cloudlock can detect and prevent data exfiltration by applying data loss prevention (DLP) policies, encrypting sensitive data, and alerting or blocking unauthorized activities. Cloudlock also supports cloud app discovery and risk assessment, user and entity behavior analytics (UEBA), and cloud app firewall12. References: 1: Cisco Cloudlock - Cisco 2: Cisco Cloudlock Privacy Data Sheet

 Cisco AnyConnect with Umbrella Roaming Security module protects a user from a phishing attack by enforcing security at the DNS layer and blocking malicious domains that are used for phishing campaigns. The Umbrella Roaming Security module integrates with the Cisco AnyConnect client and provides always-on security even when no VPN is active. The Umbrella Roaming Security module can replace the existing Cisco Umbrella roaming client or be part of a new AnyConnect deployment12.

Cisco Identity Services Engine (ISE) is not an endpoint solution, but a network access control and policy enforcement platform that can integrate with AnyConnect for posture assessment and compliance3. Cisco AnyConnect with ISE Posture module is used to check the compliance status of the endpoint device and apply the appropriate network access policy based on the posture result4. Cisco AnyConnect with Network Access Manager module is used to manage the network connections and profiles of the endpoint device and support various authentication methods5. Neither of these modules directly protect the user from a phishing attack.

References :=

Roaming Client: Umbrella Roaming Security (Integration with AnyConnect)

Secure Umbrella Roaming: Cisco Secure Client (Formerly AnyConnect)

Cisco Identity Services Engine

[Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 4.9 - Posture Module]

[Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 4.9 - Network Access Manager Module]

Cisco Identity Services Engine (ISE) is a product that provides comprehensive and scalable access policy enforcement for wired and wireless networks. ISE supports TACACS+ for device administration, which allows for granular control over the commands and actions that network administrators can perform on network devices. ISE also supports 802.1X, MAB, and WebAuth for network access, which enables authentication and authorization of users and endpoints based on various attributes, such as identity, device type, posture, location, and time. ISE can also integrate with other Cisco security products, such as Cisco Stealthwatch and Cisco AMP for Endpoints, to provide enhanced visibility and threat detection. Therefore, ISE is the product that meets all of the requirements stated in the question. References :=

Some possible references are:

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 4: Secure Network Access, Identity Management, and Secure Access

TACACS+ Configuration Guide, Configuring TACACS

Cisco Identity Services Engine Administrator Guide, Release 2.7, Device Administration

Cisco Identity Services Engine Administrator Guide, Release 2.7, Network Access Devices

Cisco Identity Services Engine Administrator Guide, Release 2.7, Policy Sets

The function of the crypto is a kmp key cisc406397954 address 0.0.0.0 0.0.0.0 command when establishing an IPsec VPN tunnel is to configure the pre-shared authentication key. This command specifies the key that will be used to authenticate the Internet Key Exchange (IKE) phase 1 negotiation between the IPsec peers. The key is associated with the address 0.0.0.0 0.0.0.0, which means that it will apply to any peer that initiates or responds to the IKE negotiation. This is a common configuration for dynamic IPsec VPN scenarios, such as Dynamic Multipoint VPN (DMVPN) or Easy VPN, where the IP addresses of the peers are not known in advance. However, this is also a less secure configuration, as it exposes the VPN server to potential brute-force attacks from any source. A more secure configuration would be to specify the exact IP address or subnet of the peer, or to use certificates instead of pre-shared keys.

Explanation

The call to API of “https://api.amp.cisco.com/v1/computers” allows us to fetch list of computers across your organization that Advanced Malware Protection (AMP) sees.

Explanation

Explanation

The traditional use of the pull model, where the client requests data from the network does not scale when what you want is near real-time data. Moreover, in some use cases, there is the need to be notified only when some data changes, like interfaces status, protocol neighbors change etc.

Model-Driven Telemetry is a new approach for network monitoring in which data is streamed from network devices continuously using a push model and provides near real-time access to operational statistics.

Applications can subscribe to specific data items they need, by using standard-based YANG data models over NETCONF-YANG. Cisco IOS XE streaming telemetry allows to push data off of the device to an external collector at a much higher frequency, more efficiently, as well as data on-change streaming.

 A CI/CD pipeline is a process of automating the development, testing, and deployment of software applications. A CI/CD pipeline typically involves multiple tools and stages, such as source code management, build automation, testing, security scanning, and deployment. To secure a CI/CD pipeline, one of the best practices is to avoid hardcoding secrets in config files and CI/CD build tools, and instead use a secure access solution that can authenticate and authorize the access to the pipeline resources.

Duo Network Gateway is a cloud-based solution that provides secure access to internal web applications without requiring a VPN or modifying firewall rules. Duo Network Gateway integrates with Duo’s two-factor authentication (2FA) service to verify the identity of users and devices before granting access to the web applications. Duo Network Gateway also supports single sign-on (SSO) and identity federation with various identity providers, such as Active Directory, Azure AD, Google, and Okta.

By using Duo Network Gateway, you can leverage a CI/CD pipeline without exposing your internal web applications to the internet or compromising security. Duo Network Gateway can protect access to your source code repositories, build servers, testing tools, and deployment platforms. You can also enforce granular access policies based on user roles, device health, location, and time. Duo Network Gateway can help you achieve compliance with industry standards and regulations, such as PCI DSS, HIPAA, and GDPR.

The other options are not as suitable for securing access to a CI/CD pipeline as Duo Network Gateway. A remote access client is a software that allows users to connect to a remote network or server, such as a VPN client. However, a VPN client may not provide sufficient security for a CI/CD pipeline, as it may expose the entire network to potential attacks, or require complex firewall configurations and network segmentation. A VPN client may also introduce performance and reliability issues, as it depends on the quality and availability of the network connection.

SSL WebVPN is a feature of Cisco Adaptive Security Appliance (ASA) that allows users to access web-based resources securely over SSL/TLS. SSL WebVPN can provide secure access to web applications, email, file shares, and other network services. However, SSL WebVPN may not be able to support all the tools and stages of a CI/CD pipeline, as some of them may require non-web protocols, such as SSH, RDP, or VNC. SSL WebVPN may also require additional licenses and hardware resources to support a large number of concurrent users and connections.

Cisco FTD network gateway is a unified platform that combines the features of Cisco ASA and Cisco Firepower. Cisco FTD network gateway can provide firewall, intrusion prevention, malware protection, and VPN services. Cisco FTD network gateway can also integrate with Cisco Identity Services Engine (ISE) to provide identity-based access control and visibility. However, Cisco FTD network gateway may not be the best solution for securing access to a CI/CD pipeline, as it may require complex network design and deployment, and may not support all the CI/CD tools and protocols. Cisco FTD network gateway may also incur additional costs and maintenance efforts.

References := : Secure CI/CD Pipelines: Best Practices for Managing CI/CD Secrets : Duo Network Gateway | Duo Security : VPN vs. Duo Network Gateway | Duo Security : SSL VPN Deployment Guide for Cisco ASA - Cisco : Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager, Version 6.7 - VPN Overview [Cisco Firepower NGFW]

Explanation

Protect sensitive content in outgoing emails with Data Loss Prevention (DLP) and easy-to-use email

encryption, all in one solution.

Cisco Email Security appliance can now handle incoming mail connections and incoming messages from

specific geolocations and perform appropriate actions on them, for example:

– Prevent email threats coming from specific geographic regions.

– Allow or disallow emails coming from specific geographic regions.

Explanation

Cisco Threat Intelligence Director (CTID) can be integrated with existing Threat Intelligence Platforms deployed by your organization to ingest threat intelligence automatically.

Endpoint-based security is the solution for performing signature-based application control, which is a method of identifying and blocking malicious applications based on their signatures or hashes. Signature-based application control is one of the features of endpoint security solutions, such as Cisco AMP for Endpoints1, that protect endpoints from known and unknown threats. Endpoint security solutions can also perform other functions, such as behavioral analysis, sandboxing, machine learning, and threat hunting, to provide comprehensive protection, detection, and response on the endpoint2. The other options are not scenarios where endpoint-based security is the solution. Inspecting encrypted traffic requires a network-based security solution, such as Cisco SSL Appliance3, that can decrypt and inspect the traffic for malicious content. Device profiling and authorization requires a network access control solution, such as Cisco Identity Services Engine4, that can identify and authenticate devices and users and enforce policies based on their roles and contexts. Inspecting a password-protected archive requires a file analysis solution, such as Cisco Threat Grid5, that can extract and analyze the contents of the archive for malware and indicators of compromise. References :=

Cisco AMP for Endpoints

What is Endpoint Security? How Does It Work?

Cisco SSL Appliance

Cisco Identity Services Engine

Cisco Threat Grid

Explanation

Explanation

Each rule also has an action, which determines whether you monitor, trust, block, or allow matching traffic.

Note: With action “trust”, Firepower does not do any more inspection on the traffic. There will be no intrusion protection and also no file-policy on this traffic.

Cisco Firepower impact flags are indicators that help you evaluate the impact an intrusion has on your network by correlating intrusion data, network discovery data, and vulnerability information1. Impact flags are assigned to intrusion events based on the following criteria:

The operating system and application protocol of the target host

The exploitability of the target host by the attacker

The relevance of the intrusion rule to the target host

The severity of the intrusion rule Impact flags can have four values: unknown, neutral, affected, or vulnerable. Unknown means that the system does not have enough information to assess the impact. Neutral means that the system knows the target host is not affected by the intrusion. Affected means that the system knows the target host is affected by the intrusion, but not necessarily exploitable. Vulnerable means that the system knows the target host is exploitable by the intrusion1. Impact flags can help you prioritize your response to intrusion events, as well as generate reports and alerts based on the impact level. You can also use impact flags to filter and search for intrusion events in the Firepower Management Center1. References: 1: Firepower Management Center Configuration Guide, Version 6.1 - External Alerting with Alert Responses.

Explanation

Cisco Cognitive Threat Analytics helps you quickly detect and respond to sophisticated, clandestine attacks that are already under way or are attempting to establish a presence within your environment. The solution automatically identifies and investigates suspicious or malicious web-based traffic. It identifies both potential and confirmed threats, allowing you to quickly remediate the infection and reduce the scope and damage of an attack, whether it’s a known threat campaign that has spread across multiple organizations or a unique threat you’ve never seen before.

Detection and analytics features provided in Cognitive Threat Analytics are shown below:

+ Data exfiltration: Cognitive Threat Analytics uses statistical modeling of an organization’s network to identify anomalous web traffic and pinpoint the exfiltration of sensitive data. It recognizes data exfiltration even in HTTPS-encoded traffic, without any need for you to decrypt transferred content

+ Command-and-control (C2) communication: Cognitive Threat Analytics combines a wide range of data, ranging from statistics collected on an Internet-wide level to host-specific local anomaly scores. Combining these indicators inside the statistical detection algorithms allows us to distinguish C2 communication from benign traffic and from other malicious activities. Cognitive Threat Analytics recognizes C2 even in HTTPSencoded or anonymous traffic, including Tor, without any need to decrypt transferred content, detecting a broad

range of threats

…

Cisco Container Platform (CCP) is a security product that enables administrators to deploy Kubernetes clusters in air-gapped sites without needing Internet access. CCP tenant images contain all the necessary binaries and don’t need internet access to function. CCP also supports offline installation and updates of the platform components. CCP is designed to simplify the deployment and management of containerized applications across hybrid cloud environments, while ensuring security and compliance. CCP integrates with Cisco security solutions such as Cisco Tetration and Cisco Stealthwatch Cloud to provide visibility and protection for Kubernetes clusters and workloads. CCP also leverages Cisco Intersight, a cloud-based management platform, to provide centralized monitoring and automation for CCP clusters. References:

Cisco Container Platform

350-701 SCOR Cisco CCNP Security Updated Questions in April

To add switches into the fabric for private cloud management, administrators can use the following two methods:

PowerOn Auto Provisioning (POAP): This method allows the switches to be automatically discovered and provisioned by DCNM using a POAP configuration file. The switches are assigned an IP address and a startup configuration based on the fabric settings and policies. The switches are then added to the fabric and deployed with the VXLAN EVPN configuration. This method is suitable for greenfield deployments or adding new switches to an existing fabric12.

Seed IP: This method allows the administrators to manually specify the IP address of the switches that they want to add to the fabric. The switches must have a reachable IP address and a username and password that match the fabric settings. The switches are then added to the fabric and deployed with the VXLAN EVPN configuration. This method is suitable for brownfield deployments or transitioning existing switches to DCNM management12. References: Cisco NDFC Fabric Controller Configuration Guide, Release 12.0.x, Cisco DCNM LAN Fabric Configuration Guide, Release 11.5(x).

Explanation

Explanation

Southbound APIs enable SDN controllers to dynamically make changes based on real-time demands and

scalability needs.

One of the main reasons why a user would choose an on-premises ESA versus the CES solution is to have more control over the sensitive data that flows through the email system. With an on-premises ESA, the user can ensure that the data is stored and processed within their own network and data center, and that they comply with any regulatory or organizational requirements for data security and privacy. With a CES solution, the user would have to trust Cisco to handle the data in their cloud infrastructure, and to adhere to the service level agreements and security policies that are agreed upon. Some users may not be comfortable with this level of outsourcing, especially if they have strict data governance or compliance needs12. References: 1: Physical ESA vs Cloud ESA - Cisco Community 2: Cisco Email Security Appliance - Data Sheet

Web Cache Communication Protocol (WCCP) is supported on Cisco IOS routers and Cisco ASA firewalls. WCCP allows these devices to redirect traffic to a WCCP-capable device, such as a web cache or a Cisco Secure Web Appliance, for processing. This redirection can be used for tasks like content filtering, web caching, and load balancing.

Device compliance checks are a feature of Cisco Identity Services Engine (ISE) that allows you to verify the posture of endpoints before allowing them to access your network. Posture is the state of the endpoint in terms of security, such as the presence of anti-virus software, firewall, patches, and so on. A posture agent, such as the AnyConnect ISE Posture Agent, runs on the endpoint and collects posture information, which is then sent to the ISE server for evaluation. Based on the posture policy, the ISE server can grant or deny network access, or apply remediation actions to the endpoint. One of the benefits of conducting device compliance checks is that it validates if anti-virus software is installed on the endpoint, which can prevent malware infections and protect your network from threats. The other options are not benefits of device compliance checks, as they are not related to the posture of the endpoint. References:

Compliance - Cisco

Device Compliance - Cisco

Explanation

CoA Messages are sent on two different udp ports depending on the platform. Cisco standardizes on UDP port

1700, while the actual RFC calls out using UDP port 3799.

Cisco Identity Services Engine (ISE) uses various probes to collect attributes of connected endpoints, such as device type, operating system, IP address, MAC address, and so on. These attributes are used to profile the endpoints and assign them to appropriate identity groups and policies. Two of the probes that can be configured to gather attributes of connected endpoints using Cisco ISE are RADIUS and DHCP.

RADIUS probe: The RADIUS probe collects attributes from the RADIUS packets that are exchanged between the network access devices (NADs) and the ISE Policy Service Nodes (PSNs) during the authentication and authorization process. The RADIUS probe can extract attributes such as username, calling-station-ID, NAS-IP-address, NAS-port-type, service-type, and so on. The RADIUS probe can also collect attributes from the RADIUS accounting packets that are sent by the NADs to the ISE PSNs after the session is established. The RADIUS probe can extract attributes such as session-ID, framed-IP-address, acct-session-time, and so on. The RADIUS probe is enabled by default and does not require any additional configuration on the NADs or the ISE PSNs.

DHCP probe: The DHCP probe collects attributes from the DHCP packets that are exchanged between the endpoints and the DHCP server during the IP address assignment process. The DHCP probe can extract attributes such as hostname, vendor-class-identifier, client-identifier, parameter-request-list, and so on. The DHCP probe can also collect attributes from the DHCP relay packets that are forwarded by the NADs to the ISE PSNs. The DHCP probe can extract attributes such as relay-agent-information and subscriber-ID. The DHCP probe requires some configuration on the NADs and the ISE PSNs. The NADs must be configured to relay or copy the DHCP packets to the ISE PSNs, and the ISE PSNs must be configured to receive the DHCP packets on a specific interface.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ISE_admin_guide_24/m_assetvisibility_endpointprofiler.html

https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_00.html

To achieve the goal of excluding some servers from the VPN tunnel and accessing them directly, the engineer must modify the group policy that is applied to the remote access VPN users. The group policy contains the settings for split tunneling, which is a feature that allows the VPN client to route some traffic through the VPN tunnel and some traffic directly to the internet. Split tunneling can be configured based on the destination IP address, the application, or the domain name of the traffic. By modifying the group policy, the engineer can specify which servers or networks should be excluded from the VPN tunnel and accessed directly by the VPN client. This can improve the performance and efficiency of the VPN connection, as well as reduce the load on the VPN gateway and the corporate network. However, split tunneling also introduces some security risks, such as exposing the VPN client to internet threats, bypassing the corporate firewall and security policies, and leaking sensitive data. Therefore, the engineer must carefully evaluate the trade-offs and best practices of using split tunneling for remote access VPNs. References :=

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 3: Secure Connectivity, Lesson 3.1: Implementing and Troubleshooting Remote Access VPN, Topic 3.1.4: Configure and Verify Remote Access VPN, Subtopic 3.1.4.2: Configure and Verify Split Tunneling

VPN Split Tunneling: What It Is & Pros and Cons

Cisco ASA - Enable Split Tunnel for Remote VPN Clients

 The destination command is required to complete the flow record and specify the IP address of the Stealthwatch collector that will receive the NetFlow data. The transport udp 2055 command is also needed, but it is part of the flow exporter configuration, not the flow record. The match ipv4 ttl and cache timeout active 60 commands are optional and can be used to customize the flow record, but they are not mandatory. The flow record defines the fields that are collected and exported for each flow, such as source and destination IP addresses, ports, protocols, etc. The flow exporter defines the destination, source, transport protocol, and port for sending the NetFlow data. The flow monitor binds the flow record and the flow exporter together and applies them to an interface. The following is an example of a complete NetFlow configuration for sending data to Stealthwatch:

flow exporter EXPORTER description Export NetFlow to Stealthwatch destination 1.1.1.1 export-protocol netflow-v9 source Vlan100 transport udp 2055 ! flow record RECORD description NetFlow record match datalink mac source address input match datalink mac destination address input match datalink vlan input match ipv4 ttl match ipv4 tos match ipv4 protocol match ipv4 source address match ipv4 destination address match transport source-port match transport destination-port match interface input collect interface output collect counter bytes long collect counter packets long collect timestamp absolute first collect timestamp absolute last ! flow monitor IPv4_NETFLOW record RECORD exporter EXPORTER cache timeout active 60 ! interface <> ip flow monitor IPv4_NETFLOW input ! References : Configuring and Troubleshooting NetFlow for Stealthwatch, Cisco NetFlow Configuration, Building a Better Monitoring Solution with Flexible Netflow

Explanation

Dynamic ARP inspection (DAI) is a security feature that validates ARP packets in a network. It intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. This capability protects the network from certain man-in-the-middle attacks. After enabling DAI, all ports become untrusted ports.

AAA stands for Authentication, Authorization, and Accounting. It is a framework that provides security to network resources by controlling who can access them (authentication), what they can do (authorization), and what actions they perform (accounting). AAA can be implemented by using the local database of the device or by using an external server such as Cisco ISE (Identity Services Engine).

The question asks which configuration item makes it possible to have the AAA session on the network. A session is a logical connection between a user and a network device. A session can be initiated by various methods, such as console, telnet, SSH, PPP, etc. Each session can have different AAA policies applied to it, depending on the method list configured for that session.

A method list is a set of rules that define the authentication, authorization, and accounting methods to be used for a particular session. A method list can be named or default. A named method list is applied to a specific session by using the login, authorization, or accounting keyword followed by the name of the method list. A default method list is applied to all sessions that do not have a named method list configured.

The configuration item that makes it possible to have the AAA session on the network is the aaa authorization network default group ise command. This command configures a default method list for network authorization, which is the process of determining the network services and attributes that a user is allowed to access after authentication. The command specifies that the network authorization method is group, which means that the device will use an external server (such as Cisco ISE) to obtain the authorization information for the user. The command also specifies that the name of the server group is ise, which means that the device will use the server group defined by the aaa group server radius ise command.

The other options are incorrect because they do not configure a default method list for network authorization. Option A configures a named method list for login authentication, which is the process of verifying the identity of the user. Option B configures a default method list for enable authentication, which is the process of verifying the identity of the user who wants to enter the privileged EXEC mode. Option D configures a default method list for exec authorization, which is the process of determining the commands and features that a user can access in the EXEC mode. References:

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 1: Security Concepts, Lesson 1: Describing Information Security Concepts

Configure Basic AAA on an Access Server, General AAA Configuration, Authentication Configuration, Authorization Configuration

AAA (Authentication, Authorization and Accounting) - GeeksforGeeks, AAA implementation, ACS server

Explanation

Explanation

Depending on your company policy, you might be able to use your mobile phones, tablets, printers, Internet radios, and other network devices on your company’s network. You can use the My Devices portal to register and manage these devices on your company’s network.

Explanation

The Trusted Automated eXchangeof Indicator Information (TAXII) specifies mechanisms for exchanging

structured cyber threat information between parties over the network.

TAXII exists to provide specific capabilities to those interested in sharing structured cyber threat information.

TAXII Capabilities are the highest level at which TAXII actions can be described. There are three capabilities

that this version of TAXII supports: push messaging, pull messaging, and discovery.

Although there is no “binding” capability in the list but it is the best answer here.

WannaCry ransomware is a type of malware that encrypts the files on the infected devices and demands a ransom for their decryption. It exploits a vulnerability in the Windows SMB protocol that allows remote code execution. To prevent WannaCry ransomware from spreading to all clients, IT should take the following precautions:

Ensure that noncompliant endpoints are segmented off to contain any potential damage. This means that any device that is not patched, managed, or compliant with the security policies should be isolated from the rest of the network and given limited access to resources. This can be done using Cisco Identity Services Engine (ISE) and Cisco TrustSec, which can enforce dynamic segmentation based on the device’s identity, posture, and context. This way, IT can prevent the ransomware from infecting other devices and reduce the impact of the attack12

Perform a posture check to allow only network access to those Windows devices that are already patched. This means that IT should verify that the devices have installed the latest security updates from Microsoft that fix the SMB vulnerability. This can be done using Cisco AnyConnect Secure Mobility Client, which offers a VPN Posture/HostScan Module and an ISE Posture Module. Both modules can assess the endpoint’s compliance for things like operating system, patches, antivirus, antispyware, and firewall software. If the device is not patched, it can be denied access to the network or redirected to a remediation portal13

 1: Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 4.0 - Configure Posture 2: Can We Trust Your Device? Checking Security Posture - Cisco 3: Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 4.10 - Configure Posture

Explanation

SNMP polling can often be in the order of 5-10 minutes, CLIs are unstructured and prone to change which can often break scripts.

The traditional use of the pull model, where the client requests data from the network does not scale when what you want is near real-time data.

Moreover, in some use cases, there is the need to be notified only when some data changes, like interfaces status, protocol neighbors change etc.

Model-Driven Telemetry is a new approach for network monitoring in which data is streamed from network devices continuously using a push model and provides near real-time access to operational statistics. Referfence: https://developer.cisco.com/docs/ios-xe/#!streaming-telemetry-quick-start-guide/streaming telemetry

Explanation

The user “admin5” was configured with privilege level 5. In order to allow configuration (enter global

configuration mode), we must type this command:

(config)#privilege exec level 5 configure terminal

Without this command, this user cannot do any configuration.

Note: Cisco IOS supports privilege levels from 0 to 15, but the privilege levels which are used by default are privilege level 1 (user EXEC) and level privilege 15 (privilege EXEC)

To implement external authentication against Active Directory, the Cisco ISE server needs to communicate with the domain controller using either RADIUS or LDAP protocols. RADIUS is used for network access control, while LDAP is used for identity management and directory services. Both protocols require the appropriate ports to be opened and firewall rules to be configured to allow the traffic between the ISE server and the domain controller.

The ISE account does not need to be a domain administrator in Active Directory to perform JOIN operations. It only needs to have the permissions to create computer objects and reset passwords in the domain. This can be achieved by delegating the rights to a specific OU or using a service account with limited privileges.

Active Directory supports user and machine authentication by using various methods, not only MSCHAPv2. MSCHAPv2 is a challenge-response authentication protocol that is commonly used with RADIUS and VPN connections. However, Active Directory also supports other protocols such as Kerberos, NTLM, EAP, and PEAP, depending on the scenario and the client capabilities.

Flood attacks are a type of denial-of-service (DoS) attacks that aim to saturate the bandwidth or resources of a target by sending a large number of packets or requests. Flood attacks can be classified into different categories based on the protocol or layer they target, such as ICMP, UDP, TCP SYN, HTTP, DNS, etc. Flood attacks can also be distributed (DDoS) if they involve multiple sources of attack traffic, such as compromised devices or servers123. References := 1: Denial of Service - OWASP Cheat Sheet Series 2: What is a denial-of-service (DoS) attack? | Cloudflare 3: Types of DOS attacks - GeeksforGeeks

DNSSEC (Domain Name System Security Extensions) is a technology that protects DNS from cache poisoning and spoofing attacks by digitally signing DNS data with cryptographic keys. DNSSEC ensures the integrity and authenticity of DNS responses, preventing attackers from redirecting traffic to malicious domains. Cisco Umbrella supports DNSSEC by performing validation on queries sent from Umbrella resolvers to upstream authorities. This means that Umbrella will only accept DNS responses that are signed and verified by the authoritative servers for each domain. To enable DNSSEC validation, the organization needs to configure Cisco Umbrella and use DNSSEC for domain authentication to authoritative servers. This will ensure that Umbrella resolvers will reject any forged or tampered DNS responses and provide secure DNS resolution for the organization’s network. References :=

Some possible references are:

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 2: Network Security, Lesson 2.5: Implement DNS Security

What is DNSSEC and Why Is It Important? - Cisco Umbrella

DNSSEC General Availability – Cisco Umbrella

The Cisco WSA supports two main authentication protocols: LDAP and NTLM. LDAP is a protocol for accessing and managing directory information over a network. NTLM is a Windows proprietary protocol that uses a challenge-response mechanism for authentication. The Cisco WSA can use both LDAP and NTLM to authenticate users and apply policies based on their identity. The Cisco WSA does not support WCCP, TLS, or SSL as authentication protocols, although it can use them for other purposes, such as traffic redirection or encryption. References:

User Guide for AsyncOS 11.0 for Cisco Web Security Appliances, Chapter: Acquire End-User Credentials

Cisco Web Security Appliance Best Practices Guidelines, Section: Active authentication

Cisco WSA Authentication, Blog post by Kareem CCIE

Authentication and Authorization, PDF document by Cisco

Traffic storm control is a feature that prevents LAN ports from being disrupted by a broadcast, multicast, or unicast traffic storm on physical interfaces. Traffic storm control monitors the level of each traffic type for which it is enabled in 1-second intervals and compares it with the configured threshold, which is a percentage of the total available bandwidth of the port. When the ingress traffic reaches the threshold, traffic storm control drops the traffic until the end of the interval. Traffic storm control uses the Individual/Group bit in the packet destination address to determine if the packet is unicast or broadcast. This bit is set to 0 for unicast addresses and 1 for multicast or broadcast addresses. Traffic storm control does not use the source address to classify the traffic type. References := Configuring Traffic Storm Control - Cisco, Understanding Cisco Traffic Storm Control - NetCraftsmen

Before identifying the URL during HTTPS inspection in Cisco Secure Firewall Threat Defense software, the default action is to "pass." This means that the traffic is allowed through without inspection until the URL can be identified, at which point appropriate security policies can be applied based on the URL categorization and reputation.

Dynamic ARP Inspection (DAI) is a security feature that validates ARP packets on untrusted interfaces by comparing the MAC address to IP address bindings in the DHCP snooping database or an ARP access-list. If the ARP packet contains invalid or spoofed information, it is dropped and logged. DAI also inspects ARP packets on trusted interfaces, but it does not drop them if they are invalid. Instead, it forwards them to the destination without validation. This allows the switch to support devices that use static IP addresses or have legitimate reasons to send ARP packets with different MAC address to IP address bindings. However, this also means that if a spoofed ARP packet is received on a trusted interface, it will bypass the DAI validation and be forwarded to the destination. This could allow an attacker to poison the ARP cache of other devices and perform a man-in-the-middle attack. Therefore, the correct answer is option B. The switch drops the packet after validation by using the IP & MAC Binding Table. References:

Understanding and Configuring Dynamic ARP Inspection

DAI (Dynamic ARP Inspection)

Dynamic ARP Inspection (DAI) Explanation & Configuration

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0

Microsegmentation is a network security technique that enables security architects to logically divide the data center or cloud environment into distinct security segments down to the individual workload level, and then define security controls and deliver services for each unique segment. Microsegmentation software with network virtualization technology is used to create zones in cloud deployments. These granular secure zones isolate workloads, securing them individually with custom, workload-specific policies. Microsegmentation uses a zero-trust model, which means that no traffic is allowed by default, and only explicitly authorized traffic is permitted based on the principle of least privilege. Microsegmentation helps to reduce the attack surface, prevent the lateral movement of threats, and strengthen regulatory compliance. The other options are incorrect because they do not describe microsegmentation accurately. Option B is incorrect because container orchestration platforms, such as Kubernetes, are used to automate the deployment, scaling, and management of containerized applications, but they do not provide microsegmentation by themselves. Option C is incorrect because private VLAN segmentation is a network security technique that isolates hosts within the same VLAN, but it does not provide granular security controls at the workload level. Option D is incorrect because host-based firewall rules are one of the components of microsegmentation, but they are not sufficient to implement microsegmentation without network virtualization and policy automation. References : What Is Microsegmentation? - Palo Alto Networks, What Is Micro-Segmentation? - Cisco, What is Micro-Segmentation? | VMware Glossary

Explanation

Cisco‘s Group Encrypted Transport VPN (GETVPN) introduces the concept of a trusted group to eliminate

point-to-point tunnels and their associated overlay routing. All group members (GMs) share a common security

association (SA), also known as a group SA. This enables GMs to decrypt traffic that was encrypted by any

other GM.

GETVPN provides instantaneous large-scale any-to-any IP connectivity using a group IPsec security paradigm.

Explanation

The data plane of any network is responsible for handling data packets that are transported across the network.

(The data plane is also sometimes called the forwarding plane.)

Maybe this Qwants to ask about the encryption and authentication in the data plane of a SD-WAN network (but SD-WAN is not a topic of the SCOR 350-701 exam?).

In the Cisco SD-WAN network for unicast traffic, data plane encryption is done by AES-256-GCM, a symmetrickey algorithm that uses the same key to encrypt outgoing packets and to decrypt incoming packets. Each router periodically generates an AES key for its data path (specifically, one key per TLOC) and transmits this key to the vSmart controller in OMP route packets, which are similar to IP route updates.

A traffic profile is a graph of network traffic based on connection data collected over a profiling time window (PTW). This measurement presumably represents normal network traffic. After the learning period, you can detect abnormal network traffic by evaluating new traffic against your profile. You can also set up inactive periods in traffic profile to exclude data that does not reflect normal network behavior. You can use traffic profiles to write correlation rules that trigger when the traffic deviates from the profile by a certain threshold or standard deviation. This way, you can identify and respond to potential attacks or security policy violations that cause traffic anomalies. References :=

Some possible references are:

Firepower Management Center Configuration Guide, Version 6.0 - Traffic Profiling

Cisco Next-Generation Intrusion Prevention System (NGIPS)

Which statement describes a traffic profile on a Cisco Next Generation Intrusion Prevention System?

Explanation

The logging of your identities’ activities is set per-policy when you first create a policy. By default, logging is on and set to log all requests an identity makes to reach destinations. At any time after you create a policy, you can change what level of identity activity Umbrella logs.

From the Policy wizard, log settings are:

Log All Requests—For full logging, whether for content, security or otherwise

Log Only Security Events—For security logging only, which gives your users more privacy—a good setting for people with the roaming client installed on personal devices

Don’t Log Any Requests—Disables all logging. If you select this option, most reporting for identities with this policy will not be helpful as nothing is logged to report on.

to configure GigabitEthernet0/1 as promiscuous port, GigabitEthernet0/2 as isolated port and GigabitEthernet0/3 and GrgabitEthernet0/4 as community ports. This way, the default gateway can communicate with all servers, the isolated port can only communicate with the promiscuous port, and the community ports can communicate with each other and the promiscuous port. This prevents the file server from communicating with the DNS servers, as required by the question.

To understand the concept of private VLANs and port types, you can refer to the following sections of the source book:

Section 1.1.2: Describe the concepts of network security

Section 1.1.2.1: Describe the concepts of private VLANs

Section 1.1.2.2: Describe the concepts of port types

Section 1.1.2.3: Describe the concepts of PVLAN edge

Section 1.1.2.4: Describe the concepts of protected ports

Section 1.1.2.5: Describe the concepts of PVLAN configuration

Explanation

Explanation

The following are the prerequisites to integrate Active Directory with Cisco ISE.

+ Use the Network Time Protocol (NTP) server settings to synchronize the time between the Cisco ISE server

and Active Directory. You can configure NTP settings from Cisco ISE CLI.

+ If your Active Directory structure has multidomain forest or is divided into multiple forests, ensure that trust

relationships exist between the domain to which Cisco ISE is connected and the other domains that have user

and machine information to which you need access. For more information on establishing trust relationships,

refer to Microsoft Active Directory documentation.

+ You must have at least one global catalog server operational and accessible by Cisco ISE, in the domain to

which you are joining Cisco ISE.

NetFlow Secure Event Logging (NSEL) is a security logging mechanism that is built on NetFlow Version 9 technology. It provides a stateful, IP flow tracking method that exports only those records that indicate significant events in a flow, such as flow-create, flow-teardown, and flow-denied. NSEL events are triggered by the event that caused the state change in the flow. This reduces the amount of data that is exported and provides more relevant information for security analysis. NSEL also supports periodic flow-update events, which provide byte counters over the duration of the flow. These events are usually time-driven, but may also be triggered by state changes in the flow. NSEL uses templates to describe the format of the data records that are exported through NetFlow. Each event has several record formats or templates associated with it. NSEL delivers templates and data records to configured NSEL collectors through NetFlow over UDP only. NSEL also allows filtering of NSEL events based on the traffic and event type through Modular Policy Framework, and then sends records to different collectors. The supported event types are flow-create, flow-denied, flow-teardown, flow-update, and all. References :=

Some possible references are:

NetFlow Secure Event Logging (NSEL) - Cisco

NetFlow Secure Event Logging (NSEL) - Cisco

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0 (source book)

Explanation

Answer B is not correct because Cross-site Scripting (XSS) is not a brute force attack.

Answer C is not correct because the statement “Cross-site Scripting is when executives in a corporation are attacked” is not true. XSS is a client-side vulnerability that targets other application users.

Answer D is not correct because the statement “Cross-site Scripting is an attack where code is executed from the server side”. In fact, XSS is a method that exploits website vulnerability by injecting scripts that will run at client’s side.

Therefore only answer A is left. In XSS, an attacker will try to inject his malicious code (usually malicious links) into a database. When other users follow his links, their web browsers are redirected to websites where

attackers can steal data from them. In a SQL Injection, an attacker will try to inject SQL code (via his browser) into forms, cookies, or HTTP headers that do not use data sanitizing or validation methods of GET/POST

parameters.

Note: The main difference between a SQL and XSS injection attack is that SQL injection attacks are used to steal information from databases whereas XSS attacks are used to redirect users to websites where attackers can steal data from them.

 The monitoring agent uses the RTP (Real-time Transport Protocol) performance metric to collect and output packet loss and jitter information. RTP is a network protocol used for delivering audio and video over IP networks. It provides mechanisms for timestamping, sequence numbering, and delivery monitoring, which allow for the measurement of packet loss and jitter. RTP is specifically designed for real-time multimedia streaming applications, which are more sensitive to changes in the transmission characteristics of data networks than other applications. Therefore, RTP performance is a suitable metric for monitoring and collecting packet loss and jitter information.

The other options are not directly related to measuring packet loss and jitter. TCP (Transmission Control Protocol) is a transport protocol that ensures reliable and ordered delivery of data, but it is not typically used for real-time multimedia applications. WSAv (Web Security Virtual Appliance) is a Cisco solution for web security, but it does not measure packet loss and jitter. AVC (Application Visibility and Control) is a technology that monitors and controls network applications, but it does not focus on packet loss and jitter. References :=

Measuring Delay, Jitter, and Packet Loss with Cisco IOS SAA and RTTMON1

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.02

Cisco 350-701: Which metric used by monitoring agent to collect and output packet loss and jitter information?

Explanation

Explanation

Cisco Umbrella protects users from accessing malicious domains by proactively analyzing and blocking unsafe destinations – before a connection is ever made. Thus it can protect from phishing attacks by blocking suspicious domains when users click on the given links that an attacker sent.

Cisco Stealthwatch is a security solution that uses NetFlow to provide visibility across the network, data center, branch offices, and cloud. NetFlow is a protocol that collects and exports statistics on network traffic flows from routers, switches, firewalls, and other devices. NetFlow data can be used to monitor network performance, troubleshoot issues, detect anomalies, and identify security threats. Cisco Stealthwatch analyzes NetFlow data from various sources and correlates it with other contextual information, such as identity, device, location, and threat intelligence. Cisco Stealthwatch then applies advanced behavioral analytics and machine learning to detect and respond to malicious activities, such as data exfiltration, malware infection, insider threats, and denial-of-service attacks. Cisco Stealthwatch also provides comprehensive network visibility and security across hybrid environments, including public cloud, private cloud, and on-premises networks. Cisco Stealthwatch can integrate with other Cisco security solutions, such as Cisco Identity Services Engine (ISE), Cisco Firepower, Cisco Umbrella, and Cisco Advanced Malware Protection (AMP), to enhance network security and incident response capabilities. References:

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 8: Cloud and Virtual Network Security, Lesson 8.2: Cisco Stealthwatch Cloud

Cisco Stealthwatch

NetFlow for Cybersecurity and Incident Response

B

Data is sent out to the attacker during a DNS tunneling attack as part of the domain name. DNS tunneling is a technique that encodes the data of other protocols or programs in DNS queries and responses. The attacker registers a domain, such as badsite.com, and points it to a server under their control, where a tunneling program is installed. The attacker infects a device with malware, which sends DNS queries to the attacker’s server, using subdomains of badsite.com to encode the data. For example, the malware could send a query for 1234.badsite.com, where 1234 is the encoded data. The attacker’s server decodes the data from the subdomain and sends back a DNS response, which may also contain encoded data in the answer section12. The other options are not correct, because they do not use the domain name to encode the data. The UDP/53 and TCP/53 packet payload and header are used to transport the DNS query and response, but they are not modified by the tunneling technique. The DNS response packet contains the answer to the query, but it is not the only way to send data to the attacker3. References:

1: DNS Tunneling attack - What is it, and how to protect ourselves?

2: What Is DNS Tunneling? - Palo Alto Networks

3: What Are DNS Attacks? - Palo Alto Networks

 The Python script of the Cisco DNA Center API in the exhibit uses the requests module to send a GET request to the /dna/intent/api/v1/network-device endpoint, which returns a list of network devices managed by Cisco DNA Center. The script also uses HTTPBasicAuth to provide the username and password for authentication. The script then parses the JSON response and prints the hostname, type, management IP address, and software version of each device in a table format using the prettytable module. Therefore, the result of this script is to receive information about a switch or switches from Cisco DNA Center. References:

Python Scripting APIs in Cisco DNA Center Let You Improve Effectiveness, Topic: Network device’s script, simple and easy to create

Intro to Cisco DNA Center REST API with Python, Module 2: Using Python to Retrieve a Network Device List

Cisco DNA Center API Call Python Script Example, Topic: Cisco DNA CENTER SANDBOX Call DNA Center API Call Python Script Example

DNS tunneling is a technique that uses the DNS protocol to exfiltrate data or establish command and control channels between a compromised host and an attacker-controlled server. DNS tunneling can bypass network security controls that allow outbound DNS traffic without inspection or filtering. To stop DNS tunneling, two recommended approaches are:

Enforce security over port 53. This means applying firewall rules, access control lists, or other mechanisms to restrict outbound DNS traffic to only authorized DNS servers and domains. Additionally, DNS traffic should be inspected and analyzed for anomalies, such as unusually large or frequent queries, non-standard encoding, or suspicious domains. This can help detect and block DNS tunneling attempts.

Use Cisco Umbrella. Cisco Umbrella is a cloud-based security service that provides DNS security, web filtering, and threat intelligence. Cisco Umbrella can prevent DNS tunneling by blocking malicious domains, enforcing policies based on content categories, and applying machine learning to identify and stop emerging threats. Cisco Umbrella can also provide visibility and reporting on DNS activity and security events.

References :=

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 5: Securing the Cloud, Lesson 5.2: DNS Security

What Is DNS Tunneling? - Palo Alto Networks

An Introduction to DNS Tunneling Detection & Data Exfiltration via DNS - Vercara

Cisco AnyConnect is a client-based VPN solution that provides secure remote access for individual users from their machines. It allows customization of access policies based on user identity, such as group membership, device posture, or location. This enables granular control over who can access what resources on the network. Cisco AnyConnect also supports various authentication methods, such as certificates, multifactor authentication, or single sign-on. Cisco AnyConnect can be deployed with Cisco Adaptive Security Appliance (ASA) or Cisco Firepower Threat Defense (FTD) as the VPN headend.

Cisco DMVPN is a network-based VPN solution that provides dynamic, on-demand, and scalable connectivity for branch offices, teleworkers, and business partners. It uses multipoint GRE (mGRE) tunnels and Next Hop Resolution Protocol (NHRP) to establish direct spoke-to-spoke communications without traversing the hub. It also supports IPsec encryption and various routing protocols over the tunnel. Cisco DMVPN can be deployed with Cisco IOS routers as the VPN headend.

The advantages of using Cisco AnyConnect over DMVPN are:

It enables VPN access for individual users from their machines, which is useful for mobile workers or telecommuters who need to connect to the network from anywhere.

It allows customization of access policies based on user identity, which is useful for enforcing security and compliance requirements for different types of users or devices.

The advantages of using DMVPN over Cisco AnyConnect are:

It provides spoke-to-spoke communications without traversing the hub, which reduces latency and bandwidth consumption for traffic between remote sites.

It allows different routing protocols to work over the tunnel, which provides flexibility and scalability for network design and management.

Cisco Stealthwatch - rapidly collects and analyzes netflow and telementy data to deliver in-depth visibility and understanding of network traffic

Cisco ISE – obtains contextual identity and profiles for all users and device

Cisco TrustSec – software defined segmentation that uses SGTs

Cisco Umbrella – secure internet gateway ion the cloud that provides a security solution

Dual-SSID BYOD is the term for when an endpoint is associated to a provisioning WLAN that is shared with guest access, and the same guest portal is used as the BYOD portal. This flow is a unique capability of ISE where the user does not have to log in twice, as ISE can take the user information from the 802.1X session and direct the user to the BYOD flow. Once the endpoint is onboarded, it is reconnected to the secured WLAN for full network access. This flow is different from single-SSID BYOD, where the endpoint associates to a secure WLAN, gets onboarded, and then reconnects to the same WLAN12. References: 1: ISE BYOD: Dual vs. Single SSID Onboarding - Cisco Community 2: Cisco ISE BYOD Prescriptive Deployment Guide - Cisco Community

 Installing the Cisco Umbrella root CA onto the user’s device is the action that accomplishes the goal of inspecting traffic without alerting end-users. This is because the root CA allows the user’s device to trust the certificates issued by the Cisco Umbrella intelligent proxy, which acts as a man-in-the-middle for SSL sites on Umbrella’s grey list. Without the root CA, the user’s browser would raise errors when accessing those sites, as it would detect an untrusted certificate. By installing the root CA, the user’s browser would accept the certificate and allow the traffic to be proxied and inspected by the intelligent proxy. References:

Enable SSL Decryption - Umbrella User Guide

SSL Decryption in the Intelligent Proxy – Cisco Umbrella

Cisco Umbrella Intelligent Proxy and SSL Decryption

Intelligent Proxy and SSL Decryption with Cisco Umbrella

 The dot1x system-auth-control command enables 802.1X globally on a Cisco switch. This command allows the switch to act as an authenticator for 802.1X clients connected to the switch ports. The switch will then communicate with a RADIUS server to authenticate the clients and grant or deny access to the network. The other commands are not related to enabling 802.1X globally. The dot1x pae authenticator command enables 802.1X authentication on a specific interface. The authentication port-control aut command enables automatic port-based authentication on an interface. The aaa new-model command enables the AAA framework for authentication, authorization, and accounting. References :=

https://www.cisco.com/c/en/us/support/docs/smb/switches/cisco-small-business-300-series-managed-switches/smb5635-configure-global-802-1x-properties-on-a-switch-through-the-c.html

https://www.cisco.com/c/en/us/td/docs/routers/nfvis/switch_command/b-nfvis-switch-command-reference/802_1x_commands.html

Talos Intelligence is a comprehensive threat intelligence service that provides up-to-date information on URL filtering, reputations, and vulnerability information. Talos Intelligence can be integrated with Cisco FTD and Cisco WSA to enhance the security and visibility of the network. Cisco FTD and Cisco WSA can leverage the Talos Intelligence feeds to perform Security Intelligence filtering, which allows the devices to block or allow traffic based on the reputation of the source or destination IP addresses, URLs, or DNS requests. Talos Intelligence feeds are updated regularly and can be configured to download automatically or manually on the FTD and WSA devices12345. References := 1: Cisco Talos Intelligence Group - Comprehensive Threat Intelligence 2: Threat Intelligence on Cisco Stealthwatch - Cisco Community 3: Third-Party Integration of Security Feeds with FMC (Cisco Threat … - Cisco Community 4: Cisco Firepower Threat Defense Configuration Guide for Firepower Device … 5: Cisco Firepower Threat Defense Configuration Guide for Firepower Device …

A serverless application is one that does not require the developer to manage the underlying infrastructure or servers. Instead, the application code is executed by a cloud provider in response to events or triggers, such as HTTP requests, database changes, or messages. The cloud provider automatically provisions, scales, and manages the resources needed to run the code, and charges only for the time and resources consumed by the execution. A serverless application runs from an ephemeral, event-triggered, and stateless container that is fully managed by a cloud provider. This means that the container is created on demand when an event occurs, and is destroyed when the execution is completed. The container does not store any persistent state or data, and is isolated from other containers. The cloud provider handles the load balancing, fault tolerance, security, and monitoring of the container. A serverless application can leverage various cloud services, such as databases, storage, messaging, analytics, and machine learning, to perform complex tasks and functionalities. Serverless computing is a cloud-native development model that enables developers to focus on the business logic and deliver faster and more scalable applications. References:

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 8: Cloud and Virtual Network Security, Lesson 8.1: Cloud Computing Concepts

What is serverless? - Red Hat

Serverless computing and applications | Microsoft Azure

Explanation

Explanation

Cisco Cloudlock: Secure your cloud users, data, and applications with the cloud-native Cloud Access Security Broker (CASB) and cloud cybersecurity platform.

Explanation

A trusted CA is the only entity that can issue trusted digital certificates. This is extremely important because while PKI manages more of the encryption side of these certificates, authentication is vital to understanding which entities own what keys. Without a trusted CA, anyone can issue their own keys, authentication goes out the window and chaos ensues.

Endpoint security is the process of protecting devices like workstations, servers, and other devices from malicious threats and cyberattacks. Endpoint security enables businesses to secure endpoints that employees use for work purposes or servers that are either on a network or in the cloud. Endpoint security is important because every device that connects to the corporate network is a potential vulnerability, providing a possible entry point for cyber criminals. Therefore, every device an employee uses to connect to any business system or resource carries the risk of becoming the chosen route for hacking into an organization. These devices can be exploited by malware that could leak or steal sensitive data from the business12.

One of the benefits of endpoint security is that it allows the organization to detect and mitigate threats that the perimeter security devices do not detect. Perimeter security devices, such as firewalls and intrusion prevention systems, are designed to protect the network from external attacks. However, they may not be able to prevent or detect attacks that originate from within the network, such as insider threats, compromised devices, or lateral movement. Endpoint security solutions can provide visibility and control over the devices that connect to the network, and can monitor, analyze, and respond to suspicious or malicious activities on the endpoints. Endpoint security solutions can also leverage threat intelligence and advanced analytics to identify and block known and unknown threats, such as ransomware, zero-day exploits, and targeted attacks13. References := 1: What is Endpoint Security? How Does It Work? | Fortinet 2: Microsoft Defender for Endpoint | Microsoft Security 3: Endpoint Security - Check Point Software

The main difference between an on-premise solution and a cloud-based solution is the distribution of responsibilities between the customer and the provider. With an on-premise solution, the customer has full control over the installation, configuration, maintenance, and security of the product, but also bears the costs and risks associated with it. With a cloud-based solution, the provider takes care of most of these aspects, while the customer pays a subscription fee and accesses the product over the internet. Therefore, when choosing between the two options, the customer must consider factors such as cost, scalability, performance, availability, security, compliance, and customization. For example, an on-premise solution may be preferred if the customer has strict security or regulatory requirements, or needs a high level of customization. A cloud-based solution may be preferred if the customer wants to reduce capital expenditure, or needs a flexible and scalable solution that can adapt to changing demands. References :=

Some possible references are:

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 1: Security Concepts, Lesson 1: Describing Information Security Concepts, Topic: Cloud Security

350-701 SCOR - Cisco, Exam Topics, 1.0 Security Concepts, 1.6 Compare and contrast the characteristics of a data center and the cloud

Cloud vs. On-Premise Software Comparison

CoA stands for Change of Authorization, which is a feature that allows a RADIUS server to adjust an active client session after it is authenticated. For example, CoA can be used to reauthenticate a client, terminate a client session, or change the VLAN or group policy of a client. CoA is supported by several RADIUS vendors, including Cisco ISE. CoA is defined in RFC 5176 and uses a pushed model, where the request originates from the RADIUS server and is sent to the network device that acts as a listener. CoA requests can have two possible response codes: CoA-ACK (acknowledgment) or CoA-NAK (non-acknowledgment). References :=

Some possible references are:

RADIUS Change of Authorization

Change of Authorization with RADIUS (CoA) on MR Access Points

Change of Authorization with RADIUS (CoA) on MS Switches

Technical Tip: Radius COA behavior

The correct command to log all events to a destination collector is flow-export event-type all destination 209.165.201.10. This command configures a flow-export action that sends all NSEL events to the specified IP address. NSEL events include flow-create, flow-teardown, flow-denied, and flow-update events. The command must be entered in the policy-map class configuration mode, after defining a policy-map and a class-map that match the traffic and event type. The other commands are incorrect because they either specify the wrong event type (flow-update instead of all) or the wrong destination IP address (209.165.201 instead of 209.165.201.10). References :=

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 5: Securing the Cloud, Lesson 5.2: DNS Security

Cisco Secure Firewall ASA NetFlow Implementation Guide

Configuring Cisco ASA for NetFlow Export via CLI – Plixer

 Microsegmentation is a method of securing multi cloud data centers using granular segmentation rules for the individual workload or application, reducing the risk of an attacker moving from one compromised workload or application to another1. Microsegmentation with Cisco ACI enables you to automatically assign endpoints to logical security zones called endpoint groups (EPGs). These EPGs are based on various network-based or virtual machine (VM)-based attributes2. Microsegmentation is also referred to as application segmentation or east-west segmentation in a multicloud data center1. References: 1: What Is Micro-Segmentation? - Cisco 2: Microsegmentation with Cisco ACI

A destination list is a list of internet destinations: domains, URLs, and CIDRs. To control identity access to specific destinations, you can add destination lists to Umbrella and then select them when configuring your Web and DNS policies12. When you add or edit a destination list, the changes are applied immediately if the destination list is part of a policy3. This means that any identities that are associated with the policy will be affected by the changes in the destination list. You do not need to save the configuration or remove the destination list from the policy to apply the changes. However, you do need to have the appropriate user role to manage destination lists. The user role of Block Page Bypass or higher is needed to perform these changes4. References :=

Manage Destination Lists - Umbrella User Guide

Manage Destination Lists - Umbrella SIG User Guide

Add a Destination List - Umbrella User Guide

Add a DNS Destination List - Umbrella SIG User Guide